2019-07-07 11:18:12 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2014-09-02 18:07:02 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
RSpec.describe Key, :mailer do
|
2014-09-02 18:07:02 +05:30
|
|
|
describe "Associations" do
|
2015-04-26 12:48:37 +05:30
|
|
|
it { is_expected.to belong_to(:user) }
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
describe "Validation" do
|
2015-04-26 12:48:37 +05:30
|
|
|
it { is_expected.to validate_presence_of(:title) }
|
2017-08-17 22:00:37 +05:30
|
|
|
it { is_expected.to validate_length_of(:title).is_at_most(255) }
|
|
|
|
|
2015-04-26 12:48:37 +05:30
|
|
|
it { is_expected.to validate_presence_of(:key) }
|
2017-08-17 22:00:37 +05:30
|
|
|
it { is_expected.to validate_length_of(:key).is_at_most(5000) }
|
2018-03-17 18:26:18 +05:30
|
|
|
it { is_expected.to allow_value(attributes_for(:rsa_key_2048)[:key]).for(:key) }
|
2018-03-27 19:54:05 +05:30
|
|
|
it { is_expected.to allow_value(attributes_for(:rsa_key_4096)[:key]).for(:key) }
|
|
|
|
it { is_expected.to allow_value(attributes_for(:rsa_key_5120)[:key]).for(:key) }
|
|
|
|
it { is_expected.to allow_value(attributes_for(:rsa_key_8192)[:key]).for(:key) }
|
2018-03-17 18:26:18 +05:30
|
|
|
it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
|
|
|
|
it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
|
|
|
|
it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
|
2022-04-04 11:22:00 +05:30
|
|
|
it { is_expected.to allow_value(attributes_for(:ecdsa_sk_key_256)[:key]).for(:key) }
|
|
|
|
it { is_expected.to allow_value(attributes_for(:ed25519_sk_key_256)[:key]).for(:key) }
|
2017-08-17 22:00:37 +05:30
|
|
|
it { is_expected.not_to allow_value('foo-bar').for(:key) }
|
2022-03-02 08:16:31 +05:30
|
|
|
|
|
|
|
context 'key format' do
|
|
|
|
let(:key) { build(:key) }
|
|
|
|
|
|
|
|
it 'does not allow the key that begins with an algorithm name that is unsupported' do
|
|
|
|
key.key = 'unsupported-ssh-rsa key'
|
|
|
|
|
|
|
|
key.valid?
|
|
|
|
|
|
|
|
expect(key.errors.of_kind?(:key, :invalid)).to eq(true)
|
|
|
|
end
|
|
|
|
|
|
|
|
Gitlab::SSHPublicKey.supported_algorithms.each do |supported_algorithm|
|
|
|
|
it "allows the key that begins with supported algorithm name '#{supported_algorithm}'" do
|
|
|
|
key.key = "#{supported_algorithm} key"
|
|
|
|
|
|
|
|
key.valid?
|
|
|
|
|
|
|
|
expect(key.errors.of_kind?(:key, :invalid)).to eq(false)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2022-07-23 23:45:48 +05:30
|
|
|
|
|
|
|
describe 'validation of banned keys' do
|
|
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
|
|
|
|
let(:key) { build(:key) }
|
|
|
|
let(:banned_keys) do
|
|
|
|
[
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7ue3rc/DvXh2y' \
|
|
|
|
'x5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW' \
|
|
|
|
'26s2bBXWgUPiC93T3TA6L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok= mateidu@localhost',
|
|
|
|
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBnZQ+6nhlPX/JnX5i5hXpljJ89bSnnrsSs51' \
|
|
|
|
'hSPuoJGmoKowBddISK7s10AIpO0xAWGcr8PUr2FOjEBbDHqlRxoXF0Ocms9xv3ql9EYUQ5' \
|
|
|
|
'+U+M6BymWhNTFPOs6gFHUl8Bw3t6c+SRKBpfRFB0yzBj9d093gSdfTAFoz+yLo4vRw==',
|
|
|
|
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPq' \
|
|
|
|
'rskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUV' \
|
|
|
|
'r4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser',
|
|
|
|
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr' \
|
|
|
|
'+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6' \
|
|
|
|
'IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5' \
|
