Merge branch 'security-1180-fix-dependency-proxy-leak-17-3' into '17-3-stable-ee'

Reset dependency proxy maven credentials when registry url is changed See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com> Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Merge branch 'security-1180-fix-dependency-proxy-leak-17-3' into '17-3-stable-ee'
9d4ff594 · GitLab Release Tools Bot · ff7e39ad · 74a4ae92 · 9d4ff594 · 9d4ff594
Commit 9d4ff594 authored 5 months ago by GitLab Release Tools Bot
--- a/ee/app/models/dependency_proxy/packages/setting.rb
+++ b/ee/app/models/dependency_proxy/packages/setting.rb
@@ -59,6 +59,8 @@ class Setting < ApplicationRecord
        :npm_external_registry_auth_token,
        length: { maximum: 255 }
  
+      after_validation :reset_maven_credentials, if: -> { persisted? && maven_external_registry_url_changed? }
+
      scope :enabled, -> { where(enabled: true) }
  
      def url_from_maven_upstream(path:, file_name:)
@@ -94,6 +96,15 @@ def validate_npm_external_registry_tokens
  
        errors.add(:base, "Npm external registry basic auth and auth token can't be set at the same time")
      end
+
+      def reset_maven_credentials
+        return if maven_external_registry_username_changed? && maven_external_registry_password_changed?
+
+        self.maven_external_registry_username = nil
+        self.maven_external_registry_password = nil
+        self.encrypted_maven_external_registry_username_iv = nil
+        self.encrypted_maven_external_registry_password_iv = nil
+      end
    end
  end
 end
--- a/ee/spec/models/dependency_proxy/packages/setting_spec.rb
+++ b/ee/spec/models/dependency_proxy/packages/setting_spec.rb
@@ -147,6 +147,41 @@
    end
  end
  
+  context 'when maven_external_registry_url is updated' do
+    where(:new_url, :new_user, :new_pwd, :expected_user, :expected_pwd) do
+      'http://original_url.test' | 'test' | 'test' | 'test' | 'test'
+      'http://update_url.test'   | 'test' | 'test' | 'test' | 'test'
+      'http://update_url.test'   | :none  | :none  | nil    | nil
+      'http://update_url.test'   | 'test' | :none  | nil    | nil
+      'http://update_url.test'   | :none  | 'test' | nil    | nil
+    end
+
+    with_them do
+      let(:setting) do
+        create(:dependency_proxy_packages_setting, :maven,
+          maven_external_registry_url: 'http://original_url.test',
+          maven_external_registry_username: 'original_user',
+          maven_external_registry_password: 'original_pwd'
+        )
+      end
+
+      it 'resets the username and the password when necessary' do
+        new_attributes = {
+          maven_external_registry_url: new_url,
+          maven_external_registry_username: new_user,
+          maven_external_registry_password: new_pwd
+        }.select { |_, v| v != :none }
+        setting.update!(new_attributes)
+
+        expect(setting.reload).to have_attributes(
+          maven_external_registry_url: new_url,
+          maven_external_registry_username: expected_user,
+          maven_external_registry_password: expected_pwd
+        )
+      end
+    end
+  end
+
  describe '.enabled' do
    let_it_be(:enabled_setting) { create(:dependency_proxy_packages_setting) }
    let_it_be(:disabled_setting) { create(:dependency_proxy_packages_setting, :disabled) }