Add support for SSH certificate authentication

This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457

Implementation notes:

 - Because it's easy to do, and because an earlier nascent version of
   this would pass user-ID to gitlab-shell, that's now supported, even
   though the SSH certificate authentication uses username-USERNAME.

 - The astute reader will notice that not all the API calls in
   gitlab-ce's lib/api/internal.rb support a "username" argument, some
   only support "user_id".

   There's a few reasons for this:

     a) For this to be efficient, I am bending over backwards to avoid
        extra API calls when using SSH certificates.

        Therefore the /allowed API call will now return a "user id" to
        us if we're allowed to proceed further. This is then fed to
        existing APIs that would only be called after a successful
        call to /allowed.

     b) Not all of the git-shell codepaths go through
        /internal/allowed, or ever deal with a repository, e.g. the
        argument-less "Welcome to GitLab", and
        /internal/2fa_recovery_codes. These need to use
        /internal/discover to figure out details about the user, so
        support looking that up by username.

     c) Once we have the "user id", the GL_ID gets passed down to
        e.g. user-authored hooks. I don't want to have those all break
        by having to handle a third GL_ID mode of "username" in
        addition to the current "key id" and "user id".

2 files changed, 39 insertions, 3 deletions

diff --git a/bin/gitlab-shell b/bin/gitlab-shell
index 6ef572f..1016570 100755
--- a/bin/gitlab-shell
+++ b/bin/gitlab-shell
@@ -5,19 +5,19 @@ unless ENV['SSH_CONNECTION']
   exit
 end
 
-key_id = /key-[0-9]+/.match(ARGV.join).to_s
 original_cmd = ENV.delete('SSH_ORIGINAL_COMMAND')
 
 require_relative '../lib/gitlab_init'
 
 #
 #
-# GitLab shell, invoked from ~/.ssh/authorized_keys
+# GitLab shell, invoked from ~/.ssh/authorized_keys or from an
+# AuthorizedPrincipalsCommand in the key-less SSH CERT mode.
 #
 #
 require File.join(ROOT_PATH, 'lib', 'gitlab_shell')
 
-if GitlabShell.new(key_id).exec(original_cmd)
+if GitlabShell.new(ARGV.join).exec(original_cmd)
   exit 0
 else
   exit 1
diff --git a/bin/gitlab-shell-authorized-principals-check b/bin/gitlab-shell-authorized-principals-check
new file mode 100755
index 0000000..aa6d427
--- /dev/null
+++ b/bin/gitlab-shell-authorized-principals-check
@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+
+#
+# GitLab shell authorized principals helper. Emits the same sort of
+# command="..." line as gitlab-shell-authorized-principals-check, with
+# the right options.
+#
+# Ex.
+#   bin/gitlab-shell-authorized-keys-check <key-id> <principal1> [<principal2>...]
+#
+# Returns one line per principal passed in, e.g.:
+#   command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL}
+#   [command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL2}]
+#
+# Expects to be called by the SSH daemon, via configuration like:
+#     AuthorizedPrincipalsCommandUser root
+#     AuthorizedPrincipalsCommand /bin/gitlab-shell-authorized-principals-check git %i sshUsers
+
+abort "# Wrong number of arguments. #{ARGV.size}. Usage:
+#     gitlab-shell-authorized-principals-check <key-id> <principal1> [<principal2>...]" unless ARGV.size >= 2
+
+key_id = ARGV[0]
+abort '# No key_id provided' if key_id.nil? || key_id == ''
+
+principals = ARGV[1..-1]
+principals.each { |principal|
+  abort '# An invalid principal was provided' if principal.nil? || principal == ''  
+}
+
+require_relative '../lib/gitlab_init'
+require_relative '../lib/gitlab_net'
+require_relative '../lib/gitlab_keys'
+
+principals.each { |principal|
+  puts GitlabKeys.principal_line("username-#{key_id}", principal.dup)
+}