Draft: Support uploading CA files to a group
What does this MR do and why?
Related issue: Add support for git access control via SSH cert... (#408474 - closed)
Gitlab Shell: Support authentication using SSH Certificates (gitlab-shell!812 - merged)
Screenshot
This MR introduces this UI for the convenience of adding a CA file and verifying the PoC of Add support for git access control via SSH cert... (#408474 - closed). UX Design hasn't been discussed yet.
Group Settings > General > Certificate Authority
Functional flow:

- An admin adds `CA.pub` to a namespace.
- A user tries authenticating using a certificate signed by the `CA`.
- Gitlab Shell sends the fingerprint of the CA to `/authorized_certs`, which returns the namespace; Gitlab Shell remembers it for the duration of the SSH connection. The `CA` is unique for an instance (unique index on the fingerprint), so it isn't necessary to embed a namespace into the certificate: a certificate and a namespace have a `1 -> 1` relationship.
- The namespace is sent every time `/allowed` is called, i.e. we send the project full path together with the namespace in which the user is authenticated. If the project doesn't have the namespace in the list of its ancestors, the action is not allowed.
```mermaid
sequenceDiagram
    User->>+Gitlab Shell: Auth using SSH Certificate
    Gitlab Shell->>+Gitlab Rails: /authorized_certs?key=signing-key-of-certificate&user_identity=username-or-primary-email
    Gitlab Rails-->>-Gitlab Shell: responds with the namespace that configures the CA and username of the user
    Gitlab Shell-->>User: Authenticated successfully
    User->>+Gitlab Shell: Git command to a specific project
    Gitlab Shell->>+Gitlab Rails: /allowed [allowed_namespace=namespace]
    Gitlab Rails-->>-Gitlab Shell: responds that the project belongs to this namespace or its ancestor
    Gitlab Shell-->>User: success
```
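The two Rails-side decisions in the flow above (mapping the certificate's signing-key fingerprint to a namespace behind `/authorized_certs`, and checking that the namespace is an ancestor of the project behind `/allowed`), as an added Ruby example that is not code from this MR or from GitLab. The CA key bytes are constructed sample data, the `CaRegistry` class and helper names are hypothetical, and the in-memory hash stands in for the table with the unique index on the fingerprint. The ancestor check compares path segments rather than string prefixes, so a namespace named `acme` does not match a project under `acme-evil`.

```ruby
require "base64"
require "digest"

# Build an OpenSSH-style public key line for a constructed Ed25519 CA.
# The 32 key bytes are constructed sample data, not a real key.
def constructed_ca_pub
  key_bytes = (1..32).to_a.pack("C*")
  blob = [11].pack("N") + "ssh-ed25519" + [32].pack("N") + key_bytes
  "ssh-ed25519 #{Base64.strict_encode64(blob)} group-ca@example"
end

# OpenSSH-style fingerprint of a public key line:
# SHA256 over the decoded key blob, base64-encoded without padding.
def ca_fingerprint(pub_line)
  type, b64, _comment = pub_line.split(" ", 3)
  blob = Base64.strict_decode64(b64)
  # The blob starts with a length-prefixed type string; it must match the declared type.
  len = blob[0, 4].unpack1("N")
  raise ArgumentError, "key type mismatch" unless blob[4, len] == type
  "SHA256:" + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete("=")
end

# In-memory stand-in (hypothetical) for the namespace CA table.
# The hash keyed by fingerprint models the unique index: one CA, one namespace.
class CaRegistry
  def initialize
    @by_fingerprint = {}
  end

  # Upload a CA.pub to a namespace; a second namespace cannot claim the same CA.
  def add(namespace_full_path, pub_line)
    fp = ca_fingerprint(pub_line)
    if @by_fingerprint.key?(fp)
      raise ArgumentError, "CA already registered for #{@by_fingerprint[fp]}"
    end
    @by_fingerprint[fp] = namespace_full_path
    fp
  end

  # /authorized_certs: resolve the certificate's signing-key fingerprint to the
  # namespace that configured it (nil when no namespace trusts this CA).
  def namespace_for(fingerprint)
    @by_fingerprint[fingerprint]
  end
end

# /allowed: the project must have the authenticated namespace among its ancestors.
# Ancestors are every proper segment-wise prefix of the project full path.
def allowed?(project_full_path, allowed_namespace)
  return false if allowed_namespace.nil? || allowed_namespace.empty?
  parts = project_full_path.split("/")
  ancestors = (1...parts.length).map { |n| parts.first(n).join("/") }
  ancestors.include?(allowed_namespace)
end

if __FILE__ == $PROGRAM_NAME
  registry = CaRegistry.new
  fp = registry.add("acme", constructed_ca_pub)
  ns = registry.namespace_for(fp)
  puts "fingerprint #{fp} -> namespace #{ns.inspect}"
  puts "acme/infra/repo allowed: #{allowed?('acme/infra/repo', ns)}"
  puts "acme-evil/repo allowed: #{allowed?('acme-evil/repo', ns)}"
end
```

The namespace returned from the fingerprint lookup is exactly what Gitlab Shell would hold for the connection and pass back as `allowed_namespace` on each `/allowed` call; a project outside that subtree, or a request with no namespace at all, is refused.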
Edited by Igor Drozdov