summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Speicher <rspeicher@gmail.com>2018-11-20 13:43:24 +0000
committerRobert Speicher <rspeicher@gmail.com>2018-11-20 13:43:24 +0000
commit9fe85710f6bfae2363c01c827be434506ddca00a (patch)
treed30b066658df669efab8bceb14f9986bdfc02f58
parent2ea250d4bff03b656403e85db14cc5a4be593c67 (diff)
parentf1bc7b6eb5cb9beab55e4edac87cc5e0b7ceb069 (diff)
downloadgitlab-ce-9fe85710f6bfae2363c01c827be434506ddca00a.tar.gz
Merge branch '49565-ssh-push-mirroring' into 'master'
SSH public-key authentication for push mirroring Closes #49565 See merge request gitlab-org/gitlab-ce!22982
-rw-r--r--app/assets/javascripts/mirrors/constants.js4
-rw-r--r--app/assets/javascripts/mirrors/mirror_repos.js (renamed from app/assets/javascripts/pages/projects/settings/repository/show/mirror_repos.js)14
-rw-r--r--app/assets/javascripts/mirrors/ssh_mirror.js299
-rw-r--r--app/assets/javascripts/pages/projects/settings/repository/show/index.js2
-rw-r--r--app/assets/stylesheets/pages/projects.scss24
-rw-r--r--app/controllers/projects/mirrors_controller.rb4
-rw-r--r--app/helpers/mirror_helper.rb5
-rw-r--r--app/models/concerns/mirror_authentication.rb91
-rw-r--r--app/models/remote_mirror.rb45
-rw-r--r--app/serializers/project_mirror_entity.rb8
-rw-r--r--app/serializers/remote_mirror_entity.rb15
-rw-r--r--app/services/projects/update_remote_mirror_service.rb2
-rw-r--r--app/views/projects/mirrors/_authentication_method.html.haml36
-rw-r--r--app/views/projects/mirrors/_mirror_repos.html.haml2
-rw-r--r--app/views/projects/mirrors/_mirror_repos_form.html.haml15
-rw-r--r--app/views/projects/mirrors/_mirror_repos_push.html.haml8
-rw-r--r--app/views/projects/mirrors/_regenerate_public_ssh_key_confirm_modal.html.haml13
-rw-r--r--app/views/projects/mirrors/_show.html.haml1
-rw-r--r--app/views/projects/mirrors/_ssh_host_keys.html.haml33
-rw-r--r--app/views/projects/settings/repository/show.html.haml2
-rw-r--r--changelogs/unreleased/49565-ssh-push-mirroring.yml5
-rw-r--r--doc/workflow/repository_mirroring.md51
-rw-r--r--lib/gitlab/git/remote_mirror.rb16
-rw-r--r--lib/gitlab/gitaly_client/remote_service.rb9
-rw-r--r--lib/gitlab/gitaly_client/repository_service.rb2
-rw-r--r--locale/gitlab.pot42
-rw-r--r--spec/controllers/projects/mirrors_controller_spec.rb25
-rw-r--r--spec/features/projects/settings/repository_settings_spec.rb21
-rw-r--r--spec/lib/gitlab/git/remote_mirror_spec.rb28
-rw-r--r--spec/lib/gitlab/gitaly_client/remote_service_spec.rb4
-rw-r--r--spec/lib/gitlab/gitaly_client/repository_service_spec.rb4
-rw-r--r--spec/models/remote_mirror_spec.rb14
-rw-r--r--spec/serializers/project_mirror_entity_spec.rb12
-rw-r--r--spec/serializers/remote_mirror_entity_spec.rb16
-rw-r--r--spec/services/projects/update_remote_mirror_service_spec.rb14
35 files changed, 813 insertions, 73 deletions
diff --git a/app/assets/javascripts/mirrors/constants.js b/app/assets/javascripts/mirrors/constants.js
new file mode 100644
index 00000000000..8dd6a726425
--- /dev/null
+++ b/app/assets/javascripts/mirrors/constants.js
@@ -0,0 +1,4 @@
+export default {
+ PASSWORD: 'password',
+ SSH: 'ssh_public_key',
+};
diff --git a/app/assets/javascripts/pages/projects/settings/repository/show/mirror_repos.js b/app/assets/javascripts/mirrors/mirror_repos.js
index 4c56af20cc3..0d8f31d6bfc 100644
--- a/app/assets/javascripts/pages/projects/settings/repository/show/mirror_repos.js
+++ b/app/assets/javascripts/mirrors/mirror_repos.js
@@ -3,10 +3,12 @@ import _ from 'underscore';
import { __ } from '~/locale';
import Flash from '~/flash';
import axios from '~/lib/utils/axios_utils';
+import SSHMirror from './ssh_mirror';
export default class MirrorRepos {
constructor(container) {
this.$container = $(container);
+ this.$password = null;
this.$form = $('.js-mirror-form', this.$container);
this.$urlInput = $('.js-mirror-url', this.$form);
this.$protectedBranchesInput = $('.js-mirror-protected', this.$form);
@@ -26,6 +28,18 @@ export default class MirrorRepos {
this.$authMethod.on('change', () => this.togglePassword());
this.$password.on('input.updateUrl', () => this.debouncedUpdateUrl());
+
+ this.initMirrorSSH();
+ }
+
+ initMirrorSSH() {
+ if (this.$password) {
+ this.$password.off('input.updateUrl');
+ }
+ this.$password = undefined;
+
+ this.sshMirror = new SSHMirror('.js-mirror-form');
+ this.sshMirror.init();
}
updateUrl() {
diff --git a/app/assets/javascripts/mirrors/ssh_mirror.js b/app/assets/javascripts/mirrors/ssh_mirror.js
new file mode 100644
index 00000000000..5bdf5d6277a
--- /dev/null
+++ b/app/assets/javascripts/mirrors/ssh_mirror.js
@@ -0,0 +1,299 @@
+import $ from 'jquery';
+import _ from 'underscore';
+import { __ } from '~/locale';
+import axios from '~/lib/utils/axios_utils';
+import Flash from '~/flash';
+import { backOff } from '~/lib/utils/common_utils';
+import AUTH_METHOD from './constants';
+
+export default class SSHMirror {
+ constructor(formSelector) {
+ this.backOffRequestCounter = 0;
+
+ this.$form = $(formSelector);
+
+ this.$repositoryUrl = this.$form.find('.js-repo-url');
+ this.$knownHosts = this.$form.find('.js-known-hosts');
+
+ this.$sectionSSHHostKeys = this.$form.find('.js-ssh-host-keys-section');
+ this.$hostKeysInformation = this.$form.find('.js-fingerprint-ssh-info');
+ this.$btnDetectHostKeys = this.$form.find('.js-detect-host-keys');
+ this.$btnSSHHostsShowAdvanced = this.$form.find('.btn-show-advanced');
+ this.$dropdownAuthType = this.$form.find('.js-mirror-auth-type');
+
+ this.$wellAuthTypeChanging = this.$form.find('.js-well-changing-auth');
+ this.$wellPasswordAuth = this.$form.find('.js-well-password-auth');
+ this.$wellSSHAuth = this.$form.find('.js-well-ssh-auth');
+ this.$sshPublicKeyWrap = this.$form.find('.js-ssh-public-key-wrap');
+ this.$regeneratePublicSshKeyButton = this.$wellSSHAuth.find('.js-btn-regenerate-ssh-key');
+ this.$regeneratePublicSshKeyModal = this.$wellSSHAuth.find(
+ '.js-regenerate-public-ssh-key-confirm-modal',
+ );
+ }
+
+ init() {
+ this.handleRepositoryUrlInput(true);
+
+ this.$repositoryUrl.on('keyup', () => this.handleRepositoryUrlInput());
+ this.$knownHosts.on('keyup', e => this.handleSSHKnownHostsInput(e));
+ this.$dropdownAuthType.on('change', e => this.handleAuthTypeChange(e));
+ this.$btnDetectHostKeys.on('click', e => this.handleDetectHostKeys(e));
+ this.$btnSSHHostsShowAdvanced.on('click', e => this.handleSSHHostsAdvanced(e));
+ this.$regeneratePublicSshKeyButton.on('click', () =>
+ this.$regeneratePublicSshKeyModal.toggle(true),
+ );
+ $('.js-confirm', this.$regeneratePublicSshKeyModal).on('click', e =>
