diff options
| author | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-06-14 15:54:38 +0200 |
|---|---|---|
| committer | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-07-26 12:35:55 +0200 |
| commit | 2e8b67027067761034f36dadb3c2208ce66d2552 (patch) | |
| tree | 1f35c43611dcd0041d3f30fe7a86eac507912b75 /lib/gitlab_shell.rb | |
| parent | dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff) | |
| download | gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz | |
Add support for SSH certificate authentication
This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457
Implementation notes:
- Because it's easy to do, and because an earlier nascent version of
this would pass user-ID to gitlab-shell, that's now supported, even
though the SSH certificate authentication uses username-USERNAME.
- The astute reader will notice that not all the API calls in
gitlab-ce's lib/api/internal.rb support a "username" argument, some
only support "user_id".
There's a few reasons for this:
a) For this to be efficient, I am bending over backwards to avoid
extra API calls when using SSH certificates.
Therefore the /allowed API call will now return a "user id" to
us if we're allowed to proceed further. This is then fed to
existing APIs that would only be called after a successful
call to /allowed.
b) Not all of the git-shell codepaths go through
/internal/allowed, or ever deal with a repository, e.g. the
argument-less "Welcome to GitLab", and
/internal/2fa_recovery_codes. These need to use
/internal/discover to figure out details about the user, so
support looking that up by username.
c) Once we have the "user id", the GL_ID gets passed down to
e.g. user-authored hooks. I don't want to have those all break
by having to handle a third GL_ID mode of "username" in
addition to the current "key id" and "user id".
Diffstat (limited to 'lib/gitlab_shell.rb')
| -rw-r--r-- | lib/gitlab_shell.rb | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 9644cf4..9f05004 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -18,11 +18,16 @@ class GitlabShell # rubocop:disable Metrics/ClassLength API_COMMANDS = %w(2fa_recovery_codes).freeze GL_PROTOCOL = 'ssh'.freeze - attr_accessor :key_id, :gl_repository, :repo_name, :command, :git_access + attr_accessor :gl_id, :gl_repository, :repo_name, :command, :git_access attr_reader :repo_path - def initialize(key_id) - @key_id = key_id + def initialize(who) + who_sym, = GitlabNet.parse_who(who) + if who_sym == :username + @who = who + else + @gl_id = who + end @config = GitlabConfig.new end @@ -40,6 +45,12 @@ class GitlabShell # rubocop:disable Metrics/ClassLength if GIT_COMMANDS.include?(args.first) GitlabMetrics.measure('verify-access') { verify_access } + elsif !defined?(@gl_id) + # We're processing an API command like 2fa_recovery_codes, but + # don't have a @gl_id yet, that means we're in the "username" + # mode and need to materialize it, calling the "user" method + # will do that and call the /discover method. + user end process_cmd(args) @@ -101,7 +112,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength end def verify_access - status = api.check_access(@git_access, nil, @repo_name, @key_id, '_any', GL_PROTOCOL) + status = api.check_access(@git_access, nil, @repo_name, @who || @gl_id, '_any', GL_PROTOCOL) raise AccessDeniedError, status.message unless status.allowed? @@ -109,6 +120,9 @@ class GitlabShell # rubocop:disable Metrics/ClassLength @gl_repository = status.gl_repository @gitaly = status.gitaly @username = status.gl_username + if defined?(@who) + @gl_id = status.gl_id + end end def process_cmd(args) @@ -135,7 +149,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength gitaly_request = { 'repository' => @gitaly['repository'], 'gl_repository' => @gl_repository, - 'gl_id' => @key_id, + 'gl_id' => @gl_id, 'gl_username' => @username } @@ -161,7 +175,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength 'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'LANG' => ENV['LANG'], - 'GL_ID' => @key_id, + 'GL_ID' => @gl_id, 'GL_PROTOCOL' => GL_PROTOCOL, 'GL_REPOSITORY' => @gl_repository, 'GL_USERNAME' => @username @@ -190,7 +204,12 @@ class GitlabShell # rubocop:disable Metrics/ClassLength return @user if defined?(@user) begin - @user = api.discover(@key_id) + if defined?(@who) + @user = api.discover(@who) + @gl_id = "user-#{@user['id']}" + else + @user = api.discover(@gl_id) + end rescue GitlabNet::ApiUnreachableError @user = nil end @@ -208,11 +227,11 @@ class GitlabShell # rubocop:disable Metrics/ClassLength # User identifier to be used in log messages. def log_username - @config.audit_usernames ? username : "user with key #{@key_id}" + @config.audit_usernames ? username : "user with id #{@gl_id}" end def lfs_authenticate - lfs_access = api.lfs_authenticate(@key_id, @repo_name) + lfs_access = api.lfs_authenticate(@gl_id, @repo_name) return unless lfs_access @@ -240,7 +259,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength return end - resp = api.two_factor_recovery_codes(key_id) + resp = api.two_factor_recovery_codes(@gl_id) if resp['success'] codes = resp['recovery_codes'].join("\n") puts "Your two-factor authentication recovery codes are:\n\n" \ |