.gitlab-ci.yml

@@ -3,7 +3,6 @@ include:
   - template: Security/SAST.gitlab-ci.yml
   - template: Security/Dependency-Scanning.gitlab-ci.yml
   - template: Security/Secret-Detection.gitlab-ci.yml
-  - component: ${CI_SERVER_FQDN}/gitlab-org/components/danger-review/danger-review@1.4.1
 
 stages:
   - prepare
@@ -16,16 +15,16 @@ variables:
   TRANSFER_METER_FREQUENCY: "1s"
   DOCKER_VERSION: "20.10.15"
   BUNDLE_FROZEN: "true"
-  GO_VERSION: "golang-1.22"
+  GO_VERSION: "1.23"
   GOPATH: $CI_PROJECT_DIR/.GOPATH
   DEBIAN_VERSION: "bookworm"
-  RUBY_VERSION: "3.2.4"
+  RUBY_VERSION: "3.2.5"
   BUNDLE_PATH: vendor/ruby
   POLICY: pull
   CI_DEBUG_SERVICES: 'true'
-  RUST_VERSION: "rust-1.73"
+  RUST_VERSION: "1.73"
   UBI_VERSION: "8.6"
-  IMAGE_TAG: "rubygems-3.4-git-2.36-exiftool-12.60"
+  IMAGE_TAG: "rubygems-3.5-git-2.45-exiftool-12.60"
   GITLAB_ADVANCED_SAST_ENABLED: 'true'
 
 workflow:
@@ -37,8 +36,15 @@ workflow:
     # For tags, create a pipeline.
     - if: '$CI_COMMIT_TAG'
 
+.rules:go-changes:
+  rules:
+    - changes:
+        - 'go.mod'
+        - 'go.sum'
+        - '**/*.go'
+
 default:
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-${GO_VERSION}-${RUST_VERSION}:${IMAGE_TAG}
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
   tags:
     - gitlab-org
 
@@ -52,7 +58,7 @@ default:
 
 .cached-go: &cached_go
   - key:
-      prefix: $GO_VERSION-cache
+      prefix: "golang-${GO_VERSION}-cache"
       files:
         - go.mod
         - go.sum
@@ -87,7 +93,7 @@ default:
 .go-matrix-job:
   parallel:
     matrix:
-      - GO_VERSION: ["golang-1.21", "golang-1.22"]
+      - GO_VERSION: ["1.22", "1.23"]
 
 ################################################################################
 # Prepare jobs
@@ -117,6 +123,7 @@ modules:download:
 
 .test-job:
   needs: ['bundle:install', 'modules:download']
+  rules: !reference [".rules:go-changes", rules]
   variables:
     GITALY_CONNECTION_INFO: '{"address":"tcp://gitaly:8075", "storage":"default"}'
   before_script:
@@ -159,7 +166,7 @@ tests_without_cgo:
     - make verify test_fancy
 
 tests:fips:
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images/ubi-${UBI_VERSION}-ruby-${RUBY_VERSION}-${GO_VERSION}-${RUST_VERSION}:${IMAGE_TAG}
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images/ubi-${UBI_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
   extends:
     - .cached-job
     - .test-job
@@ -267,6 +274,7 @@ lint:
 
 nilaway:
   stage: lint
+  rules: !reference [".rules:go-changes", rules]
   before_script:
     - go install go.uber.org/nilaway/cmd/nilaway@latest
   script:

.golangci.yml

@@ -61,6 +61,8 @@ output:
   # print linter name in the end of issue text, default is true
   print-linter-name: true
 
+  sort-results: true
+
 # all available settings of specific linters
 linters-settings:
   errcheck:
@@ -262,11 +264,11 @@ linters:
   disable-all: true
   enable:
     - bodyclose
+    - copyloopvar
     - depguard
     - dogsled
     - dupl
     - errcheck
-    - exportloopref
     - funlen
     - gocognit
     - goconst

.tool-versions

-ruby 3.3.4
-golang 1.23.0
+ruby 3.3.5
+golang 1.23.2

Gemfile

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 
 group :development, :test do
   gem 'rspec', '~> 3.13.0'
-  gem 'webrick', '~> 1.8', '>= 1.8.1'
+  gem 'webrick', '~> 1.8', '>= 1.8.2'
 end
 
 group :development, :danger do

Gemfile.lock

@@ -91,7 +91,7 @@ GEM
       unicode-display_width (>= 1.1.1, < 3)
     unicode-display_width (2.5.0)
     uri (0.13.0)
-    webrick (1.8.1)
+    webrick (1.8.2)
 
