summaryrefslogtreecommitdiff
path: root/cmd/gitlab-shell
Commit message (Collapse)AuthorAgeFilesLines
* Add support for the gssapi-with-mic auth methodMarin Hannache2023-01-231-0/+14
|
* go: Bump major version to v14Patrick Steinhardt2022-07-053-36/+36
| | | | | | | | | | | | | While gitlab-shell currently has a major version of v14, the module path it exposes is not using that major version like it is required by the Go standard. This makes it impossible for dependents to import gitlab-shell as a dependency without using a commit as version. Fix this by changing the module path of gitlab-shell to instead be `gitlab.com/gitlab-org/gitlab-shell/v14` and adjust all imports accordingly. Changelog: fixed
* Use labkit for FIPS checkIgor Drozdov2022-05-051-2/+2
| | | | | New version of LabKit provides FIPS checks that we can use instead of the custom code
* Add support for FIPS encryptionStan Hu2022-04-181-0/+2
| | | | | | | | | | | | | | This commit adds support of using a FIPS-validated SSL library with compiled Go executables when `FIPS_MODE=1 make` is run. A Go compiler that supports BoringSSL either directly (e.g. the `dev.boringcrypto` branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required. This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716 Changelog: added
* Reuse Gitaly conns and SidechannelIgor Drozdov2022-03-071-0/+2
| | | | | | | | When gitlab-sshd has been introduced we've started running our own SSH server. In this case we're able to cache and reuse Gitaly connections and Registry. It helps to reduce memory usage.
* Suppress internal errors in client outputwc-intern-errWill Chandler2021-12-281-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Until recently, Gitaly was silently swallowing any errors returned by SSH `git upload-pack` processes. Clients would still receive stderr output and a non-zero return code, but Gitlab-Shell would receive error as nil and log success. With 9deaf47f1ecb00f0f36d18ee4a0fb1576f5a0efe Gitaly will now return an error when git fails, but this causes Gitlab-Shell to print out the GRPC error code as a message to the client: > fatal: couldn't find remote ref not-a-real-ref > fatal: the remote end hung up unexpectedly > remote: > remote: > ======================================================================== > remote: > remote: rpc error: code = Internal desc = SSHUploadPack: exit status 128 > remote: > remote: > ======================================================================== > remote: The `remote:` text gives no additional context for the user and adds clutter. This commit suppresses the additional message added by Gitlab-Shell on failure when the error type is `Internal`, returning client output to the format it was prior to the Gitaly change.
* Relax key and username matching for sshdsh-improve-key-matching-sshdStan Hu2021-11-101-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to the way sshd works, gitlab-shell could be called with a single string in the form: ``` /path/to/gitlab-shell -c key-id ``` However, due to the tightening of the regular expressions in fcff692b this string no longer matches, so logins would fail with: ``` Failed to get username: who='' is invalid ``` This can be reproduced by changing the user's shell to point to gitlab-shell. For example: ``` usermod git -s /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell ``` While setting gitlab-shell as the user's shell isn't officially supported, gitlab-shell still should be able to cope with the key being specified as the last argument. We now split the argument list and use the last value. Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/530
* Log command invocation499-log-command-invocationNick Thomas2021-10-071-1/+11
| | | | | | | | Use reflection to log the command we are about to execute, both in gitlab-shell and gitlab-sshd. Include the environment, which has all the context we need to understand what the command is expected to do. Changelog: added
* Don't swallow an error parsing SSH_ORIGINAL_COMMANDNick Thomas2021-09-271-1/+1
|
* refactor: unify instantiation of command.Shellfeistel2021-09-201-0/+14
|
* refactor: cleanup func signature and remove unused argsfeistel2021-09-083-9/+8
|
* refactor: rearchitect command and executable Go modulesfeistel2021-09-083-2/+349
|
* refactor: add acceptargs field to executablefeistel2021-09-081-1/+1
| | | | | parse logic will only run if the executable accept args. healthcheck is the only one not accepting arguments.
* Switch to labkit for logging system setupNick Thomas2021-08-041-1/+2
| | | | | | | | | | | - We start supporting the "color" format for logs. - We now respond to SIGHUP by reopening the log file. - We now respect the log format when no log filename is specified. Output to syslog in the event of logging system setup is preserved in OpenSSH mode. Changelog: added
* Fix opentracing setup for gitlab-sshdNick Thomas2021-05-171-1/+1
| | | | | | | | | | | | | | | | | | | | Previously, opentracing (if configured) was initialized late in the gitlab-shell process's lifespan, coming just before making a gRPC call to Gitaly. By moving the opentracing initialization to be at process startup, we make it available for the whole process lifecycle, which is very useful to gitlab-sshd, as it means we'll only call tracing.Initialize() once on process startup, rather than once per SSH connection. To get this working, we need to introduce a context to gitlab-sshd. This carries the client/service name, but also carries an initial correlation ID. The main outcome of this is that all calls to the authorized_keys endpoint from a given gitlab-sshd process will now share a correlation ID. I don't have a strong opinion about this either way. Changelog: fixed
* chore: Refactor env introspection to rely on command initialization496-move-env-introspection-to-sshenvLucas Charles2021-03-151-1/+3
| | | | | | | Refactors introspection of execution environment to rely on per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`) Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496
* RFC: Simple built-in SSH serverLorenz Brun2021-01-181-1/+1
|
* Add support for -version argumentStan Hu2020-10-151-0/+14
| | | | | This will help determine the version of the binary particularly on Cloud Native GitLab, where VERSION may not be shipped with the binaries.
* Make it possible to propagate correlation ID across processesStan Hu2020-09-201-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, gitlab-shell did not pass a context through the application. Correlation IDs were generated down the call stack instead of passed around from the start execution. This has several potential downsides: 1. It's easier for programming mistakes to be made in future that lead to multiple correlation IDs being generated for a single request. 2. Correlation IDs cannot be passed in from upstream requests 3. Other advantages of context passing, such as distributed tracing is not possible. This commit changes the behavior: 1. Extract the correlation ID from the environment at the start of the application. 2. If no correlation ID exists, generate a random one. 3. Pass the correlation ID to the GitLabNet API requests. This change also enables other clients of GitLabNet (e.g. Gitaly) to pass along the correlation ID in the internal API requests (https://gitlab.com/gitlab-org/gitaly/-/issues/2725). Fixes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/474
* Log internal HTTP requestsStan Hu2020-03-101-0/+3
| | | | | | | This restores the previous behavior of logging the success and failures of internal HTTP requests. Part of https://gitlab.com/gitlab-org/gitlab/issues/207916
* More consistent console messages (golang)Ash McKenzie2019-10-231-1/+2
|
* Rename import pathsNick Thomas2019-10-181-4/+4
|
* Move go code up one levelNick Thomas2019-10-181-0/+44
View Lorry Controller Status