diff options
author | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-06-14 15:54:38 +0200 |
---|---|---|
committer | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-07-26 12:35:55 +0200 |
commit | 2e8b67027067761034f36dadb3c2208ce66d2552 (patch) | |
tree | 1f35c43611dcd0041d3f30fe7a86eac507912b75 /lib/gitlab_net.rb | |
parent | dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff) | |
download | gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz |
Add support for SSH certificate authentication
This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457
Implementation notes:
- Because it's easy to do, and because an earlier nascent version of
this would pass user-ID to gitlab-shell, that's now supported, even
though the SSH certificate authentication uses username-USERNAME.
- The astute reader will notice that not all the API calls in
gitlab-ce's lib/api/internal.rb support a "username" argument, some
only support "user_id".
There's a few reasons for this:
a) For this to be efficient, I am bending over backwards to avoid
extra API calls when using SSH certificates.
Therefore the /allowed API call will now return a "user id" to
us if we're allowed to proceed further. This is then fed to
existing APIs that would only be called after a successful
call to /allowed.
b) Not all of the git-shell codepaths go through
/internal/allowed, or ever deal with a repository, e.g. the
argument-less "Welcome to GitLab", and
/internal/2fa_recovery_codes. These need to use
/internal/discover to figure out details about the user, so
support looking that up by username.
c) Once we have the "user id", the GL_ID gets passed down to
e.g. user-authored hooks. I don't want to have those all break
by having to handle a third GL_ID mode of "username" in
addition to the current "key id" and "user id".
Diffstat (limited to 'lib/gitlab_net.rb')
-rw-r--r-- | lib/gitlab_net.rb | 62 |
1 files changed, 45 insertions, 17 deletions
diff --git a/lib/gitlab_net.rb b/lib/gitlab_net.rb index 584dd93..7013d79 100644 --- a/lib/gitlab_net.rb +++ b/lib/gitlab_net.rb @@ -17,7 +17,7 @@ class GitlabNet # rubocop:disable Metrics/ClassLength CHECK_TIMEOUT = 5 - def check_access(cmd, gl_repository, repo, actor, changes, protocol, env: {}) + def check_access(cmd, gl_repository, repo, who, changes, protocol, env: {}) changes = changes.join("\n") unless changes.is_a?(String) params = { @@ -29,11 +29,8 @@ class GitlabNet # rubocop:disable Metrics/ClassLength env: env } - if actor =~ /\Akey\-\d+\Z/ - params[:key_id] = actor.gsub("key-", "") - elsif actor =~ /\Auser\-\d+\Z/ - params[:user_id] = actor.gsub("user-", "") - end + who_sym, _, who_v = self.class.parse_who(who) + params[who_sym] = who_v url = "#{internal_api_endpoint}/allowed" resp = post(url, params) @@ -44,23 +41,37 @@ class GitlabNet # rubocop:disable Metrics/ClassLength GitAccessStatus.new(false, 'API is not accessible', gl_repository: nil, + gl_id: nil, gl_username: nil, repository_path: nil, gitaly: nil) end end - def discover(key) - key_id = key.gsub("key-", "") - resp = get("#{internal_api_endpoint}/discover?key_id=#{key_id}") + def discover(who) + _, who_k, who_v = self.class.parse_who(who) + + resp = get("#{internal_api_endpoint}/discover?#{who_k}=#{who_v}") + JSON.parse(resp.body) rescue nil end - def lfs_authenticate(key, repo) - params = { - project: sanitize_path(repo), - key_id: key.gsub('key-', '') - } + def lfs_authenticate(gl_id, repo) + id_sym, _, id = self.class.parse_who(gl_id) + + if id_sym == :key_id + params = { + project: sanitize_path(repo), + key_id: id + } + elsif id_sym == :user_id + params = { + project: sanitize_path(repo), + user_id: id + } + else + raise ArgumentError, "lfs_authenticate() got unsupported GL_ID='#{gl_id}'!" + end resp = post("#{internal_api_endpoint}/lfs_authenticate", params) @@ -101,9 +112,10 @@ class GitlabNet # rubocop:disable Metrics/ClassLength nil end - def two_factor_recovery_codes(key) - key_id = key.gsub('key-', '') - resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", key_id: key_id) + def two_factor_recovery_codes(gl_id) + id_sym, _, id = self.class.parse_who(gl_id) + + resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", id_sym => id) JSON.parse(resp.body) if resp.code == '200' rescue @@ -140,6 +152,22 @@ class GitlabNet # rubocop:disable Metrics/ClassLength JSON.parse(resp.body) if resp.code == '200' end + def self.parse_who(who) + if who.start_with?("key-") + value = who.gsub("key-", "") + raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/ + [:key_id, 'key_id', value] + elsif who.start_with?("user-") + value = who.gsub("user-", "") + raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/ + [:user_id, 'user_id', value] + elsif who.start_with?("username-") + [:username, 'username', who.gsub("username-", "")] + else + raise ArgumentError, "who='#{who}' is invalid!" + end + end + protected def sanitize_path(repo) |