delta/gitlab/gitlab-shell.git/internal, branch id-use-docker-image-for-code-intelligence gitlab.com: gitlab-org/gitlab-shell.git Fix gitlab-shell not handling relative URLs over UNIX sockets 2020-08-20T23:54:36+00:00 Stan Hu stanhu@gmail.com 2020-08-18T05:19:56+00:00 eb3b35b9b0cc55fb8464d9b0662e6b94aafc54cc From https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4498#note_397401883, if you specify a relative path such as: ``` external_url 'http://gitlab.example.com/gitlab' ``` gitlab-shell doesn't have a way to pass the `/gitlab` to the host. For example, let's say we have: ``` gitlab_url: "http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket" ``` If we have `/gitlab` as the relative path, how do we specify what is the UNIX socket path and what is the relative path? If we specify: ``` gitlab_url: "http+unix:///var/opt/gitlab/gitlab-workhorse.socket/gitlab ``` This is ambiguous. Is the socket in `/var/opt/gitlab/gitlab-workhorse.socket/gitlab` or in `/var/opt/gitlab/gitlab-workhorse.socket`? To fix this, this merge request adds an optional `gitlab_relative_url_root` config parameter: ``` gitlab_url: "http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket" gitlab_relative_url_root: /gitlab ``` This is only used with UNIX domain sockets to disambiguate the socket and base URL path. If `gitlab_url` uses `http://` or `https://`, then `gitlab_relative_url_root` is ignored. Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/476 
From
https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4498#note_397401883,
if you specify a relative path such as:

```
external_url 'http://gitlab.example.com/gitlab'
```

gitlab-shell doesn't have a way to pass the `/gitlab` to the host. For example, let's say we have:

```
gitlab_url: "http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket"
```

If we have `/gitlab` as the relative path, how do we specify what is the
UNIX socket path and what is the relative path? If we specify:

```
gitlab_url: "http+unix:///var/opt/gitlab/gitlab-workhorse.socket/gitlab
```

This is ambiguous. Is the socket in
`/var/opt/gitlab/gitlab-workhorse.socket/gitlab` or in
`/var/opt/gitlab/gitlab-workhorse.socket`?

To fix this, this merge request adds an optional
`gitlab_relative_url_root` config parameter:

```
gitlab_url: "http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket"
gitlab_relative_url_root: /gitlab
```

This is only used with UNIX domain sockets to disambiguate the socket
and base URL path. If `gitlab_url` uses `http://` or `https://`, then
`gitlab_relative_url_root` is ignored.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/476
Add support obtaining personal access tokens via SSH 2020-08-17T15:16:06+00:00 Taylan Develioglu taylan.develioglu@booking.com 2020-07-06T12:09:55+00:00 b8d66d7923150402f54f13d793d3051efab3a832 Implements the feature requested in gitlab-org/gitlab#19672 This requires the internal api counterpart in gitlab-org/gitlab!36302 to be merged first. It can be used as follows: ``` censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token remote: remote: ======================================================================== remote: remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days] remote: remote: ======================================================================== remote: censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30 Token: aAY1G3YPeemECgUvxuXY Scopes: read_api,read_repository Expires: 2020-08-07 ``` 
Implements the feature requested in gitlab-org/gitlab#19672

This requires the internal api counterpart in gitlab-org/gitlab!36302 to
be merged first.

It can be used as follows:
```
censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token
remote:
remote: ========================================================================
remote:
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote:
remote: ========================================================================
remote:

censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30
Token:   aAY1G3YPeemECgUvxuXY
Scopes:  read_api,read_repository
Expires: 2020-08-07
```
Generate and log correlation IDs 2020-07-31T12:58:42+00:00 Stan Hu stanhu@gmail.com 2020-07-31T12:58:42+00:00 87402ed127d9855b8123e5e08a4c89d373cc79e8 This will make it easier to tie an SSH access request to Rails API and Gitaly requests. 
This will make it easier to tie an SSH access request to Rails API and
Gitaly requests.
Revert "Update executable.go" 2020-07-23T12:38:37+00:00 Igor Drozdov idrozdov@gitlab.com 2020-07-23T12:38:37+00:00 bbb1de8d2b3f3dfc872308f804743b8c30626791 This reverts commit 869aeb9057962b089abfd8ce0b6d4a0962bbb154 
This reverts commit 869aeb9057962b089abfd8ce0b6d4a0962bbb154
 Update executable.go 2020-07-23T12:37:53+00:00 Igor Drozdov idrozdov@gitlab.com 2020-07-23T12:37:53+00:00 869aeb9057962b089abfd8ce0b6d4a0962bbb154 






Log SSH key details
2020-07-23T06:19:57+00:00

Stan Hu
stanhu@gmail.com

2020-07-23T06:19:57+00:00

6555cb81641af139aa65865c4a749a8c7d53e07e

Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.

This commit adds logs for the following when available:

1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`

These fields make it possible for admins to identify the exact record
that was used to authenticate the user.

API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203





Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.

This commit adds logs for the following when available:

1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`

These fields make it possible for admins to identify the exact record
that was used to authenticate the user.

API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203







Log remote IP for executed commands
2020-07-20T20:15:49+00:00

Stan Hu
stanhu@gmail.com

2020-07-20T06:24:32+00:00

7d62bbc3dd92f1e73b3e2a199f6b6b613d5821d9

Admins may want to know what client IP originated the request. This
commit adds a `remote_ip` field to the log that extracts the IP address
from the `SSH_CONNECTION` environment variable.

Closes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/199





Admins may want to know what client IP originated the request. This
commit adds a `remote_ip` field to the log that extracts the IP address
from the `SSH_CONNECTION` environment variable.

Closes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/199







Pass in ssl_cert_dir config setting
2020-07-02T07:40:22+00:00

Ash McKenzie
amckenzie@gitlab.com

2020-07-01T10:02:32+00:00

fe09c395e8d64555fbc8f0f32f4606870f3c2e90












Include SSL_CERT_DIR env var in command
2020-07-02T07:40:22+00:00

Ash McKenzie
amckenzie@gitlab.com

2020-07-01T10:01:48+00:00

d32959e399ff8770e67abeb80fa83cdd3c52fde9












Support new ssl_cert_dir config setting
2020-07-01T10:00:36+00:00

Ash McKenzie
amckenzie@gitlab.com

2020-07-01T09:55:22+00:00

5d8d00fb7139612cbab9a3c1b0187816302d7d4a