Public Deploy Keys can't be created with an expiry date
Summary
The behaviour to allow for Deploy Key expiration was introduced in this merge request, and deployed in GitLab 15.11. While this functions properly for project-level Deploy Keys, a few things currently prevent the use of expiration with public instance-level deploy keys.
Expiration date field is read-only
When an administrator navigates to /admin/deploy_keys/new, they see the following:
Title and Key can be edited, but the expiration date field is marked as read only. This is shown in the code here.
Ruby permitted values are restricted
Attempting to bypass the read only form has no impact, as Ruby does form validation and has a specific set of permitted attributes:
def create_params
  params.require(:deploy_key).permit(:key, :title)
end
It is possible to create a Key without expiration, then modify the expires_at value in Ruby:
irb(main):021:0> d = DeployKey.find_by(id: 2)
=>
#<DeployKey:0x00007fa4f9363260
...
irb(main):022:0> pp d
#<DeployKey:0x00007fa4f9363260
id: 2,
user_id: 1,
created_at: Wed, 11 Oct 2023 02:12:00.279194000 UTC +00:00,
updated_at: Wed, 11 Oct 2023 02:12:00.279194000 UTC +00:00,
key: "[FILTERED]",
title: "[FILTERED]",
type: "DeployKey",
fingerprint: "02:d0:f2:5f:ec:9a:4b:01:49:99:f2:af:61:d9:79:f6",
public: true,
last_used_at: nil,
fingerprint_sha256: "yO3Ddt2CZAOS5GXbYMIejPzvhJr/3wpu2u4k2HRcAsU",
expires_at: nil,
expiry_notification_delivered_at: nil,
before_expiry_notification_delivered_at: nil,
usage_type: "auth_and_signing">
irb(main):023:0>
irb(main):024:0> d.expires_at = "Thu, 26 Oct 2023 00:00:00.000000000 UTC +00:00"
=> "Thu, 26 Oct 2023 00:00:00.000000000 UTC +00:00"
irb(main):025:0> d.save!
The UI will then present the expiration value as expected:
This confirms that expiration support for public Deploy Keys is possible, but is restricted due to UI limitations.
Steps to reproduce
On a Self-Managed instance, navigate to the Admin Area > Deploy Keys. Attempt to create a new Deploy Key, where you will find the expiration date field is read only.
Example Project
N/A. Can't share on GitLab.com due to Admin privileges being required.
What is the current bug behavior?
The UI prevents a user from setting an expiration date.
What is the expected correct behavior?
The UI optionally lets a user set the expiration date, much like how project-level deploy keys function.
Possible fixes
As shared above, I suspect the main problem is in:
- The form being used to render a 'new' deploy key.
  - It seems possible the logic was to mark an existing deploy key's expiration date field as read only when editing it, as this cannot be changed in the UI for project-level deploy keys.
- Restricted parameters accepted on form input. This should include :expires_at.
These seem like minor changes, so I'm assigning this issue to myself while I work on an MR.