|
|
|
'y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0j' \
|
|
|
|
'MZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98' \
|
|
|
|
'OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key',
|
|
|
|
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7ue3rc/DvXh2yx' \
|
|
|
|
'5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW26' \
|
|
|
|
's2bBXWgUPiC93T3TA6L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok= mateidu@localhost',
|
|
|
|
|
|
|
|
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAn8LoId2N5i28cNKuEWWea3yt0I/LdT/NRO' \
|
|
|
|
'rF44WZewtxch+DIwteQhM1qL6EKUSqz3Q2geX1crpOsNnyh67xy5lNo086u/QewOCSRAUG' \
|
|
|
|
'rQCXqFQ4JU8ny/qugWALQHjbIaPHj/3zMK09r4cpTSeAU7CW5nQyTKGmh7v9CAfWfcs= adam@localhost.localdomain',
|
|
|
|
|
|
|
|
'ssh-dss AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4h' \
|
|
|
|
'Bqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmit' \
|
|
|
|
'sozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuW' \
|
|
|
|
'H90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlw' \
|
|
|
|
'MtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5N' \
|
|
|
|
'xYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9' \
|
|
|
|
'CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr' \
|
|
|
|
'4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWr' \
|
|
|
|
'PeEY1txLMmX3wDa+JvJL7fmuBg==',
|
|
|
|
|
|
|
|
'ssh-dss AAAAB3NzaC1kc3MAAACBAMq5EcIFdfCjJakyQnP/BBp9oc6mpaZVguf0Znp5C4' \
|
|
|
|
'0twiG1lASQJZlM1qOB/hkBWYeBCHUkcOLEnVXSZzB62L+W/LGKodqnsiQPRr57AA6jPc6m' \
|
|
|
|
'NBnejHai8cSdAl9n/0s2IQjdcrxM8CPq2uEyfm0J3AV6Lrbbxr5NgE5xxM+DAAAAFQCmFk' \
|
|
|
|
'/M7Rx2jexsJ9COpHkHwUjcNQAAAIAdg18oByp/tjjDKhWhmmv+HbVIROkRqSxBvuEZEmcW' \
|
|
|
|
'lg38mLIT1bydfpSou/V4rI5ctxwCfJ1rRr66pw6GwCrz4fXmyVlhrj7TrktyQ9+zRXhynF' \
|
|
|
|
'4wdNPWErhNHb8tGlSOFiOBcUTlouX3V/ka6Dkd6ZQrZLQFaH+gjfyTZZ82HQAAAIEArsJg' \
|
|
|
|
'p7RLPOsCeLqoia/eljseBFVDazO5Q0ysUotTw9wgXGGVWREwm8wNggFNb9eCiBAAUfVZVf' \
|
|
|
|
'hVAtFT0pBf/eIVLPXyaMw3prBt7LqeBrbagODc3WAAdMTPIdYYcOKgv+YvTXa51zG64v6p' \
|
|
|
|
'QOfS8WXgKCzDl44puXfYeDk5lVQ=',
|
|
|
|
|
|
|
|
'ssh-dss AAAAB3NzaC1kc3MAAACBAKwKBw7D4OA1H/uD4htdh04TBIHdbSjeXUSnWJsce8' \
|
|
|
|
'C0tvoB01Yarjv9TFj+tfeDYVWtUK1DA1JkyqSuoAtDANJzF4I6Isyd0KPrW3dHFTcg6Xlz' \
|
|
|
|
'8d3KEaHokY93NOmB/xWEkhme8b7Q0U2iZie2pgWbTLXV0FA+lhskTtPHW3+VAAAAFQDRya' \
|
|
|
|
'yUlVZKXEweF3bUe03zt9e8VQAAAIAEPK1k3Y6ErAbIl96dnUCnZjuWQ7xXy062pf63QuRW' \
|
|
|
|
'I6LYSscm3f1pEknWUNFr/erQ02pkfi2eP9uHl1TI1ql+UmJX3g3frfssLNZwWXAW0m8PbY' \
|
|
|
|
'3HZSs+f5hevM3ua32pnKDmbQ2WpvKNyycKHi81hSI14xMcdblJolhN5iY8/wAAAIAjEe5+' \
|
|
|
|
'0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1MjxsAC/vthWYSTYXORkDFM' \
|
|
|
|
'hrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl2ZejLFdTJFwFgcfXz+iQ1mx6h9TP' \
|
|
|
|
'X1crE1KoMAVOj3yKVfKpLB1EkA== root@lbslave',
|
|
|
|
|
|
|
|
'ssh-dss AAAAB3NzaC1kc3MAAACBAN3AITryJMQyOKZjAky+mQ/8pOHIlu4q8pzmR0qotK' \
|
|
|
|
'aLm2yye5a0PY2rOaQRAzi7EPheBXbqTb8a8TrHhGXI5P7GUHaJho5HhEnw+5TwAvP72L7L' \
|
|
|
|
'cPwxMxj/rLcR/jV+uLMsVeJVWjwJcUv83yzPXoVjK0hrIm+RLLeuTM+gTylHAAAAFQD5gB' \
|
|
|
|
'dXsXAiTz1atzMg3xDFF1zlowAAAIAlLy6TCMlOBM0IcPsvP/9bEjDj0M8YZazdqt4amO2I' \
|
|
|
|
'aNUPYt9/sIsLOQfxIj8myDK1TOp8NyRJep7V5aICG4f3Q+XktlmLzdWn3sjvbWuIAXe1op' \
|
|
|
|
'jG2T69YhxfHZr8Wn7P4tpCgyqM4uHmUKrfnBzQQ9vkUUWsZoUXM2Z7vUXVfQAAAIAU6eNl' \
|
|
|
|
'phQWDwx0KOBiiYhF9BM6kDbQlyw8333rAG3G4CcjI2G8eYGtpBNliaD185UjCEsjPiudhG' \
|
|
|
|
'il/j4Zt/+VY3aGOLoi8kqXBBc8ZAML9bbkXpyhQhMgwiywx3ciFmvSn2UAin8yurStYPQx' \
|
|
|
|
'tXauZN5PYbdwCHPS7ApIStdpMA== wood@endec1',
|
|
|
|
|
|
|
|
