Sztabina external Git Access with PAT Authentication (Caddy-enforced) (SZ-91)
rk@tigase.net opened 7 days ago

Summary

Implement Phase 2 security policy for the Sztabina embedded Git server: external Git access protected by Personal Access Tokens (PATs).

Authentication is enforced strictly at the reverse-proxy boundary. Sztabina itself remains completely authentication-free.


Background

Phase 1 establishes Sztabina as an internal, trusted Git server with no authentication.

Phase 2 extends this design to support external Git access while preserving the same architectural principle:

  • Git server stays dumb
  • Authentication and authorization live outside the Git layer
  • Sztab remains the single authority

This mirrors OneDev-like workflows while improving separation of concerns.


Scope

In Scope

  • External Git access via a public domain
  • PAT-based authentication
  • Authentication enforced via Caddy forward_auth
  • Stateless, fast request validation in Sztab

Out of Scope

  • Git user accounts inside Sztabina
  • SSH-based Git access
  • Role-based Git permissions at the transport layer
  • Credential storage inside the Git server

  • rk@tigase.net commented 7 days ago

    Architecture

    Trust boundary:

    External Git client → Caddy → Sztab (auth) → Sztabina

    Caddy configuration:

    git.sztab.company.com {
        forward_auth sztab:8080 {
            uri /api/auth/validate-git-request
            copy_headers Authorization
        }
        reverse_proxy sztabina:8085
    }

    Key properties:

    • Caddy blocks unauthorized requests
    • Sztabina never sees authentication failures
    • Git protocol semantics remain unchanged

    Authentication Contract

    Validation endpoint implemented in Sztab:

    /api/auth/validate-git-request

    Requirements:

    • Stateless
    • Low latency
    • Safe for repeated calls per Git operation
    • No redirects, cookies, or HTML

    Expected behavior:

    • HTTP 200 → request allowed
    • HTTP 401 / 403 → request denied

    This endpoint acts as a gatekeeper, not a login flow.


    Implementation Tasks

    1. Define Personal Access Token (PAT) model and validation rules
    2. Implement /api/auth/validate-git-request endpoint in Sztab
    3. Integrate Caddy forward_auth with Sztab
    4. Add external Git domain and TLS configuration
    5. Verify correct behavior for:
      • git clone
      • git fetch
      • git push
    6. Ensure clean failure modes (401/403)
    7. Add minimal logging for auth failures

    Testing

    • Requests without PAT are rejected
    • Requests with invalid or expired PAT are rejected
    • Requests with valid PAT succeed
    • Internal authless access continues to work
    • No authentication logic exists in Sztabina
    • Git operations behave correctly under repeated auth checks

    Risks

    • Auth endpoint latency affecting Git operations
    • Misconfigured headers breaking Git HTTP semantics

    Mitigation:

    • Keep auth endpoint minimal and stateless
    • Load-test with repeated Git operations
    • Add explicit logging at the proxy and auth boundary

    Acceptance Criteria

    • External Git access requires a valid PAT
    • Invalid or missing PAT always results in 401/403
    • Internal Git access remains auth-free
    • No authentication code exists in Sztabina
    • Design is documented and reproducible
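
The validation contract from the comment above, as an added Python example (not Sztab's code and not part of the issue). Assumed, since the issue does not define them: the PAT arrives as the password of an HTTP Basic Authorization header, only SHA-256 digests of tokens are stored, 401 covers missing or unknown credentials while 403 covers an expired or revoked token, and the sample tokens are constructed.

```python
import base64
import hashlib
import time

def _digest(token):
    # Assumption: only a hash of each PAT is stored, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample store (assumed PAT model): digest -> owner, expiry, revoked.
PATS = {
    _digest("szt_example_valid"): {"user": "alice", "expires": 4102444800, "revoked": False},
    _digest("szt_example_expired"): {"user": "bob", "expires": 1, "revoked": False},
    _digest("szt_example_revoked"): {"user": "carol", "expires": 4102444800, "revoked": True},
}

# Caddy relays a non-2xx forward_auth response to the client, so the Basic
# challenge set here is what the Git client receives on a 401.
CHALLENGE = [("WWW-Authenticate", 'Basic realm="sztab-git"')]

def validate_git_request(authorization, now=None):
    """Return (status, headers, reason); reason is for logs and never holds the token."""
    now = time.time() if now is None else now
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return 401, CHALLENGE, "missing_credentials"
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return 401, CHALLENGE, "malformed_header"
    _user, sep, token = decoded.partition(":")  # username is ignored (assumption)
    record = PATS.get(_digest(token)) if sep and token else None
    if record is None:
        return 401, CHALLENGE, "unknown_token"
    if record["revoked"] or record["expires"] <= now:
        return 403, [], "token_expired_or_revoked"
    return 200, [], "ok"

def app(environ, start_response):
    """WSGI wrapper: empty body, no cookies, no redirects, no HTML."""
    status, headers, reason = validate_git_request(environ.get("HTTP_AUTHORIZATION"))
    if status != 200:
        print(f"git-auth deny status={status} reason={reason}")  # minimal failure log
    text = {200: "200 OK", 401: "401 Unauthorized", 403: "403 Forbidden"}[status]
    start_response(text, headers + [("Content-Length", "0")])
    return [b""]
```

The function keeps no session state, so it is safe to call for every HTTP request a single clone, fetch or push generates.
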
  • rk@tigase.net commented 7 days ago

    Time Estimate

    • Auth design review: 0.5 h
    • PAT validation logic (backend): 2.0 h
    • Auth endpoint implementation: 1.5 h
    • Caddy forward_auth integration: 1.0 h
    • External domain + TLS setup: 1.0 h
    • End-to-end Git testing: 2.0 h
    • Documentation update: 0.5 h

    Total estimate: 8.5 hours


  • rk@tigase.net commented 7 days ago
    rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout -b feature/sz-91-sztabina-external-git-pat-auth
    Switched to a new branch 'feature/sz-91-sztabina-external-git-pat-auth'
    rksuma@Ramakrishnans-MacBook-Pro sztab % 
    
    
  • rk@tigase.net changed state to 'In Progress' 7 days ago
    Previous Value: Open
    Current Value: In Progress
  • rk@tigase.net commented 5 days ago

    End-to-end tested, merged into wolnosc.

  • rk@tigase.net changed state to 'Closed' 5 days ago
    Previous Value: In Progress
    Current Value: Closed
Type: New Feature
Priority: Major
Assignee:
Version: 1.10
Sprints: n/a
Customer: n/a
Reference: SZ-91