Change git credential from cache to store and also add test for username/password case #217
username/password case.

For cache to store change:
* By default, cache only lasts 900 seconds; gitsync will break after that. See https://git-scm.com/docs/git-credential-cache.
* The test won't work with cache since the test doesn't have access to the default unix socket location; XDG_CACHE_HOME override also can pre-create a socket in advance.
* `store` puts the credential into a file, much easier to debug than cache.
* Considering anyone who has access to the pod is already able to get the credential via environment variables or yaml configs, putting it in a file won't make it less secure.

For the new password test:
1. askpass_git.sh provided to simulate a git with password challenge.
2. Need and only need to simulate "clone" action, need to bypass other actions like config/credential setup.
3. `credential fill` is the official git action to ask password, see https://git-scm.com/docs/git-credential.

This change resolved issue kubernetes#196.
|
/assign @thockin |
thockin
left a comment
Thanks!
/lgtm
/approve
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: thockin
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
|
If there were a bug and we didn't feed in the username properly, we would
not see it...
…On Wed, Dec 18, 2019 at 10:07 PM Chuanying ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In askpass_git.sh
<#217 (comment)>:
> +touch "${XDG_CONFIG_HOME}/git/config"
+# Override the default 'git credential store' config location, the default location
+# outside the e2e test environment. See https://git-scm.com/docs/git-credential-store
+touch "${XDG_CONFIG_HOME}/git/credentials"
+
+if [ "$1" != "clone" ]; then
+ git "$@"
+ exit $?
+fi
+
+# `git credential fill` requires the repo url match to consume the credentials stored by git-sync.
+# Askpass git only support repo started with "file://" which is used in test_e2e.sh.
+REPO=$(echo "$@" | grep -o "file://[^ ]*")
+PASSWD=$(echo "url=${REPO}" | git credential fill | grep -o "password=.*")
+# Test case much match the magic password below.
+if [ "${PASSWD}" != "password=Lov3!k0os" ]; then
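Review bot: The comparison after `git credential fill` keeps only the `password=` line (`grep -o "password=.*"`), so a wrong or missing username in what git-sync stored would go unnoticed. Capture the `credential fill` output once and compare its `username=` line against an expected value as well. Separately, `REPO` comes from `echo "$@" | grep -o "file://[^ ]*"` with no check that anything matched; an explicit error when `REPO` is empty would make a non-`file://` invocation fail clearly instead of calling `credential fill` with a bare `url=`. The comment "much match" should read "must match".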
We can, but don't think it's necessary, the magic password can match
already approved the whole process working as intended.
|
|
Yeah, that’s possible in theory, |
|
If it's not a big deal, it would be one less thing in the back of my mind.
…On Wed, Dec 18, 2019 at 10:57 PM Chuanying ***@***.***> wrote:
Yeah, that’s possible in theory,
I can file a follow up PR to add the username check if you have strong opinion about it.
|
For cache to store change:
* By default, `cache` only lasts 900 seconds; gitsync will break after that for password setup. See https://git-scm.com/docs/git-credential-cache.
* The test won't work with `cache` since the test doesn't have access to the default unix socket location; XDG_CACHE_HOME override also can't pre-create a socket in advance.
* `store` puts the credential into a file, much easier to debug than cache.
* Considering anyone who has access to the pod is already able to get the credential via environment variables or yaml configs, putting it in a file won't make it less secure.

For the new password test:
1. `askpass_git.sh` provided to simulate a git with password challenge.
2. Need and only need to simulate "clone" action, need to bypass other actions like config/credential setup.
3. `credential fill` is the official git action to ask password, see https://git-scm.com/docs/git-credential.

Fixes #196.
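
The credential flow the description relies on (the `store` helper writing to a file under `XDG_CONFIG_HOME`, then `git credential fill` reading it back), as an added example that is not part of the PR or of git-sync. The URL, username and password are constructed sample values, `git` is assumed to be installed, and the check covers the username as well as the password, the gap raised in the review thread.

```bash
#!/usr/bin/env bash
# Added example, not git-sync's code: store a credential with the `store`
# helper in a throwaway HOME, then read it back with `git credential fill`.

# Constructed sample values (assumptions, not taken from the PR).
SAMPLE_URL="file:///tmp/example-repo"
SAMPLE_USER="sync-user"
SAMPLE_PASS="s3cret-example"

# Isolate git's config, mirroring the XDG_CONFIG_HOME override in the wrapper.
setup_sandbox() {
  SANDBOX=$(mktemp -d) || return 1
  export HOME="$SANDBOX" XDG_CONFIG_HOME="$SANDBOX/xdg"
  export GIT_CONFIG_NOSYSTEM=1 GIT_TERMINAL_PROMPT=0   # no system config, no prompts
  unset GIT_ASKPASS SSH_ASKPASS
  mkdir -p "$XDG_CONFIG_HOME/git" || return 1
  # Pre-created files make git use these instead of ~/.gitconfig and ~/.git-credentials.
  touch "$XDG_CONFIG_HOME/git/config" "$XDG_CONFIG_HOME/git/credentials"
  git config --global credential.helper store
}

# Hand url/username/password to the configured helper, as git does after a successful login.
store_credential() {
  printf 'url=%s\nusername=%s\npassword=%s\n' "$1" "$2" "$3" | git credential approve
}

# Print one field (username or password) returned by `git credential fill` for a URL.
filled_field() {
  printf 'url=%s\n' "$1" | git credential fill 2>/dev/null | sed -n "s/^$2=//p"
}

# True only when BOTH fields match, so a wrong username cannot slip through.
check_credential() {
  [ "$(filled_field "$1" username)" = "$2" ] &&
    [ "$(filled_field "$1" password)" = "$3" ]
}

# True when the secret is readable as plain text in the store file.
secret_on_disk() {
  grep -q -- "$1" "$XDG_CONFIG_HOME/git/credentials"
}

if setup_sandbox && store_credential "$SAMPLE_URL" "$SAMPLE_USER" "$SAMPLE_PASS" &&
   check_credential "$SAMPLE_URL" "$SAMPLE_USER" "$SAMPLE_PASS" &&
   secret_on_disk "$SAMPLE_PASS"; then
  echo "fill returned the stored username and password; the secret sits unencrypted in $XDG_CONFIG_HOME/git/credentials"
else
  echo "credential round-trip failed" >&2
fi
```

Because the `store` helper writes the secret unencrypted, the file's location and permissions are what protect it.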