SSH public-key authentication for push mirroring

9 files changed, 127 insertions, 11 deletions

diff --git a/spec/controllers/projects/mirrors_controller_spec.rb b/spec/controllers/projects/mirrors_controller_spec.rb
index 00c1e617e3a..976f480930c 100644
--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -15,6 +15,31 @@ describe Projects::MirrorsController do
         end.to change { RemoteMirror.count }.to(1)
       end
     end
+
+    context 'setting up SSH public-key authentication' do
+      let(:ssh_mirror_attributes) do
+        {
+          'auth_method' => 'ssh_public_key',
+          'url' => 'ssh://git@example.com',
+          'ssh_known_hosts' => 'test'
+        }
+      end
+
+      it 'processes a successful update' do
+        sign_in(project.owner)
+        do_put(project, remote_mirrors_attributes: { '0' => ssh_mirror_attributes })
+
+        expect(response).to redirect_to(project_settings_repository_path(project, anchor: 'js-push-remote-settings'))
+
+        expect(RemoteMirror.count).to eq(1)
+        expect(RemoteMirror.first).to have_attributes(
+          auth_method: 'ssh_public_key',
+          url: 'ssh://git@example.com',
+          ssh_public_key: match(/\Assh-rsa /),
+          ssh_known_hosts: 'test'
+        )
+      end
+    end
   end
 
   describe '#update' do
diff --git a/spec/features/projects/settings/repository_settings_spec.rb b/spec/features/projects/settings/repository_settings_spec.rb
index 377a75cbcb3..401aac9478d 100644
--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -132,6 +132,27 @@ describe 'Projects > Settings > Repository settings' do
       it 'shows push mirror settings', :js do
         expect(page).to have_selector('#mirror_direction')
       end
+
+      it 'generates an SSH public key on submission', :js do
+        fill_in 'url', with: 'ssh://user@localhost/project.git'
+        select 'SSH public key', from: 'Authentication method'
+
+        direction_select = find('#mirror_direction')
+
+        # In CE, this select box is disabled, but in EE, it is enabled
+        if direction_select.disabled?
+          expect(direction_select.value).to eq('push')
+        else
+          direction_select.select('Push')
+        end
+
+        Sidekiq::Testing.fake! do
+          click_button 'Mirror repository'
+        end
+
+        expect(page).to have_content('Mirroring settings were successfully updated')
+        expect(page).to have_selector('[title="Copy SSH public key"]')
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/git/remote_mirror_spec.rb b/spec/lib/gitlab/git/remote_mirror_spec.rb
new file mode 100644
index 00000000000..dc63eef7814
--- /dev/null
+++ b/spec/lib/gitlab/git/remote_mirror_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Gitlab::Git::RemoteMirror do
+  describe '#update' do
+    let(:project) { create(:project, :repository) }
+    let(:repository) { project.repository }
+    let(:ref_name) { 'foo' }
+    let(:options) { { only_branches_matching: ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS' } }
+
+    subject(:remote_mirror) { described_class.new(repository, ref_name, **options) }
+
+    it 'delegates to the Gitaly client' do
+      expect(repository.gitaly_remote_client)
+        .to receive(:update_remote_mirror)
+        .with(ref_name, ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS')
+
+      remote_mirror.update
+    end
+
+    it 'wraps gitaly errors' do
+      expect(repository.gitaly_remote_client)
+        .to receive(:update_remote_mirror)
+        .and_raise(StandardError)
+
+      expect { remote_mirror.update }.to raise_error(StandardError)
+    end
+  end
+end
diff --git a/spec/lib/gitlab/gitaly_client/remote_service_spec.rb b/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
index 9030a49983d..aff47599ad6 100644
--- a/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
@@ -68,6 +68,8 @@ describe Gitlab::GitalyClient::RemoteService do
   describe '#update_remote_mirror' do
     let(:ref_name) { 'remote_mirror_1' }
     let(:only_branches_matching) { ['my-branch', 'master'] }
+    let(:ssh_key) { 'KEY' }
+    let(:known_hosts) { 'KNOWN HOSTS' }
 
     it 'sends an update_remote_mirror message' do
       expect_any_instance_of(Gitaly::RemoteService::Stub)
@@ -75,7 +77,7 @@ describe Gitlab::GitalyClient::RemoteService do
         .with(kind_of(Enumerator), kind_of(Hash))
         .and_return(double(:update_remote_mirror_response))
 
-      client.update_remote_mirror(ref_name, only_branches_matching)
+      client.update_remote_mirror(ref_name, only_branches_matching, ssh_key: ssh_key, known_hosts: known_hosts)
     end
   end
 
diff --git a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
index d605fcbafee..46ca2340389 100644
--- a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
@@ -130,7 +130,7 @@ describe Gitlab::GitalyClient::RepositoryService do
     end
 
     context 'SSH auth' do
-      where(:ssh_import, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
+      where(:ssh_mirror_url, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
         false | false | 'key' | 'known_hosts' | {}
         false | true  | 'key' | 'known_hosts' | {}
         true  | false | 'key' | 'known_hosts' | { known_hosts: 'known_hosts' }
@@ -145,7 +145,7 @@ describe Gitlab::GitalyClient::RepositoryService do
         let(:ssh_auth) do
           double(
             :ssh_auth,
-            ssh_import?: ssh_import,
+            ssh_mirror_url?: ssh_mirror_url,
             ssh_key_auth?: ssh_key_auth,
             ssh_private_key: ssh_private_key,
             ssh_known_hosts: ssh_known_hosts
diff --git a/spec/models/remote_mirror_spec.rb b/spec/models/remote_mirror_spec.rb
index 3d316fb3c5b..da61a5f2771 100644
--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -222,14 +222,26 @@ describe RemoteMirror do
 
   context '#ensure_remote!' do
     let(:remote_mirror) { create(:project, :repository, :remote_mirror).remote_mirrors.first }
+    let(:project) { remote_mirror.project }
+    let(:repository) { project.repository }
 
     it 'adds a remote multiple times with no errors' do
-      expect(remote_mirror.project.repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
+      expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
 
       2.times do
         remote_mirror.ensure_remote!
       end
     end
+
+    context 'SSH public-key authentication' do
+      it 'omits the password from the URL' do
+        remote_mirror.update!(auth_method: 'ssh_public_key', url: 'ssh://git:pass@example.com')
+
+        expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, 'ssh://git@example.com')
+
+        remote_mirror.ensure_remote!
+      end
+    end
   end
 
   context '#updated_since?' do
diff --git a/spec/serializers/project_mirror_entity_spec.rb b/spec/serializers/project_mirror_entity_spec.rb
new file mode 100644
index 00000000000..ad0a8bbdff0
--- /dev/null
+++ b/spec/serializers/project_mirror_entity_spec.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe ProjectMirrorEntity do
+  let(:project) { create(:project, :repository, :remote_mirror) }
+  let(:entity) { described_class.new(project) }
+
+  subject { entity.as_json }
+
+  it 'exposes project-specific elements' do
+    is_expected.to include(:id, :remote_mirrors_attributes)
+  end
+end
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
new file mode 100644
index 00000000000..885b0b9b423
--- /dev/null
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+describe RemoteMirrorEntity do
+  let(:project) { create(:project, :repository, :remote_mirror) }
+  let(:remote_mirror) { project.remote_mirrors.first }
+  let(:entity) { described_class.new(remote_mirror) }
+
+  subject { entity.as_json }
+
+  it 'exposes remote-mirror-specific elements' do
+    is_expected.to include(
+      :id, :url, :enabled, :auth_method,
+      :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
+    )
+  end
+end
diff --git a/spec/services/projects/update_remote_mirror_service_spec.rb b/spec/services/projects/update_remote_mirror_service_spec.rb
index cd903bfe8a5..c1e5f788146 100644
--- a/spec/services/projects/update_remote_mirror_service_spec.rb
+++ b/spec/services/projects/update_remote_mirror_service_spec.rb
@@ -16,7 +16,7 @@ describe Projects::UpdateRemoteMirrorService do
     end
 
     it "ensures the remote exists" do
-      stub_fetch_remote(project, remote_name: remote_name)
+      stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
 
       expect(remote_mirror).to receive(:ensure_remote!)
 
@@ -26,13 +26,13 @@ describe Projects::UpdateRemoteMirrorService do
     it "fetches the remote repository" do
       expect(project.repository)
         .to receive(:fetch_remote)
-        .with(remote_mirror.remote_name, no_tags: true)
+        .with(remote_mirror.remote_name, no_tags: true, ssh_auth: remote_mirror)
 
       service.execute(remote_mirror)
     end
 
     it "returns success when updated succeeds" do
-      stub_fetch_remote(project, remote_name: remote_name)
+      stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
 
       result = service.execute(remote_mirror)
 
@@ -41,7 +41,7 @@ describe Projects::UpdateRemoteMirrorService do
 
     context 'when syncing all branches' do
       it "push all the branches the first time" do
-        stub_fetch_remote(project, remote_name: remote_name)
+        stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
 
         expect(remote_mirror).to receive(:update_repository).with({})
 
@@ -51,7 +51,7 @@ describe Projects::UpdateRemoteMirrorService do
 
     context 'when only syncing protected branches' do
       it "sync updated protected branches" do
-        stub_fetch_remote(project, remote_name: remote_name)
+        stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
         protected_branch = create_protected_branch(project)
         remote_mirror.only_protected_branches = true
 
@@ -69,10 +69,10 @@ describe Projects::UpdateRemoteMirrorService do
     end
   end
 
-  def stub_fetch_remote(project, remote_name:)
+  def stub_fetch_remote(project, remote_name:, ssh_auth:)
     allow(project.repository)
       .to receive(:fetch_remote)
-      .with(remote_name, no_tags: true) { fetch_remote(project.repository, remote_name) }
+      .with(remote_name, no_tags: true, ssh_auth: ssh_auth) { fetch_remote(project.repository, remote_name) }
   end
 
   def fetch_remote(repository, remote_name)