diff options
| author | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-06-14 15:54:38 +0200 |
|---|---|---|
| committer | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-07-26 12:35:55 +0200 |
| commit | 2e8b67027067761034f36dadb3c2208ce66d2552 (patch) | |
| tree | 1f35c43611dcd0041d3f30fe7a86eac507912b75 /spec/gitlab_access_spec.rb | |
| parent | dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff) | |
| download | gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz | |
Add support for SSH certificate authentication
This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457
Implementation notes:
- Because it's easy to do, and because an earlier nascent version of
this would pass user-ID to gitlab-shell, that's now supported, even
though the SSH certificate authentication uses username-USERNAME.
- The astute reader will notice that not all the API calls in
gitlab-ce's lib/api/internal.rb support a "username" argument, some
only support "user_id".
There's a few reasons for this:
a) For this to be efficient, I am bending over backwards to avoid
extra API calls when using SSH certificates.
Therefore the /allowed API call will now return a "user id" to
us if we're allowed to proceed further. This is then fed to
existing APIs that would only be called after a successful
call to /allowed.
b) Not all of the git-shell codepaths go through
/internal/allowed, or ever deal with a repository, e.g. the
argument-less "Welcome to GitLab", and
/internal/2fa_recovery_codes. These need to use
/internal/discover to figure out details about the user, so
support looking that up by username.
c) Once we have the "user id", the GL_ID gets passed down to
e.g. user-authored hooks. I don't want to have those all break
by having to handle a third GL_ID mode of "username" in
addition to the current "key id" and "user id".
Diffstat (limited to 'spec/gitlab_access_spec.rb')
| -rw-r--r-- | spec/gitlab_access_spec.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/spec/gitlab_access_spec.rb b/spec/gitlab_access_spec.rb index 8882e01..d082176 100644 --- a/spec/gitlab_access_spec.rb +++ b/spec/gitlab_access_spec.rb @@ -10,6 +10,7 @@ describe GitlabAccess do api.stub(check_access: GitAccessStatus.new(true, 'ok', gl_repository: 'project-1', + gl_id: 'user-123', gl_username: 'testuser', repository_path: '/home/git/repositories', gitaly: nil)) @@ -47,6 +48,7 @@ describe GitlabAccess do false, 'denied', gl_repository: nil, + gl_id: nil, gl_username: nil, repository_path: nil, gitaly: nil |