From a8667f4a29b4ba319f9abfdbe7b8c4a9bc178934 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Thu, 26 Oct 2023 18:34:34 +0200 Subject: [PATCH 1/8] Add a new section for secret detection in admin settings This commit adds the user interface to toggle the secret detection application setting introduced in an earlier merge request. EE: true --- app/helpers/application_settings_helper.rb | 3 ++- .../settings/pre_receive_secret_detection.md | 7 +++++++ ee/app/models/ee/application_setting.rb | 3 +++ .../_pre_receive_secret_detection.html.haml | 11 +++++++++++ .../security_and_compliance.html.haml | 13 +++++++++++++ ee/spec/models/application_setting_spec.rb | 4 ++++ locale/gitlab.pot | 12 ++++++++++++ 7 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 doc/administration/settings/pre_receive_secret_detection.md create mode 100644 ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index 0c6ab41004a70c..fbb74104d9b63c 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb @@ -512,7 +512,8 @@ def visible_attributes :gitlab_shell_operation_limit, :namespace_aggregation_schedule_lease_duration_in_seconds, :ci_max_total_yaml_size_bytes, - :project_jobs_api_rate_limit + :project_jobs_api_rate_limit, + :pre_receive_secret_detection_enabled ].tap do |settings| next if Gitlab.com? diff --git a/doc/administration/settings/pre_receive_secret_detection.md b/doc/administration/settings/pre_receive_secret_detection.md new file mode 100644 index 00000000000000..932a9a23a4a28d --- /dev/null +++ b/doc/administration/settings/pre_receive_secret_detection.md 
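Review bot: In `visible_attributes` (app/helpers/application_settings_helper.rb), `:pre_receive_secret_detection_enabled` is appended to the shared list with no license condition, while the only gate this commit adds is the `License.feature_available?(:pre_receive_secret_detection)` check around the section in security_and_compliance.html.haml. A view-level check hides the form but does not constrain what the update endpoint accepts, so if this list feeds the permitted parameters (not visible in the hunk) the setting could be changed on an instance without the license. The `Feature.enabled?(:secret_detection_application_setting)` condition that PATCH 2/8 adds to the same view has the same limitation. Consider leaving the attribute out of this list and permitting it only inside a server-side conditional, for example `attrs << :pre_receive_secret_detection_enabled if License.feature_available?(:pre_receive_secret_detection)`. The method body continues outside the hunk.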
@@ -0,0 +1,7 @@ +--- +stage: Secure +group: Static Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Pre-receive Secret Detection diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index e242b1b7910668..4d9755854c4478 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -201,6 +201,9 @@ module ApplicationSetting numericality: { only_integer: true, greater_than: proc { Devise.allow_unconfirmed_access_for.in_days.to_i } }, if: :email_confirmation_setting_soft? + validates :pre_receive_secret_detection_enabled, + inclusion: { in: [true, false], message: 'must be a boolean value' } + alias_attribute :delayed_project_deletion, :delayed_project_removal before_save :update_lock_delayed_project_removal, if: :delayed_group_deletion_changed? diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml new file mode 100644 index 00000000000000..80763f2f48c37c --- /dev/null +++ b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml 
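Review bot: The `inclusion: { in: [true, false] }` validation on `pre_receive_secret_detection_enabled` in ee/app/models/ee/application_setting.rb probably rejects only `nil`. Assuming the column is a boolean (the migration is not part of this patch), Rails casts the assigned value before validators run, so a non-boolean input never reaches the check. The matching `validate_inclusion_of(:pre_receive_secret_detection_enabled).in_array([true, false])` example in ee/spec/models/application_setting_spec.rb has the same limit and cannot show that non-boolean values are refused. A comment such as `# Type casting happens before validation, so this guards against nil only` would keep readers from treating the validation as input filtering. The message `'must be a boolean value'` is also a bare literal, unlike the `_()`-wrapped strings in the views of this commit.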
@@ -0,0 +1,11 @@ += gitlab_ui_form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-secret-detection-settings'), html: { class: 'fieldset-form', id: 'secret-detection-settings' } do |f| + = form_errors(@application_setting) + + %fieldset + .form-group + = f.label :pre_receive_secret_detection_enabled, s_('AdminSettings|Pre-receive secret detection'), class: 'label-bold gl-mb-0' + %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help + = _('Prevent accidental secret exposures by scanning files for sensitive information before they are committed to any repository within this GitLab instance.') + = link_to(_('Learn more.'), help_page_path('administration/settings/pre_receive_secret_detection'), target: '_blank', rel: 'noopener noreferrer') + = f.gitlab_ui_checkbox_component :pre_receive_secret_detection_enabled, _('Enable pre-receive secret detection') + = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index 1c887795f66083..903db01d5f2e9a 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml 
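Review bot: The form in _pre_receive_secret_detection.html.haml submits to `general_admin_application_settings_path(anchor: 'js-secret-detection-settings')`, but the section carrying that anchor is added to security_and_compliance.html.haml, not to the general settings page. If the update action redirects or re-renders according to the form URL (not visible here), an administrator who saves this setting or hits a validation error would land on a page where neither the anchor nor this partial's `form_errors` output exists. Pointing `url:` at the path helper for the Security and Compliance page would keep the result next to the control. Separately, the `#pre_receive_secret_detection-help` span is not referenced by the checkbox, so the description is not programmatically associated with it.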
@@ -13,3 +13,16 @@ = _('Settings for the License Compliance feature') .settings-content = render 'license_compliance' + +- if License.feature_available?(:pre_receive_secret_detection) + %section.settings.as-secret-detection.no-animate#js-secret-detection-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'admin-secret-detection-settings' } } + .settings-header + %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only + = _('Secret Detection') + = render Pajamas::BadgeComponent.new(_('Experiment'), variant: 'neutral') + = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do + = expanded_by_default? ? _('Collapse') : _('Expand') + %p.gl-text-secondary + = _('Configure secret detection behaviour for all projects in your GitLab instance') + .settings-content + = render 'pre_receive_secret_detection' diff --git a/ee/spec/models/application_setting_spec.rb b/ee/spec/models/application_setting_spec.rb index e6c5291b14a5c7..cc8c50cd9aa1f0 100644 --- a/ee/spec/models/application_setting_spec.rb +++ b/ee/spec/models/application_setting_spec.rb @@ -197,6 +197,10 @@ it { is_expected.not_to allow_value("a" * (subject.email_additional_text_character_limit + 1)).for(:email_additional_text) } end + describe 'secret detection validations', feature_category: :secret_detection do + it { is_expected.to validate_inclusion_of(:pre_receive_secret_detection_enabled).in_array([true, false]) } + end + describe 'when secret detection token revocation is enabled', feature_category: :secret_detection do before do stub_application_setting(secret_detection_token_revocation_enabled: true) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index c7dfb517b45fcf..a16cc8e2cf6e2b 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot 
@@ -3647,6 +3647,9 @@ msgstr "" msgid "AdminSettings|Pause Elasticsearch indexing" msgstr "" +msgid "AdminSettings|Pre-receive secret detection" +msgstr "" + msgid "AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets." msgstr "" @@ -12846,6 +12849,9 @@ msgstr "" msgid "Configure repository storage." msgstr "" +msgid "Configure secret detection behaviour for all projects in your GitLab instance" +msgstr "" + msgid "Configure settings for Advanced Search with Elasticsearch." msgstr "" @@ -18393,6 +18399,9 @@ msgstr "" msgid "Enable or disable version check and Service Ping." msgstr "" +msgid "Enable pre-receive secret detection" +msgstr "" + msgid "Enable rate limiting for requests to the specified paths" msgstr "" @@ -36151,6 +36160,9 @@ msgstr "" msgid "Prev" msgstr "" +msgid "Prevent accidental secret exposures by scanning files for sensitive information before they are committed to any repository within this GitLab instance." +msgstr "" + msgid "Prevent auto-stopping" msgstr "" -- GitLab From ad7da97314f027c6d20ad80637c737ea886b1b4a Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Mon, 13 Nov 2023 14:00:53 +0100 Subject: [PATCH 2/8] Put the new section behind its own feature flag --- .../security_and_compliance.html.haml | 2 +- .../development/secret_detection_application_setting.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 ee/config/feature_flags/development/secret_detection_application_setting.yml diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index 903db01d5f2e9a..91723f7e09f7a3 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml 
@@ -14,7 +14,7 @@ .settings-content = render 'license_compliance' -- if License.feature_available?(:pre_receive_secret_detection) +- if Feature.enabled?(:secret_detection_application_setting) && License.feature_available?(:pre_receive_secret_detection) %section.settings.as-secret-detection.no-animate#js-secret-detection-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'admin-secret-detection-settings' } } .settings-header %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only diff --git a/ee/config/feature_flags/development/secret_detection_application_setting.yml b/ee/config/feature_flags/development/secret_detection_application_setting.yml new file mode 100644 index 00000000000000..17b32abee9be5d --- /dev/null +++ b/ee/config/feature_flags/development/secret_detection_application_setting.yml @@ -0,0 +1,8 @@ +--- +name: secret_detection_application_setting +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135273 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/431584 +milestone: '16.7' +type: development +group: group::static analysis +default_enabled: false -- GitLab From 6b09b394f7f527e0ba8deeed43cb5ed5f22113cd Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Thu, 16 Nov 2023 13:43:29 +0100 Subject: [PATCH 3/8] Apply technical writing reviewer feedback --- .../settings/pre_receive_secret_detection.md | 7 ------- .../_pre_receive_secret_detection.html.haml | 3 +-- .../security_and_compliance.html.haml | 2 +- locale/gitlab.pot | 8 ++++---- 4 files changed, 6 insertions(+), 14 deletions(-) delete mode 100644 doc/administration/settings/pre_receive_secret_detection.md diff --git a/doc/administration/settings/pre_receive_secret_detection.md b/doc/administration/settings/pre_receive_secret_detection.md deleted file mode 100644 index 932a9a23a4a28d..00000000000000 --- a/doc/administration/settings/pre_receive_secret_detection.md +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -stage: Secure -group: Static Analysis -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments ---- - -# Pre-receive Secret Detection diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml index 80763f2f48c37c..ba20cc6bdb0167 100644 --- a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml +++ b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml @@ -5,7 +5,6 @@ .form-group = f.label :pre_receive_secret_detection_enabled, s_('AdminSettings|Pre-receive secret detection'), class: 'label-bold gl-mb-0' %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help - = _('Prevent accidental secret exposures by scanning files for sensitive information before they are committed to any repository within this GitLab instance.') - = link_to(_('Learn more.'), help_page_path('administration/settings/pre_receive_secret_detection'), target: '_blank', rel: 'noopener noreferrer') + = _('Minimize the risk of secrets from being committed to any repository in this GitLab instance.') = f.gitlab_ui_checkbox_component :pre_receive_secret_detection_enabled, _('Enable pre-receive secret detection') = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index 91723f7e09f7a3..0c5fe356a7bed7 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml 
@@ -23,6 +23,6 @@ = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do = expanded_by_default? ? _('Collapse') : _('Expand') %p.gl-text-secondary - = _('Configure secret detection behaviour for all projects in your GitLab instance') + = _('Configure secret detection behavior for all projects in your GitLab instance') .settings-content = render 'pre_receive_secret_detection' diff --git a/locale/gitlab.pot b/locale/gitlab.pot index a16cc8e2cf6e2b..90e57e5c090b93 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -12849,7 +12849,7 @@ msgstr "" msgid "Configure repository storage." msgstr "" -msgid "Configure secret detection behaviour for all projects in your GitLab instance" +msgid "Configure secret detection behavior for all projects in your GitLab instance" msgstr "" msgid "Configure settings for Advanced Search with Elasticsearch." @@ -30548,6 +30548,9 @@ msgstr "" msgid "Minimal Access" msgstr "" +msgid "Minimize the risk of secrets from being committed to any repository in this GitLab instance." +msgstr "" + msgid "Minimum capacity to be available before we schedule more mirrors preemptively." msgstr "" @@ -36160,9 +36163,6 @@ msgstr "" msgid "Prev" msgstr "" -msgid "Prevent accidental secret exposures by scanning files for sensitive information before they are committed to any repository within this GitLab instance." -msgstr "" - msgid "Prevent auto-stopping" msgstr "" -- GitLab From 468c8e779bf01a3ed3ee37789ee6c95a6a453d4e Mon Sep 17 00:00:00 2001 
From: Ahmed Hemdan Date: Thu, 16 Nov 2023 22:54:38 +0100 Subject: [PATCH 4/8] Apply more feedback from reviewers --- app/helpers/application_settings_helper.rb | 3 +-- .../admin/application_settings_controller.rb | 3 ++- .../helpers/ee/application_settings_helper.rb | 4 +++- ee/app/models/ee/application_setting.rb | 2 +- .../security_and_compliance.html.haml | 1 - .../application_settings_controller_spec.rb | 7 ++++++ .../ee/application_settings_helper_spec.rb | 24 ++++++++----------- 7 files changed, 24 insertions(+), 20 deletions(-) diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index fbb74104d9b63c..0c6ab41004a70c 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb @@ -512,8 +512,7 @@ def visible_attributes :gitlab_shell_operation_limit, :namespace_aggregation_schedule_lease_duration_in_seconds, :ci_max_total_yaml_size_bytes, - :project_jobs_api_rate_limit, - :pre_receive_secret_detection_enabled + :project_jobs_api_rate_limit ].tap do |settings| next if Gitlab.com? diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index 195a400b6f5884..89d55c82efd796 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb @@ -121,7 +121,8 @@ def visible_application_setting_attributes :lock_maven_package_requests_forwarding], default_branch_protection_restriction_in_groups: :group_owners_can_manage_default_branch_protection, group_ip_restriction: :globally_allowed_ips, - service_accounts: :service_access_tokens_expiration_enforced + service_accounts: :service_access_tokens_expiration_enforced, + pre_receive_secret_detection: :pre_receive_secret_detection_enabled }.each do |license_feature, attribute_names| if License.feature_available?(license_feature) attrs += Array.wrap(attribute_names) 
diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index 2e705a5ed2f1fd..bc7b4e6b514af1 100644 --- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -71,7 +71,8 @@ def visible_attributes :telesign_api_key, :openai_api_key, :security_policy_global_group_approvers_enabled, - :anthropic_api_key + :anthropic_api_key, + :pre_receive_secret_detection_enabled ] end @@ -129,6 +130,7 @@ def self.possible_licensed_attributes maintenance_mode_message globally_allowed_ips service_access_tokens_expiration_enforced + pre_receive_secret_detection_enabled ] end diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index 4d9755854c4478..d649ce2c406de9 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -202,7 +202,7 @@ module ApplicationSetting if: :email_confirmation_setting_soft? validates :pre_receive_secret_detection_enabled, - inclusion: { in: [true, false], message: 'must be a boolean value' } + inclusion: { in: [true, false], message: N_('must be a boolean value') } alias_attribute :delayed_project_deletion, :delayed_project_removal diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index 0c5fe356a7bed7..ad911e0a5fd10d 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml @@ -19,7 +19,6 @@ .settings-header %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only = _('Secret Detection') - = render Pajamas::BadgeComponent.new(_('Experiment'), variant: 'neutral') = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do = expanded_by_default? ? _('Collapse') : _('Expand') %p.gl-text-secondary 
diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index d295502938ef75..6260aa5c63a1c1 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb @@ -266,6 +266,13 @@ end end + context 'secret detection settings' do + let(:settings) { { pre_receive_secret_detection_enabled: false } } + let(:feature) { :pre_receive_secret_detection } + + it_behaves_like 'settings for licensed features' + end + it 'updates repository_size_limit' do put :update, params: { application_setting: { repository_size_limit: '100' } } diff --git a/ee/spec/helpers/ee/application_settings_helper_spec.rb b/ee/spec/helpers/ee/application_settings_helper_spec.rb index 8d1b54003f11fd..af7ad5ce740815 100644 --- a/ee/spec/helpers/ee/application_settings_helper_spec.rb +++ b/ee/spec/helpers/ee/application_settings_helper_spec.rb @@ -4,20 +4,16 @@ RSpec.describe EE::ApplicationSettingsHelper do describe '.visible_attributes' do - it 'contains personal access token parameters' do - expect(visible_attributes).to include(*%i[max_personal_access_token_lifetime]) - end - - it 'contains telesign values' do - expect(visible_attributes).to include(*%i[telesign_customer_xid telesign_api_key]) - end - - it 'contains openai_api_key value' do - expect(visible_attributes).to include(*%i[openai_api_key]) - end - - it 'contains anthropic_api_key value' do - expect(visible_attributes).to include(*%i[anthropic_api_key]) + it 'contains defined visible attributes' do + expect(visible_attributes).to include( + *%i[ + max_personal_access_token_lifetime + telesign_customer_xid telesign_api_key + openai_api_key + anthropic_api_key + pre_receive_secret_detection_enabled + ] + ) end end -- GitLab From ec128f3708cabd8e122ba345af09f2a49d39f79a Mon Sep 17 00:00:00 2001 
From: Ahmed Hemdan Date: Thu, 16 Nov 2023 22:57:49 +0100 Subject: [PATCH 5/8] Remove a redundant reference --- ee/app/helpers/ee/application_settings_helper.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index bc7b4e6b514af1..02e047c717c506 100644 --- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -71,8 +71,7 @@ def visible_attributes :telesign_api_key, :openai_api_key, :security_policy_global_group_approvers_enabled, - :anthropic_api_key, - :pre_receive_secret_detection_enabled + :anthropic_api_key ] end -- GitLab From 9d7073f890fe734d2608adc5cc9fd8f96a3e1162 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Fri, 17 Nov 2023 01:43:17 +0100 Subject: [PATCH 6/8] Revert spec to original state --- .../ee/application_settings_helper_spec.rb | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/ee/spec/helpers/ee/application_settings_helper_spec.rb b/ee/spec/helpers/ee/application_settings_helper_spec.rb index af7ad5ce740815..8d1b54003f11fd 100644 --- a/ee/spec/helpers/ee/application_settings_helper_spec.rb +++ b/ee/spec/helpers/ee/application_settings_helper_spec.rb 
@@ -4,16 +4,20 @@ RSpec.describe EE::ApplicationSettingsHelper do describe '.visible_attributes' do - it 'contains defined visible attributes' do - expect(visible_attributes).to include( - *%i[ - max_personal_access_token_lifetime - telesign_customer_xid telesign_api_key - openai_api_key - anthropic_api_key - pre_receive_secret_detection_enabled - ] - ) + it 'contains personal access token parameters' do + expect(visible_attributes).to include(*%i[max_personal_access_token_lifetime]) + end + + it 'contains telesign values' do + expect(visible_attributes).to include(*%i[telesign_customer_xid telesign_api_key]) + end + + it 'contains openai_api_key value' do + expect(visible_attributes).to include(*%i[openai_api_key]) + end + + it 'contains anthropic_api_key value' do + expect(visible_attributes).to include(*%i[anthropic_api_key]) end end -- GitLab From 6680d681f799f13e75e948ac37d015169d589031 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Fri, 17 Nov 2023 18:36:47 +0100 Subject: [PATCH 7/8] Ensure attribute is protected by both FF and licnese check --- .../ee/admin/application_settings_controller.rb | 8 ++++++-- .../admin/application_settings_controller_spec.rb | 14 +++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index 89d55c82efd796..7f43c1939fae18 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb 
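Review bot: After this revert the `.visible_attributes` examples in ee/spec/helpers/ee/application_settings_helper_spec.rb assert nothing about `pre_receive_secret_detection_enabled`, although PATCH 5/8 deliberately removed it from the EE `visible_attributes` list. A negative expectation would catch the attribute being re-added to an unconditional list later, which matters because the series gates it on a license and a feature flag elsewhere. I would add `it('omits the secret detection setting') { expect(visible_attributes).not_to include(:pre_receive_secret_detection_enabled) }` next to the restored examples.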
@@ -121,8 +121,7 @@ def visible_application_setting_attributes :lock_maven_package_requests_forwarding], default_branch_protection_restriction_in_groups: :group_owners_can_manage_default_branch_protection, group_ip_restriction: :globally_allowed_ips, - service_accounts: :service_access_tokens_expiration_enforced, - pre_receive_secret_detection: :pre_receive_secret_detection_enabled + service_accounts: :service_access_tokens_expiration_enforced }.each do |license_feature, attribute_names| if License.feature_available?(license_feature) attrs += Array.wrap(attribute_names) @@ -133,6 +132,11 @@ def visible_application_setting_attributes attrs << :git_two_factor_session_expiry end + if License.feature_available?(:pre_receive_secret_detection) && + ::Feature.enabled?(:secret_detection_application_setting) + attrs << :pre_receive_secret_detection_enabled + end + if License.feature_available?(:admin_merge_request_approvers_rules) attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes end diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index 6260aa5c63a1c1..707d3f2999b4da 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb 
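Review bot: The new `if License.feature_available?(:pre_receive_secret_detection) && ::Feature.enabled?(:secret_detection_application_setting)` block in `visible_application_setting_attributes` has no comment explaining why this attribute was taken out of the license-to-attribute map just above it. Without one, a later cleanup may fold it back into the map and lose the flag condition, which is the state PATCH 4/8 had. I would add `# Needs the feature flag as well as the license, so it cannot live in the map above; move it back once the flag is removed.` above the `if`. At this commit the attribute is still listed in `possible_licensed_attributes` in ee/app/helpers/ee/application_settings_helper.rb (removed only in PATCH 8/8), so any caller of that list would not see the flag check. The method starts and ends outside the hunk.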
@@ -267,10 +267,22 @@ end context 'secret detection settings' do - let(:settings) { { pre_receive_secret_detection_enabled: false } } + let(:settings) { { pre_receive_secret_detection_enabled: true } } let(:feature) { :pre_receive_secret_detection } it_behaves_like 'settings for licensed features' + + context 'when secret_detection_application_setting feature flag is disabled' do + before do + stub_licensed_features(feature => true) + stub_feature_flags(secret_detection_application_setting: false) + end + + it 'does not update pre_receive_secret_detection_enabled setting' do + expect { put :update, params: { application_setting: settings } } + .not_to change { ApplicationSetting.current.reload.attributes['pre_receive_secret_detection_enabled'] } + end + end end it 'updates repository_size_limit' do -- GitLab From ae4c7c5043ce8cab34626e2354dd40e36c420272 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Mon, 20 Nov 2023 13:57:23 +0100 Subject: [PATCH 8/8] Ensure setting is only editable via UI for now --- ee/app/helpers/ee/application_settings_helper.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index 02e047c717c506..2e705a5ed2f1fd 100644 --- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -129,7 +129,6 @@ def self.possible_licensed_attributes maintenance_mode_message globally_allowed_ips service_access_tokens_expiration_enforced - pre_receive_secret_detection_enabled ] end -- GitLab
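Review bot: The example `does not update pre_receive_secret_detection_enabled setting` asserts only `.not_to change`, which would also pass if the request were rejected before the parameter filter ran, for instance because the admin session set up outside this hunk was missing. Checking the response in the same example would show that the update was processed and only this parameter was dropped, e.g. `expect(response).to have_gitlab_http_status(:found)` if the action redirects on success (the shared examples that would confirm this are not visible here). Since this test protects the server-side gate for a security control, it is worth making the negative case non-vacuous.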