Fixes after 20231123

Author: nicholasdille

150_gitlab/030_authentication/slides.md

@@ -55,7 +55,7 @@ Project Deploy SSH Key (read-write) [<i class="fa-solid fa-arrow-up-right-from-s
 
 ---
 
-## Caveats
+## Caveats 1/
 
 ### Token creation can be tricky
 
@@ -76,3 +76,61 @@ Role: Developer
 Scope: `read_repository`
 
 User can pull but not push
+
+---
+
+## Caveats 2/2
+
+Deploy keys belong to a user who can be blocked <i class="fa-solid fa-face-scream"></i> [gitlab-org/gitlab#35779](https://gitlab.com/gitlab-org/gitlab/-/issues/35779)
+
+Find and fix deploy keys using Ruby code in rals console [](https://docs.gitlab.com/ee/user/project/deploy_keys/#identify-deploy-keys-associated-with-non-member-and-blocked-users)
+
+```ruby
+DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
+  project = deploy_key_mapping.project
+  deploy_key = deploy_key_mapping.deploy_key
+  user = deploy_key.user
+
+  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)
+  can_push = access_checker.can_do_action?(:push_code)
+  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)
+
+  next if access_checker.allowed? && can_push && can_push_to_default
+
+  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
+       ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
+       ", User: #{user.username}, User ID: #{user.id}, User state: #{user.state}"
+end
+```
+
+---
+
+## Comparison
+
+| | Password | Personal Access Token | Personal SSH Key | Group Access Token | Group Deploy Token | Project Access Token | Project Deploy Token | Project SSH Key (0) |
+|-|-|-|-|-|-|-|-|-|
+| Access to Web UI            | Yes          | No      | No       | No          | No          | No      | No      | No          |
+| Access to API               | Indirect (1) | Yes     | No       | Yes (2)     | No          | Yes (3) | No      | No          |
+| Read git repository         | Yes          | Yes     | Yes      | Yes         | Yes         | Yes     | Yes     | Yes         |
+| Write git repository        | Yes          | Yes     | Yes      | Yes         | No          | Yes     | No      | No          |
+| Access CI variables         | Yes          | Yes (4) | No       | Yes (4)     | No          | Yes (4) | No      | No          |
+| Access scope                | User         | User    | User     | Group       | Group       | Project | Project | Project     |
+| Credential reuse (5)        | Possible     | No      | Possible | No          | No          | No      | No      | Possible    |
+| Impact of security incident | High         | High    | High     | Medium      | Medium      | Low     | Low     | Medium      |
+| Recommendation              | No           | No      | No       | Limited (6) | Limited (6) | Yes     | Yes     | Limited (6) |
+
+<!-- .element: style="font-size: large;" -->
+
+(0) XXX
+
+(1) Username and password can be used to retrieve a personal access token
+
+(2) Group only
+
+(3) Project only
+
+(4) API only
+
+(5) Can be used for multiple accounts and on multiple systems
+
+(6) Acceptable for automation to avoid many project credentials

150_gitlab/090_maintenance/slides.md

@@ -12,10 +12,12 @@
 
 ### Messages
 
-Show a banner announcing maintenance work
+Show a banner announcing maintenance work [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/ee/administration/broadcast_messages.html)
 
 Configure under Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Messages
 
+Can also show up in git response
+
 ### Maintenance Mode (Premium feature)
 
 Switch GitLab into read-only mode [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/ee/administration/maintenance_mode/)
@@ -26,14 +28,9 @@ Switch GitLab into read-only mode [<i class="fa-solid fa-arrow-up-right-from-squ
 
 <i class="fa-brands fa-git-alt fa-4x" style="float: right;"></i>
 
-Configure under Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Repository
-
-### Settings
-
-Runs `git fsck` to find silent disk corruption
-
-Incremental `git repack` after 10 pushes
-
-Full `git repack` after 50 pushes
+Configure under Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Repository <i class="fa-regular fa-arrow-right"></i> Repository Maintenance
 
-`git gc` after 200 pushes
+Regular execution of...
+- `git fsck`
+- `git repack` (incremental and full)
+- `git gc`

150_gitlab/140_troubleshooting/slides.md

@@ -69,6 +69,12 @@ Debug SSH connection and authentication:
 ssh -Tvvv -i id_rsa git@gitlab.<DOMAIN>
 ```
 
+Find user for given SSH key fingerprint:
+
+```bash
+curl --silent --header "Private-Token: admin-private-token" https://gitlab.haufedev.systems/api/v4/keys?fingerprint=d0:6d:2e:bb:fb:27:f1:6e:80:6c:16:b2:be:c6:d8:00 | jq
+```
+
 ---
 
 ## Tokens

150_gitlab/160_runner/slides.md

@@ -32,7 +32,7 @@ New default in 16.0 (May 2023)
 
 Enforcement in 16.6 (November 2023)
 
-Removal of old runne registration in 17.0 (May 2024)
+Removal of old runner registration in 17.0 (May 2024)
 
 ### Old process
 

2023-11-23_heise-GitLab-Ops.html

@@ -167,7 +167,7 @@
 
 ~~2023-11-23: Workshop [GitLab Ops](https://heise-academy.de/schulungen/einfuehrung-in-gitlab) (1 day)~~
 
-2023-11-30 / 2023-11-07: Workshop [GitLab CI](https://heise-academy.de/schulungen/cicd-gitlab) (2 days)
+2023-11-30 / 2023-12-07: Workshop [GitLab CI](https://heise-academy.de/schulungen/cicd-gitlab) (2 days)
 </textarea></section>
 </div>
 </div>

2023-11-23_heise-GitLab-Ops.md

@@ -1,20 +1,6 @@
 # GitLab Ops
 
-Neue UI 16
-
-Tabelle für Tokens
-
-User Preferences - Auth Log
-
-Vorinstallation glab
-
-Messages in git response?!
-https://docs.gitlab.com/ee/administration/broadcast_messages.html
-
 Repo housekeeping fewer options
-
-runne
-
-2023-11-07
+https://docs.gitlab.com/ee/administration/housekeeping.html
 
 https://micro.dev/