diff options
| author | Stan Hu <stanhu@gmail.com> | 2020-07-19 23:24:32 -0700 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2020-07-21 15:24:24 -0700 |
| commit | 35c1f6cf6436a95eeeb59b6b0d9d6f71dcbf59a2 (patch) | |
| tree | 44d6b8ac6a75adc162589a14349396dc86e6f075 | |
| parent | b3f6fcdb77a3d047ce8b02e9a0faf32e5a244c92 (diff) | |
| download | gitlab-shell-sh-log-ssh-key-details.tar.gz | |
Log SSH key detailssh-log-ssh-key-details
Right now when a client such as gitlab-shell calls the
`/api/v4/internal/allowed` API, the response only tells the client what
user has been granted access, and it's impossible to tell which deploy
key/token was used in the authentication request.
This commit adds logs for the following when available:
1. `gl_key_type` (e.g. `deploy_key` or `key`)
2. `gl_key_id`
These fields make it possible for admins to identify the exact record
that was used to authenticate the user.
API changes in the `/internal/allowed` endpoint in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37289 are needed
to support this.
Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/203
| -rw-r--r-- | internal/command/receivepack/gitalycall_test.go | 2 | ||||
| -rw-r--r-- | internal/command/uploadarchive/gitalycall_test.go | 2 | ||||
| -rw-r--r-- | internal/command/uploadpack/gitalycall_test.go | 3 | ||||
| -rw-r--r-- | internal/gitlabnet/accessverifier/client.go | 2 | ||||
| -rw-r--r-- | internal/handler/exec.go | 2 | ||||
| -rw-r--r-- | internal/testhelper/requesthandlers/requesthandlers.go | 6 |
6 files changed, 15 insertions, 2 deletions
diff --git a/internal/command/receivepack/gitalycall_test.go b/internal/command/receivepack/gitalycall_test.go index 0cfbf5c..d3f687c 100644 --- a/internal/command/receivepack/gitalycall_test.go +++ b/internal/command/receivepack/gitalycall_test.go @@ -49,4 +49,6 @@ func TestReceivePack(t *testing.T) { require.Equal(t, logrus.InfoLevel, entries[1].Level) require.Contains(t, entries[1].Message, "executing git command") require.Contains(t, entries[1].Message, "command=git-receive-pack") + require.Contains(t, entries[1].Message, "gl_key_type=key") + require.Contains(t, entries[1].Message, "gl_key_id=123") } diff --git a/internal/command/uploadarchive/gitalycall_test.go b/internal/command/uploadarchive/gitalycall_test.go index 488c390..eaeb2b7 100644 --- a/internal/command/uploadarchive/gitalycall_test.go +++ b/internal/command/uploadarchive/gitalycall_test.go @@ -49,4 +49,6 @@ func TestUploadPack(t *testing.T) { require.Equal(t, logrus.InfoLevel, entries[1].Level) require.Contains(t, entries[1].Message, "executing git command") require.Contains(t, entries[1].Message, "command=git-upload-archive") + require.Contains(t, entries[1].Message, "gl_key_type=key") + require.Contains(t, entries[1].Message, "gl_key_id=123") } diff --git a/internal/command/uploadpack/gitalycall_test.go b/internal/command/uploadpack/gitalycall_test.go index cf3e621..234319f 100644 --- a/internal/command/uploadpack/gitalycall_test.go +++ b/internal/command/uploadpack/gitalycall_test.go @@ -45,6 +45,8 @@ func TestUploadPack(t *testing.T) { assert.Equal(t, 2, len(entries)) require.Contains(t, entries[1].Message, "executing git command") require.Contains(t, entries[1].Message, "command=git-upload-pack") + require.Contains(t, entries[1].Message, "gl_key_type=key") + require.Contains(t, entries[1].Message, "gl_key_id=123") for k, v := range map[string]string{ "gitaly-feature-cache_invalidator": "true", @@ -55,4 +57,5 @@ func TestUploadPack(t *testing.T) { assert.Equal(t, v, actual[0]) } assert.Empty(t, testServer.ReceivedMD["some-other-ff"]) + } diff --git a/internal/gitlabnet/accessverifier/client.go b/internal/gitlabnet/accessverifier/client.go index a9c7d97..234e854 100644 --- a/internal/gitlabnet/accessverifier/client.go +++ b/internal/gitlabnet/accessverifier/client.go @@ -55,6 +55,8 @@ type Response struct { Message string `json:"message"` Repo string `json:"gl_repository"` UserId string `json:"gl_id"` + KeyType string `json:"gl_key_type"` + KeyId int `json:"gl_key_id"` Username string `json:"gl_username"` GitConfigOptions []string `json:"git_config_options"` Gitaly Gitaly `json:"gitaly"` diff --git a/internal/handler/exec.go b/internal/handler/exec.go index d6e06aa..865dc5d 100644 --- a/internal/handler/exec.go +++ b/internal/handler/exec.go @@ -64,6 +64,8 @@ func (gc *GitalyCommand) LogExecution(repository *pb.Repository, response *acces "user_id": response.UserId, "username": response.Username, "git_protocol": protocol, + "gl_key_type": response.KeyType, + "gl_key_id": response.KeyId, } log.WithFields(fields).Info("executing git command") diff --git a/internal/testhelper/requesthandlers/requesthandlers.go b/internal/testhelper/requesthandlers/requesthandlers.go index 73acc26..6d501d0 100644 --- a/internal/testhelper/requesthandlers/requesthandlers.go +++ b/internal/testhelper/requesthandlers/requesthandlers.go @@ -34,8 +34,10 @@ func BuildAllowedWithGitalyHandlers(t *testing.T, gitalyAddress string) []testse Path: "/api/v4/internal/allowed", Handler: func(w http.ResponseWriter, r *http.Request) { body := map[string]interface{}{ - "status": true, - "gl_id": "1", + "status": true, + "gl_id": "1", + "gl_key_type": "key", + "gl_key_id": 123, "gitaly": map[string]interface{}{ "repository": map[string]interface{}{ "storage_name": "storage_name", |