1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
package command
import (
"context"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/authorizedkeys"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/authorizedprincipals"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/discover"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/healthcheck"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/lfsauthenticate"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/personalaccesstoken"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/readwriter"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/receivepack"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/shared/disallowedcommand"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/twofactorrecover"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/twofactorverify"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/uploadarchive"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/uploadpack"
"gitlab.com/gitlab-org/gitlab-shell/internal/config"
"gitlab.com/gitlab-org/gitlab-shell/internal/executable"
"gitlab.com/gitlab-org/gitlab-shell/internal/sshenv"
"gitlab.com/gitlab-org/labkit/correlation"
"gitlab.com/gitlab-org/labkit/tracing"
)
type Command interface {
Execute(ctx context.Context) error
}
func New(e *executable.Executable, arguments []string, env sshenv.Env, config *config.Config, readWriter *readwriter.ReadWriter) (Command, error) {
var args commandargs.CommandArgs
if e.AcceptArgs {
var err error
args, err = commandargs.Parse(e, arguments, env)
if err != nil {
return nil, err
}
}
if cmd := buildCommand(e, args, config, readWriter); cmd != nil {
return cmd, nil
}
return nil, disallowedcommand.Error
}
// Setup() initializes tracing from the configuration file and generates a
// background context from which all other contexts in the process should derive
// from, as it has a service name and initial correlation ID set.
func Setup(serviceName string, config *config.Config) (context.Context, func()) {
closer := tracing.Initialize(
tracing.WithServiceName(serviceName),
// For GitLab-Shell, we explicitly initialize tracing from a config file
// instead of the default environment variable (using GITLAB_TRACING)
// This decision was made owing to the difficulty in passing environment
// variables into GitLab-Shell processes.
//
// Processes are spawned as children of the SSH daemon, which tightly
// controls environment variables; doing this means we don't have to
// enable PermitUserEnvironment
//
// gitlab-sshd could use the standard GITLAB_TRACING envvar, but that
// would lead to inconsistencies between the two forms of operation
tracing.WithConnectionString(config.GitlabTracing),
)
ctx, finished := tracing.ExtractFromEnv(context.Background())
ctx = correlation.ContextWithClientName(ctx, serviceName)
correlationID := correlation.ExtractFromContext(ctx)
if correlationID == "" {
correlationID := correlation.SafeRandomID()
ctx = correlation.ContextWithCorrelation(ctx, correlationID)
}
return ctx, func() {
finished()
closer.Close()
}
}
func buildCommand(e *executable.Executable, args commandargs.CommandArgs, config *config.Config, readWriter *readwriter.ReadWriter) Command {
switch e.Name {
case executable.GitlabShell:
return BuildShellCommand(args.(*commandargs.Shell), config, readWriter)
case executable.AuthorizedKeysCheck:
return buildAuthorizedKeysCommand(args.(*commandargs.AuthorizedKeys), config, readWriter)
case executable.AuthorizedPrincipalsCheck:
return buildAuthorizedPrincipalsCommand(args.(*commandargs.AuthorizedPrincipals), config, readWriter)
case executable.Healthcheck:
return buildHealthcheckCommand(config, readWriter)
}
return nil
}
func BuildShellCommand(args *commandargs.Shell, config *config.Config, readWriter *readwriter.ReadWriter) Command {
switch args.CommandType {
case commandargs.Discover:
return &discover.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.TwoFactorRecover:
return &twofactorrecover.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.TwoFactorVerify:
return &twofactorverify.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.LfsAuthenticate:
return &lfsauthenticate.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.ReceivePack:
return &receivepack.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.UploadPack:
return &uploadpack.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.UploadArchive:
return &uploadarchive.Command{Config: config, Args: args, ReadWriter: readWriter}
case commandargs.PersonalAccessToken:
return &personalaccesstoken.Command{Config: config, Args: args, ReadWriter: readWriter}
}
return nil
}
func buildAuthorizedKeysCommand(args *commandargs.AuthorizedKeys, config *config.Config, readWriter *readwriter.ReadWriter) Command {
return &authorizedkeys.Command{Config: config, Args: args, ReadWriter: readWriter}
}
func buildAuthorizedPrincipalsCommand(args *commandargs.AuthorizedPrincipals, config *config.Config, readWriter *readwriter.ReadWriter) Command {
return &authorizedprincipals.Command{Config: config, Args: args, ReadWriter: readWriter}
}
func buildHealthcheckCommand(config *config.Config, readWriter *readwriter.ReadWriter) Command {
return &healthcheck.Command{Config: config, ReadWriter: readWriter}
}
|
