Add pure SSH LFS support

[ConcurrentCrab]

Fixes #17554
/claim #17554

Docs PR https://gitea.com/gitea/docs/pulls/49

To test, run pushes like: GIT_TRACE=1 git push. The trace output should mention "pure SSH connection".

[ConcurrentCrab]

@lunny added copyright headers.

[ConcurrentCrab]

Improved error handling.

[ConcurrentCrab]

Accidentally resolved the conversation about DB connections above, but reiterating:

Pushes and clones work... but there's sometimes (by which I mean decently reproducible) bug where after transferring and verification and everything... the connection just hangs for almost exactly 120 seconds. After which it just ends gracefully and git proceeds with its push.

It's particularly nasty, I have no leads on it yet. The best I can figure out is that it looks like the git-lfs client seems to not send the quit command that it should at the end of the protocol, or that it isn't coming through.

[ConcurrentCrab]

Added locking API support.

Well at least I figured out what's causing the hang. Setting lfs.ssh.automultiplex to false on the client side:
https://github.com/git-lfs/git-lfs/blob/8e36a03d85bf05bbca004dd7e8b55b147809b3e0/docs/man/git-lfs-config.adoc?plain=1#L90
gets rid of the hang. The bad news is that it's true by default.

I think this is feature interacting badly with the SSH server?

I traced the traffic, and indeed, something weird is happening on the client side. Git LFS spawns several workers each making its own connection. In a multiplexed connection, only the "first" spawn of the our commands gets a quit message. The rest of them have to wait 120 seconds for an EOF. I'm almost tempted to believe this is a bug on the git-lfs client side.

Can you check and see if this is reproducible in your environments?

[ConcurrentCrab]

Yeah, I'm not going crazy. This commit:
git-lfs/git-lfs@44b8801
breaks pure SSH LFS sessions.

And this has history, it isn't even the first time lol:
git-lfs/git-lfs#5537

[ConcurrentCrab]

just made: git-lfs/git-lfs#5816

[lafriks]

As pointed in quite some places already but all should be fixed

[ConcurrentCrab]

@lafriks adressed the url joins.

[lunny]

Yes

[ConcurrentCrab]

Okay, I see, that was the part I was missing. This conversation would've been a lot shorter otherwise. This way it's not an obvious bug because the paths don't conflict with the existing public paths (though I still don't quite grasp to what ends).

[ConcurrentCrab]

@lunny added private API. Used a /repo prefix so the path parameters don't accidentally match other internal APIs.

[lunny]

@lunny added private API. Used a /repo prefix so the path parameters don't accidentally match other internal APIs.

Thank you for the change and I think you also need to change the client code.

[ConcurrentCrab]

Ah right, my bad.

[ConcurrentCrab]

Just a sec, missed adding the internal token header there...

[ConcurrentCrab]

So this is getting ugly pretty quick. The LFS handler APIs are hardcoded to require a JWT token (and this is necessary to check user permissions on the repo) as the Authorisation header. But the internal APIs need the header for their own token.

[6543]

I would be fine with the current state, just mention the lfs pull on the docu and the example ini next to tje enable option

[lunny]

It looks like LFS_ALLOW_PURE_SSH hasn't been read from [lfs] but [server]. Otherwise I can test it successfully. And you need to add an example in app.example.ini file.

[ConcurrentCrab]

It looks like LFS_ALLOW_PURE_SSH hasn't been read from [lfs] but [server]. Otherwise I can test it successfully. And you need to add an example in app.example.ini file.

I added it under server because LFS_START_SERVER was there already.

[lunny]

It looks like LFS_ALLOW_PURE_SSH hasn't been read from [lfs] but [server]. Otherwise I can test it successfully. And you need to add an example in app.example.ini file.

I added it under server because LFS_START_SERVER was there already.

OK. It's a legacy problem. So could you add example in app.example.ini?

[ConcurrentCrab]

@lunny added it to the example config.