path: root/cmd
Commit message  [Author, Age, Files, Lines]
* Configure a default ttl for personal access tokens  [Joe Woodward, 2023-05-11, 1 file, -2/+2]
|   Prior to this change personal access tokens without a ttl would never expire. In Gitlab 15.4 we deprecated non-expiring tokens and they are scheduled for removal in 16.0.
|   https://gitlab.com/gitlab-org/gitlab/-/issues/369122
|
|   This change alters the gitlab-shell command for creating tokens to add a default limit of 30 days.
|
|   Closes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/640
* refactor: success api on acceptance tests  [Mohamed Saber, 2023-04-26, 1 file, -15/+35]
|
* Acceptance test for Geo push  [Igor Drozdov, 2023-03-17, 1 file, -18/+135]
|   It imitates a push to the secondary and verifies that the push is redirected to the primary
* Configure Gitaly storage acceptance tests  [Patrick Cyiza, 2023-03-15, 1 file, -0/+1]
|
* Add support for the gssapi-with-mic auth method  [Marin Hannache, 2023-01-23, 2 files, -0/+16]
|
* gitlab-sshd: Add acceptance test missing error assertion  [James Fargher, 2022-11-23, 1 file, -0/+1]
|
* gitlab-sshd: Log full output in acceptance test  [James Fargher, 2022-11-23, 1 file, -0/+1]
|
* Update Gitaly to v15  [Igor Drozdov, 2022-08-05, 1 file, -2/+2]
|   This commit also excludes gitlab-shell from dependencies:
|
|   Gitaly specifies Gitlab Shell as a dependency as well in order to use gitlabnet client to perform API endpoints to Gitlab Rails.
|
|   As a result, Gitlab Shell requires Gitaly -> Gitaly requires an older version of Gitlab Shell -> that version requires an older version of Gitlab Shell, etc. Let's use exclude to break the chain earlier
* Fix failing TestGitReceivePackSuccess  [Igor Drozdov, 2022-08-05, 1 file, -2/+15]
|   After https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4766 has been introduced, the test started to fail because we basically cancel the git-receive-pack after the output is received
|
|   This commit gracefully closes the connection to make the test pass
* go: Bump major version to v14  [Patrick Steinhardt, 2022-07-05, 14 files, -95/+95]
|   While gitlab-shell currently has a major version of v14, the module path it exposes is not using that major version like it is required by the Go standard. This makes it impossible for dependents to import gitlab-shell as a dependency without using a commit as version.
|
|   Fix this by changing the module path of gitlab-shell to instead be `gitlab.com/gitlab-org/gitlab-shell/v14` and adjust all imports accordingly.
|
|   Changelog: fixed
* Allow specifying formatted durations in config  [Igor Drozdov, 2022-05-19, 1 file, -2/+3]
|   - If an integer is specified, we assume that these are seconds
|   - A duration of format "500ms", "10s", "1m", etc... accepted
* Use labkit for FIPS check  [Igor Drozdov, 2022-05-05, 1 file, -2/+2]
|   New version of LabKit provides FIPS checks that we can use instead of the custom code
* Add support for FIPS encryption  [Stan Hu, 2022-04-18, 1 file, -0/+2]
|   This commit adds support of using a FIPS-validated SSL library with compiled Go executables when `FIPS_MODE=1 make` is run.
|
|   A Go compiler that supports BoringSSL either directly (e.g. the `dev.boringcrypto` branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required.
|
|   This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716
|
|   Changelog: added
* Reuse Gitaly conns and Sidechannel  [Igor Drozdov, 2022-03-07, 2 files, -0/+4]
|   When gitlab-sshd has been introduced we've started running our own SSH server. In this case we're able to cache and reuse Gitaly connections and Registry.
|
|   It helps to reduce memory usage.
* Suppress internal errors in client output (wc-intern-err)  [Will Chandler, 2021-12-28, 1 file, -1/+6]
|   Until recently, Gitaly was silently swallowing any errors returned by SSH `git upload-pack` processes. Clients would still receive stderr output and a non-zero return code, but Gitlab-Shell would receive error as nil and log success.
|
|   With 9deaf47f1ecb00f0f36d18ee4a0fb1576f5a0efe Gitaly will now return an error when git fails, but this causes Gitlab-Shell to print out the GRPC error code as a message to the client:
|
|   > fatal: couldn't find remote ref not-a-real-ref
|   > fatal: the remote end hung up unexpectedly
|   > remote:
|   > remote:
|   > ========================================================================
|   > remote:
|   > remote: rpc error: code = Internal desc = SSHUploadPack: exit status 128
|   > remote:
|   > remote:
|   > ========================================================================
|   > remote:
|
|   The `remote:` text gives no additional context for the user and adds clutter.
|
|   This commit suppresses the additional message added by Gitlab-Shell on failure when the error type is `Internal`, returning client output to the format it was prior to the Gitaly change.
* Send full git request/response in SSHD tests (wc-sshd-upload-pack)  [Will Chandler, 2021-12-22, 1 file, -8/+42]
|   Before 9deaf47f1ecb00f0f36d18ee4a0fb1576f5a0efe, Gitaly would return success for `SSHUploadPack` and `SSHUploadArchive` regardless of the exit code of the `git upload-pack|archive` process. As a result, the gitlab-sshd acceptance tests could rely on no errors being returned from Gitaly.
|
|   Currently these tests send the minimum request needed to start a session, causing the server git process to fail as the `0000` flush packet to end the session is never sent.
|
|   This commit fixes the tests by sending the full request/response needed for a successful git operation.
* Relax key and username matching for sshd (sh-improve-key-matching-sshd)  [Stan Hu, 2021-11-10, 1 file, -0/+21]
|   Due to the way sshd works, gitlab-shell could be called with a single string in the form:
|
|   ```
|   /path/to/gitlab-shell -c key-id
|   ```
|
|   However, due to the tightening of the regular expressions in fcff692b this string no longer matches, so logins would fail with:
|
|   ```
|   Failed to get username: who='' is invalid
|   ```
|
|   This can be reproduced by changing the user's shell to point to gitlab-shell. For example:
|
|   ```
|   usermod git -s /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
|   ```
|
|   While setting gitlab-shell as the user's shell isn't officially supported, gitlab-shell still should be able to cope with the key being specified as the last argument.
|
|   We now split the argument list and use the last value.
|
|   Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/530
* Log command invocation (499-log-command-invocation)  [Nick Thomas, 2021-10-07, 1 file, -1/+11]
|   Use reflection to log the command we are about to execute, both in gitlab-shell and gitlab-sshd. Include the environment, which has all the context we need to understand what the command is expected to do.
|
|   Changelog: added
* Don't swallow an error parsing SSH_ORIGINAL_COMMAND  [Nick Thomas, 2021-09-27, 1 file, -1/+1]
|
* refactor: unify instantiation of command.Shell  [feistel, 2021-09-20, 1 file, -0/+14]
|
* Add context fields to logging (id-context-fields)  [Igor Drozdov, 2021-09-15, 1 file, -1/+1]
|   It adds correlation ids wherever possible
* refactor: fix style issues  [feistel, 2021-09-08, 1 file, -1/+0]
|
* refactor: cleanup func signature and remove unused args  [feistel, 2021-09-08, 9 files, -29/+22]
|
* refactor: rearchitect command and executable Go modules  [feistel, 2021-09-08, 12 files, -9/+734]
|
* Merge branch 'remove/generic-args' into 'main'  [Nick Thomas, 2021-09-08, 4 files, -4/+4]
|\
| |   refactor: remove commandargs.GenericArgs
| |
| |   Closes #212
| |
| |   See merge request gitlab-org/gitlab-shell!506
| * refactor: add acceptargs field to executable  [feistel, 2021-09-08, 4 files, -4/+4]
| |   parse logic will only run if the executable accept args. healthcheck is the only one not accepting arguments.
* | refactor: move away from ioutil (deprecated)  [feistel, 2021-08-19, 1 file, -7/+6]
|/
* Switch to labkit for logging system setup  [Nick Thomas, 2021-08-04, 6 files, -6/+11]
|   - We start supporting the "color" format for logs.
|   - We now respond to SIGHUP by reopening the log file.
|   - We now respect the log format when no log filename is specified.
|
|   Output to syslog in the event of logging system setup is preserved in OpenSSH mode.
