From 073e61a034a3941131a8d09968b0a42480bf3453 Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Tue, 28 Jun 2022 10:38:17 -0700 Subject: [PATCH 1/2] Omit MD5 fingerprints in deploy key API response In FIPS mode, MD5 fingerprints are not generated, but the SHA256 versions are available. Adjust the API entity to export the SHA256 fingerprint and schema to ensure that the SHA256 value is available. Update deploy keys API docs to reflect this. Include `fingerprint` and `fingerprint_sha256` where the fields were missing before. Add a note about FIPS behavior. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/364562 Changelog: changed --- doc/api/deploy_keys.md | 42 +++++++++++++------ lib/api/entities/deploy_key.rb | 3 +- .../api/schemas/public_api/v4/deploy_key.json | 3 +- spec/lib/api/entities/deploy_key_spec.rb | 9 +++- 4 files changed, 41 insertions(+), 16 deletions(-) diff --git a/doc/api/deploy_keys.md b/doc/api/deploy_keys.md index adeda014af0b27..defede6b6a55c7 100644 --- a/doc/api/deploy_keys.md +++ b/doc/api/deploy_keys.md @@ -6,6 +6,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Deploy keys API **(FREE)** +The deploy keys API can return fingerprints of the public key in the following fields in responses: + +- `fingerprint` (MD5 hash). Not available on FIPS-enabled systems. +- `fingerprint_sha256` (SHA256 hash). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91302) in GitLab 15.2. + ## List all deploy keys **(FREE SELF)** Get a list of all deploy keys across all projects of the GitLab instance. This 
@@ -34,8 +39,9 @@ Example response: { "id": 1, "title": "Public key", - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", - "fingerprint": "7f:72:08:7d:0e:47:48:ec:37:79:b2:76:68:b5:87:65", + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNJAkI3Wdf0r13c8a5pEExB2YowPWCSVzfZV22pNBc1CuEbyYLHpUyaD0GwpGvFdx2aP7lMEk35k6Rz3ccBF6jRaVJyhsn5VNnW92PMpBJ/P1UebhXwsFHdQf5rTt082cSxWuk61kGWRQtk4ozt/J2DF/dIUVaLvc+z4HomT41fQ==", + "fingerprint": "4a:9d:64:15:ed:3a:e6:07:6e:89:36:b3:3b:03:05:d9", + "fingerprint_sha256": "SHA256:Jrs3LD1Ji30xNLtTVf9NDCj7kkBgPBb2pjvTZ3HfIgU", "created_at": "2013-10-02T10:12:29Z", "projects_with_write_access": [ { @@ -61,8 +67,9 @@ Example response: { "id": 3, "title": "Another Public key", - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", - "fingerprint": "64:d3:73:d4:83:70:ab:41:96:68:d5:3d:a5:b0:34:ea", + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDIJFwIL6YNcCgVBLTHgM6hzmoL5vf0ThDKQMWT3HrwCjUCGPwR63vBwn6+/Gx+kx+VTo9FuojzR0O4XfwD3LrYA+oT3ETbn9U4e/VS4AH/G4SDMzgSLwu0YuPe517FfGWhWGQhjiXphkaQ+6bXPmcASWb0RCO5+pYlGIfxv4eFGQ==" + "fingerprint": "0b:cf:58:40:b9:23:96:c7:ba:44:df:0e:9e:87:5e:75", + "fingerprint_sha256": "SHA256:lGI/Ys/Wx7PfMhUO1iuBH92JQKYN+3mhJZvWO4Q5ims", "created_at": "2013-10-02T11:12:29Z", "projects_with_write_access": [] } 
@@ -92,14 +99,18 @@ Example response: { "id": 1, "title": "Public key", - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNJAkI3Wdf0r13c8a5pEExB2YowPWCSVzfZV22pNBc1CuEbyYLHpUyaD0GwpGvFdx2aP7lMEk35k6Rz3ccBF6jRaVJyhsn5VNnW92PMpBJ/P1UebhXwsFHdQf5rTt082cSxWuk61kGWRQtk4ozt/J2DF/dIUVaLvc+z4HomT41fQ==", + "fingerprint": "4a:9d:64:15:ed:3a:e6:07:6e:89:36:b3:3b:03:05:d9", + "fingerprint_sha256": "SHA256:Jrs3LD1Ji30xNLtTVf9NDCj7kkBgPBb2pjvTZ3HfIgU", "created_at": "2013-10-02T10:12:29Z", "can_push": false }, { "id": 3, "title": "Another Public key", - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDIJFwIL6YNcCgVBLTHgM6hzmoL5vf0ThDKQMWT3HrwCjUCGPwR63vBwn6+/Gx+kx+VTo9FuojzR0O4XfwD3LrYA+oT3ETbn9U4e/VS4AH/G4SDMzgSLwu0YuPe517FfGWhWGQhjiXphkaQ+6bXPmcASWb0RCO5+pYlGIfxv4eFGQ==" + "fingerprint": "0b:cf:58:40:b9:23:96:c7:ba:44:df:0e:9e:87:5e:75", + "fingerprint_sha256": "SHA256:lGI/Ys/Wx7PfMhUO1iuBH92JQKYN+3mhJZvWO4Q5ims", "created_at": "2013-10-02T11:12:29Z", "can_push": false } 
@@ -129,16 +140,18 @@ Parameters: "title": "Key A", "created_at": "2022-05-30T12:28:27.855Z", "expires_at": null, - "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key", - "fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f" + "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkYXU2fVeO4/0rDCSsswP5iIX2+B6tv15YT3KObgyDl Key", + "fingerprint": "40:8e:fa:df:70:f7:a7:06:1e:0d:6f:ae:f2:27:92:01", + "fingerprint_sha256": "SHA256:Ojq2LZW43BFK/AMP81jBkDGn9YpPWYRNcViKBB44LPU" }, { "id": 2, "title": "Key B", "created_at": "2022-05-30T13:34:56.219Z", "expires_at": null, - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", - "fingerprint": "75:33:44:7e:55:84:dd:70:29:a3:8e:a3:c0:b9:8b:65" + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNJAkI3Wdf0r13c8a5pEExB2YowPWCSVzfZV22pNBc1CuEbyYLHpUyaD0GwpGvFdx2aP7lMEk35k6Rz3ccBF6jRaVJyhsn5VNnW92PMpBJ/P1UebhXwsFHdQf5rTt082cSxWuk61kGWRQtk4ozt/J2DF/dIUVaLvc+z4HomT41fQ==", + "fingerprint": "4a:9d:64:15:ed:3a:e6:07:6e:89:36:b3:3b:03:05:d9", + "fingerprint_sha256": "SHA256:Jrs3LD1Ji30xNLtTVf9NDCj7kkBgPBb2pjvTZ3HfIgU", } ] ``` @@ -156,8 +169,9 @@ Example response: "title": "Key A", "created_at": "2022-05-30T12:28:27.855Z", "expires_at": "2022-10-30T12:28:27.855Z", - "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key", - "fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f" + "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkYXU2fVeO4/0rDCSsswP5iIX2+B6tv15YT3KObgyDl Key", + "fingerprint": "40:8e:fa:df:70:f7:a7:06:1e:0d:6f:ae:f2:27:92:01", + "fingerprint_sha256": "SHA256:Ojq2LZW43BFK/AMP81jBkDGn9YpPWYRNcViKBB44LPU" } ] ``` 
@@ -187,7 +201,9 @@ Example response: { "id": 1, "title": "Public key", - "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=", + "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNJAkI3Wdf0r13c8a5pEExB2YowPWCSVzfZV22pNBc1CuEbyYLHpUyaD0GwpGvFdx2aP7lMEk35k6Rz3ccBF6jRaVJyhsn5VNnW92PMpBJ/P1UebhXwsFHdQf5rTt082cSxWuk61kGWRQtk4ozt/J2DF/dIUVaLvc+z4HomT41fQ==", + "fingerprint": "4a:9d:64:15:ed:3a:e6:07:6e:89:36:b3:3b:03:05:d9", + "fingerprint_sha256": "SHA256:Jrs3LD1Ji30xNLtTVf9NDCj7kkBgPBb2pjvTZ3HfIgU", "created_at": "2013-10-02T10:12:29Z", "can_push": false } diff --git a/lib/api/entities/deploy_key.rb b/lib/api/entities/deploy_key.rb index e8537c4c677e00..2c9c33549a1f13 100644 --- a/lib/api/entities/deploy_key.rb +++ b/lib/api/entities/deploy_key.rb @@ -4,7 +4,8 @@ module API module Entities class DeployKey < Entities::SSHKey expose :key - expose :fingerprint + expose :fingerprint, if: ->(key, _) { key.fingerprint.present? } + expose :fingerprint_sha256 expose :projects_with_write_access, using: Entities::ProjectIdentity, if: -> (_, options) { options[:include_projects_with_write_access] } end diff --git a/spec/fixtures/api/schemas/public_api/v4/deploy_key.json b/spec/fixtures/api/schemas/public_api/v4/deploy_key.json index 3dbdfcc95a1145..99e57a4c218253 100644 --- a/spec/fixtures/api/schemas/public_api/v4/deploy_key.json +++ b/spec/fixtures/api/schemas/public_api/v4/deploy_key.json @@ -6,7 +6,7 @@ "created_at", "expires_at", "key", - "fingerprint", + "fingerprint_sha256", "projects_with_write_access" ], "properties": { @@ -16,6 +16,7 @@ "expires_at": { "type": ["string", "null"], "format": "date-time" }, "key": { "type": "string" }, "fingerprint": { "type": "string" }, + "fingerprint_sha256": { "type": "string" }, "projects_with_write_access": { "type": "array", "items": { "$ref": "project/identity.json" } 
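Review bot: The new `if:` guard on `expose :fingerprint` in `lib/api/entities/deploy_key.rb` has no comment saying why the field can be absent, and `key.fingerprint.present?` does not mention FIPS at all. I would add `# MD5 fingerprints are not generated in FIPS mode; omit the field rather than return null.` above that line. The next line exposes `fingerprint_sha256` unconditionally while this commit's schema requires it as a string, so a key record without a stored SHA256 value would presumably serialise as null; whether such records exist is not visible here. The lambda is written `->(key, _)` while the existing one two lines below uses `-> (_, options)`, so one spacing style should be picked. The enclosing modules close outside the hunk.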
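Review bot: The added `fingerprint_sha256` property in `deploy_key.json` is only typed as a string, so the schema would still pass if the MD5 colon-hex value were emitted under that key by mistake. The example responses documented in this commit all begin with `SHA256:`, so the property can pin that shape: `"fingerprint_sha256": { "type": "string", "pattern": "^SHA256:" }`. With `fingerprint` dropped from `required`, the schema no longer checks that the MD5 field is present on non-FIPS systems; the entity spec appears to be the only place that still does. The schema object opens and closes outside these two hunks.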
diff --git a/spec/lib/api/entities/deploy_key_spec.rb b/spec/lib/api/entities/deploy_key_spec.rb index 6427d6eac8f154..50a274184883a6 100644 --- a/spec/lib/api/entities/deploy_key_spec.rb +++ b/spec/lib/api/entities/deploy_key_spec.rb @@ -15,8 +15,15 @@ title: deploy_key.title, created_at: deploy_key.created_at, expires_at: deploy_key.expires_at, - key: deploy_key.key + key: deploy_key.key, + fingerprint_sha256: deploy_key.fingerprint_sha256 ) + + is_expected.to include(fingerprint: deploy_key.fingerprint) unless Gitlab::FIPS.enabled? + end + + context 'when in FIPS mode', :fips_mode do + it { is_expected.not_to have_key(:fingerprint) } end end end -- GitLab From 543dda86eb784e455186aa25f7ab1a89747ba2ae Mon Sep 17 00:00:00 2001 From: Evan Read Date: Mon, 4 Jul 2022 09:32:31 +0000 Subject: [PATCH 2/2] Apply 1 suggestion(s) to 1 file(s) --- doc/api/deploy_keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/deploy_keys.md b/doc/api/deploy_keys.md index defede6b6a55c7..40641c6e2f78ca 100644 --- a/doc/api/deploy_keys.md +++ b/doc/api/deploy_keys.md @@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Deploy keys API **(FREE)** -The deploy keys API can return fingerprints of the public key in the following fields in responses: +The deploy keys API can return in responses fingerprints of the public key in the following fields: - `fingerprint` (MD5 hash). Not available on FIPS-enabled systems. - `fingerprint_sha256` (SHA256 hash). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91302) in GitLab 15.2. -- GitLab
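Review bot: The added `fingerprint_sha256: deploy_key.fingerprint_sha256` expectation in `deploy_key_spec.rb` compares the entity output with the model's own value, so it also passes when both are nil. Pinning the shape as well would catch that: `expect(subject[:fingerprint_sha256]).to start_with('SHA256:')`. The `unless Gitlab::FIPS.enabled?` modifier silently drops the MD5 assertion inside the same example; a separate non-FIPS example would make the skipped case visible in the run output. The `it` block opens above the hunk.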