Make LDAP user update support adding sk-* format SSH keys

What does this MR do and why?

  • When LDAP users perform auth-related actions like signing in, the code syncs user data between the LDAP server and GitLab.
  • This includes adding SSH keys from the LDAP server to GitLab, if the sync feature is enabled.
  • sk-* type SSH keys (security keys) were not syncing because the code only supports non-sk-* keys.

This MR updates the LDAP sync logic to support adding sk-* keys during sync.

Alternatives

The fix is low-impact and purely additive: make the existing regex also match on sk-* keys, optionally. This ensures this fix won't break anything else or have unintended side effects.

I considered a couple of other options:

  1. Make the regex filter only on key types supported in SSHPublicKey::TECHNOLOGIES list
  2. Don't filter at all, and let the Key model validation fail adding any non-supported keys

I decided against these because:

  • They are larger changes that could have side effects.
  • They require more detailed testing and manual testing.
  • They change more behaviour than just fixing the sk-* bug.
  • I'm not against implementing either of the alternatives but I'd suggest doing them separately from fixing this bug.

References

Issue: #415363

How to set up and validate locally

  1. Follow these instructions to validate locally
  2. The above instructions verify that sk-* keys will be supported. To check that other non-sk-* types of keys continue to be supported, just add a bunch of different keys in step 4) when changing john's entry on the LDAP schema. Example:
Add more keys for `john` in `frontend.example.com.ldif`

```ldif
# frontend.example.com.ldif

...

dn: uid=john,ou=people,dc=example,dc=com
...
objectClass: ldapPublicKey
...
initials: JD
sshPublicKey: <key_from_issue_description>

dn: uid=mary,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: ldapPublicKey
...
initials: JD
sshPublicKey: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPnI5pgZCsItcMh9e4lVK3CBP7cU0RbYnDzFE73dtdQnAAAABHNzaDo=
sshPublicKey: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPnI5pgZCsItcMh9e4lVK3CBP7cU0RbYnDzFE73dtdQnAAAABHNzaDo= fake@email.com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETnVTgzqC1gatgSlC4zH6aYt2CAQzgJOhDRvf59ohL6 fake@email.com
...
```

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #415363

Edited by Jason Knabl
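
An added example, not code from this MR or from GitLab: it runs the `sshPublicKey` values from the LDIF above through a filter without and with an optional `sk-` prefix, then checks each extracted key's declared type against the algorithm name embedded in its blob. Both regexes and all function names are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's code. Both patterns are assumptions that
# stand in for the filter before and after the change described above.
LEGACY_KEY   = /(?:ssh|ecdsa)-\S+ \S+/
SK_AWARE_KEY = /(?:sk-)?(?:ssh|ecdsa)-\S+ \S+/

# sshPublicKey values copied from the LDIF example on this page.
SK_BLOB = 'AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPnI5pgZCsItcMh9e4lVK3CBP7cU0RbYnDzFE73dtdQnAAAABHNzaDo='
LDAP_VALUES = [
  "sk-ssh-ed25519@openssh.com #{SK_BLOB}",
  "sk-ssh-ed25519@openssh.com #{SK_BLOB} fake@email.com",
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETnVTgzqC1gatgSlC4zH6aYt2CAQzgJOhDRvf59ohL6 fake@email.com'
].freeze

# An OpenSSH public key blob starts with a 4-byte big-endian length followed
# by the algorithm name, so the declared type can be checked against it.
def embedded_type(blob_b64)
  raw = blob_b64.to_s.unpack1('m') # lenient base64 decode
  len = raw.unpack1('N')
  return nil if len.nil? || raw.bytesize < 4 + len

  raw.byteslice(4, len)
end

# True when the textual key type equals the type stored inside the blob.
def consistent?(key)
  type, blob = key.to_s.split(' ', 2)
  !type.nil? && embedded_type(blob) == type
end

# Pull "type blob" out of each attribute value; drop non-matches and duplicates.
def extract_keys(values, pattern)
  values.map { |v| v[pattern] }.compact.uniq
end

# Keep only extracted keys whose declared type survives the blob check.
def syncable_keys(values, pattern)
  extract_keys(values, pattern).select { |k| consistent?(k) }
end

if __FILE__ == $PROGRAM_NAME
  # The unanchored legacy pattern matches from "ssh-" onward and loses "sk-".
  p extract_keys(LDAP_VALUES, LEGACY_KEY).map { |k| k.split.first }
  p syncable_keys(LDAP_VALUES, SK_AWARE_KEY).map { |k| k.split.first }
end
```

With these assumed patterns, the older filter does not skip the security key: it extracts it with a truncated type that no longer matches its blob, so a later validation step would reject it.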