 PLATFORMS
   ruby
@@ -99,7 +99,7 @@ PLATFORMS
 DEPENDENCIES
   gitlab-dangerfiles (~> 4.8.0)
   rspec (~> 3.13.0)
-  webrick (~> 1.8, >= 1.8.1)
+  webrick (~> 1.8, >= 1.8.2)
 
 BUNDLED WITH
    2.5.11

Makefile

@@ -9,10 +9,10 @@ GO_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
 
 ARCH ?= $(shell uname -m | sed -e 's/x86_64/amd64/' | sed -e 's/aarch64/arm64/')
 
-GOTESTSUM_VERSION := 1.11.0
+GOTESTSUM_VERSION := 1.12.0
 GOTESTSUM_FILE := support/bin/gotestsum-${GOTESTSUM_VERSION}
 
-GOLANGCI_LINT_VERSION := 1.60.1
+GOLANGCI_LINT_VERSION := 1.60.3
 GOLANGCI_LINT_FILE := support/bin/golangci-lint-${GOLANGCI_LINT_VERSION}
 
 export GOFLAGS := -mod=readonly
@@ -86,13 +86,15 @@ coverage: coverage_golang
 coverage_golang:
 	[ -f cover.out ] && go tool cover -func cover.out
 
-lint: ${GOLANGCI_LINT_FILE}
-	${GOLANGCI_LINT_FILE} --version
-	${GOLANGCI_LINT_FILE} run --issues-exit-code 0 --print-issued-lines=false ${GOLANGCI_LINT_ARGS}
+lint:
+	@support/lint.sh ./...
+
+golangci: ${GOLANGCI_LINT_FILE}
+	@${GOLANGCI_LINT_FILE} run --issues-exit-code 0 --print-issued-lines=false ${GOLANGCI_LINT_ARGS}
 
 ${GOLANGCI_LINT_FILE}:
-	mkdir -p $(shell dirname ${GOLANGCI_LINT_FILE})
-	curl -L https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}.tar.gz | tar --strip-components 1 -zOxf - golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}/golangci-lint > ${GOLANGCI_LINT_FILE} && chmod +x ${GOLANGCI_LINT_FILE}
+	@mkdir -p $(shell dirname ${GOLANGCI_LINT_FILE})
+	@curl -L https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}.tar.gz | tar --strip-components 1 -zOxf - golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}/golangci-lint > ${GOLANGCI_LINT_FILE} && chmod +x ${GOLANGCI_LINT_FILE}
 
 setup: make_necessary_dirs bin/gitlab-shell
 

README.md

@@ -4,10 +4,48 @@ group: Source Code
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
 
-# GitLab Shell documentation has moved
-
 [![pipeline status](https://gitlab.com/gitlab-org/gitlab-shell/badges/main/pipeline.svg)](https://gitlab.com/gitlab-org/gitlab-shell/-/pipelines?ref=main)
 [![coverage report](https://gitlab.com/gitlab-org/gitlab-shell/badges/main/coverage.svg)](https://gitlab.com/gitlab-org/gitlab-shell/-/pipelines?ref=main)
 [![Code Climate](https://codeclimate.com/github/gitlabhq/gitlab-shell.svg)](https://codeclimate.com/github/gitlabhq/gitlab-shell)
 
