
Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Commits on Source (1)
module gitlab.com/gitlab-org/gitlab-shell/v14 module gitlab.com/gitlab-org/gitlab-shell/v14
go 1.20 go 1.21.3
toolchain go1.21.6
require ( require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
github.com/golang-jwt/jwt/v5 v5.2.0 github.com/golang-jwt/jwt/v5 v5.2.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/hashicorp/go-retryablehttp v0.7.5 github.com/hashicorp/go-retryablehttp v0.7.5
@@ -40,7 +43,6 @@ require (
@@ -40,7 +43,6 @@ require (
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/client9/reopen v1.0.0 // indirect github.com/client9/reopen v1.0.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/go-ole/go-ole v1.2.6 // indirect github.com/go-ole/go-ole v1.2.6 // indirect
github.com/gogo/protobuf v1.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -99,3 +101,5 @@ require (
@@ -99,3 +101,5 @@ require (
) )
exclude github.com/prometheus/client_golang v1.12.1 exclude github.com/prometheus/client_golang v1.12.1
replace github.com/openshift/gssapi => /Users/ash/src/gitlab/go-gssapi
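Review bot: The `replace github.com/openshift/gssapi => /Users/ash/src/gitlab/go-gssapi` line at the end of go.mod points the module at an absolute path on one developer's machine, so the build fails everywhere else. Where that path does exist, the code compiled into the SSH authentication path is whatever sits in that directory, not the version pinned in the require block, and local directory replacements are not verified against go.sum. It reads like a local debugging aid and should be dropped before merge; if a fork is really needed, point the replace at a published module path and version. The promotion of `github.com/davecgh/go-spew` to a direct requirement appears to exist only for the `spew.Dump` debugging calls in the GSSAPI file and should go with them.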
@@ -132,7 +132,7 @@ func (c *connection) handleRequests(ctx context.Context, sconn *ssh.ServerConn,
@@ -132,7 +132,7 @@ func (c *connection) handleRequests(ctx context.Context, sconn *ssh.ServerConn,
// Prevent a panic in a single session from taking out the whole server // Prevent a panic in a single session from taking out the whole server
defer func() { defer func() {
if err := recover(); err != nil { if err := recover(); err != nil {
ctxlog.WithField("recovered_error", err).Error("panic handling session") ctxlog.WithField("recovered_error2", err).Error("panic handling session")
} }
}() }()
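Review bot: The log field in the deferred recover of handleRequests is renamed from `recovered_error` to `recovered_error2`, which looks like a temporary marker for telling the recover sites apart. Any log query or alert that matches on `recovered_error` would stop seeing session panics, so keep the original key: `ctxlog.WithField("recovered_error", err).Error("panic handling session")`. If the call site has to be distinguishable, a separate field or a different message is a better place for that than the key name. The function body starts and ends outside this hunk.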
@@ -6,6 +6,7 @@ import (
@@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"sync" "sync"
"github.com/davecgh/go-spew/spew"
"github.com/openshift/gssapi" "github.com/openshift/gssapi"
"gitlab.com/gitlab-org/gitlab-shell/v14/internal/config" "gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
@@ -49,35 +50,29 @@ type OSGSSAPIServer struct {
@@ -49,35 +50,29 @@ type OSGSSAPIServer struct {
func (_ *OSGSSAPIServer) str2name(str string) (*gssapi.Name, error) { func (_ *OSGSSAPIServer) str2name(str string) (*gssapi.Name, error) {
strBuffer, err := lib.MakeBufferString(str) strBuffer, err := lib.MakeBufferString(str)
if err != nil { if err != nil {
return nil, err return nil, fmt.Errorf("3: %v", err)
} }
defer strBuffer.Release() defer strBuffer.Release()
return strBuffer.Name(lib.GSS_C_NO_OID) return strBuffer.Name(lib.GSS_C_NO_OID)
} }
func (server *OSGSSAPIServer) AcceptSecContext( func (server *OSGSSAPIServer) AcceptSecContext(token []byte) (outputToken []byte, srcName string, needContinue bool, err error) {
token []byte,
) (
outputToken []byte,
srcName string,
needContinue bool,
err error,
) {
server.mutex.Lock()
defer server.mutex.Unlock()
tokenBuffer, err := lib.MakeBufferBytes(token) tokenBuffer, err := lib.MakeBufferBytes(token)
if err != nil { if err != nil {
spew.Dump("3")
return return
} }
defer tokenBuffer.Release() defer tokenBuffer.Release()
var spn *gssapi.CredId = lib.GSS_C_NO_CREDENTIAL var spn *gssapi.CredId = lib.GSS_C_NO_CREDENTIAL
if server.ServicePrincipalName != "" { if server.ServicePrincipalName != "" {
var name *gssapi.Name var name *gssapi.Name
name, err = server.str2name(server.ServicePrincipalName) name, err = server.str2name(server.ServicePrincipalName)
if err != nil { if err != nil {
spew.Dump("4")
return return
} }
defer name.Release() defer name.Release()
@@ -85,8 +80,10 @@ func (server *OSGSSAPIServer) AcceptSecContext(
@@ -85,8 +80,10 @@ func (server *OSGSSAPIServer) AcceptSecContext(
var actualMech *gssapi.OIDSet var actualMech *gssapi.OIDSet
spn, actualMech, _, err = lib.AcquireCred(name, 0, lib.GSS_C_NO_OID_SET, gssapi.GSS_C_ACCEPT) spn, actualMech, _, err = lib.AcquireCred(name, 0, lib.GSS_C_NO_OID_SET, gssapi.GSS_C_ACCEPT)
if err != nil { if err != nil {
spew.Dump("5")
return return
} }
defer spn.Release() defer spn.Release()
defer actualMech.Release() defer actualMech.Release()
} }
@@ -97,12 +94,16 @@ func (server *OSGSSAPIServer) AcceptSecContext(
@@ -97,12 +94,16 @@ func (server *OSGSSAPIServer) AcceptSecContext(
tokenBuffer, tokenBuffer,
nil, nil,
) )
if err == gssapi.ErrContinueNeeded { if err == gssapi.ErrContinueNeeded {
needContinue = true needContinue = true
err = nil err = nil
} else if err != nil { } else if err != nil {
spew.Dump("6")
spew.Dump(err)
return return
} }
defer outputTokenBuffer.Release() defer outputTokenBuffer.Release()
defer srcNameName.Release() defer srcNameName.Release()
@@ -112,44 +113,37 @@ func (server *OSGSSAPIServer) AcceptSecContext(
@@ -112,44 +113,37 @@ func (server *OSGSSAPIServer) AcceptSecContext(
return outputToken, srcNameName.String(), needContinue, err return outputToken, srcNameName.String(), needContinue, err
} }
func (server *OSGSSAPIServer) VerifyMIC( func (server *OSGSSAPIServer) VerifyMIC(micField []byte, micToken []byte) error {
micField []byte,
micToken []byte,
) error {
server.mutex.Lock()
defer server.mutex.Unlock()
if server.contextId == nil { if server.contextId == nil {
return fmt.Errorf("gssapi: uninitialized contextId") return fmt.Errorf("gssapi: uninitialized contextId")
} }
micFieldBuffer, err := lib.MakeBufferBytes(micField) micFieldBuffer, err := lib.MakeBufferBytes(micField)
if err != nil { if err != nil {
return err return fmt.Errorf("2: %v", err)
} }
defer micFieldBuffer.Release() defer micFieldBuffer.Release()
micTokenBuffer, err := lib.MakeBufferBytes(micToken) micTokenBuffer, err := lib.MakeBufferBytes(micToken)
if err != nil { if err != nil {
return err return fmt.Errorf("1: %v", err)
} }
defer micTokenBuffer.Release() defer micTokenBuffer.Release()
_, err = server.contextId.VerifyMIC(micFieldBuffer, micTokenBuffer) _, err = server.contextId.VerifyMIC(micFieldBuffer, micTokenBuffer)
return err
return err
} }
func (server *OSGSSAPIServer) DeleteSecContext() error { func (server *OSGSSAPIServer) DeleteSecContext() error {
server.mutex.Lock()
defer server.mutex.Unlock()
if server.contextId == nil { if server.contextId == nil {
return nil return fmt.Errorf("gssapi: uninitialized contextId")
} }
err := server.contextId.DeleteSecContext() err := server.contextId.DeleteSecContext()
if err == nil { if err == nil {
server.contextId = nil server.contextId = nil
} }
return err return err
} }
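Review bot: AcceptSecContext, VerifyMIC and DeleteSecContext appear to lose their `server.mutex.Lock()` / `defer server.mutex.Unlock()` pair (those lines show on one side only and the hunk line counts shrink), yet VerifyMIC and DeleteSecContext still read or write `server.contextId`. If an OSGSSAPIServer can be reached from more than one goroutine, that is a data race on the security context in the authentication path, so the lock should stay unless the commit explains why it is unnecessary. The added `spew.Dump("3")` through `spew.Dump(err)` calls write to standard output on every failed handshake and bypass the structured logger; return or log the error instead. The numeric prefixes in `fmt.Errorf("3: %v", err)` mean nothing to an operator and `%v` drops the error chain, whereas something like `fmt.Errorf("gssapi: make name buffer: %w", err)` keeps both. DeleteSecContext now returns an error when contextId is nil, which callers that treat it as idempotent cleanup may not expect.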
@@ -210,6 +210,7 @@ func (s *serverConfig) handleUserCertificate(ctx context.Context, user string, c
@@ -210,6 +210,7 @@ func (s *serverConfig) handleUserCertificate(ctx context.Context, user string, c
func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig { func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
var gssapiWithMICConfig *ssh.GSSAPIWithMICConfig var gssapiWithMICConfig *ssh.GSSAPIWithMICConfig
if s.cfg.Server.GSSAPI.Enabled { if s.cfg.Server.GSSAPI.Enabled {
gssapiWithMICConfig = &ssh.GSSAPIWithMICConfig{ gssapiWithMICConfig = &ssh.GSSAPIWithMICConfig{
AllowLogin: func(conn ssh.ConnMetadata, srcName string) (*ssh.Permissions, error) { AllowLogin: func(conn ssh.ConnMetadata, srcName string) (*ssh.Permissions, error) {
@@ -244,6 +245,7 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
@@ -244,6 +245,7 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
return s.handleUserKey(ctx, conn.User(), key) return s.handleUserKey(ctx, conn.User(), key)
}, },
GSSAPIWithMICConfig: gssapiWithMICConfig, GSSAPIWithMICConfig: gssapiWithMICConfig,
ServerVersion: "SSH-2.0-GitLab-SSHD", ServerVersion: "SSH-2.0-GitLab-SSHD",
} }
@@ -183,13 +183,13 @@ func (s *Server) handleConn(ctx context.Context, nconn net.Conn) {
@@ -183,13 +183,13 @@ func (s *Server) handleConn(ctx context.Context, nconn net.Conn) {
ctxlog := log.WithContextFields(ctx, log.Fields{"remote_addr": remoteAddr}) ctxlog := log.WithContextFields(ctx, log.Fields{"remote_addr": remoteAddr})
// Prevent a panic in a single connection from taking out the whole server // Prevent a panic in a single connection from taking out the whole server
defer func() { // defer func() {
if err := recover(); err != nil { // if err := recover(); err != nil {
ctxlog.WithField("recovered_error", err).Error("panic handling session") // ctxlog.WithField("recovered_error1", err).Error("panic handling session")
metrics.SliSshdSessionsErrorsTotal.Inc() // metrics.SliSshdSessionsErrorsTotal.Inc()
} // }
}() // }()
started := time.Now() started := time.Now()
conn := newConnection(s.Config, nconn) conn := newConnection(s.Config, nconn)
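Review bot: The deferred recover in handleConn is commented out, so a panic while handling one connection is no longer contained and would terminate the whole sshd process along with every other session; the comment above the block still promises the opposite. handleConn receives the raw `net.Conn`, presumably before authentication completes, so any reachable panic in this path becomes a service-wide outage, and `metrics.SliSshdSessionsErrorsTotal.Inc()` no longer records it. Restore the block as it was, with the original `recovered_error` field name rather than `recovered_error1`. handleConn continues outside this hunk.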