Automatically upgrade SSH key restrictions in FIPS mode (!88597) · Merge requests · GitLab.org / GitLab

Stan Hu requested to merge sh-fips-upgrade-key-restrictions into master May 25, 2022

What does this MR do and why?

In FIPS mode, if the SSH key restrictions are not set or are too lenient, ApplicationSetting will not validate, which also prevents them from being saved.

To fix this, we add a before_validation hook that will tighten the key restrictions. If a key type is disabled, we honor that setting. However, a key size restriction is too lenient, then we automatically promote the setting to the minimum required by FIPS.

This helps tests run in FIPS mode without having to change the ApplicationSetting factory to set the right value. This also fixes an issue where the UI can't be updated unless a user manually updates the key restrictions.

Relates to #358985

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited May 25, 2022 by Stan Hu

Automatically upgrade SSH key restrictions in FIPS mode

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports