From 81c8b2f39edc9b83a38959a9a901e439bbd9bcc6 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Sat, 25 Jun 2022 11:08:31 -0700
Subject: [PATCH] Clean up askpass_URL
* Tighten git e2e shim
- exit on errors'
- simpler
- don't set XDG_CONFIG_HOME
* Reword help strings and logs
---
README.md | 2 +-
askpass_git.sh | 41 +++++++++++++++++------------------------
cmd/git-sync/main.go | 12 ++++++------
3 files changed, 24 insertions(+), 31 deletions(-)
diff --git a/README.md b/README.md
index d65fd80..f12e878 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ docker run -d \
 | `--ssh-known-hosts-file` | GIT_SSH_KNOWN_HOSTS_FILE | "/etc/git-secret/known_hosts" | the known_hosts file to use |
 | `--add-user` | GIT_SYNC_ADD_USER | false | add a record to /etc/passwd for the current UID/GID (needed to use SSH with a different UID) |
 | `--cookie-file` | GIT_COOKIE_FILE | false | use git cookiefile |
-| `--askpass-url` | GIT_ASKPASS_URL | "" | the URL for GIT_ASKPASS callback |
+| `--askpass-url` | GIT_ASKPASS_URL | "" | the URL to query for a username and password for git auth |
 ## Flags which configure hooks
diff --git a/askpass_git.sh b/askpass_git.sh
index cac75eb..cde34ee 100755
--- a/askpass_git.sh
+++ b/askpass_git.sh
@@ -14,31 +14,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# Ask pass when cloning new repo, fail if it mismatched the magic password.
+# This script uses the in-container shell which is limited. For example, it
+# does not support the 'pipefail' option.
+set -o errexit
+set -o nounset
-mkdir -p "${XDG_CONFIG_HOME}/git/"
-# Override the default 'git --global' config location, the default location
-# outside the e2e test environment. See https://git-scm.com/docs/git-config
-touch "${XDG_CONFIG_HOME}/git/config"
-# Override the default 'git credential store' config location, the default location
-# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store
-touch "${XDG_CONFIG_HOME}/git/credentials"
-
-if [ "$1" != "clone" -a "$1" != "ls-remote" -a "$1" != "fetch" ]; then
- git "$@"
- exit $?
-fi
-
-# `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
-# Askpass git only support repo started with "file://" which is used in test_e2e.sh.
-REPO=$(echo "$@" | grep -o "file://[^ ]*")
-OUTPUT=$(echo "url=${REPO}" | git credential fill)
-USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
-PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
-# Test case must match the magic username and password below.
-if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
- echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
- exit 1
+# Ask pass some ops, fail if it mismatched the magic password.
+if [ "$1" = "clone" -o "$1" = "ls-remote" -o "$1" = "fetch" ]; then
+ # `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
+ # Askpass git only support repo started with "file://" which is used in test_e2e.sh.
+ REPO=$(echo "$@" | grep -o "file://[^ ]*")
+ OUTPUT=$(echo "url=${REPO}" | git credential fill)
+ USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
+ PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
+ # Test case must match the magic username and password below.
+ if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
+ echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
+ exit 1
+ fi
 fi
 git "$@"
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index c9c107e..083d04c 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -121,7 +121,7 @@ var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false),
 "use git cookiefile")
 var flAskPassURL = flag.String("askpass-url", envString("GIT_ASKPASS_URL", ""),
- "the URL for GIT_ASKPASS callback")
+ "the URL to query for a username and password for git auth")
 var flGitCmd = flag.String("git", envString("GIT_SYNC_GIT", "git"),
 "the git command to run (subject to PATH search, mostly for testing)")
@@ -1025,11 +1025,11 @@ func revIsHash(ctx context.Context, rev, gitRoot string) (bool, error) {
 // returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened
 func syncRepo(ctx context.Context, repo, branch, rev string, depth int, gitRoot, dest string, authURL string, submoduleMode string) (bool, string, error) {
 if authURL != "" {
- // For ASKPASS Callback URL, the credentials behind is dynamic, it needs to be
+ // When using an auth URL, the credentials can be dynamic, it needs to be
 // re-fetched each time.
 if err := callGitAskPassURL(ctx, authURL); err != nil {
 askpassCount.WithLabelValues(metricKeyError).Inc()
- return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err)
+ return false, "", fmt.Errorf("failed to get credentials from auth URL: %v", err)
 }
 askpassCount.WithLabelValues(metricKeySuccess).Inc()
 }
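Review bot: With `set -o errexit` now in effect, the `REPO=$(... | grep -o ...)`, `USERNAME=$(... | grep ...)` and `PASSWD=$(... | grep ...)` assignments abort the script the moment grep finds no match, so a non-`file://` repo argument or an empty credential store now exits silently instead of reaching the `invalid test username/password pair` diagnostic that the old code fell through to. If that fall-through is still wanted, append `|| true` to each of the three grep pipelines, e.g. `REPO=$(echo "$@" | grep -o "file://[^ ]*" || true)`. `set -o nounset` has the same effect on `"$1"` when the shim is invoked with no arguments; `"${1:-}"` in the test keeps the plain `git "$@"` path reachable. Separately, the diagnostic echo writes the fetched password to the test output, and since the comparison already identifies the mismatch, `echo "invalid test username/password pair for ${REPO}"` avoids putting a credential into logs.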
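Review bot: The reworded error return in syncRepo, `fmt.Errorf("failed to get credentials from auth URL: %v", err)`, still formats the cause with `%v`, which flattens it to text and prevents callers from using `errors.Is`/`errors.As` on whatever callGitAskPassURL returned; `%w` keeps the chain, and the `failed to` prefix becomes redundant once errors are wrapped: `return false, "", fmt.Errorf("getting credentials from auth URL: %w", err)`. This assumes the module targets Go 1.13 or later, which the hunk does not show. The reworded comment on the line above keeps the typo in the context line `// returns (1) whether a change occured`, so `occurred` could be fixed in the same pass. syncRepo's body continues past the hunk.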
@@ -1093,7 +1093,7 @@ func getRevs(ctx context.Context, repo, localDir, branch, rev string) (string, s
 }
 func setupGitAuth(ctx context.Context, username, password, gitURL string) error {
- log.V(1).Info("setting up git credential store")
+ log.V(3).Info("storing git credentials")
 _, err := cmdRunner.Run(ctx, "", nil, *flGitCmd, "config", "--global", "credential.helper", "store")
 if err != nil {
@@ -1155,12 +1155,12 @@ func setupGitCookieFile(ctx context.Context) error {
 return nil
 }
-// The expected ASKPASS callback output are below,
+// The expected URL callback output is below,
 // see https://git-scm.com/docs/gitcredentials for more examples:
 // username=xxx@example.com
 // password=xxxyyyzzz
 func callGitAskPassURL(ctx context.Context, url string) error {
- log.V(1).Info("calling GIT_ASKPASS URL to get credentials")
+ log.V(2).Info("calling auth URL to get credentials")
 var netClient = &http.Client{
 Timeout: time.Second * 1,
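Review bot: The log in setupGitAuth moves to `log.V(3)` while the companion message in callGitAskPassURL (the following hunk) moves to `log.V(2)`, so the two steps of one credential flow now appear at different verbosities and a `-v 2` run will show the fetch but not the store; one level for both, `log.V(2).Info("storing git credentials")`, keeps them visible together when debugging auth. The new wording also drops the hint that this configures the `store` helper, which the next line sets via `git config --global credential.helper store` and which persists credentials unencrypted on disk; a one-line comment above the log, `// credential.helper=store keeps the username/password on disk in plaintext; never log the values here.`, preserves that context for the reader. setupGitAuth continues past the hunk, so I cannot see whether username or password reach any later log call.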