'ssh-dss AAAAB3NzaC1kc3MAAACBAISAE3CAX4hsxTw0dRc0gx8nQ41r3Vkj9OmG6LGeKW' \
|
|
|
|
'Rmpy7C6vaExuupjxid76fd4aS56lCUEEoRlJ3zE93qoK9acI6EGqGQFLuDZ0fqMyRSX+il' \
|
|
|
|
'f+1HDo/TRyuraggxp9Hj9LMpZVbpFATMm0+d9Xs7eLmaJjuMsowNlOf8NFdHAAAAFQCwdv' \
|
|
|
|
'qOAkR6QhuiAapQ/9iVuR0UAQAAAIBpLMo4dhSeWkChfv659WLPftxRrX/HR8YMD/jqa3R4' \
|
|
|
|
'PsVM2g6dQ1191nHugtdV7uaMeOqOJ/QRWeYM+UYwT0Zgx2LqvgVSjNDfdjk+ZRY8x3SmEx' \
|
|
|
|
'Fi62mKFoTGSOCXfcAfuanjaoF+sepnaiLUd+SoJShGYHoqR2QWiysTRqknlwAAAIBLEgYm' \
|
|
|
|
'r9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK6X/6VivPAUWmmmev/BuAs8' \
|
|
|
|
'M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrnk/inYAp5l29hjidoAONcXoHmUAMY' \
|
|
|
|
'OKqn63Q2AsDpExVcmfj99/BlpQ=='
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when ssh_banned_key feature flag is enabled with a user' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(ssh_banned_key: user)
|
|
|
|
end
|
|
|
|
|
|
|
|
where(:key_content) { banned_keys }
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
it 'does not allow banned keys' do
|
|
|
|
key.key = key_content
|
|
|
|
key.user = user
|
|
|
|
|
|
|
|
expect(key).to be_invalid
|
|
|
|
expect(key.errors[:key]).to include(
|
|
|
|
_('cannot be used because it belongs to a compromised private key. Stop using this key and generate a new one.'))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows when the user is a ghost user' do
|
|
|
|
key.key = key_content
|
|
|
|
key.user = User.ghost
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows when the user is nil' do
|
|
|
|
key.key = key_content
|
|
|
|
key.user = nil
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows other keys' do
|
|
|
|
key.user = user
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows other users' do
|
|
|
|
key.user = User.ghost
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when ssh_banned_key feature flag is disabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(ssh_banned_key: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
where(:key_content) { banned_keys }
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
it 'allows banned keys' do
|
|
|
|
key.key = key_content
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows other keys' do
|
|
|
|
expect(key).to be_valid
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
describe "Methods" do
|
2016-09-13 17:45:13 +05:30
|
|
|
let(:user) { create(:user) }
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2015-04-26 12:48:37 +05:30
|
|
|
it { is_expected.to respond_to :projects }
|
2015-09-11 14:41:01 +05:30
|
|
|
it { is_expected.to respond_to :publishable_key }
|
|
|
|
|
|
|
|
describe "#publishable_keys" do
|
2016-09-13 17:45:13 +05:30
|
|
|
it 'replaces SSH key comment with simple identifier of username + hostname' do
|
2017-08-17 22:00:37 +05:30
|
|
|
expect(build(:key, user: user).publishable_key).to include("#{user.name} (#{Gitlab.config.gitlab.host})")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe "#update_last_used_at" do
|
2018-03-17 18:26:18 +05:30
|
|
|
it 'updates the last used timestamp' do
|
|
|
|
key = build(:key)
|
|
|
|
service = double(:service)
|
|
|
|
|
|
|
|
expect(Keys::LastUsedService).to receive(:new)
|
|
|
|
.with(key)
|
|
|
|
.and_return(service)
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(service).to receive(:execute)
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
key.update_last_used_at
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
describe 'scopes' do
|
|
|
|
describe '.for_user' do
|
|
|
|
let(:user_1) { create(:user) }
|
|
|
|