+ this.regeneratePublicSshKey(e),
+ );
+ $('.js-cancel', this.$regeneratePublicSshKeyModal).on('click', () =>
+ this.$regeneratePublicSshKeyModal.toggle(false),
+ );
+ }
+
+ /**
+ * Method to monitor Git Repository URL input
+ */
+ handleRepositoryUrlInput(forceMatch) {
+ const protocol = this.$repositoryUrl.val().split('://')[0];
+ const protRegEx = /http|git/;
+
+ // Validate URL and verify if it consists only supported protocols
+ if (forceMatch || this.$form.get(0).checkValidity()) {
+ const isSsh = protocol === 'ssh';
+ // Hide/Show SSH Host keys section only for SSH URLs
+ this.$sectionSSHHostKeys.collapse(isSsh ? 'show' : 'hide');
+ this.$btnDetectHostKeys.enable();
+
+ // Verify if URL is http, https or git and hide/show Auth type dropdown
+ // as we don't support auth type SSH for non-SSH URLs
+ const matchesProtocol = protRegEx.test(protocol);
+ this.$dropdownAuthType.attr('disabled', matchesProtocol);
+
+ if (forceMatch && isSsh) {
+ this.$dropdownAuthType.val(AUTH_METHOD.SSH);
+ this.toggleAuthWell(AUTH_METHOD.SSH);
+ } else {
+ this.$dropdownAuthType.val(AUTH_METHOD.PASSWORD);
+ this.toggleAuthWell(AUTH_METHOD.PASSWORD);
+ }
+ }
+ }
+
+ /**
+ * Click event handler to detect SSH Host key and fingerprints from
+ * provided Git Repository URL.
+ */
+ handleDetectHostKeys() {
+ const projectMirrorSSHEndpoint = this.$form.data('project-mirror-ssh-endpoint');
+ const repositoryUrl = this.$repositoryUrl.val();
+ const currentKnownHosts = this.$knownHosts.val();
+ const $btnLoadSpinner = this.$btnDetectHostKeys.find('.js-spinner');
+
+ // Disable button while we make request
+ this.$btnDetectHostKeys.disable();
+ $btnLoadSpinner.removeClass('d-none');
+
+ // Make backOff polling to get data
+ backOff((next, stop) => {
+ axios
+ .get(
+ `${projectMirrorSSHEndpoint}?ssh_url=${repositoryUrl}&compare_host_keys=${encodeURIComponent(
+ currentKnownHosts,
+ )}`,
+ )
+ .then(({ data, status }) => {
+ if (status === 204) {
+ this.backOffRequestCounter += 1;
+ if (this.backOffRequestCounter < 3) {
+ next();
+ } else {
+ stop(data);
+ }
+ } else {
+ stop(data);
+ }
+ })
+ .catch(stop);
+ })
+ .then(res => {
+ $btnLoadSpinner.addClass('d-none');
+ // Once data is received, we show verification info along with Host keys and fingerprints
+ this.$hostKeysInformation
+ .find('.js-fingerprint-verification')
+ .collapse(res.host_keys_changed ? 'hide' : 'show');
+ if (res.known_hosts && res.fingerprints) {
+ this.showSSHInformation(res);
+ }
+ })
+ .catch(({ response }) => {
+ // Show failure message when there's an error and re-enable Detect host keys button
+ const failureMessage = response.data
+ ? response.data.message
+ : __('An error occurred while detecting host keys');
+ Flash(failureMessage);
+
+ $btnLoadSpinner.addClass('hidden');
+ this.$btnDetectHostKeys.enable();
+ });
+ }
+
+ /**
+ * Method to monitor known hosts textarea input
+ */
+ handleSSHKnownHostsInput() {
+ // Strike-out fingerprints and remove verification info if `known hosts` value is altered
+ this.$hostKeysInformation.find('.js-fingerprints-list').addClass('invalidate');
+ this.$hostKeysInformation.find('.js-fingerprint-verification').collapse('hide');
+ }
+
+ /**
+ * Click event handler for `Show advanced` button under SSH Host keys section
+ */
+ handleSSHHostsAdvanced() {
+ const $knownHost = this.$sectionSSHHostKeys.find('.js-ssh-known-hosts');
+ const toggleShowAdvanced = $knownHost.hasClass('show');
+
+ $knownHost.collapse('toggle');
+ this.$btnSSHHostsShowAdvanced.toggleClass('show-advanced', toggleShowAdvanced);
+ }
+
+ /**
+ * Authentication method dropdown change event listener
+ */
+ handleAuthTypeChange() {
+ const projectMirrorAuthTypeEndpoint = `${this.$form.attr('action')}.json`;
+ const $sshPublicKey = this.$sshPublicKeyWrap.find('.ssh-public-key');
+ const selectedAuthType = this.$dropdownAuthType.val();
+
+ this.$wellPasswordAuth.collapse('hide');
+ this.$wellSSHAuth.collapse('hide');
+
+ // This request should happen only if selected Auth type was SSH
+ // and SSH Public key was not present on page load
+ if (selectedAuthType === AUTH_METHOD.SSH && !$sshPublicKey.text().trim()) {
+ if (!this.$wellSSHAuth.length) return;
+
+ // Construct request body
+ const authTypeData = {
+ project: {
+ ...this.$regeneratePublicSshKeyButton.data().projectData,
+ },
+ };
+
+ this.$wellAuthTypeChanging.collapse('show');
+ this.$dropdownAuthType.disable();
+
+ axios
+ .put(projectMirrorAuthTypeEndpoint, JSON.stringify(authTypeData), {
+ headers: {
+ 'Content-Type': 'application/json; charset=utf-8',
+ },
+ })
+ .then(({ data }) => {
+ // Show SSH public key container and fill in public key
+ this.toggleAuthWell(selectedAuthType);
+ this.toggleSSHAuthWellMessage(true);
+ this.setSSHPublicKey(data.import_data_attributes.ssh_public_key);
+
+ this.$wellAuthTypeChanging.collapse('hide');
+ this.$dropdownAuthType.enable();
+ })
+ .catch(() => {
+ Flash(__('Something went wrong on our end.'));
+
+ this.$wellAuthTypeChanging.collapse('hide');
+ this.$dropdownAuthType.enable();
+ });
+ } else {
+ this.toggleAuthWell(selectedAuthType);
+ this.$wellSSHAuth.find('.js-ssh-public-key-present').collapse('show');
+ }
+ }
+
+ /**
+ * Method to parse SSH Host keys data and render it
+ * under SSH host keys section
+ */
+ showSSHInformation(sshHostKeys) {
+ const $fingerprintsList = this.$hostKeysInformation.find('.js-fingerprints-list');
+ let fingerprints = '';
+ sshHostKeys.fingerprints.forEach(fingerprint => {
+ const escFingerprints = _.escape(fingerprint.fingerprint);
+ fingerprints += `<code>${escFingerprints}</code>`;
+ });
+
+ this.$hostKeysInformation.collapse('show');
+ $fingerprintsList.removeClass('invalidate');
+ $fingerprintsList.html(fingerprints);
+ this.$sectionSSHHostKeys.find('.js-known-hosts').val(sshHostKeys.known_hosts);
+ }
+
+ /**
+ * Toggle Auth type information container based on provided `authType`
+ */
+ toggleAuthWell(authType) {
+ this.$wellPasswordAuth.collapse(authType === AUTH_METHOD.PASSWORD ? 'show' : 'hide');
+ this.$wellSSHAuth.collapse(authType === AUTH_METHOD.SSH ? 'show' : 'hide');
+ }
+
+ /**
+ * Toggle SSH auth information message
+ */
+ toggleSSHAuthWellMessage(sshKeyPresent) {
+ this.$sshPublicKeyWrap.collapse(sshKeyPresent ? 'show' : 'hide');
+ this.$wellSSHAuth.find('.js-ssh-public-key-present').collapse(sshKeyPresent ? 'show' : 'hide');
+ this.$regeneratePublicSshKeyButton.collapse(sshKeyPresent ? 'show' : 'hide');
+ this.$wellSSHAuth.find('.js-ssh-public-key-pending').collapse(sshKeyPresent ? 'hide' : 'show');
+ }
+
+ /**
+ * Sets SSH Public key to Clipboard button and shows it on UI.
