wip: refactor the git-initializer (#1952)

Signed-off-by: Kent Rancourt <kent.rancourt@microsoft.com>

Author: krancour

v2/git-initializer-windows/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.17.2-windowsservercore-1809 as builder
+FROM golang:1.18.1-windowsservercore-1809 as builder
 
 ARG VERSION
 ARG COMMIT
@@ -19,6 +19,12 @@ RUN go build \
 
 FROM mcr.microsoft.com/windows/nanoserver:1809
 
+COPY --chown=ContainerUser:ContainerUser v2/git-initializer/ssh_config /Users/ContainerUser/.ssh/config
+COPY --from=builder /git /git/
 COPY --from=builder /src/bin/ /brigade/bin/
 
+USER ContainerAdministrator
+RUN setx /M PATH "%PATH%;C:\git\cmd"
+USER ContainerUser
+
 ENTRYPOINT ["/brigade/bin/git-initializer.exe"]

v2/git-initializer/Dockerfile

@@ -20,8 +20,16 @@ RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build \
   -ldflags "-w -X github.com/brigadecore/brigade-foundations/version.version=$VERSION -X github.com/brigadecore/brigade-foundations/version.commit=$COMMIT" \
   ./git-initializer
 
-FROM gcr.io/distroless/static:nonroot as final
+FROM alpine:3.15.4 as final
 
+RUN apk update \
+    && apk add git openssh-client \
+    && addgroup -S -g 65532 nonroot \
+    && adduser -S -D -u 65532 -g nonroot -G nonroot nonroot
+
+COPY --chown=nonroot:nonroot v2/git-initializer/ssh_config /home/nonroot/.ssh/config
 COPY --from=builder /src/bin/ /brigade/bin/
 
+USER nonroot
+
 ENTRYPOINT ["/brigade/bin/git-initializer"]

v2/git-initializer/auth.go

@@ -0,0 +1,106 @@
+package main
+
+import (
+	"io/ioutil"
+	"net/url"
+	"path"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
+	"github.com/mitchellh/go-homedir"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+)
+
+// setupAuth, if necessary, configures the git CLI for authentication using
+// either SSH or the "store" (username/password-based) credential helper since
+// the git-initializer component does fall back on the git CLI for certain
+// operations. It additionally returns an appropriate implementation of
+// transport.AuthMethod for operations that interact with remote repositories
+// programmatically.
+func setupAuth(evt event) (transport.AuthMethod, error) {
+	homeDir, err := homedir.Dir()
+	if err != nil {
+		return nil, errors.Wrap(err, "error finding user's home directory")
+	}
+
+	// If an SSH key was provided, use that.
+	if key, ok := evt.Project.Secrets["gitSSHKey"]; ok {
+		// If a passphrase was supplied for the key, decrypt the key now.
+		keyPass, ok := evt.Project.Secrets["gitSSHKeyPassword"]
+		if ok {
+			var err error
+			if key, err = decryptKey(key, keyPass); err != nil {
+				return nil, errors.Wrap(err, "error decrypting SSH key")
+			}
+		}
+		rsaKeyPath := path.Join(homeDir, ".ssh", "id_rsa")
+		if err := ioutil.WriteFile(rsaKeyPath, []byte(key), 0600); err != nil {
+			return nil, errors.Wrapf(err, "error writing SSH key to %q", rsaKeyPath)
+		}
+
+		// This is the implementation of the transport.AuthMethod interface that can
+		// be used for operations that interact with the remote repository
+		// interactively.
+		publicKeys, err := gitssh.NewPublicKeys("git", []byte(key), keyPass)
+		if err != nil {
+			return nil,
+				errors.Wrap(err, "error getting transport.AuthMethod using SSH key")
+		}
+
+		// This prevents the CLI from interactively requesting the user to allow
+		// connection to a new/unrecognized host.
+		publicKeys.HostKeyCallback = ssh.InsecureIgnoreHostKey() // nolint: gosec
+		return publicKeys, nil                                   // We're done
+	}
+
+	// If a password was provided, use that.
+	if password, ok := evt.Project.Secrets["gitPassword"]; ok {
+		credentialURL, err := url.Parse(evt.Worker.Git.CloneURL)
+		if err != nil {
+			return nil,
+				errors.Wrapf(err, "error parsing URL %q", evt.Worker.Git.CloneURL)
+		}
+		// If a username was provided, use it. One may not have been because some
+		// git providers, like GitHub, for instance, will allow any non-empty
+		// username to be used in conjunction with a personal access token.
+		username, ok := evt.Project.Secrets["gitUsername"]
+		// If a username wasn't provided, we can ALSO try to pick it out of the URL.
+		if !ok && credentialURL.User != nil {
+			username = credentialURL.User.Username()
+		}
+		// If the username is still the empty string, we assume we're working with a
+		// git provider like GitHub that only requires the username to be non-empty.
+		// We arbitrarily set it to "git".
+		if username == "" {
+			username = "git"
+		}
+		// Remove path and query string components from the URL
+		credentialURL.Path = ""
+		credentialURL.RawQuery = ""
+		// Augment the URL with user/pass information.
+		credentialURL.User = url.UserPassword(username, password)
+		// Write the URL to the location used by the "stored" credential helper.
+		credentialsPath := path.Join(homeDir, ".git-credentials")
+		if err := ioutil.WriteFile(
+			credentialsPath,
+			[]byte(credentialURL.String()),
+			0600,
+		); err != nil {
+			return nil,
+				errors.Wrapf(err, "error writing credentials to %q", credentialsPath)
+		}
+
+		// This is the implementation of the transport.AuthMethod interface that can
+		// be used for operations that interact with the remote repository
+		// interactively.
+		return &http.BasicAuth{
+			Username: username,
+			Password: password,
+		}, nil // We're done
+	}
+
+	// No auth setup required if we get to here.
+	return nil, nil
+}

