Clean up askpass_URL

* Tighten git e2e shim
  - exit on errors'
  - simpler
  - don't set XDG_CONFIG_HOME

* Reword help strings and logs

README.md

@@ -123,7 +123,7 @@ docker run -d \
 | `--ssh-known-hosts-file`   | GIT_SSH_KNOWN_HOSTS_FILE        | "/etc/git-secret/known_hosts" | the known_hosts file to use |
 | `--add-user`               | GIT_SYNC_ADD_USER               | false                         | add a record to /etc/passwd for the current UID/GID (needed to use SSH with a different UID) |
 | `--cookie-file`            | GIT_COOKIE_FILE                 | false                         | use git cookiefile |
-| `--askpass-url`            | GIT_ASKPASS_URL                 | ""                            | the URL for GIT_ASKPASS callback |
+| `--askpass-url`            | GIT_ASKPASS_URL                 | ""                            | the URL to query for a username and password for git auth |
 
 ## Flags which configure hooks
 

askpass_git.sh

@@ -14,31 +14,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Ask pass when cloning new repo, fail if it mismatched the magic password.
+# This script uses the in-container shell which is limited.  For example, it
+# does not support the 'pipefail' option.
+set -o errexit
+set -o nounset
 
-mkdir -p "${XDG_CONFIG_HOME}/git/"
+# Ask pass some ops, fail if it mismatched the magic password.
-# Override the default 'git --global' config location, the default location
+if [ "$1" = "clone" -o "$1" = "ls-remote" -o "$1" = "fetch" ]; then
-# outside the e2e test environment. See https://git-scm.com/docs/git-config
+    # `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
-touch "${XDG_CONFIG_HOME}/git/config"
+    # Askpass git only support repo started with "file://" which is used in test_e2e.sh.
-# Override the default 'git credential store' config location, the default location
+    REPO=$(echo "$@" | grep -o "file://[^ ]*")
-# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store
+    OUTPUT=$(echo "url=${REPO}" | git credential fill)
-touch "${XDG_CONFIG_HOME}/git/credentials"
+    USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
-
+    PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
-if [ "$1" != "clone" -a "$1" != "ls-remote" -a "$1" != "fetch" ]; then
+    # Test case must match the magic username and password below.
-  git "$@"
+    if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
-  exit $?
+        echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
-fi
+        exit 1
-
+    fi
-# `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
-# Askpass git only support repo started with "file://" which is used in test_e2e.sh.
-REPO=$(echo "$@" | grep -o "file://[^ ]*")
-OUTPUT=$(echo "url=${REPO}" | git credential fill)
-USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
-PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
-# Test case must match the magic username and password below.
-if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
-  echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
-  exit 1
 fi
 
 git "$@"

cmd/git-sync/main.go

@@ -121,7 +121,7 @@ var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false),
 	"use git cookiefile")
 
 var flAskPassURL = flag.String("askpass-url", envString("GIT_ASKPASS_URL", ""),
-	"the URL for GIT_ASKPASS callback")
+	"the URL to query for a username and password for git auth")
 
 var flGitCmd = flag.String("git", envString("GIT_SYNC_GIT", "git"),
 	"the git command to run (subject to PATH search, mostly for testing)")
@@ -1025,11 +1025,11 @@ func revIsHash(ctx context.Context, rev, gitRoot string) (bool, error) {
 // returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened
 func syncRepo(ctx context.Context, repo, branch, rev string, depth int, gitRoot, dest string, authURL string, submoduleMode string) (bool, string, error) {
 	if authURL != "" {
-		// For ASKPASS Callback URL, the credentials behind is dynamic, it needs to be
+		// When using an auth URL, the credentials can be dynamic, it needs to be
 		// re-fetched each time.
 		if err := callGitAskPassURL(ctx, authURL); err != nil {
 			askpassCount.WithLabelValues(metricKeyError).Inc()
-			return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err)
+			return false, "", fmt.Errorf("failed to get credentials from auth URL: %v", err)
 		}
 		askpassCount.WithLabelValues(metricKeySuccess).Inc()
 	}
@@ -1093,7 +1093,7 @@ func getRevs(ctx context.Context, repo, localDir, branch, rev string) (string, s
 }
 
 func setupGitAuth(ctx context.Context, username, password, gitURL string) error {
-	log.V(1).Info("setting up git credential store")
+	log.V(3).Info("storing git credentials")
 
 	_, err := cmdRunner.Run(ctx, "", nil, *flGitCmd, "config", "--global", "credential.helper", "store")
 	if err != nil {
@@ -1155,12 +1155,12 @@ func setupGitCookieFile(ctx context.Context) error {
 	return nil
 }
 
-// The expected ASKPASS callback output are below,
+// The expected URL callback output is below,
 // see https://git-scm.com/docs/gitcredentials for more examples:
 // username=xxx@example.com
 // password=xxxyyyzzz
 func callGitAskPassURL(ctx context.Context, url string) error {
-	log.V(1).Info("calling GIT_ASKPASS URL to get credentials")
+	log.V(2).Info("calling auth URL to get credentials")
 
 	var netClient = &http.Client{
 		Timeout: time.Second * 1,