Add FF_GITLAB_SHELL_SSH_CERTIFICATES feature flag

Igor Drozdov · Igor Drozdov · commit f3c80161f164 · 2023-08-10T10:57:17.000+02:00
diff --git a/internal/sshd/server_config.go b/internal/sshd/server_config.go
@@ -162,6 +162,10 @@ func (s *serverConfig) handleUserKey(ctx context.Context, user string, key ssh.P
 }
 
 func (s *serverConfig) handleUserCertificate(ctx context.Context, user string, cert *ssh.Certificate) (*ssh.Permissions, error) {
+	if os.Getenv("FF_GITLAB_SHELL_SSH_CERTIFICATES") != "1" {
+		return nil, fmt.Errorf("handleUserCertificate: feature is disabled")
+	}
+
 	fingerprint := ssh.FingerprintSHA256(cert.SignatureKey)
 
 	if cert.CertType != ssh.UserCert {
diff --git a/internal/sshd/server_config_test.go b/internal/sshd/server_config_test.go
@@ -192,35 +192,52 @@ func TestUserCertificateHandling(t *testing.T) {
 	testCases := []struct {
 		desc                string
 		cert                *ssh.Certificate
+		featureFlagValue    string
 		expectedErr         error
 		expectedPermissions *ssh.Permissions
 	}{
 		{
-			desc:        "wrong cert type",
-			cert:        userCert(t, ssh.HostCert, time.Now().Add(time.Hour)),
-			expectedErr: errors.New("handleUserCertificate: cert has type 2"),
+			desc:             "wrong cert type",
+			cert:             userCert(t, ssh.HostCert, time.Now().Add(time.Hour)),
+			featureFlagValue: "1",
+			expectedErr:      errors.New("handleUserCertificate: cert has type 2"),
 		}, {
-			desc:        "expired cert",
-			cert:        userCert(t, ssh.UserCert, time.Now().Add(-time.Hour)),
-			expectedErr: errors.New("ssh: cert has expired"),
+			desc:             "expired cert",
+			cert:             userCert(t, ssh.UserCert, time.Now().Add(-time.Hour)),
+			featureFlagValue: "1",
+			expectedErr:      errors.New("ssh: cert has expired"),
 		}, {
-			desc:        "API error",
-			cert:        userCert(t, ssh.UserCert, time.Now().Add(time.Hour)),
-			expectedErr: &client.ApiError{Msg: "Internal API unreachable"},
+			desc:             "API error",
+			cert:             userCert(t, ssh.UserCert, time.Now().Add(time.Hour)),
+			featureFlagValue: "1",
+			expectedErr:      &client.ApiError{Msg: "Internal API unreachable"},
 		}, {
-			desc: "successful request",
-			cert: validUserCert,
+			desc:             "successful request",
+			cert:             validUserCert,
+			featureFlagValue: "1",
 			expectedPermissions: &ssh.Permissions{
 				Extensions: map[string]string{
 					"username":  "root",
 					"namespace": "namespace",
 				},
 			},
+		}, {
+			desc:                "feature flag is not enabled",
+			cert:                validUserCert,
+			expectedErr:         errors.New("handleUserCertificate: feature is disabled"),
+			expectedPermissions: nil,
+		}, {
+			desc:                "feature flag is disabled",
+			cert:                validUserCert,
+			featureFlagValue:    "0",
+			expectedErr:         errors.New("handleUserCertificate: feature is disabled"),
+			expectedPermissions: nil,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
+			t.Setenv("FF_GITLAB_SHELL_SSH_CERTIFICATES", tc.featureFlagValue)
 			permissions, err := cfg.handleUserCertificate(context.Background(), "user", tc.cert)
 			require.Equal(t, tc.expectedErr, err)
 			require.Equal(t, tc.expectedPermissions, permissions)

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,10 @@ func (s *serverConfig) handleUserKey(ctx context.Context, user string, key ssh.P`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`func (s serverConfig) handleUserCertificate(ctx context.Context, user string, cert ssh.Certificate) (*ssh.Permissions, error) {`
	`165`	`+ if os.Getenv("FF_GITLAB_SHELL_SSH_CERTIFICATES") != "1" {`
	`166`	`+ return nil, fmt.Errorf("handleUserCertificate: feature is disabled")`
	`167`	`+ }`
	`168`	`+`
`165`	`169`	`fingerprint := ssh.FingerprintSHA256(cert.SignatureKey)`
`166`	`170`
`167`	`171`	`if cert.CertType != ssh.UserCert {`