|
|   Changelog: added
* Sshd: Log same correlation_id on auth keys  [Igor Drozdov, 2021-07-27, 1 file, -2/+5]
|
* Fix formatting via make fmt  [Stan Hu, 2021-07-26, 1 file, -2/+2]
|
* Switch to labkit/log for logging functionality  [Igor Drozdov, 2021-07-22, 2 files, -14/+15]
|
* Provide liveness and readiness probes  [Igor Drozdov, 2021-07-19, 1 file, -0/+1]
|   They are going to be used to determine whether a server is alive and ready to accept traffic
* Shutdown sshd gracefully  [Igor Drozdov, 2021-07-15, 1 file, -1/+27]
|   When interruption signal is sent, we are closing ssh listener to prevent it from accepting new connections
|
|   Then after configured grace period, we cancel the context to cancel all ongoing operations
* Refactor testhelper.PrepareTestRootDir using t.Cleanup  [Igor Drozdov, 2021-07-14, 1 file, -3/+1]
|
* Merge branch '500_git_upload_pack_test' into 'main'  [Patrick Bajao, 2021-06-04, 1 file, -0/+23]
|\
| |   Add acceptance test for git-upload-pack
| |
| |   See merge request gitlab-org/gitlab-shell!477
| * Add acceptance test for git-upload-pack  [Vasilii Iakliushin, 2021-06-01, 1 file, -0/+23]
| |   Contributes to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/500
* | fix: upgrade of the gitaly dependency  [Pavlo Strokov, 2021-06-02, 1 file, -2/+2]
|/
|   Gitaly project now properly respects module release flow and includes a module suffix in the package name. It requires to re-write all non-suffixed imports with suffixed of a specific version of the module. With proper module versioning we don't need to use a 'replace' directive to point to specific commit and can use semantic versioning for the gitaly dependency.
|
|   Part of: https://gitlab.com/gitlab-org/gitaly/-/issues/3177
* Add acceptance test for git-upload-archive  [Vasilii Iakliushin, 2021-06-01, 1 file, -0/+18]
|   Contributes to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/500
* Merge branch '501-fix-opentracing-init' into 'main'  [Igor Drozdov, 2021-05-24, 5 files, -5/+9]
|\
| |   Fix opentracing setup for gitlab-sshd
| |
| |   Closes #501
| |
| |   See merge request gitlab-org/gitlab-shell!473
| * Fix opentracing setup for gitlab-sshd  [Nick Thomas, 2021-05-17, 5 files, -5/+9]
| |   Previously, opentracing (if configured) was initialized late in the gitlab-shell process's lifespan, coming just before making a gRPC call to Gitaly.
| |
| |   By moving the opentracing initialization to be at process startup, we make it available for the whole process lifecycle, which is very useful to gitlab-sshd, as it means we'll only call tracing.Initialize() once on process startup, rather than once per SSH connection.
| |
| |   To get this working, we need to introduce a context to gitlab-sshd. This carries the client/service name, but also carries an initial correlation ID. The main outcome of this is that all calls to the authorized_keys endpoint from a given gitlab-sshd process will now share a correlation ID. I don't have a strong opinion about this either way.
| |
| |   Changelog: fixed
* | Add a simple acceptance test for git-receive-pack  [Sean McGivern, 2021-05-20, 1 file, -2/+73]
| |
* | Add acceptance test for git-lfs-authenticate  [Sean McGivern, 2021-05-17, 1 file, -0/+27]
| |
* | Add acceptance test for 2fa_verify  [Sean McGivern, 2021-05-17, 1 file, -0/+32]
| |
* | Add acceptance test for 2fa_recovery_codes  [Sean McGivern, 2021-05-17, 1 file, -0/+45]
|/
* Add acceptance test for personal_access_token command  [Sean McGivern, 2021-05-13, 1 file, -1/+15]
|
* gitlab-sshd: Respect the ssl_cert_dir config (516-handle-ssl-cert-dir-correctly)  [Nick Thomas, 2021-04-30, 1 file, -0/+3]
|   Changelog: fixed
* gitlab-sshd: Support the PROXY protocol  [Nick Thomas, 2021-04-12, 1 file, -1/+28]
|
* Merge branch '500-gitlab-sshd-acceptance-tests' into 'main'  [Igor Drozdov, 2021-03-17, 1 file, -0/+192]
|\
| |   gitlab-sshd: Acceptance test for the discover command
| |
| |   See merge request gitlab-org/gitlab-shell!457
| * gitlab-sshd: Acceptance test for the discover command  [Nick Thomas, 2021-03-17, 1 file, -0/+192]
| |   With this, we can start to build confidence in making changes to gitlab-sshd.
* | chore: Refactor env introspection to rely on command initialization (496-move-env-introspection-to-sshenv)  [Lucas Charles, 2021-03-15, 4 files, -4/+9]
|/
|   Refactors introspection of execution environment to rely on per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`)
|
|   Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496