diff --git a/askpass_git.sh b/askpass_git.sh index cac75eb..cde34ee 100755 --- a/askpass_git.sh +++ b/askpass_git.sh @@ -14,31 +14,24 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Ask pass when cloning new repo, fail if it mismatched the magic password. +# This script uses the in-container shell which is limited. For example, it +# does not support the 'pipefail' option. +set -o errexit +set -o nounset -mkdir -p "${XDG_CONFIG_HOME}/git/" -# Override the default 'git --global' config location, the default location -# outside the e2e test environment. See https://git-scm.com/docs/git-config -touch "${XDG_CONFIG_HOME}/git/config" -# Override the default 'git credential store' config location, the default location -# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store -touch "${XDG_CONFIG_HOME}/git/credentials" - -if [ "$1" != "clone" -a "$1" != "ls-remote" -a "$1" != "fetch" ]; then - git "$@" - exit $? -fi - -# `git credential fill` requires the repo url match to consume the credentials stored by git-sync. -# Askpass git only support repo started with "file://" which is used in test_e2e.sh. -REPO=$(echo "$@" | grep -o "file://[^ ]*") -OUTPUT=$(echo "url=${REPO}" | git credential fill) -USERNAME=$(echo "${OUTPUT}" | grep "^username=.*") -PASSWD=$(echo "${OUTPUT}" | grep "^password=.*") -# Test case must match the magic username and password below. -if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then - echo "invalid test username/password pair: ${USERNAME}:${PASSWD}" - exit 1 +# Ask pass some ops, fail if it mismatched the magic password. +if [ "$1" = "clone" -o "$1" = "ls-remote" -o "$1" = "fetch" ]; then + # `git credential fill` requires the repo url match to consume the credentials stored by git-sync. + # Askpass git only support repo started with "file://" which is used in test_e2e.sh. + REPO=$(echo "$@" | grep -o "file://[^ ]*") + OUTPUT=$(echo "url=${REPO}" | git credential fill) + USERNAME=$(echo "${OUTPUT}" | grep "^username=.*") + PASSWD=$(echo "${OUTPUT}" | grep "^password=.*") + # Test case must match the magic username and password below. + if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then + echo "invalid test username/password pair: ${USERNAME}:${PASSWD}" + exit 1 + fi fi git "$@" diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go index 3f05586..cdb1839 100644 --- a/cmd/git-sync/main.go +++ b/cmd/git-sync/main.go @@ -1246,11 +1246,11 @@ func (git *repoSync) ResolveRef(ctx context.Context, ref string) (string, error) // returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened func (git *repoSync) SyncRepo(ctx context.Context) (bool, string, error) { if git.authURL != "" { - // For ASKPASS Callback URL, the credentials behind is dynamic, it needs to be + // When using an auth URL, the credentials can be dynamic, it needs to be // re-fetched each time. if err := git.CallAskPassURL(ctx); err != nil { askpassCount.WithLabelValues(metricKeyError).Inc() - return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err) + return false, "", fmt.Errorf("failed to get credentials from auth URL: %v", err) } askpassCount.WithLabelValues(metricKeySuccess).Inc() } @@ -1317,7 +1317,7 @@ func (git *repoSync) GetRevs(ctx context.Context) (string, string, error) { // SetupAuth configures the local git repo to use a username and password when // accessing the repo. func (git *repoSync) SetupAuth(ctx context.Context, username, password string) error { - git.log.V(1).Info("setting up git credential store") + git.log.V(3).Info("storing git credentials") _, err := git.run.Run(ctx, "", nil, git.cmd, "config", "--global", "credential.helper", "store") if err != nil { @@ -1379,12 +1379,12 @@ func (git *repoSync) SetupCookieFile(ctx context.Context) error { // CallAskPassURL consults the specified URL looking for git credentials in the // response. // -// The expected ASKPASS callback output are below, +// The expected URL callback output is below, // see https://git-scm.com/docs/gitcredentials for more examples: // username=xxx@example.com // password=xxxyyyzzz func (git *repoSync) CallAskPassURL(ctx context.Context) error { - git.log.V(1).Info("calling GIT_ASKPASS URL to get credentials") + git.log.V(2).Info("calling auth URL to get credentials") var netClient = &http.Client{ Timeout: time.Second * 1,