let(:key_of_user_1) { create(:personal_key, user: user_1) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create_list(:personal_key, 2, user: create(:user))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns keys of the specified user only' do
|
|
|
|
expect(described_class.for_user(user_1)).to contain_exactly(key_of_user_1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.order_last_used_at_desc' do
|
|
|
|
it 'sorts by last_used_at descending, with null values at last' do
|
|
|
|
key_1 = create(:personal_key, last_used_at: 7.days.ago)
|
|
|
|
key_2 = create(:personal_key, last_used_at: nil)
|
|
|
|
key_3 = create(:personal_key, last_used_at: 2.days.ago)
|
|
|
|
|
|
|
|
expect(described_class.order_last_used_at_desc)
|
|
|
|
.to eq([key_3, key_1, key_2])
|
|
|
|
end
|
|
|
|
end
|
2021-04-29 21:17:54 +05:30
|
|
|
|
|
|
|
context 'expiration scopes' do
|
|
|
|
let_it_be(:user) { create(:user) }
|
2022-07-16 23:28:13 +05:30
|
|
|
let_it_be(:expired_today_not_notified) { create(:key, :expired_today, user: user) }
|
|
|
|
let_it_be(:expired_today_already_notified) { create(:key, :expired_today, user: user, expiry_notification_delivered_at: Time.current) }
|
|
|
|
let_it_be(:expired_yesterday) { create(:key, :expired, user: user) }
|
2021-04-29 21:17:54 +05:30
|
|
|
let_it_be(:expiring_soon_unotified) { create(:key, expires_at: 3.days.from_now, user: user) }
|
|
|
|
let_it_be(:expiring_soon_notified) { create(:key, expires_at: 4.days.from_now, user: user, before_expiry_notification_delivered_at: Time.current) }
|
|
|
|
let_it_be(:future_expiry) { create(:key, expires_at: 1.month.from_now, user: user) }
|
|
|
|
|
2021-12-11 22:18:48 +05:30
|
|
|
describe '.expired_today_and_not_notified' do
|
2022-07-16 23:28:13 +05:30
|
|
|
it 'returns keys that expire today and have not been notified' do
|
2021-12-11 22:18:48 +05:30
|
|
|
expect(described_class.expired_today_and_not_notified).to contain_exactly(expired_today_not_notified)
|
2021-04-29 21:17:54 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.expiring_soon_and_not_notified' do
|
|
|
|
it 'returns keys that will expire soon' do
|
|
|
|
expect(described_class.expiring_soon_and_not_notified).to contain_exactly(expiring_soon_unotified)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
|
2022-06-21 17:19:12 +05:30
|
|
|
context 'validation of uniqueness (based on fingerprint uniqueness)' do
|
2014-09-02 18:07:02 +05:30
|
|
|
let(:user) { create(:user) }
|
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
it 'accepts the key once' do
|
|
|
|
expect(build(:rsa_key_4096, user: user)).to be_valid
|
|
|
|
end
|
2022-06-21 17:19:12 +05:30
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
it 'does not accept the exact same key twice' do
|
|
|
|
first_key = create(:rsa_key_4096, user: user)
|
2022-06-21 17:19:12 +05:30
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(build(:key, user: user, key: first_key.key)).not_to be_valid
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
it 'does not accept a duplicate key with a different comment' do
|
|
|
|
first_key = create(:rsa_key_4096, user: user)
|
|
|
|
duplicate = build(:key, user: user, key: first_key.key)
|
|
|
|
duplicate.key << ' extra comment'
|
2022-06-21 17:19:12 +05:30
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(duplicate).not_to be_valid
|
2022-06-21 17:19:12 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'fingerprint generation' do
|
|
|
|
it 'generates both md5 and sha256 fingerprints' do
|
|
|
|
key = build(:rsa_key_4096)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2022-06-21 17:19:12 +05:30
|
|
|
