BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
b84ca08e
Commit
b84ca08e
authored
Aug 28, 2017
by
Nick Thomas
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Address review comments
parent
68470602
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
29 additions
and
36 deletions
+29
-36
form_helper.rb
app/helpers/form_helper.rb
+2
-2
application_setting.rb
app/models/application_setting.rb
+1
-2
key.rb
app/models/key.rb
+0
-1
_key_details.html.haml
app/views/profiles/keys/_key_details.html.haml
+1
-1
17849-allow-admin-to-restrict-min-key-length-and-techno.yml
...849-allow-admin-to-restrict-min-key-length-and-techno.yml
+1
-1
20161020180657_add_minimum_key_length_to_application_settings.rb
...0180657_add_minimum_key_length_to_application_settings.rb
+4
-3
README.md
doc/security/README.md
+1
-1
ssh_keys_restrictions.md
doc/security/ssh_keys_restrictions.md
+4
-3
git_access.rb
lib/gitlab/git_access.rb
+1
-1
ssh_public_key.rb
lib/gitlab/ssh_public_key.rb
+6
-9
git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+8
-12
No files found.
app/helpers/form_helper.rb
View file @
b84ca08e
module
FormHelper
def
form_errors
(
model
,
headline
=
'The form contains the following
'
)
def
form_errors
(
model
,
type:
'form
'
)
return
unless
model
.
errors
.
any?
pluralized
=
'error'
.
pluralize
(
model
.
errors
.
count
)
headline
=
headline
+
' '
+
pluralized
+
':'
headline
=
"The
#{
type
}
contains the following
#{
pluralized
}
:"
content_tag
(
:div
,
class:
'alert alert-danger'
,
id:
'error_explanation'
)
do
content_tag
(
:h4
,
headline
)
<<
...
...
app/models/application_setting.rb
View file @
b84ca08e
...
...
@@ -442,8 +442,7 @@ class ApplicationSetting < ActiveRecord::Base
def
key_restriction_for
(
type
)
attr_name
=
"
#{
type
}
_key_restriction"
# rubocop:disable GitlabSecurity/PublicSend
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
# rubocop:disable GitlabSecurity/PublicSend
end
private
...
...
app/models/key.rb
View file @
b84ca08e
require
'digest/md5'
class
Key
<
ActiveRecord
::
Base
include
AfterCommitQueue
include
Gitlab
::
CurrentSettings
include
Sortable
...
...
app/views/profiles/keys/_key_details.html.haml
View file @
b84ca08e
...
...
@@ -16,7 +16,7 @@
%strong
=
@key
.
last_used_at
.
try
(
:to_s
,
:medium
)
||
'N/A'
.col-md-8
=
form_errors
(
@key
,
'The key has the following
'
)
unless
@key
.
valid?
=
form_errors
(
@key
,
type:
'key
'
)
unless
@key
.
valid?
%p
%span
.light
Fingerprint:
%code
.key-fingerprint
=
@key
.
fingerprint
...
...
changelogs/unreleased/17849-allow-admin-to-restrict-min-key-length-and-techno.yml
View file @
b84ca08e
---
title
:
Add settings for minimum key strength and allowed key type
title
:
Add settings for minimum
SSH
key strength and allowed key type
merge_request
:
13712
author
:
Cory Hinshaw
type
:
added
db/migrate/20161020180657_add_minimum_key_length_to_application_settings.rb
View file @
b84ca08e
...
...
@@ -7,12 +7,13 @@ class AddMinimumKeyLengthToApplicationSettings < ActiveRecord::Migration
disable_ddl_transaction!
def
up
# A key restriction has t
wo
possible states:
# A key restriction has t
hese
possible states:
#
# * -1 means "this key type is completely disabled"
# * >= 0 means "keys must have at least this many bits to be valid"
# * 0 means "all keys of this type are valid"
# * > 0 means "keys must have at least this many bits to be valid"
#
#
A value of 0 is equivalent to "there are no restrictions on keys of this type"
#
The default is 0, for backward compatibility
add_column_with_default
:application_settings
,
:rsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:dsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:ecdsa_key_restriction
,
:integer
,
default:
0
...
...
doc/security/README.md
View file @
b84ca08e
# Security
-
[
Password length limits
](
password_length_limits.md
)
-
[
Restrict
allowed
SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Restrict SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Rack attack
](
rack_attack.md
)
-
[
Webhooks and insecure internal web services
](
webhooks.md
)
-
[
Information exclusivity
](
information_exclusivity.md
)
...
...
doc/security/ssh_keys_restrictions.md
View file @
b84ca08e
...
...
@@ -2,12 +2,13 @@
`ssh-keygen`
allows users to create RSA keys with as few as 768 bits, which
falls well below recommendations from certain standards groups (such as the US
NIST). Some organizations deploying Git
l
ab will need to enforce minimum key
NIST). Some organizations deploying Git
L
ab will need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory
compliance.
Similarly, certain standards groups recommend using RSA or ECDSA over the older
DSA and administrators may need to limit the allowed SSH key algorithms.
Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
the older DSA, and administrators may need to limit the allowed SSH key
algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology.
...
...
lib/gitlab/git_access.rb
View file @
b84ca08e
...
...
@@ -34,8 +34,8 @@ module Gitlab
end
def
check
(
cmd
,
changes
)
check_valid_actor!
check_protocol!
check_valid_actor!
check_active_user!
check_project_accessibility!
check_project_moved!
...
...
lib/gitlab/ssh_public_key.rb
View file @
b84ca08e
...
...
@@ -13,6 +13,10 @@ module Gitlab
Technologies
.
find
{
|
tech
|
tech
.
name
.
to_s
==
name
.
to_s
}
end
def
self
.
technology_for_key
(
key
)
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
end
def
self
.
supported_sizes
(
name
)
technology
(
name
)
&
.
supported_sizes
end
...
...
@@ -37,9 +41,7 @@ module Gitlab
end
def
type
return
unless
valid?
technology
.
name
technology
.
name
if
valid?
end
def
bits
...
...
@@ -63,12 +65,7 @@ module Gitlab
def
technology
@technology
||=
begin
tech
=
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
raise
"Unsupported key type:
#{
key
.
class
}
"
unless
tech
tech
end
self
.
class
.
technology_for_key
(
key
)
||
raise
(
"Unsupported key type:
#{
key
.
class
}
"
)
end
end
end
spec/lib/gitlab/git_access_spec.rb
View file @
b84ca08e
...
...
@@ -165,12 +165,10 @@ describe Gitlab::GitAccess do
stub_application_setting
(
rsa_key_restriction:
4096
)
end
it
'does not allow keys which are too small'
do
aggregate_failures
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
end
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
end
end
...
...
@@ -179,12 +177,10 @@ describe Gitlab::GitAccess do
stub_application_setting
(
rsa_key_restriction:
ApplicationSetting
::
FORBIDDEN_KEY_VALUE
)
end
it
'does not allow keys which are too small'
do
aggregate_failures
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
end
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment