delta/gitlab/gitlab-shell.git/cmd/gitlab-shell, branch tmp-kerberos-testing

Draft: Kerberos changes for testing purposes

2022-11-24T10:55:00+00:00

go: Bump major version to v14

2022-07-05T06:44:14+00:00

While gitlab-shell currently has a major version of v14, the module path
it exposes is not using that major version like it is required by the Go
standard. This makes it impossible for dependents to import gitlab-shell
as a dependency without using a commit as version.

Fix this by changing the module path of gitlab-shell to instead be
`gitlab.com/gitlab-org/gitlab-shell/v14` and adjust all imports
accordingly.

Changelog: fixed

Use labkit for FIPS check

2022-05-05T15:40:30+00:00

New version of LabKit provides FIPS checks that we can use instead
of the custom code

Add support for FIPS encryption

2022-04-18T19:16:22+00:00

This commit adds support of using a FIPS-validated SSL library with
compiled Go executables when `FIPS_MODE=1 make` is run. A Go compiler
that supports BoringSSL either directly (e.g. the `dev.boringcrypto`
branch) or with a dynamically linked OpenSSL
(e.g. https://github.com/golang-fips/go) is required.

This is similar to the changes to support FIPS in GitLab Runner and in
GitLab Pages:
https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716

Changelog: added

Reuse Gitaly conns and Sidechannel

2022-03-07T13:54:15+00:00

When gitlab-sshd has been introduced we've started running our
own SSH server. In this case we're able to cache and reuse
Gitaly connections and Registry.

It helps to reduce memory usage.

Suppress internal errors in client output

2021-12-28T21:06:19+00:00

Until recently, Gitaly was silently swallowing any errors returned by
SSH `git upload-pack` processes. Clients would still receive stderr
output and a non-zero return code, but Gitlab-Shell would receive error
as nil and log success.

With 9deaf47f1ecb00f0f36d18ee4a0fb1576f5a0efe Gitaly will now return an
error when git fails, but this causes Gitlab-Shell to print out the
GRPC error code as a message to the client:

> fatal: couldn't find remote ref not-a-real-ref
> fatal: the remote end hung up unexpectedly
> remote:
> remote:
> ========================================================================
> remote:
> remote: rpc error: code = Internal desc = SSHUploadPack: exit status 128
> remote:
> remote:
> ========================================================================
> remote:

The `remote:` text gives no additional context for the user and adds
clutter.

This commit suppresses the additional message added by Gitlab-Shell on
failure when the error type is `Internal`, returning client output to
the format it was prior to the Gitaly change.

Relax key and username matching for sshd

2021-11-11T00:48:26+00:00

Due to the way sshd works, gitlab-shell could be called with a single
string in the form:

```
/path/to/gitlab-shell -c key-id
```

However, due to the tightening of the regular expressions in fcff692b
this string no longer matches, so logins would fail with:

```
Failed to get username: who='' is invalid
```

This can be reproduced by changing the user's shell to point to
gitlab-shell. For example:

```
usermod git -s /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
```

While setting gitlab-shell as the user's shell isn't officially
supported, gitlab-shell still should be able to cope with the key being
specified as the last argument. We now split the argument list and use
the last value.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/530

Log command invocation

2021-10-07T09:43:27+00:00

Use reflection to log the command we are about to execute, both in
gitlab-shell and gitlab-sshd. Include the environment, which has all
the context we need to understand what the command is expected to do.

Changelog: added

Don't swallow an error parsing SSH_ORIGINAL_COMMAND

2021-09-27T19:25:10+00:00

refactor: unify instantiation of command.Shell

2021-09-20T08:19:41+00:00