Merge pull request #571 from thockin/v3_askpass_helper_simpler

v3: Clean up askpass_URL
2022-07-07 05:05:35 -07:00 · 2022-07-07 05:05:35 -07:00 · 7f8cfa7746
parent 25b93107c5 81c8b2f39e
commit 7f8cfa7746
3 changed files with 24 additions and 31 deletions
--- a/README.md
+++ b/README.md
@ -123,7 +123,7 @@ docker run -d \
 | `--ssh-known-hosts-file`   | GIT_SSH_KNOWN_HOSTS_FILE        | "/etc/git-secret/known_hosts" | the known_hosts file to use |
 | `--add-user`               | GIT_SYNC_ADD_USER               | false                         | add a record to /etc/passwd for the current UID/GID (needed to use SSH with a different UID) |
 | `--cookie-file`            | GIT_COOKIE_FILE                 | false                         | use git cookiefile |
-| `--askpass-url`            | GIT_ASKPASS_URL                 | ""                            | the URL for GIT_ASKPASS callback |
+| `--askpass-url`            | GIT_ASKPASS_URL                 | ""                            | the URL to query for a username and password for git auth |

 ## Flags which configure hooks

--- a/askpass_git.sh
+++ b/askpass_git.sh
@ -14,31 +14,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-# Ask pass when cloning new repo, fail if it mismatched the magic password.
+# This script uses the in-container shell which is limited.  For example, it
+# does not support the 'pipefail' option.
+set -o errexit
+set -o nounset

-mkdir -p "${XDG_CONFIG_HOME}/git/"
-# Override the default 'git --global' config location, the default location
-# outside the e2e test environment. See https://git-scm.com/docs/git-config
-touch "${XDG_CONFIG_HOME}/git/config"
-# Override the default 'git credential store' config location, the default location
-# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store
-touch "${XDG_CONFIG_HOME}/git/credentials"
-
-if [ "$1" != "clone" -a "$1" != "ls-remote" -a "$1" != "fetch" ]; then
-  git "$@"
-  exit $?
-fi
-
-# `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
-# Askpass git only support repo started with "file://" which is used in test_e2e.sh.
-REPO=$(echo "$@" | grep -o "file://[^ ]*")
-OUTPUT=$(echo "url=${REPO}" | git credential fill)
-USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
-PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
-# Test case must match the magic username and password below.
-if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
-  echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
-  exit 1
+# Ask pass some ops, fail if it mismatched the magic password.
+if [ "$1" = "clone" -o "$1" = "ls-remote" -o "$1" = "fetch" ]; then
+    # `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
+    # Askpass git only support repo started with "file://" which is used in test_e2e.sh.
+    REPO=$(echo "$@" | grep -o "file://[^ ]*")
+    OUTPUT=$(echo "url=${REPO}" | git credential fill)
+    USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
+    PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
+    # Test case must match the magic username and password below.
+    if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
+        echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
+        exit 1
+    fi
 fi

 git "$@"
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@ -121,7 +121,7 @@ var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false),
 	"use git cookiefile")

 var flAskPassURL = flag.String("askpass-url", envString("GIT_ASKPASS_URL", ""),
-	"the URL for GIT_ASKPASS callback")
+	"the URL to query for a username and password for git auth")

 var flGitCmd = flag.String("git", envString("GIT_SYNC_GIT", "git"),
 	"the git command to run (subject to PATH search, mostly for testing)")
@ -1025,11 +1025,11 @@ func revIsHash(ctx context.Context, rev, gitRoot string) (bool, error) {
 // returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened
 func syncRepo(ctx context.Context, repo, branch, rev string, depth int, gitRoot, dest string, authURL string, submoduleMode string) (bool, string, error) {
 	if authURL != "" {
-		// For ASKPASS Callback URL, the credentials behind is dynamic, it needs to be
+		// When using an auth URL, the credentials can be dynamic, it needs to be
 		// re-fetched each time.
 		if err := callGitAskPassURL(ctx, authURL); err != nil {
 			askpassCount.WithLabelValues(metricKeyError).Inc()
-			return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err)
+			return false, "", fmt.Errorf("failed to get credentials from auth URL: %v", err)
 		}
 		askpassCount.WithLabelValues(metricKeySuccess).Inc()
 	}
@ -1093,7 +1093,7 @@ func getRevs(ctx context.Context, repo, localDir, branch, rev string) (string, s
 }

 func setupGitAuth(ctx context.Context, username, password, gitURL string) error {
-	log.V(1).Info("setting up git credential store")
+	log.V(3).Info("storing git credentials")

 	_, err := cmdRunner.Run(ctx, "", nil, *flGitCmd, "config", "--global", "credential.helper", "store")
 	if err != nil {
@ -1155,12 +1155,12 @@ func setupGitCookieFile(ctx context.Context) error {
 	return nil
 }

-// The expected ASKPASS callback output are below,
+// The expected URL callback output is below,
 // see https://git-scm.com/docs/gitcredentials for more examples:
 // username=xxx@example.com
 // password=xxxyyyzzz
 func callGitAskPassURL(ctx context.Context, url string) error {
-	log.V(1).Info("calling GIT_ASKPASS URL to get credentials")
+	log.V(2).Info("calling auth URL to get credentials")

 	var netClient = &http.Client{
 		Timeout: time.Second * 1,