delta/gitlab/gitlab-shell.git/internal/command/receivepack, branch id-context-fields gitlab.com: gitlab-org/gitlab-shell.git Remove some unreliable tests 2021-07-30T16:11:15+00:00 Nick Thomas nick@gitlab.com 2021-07-30T15:09:07+00:00 72d70eab03d38b7c01054b7c598d17afe177212a Logrus buffers its output internally, which makes these tests fail intermittently. They're also not a good example to follow generally. We now have acceptance tests that exercise this functionality so I'm pretty relaxed about losing the expectations. However, we can test them by inspecting the server-received metadata too, so there's no loss of coverage here. The move from logrus to labkit for logging also makes these tests hard to justify keeping. 
Logrus buffers its output internally, which makes these tests fail
intermittently. They're also not a good example to follow generally.

We now have acceptance tests that exercise this functionality so I'm
pretty relaxed about losing the expectations. However, we can test
them by inspecting the server-received metadata too, so there's no loss
of coverage here.

The move from logrus to labkit for logging also makes these tests hard
to justify keeping.
fix: upgrade of the gitaly dependency 2021-06-02T08:56:45+00:00 Pavlo Strokov pstrokov@gitlab.com 2021-06-02T08:54:10+00:00 9f5a802258338483075aa440225d67e95616740f Gitaly project now properly respects module release flow and includes a module suffix in the package name. It requires to re-write all non-suffixed imports with suffixed of a specific version of tha module. With proper module versioning we don't need to use a 'replace' directive to point to specific commit and can use semantic versioning for the gitaly dependency. Part of: https://gitlab.com/gitlab-org/gitaly/-/issues/3177 
Gitaly project now properly respects module release flow
and includes a module suffix in the package name. It requires
to re-write all non-suffixed imports with suffixed of a specific
version of tha module. With proper module versioning we don't
need to use a 'replace' directive to point to specific commit
and can use semantic versioning for the gitaly dependency.

Part of: https://gitlab.com/gitlab-org/gitaly/-/issues/3177
Fix opentracing setup for gitlab-sshd 2021-05-17T14:52:55+00:00 Nick Thomas nick@gitlab.com 2021-05-14T15:47:16+00:00 de13980f3795679958a65881a813723da37894f5 Previously, opentracing (if configured) was initialized late in the gitlab-shell process's lifespan, coming just before making a gRPC call to Gitaly. By moving the opentracing initialization to be at process startup, we make it available for the whole process lifecycle, which is very useful to gitlab-sshd, as it means we'll only call tracing.Initialize() once on process startup, rather than once per SSH connection. To get this working, we need to introduce a context to gitlab-sshd. This carries the client/service name, but also carries an initial correlation ID. The main outcome of this is that all calls to the authorized_keys endpoint from a given gitlab-sshd process will now share a correlation ID. I don't have a strong opinion about this either way. Changelog: fixed 
Previously, opentracing (if configured) was initialized late in the
gitlab-shell process's lifespan, coming just before making a gRPC
call to Gitaly.

By moving the opentracing initialization to be at process startup, we
make it available for the whole process lifecycle, which is very useful
to gitlab-sshd, as it means we'll only call tracing.Initialize() once
on process startup, rather than once per SSH connection.

To get this working, we need to introduce a context to gitlab-sshd.
This carries the client/service name, but also carries an initial
correlation ID. The main outcome of this is that all calls to the
authorized_keys endpoint from a given gitlab-sshd process will now
share a correlation ID. I don't have a strong opinion about this either
way.

Changelog: fixed
Respect parent context for Gitaly calls 2021-05-05T16:07:23+00:00 Nick Thomas nick@gitlab.com 2021-05-05T15:00:35+00:00 d79d4777a88fcbf8f44771df76c4a6f1d3baa58b Without these changes, Gitaly calls would not be linked to a parent context. This means that they would have an unassociated correlationID, and Gitaly RPC calls would not be cancel()ed by parent context cancellation. Changelog: fixed 
Without these changes, Gitaly calls would not be linked to a parent
context. This means that they would have an unassociated correlationID,
and Gitaly RPC calls would not be cancel()ed by parent context
cancellation.

