SSH push mirroring support

19a94b8b · Nick Thomas · e530930a · 19a94b8b · 19a94b8b · 19a94b8b
Commit 19a94b8b authored Oct 26, 2018 by Nick Thomas
38 changed files
--- a/ee/app/assets/javascripts/mirrors/constants.js
+++ b/ee/app/assets/javascripts/mirrors/constants.js
--- a/app/assets/javascripts/pages/projects/settings/repository/show/mirror_repos.js
+++ b/app/assets/javascripts/pages/projects/settings/repository/show/mirror_repos.js
@@ -3,10 +3,12 @@ import _ from 'underscore';
 import { __ } from '~/locale';
 import Flash from '~/flash';
 import axios from '~/lib/utils/axios_utils';
+import SSHMirror from './ssh_mirror';
 export default class MirrorRepos {
  constructor(container) {
    this.$container = $(container);
+    this.$password = null;
    this.$form = $('.js-mirror-form', this.$container);
    this.$urlInput = $('.js-mirror-url', this.$form);
    this.$protectedBranchesInput = $('.js-mirror-protected', this.$form);
@@ -26,6 +28,18 @@ export default class MirrorRepos {
    this.$authMethod.on('change', () => this.togglePassword());
    this.$password.on('input.updateUrl', () => this.debouncedUpdateUrl());
+    this.initMirrorSSH();
+  }
+  initMirrorSSH() {
+    if (this.$password) {
+      this.$password.off('input.updateUrl');
+    }
+    this.$password = undefined;
+    this.sshMirror = new SSHMirror('.js-mirror-form');
+    this.sshMirror.init();
  }
  updateUrl() {

--- a/ee/app/assets/javascripts/mirrors/mirror_pull.js
+++ b/ee/app/assets/javascripts/mirrors/mirror_pull.js
@@ -6,7 +6,7 @@ import Flash from '~/flash';
 import { backOff } from '~/lib/utils/common_utils';
 import AUTH_METHOD from './constants';
-export default class MirrorPull {
+export default class SSHMirror {
  constructor(formSelector) {
    this.backOffRequestCounter = 0;
@@ -19,7 +19,7 @@ export default class MirrorPull {
    this.$hostKeysInformation = this.$form.find('.js-fingerprint-ssh-info');
    this.$btnDetectHostKeys = this.$form.find('.js-detect-host-keys');
    this.$btnSSHHostsShowAdvanced = this.$form.find('.btn-show-advanced');
-    this.$dropdownAuthType = this.$form.find('.js-pull-mirror-auth-type');
+    this.$dropdownAuthType = this.$form.find('.js-mirror-auth-type');
    this.$wellAuthTypeChanging = this.$form.find('.js-well-changing-auth');
    this.$wellPasswordAuth = this.$form.find('.js-well-password-auth');
@@ -151,9 +151,10 @@ export default class MirrorPull {
   */
  handleSSHHostsAdvanced() {
    const $knownHost = this.$sectionSSHHostKeys.find('.js-ssh-known-hosts');
+    const toggleShowAdvanced = $knownHost.hasClass('show');
    $knownHost.collapse('toggle');
-    this.$btnSSHHostsShowAdvanced.toggleClass('show-advanced', !$knownHost.hasClass('in'));
+    this.$btnSSHHostsShowAdvanced.toggleClass('show-advanced', toggleShowAdvanced);
  }
  /**
@@ -164,21 +165,21 @@ export default class MirrorPull {
    const $sshPublicKey = this.$sshPublicKeyWrap.find('.ssh-public-key');
    const selectedAuthType = this.$dropdownAuthType.val();
-    // Construct request body
-    const authTypeData = {
-      project: {
-        import_data_attributes: {
-          regenerate_ssh_private_key: true,
-        },
-      },
-    };
    this.$wellPasswordAuth.collapse('hide');
    this.$wellSSHAuth.collapse('hide');
    // This request should happen only if selected Auth type was SSH
    // and SSH Public key was not present on page load
    if (selectedAuthType === AUTH_METHOD.SSH && !$sshPublicKey.text().trim()) {
+      if (!this.$wellSSHAuth.length) return;
+      // Construct request body
+      const authTypeData = {
+        project: {
+          ...this.$regeneratePublicSshKeyButton.data().projectData,
+        },
+      };
      this.$wellAuthTypeChanging.collapse('show');
      this.$dropdownAuthType.disable();
@@ -263,12 +264,17 @@ export default class MirrorPull {
    const button = this.$regeneratePublicSshKeyButton;
    const spinner = $('.js-spinner', button);
    const endpoint = button.data('endpoint');
+    const authTypeData = {
+      project: {
+        ...this.$regeneratePublicSshKeyButton.data().projectData,
+      },
+    };
    button.attr('disabled', 'disabled');
    spinner.removeClass('d-none');
    axios
-      .patch(endpoint)
+      .patch(endpoint, authTypeData)
      .then(({ data }) => {
        button.removeAttr('disabled');
        spinner.addClass('d-none');

--- a/app/assets/javascripts/pages/projects/settings/repository/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
 import initForm from '../form';
-import MirrorRepos from './mirror_repos';
+import MirrorRepos from '~/mirrors/mirror_repos';
 document.addEventListener('DOMContentLoaded', () => {
  initForm();

--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@@ -1224,3 +1224,27 @@ pre.light-well {
    opacity: 1;
  }
 }
+.project-mirror-settings {
+  .btn-show-advanced {
+    min-width: 135px;
+    .label-show {
+      display: none;
+    }
+    .label-hide {
+      display: inline;
+    }
+    &.show-advanced {
+      .label-show {
+        display: inline;
+      }
+      .label-hide {
+        display: none;
+      }
+    }
+  }
+}
--- a/app/controllers/projects/mirrors_controller.rb
+++ b/app/controllers/projects/mirrors_controller.rb
@@ -77,6 +77,10 @@ class Projects::MirrorsController < Projects::ApplicationController
        id
        enabled
        only_protected_branches
+        auth_method
+        password
+        ssh_known_hosts
+        regenerate_ssh_private_key
      ]
    ]
  end

--- a/app/helpers/mirror_helper.rb
+++ b/app/helpers/mirror_helper.rb
@@ -2,6 +2,9 @@
 module MirrorHelper
  def mirrors_form_data_attributes
-    { project_mirror_endpoint: project_mirror_path(@project) }
+    {
+      project_mirror_ssh_endpoint: ssh_host_keys_project_mirror_path(@project, :json),
+      project_mirror_endpoint: project_mirror_path(@project, :json)
+    }
  end
 end
--- a/app/models/concerns/mirror_authentication.rb
+++ b/app/models/concerns/mirror_authentication.rb
@@ -9,24 +9,44 @@ module MirrorAuthentication
    bits: 4096
  }.freeze
-  CREDENTIALS_FIELDS = %i[
-    auth_method
-    password
-    ssh_known_hosts
-    ssh_known_hosts_verified_at
-    ssh_known_hosts_verified_by_id
-    ssh_private_key
-    user
-  ].freeze
  extend ActiveSupport::Concern
  included do
    validates :auth_method, inclusion: { in: %w[password ssh_public_key] }, allow_blank: true
    # We should generate a key even if there's no SSH URL present
-    before_validation :generate_ssh_private_key!, if: ->(data) do
+    before_validation :generate_ssh_private_key!, if: -> {
      regenerate_ssh_private_key || ( auth_method == 'ssh_public_key' && ssh_private_key.blank? )
+    }
+    credentials_field :auth_method, reader: false
+    credentials_field :ssh_known_hosts
+    credentials_field :ssh_known_hosts_verified_at
+    credentials_field :ssh_known_hosts_verified_by_id
+    credentials_field :ssh_private_key
+    credentials_field :user
+    credentials_field :password
+  end
+  class_methods do
+    def credentials_field(name, reader: true)
+      if reader
+        define_method(name) do
+          credentials[name] if credentials.present?
+        end
+      end
+      define_method("#{name}=") do |value|
+        self.credentials ||= {}
+        # Removal of the password, username, etc, generally causes an update of
+        # the value to the empty string. Detect and gracefully handle this case.
+        if value.present?
+          self.credentials[name] = value
+        else
+          self.credentials.delete(name)
+        end
+      end
    end
  end
@@ -44,25 +64,6 @@ module MirrorAuthentication
    url&.start_with?('ssh://')
  end
-  CREDENTIALS_FIELDS.each do |name|
-    define_method(name) do
-      credentials[name] if credentials.present?
-    end
-    define_method("#{name}=") do |value|
-      self.credentials ||= {}
-      # Removal of the password, username, etc, generally causes an update of
-      # the value to the empty string. Detect and gracefully handle this case.
-      if value.present?
-        self.credentials[name] = value
-      else
-        self.credentials.delete(name)
-        nil
-      end
-    end
-  end
  def ssh_known_hosts_verified_by
    @ssh_known_hosts_verified_by ||= ::User.find_by(id: ssh_known_hosts_verified_by_id)
  end

--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@@ -2,6 +2,7 @@
 class RemoteMirror < ActiveRecord::Base
  include AfterCommitQueue
+  include MirrorAuthentication
  PROTECTED_BACKOFF_DELAY   = 1.minute
  UNPROTECTED_BACKOFF_DELAY = 5.minutes
@@ -28,6 +29,8 @@ class RemoteMirror < ActiveRecord::Base
  after_commit :remove_remote, on: :destroy
+  before_validation :store_credentials
  scope :enabled, -> { where(enabled: true) }
  scope :started, -> { with_update_status(:started) }
  scope :stuck,   -> { started.where('last_update_at < ? OR (last_update_at IS NULL AND updated_at < ?)', 1.day.ago, 1.day.ago) }
@@ -84,7 +87,21 @@ class RemoteMirror < ActiveRecord::Base
  end
  def update_repository(options)
-    raw.update(options)
+    if ssh_mirror_url?
+      if ssh_key_auth? && ssh_private_key.present?
+        options[:ssh_key] = ssh_private_key
+      end
+      if ssh_known_hosts.present?
+        options[:known_hosts] = ssh_known_hosts
+      end
+    end
+    Gitlab::Git::RemoteMirror.new(
+      project.repository.raw,
+      remote_name,
+      **options
+    ).update
  end
  def sync?
@@ -128,7 +145,8 @@ class RemoteMirror < ActiveRecord::Base
    super(value) && return unless Gitlab::UrlSanitizer.valid?(value)
    mirror_url = Gitlab::UrlSanitizer.new(value)
-    self.credentials = mirror_url.credentials
+    self.credentials ||= {}
+    self.credentials = self.credentials.merge(mirror_url.credentials)
    super(mirror_url.sanitized_url)
  end
@@ -152,17 +170,28 @@ class RemoteMirror < ActiveRecord::Base
  def ensure_remote!
    return unless project
-    return unless remote_name && url
+    return unless remote_name && remote_url
    # If this fails or the remote already exists, we won't know due to
    # https://gitlab.com/gitlab-org/gitaly/issues/1317
-    project.repository.add_remote(remote_name, url)
+    project.repository.add_remote(remote_name, remote_url)
  end
  private
-  def raw
+  def store_credentials
-    @raw ||= Gitlab::Git::RemoteMirror.new(project.repository.raw, remote_name)
+    # This is a necessary workaround for attr_encrypted, which doesn't otherwise
+    # notice that the credentials have changed
+    self.credentials = self.credentials
+  end
+  # The remote URL omits any password if SSH public-key authentication is in use
+  def remote_url
+    return url unless ssh_key_auth? && password.present?
+    Gitlab::UrlSanitizer.new(read_attribute(:url), credentials: { user: user }).full_url
+  rescue
+    super
  end
  def fallback_remote_name
@@ -214,7 +243,7 @@ class RemoteMirror < ActiveRecord::Base
      project.repository.async_remove_remote(prev_remote_name)
    end
-    project.repository.add_remote(remote_name, url)
+    project.repository.add_remote(remote_name, remote_url)
  end
  def remove_remote
@@ -224,7 +253,7 @@ class RemoteMirror < ActiveRecord::Base
  end
  def mirror_url_changed?
-    url_changed? || encrypted_credentials_changed?
+    url_changed? || credentials_changed?
  end
 end

--- a/app/serializers/project_mirror_entity.rb
+++ b/app/serializers/project_mirror_entity.rb
@@ -5,11 +5,7 @@ class ProjectMirrorEntity < Grape::Entity
  expose :id
-  expose :remote_mirrors_attributes do |project|
+  expose :remote_mirrors_attributes, using: RemoteMirrorEntity do |project|
-    next [] unless project.remote_mirrors.present?
+    project.remote_mirrors
-    project.remote_mirrors.map do |remote|
-      remote.as_json(only: %i[id url enabled])
-    end
  end
 end
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
+# frozen_string_literal: true
+class RemoteMirrorEntity < Grape::Entity
+  expose :id
+  expose :url
+  expose :enabled
+  expose :auth_method
+  expose :ssh_known_hosts
+  expose :ssh_public_key
+  expose :ssh_known_hosts_fingerprints do |remote_mirror|
+    remote_mirror.ssh_known_hosts_fingerprints.as_json
+  end
+end
--- a/app/services/projects/update_remote_mirror_service.rb
+++ b/app/services/projects/update_remote_mirror_service.rb
@@ -11,7 +11,7 @@ module Projects
      begin
        remote_mirror.ensure_remote!
-        repository.fetch_remote(remote_mirror.remote_name, no_tags: true)
+        repository.fetch_remote(remote_mirror.remote_name, ssh_auth: remote_mirror, no_tags: true)
        opts = {}
        if remote_mirror.only_protected_branches?

--- a/app/views/projects/mirrors/_authentication_method.html.haml
+++ b/app/views/projects/mirrors/_authentication_method.html.haml
+- mirror = f.object
+- is_push = local_assigns.fetch(:is_push, false)
+- auth_options = [[_('Password'), 'password'], [_('SSH public key'), 'ssh_public_key']]
+- regen_data = { auth_method: 'ssh_public_key', regenerate_ssh_private_key: true }
+- ssh_public_key_present = mirror.ssh_public_key.present?
+.form-group
+  = f.label :auth_method, _('Authentication method'), class: 'label-bold'
+  = f.select :auth_method,
+      options_for_select(auth_options, mirror.auth_method),
+      {}, { class: "form-control js-mirror-auth-type" }
+.form-group
+  .collapse.js-well-changing-auth
+    .changing-auth-method= icon('spinner spin lg')
+  .well-password-auth.collapse.js-well-password-auth
+    = f.label :password, _("Password"), class: "label-bold"
+    = f.password_field :password, value: mirror.password, class: 'form-control'
+  - unless is_push
+    .well-ssh-auth.collapse.js-well-ssh-auth
+      %p.js-ssh-public-key-present{ class: ('collapse' unless ssh_public_key_present) }
+        = _('Here is the public SSH key that needs to be added to the remote server. For more information, please refer to the documentation.')
+      %p.js-ssh-public-key-pending{ class: ('collapse' if ssh_public_key_present) }
+        = _('An SSH key will be automatically generated when the form is submitted. For more information, please refer to the documentation.')
+      .clearfix.js-ssh-public-key-wrap{ class: ('collapse' unless ssh_public_key_present) }
+        %code.prepend-top-10.ssh-public-key
+          = mirror.ssh_public_key
+        = clipboard_button(text: mirror.ssh_public_key, title: _("Copy SSH public key to clipboard"), class: 'prepend-top-10 btn-copy-ssh-public-key')
+      = button_tag type: 'button',
+        data: { endpoint: project_mirror_path(@project), project_data: { import_data_attributes: regen_data } },
+        class: "btn btn-inverted btn-warning prepend-top-10 js-btn-regenerate-ssh-key#{ ' collapse' unless ssh_public_key_present }" do
+        = icon('spinner spin', class: 'js-spinner d-none')
+        = _('Regenerate key')
+      = render 'projects/mirrors/regenerate_public_ssh_key_confirm_modal'
--- a/app/views/projects/mirrors/_mirror_repos.html.haml
+++ b/app/views/projects/mirrors/_mirror_repos.html.haml
@@ -59,5 +59,7 @@
                      .badge.mirror-error-badge{ data: { toggle: 'tooltip', html: 'true' }, title: html_escape(mirror.last_error.try(:strip)) }= _('Error')
                  %td.mirror-action-buttons
                    .btn-group.mirror-actions-group.pull-right{ role: 'group' }
+                      - if mirror.ssh_key_auth?
+                        = clipboard_button(text: mirror.ssh_public_key, class: 'btn btn-default', title: _('Copy SSH public key'))
                      = render 'shared/remote_mirror_update_button', remote_mirror: mirror
                      %button.js-delete-mirror.btn.btn-danger{ type: 'button', data: { mirror_id: mirror.id, toggle: 'tooltip', container: 'body' }, title: _('Remove') }= icon('trash-o')
--- a/app/views/projects/mirrors/_mirror_repos_form.html.haml
+++ b/app/views/projects/mirrors/_mirror_repos_form.html.haml
- protocols = Gitlab::UrlSanitizer::ALLOWED_SCHEMES.join('|')
 .form-group
  = label_tag :mirror_direction, _('Mirror direction'), class: 'label-light'
  = select_tag :mirror_direction, options_for_select([[_('Push'), 'push']]), class: 'form-control js-mirror-direction', disabled: true
-= f.fields_for :remote_mirrors, @project.remote_mirrors.build do |rm_f|
+= render partial: "projects/mirrors/mirror_repos_push", locals: { f: f }
-  = rm_f.hidden_field :enabled, value: '1'
-  = rm_f.hidden_field :url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
-  = rm_f.hidden_field :only_protected_branches, class: 'js-mirror-protected-hidden'
-.form-group
-  = label_tag :auth_method, _('Authentication method'), class: 'label-bold'
-  = select_tag :auth_method, options_for_select([[_('None'), 'none'], [_('Password'), 'password']], 'none'), { class: "form-control js-auth-method" }
-.form-group.js-password-group.collapse
-  = label_tag :password, _('Password'), class: 'label-bold'
-  = text_field_tag :password, '', class: 'form-control js-password'
--- a/app/views/projects/mirrors/_mirror_repos_push.html.haml
+++ b/app/views/projects/mirrors/_mirror_repos_push.html.haml
+- protocols = Gitlab::UrlSanitizer::ALLOWED_SCHEMES.join('|')
+= f.fields_for :remote_mirrors, @project.remote_mirrors.build do |rm_f|
+  = rm_f.hidden_field :enabled, value: '1'
+  = rm_f.hidden_field :url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
+  = rm_f.hidden_field :only_protected_branches, class: 'js-mirror-protected-hidden'
+  = render partial: 'projects/mirrors/ssh_host_keys', locals: { f: rm_f }
+  = render partial: 'projects/mirrors/authentication_method', locals: { f: rm_f, is_push: true }
--- a/ee/app/views/projects/mirrors/pull/_regenerate_public_ssh_key_confirm_modal.html.haml
+++ b/ee/app/views/projects/mirrors/pull/_regenerate_public_ssh_key_confirm_modal.html.haml
--- a/ee/app/views/projects/mirrors/pull/_ssh_host_keys.html.haml
+++ b/ee/app/views/projects/mirrors/pull/_ssh_host_keys.html.haml
- import_data = f.object
+- mirror = f.object
- verified_by = import_data.ssh_known_hosts_verified_by
+- verified_by = mirror.ssh_known_hosts_verified_by
- verified_at = import_data.ssh_known_hosts_verified_at
+- verified_at = mirror.ssh_known_hosts_verified_at
-.form-group.js-ssh-host-keys-section{ class: ('collapse' unless import_data.ssh_import?) }
+.form-group.js-ssh-host-keys-section{ class: ('collapse' unless mirror.ssh_mirror_url?) }
  %button.btn.btn-inverted.btn-success.inline.js-detect-host-keys.append-right-10{ type: 'button' }
    = icon('spinner spin', class: 'js-spinner d-none')
    = _('Detect host keys')
-  .fingerprint-ssh-info.js-fingerprint-ssh-info.prepend-top-10.append-bottom-10{ class: ('collapse' unless import_data.ssh_import?) }
+  .fingerprint-ssh-info.js-fingerprint-ssh-info.prepend-top-10.append-bottom-10{ class: ('collapse' unless mirror.ssh_mirror_url?) }
    %label.label-bold
      = _('Fingerprints')
    .fingerprints-list.js-fingerprints-list
-      - import_data.ssh_known_hosts_fingerprints.each do |fp|
+      - mirror.ssh_known_hosts_fingerprints.each do |fp|
        %code= fp.fingerprint
-    - if verified_by || verified_at
+    - if verified_at
      .form-text.text-muted.js-fingerprint-verification
        %i.fa.fa-check.fingerprint-verified
        Verified by

--- a/changelogs/unreleased/49565-ssh-push-mirroring.yml
+++ b/changelogs/unreleased/49565-ssh-push-mirroring.yml
+---
+title: Allow SSH public-key authentication for push mirroring
+merge_request: 22982
+author:
+type: added
--- a/doc/workflow/repository_mirroring.md
+++ b/doc/workflow/repository_mirroring.md
@@ -135,23 +135,25 @@ If the mirror updates successfully, it will be enqueued once again with a small
 If the mirror fails (for example, a branch diverged from upstream), the project's backoff period is
 increased each time it fails, up to a maximum amount of time.
-### SSH authentication **[STARTER]**
+### SSH authentication
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2551) in [GitLab Starter](https://about.gitlab.com/pricing/) 9.5.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2551) for Push mirroring in [GitLab Starter](https://about.gitlab.com/pricing/) 9.5.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22982) for Pull mirroring in [GitLab Core](https://about.gitlab.com/pricing/) 11.6
 SSH authentication is mutual:
 - You have to prove to the server that you're allowed to access the repository.
 - The server also has to prove to *you* that it's who it claims to be.
-You provide your credentials as a password or public key. The server that the source repository
+You provide your credentials as a password or public key. The server that the
-resides on provides its credentials as a "host key", the fingerprint of which needs to be verified manually.
+other repository resides on provides its credentials as a "host key", the
+fingerprint of which needs to be verified manually.
 If you're mirroring over SSH (that is, using an `ssh://` URL), you can authenticate using:
 - Password-based authentication, just as over HTTPS.
- Public key authentication. This is often more secure than password authentication, especially when
+- Public key authentication. This is often more secure than password authentication,
-  the source repository supports [Deploy Keys](../ssh/README.md#deploy-keys).
+  especially when the other repository supports [Deploy Keys](../ssh/README.md#deploy-keys).
 To get started:
@@ -171,9 +173,9 @@ If you click the:
 - **Detect host keys** button, GitLab will fetch the host keys from the server and display the fingerprints.
 - **Input host keys manually** button, a field is displayed where you can paste in host keys.
-You now need to verify that the fingerprints are those you expect. GitLab.com
+Assuming you used the former, you now need to verify that the fingerprints are
-and other code hosting sites publish their fingerprints in the open for you
+those you expect. GitLab.com and other code hosting sites publish their
-to check:
+fingerprints in the open for you to check:
 - [AWS CodeCommit](http://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-fingerprints)
 - [Bitbucket](https://confluence.atlassian.com/bitbucket/use-the-ssh-protocol-with-bitbucket-cloud-221449711.html#UsetheSSHprotocolwithBitbucketCloud-KnownhostorBitbucket%27spublickeyfingerprints)
@@ -184,7 +186,8 @@ to check:
 - [SourceForge](https://sourceforge.net/p/forge/documentation/SSH%20Key%20Fingerprints/)
 Other providers will vary. If you're running self-managed GitLab, or otherwise
-have access to the source server, you can securely gather the key fingerprints:
+have access to the server for the other repository, you can securely gather the
+key fingerprints:
 ```sh
 $ cat /etc/ssh/ssh_host*pub | ssh-keygen -E md5 -l -f -
@@ -196,25 +199,27 @@ $ cat /etc/ssh/ssh_host*pub | ssh-keygen -E md5 -l -f -
 NOTE: **Note:**
 You may need to exclude `-E md5` for some older versions of SSH.
-When pulling changes from the source repository, GitLab will now check that at least one of the stored
+When mirroring the repository, GitLab will now check that at least one of the
-host keys matches before connecting. This can prevent malicious code from being injected into your
+stored host keys matches before connecting. This can prevent malicious code from
-mirror, or your password being stolen.
+being injected into your mirror, or your password being stolen.
 ### SSH public key authentication
-To use SSH public key authentication, you'll also need to choose that option from the **Authentication method**
+To use SSH public key authentication, you'll also need to choose that option
-dropdown. GitLab will generate a 4096-bit RSA key and display the public component of that key to you.
+from the **Authentication method** dropdown. GitLab will generate a 4096-bit RSA
+key and display the public component of that key to you.
-You then need to add the public SSH key to the source repository configuration. If:
+You then need to add the public SSH key to the other repository's configuration:
- The source is hosted on GitLab, you should add the public SSH key as a [Deploy Key](../ssh/README.md#deploy-keys).
+- If the other repository is hosted on GitLab, you should add the public SSH key
- The source is hosted elsewhere, you may need to add the key to your user's `authorized_keys` file.
+  as a [Deploy Key](../ssh/README.md#deploy-keys).
-  Paste the entire public SSH key into the file on its own line and save it.
+- If the other repository is hosted elsewhere, you may need to add the key to
+  your user's  `authorized_keys` file. Paste the entire public SSH key into the
+  file on its own line and save it.
-Once the public key is set up on the source repository, click the **Mirror repository** button and
+If you need to change the key at any time, you can remove and re-add the mirror
-your mirror will begin working.
+to generate a new key. You'll have to update the other repository with the new
+key to keep the mirror running.
-If you need to change the key at any time, you can click the **Regenerate key** button to do so. You'll have to update the source repository with the new key to keep the mirror running.
 ### Overwrite diverged branches **[STARTER]**

--- a/ee/app/assets/javascripts/pages/projects/settings/repository/show/ee_mirror_repos.js
+++ b/ee/app/assets/javascripts/pages/projects/settings/repository/show/ee_mirror_repos.js
 import $ from 'jquery';
 import { __ } from '~/locale';
 import Flash from '~/flash';
-import MirrorRepos from '~/pages/projects/settings/repository/show/mirror_repos';
+import MirrorRepos from '~/mirrors/mirror_repos';
-import MirrorPull from 'ee/mirrors/mirror_pull';
 export default class EEMirrorRepos extends MirrorRepos {
  constructor(...args) {
    super(...args);
-    this.$password = undefined;
    this.$mirrorDirectionSelect = $('.js-mirror-direction', this.$form);
    this.$insertionPoint = $('.js-form-insertion-point', this.$form);
    this.$repoCount = $('.js-mirrored-repo-count', this.$container);
@@ -67,18 +65,13 @@ export default class EEMirrorRepos extends MirrorRepos {
    this.updateUrl();
    this.updateProtectedBranches();
+    if (this.sshMirror) this.sshMirror.destroy();
    if (direction === 'pull') return this.initMirrorPull();
-    if (this.mirrorPull) this.mirrorPull.destroy();
    return this.initMirrorPush();
  }
  initMirrorPull() {
-    this.$password.off('input.updateUrl');
+    this.initMirrorSSH();
-    this.$password = undefined;
-    this.mirrorPull = new MirrorPull('.js-mirror-form');
-    this.mirrorPull.init();
    this.initSelect2();
  }

--- a/ee/app/assets/stylesheets/pages/projects.scss
+++ b/ee/app/assets/stylesheets/pages/projects.scss
@@ -33,36 +33,6 @@
    font-family: $monospace-font;
  }
-  .btn-show-advanced {
-    min-width: 135px;
-    .label-show {
-      display: none;
-    }
-    .label-hide {
-      display: inline;
-    }
-    .fa.fa-chevron::before {
-      content: '\f077';
-    }
-    &.show-advanced {
-      .label-show {
-        display: inline;
-      }
-      .label-hide {
-        display: none;
-      }
-      .fa.fa-chevron::before {
-        content: '\f078';
-      }
-    }
-  }
  .fingerprints-list {
    code {
      display: block;

--- a/ee/app/views/projects/mirrors/_mirror_repos_form.html.haml
+++ b/ee/app/views/projects/mirrors/_mirror_repos_form.html.haml
@@ -14,18 +14,7 @@
 .js-form-insertion-point
 %template.js-push-mirrors-form
-  = f.fields_for :remote_mirrors, @project.remote_mirrors.build do |rm_f|
+  = render partial: "projects/mirrors/mirror_repos_push", locals: { f: f }
-    = rm_f.hidden_field :enabled, value: '1'
-    = rm_f.hidden_field :url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
-    = rm_f.hidden_field :only_protected_branches, class: 'js-mirror-protected-hidden'
-  .form-group
-    = label_tag :auth_method, _('Authentication method'), class: 'label-bold'
-    = select_tag :auth_method, options_for_select([[_('None'), 'none'], [_('Password'), 'password']], 'none'), { class: "form-control js-auth-method" }
-  .form-group.js-password-group.collapse
-    = label_tag :password, _('Password'), class: 'label-bold'
-    = text_field_tag :password, '', type: 'password', class: 'form-control js-password'
 %template.js-pull-mirrors-form
  = f.hidden_field :mirror, value: '1'
@@ -33,8 +22,8 @@
  = f.hidden_field :only_mirror_protected_branches, class: 'js-mirror-protected-hidden'
  = f.fields_for :import_data, import_data do |import_form|
-    = render partial: 'projects/mirrors/pull/ssh_host_keys', locals: { f: import_form }
+    = render partial: 'projects/mirrors/ssh_host_keys', locals: { f: import_form }
-    = render partial: 'projects/mirrors/pull/authentication_method', locals: { f: import_form }
+    = render partial: 'projects/mirrors/authentication_method', locals: { f: import_form }
  .form-group
    = f.label :mirror_user_id, _('Mirror user'), class: 'label-light'

--- a/ee/app/views/projects/mirrors/pull/_authentication_method.html.haml
+++ b/ee/app/views/projects/mirrors/pull/_authentication_method.html.haml
- import_data = f.object
- regen_data = { auth_method: 'ssh_public_key', regenerate_ssh_private_key: true }
- ssh_public_key_present = import_data.ssh_public_key.present?
-.form-group
-  = f.label :auth_method, _('Authentication method'), class: 'label-bold'
-  = f.select :auth_method,
-      options_for_select([[_('Password'), 'password'], [_('SSH public key'), 'ssh_public_key']], import_data.auth_method),
-      {}, { class: "form-control js-pull-mirror-auth-type" }
-.form-group
-  .collapse.js-well-changing-auth
-    .changing-auth-method= icon('spinner spin lg')
-  .well-password-auth.collapse.js-well-password-auth
-    = f.label :password, _("Password"), class: "label-bold"
-    = f.password_field :password, value: import_data.password, class: 'form-control', autocomplete: 'new-password'
-  .well-ssh-auth.collapse.js-well-ssh-auth
-    %p.js-ssh-public-key-present{ class: ('collapse' unless ssh_public_key_present) }
-      = _('Here is the public SSH key that needs to be added to the remote server. For more information, please refer to the documentation.')
-    %p.js-ssh-public-key-pending{ class: ('collapse' if ssh_public_key_present) }
-      = _('An SSH key will be automatically generated when the form is submitted. For more information, please refer to the documentation.')
-    .clearfix.js-ssh-public-key-wrap{ class: ('collapse' unless ssh_public_key_present) }
-      %code.prepend-top-10.ssh-public-key
-        = import_data.ssh_public_key
-      = clipboard_button(text: import_data.ssh_public_key, title: _("Copy SSH public key to clipboard"), class: 'prepend-top-10 btn-copy-ssh-public-key')
-    = button_tag type: 'button',
-      data: { endpoint: project_mirror_path(@project, project: { import_data_attributes: regen_data }) },
-      class: "btn btn-inverted btn-warning prepend-top-10 js-btn-regenerate-ssh-key#{ ' collapse' unless ssh_public_key_present }" do
-      = icon('spinner spin', class: 'js-spinner d-none')
-      = _('Regenerate key')
-    = render 'projects/mirrors/pull/regenerate_public_ssh_key_confirm_modal'
--- a/ee/spec/models/project_import_data_spec.rb
+++ b/ee/spec/models/project_import_data_spec.rb
@@ -63,29 +63,33 @@ describe ProjectImportData do
  end
  describe 'credential fields accessors' do
-    let(:accessors) { %i[auth_method password ssh_known_hosts ssh_known_hosts_verified_at ssh_known_hosts_verified_by_id ssh_private_key user] }
+    %i[
+      auth_method
-    it { expect(described_class::CREDENTIALS_FIELDS).to contain_exactly(*accessors) }
+      password
+      ssh_known_hosts
-    where(:field) { described_class::CREDENTIALS_FIELDS }
+      ssh_known_hosts_verified_at
+      ssh_known_hosts_verified_by_id
-    with_them do
+      ssh_private_key
-      it 'sets the value in the credentials hash' do
+      user
-        import_data.send("#{field}=", 'foo')
+    ].each do |field|
+      context "#{field} accessor" do
-        expect(import_data.credentials[field]).to eq('foo')
+        it 'sets the value in the credentials hash' do
-      end
+          import_data.send("#{field}=", 'foo')
+          expect(import_data.credentials[field]).to eq('foo')
+        end
-      it 'sets a not-present value to nil' do
+        it 'sets a not-present value to nil' do
-        import_data.send("#{field}=", '')
+          import_data.send("#{field}=", '')
-        expect(import_data.credentials[field]).to be_nil
+          expect(import_data.credentials[field]).to be_nil
-      end
+        end
-      it 'returns the data in the credentials hash' do
+        it 'returns the data in the credentials hash' do
-        import_data.credentials[field] = 'foo'
+          import_data.credentials[field] = 'foo'
-        expect(import_data.send(field)).to eq('foo')
+          expect(import_data.send(field)).to eq('foo')
+        end
      end
    end
  end

--- a/lib/gitlab/git/remote_mirror.rb
+++ b/lib/gitlab/git/remote_mirror.rb
@@ -5,14 +5,24 @@ module Gitlab
    class RemoteMirror
      include Gitlab::Git::WrapsGitalyErrors
-      def initialize(repository, ref_name)
+      attr_reader :repository, :ref_name, :only_branches_matching, :ssh_key, :known_hosts
+      def initialize(repository, ref_name, only_branches_matching: [], ssh_key: nil, known_hosts: nil)
        @repository = repository
        @ref_name = ref_name
+        @only_branches_matching = only_branches_matching
+        @ssh_key = ssh_key
+        @known_hosts = known_hosts
      end
-      def update(only_branches_matching: [])
+      def update
        wrapped_gitaly_errors do
-          @repository.gitaly_remote_client.update_remote_mirror(@ref_name, only_branches_matching)
+          repository.gitaly_remote_client.update_remote_mirror(
+            ref_name,
+            only_branches_matching,
+            ssh_key: ssh_key,
+            known_hosts: known_hosts
+          )
        end
      end
    end

--- a/lib/gitlab/gitaly_client/remote_service.rb
+++ b/lib/gitlab/gitaly_client/remote_service.rb
@@ -68,13 +68,18 @@ module Gitlab
        encode_utf8(response.ref)
      end
-      def update_remote_mirror(ref_name, only_branches_matching)
+      def update_remote_mirror(ref_name, only_branches_matching, ssh_key: nil, known_hosts: nil)
        req_enum = Enumerator.new do |y|
-          y.yield Gitaly::UpdateRemoteMirrorRequest.new(
+          first_request = Gitaly::UpdateRemoteMirrorRequest.new(
            repository: @gitaly_repo,
            ref_name: ref_name
          )
+          first_request.ssh_key = ssh_key if ssh_key.present?
+          first_request.known_hosts = known_hosts if known_hosts.present?
+          y.yield(first_request)
          current_size = 0
          slices = only_branches_matching.slice_before do |branch_name|

--- a/lib/gitlab/gitaly_client/repository_service.rb
+++ b/lib/gitlab/gitaly_client/repository_service.rb
@@ -69,7 +69,7 @@ module Gitlab
          no_tags: no_tags, timeout: timeout, no_prune: !prune
        )
-        if ssh_auth&.ssh_import?
+        if ssh_auth&.ssh_mirror_url?
          if ssh_auth.ssh_key_auth? && ssh_auth.ssh_private_key.present?
            request.ssh_key = ssh_auth.ssh_private_key
          end

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2354,6 +2354,9 @@ msgstr ""
 msgid "Copy SSH clone URL"
 msgstr ""
+msgid "Copy SSH public key"
+msgstr ""
 msgid "Copy SSH public key to clipboard"
 msgstr ""

--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -15,6 +15,31 @@ describe Projects::MirrorsController do
        end.to change { RemoteMirror.count }.to(1)
      end
    end
+    context 'setting up SSH public-key authentication' do
+      let(:ssh_mirror_attributes) do
+        {
+          'auth_method' => 'ssh_public_key',
+          'url' => 'ssh://git@example.com',
+          'ssh_known_hosts' => 'test'
+        }
+      end
+      it 'processes a successful update' do
+        sign_in(project.owner)
+        do_put(project, remote_mirrors_attributes: { '0' => ssh_mirror_attributes })
+        expect(response).to redirect_to(project_settings_repository_path(project, anchor: 'js-push-remote-settings'))
+        expect(RemoteMirror.count).to eq(1)
+        expect(RemoteMirror.first).to have_attributes(
+          auth_method: 'ssh_public_key',
+          url: 'ssh://git@example.com',
+          ssh_public_key: match(/\Assh-rsa /),
+          ssh_known_hosts: 'test'
+        )
+      end
+    end
  end
  describe '#update' do

--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -132,6 +132,27 @@ describe 'Projects > Settings > Repository settings' do
      it 'shows push mirror settings', :js do
        expect(page).to have_selector('#mirror_direction')
      end
+      it 'generates an SSH public key on submission', :js do
+        fill_in 'url', with: 'ssh://user@localhost/project.git'
+        select 'SSH public key', from: 'Authentication method'
+        direction_select = find('#mirror_direction')
+        # In CE, this select box is disabled, but in EE, it is enabled
+        if direction_select.disabled?
+          expect(direction_select.value).to eq('push')
+        else
+          direction_select.select('Push')
+        end
+        Sidekiq::Testing.fake! do
+          click_button 'Mirror repository'
+        end
+        expect(page).to have_content('Mirroring settings were successfully updated')
+        expect(page).to have_selector('[title="Copy SSH public key"]')
+      end
    end
  end
 end
--- a/spec/lib/gitlab/git/remote_mirror_spec.rb
+++ b/spec/lib/gitlab/git/remote_mirror_spec.rb
+require 'spec_helper'
+describe Gitlab::Git::RemoteMirror do
+  describe '#update' do
+    let(:project) { create(:project, :repository) }
+    let(:repository) { project.repository }
+    let(:ref_name) { 'foo' }
+    let(:options) { { only_branches_matching: ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS' } }
+    subject(:remote_mirror) { described_class.new(repository, ref_name, **options) }
+    it 'delegates to the Gitaly client' do
+      expect(repository.gitaly_remote_client)
+        .to receive(:update_remote_mirror)
+        .with(ref_name, ['master'], ssh_key: 'KEY', known_hosts: 'KNOWN HOSTS')
+      remote_mirror.update
+    end
+    it 'wraps gitaly errors' do
+      expect(repository.gitaly_remote_client)
+        .to receive(:update_remote_mirror)
+        .and_raise(StandardError)
+      expect { remote_mirror.update }.to raise_error(StandardError)
+    end
+  end
+end
--- a/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/remote_service_spec.rb
@@ -68,6 +68,8 @@ describe Gitlab::GitalyClient::RemoteService do
  describe '#update_remote_mirror' do
    let(:ref_name) { 'remote_mirror_1' }
    let(:only_branches_matching) { ['my-branch', 'master'] }
+    let(:ssh_key) { 'KEY' }
+    let(:known_hosts) { 'KNOWN HOSTS' }
    it 'sends an update_remote_mirror message' do
      expect_any_instance_of(Gitaly::RemoteService::Stub)
@@ -75,7 +77,7 @@ describe Gitlab::GitalyClient::RemoteService do
        .with(kind_of(Enumerator), kind_of(Hash))
        .and_return(double(:update_remote_mirror_response))
-      client.update_remote_mirror(ref_name, only_branches_matching)
+      client.update_remote_mirror(ref_name, only_branches_matching, ssh_key: ssh_key, known_hosts: known_hosts)
    end
  end

--- a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
@@ -130,7 +130,7 @@ describe Gitlab::GitalyClient::RepositoryService do
    end
    context 'SSH auth' do
-      where(:ssh_import, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
+      where(:ssh_mirror_url, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
        false | false | 'key' | 'known_hosts' | {}
        false | true  | 'key' | 'known_hosts' | {}
        true  | false | 'key' | 'known_hosts' | { known_hosts: 'known_hosts' }
@@ -145,7 +145,7 @@ describe Gitlab::GitalyClient::RepositoryService do
        let(:ssh_auth) do
          double(
            :ssh_auth,
-            ssh_import?: ssh_import,
+            ssh_mirror_url?: ssh_mirror_url,
            ssh_key_auth?: ssh_key_auth,
            ssh_private_key: ssh_private_key,
            ssh_known_hosts: ssh_known_hosts

--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -222,14 +222,26 @@ describe RemoteMirror do
  context '#ensure_remote!' do
    let(:remote_mirror) { create(:project, :repository, :remote_mirror).remote_mirrors.first }
+    let(:project) { remote_mirror.project }
+    let(:repository) { project.repository }
    it 'adds a remote multiple times with no errors' do
-      expect(remote_mirror.project.repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
+      expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, remote_mirror.url).twice.and_call_original
      2.times do
        remote_mirror.ensure_remote!
      end
    end
+    context 'SSH public-key authentication' do
+      it 'omits the password from the URL' do
+        remote_mirror.update!(auth_method: 'ssh_public_key', url: 'ssh://git:pass@example.com')
+        expect(repository).to receive(:add_remote).with(remote_mirror.remote_name, 'ssh://git@example.com')
+        remote_mirror.ensure_remote!
+      end
+    end
  end
  context '#updated_since?' do

--- a/spec/serializers/project_mirror_entity_spec.rb
+++ b/spec/serializers/project_mirror_entity_spec.rb
+require 'spec_helper'
+describe ProjectMirrorEntity do
+  let(:project) { create(:project, :repository, :remote_mirror) }
+  let(:entity) { described_class.new(project) }
+  subject { entity.as_json }
+  it 'exposes project-specific elements' do
+    is_expected.to include(:id, :remote_mirrors_attributes)
+  end
+end
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
+require 'spec_helper'
+describe RemoteMirrorEntity do
+  let(:project) { create(:project, :repository, :remote_mirror) }
+  let(:remote_mirror) { project.remote_mirrors.first }
+  let(:entity) { described_class.new(remote_mirror) }
+  subject { entity.as_json }
+  it 'exposes remote-mirror-specific elements' do
+    is_expected.to include(
+      :id, :url, :enabled, :auth_method,
+      :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
+    )
+  end
+end
--- a/spec/services/projects/update_remote_mirror_service_spec.rb
+++ b/spec/services/projects/update_remote_mirror_service_spec.rb
@@ -16,7 +16,7 @@ describe Projects::UpdateRemoteMirrorService do
    end
    it "ensures the remote exists" do
-      stub_fetch_remote(project, remote_name: remote_name)
+      stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
      expect(remote_mirror).to receive(:ensure_remote!)
@@ -26,13 +26,13 @@ describe Projects::UpdateRemoteMirrorService do
    it "fetches the remote repository" do
      expect(project.repository)
        .to receive(:fetch_remote)
-        .with(remote_mirror.remote_name, no_tags: true)
+        .with(remote_mirror.remote_name, no_tags: true, ssh_auth: remote_mirror)
      service.execute(remote_mirror)
    end
    it "returns success when updated succeeds" do
-      stub_fetch_remote(project, remote_name: remote_name)
+      stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
      result = service.execute(remote_mirror)
@@ -41,7 +41,7 @@ describe Projects::UpdateRemoteMirrorService do
    context 'when syncing all branches' do
      it "push all the branches the first time" do
-        stub_fetch_remote(project, remote_name: remote_name)
+        stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
        expect(remote_mirror).to receive(:update_repository).with({})
@@ -51,7 +51,7 @@ describe Projects::UpdateRemoteMirrorService do
    context 'when only syncing protected branches' do
      it "sync updated protected branches" do
-        stub_fetch_remote(project, remote_name: remote_name)
+        stub_fetch_remote(project, remote_name: remote_name, ssh_auth: remote_mirror)
        protected_branch = create_protected_branch(project)
        remote_mirror.only_protected_branches = true
@@ -69,10 +69,10 @@ describe Projects::UpdateRemoteMirrorService do
    end
  end
-  def stub_fetch_remote(project, remote_name:)
+  def stub_fetch_remote(project, remote_name:, ssh_auth:)
    allow(project.repository)
      .to receive(:fetch_remote)
-      .with(remote_name, no_tags: true) { fetch_remote(project.repository, remote_name) }
+      .with(remote_name, no_tags: true, ssh_auth: ssh_auth) { fetch_remote(project.repository, remote_name) }
  end
  def fetch_remote(repository, remote_name)