Pre-implementation request for opinions sought #40

@jspc

Sorry for the absolute butchery of the English language in the issue title; I'm not really sure what I'm hoping for here.

I have a series of changes I'd like to make, but they're large-ish changes, and this isn't my project. Because of this, I'd like to solicit feedback before I do them; I'm more than happy to be told these changes aren't suitable, of course, too.

Shell-request banners

A handy feature on services such as GitHub is the ability to do `ssh [email protected]` to validate that your key works, and to make sure you're using the correct key for the correct user (I don't know about anyone else, but this is very useful for me when I'm on a machine with both my work stuff and personal stuff, and ssh keys are the only thing keeping things separate).

Now, I've already implemented this on my fork, but the potentially contentious bits come from:

  1. I kept getting lost in the large functions in `ssh.go`, and so I split them up; and
  2. I replaced all the passing around of `keyID` with a context, which now holds the full `PublicKey{}`

The context will come in handy with the next bits I want to add in.

Authn/Authz hooks

I'd quite like to validate certain things on connect, such as the ssh user (current options are setting either a single user or all users), or whether the owner of a key is allowed to perform certain operations.

For instance, I'd quite like to be able to run in-cluster jobs (running GC on large repos which I haven't touched in a while) from a different user with a different auth flow when called from a 10/8 address.

I imagine this is something lots of people have given thought to, and I imagine nobody will be 100% happy with a single solution but what I want to do is:

  1. Create a couple of hooks; one for pre-auth (is this user correct? which user is it?), and one for pre-operation (is this valid user allowed to do x/y/z?)
  2. Make these no-op by default, though move the current `if s.config.Auth && s.config.GitUser != "" && sConn.User() != s.config.GitUser {` stuff to a library function
  3. Pass this stuff around in contexts to allow these things to do almost anything people need

Obvs the name 'hooks' is a poor choice
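One way the pre-auth and pre-operation hooks described in this issue could look in Go, as an added example that is not code from the issue author's fork or from the project. Every type and function name, the `gc` job user, the `git` user and the operation strings are assumptions, and the hooks return a bool where a real implementation might return an error.

```go
package main

import (
	"context"
	"net/netip"
)

// Hypothetical names throughout; none of this is the project's API.
type ConnInfo struct{ User string; Remote netip.Addr }
type connKey struct{}
type PreAuthHook func(ctx context.Context) bool          // may this user connect?
type PreOpHook func(ctx context.Context, op string) bool // may this user run op?
var clusterNet = netip.MustParsePrefix("10.0.0.0/8")

// WithConn carries the connection details in the context instead of loose arguments.
func WithConn(ctx context.Context, c ConnInfo) context.Context {
	return context.WithValue(ctx, connKey{}, c)
}
func NoopAuth(context.Context) bool       { return true } // no-op defaults allow everything
func NoopOp(context.Context, string) bool { return true }

// RequireGitUser is the single-user check as a hook; a missing ConnInfo fails closed.
func RequireGitUser(gitUser string) PreAuthHook {
	return func(ctx context.Context) bool {
		c, ok := ctx.Value(connKey{}).(ConnInfo)
		return ok && (gitUser == "" || c.User == gitUser)
	}
}

// ClusterJobAuth admits jobUser only from 10/8; other users fall through to next.
func ClusterJobAuth(jobUser string, next PreAuthHook) PreAuthHook {
	return func(ctx context.Context) bool {
		if c, ok := ctx.Value(connKey{}).(ConnInfo); ok && c.User == jobUser {
			return clusterNet.Contains(c.Remote.Unmap()) // Unmap: ::ffff:10.x is 10.x
		}
		return next(ctx)
	}
}

// JobOpsOnly limits jobUser to a single operation; other users are unrestricted.
func JobOpsOnly(jobUser, allowedOp string) PreOpHook {
	return func(ctx context.Context, op string) bool {
		c, ok := ctx.Value(connKey{}).(ConnInfo)
		return ok && (c.User != jobUser || op == allowedOp)
	}
}

func main() {
	ctx := WithConn(context.Background(), ConnInfo{User: "gc", Remote: netip.MustParseAddr("203.0.113.9")})
	println(ClusterJobAuth("gc", RequireGitUser("git"))(ctx)) // false: "gc" from outside 10/8
}
```

Because the source address is checked after `Unmap()`, an IPv4-mapped IPv6 peer address is treated the same as its IPv4 form; without that call `Prefix.Contains` would reject it.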