-The documentation for GitLab Shell [has moved into the `gitlab` repository](https://docs.gitlab.com/ee/development/gitlab_shell/).
+# GitLab Shell
+
+GitLab Shell handles Git SSH sessions for GitLab and modifies the list of
+authorized keys. GitLab Shell is not a Unix shell nor a replacement for Bash or Zsh.
+
+GitLab supports Git LFS authentication through SSH.
+
+## Development Documentation
+
+Development documentation for GitLab Shell [has moved into the `gitlab` repository](https://docs.gitlab.com/ee/development/gitlab_shell/).
+
+## Project structure
+
+| Directory | Description |
+|-----------|-------------|
+| `cmd/` | 'Commands' that will ultimately be compiled into binaries. |
+| `internal/` | Internal Go source code that is not intended to be used outside of the project/module. |
+| `client/` | HTTP and GitLab client logic that is used internally and by other modules, e.g. Gitaly. |
+| `bin/` | Compiled binaries are created here. |
+| `support/` | Scripts and tools that assist in development and/or testing. |
+| `spec/` | Ruby based integration tests. |
+
+## Building
+
+Run `make` or `make build`.
+
+## Testing
+
+Run `make test`.
+
+## Release Process
+
+1. Create a `gitlab-org/gitlab-shell` MR to update [`VERSION`](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/VERSION) and [`CHANGELOG`](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/CHANGELOG) files, e.g. [Release v14.39.0](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1123).
+2. Once `gitlab-org/gitlab-shell` MR is merged, create the corresponding git tag, e.g. https://gitlab.com/gitlab-org/gitlab-shell/-/tags/v14.39.0.
+3. Create a `gitlab-org/gitlab` MR to update [`GITLAB_SHELL_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_SHELL_VERSION) to the proposed tag, e.g. [Bump GitLab Shell to 14.39.0](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162661).
+4. Announce in `#gitlab-shell` a new version has been created.
+
+## Licensing
+
+See the `LICENSE` file for licensing information as it pertains to files in
+this repository.

client/client_test.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"gitlab.com/gitlab-org/gitlab-shell/v14/client/testserver"
@@ -36,31 +37,31 @@ func TestClients(t *testing.T) {
 	}{
 		{
 			desc:   "Socket client",
-			server: testserver.StartSocketHttpServer,
+			server: testserver.StartSocketHTTPServer,
 			secret: secret,
 		},
 		{
 			desc:            "Socket client with a relative URL at /",
 			relativeURLRoot: "/",
-			server:          testserver.StartSocketHttpServer,
+			server:          testserver.StartSocketHTTPServer,
 			secret:          secret,
 		},
 		{
 			desc:            "Socket client with relative URL at /gitlab",
 			relativeURLRoot: "/gitlab",
-			server:          testserver.StartSocketHttpServer,
+			server:          testserver.StartSocketHTTPServer,
 			secret:          secret,
 		},
 		{
 			desc:   "Http client",
-			server: testserver.StartHttpServer,
+			server: testserver.StartHTTPServer,
 			secret: secret,
 		},
 		{
 			desc:   "Https client",
 			caFile: path.Join(testRoot, "certs/valid/server.crt"),
 			server: func(t *testing.T, handlers []testserver.TestRequestHandler) string {
-				return testserver.StartHttpsServer(t, handlers, "")
+				return testserver.StartHTTPSServer(t, handlers, "")
 			},
 			secret: secret,
 		},
@@ -68,13 +69,13 @@ func TestClients(t *testing.T) {
 			desc:   "Secret with newlines",
 			caFile: path.Join(testRoot, "certs/valid/server.crt"),
 			server: func(t *testing.T, handlers []testserver.TestRequestHandler) string {
-				return testserver.StartHttpsServer(t, handlers, "")
+				return testserver.StartHTTPSServer(t, handlers, "")
 			},
 			secret: "\n" + secret + "\n",
 		},
 		{
 			desc:   "Retry client",
-			server: testserver.StartRetryHttpServer,
+			server: testserver.StartRetryHTTPServer,
 			secret: secret,
 		},
 	}
@@ -240,7 +241,7 @@ func buildRequests(t *testing.T, relativeURLRoot string) []testserver.TestReques
 		{
 			Path: "/api/v4/internal/hello",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
-				require.Equal(t, http.MethodGet, r.Method)
+				assert.Equal(t, http.MethodGet, r.Method)
 
 				fmt.Fprint(w, "Hello")
 			},
@@ -248,12 +249,12 @@ func buildRequests(t *testing.T, relativeURLRoot string) []testserver.TestReques
 		{
 			Path: "/api/v4/internal/post_endpoint",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
-				require.Equal(t, http.MethodPost, r.Method)
+				assert.Equal(t, http.MethodPost, r.Method)
 
 				b, err := io.ReadAll(r.Body)
 				defer r.Body.Close()
 
