Open
Description
Description
When a user pushes code via the Git Proxy, they authenticate with their SSH key, which is also required for the final push to the remote repository (e.g., GitHub/GitLab). Currently, after approval, the user must manually re-authenticate. To automate this, the proxy must securely retain the user's SSH key during approval and reuse it for the final push—without exposing it or requiring user re-entry.
Key Requirements
1. Key Reuse for Push
- Once approved, the proxy uses the same key to push to the remote repo
- Immediately wipe the key after push (success or failure)
2. Security Constraints
- No long-term storage: Keys are discarded if:
- Approval is rejected
- Approval timeout (e.g., 24 hours) is reached
- Isolation: Keys are never accessible to other users/processes
3. Audit Trail
- Log key usage:
[PROXY] Push executed with key for user:X, request:Y, approved-by:Z
Task
- Add unit tests for key capture and storage
- Add integration tests for key usage
- Add security tests for key handling
- Add cleanup verification tests
- Acceptance Criteria:
- All key operations are properly tested
- Security measures are verified
- Cleanup is verified
- System handles key operations securely
Metadata
Metadata
Assignees
Labels
No labels