GitHub proxy part 6: proxing Git using SSH transport

[greedy52]

Related:

• GitHub proxy #48762

will stack another PR for tsh git ssh/config/clone commands on top of this

[espadolini]

Are you sure that hooking into lib/srv/forward.Server to essentially add a completely separate mode gated by a flag (or like three different and potentially conflicting flags) is easier than writing something new that's going to be structurally guaranteed to work as intended just for the purpose of forwarding the ssh git protocol?

[espadolini]

If ClientI already has a way to get a gitserver.Client which has GetGitServer and ListGitServers, why do we need to extend ClientI with methods at the top level?

[greedy52]

We are casting ClientI to ProxyAccessPoint in a few places, which forces authclient to have same interface as Cache. Also gitserver.Client is not suitable for "AccessPoint".

one other option is to have a gitserver.ReadOnlyClient or decouple ClientI from ProxyAccessPoint somehow. any recommendation is welcome.

[greedy52]

Are you sure that hooking into lib/srv/forward.Server to essentially add a completely separate mode gated by a flag (or like three different and potentially conflicting flags) is easier than writing something new that's going to be structurally guaranteed to work as intended just for the purpose of forwarding the ssh git protocol?

will do 👍

[greedy52]

i am splitting out some parts of this PR to separate ones like

• GitHub proxy: git command recorder #50505

[public-teleport-github-review-bot]

@greedy52 - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

[greedy52]

@espadolini PTAL

[espadolini]

This will also do regular RBAC on the TargetServer unless you also change the check for h.c.Component == teleport.ComponentForwardingNode in authhandlers.go

[greedy52]

there is a check to avoid that:

teleport/lib/srv/authhandlers.go

Lines 471 to 473 in 67c298b

	if h.isProxy() || h.c.Component == teleport.ComponentForwardingGit {
	return permissions, nil
	}

but in the long run, we should do some refactoring to have dedicated auth handler for each type.

[espadolini]

Do we ever want and/or need envvars in the ssh git protocol?

[greedy52]

openssh sends LANG and GIT_PROTOCOL (when using v2 protocol). they are optional but it would be nice to forward them.

[Tener]

A few comments.

In general, I wonder about the decision to reuse ssh connection functionality for this. If we ever want to support other protocols then suddenly we need to reinvent a lot of things. The implementation ends up rather intrusive as we need to hijack a number of bits, e.g. the routing to nodes.

I assume this point was discussed before, so I'm keen to learn the rationale behind this vs e.g. reusing the infrastructure for TCP apps.

[espadolini]

In general, I wonder about the decision to reuse ssh connection functionality for this. If we ever want to support other protocols then suddenly we need to reinvent a lot of things.

I can't speak for the decision to use the git ssh protocol vs the git http protocol, but if we're going to use the git ssh protocol, reusing our existing SSH transport makes sense IMO. My initial recommendation was to actually make the configuration bits real static nodes in a similar fashion to the openssh ones, but we've decided to use a dedicated configuration type for git servers.

[greedy52]

In general, I wonder about the decision to reuse ssh connection functionality for this. If we ever want to support other protocols then suddenly we need to reinvent a lot of things.

I can't speak for the decision to use the git ssh protocol vs the git http protocol, but if we're going to use the git ssh protocol, reusing our existing SSH transport makes sense IMO. My initial recommendation was to actually make the configuration bits real static nodes in a similar fashion to the openssh ones, but we've decided to use a dedicated configuration type for git servers.

The very first git proxy poc is actually http-based for AWS CodeCommit using AWS app access. But AWS CodeCommit is dead now.

Like Edoardo said, this is what we end up with after a few iterations of poc and RFD discussions. GitLab supports SSH CA as well. Even if we have to do HTTP later, I don't think it's that difficult.

[greedy52]

@espadolini @Tener could you take another look? thanks!