Sztabina Embedded Git – Phase 1 Internal Authless Access (SZ-90)
rk@tigase.net opened 7 days ago

Summary

Implement Phase 1 security policy for the Sztabina embedded Git server: internal-only, authentication-free Git access.

This phase satisfies the immediate requirement:

  • no Git users
  • no Git authentication
  • internal-only visibility
  • zero developer friction

Git authentication is explicitly out of scope in this phase.


Scope

In Scope

  • Sztabina runs as an internal Git HTTP server
  • No authentication or authorization logic inside Sztabina
  • Access restricted by network topology only
  • Caddy acts as a simple reverse proxy
  • Internal DNS name only

Out of Scope

  • Personal Access Tokens
  • User-based Git permissions
  • External / public Git access
  • SSH access
  • Git-layer authentication

  • rk@tigase.net commented 7 days ago

    Architecture

    Trust boundary:

    Internal network => Caddy => Sztabina

    Caddy configuration:

    git.internal.sztab.local {
        reverse_proxy sztabina:8085
    }

    Security relies on:

    • Docker network isolation
    • Internal DNS
    • Firewall rules

    Implementation Tasks

    1. Remove any authentication logic from Sztabina (if present)
    2. Ensure Git HTTP endpoints work without Authorization headers
    3. Configure Caddy with a single internal virtual host
    4. Verify Sztab backend can create repositories via Sztabina API
    5. Validate shared /repos volume between Sztab and Sztabina
    6. End-to-end testing:
      • create repo
      • clone repo
      • push commits
      • browse via Sztab UI

    Testing

    • Health endpoint responds
    • Repository lifecycle APIs work
    • git clone works without credentials
    • git push works from trusted network
    • JGit browsing works in Sztab UI
    • Pull request workflow works end-to-end

    Risks

    • Accidental external exposure if firewall/DNS is misconfigured
    • Misunderstanding that lack of auth is intentional

    Mitigation:

    • Explicit documentation
    • Internal-only DNS
    • No public port exposure
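The plan above keeps all access control outside Sztabina and names "accidental external exposure if firewall/DNS is misconfigured" as the main risk. As an added illustration (not Sztabina's code, and not part of the Phase 1 scope) the Go snippet below shows a fail-closed guard that could sit in front of the Git HTTP handler as defense in depth: it only serves requests addressed to the internal name git.internal.sztab.local (taken from the Caddy configuration above) and arriving from a private address. The private ranges, the function names `InternalOnly`, `isPrivateAddr` and `probe`, and the sample addresses are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// privateRanges lists the networks assumed to carry internal traffic
// (RFC 1918, loopback). Assumption for this example: the Docker network
// and the office LAN fall inside these ranges.
var privateRanges = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isPrivateAddr reports whether a "host:port" remote address belongs to one
// of privateRanges. Anything unparseable is treated as external (fail closed).
func isPrivateAddr(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range privateRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// InternalOnly wraps a Git HTTP handler and refuses requests that were not
// addressed to allowedHost (Caddy forwards the original Host header) or that
// did not come from a private source address.
func InternalOnly(allowedHost string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // strip an explicit :port if present
		}
		if !strings.EqualFold(host, allowedHost) || !isPrivateAddr(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe issues a Git smart-HTTP discovery request with the given Host header
// and source address against the guarded handler and returns the status code.
func probe(h http.Handler, hostHeader, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/demo.git/info/refs?service=git-upload-pack", nil)
	req.Host = hostHeader
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Stand-in for the real Git handler: it answers 200 to whatever reaches it.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	guarded := InternalOnly("git.internal.sztab.local", upstream)

	// Constructed sample requests: Caddy on the Docker network, a request by
	// raw IP (e.g. a port accidentally published), and a non-private source.
	fmt.Println("internal name via Caddy:", probe(guarded, "git.internal.sztab.local", "172.18.0.2:4321"))
	fmt.Println("addressed by raw IP:    ", probe(guarded, "203.0.113.10", "172.18.0.2:4321"))
	fmt.Println("non-private source:     ", probe(guarded, "git.internal.sztab.local", "198.51.100.7:5555"))
}
```

Behind Caddy the source address seen by Sztabina is Caddy's own container address, so in the proxied setup only the Host check adds information; the source-address check matters for direct connections that bypass the proxy. Neither check replaces the firewall and DNS controls the plan relies on; they only turn a misconfiguration into a 403 rather than an open repository.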

  • rk@tigase.net commented 7 days ago

    Time Estimate

    • Design confirmation: 0.5h
    • Sztabina cleanup / validation: 1.0h
    • Caddy configuration: 0.5h
    • Docker / network validation: 0.5h
    • End-to-end testing: 2.0h
    • Documentation update: 0.5h

    Total estimate: 5.0 hours

  • rk@tigase.net changed state to 'In Progress' 7 days ago
    Previous Value: Open
    Current Value: In Progress

  • rk@tigase.net commented 7 days ago
    rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout wolnosc
    Switched to branch 'wolnosc'
    Your branch is up to date with 'origin/wolnosc'.
    rksuma@Ramakrishnans-MacBook-Pro sztab % git pull origin wolnosc
    From https://tigase.dev/sztab
     * branch            wolnosc    -> FETCH_HEAD
    Already up to date.
    rksuma@Ramakrishnans-MacBook-Pro sztab % git merge feature/sz-embedded-git-server
    Updating b8ebe1f..c37e780
    Fast-forward
     backend/src/main/java/com/sztab/service/impl/ProjectServiceImpl.java             | 148 +++++++++++++++++++++------
     backend/src/main/java/com/sztab/sztabina/client/GitRepositoryClient.java         |  52 ++++++++++
     backend/src/main/java/com/sztab/sztabina/client/dto/CreateRepositoryRequest.java |  17 ++++
     backend/src/main/java/com/sztab/sztabina/client/dto/RepositoryResponse.java      |  12 +++
     backend/src/main/java/com/sztab/sztabina/client/impl/SztabinaClient.java         |  71 ++++++++++++-
     backend/src/test/java/com/sztab/service/ProjectServiceImplTest.java              | 396 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
     deploy/docker/caddy/Caddyfile                                                    |  32 ++++--
     deploy/docker/docker-compose.yml                                                 |  79 ++++++++++-----
     docs/EMBEDDED-GIT-SERVER/sztabina-embedded-git-auth-plan.md                      | 185 ++++++++++++++++++++++++++++++++++
     docs/deployment/sztabina-deployment.md                                           |  53 ++++++++++
     sztabina/cmd/sztabina/main.go                                                    |  88 ++++++++++------
     sztabina/docker/Dockerfile                                                       |  10 +-
     sztabina/handlers/git_http_handler.go                                            |  61 +++++++++++
     sztabina/handlers/repo_handler.go                                                | 163 ++++++++++++++++++++++++++++++
     sztabina/service/gitservice.go                                                   |   3 +-
     15 files changed, 1175 insertions(+), 195 deletions(-)
     create mode 100644 backend/src/main/java/com/sztab/sztabina/client/GitRepositoryClient.java
     create mode 100644 backend/src/main/java/com/sztab/sztabina/client/dto/CreateRepositoryRequest.java
     create mode 100644 backend/src/main/java/com/sztab/sztabina/client/dto/RepositoryResponse.java
     create mode 100644 docs/EMBEDDED-GIT-SERVER/sztabina-embedded-git-auth-plan.md
     create mode 100644 docs/deployment/sztabina-deployment.md
     create mode 100644 sztabina/handlers/git_http_handler.go
     create mode 100644 sztabina/handlers/repo_handler.go
    rksuma@Ramakrishnans-MacBook-Pro sztab % git push origin wolnosc
    Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
    To https://tigase.dev/sztab.git
       b8ebe1f..c37e780  wolnosc -> wolnosc
    rksuma@Ramakrishnans-MacBook-Pro sztab % git branch -d feature/sz-embedded-git-server
    Deleted branch feature/sz-embedded-git-server (was c37e780).
    rksuma@Ramakrishnans-MacBook-Pro sztab % git push origin --delete feature/sz-embedded-git-server
    remote:  
    remote: Create a pull request for 'feature/sz-embedded-git-server' by visiting:
    remote:     https://tigase.dev/sztab/~pulls/new?target=1325:wolnosc&source=1325:feature/sz-embedded-git-server
    remote:  
    To https://tigase.dev/sztab.git
     - [deleted]         feature/sz-embedded-git-server
    rksuma@Ramakrishnans-MacBook-Pro sztab % 
    
    
  • rk@tigase.net changed state to 'Closed' 7 days ago
    Previous Value: In Progress
    Current Value: Closed
Type: New Feature
Priority: Major
Assignee:
Version: none
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-90