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				fmt.Fprint(w, "Echo: "+string(b))
 			},

client/httpclient_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gitlab.com/gitlab-org/gitlab-shell/v14/client/testserver"
 )
@@ -34,7 +35,7 @@ func TestBasicAuthSettings(t *testing.T) {
 		{
 			Path: "/api/v4/internal/get_endpoint",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
-				require.Equal(t, http.MethodGet, r.Method)
+				assert.Equal(t, http.MethodGet, r.Method)
 
 				fmt.Fprint(w, r.Header.Get("Authorization"))
 			},
@@ -42,7 +43,7 @@ func TestBasicAuthSettings(t *testing.T) {
 		{
 			Path: "/api/v4/internal/post_endpoint",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
-				require.Equal(t, http.MethodPost, r.Method)
+				assert.Equal(t, http.MethodPost, r.Method)
 
 				fmt.Fprint(w, r.Header.Get("Authorization"))
 			},
@@ -82,7 +83,7 @@ func TestEmptyBasicAuthSettings(t *testing.T) {
 		{
 			Path: "/api/v4/internal/empty_basic_auth",
 			Handler: func(_ http.ResponseWriter, r *http.Request) {
-				require.Equal(t, "", r.Header.Get("Authorization"))
+				assert.Equal(t, "", r.Header.Get("Authorization"))
 			},
 		},
 	}
@@ -100,13 +101,13 @@ func TestRequestWithUserAgent(t *testing.T) {
 		{
 			Path: "/api/v4/internal/default_user_agent",
 			Handler: func(_ http.ResponseWriter, r *http.Request) {
-				require.Equal(t, defaultUserAgent, r.UserAgent())
+				assert.Equal(t, defaultUserAgent, r.UserAgent())
 			},
 		},
 		{
 			Path: "/api/v4/internal/override_user_agent",
 			Handler: func(_ http.ResponseWriter, r *http.Request) {
-				require.Equal(t, gitalyUserAgent, r.UserAgent())
+				assert.Equal(t, gitalyUserAgent, r.UserAgent())
 			},
 		},
 	}
@@ -125,7 +126,7 @@ func TestRequestWithUserAgent(t *testing.T) {
 }
 
 func setup(t *testing.T, username, password string, requests []testserver.TestRequestHandler) *GitlabNetClient {
-	url := testserver.StartHttpServer(t, requests)
+	url := testserver.StartHTTPServer(t, requests)
 
 	httpClient, err := NewHTTPClientWithOpts(url, "", "", "", 1, nil)
 	require.NoError(t, err)

client/httpsclient_test.go

@@ -8,6 +8,7 @@ import (
 	"path"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gitlab.com/gitlab-org/gitlab-shell/v14/client/testserver"
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/testhelper"
@@ -116,14 +117,14 @@ func setupWithRequests(t *testing.T, caFile, caPath, clientCAPath, clientCertPat
 		{
 			Path: "/api/v4/internal/hello",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
-				require.Equal(t, http.MethodGet, r.Method)
+				assert.Equal(t, http.MethodGet, r.Method)
 
 				fmt.Fprint(w, "Hello")
 			},
 		},
 	}
 
-	url := testserver.StartHttpsServer(t, requests, clientCAPath)
+	url := testserver.StartHTTPSServer(t, requests, clientCAPath)
 
 	opts := defaultHttpOpts
 	if clientCertPath != "" && clientKeyPath != "" {

client/testserver/testserver.go

@@ -22,7 +22,8 @@ type TestRequestHandler struct {
 	Handler func(w http.ResponseWriter, r *http.Request)
 }
 
-func StartSocketHttpServer(t *testing.T, handlers []TestRequestHandler) string {
+// StartSocketHTTPServer starts a socket based HTTP server
+func StartSocketHTTPServer(t *testing.T, handlers []TestRequestHandler) string {
 	t.Helper()
 
 	// We can't use t.TempDir() here because it will create a directory that
@@ -55,7 +56,8 @@ func StartSocketHttpServer(t *testing.T, handlers []TestRequestHandler) string {
 	return url
 }
 
-func StartHttpServer(t *testing.T, handlers []TestRequestHandler) string {
+// StartHTTPServer starts a TCP based HTTP server
+func StartHTTPServer(t *testing.T, handlers []TestRequestHandler) string {
 	t.Helper()
 
 	server := httptest.NewServer(buildHandler(handlers))
@@ -64,7 +66,8 @@ func StartHttpServer(t *testing.T, handlers []TestRequestHandler) string {
 	return server.URL
 }
 
