Auth via SSH certificates
## Summary
On GitLab.com customers obtain their own top-level group (later organization). In comparison to self-managed, they have to manage organization-wide settings at this level.
Currently, the provided Git access control options on SaaS (SSH, HTTPS) rely on credentials (access tokens, SSH keys) setup in the user profile. As the user profile is out of control of the organization, there is no way for a customer to assess whether the key is kept confidential or whether the expiry date is meeting policies. Also, there’s very little that can be done for damage control in case the keys are leaked as well as a customer cannot enforce MFA on Git access flows.
Customers may have processes in place, where developers on a daily basis can, via MFA, request a temporary SSH certificate which gives them access to internal systems. To enable the same way of working on SaaS, we would need a way to share public Certificate Authority (CA) files with GitLab.com SaaS for the purpose of Git access control.
## Motivation
- Enable users to share public Certificate Authority (CA) files with GitLab.com SaaS for the purpose of Git access control.
- Fill the product gap between GitLab and competitive products that already support authentication via SSH certificates.
## Architecture
It's a joint effort of ~"group::source code" and ~"group::authentication and authorization" because ~"group::source code" is responsible for [Gitlab Shell](https://gitlab.com/gitlab-org/gitlab-shell) project and ~"group::authentication and authorization" owns Authentication topic
Blueprint: https://docs.gitlab.com/ee/architecture/blueprints/ssh_certificates/
```mermaid
sequenceDiagram
User->>+GitLab Shell: Auth using SSH Certificate
GitLab Shell->>+GitLab Rails: /authorized_certs?key=fingerprint-of-signing-key&user_identity=username-or-primary-email
GitLab Rails-->>-GitLab Shell: responds with the namespace that configures the CA and the username of the user
GitLab Shell-->>User: Authenticated successfully
User->>+GitLab Shell: Git command to a specific project
GitLab Shell->>+GitLab Rails: /allowed [namespace=namespace]
GitLab Rails-->>-GitLab Shell: responds that the user is allowed to access a project in this namespace
GitLab Shell-->>User: success
```
epic