• Ævar Arnfjörð Bjarmason's avatar
    Add support for SSH certificate authentication · 2e8b6702
    Ævar Arnfjörð Bjarmason authored
    This along with the code submitted to gitlab-ce in the
    gitlab-org/gitlab-ce! MR implements SSH certificate
    authentication. See the docs added to gitlab-ce for why and how to
    enable this. This, along with that MR, closes
    gitlab-org/gitlab-ce#3457
    
    Implementation notes:
    
     - Because it's easy to do, and because an earlier nascent version of
       this would pass user-ID to gitlab-shell, that's now supported, even
       though the SSH certificate authentication uses username-USERNAME.
    
     - The astute reader will notice that not all the API calls in
       gitlab-ce's lib/api/internal.rb support a "username" argument, some
       only support "user_id".
    
       There's a few reasons for this:
    
         a) For this to be efficient, I am bending over backwards to avoid
            extra API calls when using SSH certificates.
    
            Therefore the /allowed API call will now return a "user id" to
            us if we're allowed to proceed further. This is then fed to
            existing APIs that would only be called after a successful
            call to /allowed.
    
         b) Not all of the git-shell codepaths go through
            /internal/allowed, or ever deal with a repository, e.g. the
            argument-less "Welcome to GitLab", and
            /internal/2fa_recovery_codes. These need to use
            /internal/discover to figure out details about the user, so
            support looking that up by username.
    
         c) Once we have the "user id", the GL_ID gets passed down to
            e.g. user-authored hooks. I don't want to have those all break
            by having to handle a third GL_ID mode of "username" in
            addition to the current "key id" and "user id".
    2e8b6702
gitlab_shell_spec.rb 17.1 KB