diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb
index 195a400b6f5884b95ee37943256c98c6679712b8..7f43c1939fae18b07451b27c55d26db4608304f2 100644
--- a/ee/app/controllers/ee/admin/application_settings_controller.rb
+++ b/ee/app/controllers/ee/admin/application_settings_controller.rb
@@ -132,6 +132,11 @@ def visible_application_setting_attributes attrs << :git_two_factor_session_expiry end + if License.feature_available?(:pre_receive_secret_detection) && + ::Feature.enabled?(:secret_detection_application_setting) + attrs << :pre_receive_secret_detection_enabled + end + if License.feature_available?(:admin_merge_request_approvers_rules) attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes end
diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb
index e242b1b7910668e183a45c1a80fbc41ddae08882..d649ce2c406de9f2378309e073b2afc28869621f 100644
--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -201,6 +201,9 @@ module ApplicationSetting numericality: { only_integer: true, greater_than: proc { Devise.allow_unconfirmed_access_for.in_days.to_i } }, if: :email_confirmation_setting_soft? + validates :pre_receive_secret_detection_enabled, + inclusion: { in: [true, false], message: N_('must be a boolean value') } + alias_attribute :delayed_project_deletion, :delayed_project_removal before_save :update_lock_delayed_project_removal, if: :delayed_group_deletion_changed?
diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml
new file mode 100644
index 0000000000000000000000000000000000000000..ba20cc6bdb0167d31db7e5cf43cbb01404dcf9e3
--- /dev/null
+++ b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml
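Review bot: The condition that decides whether `pre_receive_secret_detection_enabled` is accepted is written out twice in this MR — here as license-then-flag, and in the `security_and_compliance` view as flag-then-license — so the two can drift and an admin could be shown a checkbox whose value the controller quietly ignores, or the reverse. Extract a single predicate, e.g. in `EE::ApplicationSettingsHelper`: `def pre_receive_secret_detection_setting_available?; License.feature_available?(:pre_receive_secret_detection) && ::Feature.enabled?(:secret_detection_application_setting); end`, and call it from both the controller and the view. Since `attrs` presumably feeds the strong-params allowlist, this branch is the actual enforcement point; a one-line comment such as `# Unlisted params are dropped silently, not rejected — the spec relies on this` would stop a future reader from expecting a 4xx when the flag is off. `visible_application_setting_attributes` starts and ends outside the hunk.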
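Review bot: The new `validates :pre_receive_secret_detection_enabled, inclusion: { in: [true, false] }` runs on every `ApplicationSetting` save regardless of license or the `secret_detection_application_setting` flag, so it silently assumes the column always holds a real boolean. No migration is part of this diff; if the column is nullable, or was added without a default on existing instances, any unrelated settings save would start failing with "must be a boolean value" until an admin touches this one field. Confirm the column is `null: false` with a default (presumably `false`), and record that assumption next to the validation, e.g. `# Column is NOT NULL with a default, so this only rejects non-boolean input.` The enclosing `module ApplicationSetting` body continues outside the hunk.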
@@ -0,0 +1,10 @@ += gitlab_ui_form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-secret-detection-settings'), html: { class: 'fieldset-form', id: 'secret-detection-settings' } do |f| + = form_errors(@application_setting) + + %fieldset + .form-group + = f.label :pre_receive_secret_detection_enabled, s_('AdminSettings|Pre-receive secret detection'), class: 'label-bold gl-mb-0' + %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help + = _('Minimize the risk of secrets from being committed to any repository in this GitLab instance.') + = f.gitlab_ui_checkbox_component :pre_receive_secret_detection_enabled, _('Enable pre-receive secret detection') + = f.submit _('Save changes'), pajamas_button: true
diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml
index 1c887795f660830089ed1371f1184e0c22ea13dc..ad911e0a5fd10d937529cb1cbbec355c5c2ef17e 100644
--- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml
+++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml
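Review bot: The form posts to `general_admin_application_settings_path(anchor: 'js-secret-detection-settings')`, but this partial is rendered from the Security and Compliance page, so the anchor names a section that does not exist on the General page; if `update` redirects to the submitted path rather than the referer, the admin lands on the wrong page after saving. Use `security_and_compliance_admin_application_settings_path(anchor: 'js-secret-detection-settings')` (presumably what the sibling `license_compliance` partial does), or confirm the redirect always follows the referer. Separately, the help text `Minimize the risk of secrets from being committed…` is ungrammatical; `Minimize the risk of secrets being committed to any repository in this GitLab instance.` reads correctly, and the matching `gitlab.pot` entry would need the same change.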
@@ -13,3 +13,15 @@ = _('Settings for the License Compliance feature') .settings-content = render 'license_compliance' + +- if Feature.enabled?(:secret_detection_application_setting) && License.feature_available?(:pre_receive_secret_detection) + %section.settings.as-secret-detection.no-animate#js-secret-detection-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'admin-secret-detection-settings' } } + .settings-header + %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only + = _('Secret Detection') + = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do + = expanded_by_default? ? _('Collapse') : _('Expand') + %p.gl-text-secondary + = _('Configure secret detection behavior for all projects in your GitLab instance') + .settings-content + = render 'pre_receive_secret_detection'
diff --git a/ee/config/feature_flags/development/secret_detection_application_setting.yml b/ee/config/feature_flags/development/secret_detection_application_setting.yml
new file mode 100644
index 0000000000000000000000000000000000000000..17b32abee9be5d0d08679ecf4742c08a4c3fcd6e
--- /dev/null
+++ b/ee/config/feature_flags/development/secret_detection_application_setting.yml
@@ -0,0 +1,8 @@
+---
+name: secret_detection_application_setting
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135273
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/431584
+milestone: '16.7'
+type: development
+group: group::static analysis
+default_enabled: false
diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb
index d295502938ef7580c83913bd60e77ee9c397071d..707d3f2999b4daee7d2653494e452c0fe5245b99 100644
--- a/ee/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb
@@ -266,6 +266,25 @@ end end + context 'secret detection settings' do + let(:settings) { { pre_receive_secret_detection_enabled: true } } + let(:feature) { :pre_receive_secret_detection } + + it_behaves_like 'settings for licensed features' + + context 'when secret_detection_application_setting feature flag is disabled' do + before do + stub_licensed_features(feature => true) + stub_feature_flags(secret_detection_application_setting: false) + end + + it 'does not update pre_receive_secret_detection_enabled setting' do + expect { put :update, params: { application_setting: settings } } + .not_to change { ApplicationSetting.current.reload.attributes['pre_receive_secret_detection_enabled'] } + end + end + end + it 'updates repository_size_limit' do put :update, params: { application_setting: { repository_size_limit: '100' } }
diff --git a/ee/spec/models/application_setting_spec.rb b/ee/spec/models/application_setting_spec.rb
index e6c5291b14a5c7956523d3d25157d20f298fde96..cc8c50cd9aa1f030872161652d33b1f8e580d790 100644
--- a/ee/spec/models/application_setting_spec.rb
+++ b/ee/spec/models/application_setting_spec.rb
@@ -197,6 +197,10 @@ it { is_expected.not_to allow_value("a" * (subject.email_additional_text_character_limit + 1)).for(:email_additional_text) } end + describe 'secret detection validations', feature_category: :secret_detection do + it { is_expected.to validate_inclusion_of(:pre_receive_secret_detection_enabled).in_array([true, false]) } + end + describe 'when secret detection token revocation is enabled', feature_category: :secret_detection do before do stub_application_setting(secret_detection_token_revocation_enabled: true)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c7dfb517b45fcfeafefc10e0fce6c41d8af5a5c1..90e57e5c090b93d0297fbe62c1f6d463204ea0dd 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
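Review bot: The flag-disabled example only asserts that the column did not change; it never checks the response, so an exception raised anywhere inside `update` would also satisfy `.not_to change`, and the test cannot tell "param dropped" from "request failed". Add `expect(response).to have_gitlab_http_status(:found)` (or whichever status the neighbouring examples in this file assert) inside the example, and consider a mirror example with the flag enabled and the feature licensed asserting `.to change { ... }.to(true)`, unless 'settings for licensed features' already covers the enabled path — that shared example is defined outside this hunk, so I cannot tell. Style: `ApplicationSetting.current.reload.pre_receive_secret_detection_enabled` reads more directly than going through `attributes[...]`.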
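Review bot: `validate_inclusion_of(:pre_receive_secret_detection_enabled).in_array([true, false])` is the one shape shoulda-matchers itself warns about: on a boolean column it cannot construct a non-boolean value that survives ActiveRecord's type-casting, so as far as I recall it passes (with a warning) even if the validation is removed, and it never exercises `nil`, which is the case the validation actually guards. Pin the real contract instead with `it { is_expected.to allow_value(true, false).for(:pre_receive_secret_detection_enabled) }` and `it { is_expected.not_to allow_value(nil).for(:pre_receive_secret_detection_enabled) }`. The surrounding `describe` block for the model begins outside the hunk.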
@@ -3647,6 +3647,9 @@ msgstr "" msgid "AdminSettings|Pause Elasticsearch indexing" msgstr "" +msgid "AdminSettings|Pre-receive secret detection" +msgstr "" + msgid "AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets." msgstr ""
@@ -12846,6 +12849,9 @@ msgstr "" msgid "Configure repository storage." msgstr "" +msgid "Configure secret detection behavior for all projects in your GitLab instance" +msgstr "" + msgid "Configure settings for Advanced Search with Elasticsearch." msgstr ""
@@ -18393,6 +18399,9 @@ msgstr "" msgid "Enable or disable version check and Service Ping." msgstr "" +msgid "Enable pre-receive secret detection" +msgstr "" + msgid "Enable rate limiting for requests to the specified paths" msgstr ""
@@ -30539,6 +30548,9 @@ msgstr "" msgid "Minimal Access" msgstr "" +msgid "Minimize the risk of secrets from being committed to any repository in this GitLab instance." +msgstr "" + msgid "Minimum capacity to be available before we schedule more mirrors preemptively." msgstr ""