delta/gitlab/gitlab-shell.git/internal/command, branch master gitlab.com: gitlab-org/gitlab-shell.git Add 2fa_verify command 2020-12-10T14:23:44+00:00 Imre Farkas ifarkas@gitlab.com 2020-12-01T13:46:27+00:00 1293a33014c9cfc82b0bc1b9525987476b2aa857 






Fix incorrect actor used to check permissions for SSH receive-pack
2020-10-19T20:26:46+00:00

Stan Hu
stanhu@gmail.com

2020-10-19T20:06:59+00:00

354f5bf20c3d1b48481bd4e6f4d4219f830b986b

During a SSH receive-pack request (e.g. `git push`), gitlab-shell was
incorrectly using the user returned by the `/internal/allowed` API
endpoint to make an SSHReceivePack RPC call. This caused a number of
problems with deploy keys with write access:

1. Keys that were generated by a blocked user would be denied the
ability to write.

2. Keys that were generated by user that did not have write access to
the project would also be denied.

GitLab 12.4 removed the Ruby implementation of gitlab-shell in favor of
the Golang implementation, and these implementations worked slightly
differently. In
https://gitlab.com/gitlab-org/gitlab-shell/blob/v10.1.0/lib/gitlab_shell.rb,
the Ruby implementation would always use `@who` (e.g. `key-123`), but in
gitlab-shell v10.2.0 the Go implementation would always use the user
from the API response.

Reads did not have this issue because the user/deploy key is never
passed to Gitaly for additional permission checks. Writes need this
information for the pre-receive to check access to protected branches,
push rules, etc.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/479





During a SSH receive-pack request (e.g. `git push`), gitlab-shell was
incorrectly using the user returned by the `/internal/allowed` API
endpoint to make an SSHReceivePack RPC call. This caused a number of
problems with deploy keys with write access:

1. Keys that were generated by a blocked user would be denied the
ability to write.

2. Keys that were generated by user that did not have write access to
the project would also be denied.

GitLab 12.4 removed the Ruby implementation of gitlab-shell in favor of
the Golang implementation, and these implementations worked slightly
differently. In
https://gitlab.com/gitlab-org/gitlab-shell/blob/v10.1.0/lib/gitlab_shell.rb,
the Ruby implementation would always use `@who` (e.g. `key-123`), but in
gitlab-shell v10.2.0 the Go implementation would always use the user
from the API response.

Reads did not have this issue because the user/deploy key is never
passed to Gitaly for additional permission checks. Writes need this
information for the pre-receive to check access to protected branches,
push rules, etc.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/479







Set SSL_CERT_DIR env var when building command
2020-10-19T07:53:12+00:00

Ash McKenzie
amckenzie@gitlab.com

2020-10-19T03:29:12+00:00

0478ba97950bd6606f823c8a26eeeecf617df653












Remove prefixing with SSL_CERT_DIR
2020-10-19T07:53:11+00:00

Ash McKenzie
amckenzie@gitlab.com

2020-10-19T03:41:45+00:00

f5f9ffc086fe52e2651fb498a76673bda3392bfd












tests: Replace assert with require
2020-10-15T06:44:05+00:00

Zeger-Jan van de Weg
git@zjvandeweg.nl

2020-10-15T06:44:05+00:00

308948b3838c88621e738762241e8d1980881a17

Testify features sub packages `assert` and `require`. The difference is
subtle, and lost on novice Golang developers that don't read the docs.
To create a more consistent code base `assert` will no longer be used.

This change was generated by a running a sed command on all `_test.go`
files, followed by `goimports -w`.





Testify features sub packages `assert` and `require`. The difference is
subtle, and lost on novice Golang developers that don't read the docs.
To create a more consistent code base `assert` will no longer be used.

This change was generated by a running a sed command on all `_test.go`
files, followed by `goimports -w`.







Drop "generated random correlation ID" log message
2020-10-13T21:17:46+00:00

Stan Hu
stanhu@gmail.com

2020-10-13T21:15:46+00:00

9fe764b25e1e860fbabbe4d89326b78e622243a9

This message happens all the time and doesn't add a lot of value.