expect(key).to be_valid
|
|
|
|
expect(key.fingerprint).to be_kind_of(String)
|
|
|
|
expect(key.fingerprint_sha256).to be_kind_of(String)
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2022-06-21 17:19:12 +05:30
|
|
|
context 'with FIPS mode', :fips_mode do
|
|
|
|
it 'generates only sha256 fingerprint' do
|
|
|
|
key = build(:rsa_key_4096)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2022-06-21 17:19:12 +05:30
|
|
|
expect(key).to be_valid
|
|
|
|
expect(key.fingerprint).to be_nil
|
|
|
|
expect(key.fingerprint_sha256).to be_kind_of(String)
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "validate it is a fingerprintable key" do
|
|
|
|
it "accepts the fingerprintable key" do
|
2015-04-26 12:48:37 +05:30
|
|
|
expect(build(:key)).to be_valid
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2015-04-26 12:48:37 +05:30
|
|
|
it 'rejects the unfingerprintable key (not a key)' do
|
|
|
|
expect(build(:key, key: 'ssh-rsa an-invalid-key==')).not_to be_valid
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
where(:factory, :characters, :expected_sections) do
|
2018-03-27 19:54:05 +05:30
|
|
|
[
|
|
|
|
[:key, ["\n", "\r\n"], 3],
|
|
|
|
[:key, [' ', ' '], 3],
|
|
|
|
[:key_without_comment, [' ', ' '], 2]
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
with_them do
|
2021-09-04 01:27:46 +05:30
|
|
|
let!(:key) { create(factory) } # rubocop:disable Rails/SaveBang
|
2018-03-27 19:54:05 +05:30
|
|
|
let!(:original_fingerprint) { key.fingerprint }
|
2020-01-01 13:55:28 +05:30
|
|
|
let!(:original_fingerprint_sha256) { key.fingerprint_sha256 }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
it 'accepts a key with blank space characters after stripping them' do
|
2021-01-29 00:20:46 +05:30
|
|
|
modified_key = key.key.insert(100, characters.first).insert(40, characters.last)
|
2018-03-27 19:54:05 +05:30
|
|
|
_, content = modified_key.split
|
|
|
|
|
|
|
|
key.update!(key: modified_key)
|
|
|
|
|
|
|
|
expect(key).to be_valid
|
|
|
|
expect(key.key.split.size).to eq(expected_sections)
|
|
|
|
|
|
|
|
expect(content).not_to match(/\s/)
|
|
|
|
expect(original_fingerprint).to eq(key.fingerprint)
|
2020-01-01 13:55:28 +05:30
|
|
|
expect(original_fingerprint).to eq(key.fingerprint_md5)
|
|
|
|
expect(original_fingerprint_sha256).to eq(key.fingerprint_sha256)
|
2018-03-27 19:54:05 +05:30
|
|
|
end
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
context 'validate it meets key restrictions' do
|
|
|
|
where(:factory, :minimum, :result) do
|
|
|
|
forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
|
|
|
|
|
|
|
|
[
|
2022-04-04 11:22:00 +05:30
|
|
|
[:rsa_key_2048, 0, true],
|
|
|
|
[:dsa_key_2048, 0, true],
|
|
|
|
[:ecdsa_key_256, 0, true],
|
|
|
|
[:ed25519_key_256, 0, true],
|
|
|
|
[:ecdsa_sk_key_256, 0, true],
|
|
|
|
[:ed25519_sk_key_256, 0, true],
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
[:rsa_key_2048, 1024, true],
|
|
|
|
[:rsa_key_2048, 2048, true],
|
|
|
|
[:rsa_key_2048, 4096, false],
|
|
|
|
|
|
|
|
[:dsa_key_2048, 1024, true],
|
|
|
|
[:dsa_key_2048, 2048, true],
|
|
|
|
[:dsa_key_2048, 4096, false],
|
|
|
|
|
|
|
|
[:ecdsa_key_256, 256, true],
|
|
|
|
[:ecdsa_key_256, 384, false],
|
|
|
|
|
|
|
|
[:ed25519_key_256, 256, true],
|
|
|
|
[:ed25519_key_256, 384, false],
|
|
|
|
|
2022-04-04 11:22:00 +05:30
|
|
|
[:ecdsa_sk_key_256, 256, true],
|
|
|
|
[:ecdsa_sk_key_256, 384, false],
|
|
|
|
|
|
|
|
[:ed25519_sk_key_256, 256, true],
|
|
|
|
[:ed25519_sk_key_256, 384, false],
|
|
|
|
|
|
|
|
[:rsa_key_2048, forbidden, false],
|
|
|
|
[:dsa_key_2048, forbidden, false],
|
|
