Introduce concern for resetting secret fields

Markus Kollerrequested to merge
344099-reset-password-fields into master

What does this MR do and why?

We want to force users to re-enter secret fields when changing certain other fields (such as URLs), which can unintentionally expose the secret fields.

This adds a new concern to handle this logic, and sets it up in the Jira integration. In future MRs we also want to reuse this concern for other integrations which currently duplicate this logic.

Exposing fields can be marked with the exposing_secrets: flag in the Field DSL.

The Jira integration also had some custom logic where the url field was only considered if the api_url was blank, but to generalize this we're now resetting the secrets if either of the URL fields has changed.

Issue: #344099 (closed)

How to set up and validate locally

  1. Open a project.
  2. Navigate to Settings -> Integrations -> Jira.
    1. Enable the Active checkbox.
    2. Enter http://example.com in Web URL.
    3. Enter an email address in Username or Email.
    4. Enter any value in Password or API token.
  3. Click Save changes -> Form should be saved without errors.
  4. Test that passwords are not reset when not necessary:
    1. Click Save changes without changing any fields -> Form should be saved without errors.
    2. Enter any value for Password or API token and click Save changes -> Form should be saved without errors.
  5. Test that passwords are reset when necessary:
    1. Change Web URL and click Save changes -> Form should show errors for the Password or API token field.
    2. Enter a valid URL in Jira API URL and click Save changes -> Form should show errors for the Password or API token field.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #344099 (closed)

Edited by Markus Koller

Merge request reports