v2/git-initializer/cmd.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"bufio"
+	"log"
+	"os/exec"
+	"sync"
+
+	"github.com/pkg/errors"
+)
+
+// execCommand executes a commands and pipes its stdout and stderr out to the
+// git-initializer's own logs.
+func execCommand(cmd *exec.Cmd) error {
+	stdoutReader, err := cmd.StdoutPipe()
+	if err != nil {
+		return errors.Wrap(err, "error obtaining stdout pipe")
+	}
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		scanner := bufio.NewScanner(stdoutReader)
+		for scanner.Scan() {
+			log.Println(scanner.Text())
+		}
+	}()
+	stderrReader, err := cmd.StderrPipe()
+	if err != nil {
+		return errors.Wrap(err, "error obtaining stderr pipe")
+	}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		scanner := bufio.NewScanner(stderrReader)
+		for scanner.Scan() {
+			log.Println(scanner.Text())
+		}
+	}()
+	if err = cmd.Start(); err != nil {
+		return errors.Wrapf(err, "error starting command %q", cmd.String())
+	}
+	if err = cmd.Wait(); err != nil {
+		return errors.Wrapf(err, "error waiting for command %q", cmd.String())
+	}
+	wg.Wait() // Make sure we got all the output before returning
+	return nil
+}

v2/git-initializer/config.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"os/exec"
+
+	"github.com/pkg/errors"
+)
+
+// applyGlobalConfig applies global git CLI configuration options. Specifically,
+// it adds /var/vcs as a "safe" directory. This is required due to the fact that
+// the nonroot user the git-initializer process runs as doesn't OWN /var/vcs.
+// (Kubernetes security context is applied to make /var/vcs group writable, but
+// git can be pickier about file permissions than one would normally expect.)
+func applyGlobalConfig() error {
+	return errors.Wrapf(
+		execCommand(
+			exec.Command(
+				"git",
+				"config",
+				"--global",
+				"--add",
+				"safe.directory",
+				workspace,
+			),
+		),
+		"error setting %q as a safe directory",
+		workspace,
+	)
+}

v2/git-initializer/crypto.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"bytes"
+	"crypto/x509"
+	"encoding/pem"
+
+	"github.com/pkg/errors"
+)
+
+// decryptKey decrypts a PEM-encoded RSA private key and returns a PEM-encoded
+// RSA private key sans encryption. This is useful for cases where the key is
+// being used in conjunction with the git CLI and we wish to avoid interactively
+// requesting the key's passphrase.
+func decryptKey(key, pass string) (string, error) {
+	block, _ := pem.Decode([]byte(key))
+	if block == nil {
+		return "", errors.Errorf("key is not PEM-encoded")
+	}
+	const supportedType = "RSA PRIVATE KEY"
+	if block.Type != supportedType {
+		return "", errors.Errorf(
+			"unsupported key type %q; only %q is supported",
+			block.Type,
+			supportedType,
+		)
+	}
+	var err error
+	if block.Bytes, err = x509.DecryptPEMBlock(block, []byte(pass)); err != nil {
+		return "", errors.Wrap(err, "error decrypting private key")
+	}
+	block.Headers = nil
+	buf := &bytes.Buffer{}
+	if err = pem.Encode(buf, block); err != nil {
+		return "", errors.Wrap(err, "error PEM-encoding decrypted private key")
+	}
+	return buf.String(), nil
+}

v2/git-initializer/doc.go

@@ -0,0 +1,14 @@
+package main
+
+// This package implements a "hybrid" approach to interacting with remote git
+// repositories to acquire source code required by a Brigade Worker or Job. The
+// "hybrid" approach does whatever it can using the (pure Go) go-git library,
+// but falls back on exec'ing git CLI commands when necessary. This is necessary
+// because go-git cannot fetch from remotes hosted by certain git providers --
+// namely Azure DevOps, but possibly others.
+//
+// In an ideal world, we'd have a library that addressed all out needs. libgit2
+// (via Go bindings provided by git2go) comes close to meeting our needs, but
+// cannot use refspecs that use a sha. I (krancour) expect this to be fixed
+// within a few months of this writing (May 2022), and we can possibly revisit
+// this component at that time.

v2/git-initializer/events.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/brigadecore/brigade/sdk/v3"
+	"github.com/pkg/errors"
+)
+
+// event is a git-initializer-specific representation of a Brigade Event.
+type event struct {
+	Project struct {
+		Secrets map[string]string `json:"secrets"`
+	} `json:"project"`
+	Worker struct {
+		Git *sdk.GitConfig `json:"git"`
+	} `json:"worker"`
+}
+
+// getEvent loads an Event from a JSON file on the file system.
+func getEvent() (event, error) {
+	evt := event{}
+	eventPath := "/var/event/event.json"
+	data, err := ioutil.ReadFile(eventPath)
+	if err != nil {
+		return evt, errors.Wrapf(err, "unable read the event file %q", eventPath)
+	}
+	err = json.Unmarshal(data, &evt)
+	return evt, errors.Wrap(err, "error unmarshaling the event")
+}