|
|
[:ecdsa_key_256, forbidden, false],
|
|
|
|
[:ed25519_key_256, forbidden, false],
|
|
|
|
[:ecdsa_sk_key_256, forbidden, false],
|
|
|
|
[:ed25519_sk_key_256, forbidden, false]
|
2018-03-17 18:26:18 +05:30
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
subject(:key) { build(factory) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_application_setting("#{key.public_key.type}_key_restriction" => minimum)
|
|
|
|
end
|
|
|
|
|
|
|
|
it { expect(key.valid?).to eq(result) }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-09-02 18:07:02 +05:30
|
|
|
context 'callbacks' do
|
2020-04-08 14:13:33 +05:30
|
|
|
let(:key) { build(:personal_key) }
|
|
|
|
|
|
|
|
context 'authorized keys file is enabled' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(authorized_keys_enabled: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'adds new key to authorized_file' do
|
|
|
|
allow(AuthorizedKeysWorker).to receive(:perform_async)
|
|
|
|
|
|
|
|
key.save!
|
|
|
|
|
|
|
|
# Check after the fact so we have access to Key#id
|
|
|
|
expect(AuthorizedKeysWorker).to have_received(:perform_async).with(:add_key, key.shell_id, key.key)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes key from authorized_file' do
|
|
|
|
key.save!
|
|
|
|
|
|
|
|
expect(AuthorizedKeysWorker).to receive(:perform_async).with(:remove_key, key.shell_id)
|
|
|
|
|
2021-09-04 01:27:46 +05:30
|
|
|
key.destroy!
|
2020-04-08 14:13:33 +05:30
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
2020-04-08 14:13:33 +05:30
|
|
|
context 'authorized_keys file is disabled' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(authorized_keys_enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not add the key on creation' do
|
|
|
|
expect(AuthorizedKeysWorker).not_to receive(:perform_async)
|
|
|
|
|
|
|
|
key.save!
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not remove the key on destruction' do
|
|
|
|
key.save!
|
|
|
|
|
|
|
|
expect(AuthorizedKeysWorker).not_to receive(:perform_async)
|
|
|
|
|
2021-09-04 01:27:46 +05:30
|
|
|
key.destroy!
|
2020-04-08 14:13:33 +05:30
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#key=' do
|
|
|
|
let(:valid_key) do
|
|
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0= dummy@gitlab.com"
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'strips white spaces' do
|
|
|
|
expect(described_class.new(key: " #{valid_key} ").key).to eq(valid_key)
|
|
|
|
end
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
it 'invalidates the public_key attribute' do
|
|
|
|
key = build(:key)
|
|
|
|
|
|
|
|
original = key.public_key
|
|
|
|
key.key = valid_key
|
|
|
|
|
|
|
|
expect(original.key_text).not_to be_nil
|
|
|
|
expect(key.public_key.key_text).to eq(valid_key)
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
describe '#refresh_user_cache', :use_clean_rails_memory_store_caching do
|
|
|
|
context 'when the key belongs to a user' do
|
|
|
|
it 'refreshes the keys count cache for the user' do
|
|
|
|
expect_any_instance_of(Users::KeysCountService)
|
|
|
|
.to receive(:refresh_cache)
|
|
|
|
.and_call_original
|
|
|
|
|
|
|
|
key = create(:personal_key)
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(Users::KeysCountService.new(key.user).count).to eq(1)
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the key does not belong to a user' do
|
|
|
|
it 'does nothing' do
|
|
|
|
expect_any_instance_of(Users::KeysCountService)
|
|
|
|
.not_to receive(:refresh_cache)
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
create(:key)
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|