148-merge-8-1-1-to-master

command line

Fix two regressions in my 2e8b670 ("Add support for SSH certificate
authentication", 2018-06-14) merged in gitlab-org/gitlab-shell!207.

This fixes the issue noted in gitlab-org/gitlab-shell#145 where the
command-line contains things other than the key/user/username, and
also a regression where SSH certificates are being used, and the
username presented in the key is unknown to GitLab.

In that case, we should log the user in as "Anonymous" (on an instance
that allows public access), but because of how the error checking
around api.discover() was implemented we ended up erroring out
instead.

This reverts commit 3aaf4751e09262c53544a1987f59b1308af9b6c1, reversing
changes made to c6577e0d75f51b017f2f332838b97c3ca5b497c0.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/50160

This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457

Implementation notes:

- Because it's easy to do, and because an earlier nascent version of
  this would pass user-ID to gitlab-shell, that's now supported, even
  though the SSH certificate authentication uses username-USERNAME.

- The astute reader will notice that not all the API calls in
  gitlab-ce's lib/api/internal.rb support a "username" argument, some
  only support "user_id".

  There's a few reasons for this:

  a) For this to be efficient, I am bending over backwards to avoid
     extra API calls when using SSH certificates.

     Therefore the /allowed API call will now return a "user id" to
     us if we're allowed to proceed further. This is then fed to
     existing APIs that would only be called after a successful
     call to /allowed.

  b) Not all of the git-shell codepaths go through
     /internal/allowed, or ever deal with a repository, e.g. the
     argument-less "Welcome to GitLab", and
     /internal/2fa_recovery_codes. These need to use
     /internal/discover to figure out details about the user, so
     support looking that up by username.

  c) Once we have the "user id", the GL_ID gets passed down to
     e.g. user-authored hooks. I don't want to have those all break
     by having to handle a third GL_ID mode of "username" in
     addition to the current "key id" and "user id".

bin/authorized_keys doesn't check that the requesting user matches the expected
user, so to enable database authorized keys lookups, we currently ask the admin
to create a custom script for that purpose.

Better is to have a complete script that can perform the whole task. This commit
introduces bin/gitlab-shell-authorized-keys-check which does so.

This reverts commit a18c90128e4d3eeae1233b1bc3c3998afd223c0d, reversing
changes made to 0a64624152735766c428d1532e434dd0bf5a9748.

By default, RubyGems is enabled, which causes the Ruby interpreter
to load 600+ additional files at startup when gitlab-shell is
designed not to use any external gems.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

It is not nice to have both 'GitlabKeys' and 'GitlabKey'. We also do
not need GitlabKey to be a class when it has no state.

The old check only looked if authorized_keys exists. With this change, we look
whether we can actually open the file for reading and writing. When this fails
we try to print useful diagnostic information.

We can lazily create authorized_keys and set its permissions. This
adds negligible overhead and it allows us to remove a setup step from
GitLab both on source and in omnibus-gitlab.

Closes gitlab-org/gitlab-ce#17329

Signed-off-by: Rémy Coutable <remy@rymai.me>

Hoping this makes it more obvious when code touches the very
unsafe contents of this variable.

This reverts commit ae498b6cd4122d3d7f35e6b73b50c53615ca3488, reversing
changes made to 79fdf65c71e90773fbf52d6832b74cf5a7124755.

It is not clear what we need these for anymore. Because these commands
would recurse once through all existing files in all Git repositories,
and then another time through all directories these commands could
take very long on a server with a lot of repositories.

We keep the 'chmod' on config.repos_path, to deny world access to all
files and directories beneath it.

Added list-keys command, with associated spec

Removed puts and tidied up regex
Address the hound
Address the hound, again
Use single quotes
Add back travis.yml file
Remove travis.yml, only keep on fh-master
Use single quotes
Use single quotes

list-projects command usage
Single quotes
Use single quotes
Use single quotes

When bin/create-hooks is run against a live GitLab server, there is
a possibility of race conditions when a user deletes one of their
repositories after bin/create-hooks found it. With this change,
bin/create-hooks will ignore missing file errors.

This command is intended to be called by the GitLab Rails code when
restoring an application backup.