+ */
+ setSSHPublicKey(sshPublicKey) {
+ this.$sshPublicKeyWrap.find('.ssh-public-key').text(sshPublicKey);
+ this.$sshPublicKeyWrap
+ .find('.btn-copy-ssh-public-key')
+ .attr('data-clipboard-text', sshPublicKey);
+ }
+
+ regeneratePublicSshKey(event) {
+ event.preventDefault();
+
+ this.$regeneratePublicSshKeyModal.toggle(false);
+
+ const button = this.$regeneratePublicSshKeyButton;
+ const spinner = $('.js-spinner', button);
+ const endpoint = button.data('endpoint');
+ const authTypeData = {
+ project: {
+ ...this.$regeneratePublicSshKeyButton.data().projectData,
+ },
+ };
+
+ button.attr('disabled', 'disabled');
+ spinner.removeClass('d-none');
+
+ axios
+ .patch(endpoint, authTypeData)
+ .then(({ data }) => {
+ button.removeAttr('disabled');
+ spinner.addClass('d-none');
+
+ this.setSSHPublicKey(data.import_data_attributes.ssh_public_key);
+ })
+ .catch(() => {
+ Flash(_('Unable to regenerate public ssh key.'));
+ });
+ }
+
+ destroy() {
+ this.$repositoryUrl.off('keyup');
+ this.$form.find('.js-known-hosts').off('keyup');
+ this.$dropdownAuthType.off('change');
+ this.$btnDetectHostKeys.off('click');
+ this.$btnSSHHostsShowAdvanced.off('click');
+ this.$regeneratePublicSshKeyButton.off('click');
+ $('.js-confirm', this.$regeneratePublicSshKeyModal).off('click');
+ $('.js-cancel', this.$regeneratePublicSshKeyModal).off('click');
+ }
+}
diff --git a/app/assets/javascripts/pages/projects/settings/repository/show/index.js b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
index 78cf5406e43..1ef4b460263 100644
--- a/app/assets/javascripts/pages/projects/settings/repository/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
@@ -1,5 +1,5 @@
import initForm from '../form';
-import MirrorRepos from './mirror_repos';
+import MirrorRepos from '~/mirrors/mirror_repos';
document.addEventListener('DOMContentLoaded', () => {
initForm();
diff --git a/app/assets/stylesheets/pages/projects.scss b/app/assets/stylesheets/pages/projects.scss
index da3d8aa53ad..c7f986247bd 100644
--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@@ -1223,3 +1223,27 @@ pre.light-well {
opacity: 1;
}
}
+
+.project-mirror-settings {
+ .btn-show-advanced {
+ min-width: 135px;
+
+ .label-show {
+ display: none;
+ }
+
+ .label-hide {
+ display: inline;
+ }
+
+ &.show-advanced {
+ .label-show {
+ display: inline;
+ }
+
+ .label-hide {
+ display: none;
+ }
+ }
+ }
+}
diff --git a/app/controllers/projects/mirrors_controller.rb b/app/controllers/projects/mirrors_controller.rb
index 53176978416..ab7ab13657a 100644
--- a/app/controllers/projects/mirrors_controller.rb
+++ b/app/controllers/projects/mirrors_controller.rb
@@ -77,6 +77,10 @@ class Projects::MirrorsController < Projects::ApplicationController
id
enabled
only_protected_branches
+ auth_method
+ password
+ ssh_known_hosts
+ regenerate_ssh_private_key
]
]
end
diff --git a/app/helpers/mirror_helper.rb b/app/helpers/mirror_helper.rb
index a4025730397..65c7cd82832 100644
--- a/app/helpers/mirror_helper.rb
+++ b/app/helpers/mirror_helper.rb
@@ -2,6 +2,9 @@
module MirrorHelper
def mirrors_form_data_attributes
- { project_mirror_endpoint: project_mirror_path(@project) }
+ {
+ project_mirror_ssh_endpoint: ssh_host_keys_project_mirror_path(@project, :json),
+ project_mirror_endpoint: project_mirror_path(@project, :json)
+ }
end
end
diff --git a/app/models/concerns/mirror_authentication.rb b/app/models/concerns/mirror_authentication.rb
new file mode 100644
index 00000000000..e3e1a0441f8
--- /dev/null
+++ b/app/models/concerns/mirror_authentication.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+# Mirroring may use password or SSH public-key authentication. This concern
+# implements support for persisting the necessary data in a `credentials`
+# serialized attribute. It also needs an `url` method to be defined
+module MirrorAuthentication
+ SSH_PRIVATE_KEY_OPTS = {
+ type: 'RSA',
+ bits: 4096
+ }.freeze
+
+ extend ActiveSupport::Concern
+
+ included do
+ validates :auth_method, inclusion: { in: %w[password ssh_public_key] }, allow_blank: true
+
+ # We should generate a key even if there's no SSH URL present
+ before_validation :generate_ssh_private_key!, if: -> {
+ regenerate_ssh_private_key || ( auth_method == 'ssh_public_key' && ssh_private_key.blank? )
+ }
+
+ credentials_field :auth_method, reader: false
+ credentials_field :ssh_known_hosts
+ credentials_field :ssh_known_hosts_verified_at
+ credentials_field :ssh_known_hosts_verified_by_id
+ credentials_field :ssh_private_key
+ credentials_field :user
+ credentials_field :password
+ end
+
+ class_methods do
+ def credentials_field(name, reader: true)
+ if reader
+ define_method(name) do
+ credentials[name] if credentials.present?
+ end
+ end
+
+ define_method("#{name}=") do |value|
+ self.credentials ||= {}
+
+ # Removal of the password, username, etc, generally causes an update of
+ # the value to the empty string. Detect and gracefully handle this case.
+ if value.present?
+ self.credentials[name] = value
+ else
+ self.credentials.delete(name)
+ end
+ end
+ end
+ end
+
+ attr_accessor :regenerate_ssh_private_key
+
+ def ssh_key_auth?
+ ssh_mirror_url? && auth_method == 'ssh_public_key'
+ end
+
+ def password_auth?
+ auth_method == 'password'
+ end
+
+ def ssh_mirror_url?