-func StartRetryHttpServer(t *testing.T, handlers []TestRequestHandler) string {
+// StartRetryHTTPServer starts a TCP based HTTP server with retry capabilities
+func StartRetryHTTPServer(t *testing.T, handlers []TestRequestHandler) string {
 	attempts := map[string]int{}
 
 	retryMiddileware := func(next func(w http.ResponseWriter, r *http.Request)) http.Handler {
@@ -92,7 +95,8 @@ func StartRetryHttpServer(t *testing.T, handlers []TestRequestHandler) string {
 	return server.URL
 }
 
-func StartHttpsServer(t *testing.T, handlers []TestRequestHandler, clientCAPath string) string {
+// StartHTTPSServer starts a TCP based HTTPS capable server
+func StartHTTPSServer(t *testing.T, handlers []TestRequestHandler, clientCAPath string) string {
 	t.Helper()
 
 	testRoot := testhelper.PrepareTestRootDir(t)

client/transport.go

+// Package client provides an HTTP client with enhanced logging, tracing, and correlation handling.
 package client
 
 import (
@@ -13,6 +14,7 @@ type transport struct {
 	next http.RoundTripper
 }
 
+// RoundTrip executes a single HTTP transaction, adding logging and tracing capabilities.
 func (rt *transport) RoundTrip(request *http.Request) (*http.Response, error) {
 	ctx := request.Context()
 
@@ -55,10 +57,12 @@ func (rt *transport) RoundTrip(request *http.Request) (*http.Response, error) {
 	return response, nil
 }
 
+// DefaultTransport returns a clone of the default HTTP transport.
 func DefaultTransport() http.RoundTripper {
 	return http.DefaultTransport.(*http.Transport).Clone()
 }
 
+// NewTransport creates a new transport with logging, tracing, and correlation handling.
 func NewTransport(next http.RoundTripper) http.RoundTripper {
 	t := &transport{next: next}
 	return correlation.NewInstrumentedRoundTripper(tracing.NewRoundTripper(t))

cmd/gitlab-shell-authorized-principals-check/command/command.go

+// Package command handles command creation and initialization in GitLab Shell.
 package command
 
 import (
@@ -9,6 +10,7 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
 )
 
+// New creates a new command based on provided arguments, config, and I/O.
 func New(arguments []string, config *config.Config, readWriter *readwriter.ReadWriter) (command.Command, error) {
 	args, err := Parse(arguments)
 	if err != nil {
@@ -22,6 +24,7 @@ func New(arguments []string, config *config.Config, readWriter *readwriter.ReadW
 	return nil, disallowedcommand.Error
 }
 
+// Parse parses command-line arguments into a CommandArgs structure.
 func Parse(arguments []string) (*commandargs.AuthorizedPrincipals, error) {
 	args := &commandargs.AuthorizedPrincipals{Arguments: arguments}
 

cmd/gitlab-shell-authorized-principals-check/command/command_test.go

@@ -58,7 +58,7 @@ func TestParseSuccess(t *testing.T) {
 			desc:         "It parses authorized-principals command",
 			executable:   &executable.Executable{Name: executable.AuthorizedPrincipalsCheck},
 			arguments:    []string{"key", "principal-1", "principal-2"},
-			expectedArgs: &commandargs.AuthorizedPrincipals{Arguments: []string{"key", "principal-1", "principal-2"}, KeyId: "key", Principals: []string{"principal-1", "principal-2"}},
+			expectedArgs: &commandargs.AuthorizedPrincipals{Arguments: []string{"key", "principal-1", "principal-2"}, KeyID: "key", Principals: []string{"principal-1", "principal-2"}},
 		},
 	}
 

cmd/gitlab-shell-authorized-principals-check/main.go

+// Package main is the entry point for the GitLab Shell authorized principals check command.
 package main
 
 import (
@@ -21,6 +22,10 @@ var (
 )
 
 func main() {
+	os.Exit(run())
+}
+
+func run() int {
 	command.CheckForVersionFlag(os.Args, Version, BuildTime)
 
