Open
Description
Description
When a user pushes code via the Git Proxy, they authenticate with their SSH key, which is also required for the final push to the remote repository (e.g., GitHub/GitLab). Currently, after approval, the user must manually re-authenticate. To automate this, the proxy must securely retain the user's SSH key during approval and reuse it for the final push—without exposing it or requiring user re-entry.
Key Requirements
1. Key Reuse for Push
- Once approved, the proxy uses the same key to push to the remote repo
- Immediately wipe the key after push (success or failure)
2. Security Constraints
- No long-term storage: Keys are discarded if:
- Approval is rejected
- Approval timeout (e.g., 24 hours) is reached
- Isolation: Keys are never accessible to other users/processes
3. Audit Trail
- Log key usage:
[PROXY] Push executed with key for user:X, request:Y, approved-by:Z
Task
- Modify authorization flow to handle private key
- Implement key usage during authorized operations
- Add key validation during authorization
- Acceptance Criteria:
- Authorized actions can use stored private key
- Key is validated before use
- Authorization flow properly manages key state
Metadata
Metadata
Assignees
Labels
No labels