+ url&.start_with?('ssh://')
+ end
+
+ def ssh_known_hosts_verified_by
+ @ssh_known_hosts_verified_by ||= ::User.find_by(id: ssh_known_hosts_verified_by_id)
+ end
+
+ def ssh_known_hosts_fingerprints
+ ::SshHostKey.fingerprint_host_keys(ssh_known_hosts)
+ end
+
+ def auth_method
+ auth_method = credentials.fetch(:auth_method, nil) if credentials.present?
+
+ auth_method.presence || 'password'
+ end
+
+ def ssh_public_key
+ return nil if ssh_private_key.blank?
+
+ comment = "git@#{::Gitlab.config.gitlab.host}"
+ ::SSHKey.new(ssh_private_key, comment: comment).ssh_public_key
+ end
+
+ def generate_ssh_private_key!
+ self.ssh_private_key = ::SSHKey.generate(SSH_PRIVATE_KEY_OPTS).private_key
+ end
+end
diff --git a/app/models/remote_mirror.rb b/app/models/remote_mirror.rb
index c1f53b5da4f..a3415a4a14c 100644
--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@@ -2,6 +2,7 @@
class RemoteMirror < ActiveRecord::Base
include AfterCommitQueue
+ include MirrorAuthentication
PROTECTED_BACKOFF_DELAY = 1.minute
UNPROTECTED_BACKOFF_DELAY = 5.minutes
@@ -28,6 +29,8 @@ class RemoteMirror < ActiveRecord::Base
after_commit :remove_remote, on: :destroy
+ before_validation :store_credentials
+
scope :enabled, -> { where(enabled: true) }
scope :started, -> { with_update_status(:started) }
scope :stuck, -> { started.where('last_update_at < ? OR (last_update_at IS NULL AND updated_at < ?)', 1.day.ago, 1.day.ago) }
@@ -84,7 +87,21 @@ class RemoteMirror < ActiveRecord::Base
end
def update_repository(options)
- raw.update(options)
+ if ssh_mirror_url?
+ if ssh_key_auth? && ssh_private_key.present?
+ options[:ssh_key] = ssh_private_key
+ end
+
+ if ssh_known_hosts.present?
+ options[:known_hosts] = ssh_known_hosts
+ end
+ end
+
+ Gitlab::Git::RemoteMirror.new(
+ project.repository.raw,
+ remote_name,
+ **options
+ ).update
end
def sync?
@@ -128,7 +145,8 @@ class RemoteMirror < ActiveRecord::Base
super(value) && return unless Gitlab::UrlSanitizer.valid?(value)
mirror_url = Gitlab::UrlSanitizer.new(value)
- self.credentials = mirror_url.credentials
+ self.credentials ||= {}
+ self.credentials = self.credentials.merge(mirror_url.credentials)
super(mirror_url.sanitized_url)
end
@@ -152,17 +170,28 @@ class RemoteMirror < ActiveRecord::Base
def ensure_remote!
return unless project
- return unless remote_name && url
+ return unless remote_name && remote_url
# If this fails or the remote already exists, we won't know due to
# https://gitlab.com/gitlab-org/gitaly/issues/1317
- project.repository.add_remote(remote_name, url)
+ project.repository.add_remote(remote_name, remote_url)
end
private
- def raw
- @raw ||= Gitlab::Git::RemoteMirror.new(project.repository.raw, remote_name)
+ def store_credentials
+ # This is a necessary workaround for attr_encrypted, which doesn't otherwise
+ # notice that the credentials have changed
+ self.credentials = self.credentials
+ end
+
+ # The remote URL omits any password if SSH public-key authentication is in use
+ def remote_url
+ return url unless ssh_key_auth? && password.present?
+
+ Gitlab::UrlSanitizer.new(read_attribute(:url), credentials: { user: user }).full_url
+ rescue
+ super
end
def fallback_remote_name
@@ -214,7 +243,7 @@ class RemoteMirror < ActiveRecord::Base
project.repository.async_remove_remote(prev_remote_name)
end
- project.repository.add_remote(remote_name, url)
+ project.repository.add_remote(remote_name, remote_url)
end
def remove_remote
@@ -224,6 +253,6 @@ class RemoteMirror < ActiveRecord::Base
end
def mirror_url_changed?
- url_changed? || encrypted_credentials_changed?
+ url_changed? || credentials_changed?
end
end
diff --git a/app/serializers/project_mirror_entity.rb b/app/serializers/project_mirror_entity.rb
index 8aba244cd11..c13cc3276a7 100644
--- a/app/serializers/project_mirror_entity.rb
+++ b/app/serializers/project_mirror_entity.rb
@@ -3,11 +3,7 @@
class ProjectMirrorEntity < Grape::Entity
expose :id
- expose :remote_mirrors_attributes do |project|
- next [] unless project.remote_mirrors.present?
-
- project.remote_mirrors.map do |remote|
- remote.as_json(only: %i[id url enabled])
- end
+ expose :remote_mirrors_attributes, using: RemoteMirrorEntity do |project|
+ project.remote_mirrors
end
end
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
new file mode 100644
index 00000000000..8835c6d4647
--- /dev/null
+++ b/app/serializers/remote_mirror_entity.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class RemoteMirrorEntity < Grape::Entity
+ expose :id
+ expose :url
+ expose :enabled
+
+ expose :auth_method
+ expose :ssh_known_hosts
+ expose :ssh_public_key
+
+ expose :ssh_known_hosts_fingerprints do |remote_mirror|
+ remote_mirror.ssh_known_hosts_fingerprints.as_json
+ end
+end
diff --git a/app/services/projects/update_remote_mirror_service.rb b/app/services/projects/update_remote_mirror_service.rb
index 9d0877d1ab2..1244a0f72a7 100644
--- a/app/services/projects/update_remote_mirror_service.rb
+++ b/app/services/projects/update_remote_mirror_service.rb
@@ -11,7 +11,7 @@ module Projects
begin
remote_mirror.ensure_remote!
- repository.fetch_remote(remote_mirror.remote_name, no_tags: true)
+ repository.fetch_remote(remote_mirror.remote_name, ssh_auth: remote_mirror, no_tags: true)
opts = {}
if remote_mirror.only_protected_branches?
diff --git a/app/views/projects/mirrors/_authentication_method.html.haml b/app/views/projects/mirrors/_authentication_method.html.haml
new file mode 100644
index 00000000000..8dc042d87d1
--- /dev/null
+++ b/app/views/projects/mirrors/_authentication_method.html.haml
@@ -0,0 +1,36 @@
+- mirror = f.object
+- is_push = local_assigns.fetch(:is_push, false)
+- auth_options = [[_('Password'), 'password'], [_('SSH public key'), 'ssh_public_key']]
+- regen_data = { auth_method: 'ssh_public_key', regenerate_ssh_private_key: true }
+- ssh_public_key_present = mirror.ssh_public_key.present?
+
+.form-group
+ = f.label :auth_method, _('Authentication method'), class: 'label-bold'
+ = f.select :auth_method,
+ options_for_select(auth_options, mirror.auth_method),
+ {}, { class: "form-control js-mirror-auth-type" }
+
+.form-group
+ .collapse.js-well-changing-auth
+ .changing-auth-method= icon('spinner spin lg')
+ .well-password-auth.collapse.js-well-password-auth
+ = f.label :password, _("Password"), class: "label-bold"
+ = f.password_field :password, value: mirror.password, class: 'form-control'
+ - unless is_push
+ .well-ssh-auth.collapse.js-well-ssh-auth
+ %p.js-ssh-public-key-present{ class: ('collapse' unless ssh_public_key_present) }
+ = _('Here is the public SSH key that needs to be added to the remote server. For more information, please refer to the documentation.')
+ %p.js-ssh-public-key-pending{ class: ('collapse' if ssh_public_key_present) }
+ = _('An SSH key will be automatically generated when the form is submitted. For more information, please refer to the documentation.')
+
+ .clearfix.js-ssh-public-key-wrap{ class: ('collapse' unless ssh_public_key_present) }
+ %code.prepend-top-10.ssh-public-key
+ = mirror.ssh_public_key
+ = clipboard_button(text: mirror.ssh_public_key, title: _("Copy SSH public key to clipboard"), class: 'prepend-top-10 btn-copy-ssh-public-key')
+
+ = button_tag type: 'button',
+ data: { endpoint: project_mirror_path(@project), project_data: { import_data_attributes: regen_data } },
+ class: "btn btn-inverted btn-warning prepend-top-10 js-btn-regenerate-ssh-key#{ ' collapse' unless ssh_public_key_present }" do
+ = icon('spinner spin', class: 'js-spinner d-none')
+ = _('Regenerate key')
+ = render 'projects/mirrors/regenerate_public_ssh_key_confirm_modal'
diff --git a/app/views/projects/mirrors/_mirror_repos.html.haml b/app/views/projects/mirrors/_mirror_repos.html.haml
index d523df1cd90..2f9bd5b04b6 100644
--- a/app/views/projects/mirrors/_mirror_repos.html.haml
+++ b/app/views/projects/mirrors/_mirror_repos.html.haml
@@ -59,5 +59,7 @@
.badge.mirror-error-badge{ data: { toggle: 'tooltip', html: 'true' }, title: html_escape(mirror.last_error.try(:strip)) }= _('Error')
%td.mirror-action-buttons
.btn-group.mirror-actions-group.pull-right{ role: 'group' }
+ - if mirror.ssh_key_auth?
+ = clipboard_button(text: mirror.ssh_public_key, class: 'btn btn-default', title: _('Copy SSH public key'))
= render 'shared/remote_mirror_update_button', remote_mirror: mirror
%button.js-delete-mirror.btn.btn-danger{ type: 'button', data: { mirror_id: mirror.id, toggle: 'tooltip', container: 'body' }, title: _('Remove') }= icon('trash-o')
diff --git a/app/views/projects/mirrors/_mirror_repos_form.html.haml b/app/views/projects/mirrors/_mirror_repos_form.html.haml
index 93994cb30ac..a2cce83bfab 100644
--- a/app/views/projects/mirrors/_mirror_repos_form.html.haml
+++ b/app/views/projects/mirrors/_mirror_repos_form.html.haml
@@ -1,18 +1,5 @@
-- protocols = Gitlab::UrlSanitizer::ALLOWED_SCHEMES.join('|')
-
.form-group
= label_tag :mirror_direction, _('Mirror direction'), class: 'label-light'
= select_tag :mirror_direction, options_for_select([[_('Push'), 'push']]), class: 'form-control js-mirror-direction', disabled: true
-= f.fields_for :remote_mirrors, @project.remote_mirrors.build do |rm_f|
- = rm_f.hidden_field :enabled, value: '1'
- = rm_f.hidden_field :url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
- = rm_f.hidden_field :only_protected_branches, class: 'js-mirror-protected-hidden'
-
-.form-group
- = label_tag :auth_method, _('Authentication method'), class: 'label-bold'
- = select_tag :auth_method, options_for_select([[_('None'), 'none'], [_('Password'), 'password']], 'none'), { class: "form-control js-auth-method" }
-
-.form-group.js-password-group.collapse
- = label_tag :password, _('Password'), class: 'label-bold'
- = text_field_tag :password, '', class: 'form-control js-password'
+= render partial: "projects/mirrors/mirror_repos_push", locals: { f: f }
diff --git a/app/views/projects/mirrors/_mirror_repos_push.html.haml b/app/views/projects/mirrors/_mirror_repos_push.html.haml
new file mode 100644
index 00000000000..1d9c83653fe
--- /dev/null
+++ b/app/views/projects/mirrors/_mirror_repos_push.html.haml
@@ -0,0 +1,8 @@
+- protocols = Gitlab::UrlSanitizer::ALLOWED_SCHEMES.join('|')
+
+= f.fields_for :remote_mirrors, @project.remote_mirrors.build do |rm_f|
+ = rm_f.hidden_field :enabled, value: '1'
+ = rm_f.hidden_field :url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
+ = rm_f.hidden_field :only_protected_branches, class: 'js-mirror-protected-hidden'
+ = render partial: 'projects/mirrors/ssh_host_keys', locals: { f: rm_f }
+ = render partial: 'projects/mirrors/authentication_method', locals: { f: rm_f, is_push: true }
diff --git a/app/views/projects/mirrors/_regenerate_public_ssh_key_confirm_modal.html.haml b/app/views/projects/mirrors/_regenerate_public_ssh_key_confirm_modal.html.haml
new file mode 100644
index 00000000000..327552c9b2c
--- /dev/null
+++ b/app/views/projects/mirrors/_regenerate_public_ssh_key_confirm_modal.html.haml
@@ -0,0 +1,13 @@
+.modal.js-regenerate-public-ssh-key-confirm-modal{ tabindex: -1 }
+ .modal-dialog
+ .modal-content
+ .modal-header
+ %h3.modal-title.page-title
+ Regenerate public SSH key?
+ %button.close.js-cancel{ type: 'button', 'data-dismiss': 'modal', 'aria-label' => _('Close') }
+ %span{ 'aria-hidden': true } &times;
+ .modal-body
+ %p= _('Are you sure you want to regenerate the public key? You will have to update the public key on the remote server before mirroring will work again.')
+ .form-actions.modal-footer
+ = button_tag _('Cancel'), type: 'button', class: 'btn js-cancel'
+ = button_tag _('Regenerate key'), type: 'button', class: 'btn btn-inverted btn-warning js-confirm'
diff --git a/app/views/projects/mirrors/_show.html.haml b/app/views/projects/mirrors/_show.html.haml
deleted file mode 100644
index 8318d5898a1..00000000000
--- a/app/views/projects/mirrors/_show.html.haml
+++ /dev/null
@@ -1 +0,0 @@
-= render 'projects/mirrors/mirror_repos'
diff --git a/app/views/projects/mirrors/_ssh_host_keys.html.haml b/app/views/projects/mirrors/_ssh_host_keys.html.haml
new file mode 100644
index 00000000000..f61aa6ecd11
--- /dev/null
+++ b/app/views/projects/mirrors/_ssh_host_keys.html.haml
@@ -0,0 +1,33 @@
+- mirror = f.object
+- verified_by = mirror.ssh_known_hosts_verified_by
+- verified_at = mirror.ssh_known_hosts_verified_at
+
+.form-group.js-ssh-host-keys-section{ class: ('collapse' unless mirror.ssh_mirror_url?) }
+ %button.btn.btn-inverted.btn-success.inline.js-detect-host-keys.append-right-10{ type: 'button' }
+ = icon('spinner spin', class: 'js-spinner d-none')
+ = _('Detect host keys')
+ .fingerprint-ssh-info.js-fingerprint-ssh-info.prepend-top-10.append-bottom-10{ class: ('collapse' unless mirror.ssh_mirror_url?) }
+ %label.label-bold
+ = _('Fingerprints')
+ .fingerprints-list.js-fingerprints-list
+ - mirror.ssh_known_hosts_fingerprints.each do |fp|
+ %code= fp.fingerprint
+ - if verified_at
+ .form-text.text-muted.js-fingerprint-verification
+ %i.fa.fa-check.fingerprint-verified
+ Verified by
+ - if verified_by
+ = link_to verified_by.name, user_path(verified_by)
+ - else
+ = _('a deleted user')
+ #{time_ago_in_words(verified_at)} ago
+
+ .js-ssh-hosts-advanced.inline
+ %button.btn.btn-default.btn-show-advanced.show-advanced{ type: 'button' }
+ %span.label-show
+ = _('Input host keys manually')
+ %span.label-hide
+ = _('Hide host keys manual input')
+ .js-ssh-known-hosts.collapse.prepend-top-default
+ = f.label :ssh_known_hosts, _('SSH host keys'), class: 'label-bold'
+ = f.text_area :ssh_known_hosts, class: 'form-control known-hosts js-known-hosts', rows: '10'
diff --git a/app/views/projects/settings/repository/show.html.haml b/app/views/projects/settings/repository/show.html.haml
index a0bcaaf3c54..c14e95a382c 100644
--- a/app/views/projects/settings/repository/show.html.haml
+++ b/app/views/projects/settings/repository/show.html.haml
@@ -3,7 +3,7 @@
- @content_class = "limit-container-width" unless fluid_layout
= render "projects/default_branch/show"
-= render "projects/mirrors/show"
+= render "projects/mirrors/mirror_repos"
-# Protected branches & tags use a lot of nested partials.
