kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up askpass_URL 

* Tighten git e2e shim
  - exit on errors
  - simpler
  - don't set XDG_CONFIG_HOME

* Reword logs
This commit is contained in:
Tim Hockin 2022-06-25 11:08:31 -07:00
parent 3719d0385e
commit e40079fa8d
2 changed files with 22 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
askpass_git.sh
View File

@ -14,31 +14,24 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# Ask pass when cloning new repo, fail if it mismatched the magic password. # This script uses the in-container shell which is limited. For example, it
# does not support the 'pipefail' option.
set -o errexit
set -o nounset
mkdir -p "${XDG_CONFIG_HOME}/git/" # Ask pass some ops, fail if it mismatched the magic password.
# Override the default 'git --global' config location, the default location if [ "$1" = "clone" -o "$1" = "ls-remote" -o "$1" = "fetch" ]; then
# outside the e2e test environment. See https://git-scm.com/docs/git-config # `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
touch "${XDG_CONFIG_HOME}/git/config" # Askpass git only support repo started with "file://" which is used in test_e2e.sh.
# Override the default 'git credential store' config location, the default location REPO=$(echo "$@" | grep -o "file://[^ ]*")
# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store OUTPUT=$(echo "url=${REPO}" | git credential fill)
touch "${XDG_CONFIG_HOME}/git/credentials" USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
if [ "$1" != "clone" -a "$1" != "ls-remote" -a "$1" != "fetch" ]; then # Test case must match the magic username and password below.
git "$@" if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
exit $?
fi
# `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
# Askpass git only support repo started with "file://" which is used in test_e2e.sh.
REPO=$(echo "$@" | grep -o "file://[^ ]*")
OUTPUT=$(echo "url=${REPO}" | git credential fill)
USERNAME=$(echo "${OUTPUT}" | grep "^username=.*")
PASSWD=$(echo "${OUTPUT}" | grep "^password=.*")
# Test case must match the magic username and password below.
if [ "${USERNAME}" != "username=my-username" -o "${PASSWD}" != "password=my-password" ]; then
echo "invalid test username/password pair: ${USERNAME}:${PASSWD}" echo "invalid test username/password pair: ${USERNAME}:${PASSWD}"
exit 1 exit 1
fi
fi fi
git "$@" git "$@"

10
cmd/git-sync/main.go
View File

@ -1246,11 +1246,11 @@ func (git *repoSync) ResolveRef(ctx context.Context, ref string) (string, error)
// returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened // returns (1) whether a change occured, (2) the new hash, and (3) an error if one happened
func (git *repoSync) SyncRepo(ctx context.Context) (bool, string, error) { func (git *repoSync) SyncRepo(ctx context.Context) (bool, string, error) {
if git.authURL != "" { if git.authURL != "" {
// For ASKPASS Callback URL, the credentials behind is dynamic, it needs to be // When using an auth URL, the credentials can be dynamic, it needs to be
// re-fetched each time. // re-fetched each time.
if err := git.CallAskPassURL(ctx); err != nil { if err := git.CallAskPassURL(ctx); err != nil {
askpassCount.WithLabelValues(metricKeyError).Inc() askpassCount.WithLabelValues(metricKeyError).Inc()
return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err) return false, "", fmt.Errorf("failed to get credentials from auth URL: %v", err)
} }
askpassCount.WithLabelValues(metricKeySuccess).Inc() askpassCount.WithLabelValues(metricKeySuccess).Inc()
} }
@ -1317,7 +1317,7 @@ func (git *repoSync) GetRevs(ctx context.Context) (string, string, error) {
// SetupAuth configures the local git repo to use a username and password when // SetupAuth configures the local git repo to use a username and password when
// accessing the repo. // accessing the repo.
func (git *repoSync) SetupAuth(ctx context.Context, username, password string) error { func (git *repoSync) SetupAuth(ctx context.Context, username, password string) error {
git.log.V(1).Info("setting up git credential store") git.log.V(3).Info("storing git credentials")
_, err := git.run.Run(ctx, "", nil, git.cmd, "config", "--global", "credential.helper", "store") _, err := git.run.Run(ctx, "", nil, git.cmd, "config", "--global", "credential.helper", "store")
if err != nil { if err != nil {
@ -1379,12 +1379,12 @@ func (git *repoSync) SetupCookieFile(ctx context.Context) error {
// CallAskPassURL consults the specified URL looking for git credentials in the // CallAskPassURL consults the specified URL looking for git credentials in the
// response. // response.
// //
// The expected ASKPASS callback output are below, // The expected URL callback output is below,
// see https://git-scm.com/docs/gitcredentials for more examples: // see https://git-scm.com/docs/gitcredentials for more examples:
// username=xxx@example.com // username=xxx@example.com
// password=xxxyyyzzz // password=xxxyyyzzz
func (git *repoSync) CallAskPassURL(ctx context.Context) error { func (git *repoSync) CallAskPassURL(ctx context.Context) error {
git.log.V(1).Info("calling GIT_ASKPASS URL to get credentials") git.log.V(2).Info("calling auth URL to get credentials")
var netClient = &http.Client{ var netClient = &http.Client{
Timeout: time.Second * 1, Timeout: time.Second * 1,