 	readWriter := &readwriter.ReadWriter{
@@ -31,32 +36,33 @@ func main() {
 
 	executable, err := executable.New(executable.AuthorizedPrincipalsCheck)
 	if err != nil {
-		fmt.Fprintln(readWriter.ErrOut, "Failed to determine executable, exiting")
-		os.Exit(1)
+		_, _ = fmt.Fprintln(readWriter.ErrOut, "Failed to determine executable, exiting")
+		return 1
 	}
 
 	config, err := config.NewFromDirExternal(executable.RootDir)
 	if err != nil {
-		fmt.Fprintln(readWriter.ErrOut, "Failed to read config, exiting")
-		os.Exit(1)
+		_, _ = fmt.Fprintln(readWriter.ErrOut, "Failed to read config, exiting:", err)
+		return 1
 	}
 
 	logCloser := logger.Configure(config)
-	defer logCloser.Close()
+	defer logCloser.Close() //nolint:errcheck
 
 	cmd, err := cmd.New(os.Args[1:], config, readWriter)
 	if err != nil {
 		// For now this could happen if `SSH_CONNECTION` is not set on
 		// the environment
-		fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
-		os.Exit(1)
+		_, _ = fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
+		return 1
 	}
 
 	ctx, finished := command.Setup(executable.Name, config)
 	defer finished()
 
-	if ctx, err = cmd.Execute(ctx); err != nil {
+	if _, err = cmd.Execute(ctx); err != nil {
 		console.DisplayWarningMessage(err.Error(), readWriter.ErrOut)
-		os.Exit(1)
+		return 1
 	}
+	return 0
 }

cmd/gitlab-shell-check/main.go

+// Package main is the entry point for the GitLab Shell health check command.
 package main
 
 import (
@@ -20,6 +21,10 @@ var (
 )
 
 func main() {
+	os.Exit(run())
+}
+
+func run() int {
 	command.CheckForVersionFlag(os.Args, Version, BuildTime)
 
 	readWriter := &readwriter.ReadWriter{
@@ -28,32 +33,38 @@ func main() {
 		ErrOut: os.Stderr,
 	}
 
+	exitOnError := func(err error, message string) int {
+		if err != nil {
+			_, _ = fmt.Fprintf(readWriter.ErrOut, "%s: %v\n", message, err)
+			return 1
+		}
+		return 0
+	}
+
 	executable, err := executable.New(executable.Healthcheck)
-	if err != nil {
-		fmt.Fprintln(readWriter.ErrOut, "Failed to determine executable, exiting")
-		os.Exit(1)
+	if code := exitOnError(err, "Failed to determine executable, exiting"); code != 0 {
+		return code
 	}
 
 	config, err := config.NewFromDirExternal(executable.RootDir)
-	if err != nil {
-		fmt.Fprintln(readWriter.ErrOut, "Failed to read config, exiting")
-		os.Exit(1)
+	if code := exitOnError(err, "Failed to read config, exiting"); code != 0 {
+		return code
 	}
 
 	logCloser := logger.Configure(config)
-	defer logCloser.Close()
+	defer logCloser.Close() //nolint:errcheck
 
 	cmd, err := checkCmd.New(config, readWriter)
-	if err != nil {
-		fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
-		os.Exit(1)
+	if code := exitOnError(err, "Failed to create command"); code != 0 {
+		return code
 	}
 
 	ctx, finished := command.Setup(executable.Name, config)
 	defer finished()
 
-	if ctx, err = cmd.Execute(ctx); err != nil {
-		fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
-		os.Exit(1)
+	if _, err = cmd.Execute(ctx); err != nil {
+		_, _ = fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
+		return 1
 	}
+	return 0
 }

cmd/gitlab-shell/command/command.go

@@ -41,7 +41,7 @@ func NewWithKey(gitlabKeyID string, env sshenv.Env, config *config.Config, readW
 		return nil, err
 	}
 
-	args.GitlabKeyId = gitlabKeyID
+	args.GitlabKeyID = gitlabKeyID
 	if cmd := Build(args, config, readWriter); cmd != nil {
 		return cmd, nil
 	}
@@ -71,7 +71,7 @@ func NewWithUsername(gitlabUsername string, env sshenv.Env, config *config.Confi
 		return nil, err
 	}
 