-# The shared parts of the views can be found in the `shared` directory.
diff --git a/changelogs/unreleased/49565-ssh-push-mirroring.yml b/changelogs/unreleased/49565-ssh-push-mirroring.yml
new file mode 100644
index 00000000000..2dfeffa4088
--- /dev/null
+++ b/changelogs/unreleased/49565-ssh-push-mirroring.yml
@@ -0,0 +1,5 @@
+---
+title: Allow SSH public-key authentication for push mirroring
+merge_request: 22982
+author:
+type: added
diff --git a/doc/workflow/repository_mirroring.md b/doc/workflow/repository_mirroring.md
index 4225d1aa31d..7eb324e3ece 100644
--- a/doc/workflow/repository_mirroring.md
+++ b/doc/workflow/repository_mirroring.md
@@ -135,23 +135,25 @@ If the mirror updates successfully, it will be enqueued once again with a small
If the mirror fails (for example, a branch diverged from upstream), the project's backoff period is
increased each time it fails, up to a maximum amount of time.
-### SSH authentication **[STARTER]**
+### SSH authentication
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2551) in [GitLab Starter](https://about.gitlab.com/pricing/) 9.5.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2551) for Push mirroring in [GitLab Starter](https://about.gitlab.com/pricing/) 9.5.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22982) for Pull mirroring in [GitLab Core](https://about.gitlab.com/pricing/) 11.6
SSH authentication is mutual:
- You have to prove to the server that you're allowed to access the repository.
- The server also has to prove to *you* that it's who it claims to be.
-You provide your credentials as a password or public key. The server that the source repository
-resides on provides its credentials as a "host key", the fingerprint of which needs to be verified manually.
+You provide your credentials as a password or public key. The server that the
+other repository resides on provides its credentials as a "host key", the
+fingerprint of which needs to be verified manually.
If you're mirroring over SSH (that is, using an `ssh://` URL), you can authenticate using:
- Password-based authentication, just as over HTTPS.
-- Public key authentication. This is often more secure than password authentication, especially when
- the source repository supports [Deploy Keys](../ssh/README.md#deploy-keys).
+- Public key authentication. This is often more secure than password authentication,
+ especially when the other repository supports [Deploy Keys](../ssh/README.md#deploy-keys).
To get started:
@@ -171,9 +173,9 @@ If you click the:
- **Detect host keys** button, GitLab will fetch the host keys from the server and display the fingerprints.
- **Input host keys manually** button, a field is displayed where you can paste in host keys.
-You now need to verify that the fingerprints are those you expect. GitLab.com
-and other code hosting sites publish their fingerprints in the open for you
-to check:
+Assuming you used the former, you now need to verify that the fingerprints are
+those you expect. GitLab.com and other code hosting sites publish their
+fingerprints in the open for you to check:
- [AWS CodeCommit](http://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-fingerprints)
- [Bitbucket](https://confluence.atlassian.com/bitbucket/use-the-ssh-protocol-with-bitbucket-cloud-221449711.html#UsetheSSHprotocolwithBitbucketCloud-KnownhostorBitbucket%27spublickeyfingerprints)
@@ -184,7 +186,8 @@ to check:
- [SourceForge](https://sourceforge.net/p/forge/documentation/SSH%20Key%20Fingerprints/)
Other providers will vary. If you're running self-managed GitLab, or otherwise
-have access to the source server, you can securely gather the key fingerprints:
+have access to the server for the other repository, you can securely gather the
+key fingerprints:
```sh
$ cat /etc/ssh/ssh_host*pub | ssh-keygen -E md5 -l -f -
@@ -196,25 +199,27 @@ $ cat /etc/ssh/ssh_host*pub | ssh-keygen -E md5 -l -f -
NOTE: **Note:**
You may need to exclude `-E md5` for some older versions of SSH.
-When pulling changes from the source repository, GitLab will now check that at least one of the stored
-host keys matches before connecting. This can prevent malicious code from being injected into your
-mirror, or your password being stolen.
+When mirroring the repository, GitLab will now check that at least one of the
+stored host keys matches before connecting. This can prevent malicious code from
+being injected into your mirror, or your password being stolen.
### SSH public key authentication
-To use SSH public key authentication, you'll also need to choose that option from the **Authentication method**
-dropdown. GitLab will generate a 4096-bit RSA key and display the public component of that key to you.
+To use SSH public key authentication, you'll also need to choose that option
+from the **Authentication method** dropdown. GitLab will generate a 4096-bit RSA
+key and display the public component of that key to you.
-You then need to add the public SSH key to the source repository configuration. If:
+You then need to add the public SSH key to the other repository's configuration:
-- The source is hosted on GitLab, you should add the public SSH key as a [Deploy Key](../ssh/README.md#deploy-keys).
-- The source is hosted elsewhere, you may need to add the key to your user's `authorized_keys` file.
- Paste the entire public SSH key into the file on its own line and save it.
+- If the other repository is hosted on GitLab, you should add the public SSH key
+ as a [Deploy Key](../ssh/README.md#deploy-keys).
+- If the other repository is hosted elsewhere, you may need to add the key to
+ your user's `authorized_keys` file. Paste the entire public SSH key into the
+ file on its own line and save it.
-Once the public key is set up on the source repository, click the **Mirror repository** button and
-your mirror will begin working.
-
-If you need to change the key at any time, you can click the **Regenerate key** button to do so. You'll have to update the source repository with the new key to keep the mirror running.
+If you need to change the key at any time, you can remove and re-add the mirror
+to generate a new key. You'll have to update the other repository with the new
+key to keep the mirror running.
