author | Stan Hu <stanhu@gmail.com> | 2020-07-23 06:19:57 +0000 |
---|---|---|
committer | Igor Drozdov <idrozdov@gitlab.com> | 2020-07-23 06:19:57 +0000 |
commit | 6555cb81641af139aa65865c4a749a8c7d53e07e (patch) | |
tree | 5f2fe6b065969b0e71e5d3de18a9267951576dad | |
parent | b8b75477d9b49e809926826a1cd4bc413d018514 (diff) | |
download | gitlab-shell-6555cb81641af139aa65865c4a749a8c7d53e07e.tar.gz |
Log SSH key details
Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.
This commit adds logs for the following when available:
1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`
These fields make it possible for admins to identify the exact record
that was used to authenticate the user.
API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.
Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203
-rw-r--r-- | internal/command/receivepack/gitalycall_test.go | 2 | ||||
-rw-r--r-- | internal/command/uploadarchive/gitalycall_test.go | 2 | ||||
-rw-r--r-- | internal/command/uploadpack/gitalycall_test.go | 2 | ||||
-rw-r--r-- | internal/gitlabnet/accessverifier/client.go | 2 | ||||
-rw-r--r-- | internal/handler/exec.go | 2 | ||||
-rw-r--r-- | internal/testhelper/requesthandlers/requesthandlers.go | 6 |
6 files changed, 14 insertions, 2 deletions
diff --git a/internal/command/receivepack/gitalycall_test.go b/internal/command/receivepack/gitalycall_test.go
index e93860a..df922d9 100644
--- a/internal/command/receivepack/gitalycall_test.go
+++ b/internal/command/receivepack/gitalycall_test.go
@@ -54,4 +54,6 @@ func TestReceivePack(t *testing.T) {
 require.Contains(t, entries[1].Message, "executing git command")
 require.Contains(t, entries[1].Message, "command=git-receive-pack")
 require.Contains(t, entries[1].Message, "remote_ip=127.0.0.1")
+ require.Contains(t, entries[1].Message, "gl_key_type=key")
+ require.Contains(t, entries[1].Message, "gl_key_id=123")
 }
diff --git a/internal/command/uploadarchive/gitalycall_test.go b/internal/command/uploadarchive/gitalycall_test.go
index 488c390..eaeb2b7 100644
--- a/internal/command/uploadarchive/gitalycall_test.go
+++ b/internal/command/uploadarchive/gitalycall_test.go
@@ -49,4 +49,6 @@ func TestUploadPack(t *testing.T) {
 require.Equal(t, logrus.InfoLevel, entries[1].Level)
 require.Contains(t, entries[1].Message, "executing git command")
 require.Contains(t, entries[1].Message, "command=git-upload-archive")
+ require.Contains(t, entries[1].Message, "gl_key_type=key")
+ require.Contains(t, entries[1].Message, "gl_key_id=123")
 }
diff --git a/internal/command/uploadpack/gitalycall_test.go b/internal/command/uploadpack/gitalycall_test.go
index cf3e621..d6762a2 100644
--- a/internal/command/uploadpack/gitalycall_test.go
+++ b/internal/command/uploadpack/gitalycall_test.go
@@ -45,6 +45,8 @@ func TestUploadPack(t *testing.T) {
 assert.Equal(t, 2, len(entries))
 require.Contains(t, entries[1].Message, "executing git command")
 require.Contains(t, entries[1].Message, "command=git-upload-pack")
+ require.Contains(t, entries[1].Message, "gl_key_type=key")
+ require.Contains(t, entries[1].Message, "gl_key_id=123")
 for k, v := range map[string]string{
 "gitaly-feature-cache_invalidator": "true",
diff --git a/internal/gitlabnet/accessverifier/client.go b/internal/gitlabnet/accessverifier/client.go
index a9c7d97..234e854 100644
--- a/internal/gitlabnet/accessverifier/client.go
+++ b/internal/gitlabnet/accessverifier/client.go
@@ -55,6 +55,8 @@ type Response struct {
 Message string `json:"message"`
 Repo string `json:"gl_repository"`
 UserId string `json:"gl_id"`
+ KeyType string `json:"gl_key_type"`
+ KeyId int `json:"gl_key_id"`
 Username string `json:"gl_username"`
 GitConfigOptions []string `json:"git_config_options"`
 Gitaly Gitaly `json:"gitaly"`
diff --git a/internal/handler/exec.go b/internal/handler/exec.go
index 060b709..e4641b2 100644
--- a/internal/handler/exec.go
+++ b/internal/handler/exec.go
@@ -66,6 +66,8 @@ func (gc *GitalyCommand) LogExecution(repository *pb.Repository, response *acces
 "username": response.Username,
 "git_protocol": protocol,
 "remote_ip": sshenv.LocalAddr(),
+ "gl_key_type": response.KeyType,
+ "gl_key_id": response.KeyId,
 }
 log.WithFields(fields).Info("executing git command")
diff --git a/internal/testhelper/requesthandlers/requesthandlers.go b/internal/testhelper/requesthandlers/requesthandlers.go
index 73acc26..6d501d0 100644
--- a/internal/testhelper/requesthandlers/requesthandlers.go
+++ b/internal/testhelper/requesthandlers/requesthandlers.go
@@ -34,8 +34,10 @@ func BuildAllowedWithGitalyHandlers(t *testing.T, gitalyAddress string) []testse
 Path: "/api/v4/internal/allowed",
 Handler: func(w http.ResponseWriter, r *http.Request) {
 body := map[string]interface{}{
- "status": true,
- "gl_id": "1",
+ "status": true,
+ "gl_id": "1",
+ "gl_key_type": "key",
+ "gl_key_id": 123,
 "gitaly": map[string]interface{}{
 "repository": map[string]interface{}{
 "storage_name": "storage_name",
|
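Review bot: The `gl_key_type` and `gl_key_id` entries added to `fields` in `LogExecution` (internal/handler/exec.go hunk) are emitted unconditionally, so when the `/internal/allowed` response carries no key attribution — the commit message itself says these values are only present "when available" — the log line reads `gl_key_type= gl_key_id=0`, and an admin following it would search for a key record with id 0 instead of recognising that no key was involved. This follows from the new `KeyType string` / `KeyId int` fields on `Response` (client.go hunk): encoding/json leaves both at their zero value when the member is absent or null, so once logged a missing value is indistinguishable from a real one. I would gate the two entries on `response.KeyType != ""` as below; `fields` is a map literal in this hunk, so assigning after construction is straightforward. `LogExecution` begins before the hunk, and an older GitLab that does not yet return these members (the description points to a server-side MR) is exactly the case that would hit the zero-value path.

```go
	// … unchanged: fields map literal up to "remote_ip" …
	}
	// Only attribute the request to a key when the API actually reported one;
	// a bare gl_key_id=0 would point operators at a record that does not exist.
	if response.KeyType != "" {
		fields["gl_key_type"] = response.KeyType
		fields["gl_key_id"] = response.KeyId
	}
	log.WithFields(fields).Info("executing git command")
```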