sztab

Sztabina Embedded Git – Phase 1 Internal Authless Access (SZ-90)

rk@tigase.net opened 7 days ago

Summary

Implement Phase 1 security policy for the Sztabina embedded Git server: internal-only, authentication-free Git access.

This phase satisfies the immediate requirement:

no Git users
no Git authentication
internal-only visibility
zero developer friction

Git authentication is explicitly out of scope in this phase.

Scope

In Scope

Sztabina runs as an internal Git HTTP server
No authentication or authorization logic inside Sztabina
Access restricted by network topology only
Caddy acts as a simple reverse proxy
Internal DNS name only

Out of Scope

Personal Access Tokens
User-based Git permissions
External / public Git access
SSH access
Git-layer authentication

Activities

rk@tigase.net commented 7 days ago
Architecture

Trust boundary:

Internal network => Caddy => Sztabina

Caddy configuration:

git.internal.sztab.local reverse_proxy sztabina:8085

Security relies on:

Docker network isolation

Internal DNS

Firewall rules

Implementation Tasks

Remove any authentication logic from Sztabina (if present)

Ensure Git HTTP endpoints work without Authorization headers

Configure Caddy with a single internal virtual host

Verify Sztab backend can create repositories via Sztabina API

Validate shared /repos volume between Sztab and Sztabina

End-to-end testing:

create repo

clone repo

push commits

browse via Sztab UI

Testing

Health endpoint responds

Repository lifecycle APIs work

git clone works without credentials

git push works from trusted network

JGit browsing works in Sztab UI

Pull request workflow works end-to-end

Risks

Accidental external exposure if firewall/DNS is misconfigured

Misunderstanding that lack of auth is intentional

Mitigation:

Explicit documentation

Internal-only DNS

No public port exposure
rk@tigase.net commented 7 days ago

Time Estimate

Design confirmation: 0.5h Sztabina cleanup / validation: 1.0h Caddy configuration: 0.5h Docker / network validation: 0.5h End-to-end testing: 2.0h Documentation update: 0.5h

Total estimate: 5.0 hours
rk@tigase.net changed state to 'In Progress' 7 days ago
Previous Value Current Value
Open

In Progress

Previous Value	Current Value
Open	In Progress

rk@tigase.net commented 7 days ago

rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout wolnosc
Switched to branch 'wolnosc'
Your branch is up to date with 'origin/wolnosc'.
rksuma@Ramakrishnans-MacBook-Pro sztab % git pull origin wolnosc
From https://tigase.dev/sztab
 * branch            wolnosc    -> FETCH_HEAD
Already up to date.
rksuma@Ramakrishnans-MacBook-Pro sztab % git merge feature/sz-embedded-git-server
Updating b8ebe1f..c37e780
Fast-forward
 backend/src/main/java/com/sztab/service/impl/ProjectServiceImpl.java             | 148 +++++++++++++++++++++------
 backend/src/main/java/com/sztab/sztabina/client/GitRepositoryClient.java         |  52 ++++++++++
 backend/src/main/java/com/sztab/sztabina/client/dto/CreateRepositoryRequest.java |  17 ++++
 backend/src/main/java/com/sztab/sztabina/client/dto/RepositoryResponse.java      |  12 +++
 backend/src/main/java/com/sztab/sztabina/client/impl/SztabinaClient.java         |  71 ++++++++++++-
 backend/src/test/java/com/sztab/service/ProjectServiceImplTest.java              | 396 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 deploy/docker/caddy/Caddyfile                                                    |  32 ++++--
 deploy/docker/docker-compose.yml                                                 |  79 ++++++++++-----
 docs/EMBEDDED-GIT-SERVER/sztabina-embedded-git-auth-plan.md                      | 185 ++++++++++++++++++++++++++++++++++
 docs/deployment/sztabina-deployment.md                                           |  53 ++++++++++
 sztabina/cmd/sztabina/main.go                                                    |  88 ++++++++++------
 sztabina/docker/Dockerfile                                                       |  10 +-
 sztabina/handlers/git_http_handler.go                                            |  61 +++++++++++
 sztabina/handlers/repo_handler.go                                                | 163 ++++++++++++++++++++++++++++++
 sztabina/service/gitservice.go                                                   |   3 +-
 15 files changed, 1175 insertions(+), 195 deletions(-)
 create mode 100644 backend/src/main/java/com/sztab/sztabina/client/GitRepositoryClient.java
 create mode 100644 backend/src/main/java/com/sztab/sztabina/client/dto/CreateRepositoryRequest.java
 create mode 100644 backend/src/main/java/com/sztab/sztabina/client/dto/RepositoryResponse.java
 create mode 100644 docs/EMBEDDED-GIT-SERVER/sztabina-embedded-git-auth-plan.md
 create mode 100644 docs/deployment/sztabina-deployment.md
 create mode 100644 sztabina/handlers/git_http_handler.go
 create mode 100644 sztabina/handlers/repo_handler.go
rksuma@Ramakrishnans-MacBook-Pro sztab % git push origin wolnosc
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To https://tigase.dev/sztab.git
   b8ebe1f..c37e780  wolnosc -> wolnosc
rksuma@Ramakrishnans-MacBook-Pro sztab % git branch -d feature/sz-embedded-git-server
Deleted branch feature/sz-embedded-git-server (was c37e780).
rksuma@Ramakrishnans-MacBook-Pro sztab % git push origin --delete feature/sz-embedded-git-server
remote:  
remote: Create a pull request for 'feature/sz-embedded-git-server' by visiting:
remote:     https://tigase.dev/sztab/~pulls/new?target=1325:wolnosc&source=1325:feature/sz-embedded-git-server
remote:  
To https://tigase.dev/sztab.git
 - [deleted]         feature/sz-embedded-git-server
rksuma@Ramakrishnans-MacBook-Pro sztab %

rk@tigase.net changed state to 'Closed' 7 days ago
Previous Value Current Value
In Progress

Closed
Login to comment

Previous Value	Current Value
In Progress	Closed

Type	New Feature
Priority	Major
Assignee	rk@tigase.net
Version	none
Sprints	n/a
Customer	n/a

Issue Votes (0)

Watchers (3)

Reference

SZ-90

Summary

Scope

In Scope

Out of Scope

Architecture

Implementation Tasks

Testing

Risks

Time Estimate