### Overwrite diverged branches **[STARTER]**
diff --git a/lib/gitlab/git/remote_mirror.rb b/lib/gitlab/git/remote_mirror.rb
index e992d522e7f..df3cd422527 100644
--- a/lib/gitlab/git/remote_mirror.rb
+++ b/lib/gitlab/git/remote_mirror.rb
@@ -5,14 +5,24 @@ module Gitlab
class RemoteMirror
include Gitlab::Git::WrapsGitalyErrors
- def initialize(repository, ref_name)
+ attr_reader :repository, :ref_name, :only_branches_matching, :ssh_key, :known_hosts
+
+ def initialize(repository, ref_name, only_branches_matching: [], ssh_key: nil, known_hosts: nil)
@repository = repository
@ref_name = ref_name
+ @only_branches_matching = only_branches_matching
+ @ssh_key = ssh_key
+ @known_hosts = known_hosts
end
- def update(only_branches_matching: [])
+ def update
wrapped_gitaly_errors do
- @repository.gitaly_remote_client.update_remote_mirror(@ref_name, only_branches_matching)
+ repository.gitaly_remote_client.update_remote_mirror(
+ ref_name,
+ only_branches_matching,
+ ssh_key: ssh_key,
+ known_hosts: known_hosts
+ )
end
end
end
diff --git a/lib/gitlab/gitaly_client/remote_service.rb b/lib/gitlab/gitaly_client/remote_service.rb
index 24e8a5e16d3..81fac37ee68 100644
--- a/lib/gitlab/gitaly_client/remote_service.rb
+++ b/lib/gitlab/gitaly_client/remote_service.rb
@@ -68,13 +68,18 @@ module Gitlab
encode_utf8(response.ref)
end
- def update_remote_mirror(ref_name, only_branches_matching)
+ def update_remote_mirror(ref_name, only_branches_matching, ssh_key: nil, known_hosts: nil)
req_enum = Enumerator.new do |y|
- y.yield Gitaly::UpdateRemoteMirrorRequest.new(
+ first_request = Gitaly::UpdateRemoteMirrorRequest.new(
repository: @gitaly_repo,
ref_name: ref_name
)
+ first_request.ssh_key = ssh_key if ssh_key.present?
+ first_request.known_hosts = known_hosts if known_hosts.present?
+
+ y.yield(first_request)
+
current_size = 0
slices = only_branches_matching.slice_before do |branch_name|
diff --git a/lib/gitlab/gitaly_client/repository_service.rb b/lib/gitlab/gitaly_client/repository_service.rb
index f968ebc2cbf..12a0ee16649 100644
--- a/lib/gitlab/gitaly_client/repository_service.rb
+++ b/lib/gitlab/gitaly_client/repository_service.rb
@@ -69,7 +69,7 @@ module Gitlab
no_tags: no_tags, timeout: timeout, no_prune: !prune
)
- if ssh_auth&.ssh_import?
+ if ssh_auth&.ssh_mirror_url?
if ssh_auth.ssh_key_auth? && ssh_auth.ssh_private_key.present?
request.ssh_key = ssh_auth.ssh_private_key
end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 8b27870a583..abdb2084edd 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -483,6 +483,9 @@ msgstr ""
msgid "Amount of time (in hours) that users are allowed to skip forced configuration of two-factor authentication"
msgstr ""
+msgid "An SSH key will be automatically generated when the form is submitted. For more information, please refer to the documentation."
+msgstr ""
+
msgid "An application called %{link_to_client} is requesting access to your GitLab account."
msgstr ""
@@ -531,6 +534,9 @@ msgstr ""
msgid "An error occurred when toggling the notification subscription"
msgstr ""
+msgid "An error occurred while detecting host keys"
+msgstr ""
+
msgid "An error occurred while dismissing the alert. Refresh the page and try again."
msgstr ""
@@ -645,6 +651,9 @@ msgstr ""
msgid "Are you sure you want to lose unsaved changes?"
msgstr ""
+msgid "Are you sure you want to regenerate the public key? You will have to update the public key on the remote server before mirroring will work again."
+msgstr ""
+
msgid "Are you sure you want to remove %{group_name}?"
msgstr ""
@@ -2001,6 +2010,12 @@ msgstr ""
msgid "Copy SSH clone URL"
msgstr ""
+msgid "Copy SSH public key"
+msgstr ""
+
+msgid "Copy SSH public key to clipboard"
+msgstr ""
+
msgid "Copy URL to clipboard"
msgstr ""
@@ -2405,6 +2420,9 @@ msgstr ""
msgid "Details"
msgstr ""
+msgid "Detect host keys"
+msgstr ""
+
msgid "Diff content limits"
msgstr ""
@@ -2906,6 +2924,9 @@ msgstr ""
msgid "Find the newly extracted <code>Takeout/Google Code Project Hosting/GoogleCodeProjectHosting.json</code> file."
msgstr ""
+msgid "Fingerprints"
+msgstr ""
+
msgid "Finished"
msgstr ""
@@ -3251,6 +3272,12 @@ msgstr ""
msgid "Help page text and support page url."
msgstr ""
+msgid "Here is the public SSH key that needs to be added to the remote server. For more information, please refer to the documentation."
+msgstr ""
+
+msgid "Hide host keys manual input"
+msgstr ""
+
msgid "Hide payload"
msgstr ""
@@ -3415,6 +3442,9 @@ msgstr ""
msgid "Inline"
msgstr ""
+msgid "Input host keys manually"
+msgstr ""
+
msgid "Input your repository URL"
msgstr ""
@@ -5204,6 +5234,9 @@ msgid_plural "Refreshing in %d seconds to show the updated status..."
msgstr[0] ""
msgstr[1] ""
+msgid "Regenerate key"
+msgstr ""
+
msgid "Regex pattern"
msgstr ""
@@ -5458,6 +5491,12 @@ msgstr ""
msgid "SSH Keys"
msgstr ""
+msgid "SSH host keys"
+msgstr ""
+
+msgid "SSH public key"
+msgstr ""
+
msgid "SSL Verification"
msgstr ""
@@ -7383,6 +7422,9 @@ msgstr ""
msgid "Your projects"
msgstr ""
+msgid "a deleted user"
+msgstr ""
+
msgid "ago"
msgstr ""
diff --git a/spec/controllers/projects/mirrors_controller_spec.rb b/spec/controllers/projects/mirrors_controller_spec.rb
index 00c1e617e3a..976f480930c 100644
--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -15,6 +15,31 @@ describe Projects::MirrorsController do
end.to change { RemoteMirror.count }.to(1)
end
end
+
+ context 'setting up SSH public-key authentication' do
+ let(:ssh_mirror_attributes) do
+ {
+ 'auth_method' => 'ssh_public_key',
+ 'url' => 'ssh://git@example.com',
+ 'ssh_known_hosts' => 'test'
+ }
+ end
+
+ it 'processes a successful update' do
+ sign_in(project.owner)
+ do_put(project, remote_mirrors_attributes: { '0' => ssh_mirror_attributes })
+
+ expect(response).to redirect_to(project_settings_repository_path(project, anchor: 'js-push-remote-settings'))
+
+ expect(RemoteMirror.count).to eq(1)
+ expect(RemoteMirror.first).to have_attributes(
+ auth_method: 'ssh_public_key',
+ url: 'ssh://git@example.com',
+ ssh_public_key: match(/\Assh-rsa /),
+ ssh_known_hosts: 'test'
+ )
+ end
+ end
end
describe '#update' do
diff --git a/spec/features/projects/settings/repository_settings_spec.rb b/spec/features/projects/settings/repository_settings_spec.rb
index 377a75cbcb3..401aac9478d 100644
--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -132,6 +132,27 @@ describe 'Projects > Settings > Repository settings' do
it 'shows push mirror settings', :js do
expect(page).to have_selector('#mirror_direction')
end
+
+ it 'generates an SSH public key on submission', :js do
+ fill_in 'url', with: 'ssh://user@localhost/project.git'
+ select 'SSH public key', from: 'Authentication method'
+
+ direction_select = find('#mirror_direction')
+
+ # In CE, this select box is disabled, but in EE, it is enabled
+ if direction_select.disabled?