-	// When 1.21+ only Golang is supported, it can be refactored by using slices.Contains
+	// FIXME: When 1.21+ only Golang is supported, it can be refactored by using slices.Contains
 	if env.NamespacePath != "" {
 		exists := false
 		for _, gitCmd := range commandargs.GitCommands {

cmd/gitlab-shell/command/command_test.go

@@ -256,112 +256,112 @@ func TestParseSuccess(t *testing.T) {
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{}, CommandType: commandargs.Discover, Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{}, CommandType: commandargs.Discover, Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the key id in any passed arguments",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "key-123"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "key-123"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabKeyId: "123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "key-123"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabKeyID: "123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the key id only if the argument is of <key-id> format",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "username-key-123"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "username-key-123"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "key-123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "username-key-123"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "key-123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the key id if the key is listed as the last argument",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "gitlab-shell -c key-123"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c key-123"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabKeyId: "123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c key-123"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabKeyID: "123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the username if the username is listed as the last argument",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "gitlab-shell -c username-jane-doe"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c username-jane-doe"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "jane-doe", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c username-jane-doe"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "jane-doe", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the key id only if the last argument is of <key-id> format",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "gitlab-shell -c username-key-123"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c username-key-123"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "key-123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "gitlab-shell -c username-key-123"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "key-123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It finds the username in any passed arguments",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "username-jane-doe"},
-			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "username-jane-doe"}, SshArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "jane-doe", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{"hello", "username-jane-doe"}, SSHArgs: []string{}, CommandType: commandargs.Discover, GitlabUsername: "jane-doe", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		},
 		{
 			desc:         "It parses 2fa_recovery_codes command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "2fa_recovery_codes"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"2fa_recovery_codes"}, CommandType: commandargs.TwoFactorRecover, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "2fa_recovery_codes"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"2fa_recovery_codes"}, CommandType: commandargs.TwoFactorRecover, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "2fa_recovery_codes"}},
 		},
 		{
 			desc:         "It parses git-receive-pack command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack group/repo"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack group/repo"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack group/repo"}},
 		},
 		{
 			desc:         "It parses git-receive-pack command and a project with single quotes",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack 'group/repo'"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack 'group/repo'"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-receive-pack 'group/repo'"}},
 		},
 		{
 			desc:         `It parses "git receive-pack" command`,
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack "group/repo"`},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack "group/repo"`}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack "group/repo"`}},
 		},
 		{
 			desc:         `It parses a command followed by control characters`,
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack group/repo; any command`},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack group/repo; any command`}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-receive-pack", "group/repo"}, CommandType: commandargs.ReceivePack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git-receive-pack group/repo; any command`}},
 		},
 		{
 			desc:         "It parses git-upload-pack command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: `git upload-pack "group/repo"`},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-upload-pack", "group/repo"}, CommandType: commandargs.UploadPack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git upload-pack "group/repo"`}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-upload-pack", "group/repo"}, CommandType: commandargs.UploadPack, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: `git upload-pack "group/repo"`}},
 		},
 		{
 			desc:         "It parses git-upload-archive command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-upload-archive 'group/repo'"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-upload-archive", "group/repo"}, CommandType: commandargs.UploadArchive, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-upload-archive 'group/repo'"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-upload-archive", "group/repo"}, CommandType: commandargs.UploadArchive, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-upload-archive 'group/repo'"}},
 		},
 		{
 			desc:         "It parses git-lfs-authenticate command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-authenticate 'group/repo' download"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-lfs-authenticate", "group/repo", "download"}, CommandType: commandargs.LfsAuthenticate, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-authenticate 'group/repo' download"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-lfs-authenticate", "group/repo", "download"}, CommandType: commandargs.LfsAuthenticate, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-authenticate 'group/repo' download"}},
 		},
 		{
 			desc:         "It parses git-lfs-transfer command",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-transfer 'group/repo' download"},
 			arguments:    []string{},
-			expectedArgs: &commandargs.Shell{Arguments: []string{}, SshArgs: []string{"git-lfs-transfer", "group/repo", "download"}, CommandType: commandargs.LfsTransfer, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-transfer 'group/repo' download"}},
+			expectedArgs: &commandargs.Shell{Arguments: []string{}, SSHArgs: []string{"git-lfs-transfer", "group/repo", "download"}, CommandType: commandargs.LfsTransfer, Env: sshenv.Env{IsSSHConnection: true, OriginalCommand: "git-lfs-transfer 'group/repo' download"}},
 		},
 	}
 
