From 2e8b67027067761034f36dadb3c2208ce66d2552 Mon Sep 17 00:00:00 2001
From: Ævar Arnfjörð Bjarmason
Date: Thu, 14 Jun 2018 15:54:38 +0200
Subject: Add support for SSH certificate authentication

This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate authentication.
See the docs added to gitlab-ce for why and how to enable this.

This, along with that MR, closes gitlab-org/gitlab-ce#3457

Implementation notes:

 - Because it's easy to do, and because an earlier nascent version of
   this would pass user-ID to gitlab-shell, that's now supported, even
   though the SSH certificate authentication uses username-USERNAME.

 - The astute reader will notice that not all the API calls in
   gitlab-ce's lib/api/internal.rb support a "username" argument, some
   only support "user_id". There's a few reasons for this:

   a) For this to be efficient, I am bending over backwards to avoid
      extra API calls when using SSH certificates. Therefore the
      /allowed API call will now return a "user id" to us if we're
      allowed to proceed further. This is then fed to existing APIs
      that would only be called after a successful call to /allowed.

   b) Not all of the git-shell codepaths go through /internal/allowed,
      or ever deal with a repository, e.g. the argument-less "Welcome
      to GitLab", and /internal/2fa_recovery_codes. These need to use
      /internal/discover to figure out details about the user, so
      support looking that up by username.

   c) Once we have the "user id", the GL_ID gets passed down to
      e.g. user-authored hooks. I don't want to have those all break by
      having to handle a third GL_ID mode of "username" in addition to
      the current "key id" and "user id".
---
 lib/gitlab_access_status.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'lib/gitlab_access_status.rb')

diff --git a/lib/gitlab_access_status.rb b/lib/gitlab_access_status.rb
index 783bc0c..44225aa 100644
--- lib/gitlab_access_status.rb
+++ b/lib/gitlab_access_status.rb @@ -1,12 +1,13 @@ require 'json' class GitAccessStatus - attr_reader :message, :gl_repository, :gl_username, :repository_path, :gitaly + attr_reader :message, :gl_repository, :gl_id, :gl_username, :repository_path, :gitaly - def initialize(status, message, gl_repository:, gl_username:, repository_path:, gitaly:) + def initialize(status, message, gl_repository:, gl_id:, gl_username:, repository_path:, gitaly:) @status = status @message = message @gl_repository = gl_repository + @gl_id = gl_id @gl_username = gl_username @repository_path = repository_path @gitaly = gitaly @@ -17,6 +18,7 @@ class GitAccessStatus new(values["status"], values["message"], gl_repository: values["gl_repository"], + gl_id: values["gl_id"], gl_username: values["gl_username"], repository_path: values["repository_path"], gitaly: values["gitaly"]) -- cgit v1.2.1
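
Review bot: in the first hunk (@@ -1,12 +1,13 @@), gl_id: is added to initialize as a required keyword, so any caller of GitAccessStatus.new that does not pass it will raise ArgumentError, and the only call site visible here is create_from_json. This view is limited to lib/gitlab_access_status.rb, so please confirm that every other place constructing the object directly (specs included) is updated in the same commit, or give the keyword a default. A short comment on which forms gl_id may take would also help, since the commit message says hooks should keep seeing only the "key id" and "user id" modes of GL_ID.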
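
Review bot: in the second hunk (@@ -17,6 +18,7 @@), gl_id: values["gl_id"] evaluates to nil whenever the /allowed response has no "gl_id" key, for example when gitlab-ce does not yet carry the companion MR, and nothing in create_from_json rejects that. The commit message says this id is then fed to the follow-up API calls and passed down as GL_ID to hooks, so an allowed response with a missing or empty gl_id should fail closed here (treat the status as denied or raise) rather than carry a nil identity forward.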