Merge upstream and resolve conflicts

.gitignore

 *.log
 *.swp
+.DS_Store
+.GOPATH
 .bundle
 .bundle/
 .gitlab_shell_secret
@@ -14,9 +16,11 @@
 authorized_keys.lock
 config.yml
 cover.out
+cover.xml
 custom_hooks
 hooks/*.d
+/support/bin/golangci-*
+/support/bin/gotestsum-*
 tags
 tmp/*
 vendor
-.DS_Store

.gitlab-ci.yml

@@ -7,12 +7,22 @@ include:
     file:
       - '/ci/danger-review.yml'
 
+stages:
+  - prepare
+  - test
+
 variables:
+  FF_USE_FASTZIP: 'true'
+  TRANSFER_METER_FREQUENCY: "1s"
   DOCKER_VERSION: "20.10.15"
   BUNDLE_FROZEN: "true"
   GO_VERSION: "golang-1.20"
+  GOPATH: $CI_PROJECT_DIR/.GOPATH
   DEBIAN_VERSION: "bullseye"
   RUBY_VERSION: "ruby-3.2"
+  BUNDLE_PATH: vendor/ruby
+  POLICY: pull
+  CI_DEBUG_SERVICES: 'true'
 
 workflow:
   rules: &workflow_rules
@@ -36,12 +46,77 @@ default:
     # See https://gitlab.com/gitlab-com/www-gitlab-com/-/issues/7019 for tag descriptions
     - gitlab-org-docker
 
-.test:
+.cached-go: &cached_go
+  - key:
+      prefix: $GO_VERSION-cache
+      files:
+        - go.mod
+        - go.sum
+    policy: $POLICY
+    paths:
+      - .GOPATH/pkg/mod/
+
+.cached-ruby: &cached_ruby
+  - key:
+      prefix: $RUBY_VERSION-cache
+      files:
+        - Gemfile.lock
+    policy: $POLICY
+    paths:
+      - ${BUNDLE_PATH}
+
+.cached-go-job:
+  variables:
+    CACHE_COMPRESSION_LEVEL: "fastest"
+  cache:
+    - *cached_go
+
+.cached-ruby-job:
+  cache:
+    - *cached_ruby
+
+.cached-job:
+  cache:
+    - *cached_go
+    - *cached_ruby
+
+.go-matrix-job:
+  parallel:
+    matrix:
+      - GO_VERSION: ["golang-1.19", "golang-1.20", "golang-1.21"]
+
+################################################################################
+# Prepare jobs
+################################################################################
+
+bundle:install:
+  stage: prepare
+  extends: .cached-ruby-job
+  variables:
+    POLICY: pull-push
+  script:
+    - bundle install --jobs $(nproc)
+
+modules:download:
+  stage: prepare
+  extends:
+    - .cached-go-job
+    - .go-matrix-job
+  variables:
+    POLICY: pull-push
+  script:
+    - go mod download
+
+################################################################################
+# Test jobs
+################################################################################
+
+.test-job:
+  needs: ['bundle:install', 'modules:download']
   variables:
     GITALY_CONNECTION_INFO: '{"address":"tcp://gitaly:8075", "storage":"default"}'
   before_script:
     # Set up the environment to run integration tests (still written in Ruby)
-    - bundle install
     - make build
     - cp config.yml.example config.yml
     - go version
@@ -49,22 +124,31 @@ default:
   services:
     - name: registry.gitlab.com/gitlab-org/build/cng/gitaly:master
       # Disable the hooks so we don't have to stub the GitLab API
-      command: ["bash", "-c", "mkdir -p /home/git/repositories && rm -rf /srv/gitlab-shell/hooks/* && exec /usr/bin/env GITALY_TESTING_NO_GIT_HOOKS=1 /scripts/process-wrapper"]
+      command: ["bash", "-c", "mkdir -p /home/git/repositories && rm -rf /srv/gitlab-shell/hooks/* && touch /srv/gitlab-shell/.gitlab_shell_secret && cp /etc/gitaly/config.toml.erb /etc/gitaly/config.toml 2>/dev/null && exec /usr/bin/env GITALY_TESTING_NO_GIT_HOOKS=1 /scripts/process-wrapper"]
       alias: gitaly
 
 tests:
-  extends: .test
-  parallel:
-    matrix:
-      - GO_VERSION: ["golang-1.18", "golang-1.19", "golang-1.20"]
+  extends:
+    - .cached-job
+    - .go-matrix-job
+    - .test-job
   script:
-    - make verify test
+    - make verify test_fancy
   after_script:
     - make coverage
   coverage: '/\d+.\d+%/'
+  artifacts:
+    when: always
+    paths:
+      - cover.xml
+    reports:
+      junit: cover.xml
 
 race:
-  extends: .test
+  extends:
+    - .cached-go-job
+    - .go-matrix-job
+    - .test-job
   script:
     - make test_golang_race
 
@@ -130,18 +214,15 @@ modules:tidy:
     - go mod tidy
     - git diff --exit-code go.mod go.sum
 
-modules:download:
-  parallel:
-    matrix:
-      - GO_VERSION: ["golang-1.18", "golang-1.19", "golang-1.20"]
+lint:
+  stage: test
   script:
-    - go mod download
-  cache:
-    key:
-      prefix: $GO_VERSION
-      files:
-        - go.mod
-        - go.sum
+    # Write the code coverage report to gl-code-quality-report.json
+    # and print linting issues to stdout in the format: path/to/file:line description
+    # remove `--issues-exit-code 0` or set to non-zero to fail the job if linting issues are detected
+    - make lint GOLANGCI_LINT_ARGS="--out-format code-climate:gl-code-quality-report.json,line-number"
+  artifacts:
+    reports:
+      codequality: gl-code-quality-report.json
     paths:
-      - .GOPATH/pkg/mod/
-    policy: push
+      - gl-code-quality-report.json

.golangci.yml

+# This file contains all available configuration options
+# with their default values.
+
+# options for analysis running
+run:
+  # default concurrency is a available CPU number
+  # concurrency: 4
+
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  timeout: 30m
+
+  # exit code when at least one issue was found, default is 1
+  issues-exit-code: 1
+
+  # include test files or not, default is true
+  tests: true
+
+  # list of build tags, all linters use it. Default is empty list.
+  # build-tags:
+  #   - mytag
+
+  # which dirs to skip: issues from them won't be reported;
+  # can use regexp here: generated.*, regexp is applied on full path;
+  # default value is empty list, but default dirs are skipped independently
+  # from this option's value (see skip-dirs-use-default).
+  # skip-dirs:
+  #   - src/external_libs
+  #   - autogenerated_by_my_lib
+
+  # default is true. Enables skipping of directories:
+  #   vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
+  skip-dirs-use-default: true
+
+  # which files to skip: they will be analyzed, but issues from them
+  # won't be reported. Default value is empty list, but there is
+  # no need to include all autogenerated files, we confidently recognize
+  # autogenerated files. If it's not please let us know.
+  # skip-files:
+  #   - ".*\\.my\\.go$"
+  #   - lib/bad.go
+
+  # by default isn't set. If set we pass it to "go list -mod={option}". From "go help modules":
+  # If invoked with -mod=readonly, the go command is disallowed from the implicit
+  # automatic updating of go.mod described above. Instead, it fails when any changes
+  # to go.mod are needed. This setting is most useful to check that go.mod does
+  # not need updates, such as in a continuous integration and testing system.
+  # If invoked with -mod=vendor, the go command assumes that the vendor
+  # directory holds the correct copies of dependencies and ignores
+  # the dependency descriptions in go.mod.
+  # modules-download-mode: readonly|release|vendor
+
+# output configuration options
+output:
+  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
+  format: line-number
+
+  # print lines of code with issue, default is true
+  print-issued-lines: true
+
+  # print linter name in the end of issue text, default is true
+  print-linter-name: true
+
+# all available settings of specific linters
+linters-settings:
+  errcheck:
+    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+    # default is false: such cases aren't reported by default.
+    check-type-assertions: false
+
+    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    # default is false: such cases aren't reported by default.
+    check-blank: false
+
+    # [deprecated] comma-separated list of pairs of the form pkg:regex
+    # the regex is used to ignore names within pkg. (default "fmt:.*").
+    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
+    # ignore: fmt:.*,io/ioutil:^Read.*
+
+    # path to a file containing a list of functions to exclude from checking
+    # see https://github.com/kisielk/errcheck#excluding-functions for details
+    # exclude: /path/to/file.txt
+
+  # Disable error checking, as errorcheck detects more errors and is more configurable.
+  gosec:
+    exclude:
+    - "G104"
+
+  funlen:
+    lines: 60
+    statements: 40
+
+  govet:
+    # report about shadowed variables
+    check-shadowing: true
+
+    # settings per analyzer
+    settings:
+      printf: # analyzer name, run `go tool vet help` to see all analyzers
+        funcs: # run `go tool vet help printf` to see available settings for `printf` analyzer
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
+
+    # enable or disable analyzers by name
+    # enable:
+    #   - atomicalign
+    # enable-all: false
+    # disable:
+    #   - shadow
+    # disable-all: false
+  golint:
+    # minimal confidence for issues, default is 0.8
+    min-confidence: 0.8
+  gofmt:
+    # simplify code: gofmt with `-s` option, true by default
+    simplify: true
+  goimports:
+    # put imports beginning with prefix after 3rd-party packages;
+    # it's a comma-separated list of prefixes
+    # local-prefixes: github.com/org/project
+  gocyclo:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 30
+  gocognit:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 20
+  maligned:
+    # print struct with more effective memory layout or not, false by default
+    suggest-new: true
+  dupl:
+    # tokens count to trigger issue, 150 by default
+    threshold: 100
+  goconst:
+    # minimal length of string constant, 3 by default
+    min-len: 3
+    # minimal occurrences count to trigger, 3 by default
+    min-occurrences: 3
+  # depguard:
+  #   list-type: blacklist
+  #   include-go-root: false
+  #   packages:
+  #     - github.com/sirupsen/logrus
+  #   packages-with-error-messages:
+  #     # specify an error message to output when a blacklisted package is used
+  #     github.com/sirupsen/logrus: "logging is allowed only by logutils.Log"
+  misspell:
+    # Correct spellings using locale preferences for US or UK.
+    # Default is to use a neutral variety of English.
+    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+    locale: US
+    ignore-words:
+      - GitLab
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 120
+    # tab width in spaces. Default to 1.
+    tab-width: 1
+  unused:
+    # treat code as a program (not a library) and report unused exported identifiers; default is false.
+    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false
+  unparam:
+    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false
+  nakedret:
+    # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
+    max-func-lines: 30
+  prealloc:
+    # XXX: we don't recommend using this linter before doing performance profiling.
+    # For most programs usage of prealloc will be a premature optimization.
+
+    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
+    # True by default.
+    simple: true
+    range-loops: true # Report preallocation suggestions on range loops, true by default
+    for-loops: false # Report preallocation suggestions on for loops, false by default
+  gocritic:
+    # Which checks should be enabled; can't be combined with 'disabled-checks';
+    # See https://go-critic.github.io/overview#checks-overview
+    # To check which checks are enabled run `GL_DEBUG=gocritic golangci-lint run`
+    # By default list of stable checks is used.
+    # enabled-checks:
+    #   - rangeValCopy
+
+    # Which checks should be disabled; can't be combined with 'enabled-checks'; default is empty
+    # disabled-checks:
+    #   - regexpMust
+
+    # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint run` to see all tags and checks.
+    # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
+    # enabled-tags:
+    #   - performance
+
+    settings: # settings passed to gocritic
+      captLocal: # must be valid enabled check name
+        paramsOnly: true
+    # rangeValCopy:
+    #   sizeThreshold: 32
+  godox:
+    # report any comments starting with keywords, this is useful for TODO or FIXME comments that
+    # might be left in the code accidentally and should be resolved before merging
+    keywords: # default keywords are TODO, BUG, and FIXME, these can be overwritten by this setting
+      - TODO
+      - BUG
+      - FIXME
+      - NOTE
+      - OPTIMIZE # marks code that should be optimized before merging
+      - HACK # marks hack-arounds that should be removed before merging
+  dogsled:
+    # checks assignments with too many blank identifiers; default is 2
+    max-blank-identifiers: 2
+
+  whitespace:
+    multi-if: false   # Enforces newlines (or comments) after every multi-line if statement
+    multi-func: false # Enforces newlines (or comments) after every multi-line function signature
+  wsl:
+    # If true append is only allowed to be cuddled if appending value is
+    # matching variables, fields or types on line above. Default is true.
+    strict-append: true
+    # Allow calls and assignments to be cuddled as long as the lines have any
+    # matching variables, fields or types. Default is true.
+    allow-assign-and-call: true
+    # Allow multiline assignments to be cuddled. Default is true.
+    allow-multiline-assign: true
+    # Allow declarations (var) to be cuddled.
+    allow-cuddle-declarations: false
+    # Allow trailing comments in ending of blocks
+    allow-trailing-comment: false
+    # Force newlines in end of case at this limit (0 = never).
+    force-case-trailing-whitespace: 0
+
+linters:
+  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  disable-all: true
+  enable:
+    - bodyclose
+    - depguard
+    - dogsled
+    - dupl
+    - errcheck
+    - funlen
+    - gocognit
+    - goconst
+    - gocritic
+    - godox
+    - gofmt
+    - goimports
+    - golint
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - interfacer
+    - misspell
+    - nakedret
+    - scopelint
+    - staticcheck
+    - structcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+  # don't enable:
+  # - deadcode
+  # - gochecknoglobals
+  # - gochecknoinits
+  # - gocyclo
+  # - lll
+  # - maligned
+  # - prealloc
+  # - varcheck
+
+issues:
+  # List of regexps of issue texts to exclude, empty list by default.
+  # But independently from this option we use default exclude patterns,
+  # it can be disabled by `exclude-use-default: false`. To list all
+  # excluded by default patterns execute `golangci-lint run --help`
+  # exclude:
+  #   - abcdef
+
+  # Excluding configuration per-path, per-linter, per-text and per-source
+  exclude-rules:
+    # Exclude some linters from running on tests files.
+    - path: _test\.go
+      linters:
+        - gocyclo
+        - errcheck
+        - dupl
+        - gosec
+        - funlen
+
+    # Exclude known linters from partially hard-vendored code,
+    # which is impossible to exclude via "nolint" comments.
+    # - path: internal/hmac/
+    #   text: "weak cryptographic primitive"
+    #   linters:
+    #     - gosec
+
+    # Exclude some staticcheck messages
+    # - linters:
+    #     - staticcheck
+    #   text: "SA9003:"
+
+    # Exclude lll issues for long lines with go:generate
+    - linters:
+        - lll
+      source: "^//go:generate "
+
+  # Independently from option `exclude` we use default exclude patterns,
+  # it can be disabled by this option. To list all
+  # excluded by default patterns execute `golangci-lint run --help`.
+  # Default value for this option is true.
+  exclude-use-default: false
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+
+  # Show only new issues: if there are unstaged changes or untracked files,
+  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
+  # It's a super-useful option for integration of golangci-lint into existing
+  # large codebase. It's not practical to fix all existing issues at the moment
+  # of integration: much better don't allow issues in new code.
+  # Default is false.
+  new: false
+
+  # Show only new issues created after git revision `REV`
+  # This should be passed as flag during individual CI jobs.
+  # new-from-rev: REV
+
+  # Show only new issues created in git patch with set file path.
+  # new-from-patch: path/to/patch/file

.tool-versions

 ruby 3.2.2
-golang 1.20.5
+golang 1.21.4

CHANGELOG

+v14.30.1
+
+- Update dependency golang to v1.21.4 !881
+- Update module github.com/golang-jwt/jwt/v5 to v5.1.0 !882
+- Set CI_DEBUG_SERVICES: true to assist debugging !883
+- Update module github.com/hashicorp/go-retryablehttp to v0.7.5 !885
+
+v14.30.0
+
+- Disable GSSAPI when CGO is enabled to support DNS resolution !866
+- Add log for public key authentication type !870
+- Update dependency golang to v1.21.3 !867
+- Update dependency gitlab-dangerfiles to '~> 4.3.2' !871
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.5.0 !873
+- Update module google.golang.org/grpc to v1.59.0 !872
+- Update dependency gitlab-dangerfiles to '~> 4.4.0' !874
+- Update dependency gitlab-dangerfiles to '~> 4.5.1' !876
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.5.1 !877
+- Update module golang.org/x/sync to v0.5.0 !879
+- Fix race conditions in GSSAPI calls !875
+
+v14.29.0
+
+- Update module google.golang.org/grpc to v1.58.2 !850
+- Update dependency gitlab-dangerfiles to v4 !852
+- Optimize Ruby and Go job caching !805
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.4.0 !853
+- Update module github.com/prometheus/client_golang to v1.17.0 !854
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.4.1 !856
+- Update dependency gitlab-dangerfiles to '~> 4.1.0' !857
+- Always return stdin/stdout errors !847
+- Update module golang.org/x/sync to v0.4.0 !860
+- Update dependency golang to v1.21.2 !862
+- Removes module github.com/grpc-ecosystem/go-grpc-middleware !859
+- Update module github.com/otiai10/copy to v1.14.0 !858
+- Update module golang.org/x/crypto to v0.14.0 !861
+- Allow only git commands for auth via SSH certs !864
+- Send ssh_certificates as protocol !863
+- Update module google.golang.org/grpc to v1.58.3 !868
+
+v14.28.0
+
+- Add PullCommand to githttp package !836
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.3.3 !849
+- Fix `make lint` on aarch64 platforms !848
+- Update dependency golang to v1.21.1 !844
+- Update module google.golang.org/grpc to v1.58.0 !845
+- Add golangci-lint to CI job !839
+- Update module golang.org/x/crypto to v0.13.0 !842
+
+v14.27.0
+
+- Workaround to allow gitaly service to start !838
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.3.1 !837
+- Resolve "GitLab sshd should include data transfer bytes in logs" !831
+- Update dependency golang to v1.21.0 !828
+- Log metadata refactor !832
+- Support authentication using SSH Certificates !812
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.3.0 !833
+- Implement geo_proxy_direct_to_primary feature flag !834
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.2.4 !830
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.2.2 !818
+- Add Go v1.21 to CI !829
+
+v14.26.0
+
+- Include error and log as Error when recovering !825
+- Fix the established session metric !826
+- Require Go 1.19 and drop use of golang-crypto fork !806
+- Update dependency gitlab-dangerfiles to '~> 3.13.0' !824
+- Create gotestsum in support/bin and ignore !825
+
+v14.25.0
+
+- Ensure context is not nil before processing !820
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.2.1 !814
+- Update module google.golang.org/grpc to v1.57.0 !815
+- Update module gitlab.com/gitlab-org/labkit to v1.20.0 !817
+- Update dependency golang to v1.20.7 !819
+
+v14.24.1
+
+- Return metadata context without using channels !810
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.2.0 !813
+- Update dependency gitlab-dangerfiles to '~> 3.12.0' !811
+
+v14.24.0
+
+- Bump golang to 1.20.6 !808
+- Ensure all binaries respond to -version !800
+- Update module google.golang.org/grpc to v1.56.2 !804
+- Update module golang.org/x/crypto to v0.11.0 !803
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.1.2 !802
+- Add support for gotestsum !796
+- Log 'access: finish' line with additional metadata !783
+- Ensure prometheus counter has time to increment !795
+- Use both go and ruby cache for test jobs !793
+- Split caching of go and ruby jobs !792
+- Optimise Ruby and Go based CI jobs !787
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.1.1 !794
+- Update module google.golang.org/protobuf to v1.31.0 !789
+- Update dependency gitlab-dangerfiles to '~> 3.11.0' !788
+- New modules:tidy and modules:download jobs !784
+- Update module google.golang.org/grpc to v1.56.1 !786
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.1.0 !785
+- Tidy up go.mod and go.sum !781
+- Create a 'msg: "access"' log entry at the completion of work, including a `duration_s` field !782
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.0.5 !779
+- Update module github.com/otiai10/copy to v1.12.0 !780
+- Ensure test cache is not used for 'go test' !778
+- Update module google.golang.org/grpc to v1.56.0 !777
+- Update module github.com/prometheus/client_golang to v1.16.0 !776
+- Update module gitlab.com/gitlab-org/labkit to v1.19.0 !771
+- Update module golang.org/x/sync to v0.3.0 !775
+- Update module golang.org/x/crypto to v0.10.0 !774
+- Update Ruby dependencies !773
+- Update module gitlab.com/gitlab-org/gitaly/v16 to v16.0.4 !772
+- Update dependency golang to v1.20.5 !768
+- Use gitlab-shell maintainers group instead for CODEOWNERS !770
+- Update module github.com/golang-jwt/jwt/v4 to v5 !759
+- Update module github.com/hashicorp/go-retryablehttp to v0.7.4 !767
+
 v14.23.0
 
 - Update module github.com/golang-jwt/jwt/v4 to v5 !759

Gemfile

@@ -6,5 +6,5 @@ group :development, :test do
 end
 
 group :development, :danger do
-  gem 'gitlab-dangerfiles', '~> 3.10.0'
+  gem 'gitlab-dangerfiles', '~> 4.6.0'
 end

Gemfile.lock

 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
+    base64 (0.2.0)
     claide (1.1.0)
     claide-plugins (0.9.2)
       cork
@@ -11,58 +12,40 @@ GEM
     colored2 (3.1.2)
     cork (0.3.0)
       colored2 (~> 3.1)
-    danger (8.6.1)
+    danger (9.3.2)
       claide (~> 1.0)
       claide-plugins (>= 0.9.2)
       colored2 (~> 3.1)
       cork (~> 0.1)
-      faraday (>= 0.9.0, < 2.0)
+      faraday (>= 0.9.0, < 3.0)
       faraday-http-cache (~> 2.0)
-      git (~> 1.7)
+      git (~> 1.13)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.0)
       no_proxy_fix
-      octokit (~> 4.7)
+      octokit (~> 6.0)
       terminal-table (>= 1, < 4)
     danger-gitlab (8.0.0)
       danger
       gitlab (~> 4.2, >= 4.2.0)
     diff-lcs (1.5.0)
-    faraday (1.10.3)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.7.11)
+      base64
+      faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
     faraday-http-cache (2.5.0)
       faraday (>= 0.8)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.2)
     git (1.18.0)
       addressable (~> 2.8)
       rchardet (~> 1.8)
     gitlab (4.19.0)
       httparty (~> 0.20)
       terminal-table (>= 1.5.1)
-    gitlab-dangerfiles (3.10.0)
-      danger (>= 8.4.5)
+    gitlab-dangerfiles (4.6.0)
+      danger (>= 9.3.0)
       danger-gitlab (>= 8.0.0)
-      rake
+      rake (~> 13.0)
     httparty (0.21.0)
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
@@ -70,19 +53,18 @@ GEM
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    mini_mime (1.1.2)
+    mini_mime (1.1.5)
     multi_xml (0.6.0)
-    multipart-post (2.3.0)
     nap (1.1.0)
     no_proxy_fix (0.1.2)
-    octokit (4.25.1)
+    octokit (6.1.1)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     open4 (1.3.4)
-    public_suffix (4.0.7)
-    rake (13.0.6)
+    public_suffix (5.0.3)
+    rake (13.1.0)
     rchardet (1.8.0)
-    rexml (3.2.5)
+    rexml (3.2.6)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
@@ -102,16 +84,16 @@ GEM
       faraday (>= 0.17.3, < 3)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
     webrick (1.8.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  gitlab-dangerfiles (~> 3.10.0)
+  gitlab-dangerfiles (~> 4.6.0)
   rspec (~> 3.12.0)
   webrick (~> 1.8, >= 1.8.1)
 
 BUNDLED WITH
-   2.4.13
+   2.4.22

Makefile

-.PHONY: validate verify verify_ruby verify_golang test test_ruby test_golang coverage coverage_golang setup _script_install build compile check clean install
+.PHONY: validate verify verify_ruby verify_golang test test_ruby test_golang test_fancy test_golang_fancy coverage coverage_golang setup _script_install build compile check clean install lint
 
 FIPS_MODE ?= 0
-OS := $(shell uname)
-GO_SOURCES := $(shell find . -name '*.go')
+OS := $(shell uname | tr A-Z a-z)
+GO_SOURCES := $(shell git ls-files \*.go)
 VERSION_STRING := $(shell git describe --match v* 2>/dev/null || awk '$$0="v"$$0' VERSION 2>/dev/null || echo unknown)
 BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
-BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
+BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver gssapi
+
+ARCH ?= $(shell uname -m | sed -e 's/x86_64/amd64/' | sed -e 's/aarch64/arm64/')
+
+GOTESTSUM_VERSION := 1.10.0
+GOTESTSUM_VERSION_ARCH ?= ${ARCH}
+GOTESTSUM_FILE := support/bin/gotestsum-${GOTESTSUM_VERSION}
+
+GOLANGCI_LINT_VERSION := 1.54.2
+GOLANGCI_LINT_ARCH ?= ${ARCH}
+GOLANGCI_LINT_FILE := support/bin/golangci-lint-${GOLANGCI_LINT_VERSION}
+
+export GOFLAGS := -mod=readonly
 
 ifeq (${FIPS_MODE}, 1)
     # Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
@@ -21,7 +33,7 @@ ifeq (${FIPS_MODE}, 1)
     export CGO_ENABLED=1
 endif
 
-ifeq (${OS}, Darwin) # Mac OS
+ifeq (${OS}, darwin) # Mac OS
     BREW_PREFIX := $(shell brew --prefix 2>/dev/null || echo "/opt/homebrew")
 
     # To be able to compile gssapi library
@@ -46,6 +58,8 @@ fmt:
 
 test: test_ruby test_golang
 
+test_fancy: test_ruby test_golang_fancy
+
 # The Ruby tests are now all integration specs that test the Go implementation.
 test_ruby:
 	bundle exec rspec --color --format d spec
@@ -53,6 +67,13 @@ test_ruby:
 test_golang:
 	go test -cover -coverprofile=cover.out -count 1 ./...
 
+test_golang_fancy: ${GOTESTSUM_FILE}
+	@./${GOTESTSUM_FILE} --junitfile ./cover.xml --format pkgname -- -coverprofile=./cover.out -covermode=atomic -count 1 ./...
+
+${GOTESTSUM_FILE}:
+	mkdir -p $(shell dirname ${GOTESTSUM_FILE})
+	curl -L https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_${OS}_${GOTESTSUM_VERSION_ARCH}.tar.gz | tar -zOxf - gotestsum > ${GOTESTSUM_FILE} && chmod +x ${GOTESTSUM_FILE}
+
 test_golang_race:
 	go test -race -count 1 ./...
 
@@ -61,6 +82,13 @@ coverage: coverage_golang
 coverage_golang:
 	[ -f cover.out ] && go tool cover -func cover.out
 
+lint: ${GOLANGCI_LINT_FILE}
+	${GOLANGCI_LINT_FILE} run --issues-exit-code 0 --print-issued-lines=false ${GOLANGCI_LINT_ARGS}
+
+${GOLANGCI_LINT_FILE}:
+	mkdir -p $(shell dirname ${GOLANGCI_LINT_FILE})
+	curl -L https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${GOLANGCI_LINT_ARCH}.tar.gz | tar --strip-components 1 -zOxf - golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${GOLANGCI_LINT_ARCH}/golangci-lint > ${GOLANGCI_LINT_FILE} && chmod +x ${GOLANGCI_LINT_FILE}
+
 setup: _script_install bin/gitlab-shell
 
 _script_install:

VERSION

-14.23.0
+14.30.1

client/testserver/gitalyserver.go

@@ -32,9 +32,7 @@ func (s *TestGitalyServer) SSHReceivePack(stream pb.SSHService_SSHReceivePackSer
 	s.ReceivedMD, _ = metadata.FromIncomingContext(stream.Context())
 
 	response := []byte("ReceivePack: " + req.GlId + " " + req.Repository.GlRepository)
-	stream.Send(&pb.SSHReceivePackResponse{Stdout: response})
-
-	return nil
+	return stream.Send(&pb.SSHReceivePackResponse{Stdout: response})
 }
 
 func (s *TestGitalyServer) SSHUploadPack(stream pb.SSHService_SSHUploadPackServer) error {
@@ -46,9 +44,7 @@ func (s *TestGitalyServer) SSHUploadPack(stream pb.SSHService_SSHUploadPackServe
 	s.ReceivedMD, _ = metadata.FromIncomingContext(stream.Context())
 
 	response := []byte("UploadPack: " + req.Repository.GlRepository)
-	stream.Send(&pb.SSHUploadPackResponse{Stdout: response})
-
-	return nil
+	return stream.Send(&pb.SSHUploadPackResponse{Stdout: response})
 }
 
 func (s *TestGitalyServer) SSHUploadPackWithSidechannel(ctx context.Context, req *pb.SSHUploadPackWithSidechannelRequest) (*pb.SSHUploadPackWithSidechannelResponse, error) {
@@ -80,9 +76,7 @@ func (s *TestGitalyServer) SSHUploadArchive(stream pb.SSHService_SSHUploadArchiv
 	s.ReceivedMD, _ = metadata.FromIncomingContext(stream.Context())
 
 	response := []byte("UploadArchive: " + req.Repository.GlRepository)
-	stream.Send(&pb.SSHUploadArchiveResponse{Stdout: response})
-
-	return nil
+	return stream.Send(&pb.SSHUploadArchiveResponse{Stdout: response})
 }
 
 func StartGitalyServer(t *testing.T, network string) (string, *TestGitalyServer) {

cmd/check/main.go

@@ -12,9 +12,18 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/logger"
 )
 
+var (
+	// Version is the current version of gitlab-shell
+	Version = "(unknown version)" // Set at build time in the Makefile
+	// BuildTime signifies the time the binary was build
+	BuildTime = "19700101.000000" // Set at build time in the Makefile
+)
+
 func main() {
+	command.CheckForVersionFlag(os.Args, Version, BuildTime)
+
 	readWriter := &readwriter.ReadWriter{
-		Out:    os.Stdout,
+		Out:    &readwriter.CountingWriter{W: os.Stdout},
 		In:     os.Stdin,
 		ErrOut: os.Stderr,
 	}
@@ -43,7 +52,7 @@ func main() {
 	ctx, finished := command.Setup(executable.Name, config)
 	defer finished()
 
-	if err = cmd.Execute(ctx); err != nil {
+	if ctx, err = cmd.Execute(ctx); err != nil {
 		fmt.Fprintf(readWriter.ErrOut, "%v\n", err)
 		os.Exit(1)
 	}

cmd/gitlab-shell-authorized-keys-check/main.go

@@ -13,9 +13,18 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/logger"
 )
 
+var (
+	// Version is the current version of gitlab-shell
+	Version = "(unknown version)" // Set at build time in the Makefile
+	// BuildTime signifies the time the binary was build
+	BuildTime = "19700101.000000" // Set at build time in the Makefile
+)
+
 func main() {
+	command.CheckForVersionFlag(os.Args, Version, BuildTime)
+
 	readWriter := &readwriter.ReadWriter{
-		Out:    os.Stdout,
+		Out:    &readwriter.CountingWriter{W: os.Stdout},
 		In:     os.Stdin,
 		ErrOut: os.Stderr,
 	}
@@ -46,7 +55,7 @@ func main() {
 	ctx, finished := command.Setup(executable.Name, config)
 	defer finished()
 
-	if err = cmd.Execute(ctx); err != nil {
+	if ctx, err = cmd.Execute(ctx); err != nil {
 		console.DisplayWarningMessage(err.Error(), readWriter.ErrOut)
 		os.Exit(1)
 	}

cmd/gitlab-shell-authorized-principals-check/main.go

@@ -13,9 +13,18 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/logger"
 )
 
+var (
+	// Version is the current version of gitlab-shell
+	Version = "(unknown version)" // Set at build time in the Makefile
+	// BuildTime signifies the time the binary was build
+	BuildTime = "19700101.000000" // Set at build time in the Makefile
+)
+
 func main() {
+	command.CheckForVersionFlag(os.Args, Version, BuildTime)
+
 	readWriter := &readwriter.ReadWriter{
-		Out:    os.Stdout,
+		Out:    &readwriter.CountingWriter{W: os.Stdout},
 		In:     os.Stdin,
 		ErrOut: os.Stderr,
 	}
@@ -46,7 +55,7 @@ func main() {
 	ctx, finished := command.Setup(executable.Name, config)
 	defer finished()
 
-	if err = cmd.Execute(ctx); err != nil {
+	if ctx, err = cmd.Execute(ctx); err != nil {
 		console.DisplayWarningMessage(err.Error(), readWriter.ErrOut)
 		os.Exit(1)
 	}

cmd/gitlab-shell/command/command.go

@@ -58,6 +58,36 @@ func NewWithKrb5Principal(gitlabKrb5Principal string, env sshenv.Env, config *co
 	return nil, disallowedcommand.Error
 }
 
+func NewWithUsername(gitlabUsername string, env sshenv.Env, config *config.Config, readWriter *readwriter.ReadWriter) (command.Command, error) {
+	args, err := Parse(nil, env)
+	if err != nil {
+		return nil, err
+	}
+
+	// When 1.21+ only Golang is supported, it can be refactored by using slices.Contains
+	if env.NamespacePath != "" {
+		exists := false
+		for _, gitCmd := range commandargs.GitCommands {
+			if args.CommandType == gitCmd {
+				exists = true
+
+				break
+			}
+		}
+
+		if !exists {
+			return nil, disallowedcommand.Error
+		}
+	}
+
+	args.GitlabUsername = gitlabUsername
+	if cmd := Build(args, config, readWriter); cmd != nil {
+		return cmd, nil
+	}
+
+	return nil, disallowedcommand.Error
+}
+
 func Parse(arguments []string, env sshenv.Env) (*commandargs.Shell, error) {
 	args := &commandargs.Shell{Arguments: arguments, Env: env}
 

cmd/gitlab-shell/command/command_test.go

@@ -300,3 +300,82 @@ func TestParseFailure(t *testing.T) {
 		})
 	}
 }
+
+func TestNewWithUsername(t *testing.T) {
+	tests := []struct {
+		desc         string
+		command      string
+		namespace    string
+		expectedErr  error
+		expectedType interface{}
+	}{
+		{
+			desc:        "valid command",
+			command:     "git-receive-pack 'group/repo'",
+			expectedErr: nil,
+			expectedType: &receivepack.Command{
+				Args: &commandargs.Shell{
+					CommandType:    commandargs.ReceivePack,
+					GitlabUsername: "username",
+					SshArgs:        []string{"git-receive-pack", "group/repo"},
+					Env: sshenv.Env{
+						IsSSHConnection: true,
+						OriginalCommand: "git-receive-pack 'group/repo'",
+					},
+				},
+			},
+		}, {
+			desc:        "valid non-git command",
+			command:     "2fa_recovery_codes",
+			expectedErr: nil,
+			expectedType: &twofactorrecover.Command{
+				Args: &commandargs.Shell{
+					CommandType:    commandargs.TwoFactorRecover,
+					GitlabUsername: "username",
+					SshArgs:        []string{"2fa_recovery_codes"},
+					Env: sshenv.Env{
+						IsSSHConnection: true,
+						OriginalCommand: "2fa_recovery_codes",
+					},
+				},
+			},
+		}, {
+			desc:         "invalid command",
+			command:      "invalid",
+			expectedErr:  disallowedcommand.Error,
+			expectedType: nil,
+		}, {
+			desc:        "git command with namespace",
+			command:     "git-receive-pack 'group/repo'",
+			namespace:   "group",
+			expectedErr: nil,
+			expectedType: &receivepack.Command{
+				Args: &commandargs.Shell{
+					CommandType:    commandargs.ReceivePack,
+					GitlabUsername: "username",
+					SshArgs:        []string{"git-receive-pack", "group/repo"},
+					Env: sshenv.Env{
+						IsSSHConnection: true,
+						OriginalCommand: "git-receive-pack 'group/repo'",
+						NamespacePath:   "group",
+					},
+				},
+			},
+		}, {
+			desc:         "non-git command with namespace",
+			command:      "2fa_recovery_codes",
+			namespace:    "group",
+			expectedErr:  disallowedcommand.Error,
+			expectedType: nil,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.desc, func(t *testing.T) {
+			env := sshenv.Env{IsSSHConnection: true, OriginalCommand: tc.command, NamespacePath: tc.namespace}
+			c, err := cmd.NewWithUsername("username", env, nil, nil)
+			require.IsType(t, tc.expectedErr, err)
+			require.Equal(t, tc.expectedType, c)
+		})
+	}
+}

cmd/gitlab-shell/main.go

@@ -29,15 +29,10 @@ var (
 )
 
 func main() {
-	// We can't use the flag library because gitlab-shell receives other arguments
-	// that confuse the parser.
-	if len(os.Args) == 2 && os.Args[1] == "-version" {
-		fmt.Printf("gitlab-shell %s-%s\n", Version, BuildTime)
-		os.Exit(0)
-	}
+	command.CheckForVersionFlag(os.Args, Version, BuildTime)
 
 	readWriter := &readwriter.ReadWriter{
-		Out:    os.Stdout,
+		Out:    &readwriter.CountingWriter{W: os.Stdout},
 		In:     os.Stdin,
 		ErrOut: os.Stderr,
 	}
@@ -76,7 +71,7 @@ func main() {
 	ctxlog.WithFields(log.Fields{"env": env, "command": cmdName}).Info("gitlab-shell: main: executing command")
 	fips.Check()
 
-	if err := cmd.Execute(ctx); err != nil {
+	if _, err := cmd.Execute(ctx); err != nil {
 		ctxlog.WithError(err).Warn("gitlab-shell: main: command execution failed")
 		if grpcstatus.Convert(err).Code() != grpccodes.Internal {
 			console.DisplayWarningMessage(err.Error(), readWriter.ErrOut)

cmd/gitlab-sshd/acceptance_test.go

@@ -382,20 +382,11 @@ func TestTwoFactorAuthRecoveryCodesSuccess(t *testing.T) {
 		},
 	}
 	client := runSSHD(t, successAPI(t, handler))
-
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
-
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
-
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
+	session, stdin, stdout := newSession(t, client)
 
 	reader := bufio.NewReader(stdout)
 
-	err = session.Start("2fa_recovery_codes")
+	err := session.Start("2fa_recovery_codes")
 	require.NoError(t, err)
 
 	line, err := reader.ReadString('\n')
@@ -431,20 +422,11 @@ func TwoFactorAuthVerifySuccess(t *testing.T) {
 		},
 	}
 	client := runSSHD(t, successAPI(t, handler))
-
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
-
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
-
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
+	session, stdin, stdout := newSession(t, client)
 
 	reader := bufio.NewReader(stdout)
 
-	err = session.Start("2fa_verify")
+	err := session.Start("2fa_verify")
 	require.NoError(t, err)
 
 	line, err := reader.ReadString('\n')
@@ -483,17 +465,9 @@ func TestGitReceivePackSuccess(t *testing.T) {
 	ensureGitalyRepository(t)
 
 	client := runSSHD(t, successAPI(t))
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
+	session, stdin, stdout := newSession(t, client)
 
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
-
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
-
-	err = session.Start(fmt.Sprintf("git-receive-pack %s", testRepo))
+	err := session.Start(fmt.Sprintf("git-receive-pack %s", testRepo))
 	require.NoError(t, err)
 
 	// Gracefully close connection
@@ -528,17 +502,9 @@ func TestGeoGitReceivePackSuccess(t *testing.T) {
 		},
 	}
 	client := runSSHD(t, successAPI(t, handler))
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
-
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
-
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
+	session, stdin, stdout := newSession(t, client)
 
-	err = session.Start(fmt.Sprintf("git-receive-pack %s", testRepo))
+	err := session.Start(fmt.Sprintf("git-receive-pack %s", testRepo))
 	require.NoError(t, err)
 
 	// Gracefully close connection
@@ -562,59 +528,47 @@ func TestGitUploadPackSuccess(t *testing.T) {
 	ensureGitalyRepository(t)
 
 	client := runSSHD(t, successAPI(t))
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
+	defer client.Close()
 
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
+	numberOfSessions := 3
+	for sessionNumber := 0; sessionNumber < numberOfSessions; sessionNumber++ {
+		t.Run(fmt.Sprintf("session #%v", sessionNumber), func(t *testing.T) {
+			session, stdin, stdout := newSession(t, client)
+			reader := bufio.NewReader(stdout)
 
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
-
-	reader := bufio.NewReader(stdout)
+			err := session.Start(fmt.Sprintf("git-upload-pack %s", testRepo))
+			require.NoError(t, err)
 
-	err = session.Start(fmt.Sprintf("git-upload-pack %s", testRepo))
-	require.NoError(t, err)
+			line, err := reader.ReadString('\n')
+			require.NoError(t, err)
+			require.Regexp(t, "^[0-9a-f]{44} HEAD.+", line)
 
-	line, err := reader.ReadString('\n')
-	require.NoError(t, err)
-	require.Regexp(t, "^[0-9a-f]{44} HEAD.+", line)
+			// Gracefully close connection
+			_, err = fmt.Fprintln(stdin, "0000")
+			require.NoError(t, err)
 
-	// Gracefully close connection
-	_, err = fmt.Fprintln(stdin, "0000")
-	require.NoError(t, err)
+			output, err := io.ReadAll(stdout)
+			require.NoError(t, err)
 
-	output, err := io.ReadAll(stdout)
-	require.NoError(t, err)
+			outputLines := strings.Split(string(output), "\n")
 
-	outputLines := strings.Split(string(output), "\n")
+			for i := 1; i < (len(outputLines) - 1); i++ {
+				require.Regexp(t, "^[0-9a-f]{44} refs/(heads|tags)/[^ ]+", outputLines[i])
+			}
 
-	for i := 1; i < (len(outputLines) - 1); i++ {
-		require.Regexp(t, "^[0-9a-f]{44} refs/(heads|tags)/[^ ]+", outputLines[i])
+			require.Equal(t, "0000", outputLines[len(outputLines)-1])
+		})
 	}
-
-	require.Equal(t, "0000", outputLines[len(outputLines)-1])
 }
 
 func TestGitUploadArchiveSuccess(t *testing.T) {
 	ensureGitalyRepository(t)
 
 	client := runSSHD(t, successAPI(t))
-
-	session, err := client.NewSession()
-	require.NoError(t, err)
-	defer session.Close()
-
-	stdin, err := session.StdinPipe()
-	require.NoError(t, err)
-
-	stdout, err := session.StdoutPipe()
-	require.NoError(t, err)
-
+	session, stdin, stdout := newSession(t, client)
 	reader := bufio.NewReader(stdout)
 
-	err = session.Start(fmt.Sprintf("git-upload-archive %s", testRepo))
+	err := session.Start(fmt.Sprintf("git-upload-archive %s", testRepo))
 	require.NoError(t, err)
 
 	_, err = fmt.Fprintln(stdin, "0012argument HEAD\n0000")
@@ -634,3 +588,20 @@ func TestGitUploadArchiveSuccess(t *testing.T) {
 	t.Logf("output: %q", output)
 	require.Equal(t, []byte("0000"), output[len(output)-4:])
 }
+
+func newSession(t *testing.T, client *ssh.Client) (*ssh.Session, io.WriteCloser, io.Reader) {
+	session, err := client.NewSession()
+	require.NoError(t, err)
+
+	stdin, err := session.StdinPipe()
+	require.NoError(t, err)
+
+	stdout, err := session.StdoutPipe()
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		session.Close()
+	})
+
+	return session, stdin, stdout
+}

cmd/gitlab-sshd/main.go

@@ -20,10 +20,10 @@ import (
 var (
 	configDir = flag.String("config-dir", "", "The directory the config is in")
 
-	// BuildTime signifies the time the binary was build.
-	BuildTime = "2021-02-16T09:28:07+01:00" // Set at build time in the Makefile
-	// Version is the current version of GitLab Shell sshd.
+	// Version is the current version of gitlab-shell
 	Version = "(unknown version)" // Set at build time in the Makefile
+	// BuildTime signifies the time the binary was build
+	BuildTime = "19700101.000000" // Set at build time in the Makefile
 )
 
 func overrideConfigFromEnvironment(cfg *config.Config) {
@@ -39,11 +39,13 @@ func overrideConfigFromEnvironment(cfg *config.Config) {
 	if gitlabLogFormat := os.Getenv("GITLAB_LOG_FORMAT"); gitlabLogFormat != "" {
 		cfg.LogFormat = gitlabLogFormat
 	}
-	return
 }
 
 func main() {
+	command.CheckForVersionFlag(os.Args, Version, BuildTime)
+
 	flag.Parse()
+
 	cfg := new(config.Config)
 	if *configDir != "" {
 		var err error
@@ -52,6 +54,7 @@ func main() {
 			log.WithError(err).Fatal("failed to load configuration from specified directory")
 		}
 	}
+
 	overrideConfigFromEnvironment(cfg)
 	if err := cfg.IsSane(); err != nil {
 		if *configDir == "" {

docker-compose.yml

@@ -4,5 +4,7 @@ services:
     environment:
       - GITALY_TESTING_NO_GIT_HOOKS=1
     image: registry.gitlab.com/gitlab-org/build/cng/gitaly:master
+    command:
+      ["bash", "-c", "mkdir -p /home/git/repositories && rm -rf /srv/gitlab-shell/hooks/* && touch /srv/gitlab-shell/.gitlab_shell_secret && cp /etc/gitaly/config.toml.erb /etc/gitaly/config.toml 2>/dev/null && exec /usr/bin/env GITALY_TESTING_NO_GIT_HOOKS=1 /scripts/process-wrapper"]
     ports:
       - '8075:8075'

go.mod

 module gitlab.com/gitlab-org/gitlab-shell/v14
 
-go 1.18
+go 1.19
 
 require (
-	github.com/golang-jwt/jwt/v5 v5.0.0
-	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
+	github.com/golang-jwt/jwt/v5 v5.1.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
-	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/hashicorp/go-retryablehttp v0.7.5
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
 	github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b
-	github.com/otiai10/copy v1.12.0
+	github.com/otiai10/copy v1.14.0
 	github.com/pires/go-proxyproto v0.7.0
-	github.com/prometheus/client_golang v1.16.0
+	github.com/prometheus/client_golang v1.17.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
-	gitlab.com/gitlab-org/gitaly/v16 v16.1.0
-	gitlab.com/gitlab-org/labkit v1.19.0
-	golang.org/x/crypto v0.10.0
-	golang.org/x/sync v0.3.0
-	google.golang.org/grpc v1.56.1
-	google.golang.org/protobuf v1.30.0
+	gitlab.com/gitlab-org/gitaly/v16 v16.5.1
+	gitlab.com/gitlab-org/labkit v1.20.0
+	golang.org/x/crypto v0.15.0
+	golang.org/x/sync v0.5.0
+	google.golang.org/grpc v1.59.0
+	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require github.com/Microsoft/go-winio v0.6.0 // indirect
-
 require (
-	cloud.google.com/go v0.110.0 // indirect
-	cloud.google.com/go/compute v1.19.1 // indirect
+	cloud.google.com/go v0.110.7 // indirect
+	cloud.google.com/go/compute v1.23.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/monitoring v1.13.0 // indirect
+	cloud.google.com/go/monitoring v1.15.1 // indirect
 	cloud.google.com/go/profiler v0.1.0 // indirect
-	cloud.google.com/go/trace v1.9.0 // indirect
+	cloud.google.com/go/trace v1.10.1 // indirect
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14 // indirect
 	github.com/DataDog/datadog-go v4.4.0+incompatible // indirect
-	github.com/DataDog/sketches-go v1.0.0 // indirect; indirect github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/aws/aws-sdk-go v1.44.200 // indirect
-	github.com/beevik/ntp v1.0.0 // indirect
+	github.com/DataDog/sketches-go v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/aws/aws-sdk-go v1.44.314 // indirect
+	github.com/beevik/ntp v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/client9/reopen v1.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
+	github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 // indirect
+	github.com/google/s2a-go v0.1.4 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
+	github.com/hashicorp/yamux v0.1.2-0.20220728231024-8f49b6f63f18 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20210210170715-a8dfcb80d3a7 // indirect
 	github.com/lightstep/lightstep-tracer-go v0.25.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/oklog/ulid/v2 v2.0.2 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
@@ -67,13 +65,12 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
-	github.com/prometheus/prometheus v0.42.0 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/prometheus/prometheus v0.46.0 // indirect
 	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a // indirect
 	github.com/shirou/gopsutil/v3 v3.22.8 // indirect
 	github.com/tinylib/msgp v1.1.2 // indirect
@@ -83,21 +80,21 @@ require (
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
+	golang.org/x/net v0.16.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/api v0.114.0 // indirect
+	google.golang.org/api v0.134.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb // indirect
 	gopkg.in/DataDog/dd-trace-go.v1 v1.32.0 // indirect
 )
 
-replace golang.org/x/crypto => gitlab.com/gitlab-org/golang-crypto v0.0.0-20230504124748-218ebedc75c6
-
 exclude github.com/prometheus/client_golang v1.12.1