+ expect(direction_select.value).to eq('push')
+ else
+ direction_select.select('Push')
+ end
+
+ Sidekiq::Testing.fake! do
+ click_button 'Mirror repository'
+ end
+
+ expect(page).to have_content('Mirroring settings were successfully updated')
+ expect(page).to have_selector('[title="Copy SSH public key"]')
+ end
end
end
end
diff --git a/spec/lib/gitlab/git/remote_mirror_spec.rb b/spec/lib/gitlab/git/remote_mirror_spec.rb
new file mode 100644
index 00000000000..dc63eef7814
--- /dev/null
+++ b/spec/lib/gitlab/git/remote_mirror_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Gitlab::Git::RemoteMirror do
+ describe '#update' do
+ let(:project) { create(:project, :repository) }
+ let(:repository) { project.repository }
+ let(:ref_name) { 'foo' }
+ let(:options) { { only_branches_matching: ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS' } }
+
+ subject(:remote_mirror) { described_class.new(repository, ref_name, **options) }
+
+ it 'delegates to the Gitaly client' do
+ expect(repository.gitaly_remote_client)
+ .to receive(:update_remote_mirror)
+ .with(ref_name, ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS')
+
+ remote_mirror.update
+ end
+
+ it 'wraps gitaly errors' do
+ expect(repository.gitaly_remote_client)
+ .to receive(:update_remote_mirror)
+ .and_raise(StandardError)
+
+ expect { remote_mirror.update }.to raise_error(StandardError)
+ end
+ end
+end
diff --git a/spec/lib/gitlab/gitaly_client/remote_service_spec.rb b/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
index 9030a49983d..aff47599ad6 100644
--- a/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
@@ -68,6 +68,8 @@ describe Gitlab::GitalyClient::RemoteService do
describe '#update_remote_mirror' do
let(:ref_name) { 'remote_mirror_1' }
let(:only_branches_matching) { ['my-branch', 'master'] }
+ let(:ssh_key) { 'KEY' }
+ let(:known_hosts) { 'KNOWN HOSTS' }
it 'sends an update_remote_mirror message' do
expect_any_instance_of(Gitaly::RemoteService::Stub)
@@ -75,7 +77,7 @@ describe Gitlab::GitalyClient::RemoteService do
.with(kind_of(Enumerator), kind_of(Hash))
.and_return(double(:update_remote_mirror_response))
- client.update_remote_mirror(ref_name, only_branches_matching)
+ client.update_remote_mirror(ref_name, only_branches_matching, ssh_key: ssh_key, known_hosts: known_hosts)
end
end
diff --git a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
index d605fcbafee..46ca2340389 100644
--- a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
@@ -130,7 +130,7 @@ describe Gitlab::GitalyClient::RepositoryService do
end
context 'SSH auth' do
- where(:ssh_import, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
+ where(:ssh_mirror_url, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
false | false | 'key' | 'known_hosts' | {}
false | true | 'key' | 'known_hosts' | {}
true | false | 'key' | 'known_hosts' | { known_hosts: 'known_hosts' }
@@ -145,7 +145,7 @@ describe Gitlab::GitalyClient::RepositoryService do
let(:ssh_auth) do
double(
:ssh_auth,
- ssh_import?: ssh_import,
+ ssh_mirror_url?: ssh_mirror_url,
ssh_key_auth?: ssh_key_auth,
ssh_private_key: ssh_private_key,
ssh_known_hosts: ssh_known_hosts
diff --git a/spec/models/remote_mirror_spec.rb b/spec/models/remote_mirror_spec.rb
index 3d316fb3c5b..da61a5f2771 100644
--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -222,14 +222,26 @@ describe RemoteMirror do
context '#ensure_remote!' do
let(:remote_mirror) { create(:project, :repository, :remote_mirror).remote_mirrors.first }
+ let(:project) { remote_mirror.project }
+ let(:repository) { project.repository }
it 'adds a remote multiple times with no errors' do
- expect(remote_mirror.project.repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
+ expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
2.times do
remote_mirror.ensure_remote!
end
end
+
+ context 'SSH public-key authentication' do
+ it 'omits the password from the URL' do
+ remote_mirror.update!(auth_method: 'ssh_public_key', url: 'ssh://git:pass@example.com')
+
+ expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, 'ssh://git@example.com')
+
+ remote_mirror.ensure_remote!
+ end
+ end
end
context '#updated_since?' do
diff --git a/spec/serializers/project_mirror_entity_spec.rb b/spec/serializers/project_mirror_entity_spec.rb
new file mode 100644
index 00000000000..ad0a8bbdff0
--- /dev/null
+++ b/spec/serializers/project_mirror_entity_spec.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe ProjectMirrorEntity do
+ let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:entity) { described_class.new(project) }
+
+ subject { entity.as_json }
+
+ it 'exposes project-specific elements' do
+ is_expected.to include(:id, :remote_mirrors_attributes)
+ end
+end
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
new file mode 100644
index 00000000000..885b0b9b423
--- /dev/null
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+describe RemoteMirrorEntity do
+ let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:remote_mirror) { project.remote_mirrors.first }
+ let(:entity) { described_class.new(remote_mirror) }
+
+ subject { entity.as_json }
+
+ it 'exposes remote-mirror-specific elements' do
+ is_expected.to include(
+ :id, :url, :enabled, :auth_method,
+ :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
+ )
+ end
+end
diff --git a/spec/services/projects/update_remote_mirror_service_spec.rb b/spec/services/projects/update_remote_mirror_service_spec.rb
index cd903bfe8a5..c1e5f788146 100644
--- a/spec/services/projects/update_remote_mirror_service_spec.rb
+++ b/spec/services/projects/update_remote_mirror_service_spec.rb
@@ -16,7 +16,7 @@ describe Projects::UpdateRemoteMirrorService do
end
it "ensures the remote exists" do
- stub_fetch_remote(project, remote_name: remote_name)
+ stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
expect(remote_mirror).to receive(:ensure_remote!)
@@ -26,13 +26,13 @@ describe Projects::UpdateRemoteMirrorService do
it "fetches the remote repository" do
expect(project.repository)
.to receive(:fetch_remote)
- .with(remote_mirror.remote_name, no_tags: true)
+ .with(remote_mirror.remote_name, no_tags: true, ssh_auth: remote_mirror)
service.execute(remote_mirror)
end
it "returns success when updated succeeds" do
- stub_fetch_remote(project, remote_name: remote_name)
+ stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
result = service.execute(remote_mirror)
@@ -41,7 +41,7 @@ describe Projects::UpdateRemoteMirrorService do
context 'when syncing all branches' do
it "push all the branches the first time" do
- stub_fetch_remote(project, remote_name: remote_name)
+ stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
expect(remote_mirror).to receive(:update_repository).with({})
@@ -51,7 +51,7 @@ describe Projects::UpdateRemoteMirrorService do
context 'when only syncing protected branches' do
it "sync updated protected branches" do
- stub_fetch_remote(project, remote_name: remote_name)
+ stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
protected_branch = create_protected_branch(project)
remote_mirror.only_protected_branches = true
@@ -69,10 +69,10 @@ describe Projects::UpdateRemoteMirrorService do
end
end
- def stub_fetch_remote(project, remote_name:)
+ def stub_fetch_remote(project, remote_name:, ssh_auth:)
allow(project.repository)
.to receive(:fetch_remote)
- .with(remote_name, no_tags: true) { fetch_remote(project.repository, remote_name) }
+ .with(remote_name, no_tags: true, ssh_auth: ssh_auth) { fetch_remote(project.repository, remote_name) }
end
def fetch_remote(repository, remote_name)