Relates to https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/1275





This message happens all the time and doesn't add a lot of value.

Relates to https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/1275







Make it possible to propagate correlation ID across processes
2020-09-21T04:40:40+00:00

Stan Hu
stanhu@gmail.com

2020-09-19T10:34:49+00:00

a487572a904cc149840488eefdfe121173d8bcb5

Previously, gitlab-shell did not pass a context through the application.
Correlation IDs were generated down the call stack instead of passed
around from the start execution.

This has several potential downsides:

1. It's easier for programming mistakes to be made in future that lead
to multiple correlation IDs being generated for a single request.
2. Correlation IDs cannot be passed in from upstream requests
3. Other advantages of context passing, such as distributed tracing is
not possible.

This commit changes the behavior:

1. Extract the correlation ID from the environment at the start of
the application.
2. If no correlation ID exists, generate a random one.
3. Pass the correlation ID to the GitLabNet API requests.

This change also enables other clients of GitLabNet (e.g. Gitaly) to
pass along the correlation ID in the internal API requests
(https://gitlab.com/gitlab-org/gitaly/-/issues/2725).

Fixes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/474





Previously, gitlab-shell did not pass a context through the application.
Correlation IDs were generated down the call stack instead of passed
around from the start execution.

This has several potential downsides:

1. It's easier for programming mistakes to be made in future that lead
to multiple correlation IDs being generated for a single request.
2. Correlation IDs cannot be passed in from upstream requests
3. Other advantages of context passing, such as distributed tracing is
not possible.

This commit changes the behavior:

1. Extract the correlation ID from the environment at the start of
the application.
2. If no correlation ID exists, generate a random one.
3. Pass the correlation ID to the GitLabNet API requests.

This change also enables other clients of GitLabNet (e.g. Gitaly) to
pass along the correlation ID in the internal API requests
(https://gitlab.com/gitlab-org/gitaly/-/issues/2725).

Fixes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/474







Add support obtaining personal access tokens via SSH
2020-08-17T15:16:06+00:00

Taylan Develioglu
taylan.develioglu@booking.com

2020-07-06T12:09:55+00:00

b8d66d7923150402f54f13d793d3051efab3a832

Implements the feature requested in gitlab-org/gitlab#19672

This requires the internal api counterpart in gitlab-org/gitlab!36302 to
be merged first.

It can be used as follows:
```
censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token
remote:
remote: ========================================================================
remote:
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote:
remote: ========================================================================
remote:

censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30
Token:   aAY1G3YPeemECgUvxuXY
Scopes:  read_api,read_repository
Expires: 2020-08-07
```





Implements the feature requested in gitlab-org/gitlab#19672

This requires the internal api counterpart in gitlab-org/gitlab!36302 to
be merged first.

It can be used as follows:
```
censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token
remote:
remote: ========================================================================
remote:
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote:
remote: ========================================================================
remote:

censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30
Token:   aAY1G3YPeemECgUvxuXY
Scopes:  read_api,read_repository
Expires: 2020-08-07
```







Generate and log correlation IDs
2020-07-31T12:58:42+00:00

Stan Hu
stanhu@gmail.com

2020-07-31T12:58:42+00:00

87402ed127d9855b8123e5e08a4c89d373cc79e8

This will make it easier to tie an SSH access request to Rails API and
Gitaly requests.





This will make it easier to tie an SSH access request to Rails API and
Gitaly requests.







Log SSH key details
2020-07-23T06:19:57+00:00

Stan Hu
stanhu@gmail.com

2020-07-23T06:19:57+00:00

6555cb81641af139aa65865c4a749a8c7d53e07e

Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.

This commit adds logs for the following when available:

1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`

These fields make it possible for admins to identify the exact record
that was used to authenticate the user.

API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203





Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.

This commit adds logs for the following when available:

1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`

These fields make it possible for admins to identify the exact record
that was used to authenticate the user.

API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203