Changelog: fixed
Replace cleanup functions with t.Cleanup 2021-03-17T18:23:07+00:00 Igor Drozdov idrozdov@gitlab.com 2021-03-17T18:18:42+00:00 ee41d0dfb7b02a19f5926bfe24dbad1df417a29e In this case we don't need to propagate cleanup function. It simplifies the code. 
In this case we don't need to propagate cleanup
function. It simplifies the code.
chore: Refactor env introspection to rely on command initialization 2021-03-15T20:47:11+00:00 Lucas Charles me@lucascharles.me 2021-02-17T21:49:46+00:00 d539068dc372e46d10adee89e9b96b59156a2bb6 Refactors introspection of execution environment to rely on per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`) Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496 
Refactors introspection of execution environment to rely on
per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`)

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496
RFC: Simple built-in SSH server 2021-01-18T18:36:25+00:00 Lorenz Brun lorenz@dolansoft.org 2021-01-18T18:36:25+00:00 2a410f31b633ec5a994ecf1ff39dc8ffb9c6f828 






Fix incorrect actor used to check permissions for SSH receive-pack
2020-10-19T20:26:46+00:00

Stan Hu
stanhu@gmail.com

2020-10-19T20:06:59+00:00

354f5bf20c3d1b48481bd4e6f4d4219f830b986b

During a SSH receive-pack request (e.g. `git push`), gitlab-shell was
incorrectly using the user returned by the `/internal/allowed` API
endpoint to make an SSHReceivePack RPC call. This caused a number of
problems with deploy keys with write access:

1. Keys that were generated by a blocked user would be denied the
ability to write.

2. Keys that were generated by user that did not have write access to
the project would also be denied.

GitLab 12.4 removed the Ruby implementation of gitlab-shell in favor of
the Golang implementation, and these implementations worked slightly
differently. In
https://gitlab.com/gitlab-org/gitlab-shell/blob/v10.1.0/lib/gitlab_shell.rb,
the Ruby implementation would always use `@who` (e.g. `key-123`), but in
gitlab-shell v10.2.0 the Go implementation would always use the user
from the API response.

Reads did not have this issue because the user/deploy key is never
passed to Gitaly for additional permission checks. Writes need this
information for the pre-receive to check access to protected branches,
push rules, etc.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/479





During a SSH receive-pack request (e.g. `git push`), gitlab-shell was
incorrectly using the user returned by the `/internal/allowed` API
endpoint to make an SSHReceivePack RPC call. This caused a number of
problems with deploy keys with write access:

1. Keys that were generated by a blocked user would be denied the
ability to write.

2. Keys that were generated by user that did not have write access to
the project would also be denied.

GitLab 12.4 removed the Ruby implementation of gitlab-shell in favor of
the Golang implementation, and these implementations worked slightly
differently. In
https://gitlab.com/gitlab-org/gitlab-shell/blob/v10.1.0/lib/gitlab_shell.rb,
the Ruby implementation would always use `@who` (e.g. `key-123`), but in
gitlab-shell v10.2.0 the Go implementation would always use the user
from the API response.

Reads did not have this issue because the user/deploy key is never
passed to Gitaly for additional permission checks. Writes need this
information for the pre-receive to check access to protected branches,
push rules, etc.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/479







Make it possible to propagate correlation ID across processes
2020-09-21T04:40:40+00:00

Stan Hu
stanhu@gmail.com

2020-09-19T10:34:49+00:00

a487572a904cc149840488eefdfe121173d8bcb5

Previously, gitlab-shell did not pass a context through the application.
Correlation IDs were generated down the call stack instead of passed
around from the start execution.

This has several potential downsides:

1. It's easier for programming mistakes to be made in future that lead
to multiple correlation IDs being generated for a single request.
2. Correlation IDs cannot be passed in from upstream requests
3. Other advantages of context passing, such as distributed tracing is
not possible.

This commit changes the behavior:

1. Extract the correlation ID from the environment at the start of
the application.
2. If no correlation ID exists, generate a random one.
3. Pass the correlation ID to the GitLabNet API requests.

This change also enables other clients of GitLabNet (e.g. Gitaly) to
pass along the correlation ID in the internal API requests
(https://gitlab.com/gitlab-org/gitaly/-/issues/2725).

Fixes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/474





Previously, gitlab-shell did not pass a context through the application.
Correlation IDs were generated down the call stack instead of passed
around from the start execution.

This has several potential downsides:

1. It's easier for programming mistakes to be made in future that lead
to multiple correlation IDs being generated for a single request.
2. Correlation IDs cannot be passed in from upstream requests
3. Other advantages of context passing, such as distributed tracing is
not possible.

This commit changes the behavior:

1. Extract the correlation ID from the environment at the start of
the application.
2. If no correlation ID exists, generate a random one.
3. Pass the correlation ID to the GitLabNet API requests.

This change also enables other clients of GitLabNet (e.g. Gitaly) to
pass along the correlation ID in the internal API requests
(https://gitlab.com/gitlab-org/gitaly/-/issues/2725).

Fixes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/474







Generate and log correlation IDs
2020-07-31T12:58:42+00:00

Stan Hu
stanhu@gmail.com

2020-07-31T12:58:42+00:00

87402ed127d9855b8123e5e08a4c89d373cc79e8

This will make it easier to tie an SSH access request to Rails API and
Gitaly requests.





This will make it easier to tie an SSH access request to Rails API and
Gitaly requests.