@@ -427,7 +427,7 @@ func TestNewWithUsername(t *testing.T) {
 				Args: &commandargs.Shell{
 					CommandType:    commandargs.ReceivePack,
 					GitlabUsername: "username",
-					SshArgs:        []string{"git-receive-pack", "group/repo"},
+					SSHArgs:        []string{"git-receive-pack", "group/repo"},
 					Env: sshenv.Env{
 						IsSSHConnection: true,
 						OriginalCommand: "git-receive-pack 'group/repo'",
@@ -442,7 +442,7 @@ func TestNewWithUsername(t *testing.T) {
 				Args: &commandargs.Shell{
 					CommandType:    commandargs.TwoFactorRecover,
 					GitlabUsername: "username",
-					SshArgs:        []string{"2fa_recovery_codes"},
+					SSHArgs:        []string{"2fa_recovery_codes"},
 					Env: sshenv.Env{
 						IsSSHConnection: true,
 						OriginalCommand: "2fa_recovery_codes",
@@ -463,7 +463,7 @@ func TestNewWithUsername(t *testing.T) {
 				Args: &commandargs.Shell{
 					CommandType:    commandargs.ReceivePack,
 					GitlabUsername: "username",
-					SshArgs:        []string{"git-receive-pack", "group/repo"},
+					SSHArgs:        []string{"git-receive-pack", "group/repo"},
 					Env: sshenv.Env{
 						IsSSHConnection: true,
 						OriginalCommand: "git-receive-pack 'group/repo'",

cmd/gitlab-shell/main.go

@@ -45,7 +45,7 @@ func main() {
 
 	config, err := config.NewFromDirExternal(executable.RootDir)
 	if err != nil {
-		fmt.Fprintln(readWriter.ErrOut, "Failed to read config, exiting")
+		fmt.Fprintln(readWriter.ErrOut, "Failed to read config, exiting:", err)
 		os.Exit(1)
 	}
 

cmd/gitlab-sshd/acceptance_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/mikesmitty/edkey"
 	"github.com/pires/go-proxyproto"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	gitalyClient "gitlab.com/gitlab-org/gitaly/v16/client"
 	pb "gitlab.com/gitlab-org/gitaly/v16/proto/go/gitalypb"
@@ -112,7 +113,7 @@ func startGitOverHTTPServer(t *testing.T) string {
 				switch r.URL.Query().Get("service") {
 				case "git-receive-pack":
 					stream, err := client.InfoRefsReceivePack(ctx, rpcRequest)
-					require.NoError(t, err)
+					assert.NoError(t, err)
 					reader = streamio.NewReader(func() ([]byte, error) {
 						resp, err := stream.Recv()
 						return resp.GetData(), err
@@ -122,22 +123,22 @@ func startGitOverHTTPServer(t *testing.T) string {
 				}
 
 				_, err := io.Copy(w, reader)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 			},
 		},
 		{
 			Path: "/git-receive-pack",
 			Handler: func(_ http.ResponseWriter, r *http.Request) {
 				body, err := io.ReadAll(r.Body)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				defer r.Body.Close()
 
-				require.Equal(t, "0000", string(body))
+				assert.Equal(t, "0000", string(body))
 			},
 		},
 	}
 
-	return testserver.StartHttpServer(t, requests)
+	return testserver.StartHTTPServer(t, requests)
 }
 
 func buildAllowedResponse(t *testing.T, filename string) string {
@@ -185,7 +186,7 @@ func successAPI(t *testing.T, handlers ...customHandler) http.Handler {
 			response := buildAllowedResponse(t, "responses/allowed_without_console_messages.json")
 
 			_, err := fmt.Fprint(w, response)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		case "/api/v4/internal/shellhorse/git_audit_event":
 			w.WriteHeader(http.StatusOK)
 			return
@@ -495,7 +496,7 @@ func TestGeoGitReceivePackSuccess(t *testing.T) {
 
 			w.WriteHeader(300)
 			_, err := fmt.Fprint(w, response)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		},
 	}
 	client := runSSHD(t, successAPI(t, handler))