Add support for SSH certificate authentication

This along with the code submitted to gitlab-ce in the gitlab-org/gitlab-ce! MR implements SSH certificate authentication. See the docs added to gitlab-ce for why and how to enable this. This, along with that MR, closes gitlab-org/gitlab-ce#3457 Implementation notes: - Because it's easy to do, and because an earlier nascent version of this would pass user-ID to gitlab-shell, that's now supported, even though the SSH certificate authentication uses username-USERNAME. - The astute reader will notice that not all the API calls in gitlab-ce's lib/api/internal.rb support a "username" argument, some only support "user_id". There's a few reasons for this: a) For this to be efficient, I am bending over backwards to avoid extra API calls when using SSH certificates. Therefore the /allowed API call will now return a "user id" to us if we're allowed to proceed further. This is then fed to existing APIs that would only be called after a successful call to /allowed. b) Not all of the git-shell codepaths go through /internal/allowed, or ever deal with a repository, e.g. the argument-less "Welcome to GitLab", and /internal/2fa_recovery_codes. These need to use /internal/discover to figure out details about the user, so support looking that up by username. c) Once we have the "user id", the GL_ID gets passed down to e.g. user-authored hooks. I don't want to have those all break by having to handle a third GL_ID mode of "username" in addition to the current "key id" and "user id".
author: Ævar Arnfjörð Bjarmason <avarab@gmail.com> 2018-06-14 15:54:38 +0200
committer: Ævar Arnfjörð Bjarmason <avarab@gmail.com> 2018-07-26 12:35:55 +0200
commit: 2e8b67027067761034f36dadb3c2208ce66d2552 (patch)
tree: 1f35c43611dcd0041d3f30fe7a86eac507912b75 /lib/gitlab_net.rb
parent: dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff)
download: gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz
1 files changed, 45 insertions, 17 deletions
diff --git a/lib/gitlab_net.rb b/lib/gitlab_net.rb
index 584dd93..7013d79 100644
--- a/lib/gitlab_net.rb
+++ b/lib/gitlab_net.rb
@@ -17,7 +17,7 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
 
   CHECK_TIMEOUT = 5
 
-  def check_access(cmd, gl_repository, repo, actor, changes, protocol, env: {})
+  def check_access(cmd, gl_repository, repo, who, changes, protocol, env: {})
     changes = changes.join("\n") unless changes.is_a?(String)
 
     params = {
@@ -29,11 +29,8 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
       env: env
     }
 
-    if actor =~ /\Akey\-\d+\Z/
-      params[:key_id] = actor.gsub("key-", "")
-    elsif actor =~ /\Auser\-\d+\Z/
-      params[:user_id] = actor.gsub("user-", "")
-    end
+    who_sym, _, who_v = self.class.parse_who(who)
+    params[who_sym] = who_v
 
     url = "#{internal_api_endpoint}/allowed"
     resp = post(url, params)
@@ -44,23 +41,37 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
       GitAccessStatus.new(false,
                           'API is not accessible',
                           gl_repository: nil,
+                          gl_id: nil,
                           gl_username: nil,
                           repository_path: nil,
                           gitaly: nil)
     end
   end
 
-  def discover(key)
-    key_id = key.gsub("key-", "")
-    resp = get("#{internal_api_endpoint}/discover?key_id=#{key_id}")
+  def discover(who)
+    _, who_k, who_v = self.class.parse_who(who)
+
+    resp = get("#{internal_api_endpoint}/discover?#{who_k}=#{who_v}")
+
     JSON.parse(resp.body) rescue nil
   end
 
-  def lfs_authenticate(key, repo)
-    params = {
-      project: sanitize_path(repo),
-      key_id: key.gsub('key-', '')
-    }
+  def lfs_authenticate(gl_id, repo)
+    id_sym, _, id = self.class.parse_who(gl_id)
+
+    if id_sym == :key_id
+      params = {
+        project: sanitize_path(repo),
+        key_id: id
+      }
+    elsif id_sym == :user_id
+      params = {
+        project: sanitize_path(repo),
+        user_id: id
+      }
+    else
+      raise ArgumentError, "lfs_authenticate() got unsupported GL_ID='#{gl_id}'!"
+    end
 
     resp = post("#{internal_api_endpoint}/lfs_authenticate", params)
 
@@ -101,9 +112,10 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
     nil
   end
 
-  def two_factor_recovery_codes(key)
-    key_id = key.gsub('key-', '')
-    resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", key_id: key_id)
+  def two_factor_recovery_codes(gl_id)
+    id_sym, _, id = self.class.parse_who(gl_id)
+
+    resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", id_sym => id)
 
     JSON.parse(resp.body) if resp.code == '200'
   rescue
@@ -140,6 +152,22 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
     JSON.parse(resp.body) if resp.code == '200'
   end
 
+  def self.parse_who(who)
+    if who.start_with?("key-")
+      value = who.gsub("key-", "")
+      raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/
+      [:key_id, 'key_id', value]
+    elsif who.start_with?("user-")
+      value = who.gsub("user-", "")
+      raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/
+      [:user_id, 'user_id', value]
+    elsif who.start_with?("username-")
+      [:username, 'username', who.gsub("username-", "")]
+    else
+      raise ArgumentError, "who='#{who}' is invalid!"
+    end
+  end
+
   protected
 
   def sanitize_path(repo)
author	Ævar Arnfjörð Bjarmason <avarab@gmail.com>	2018-06-14 15:54:38 +0200
committer	Ævar Arnfjörð Bjarmason <avarab@gmail.com>	2018-07-26 12:35:55 +0200
commit	2e8b67027067761034f36dadb3c2208ce66d2552 (patch)
tree	1f35c43611dcd0041d3f30fe7a86eac507912b75 /lib/gitlab_net.rb
parent	dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff)
download	gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz