[BE]:Add ssh support for git commit (#527)

* Add ssh support for git commit

* Add comma

* Change url

* Change the way how to get private key

* Update

* Update

* Refactor

* Up version

* Change image repository

* Wip

* Refactor

* empty commit

* empty commit

* empty commit

* empty commit

* empty commit

* empty commit

* empty commit

* Rename ssh folder

* empty commit

* empty commit

* empty commit

* empty commit

* empty commit

* empty commit

* Update git commit version

* Change use_ssh description

* Wip

* Wip

* Refactor

Co-authored-by: admin <[email protected]>
Co-authored-by: Mikhail Klimko <[email protected]>

Author: 3 people

incubating/git-commit/Dockerfile

@@ -0,0 +1,15 @@
+# Moving to ubuntu instead of debian to solve high vulnerabilities 
+FROM ubuntu:jammy-20221101
+
+RUN apt-get update -y && \
+    apt-get upgrade -y && \
+    apt-get install git bash openssl busybox -y && \
+    ln -s /bin/busybox /usr/bin/[[
+
+# Add ssh record on which ssh key to use
+COPY ./ssh/ /root/.ssh/
+
+# USER nodeuser
+RUN addgroup --gid 3000 nodegroup && \
+    adduser --uid 3000 --ingroup nodegroup --shell /bin/sh --disabled-password nodeuser
+USER nodeuser

incubating/git-commit/ssh/config

@@ -0,0 +1 @@
+IdentityFile ~/.ssh/codefresh

incubating/git-commit/ssh/known_hosts

@@ -2,7 +2,7 @@ kind: step-type
 version: '1.0'
 metadata:
   name: git-commit
-  version: 0.0.19
+  version: 0.1.0
   isPublic: true
   description: Commit and push changes to repository
   icon:
@@ -126,6 +126,11 @@ spec:
               "type": "boolean",
               "description": "pull remote changes with rebase flag before push",
               "default": false
+          },
+          "use_ssh": {
+              "type": "boolean",
+              "description": "Is use ssh or https (ssh key will be taken from git integration defined in git argument)",
+              "default": false
           }
       }
     }
@@ -141,6 +146,8 @@ spec:
         - export GIT_ACCESS_TOKEN=$(codefresh get context $GIT_INTEGRATION_NAME --decrypt --prepare -o yaml | yq -r -c .spec.data.auth.password)
         - echo GIT_ACCESS_TOKEN=$GIT_ACCESS_TOKEN >> /meta/env_vars_to_export
         - export GIT_ACCESS_TOKEN_USER=$(codefresh get context $GIT_INTEGRATION_NAME --decrypt --prepare -o yaml | yq -r -c .spec.data.auth.username)
+        - export PRIVATE_KEY=$(codefresh get context $GIT_INTEGRATION_NAME --decrypt --prepare -o yaml | yq .spec.data.auth.sshPrivateKey)
+        - echo PRIVATE_KEY=$PRIVATE_KEY >> /meta/env_vars_to_export
         # If the git integration does not include the auth username, then default to the git_user_name argument
         - if [ "$GIT_ACCESS_TOKEN_USER" = "null" ]; then export GIT_ACCESS_TOKEN_USER=$GIT_USER_NAME; fi
         - echo GIT_ACCESS_TOKEN_USER=$GIT_ACCESS_TOKEN_USER >> /meta/env_vars_to_export
@@ -151,7 +158,7 @@ spec:
 
     commit_and_push:
       title: "Commit and push"
-      image: bitnami/git
+      image: codefreshplugins/git-commit:0.1.0
       shell: bash
       environment:
         - REPO=${{repo}}
@@ -163,6 +170,8 @@ spec:
         - GPG_SECRET_KEY=${{gpg_secret_key}}
         - FORCE_PUSH=${{force_push}}
         - REBASE=${{rebase}}
+        - USE_SSH=${{use_ssh}}
+        - GIT_INTEGRATION_NAME=${{git}}
       commands:
         - |-
           if [[ -n ${GPG_KEY_ID} && -n ${GPG_SECRET_KEY} ]]; then
@@ -180,14 +189,34 @@ spec:
         - git add ${ADD_FILES}
         - git commit ${ALLOW_EMPTY} -m "${COMMIT_MESSAGE}"
         - git status
+        - |-
+          REPO_URL="https://$GIT_ACCESS_TOKEN_USER:$GIT_ACCESS_TOKEN@$GIT_FQDN/$REPO.git"
+          if [ "$USE_SSH" = "true" ]; then
+            [ -z "$PRIVATE_KEY" ] && (echo "missing PRIVATE_KEY var" | tee /dev/stderr) && exit 1
+            echo ${PRIVATE_KEY:1:-1} | sed 's/\\n/\n/g' > ~/.ssh/codefresh
+            chmod 0600 ~/.ssh/*
+            chmod 0700 ~/.ssh/
+
+            # ssh://[email protected]:username/repo.git
+            # match "github.com" from ssh uri
+            REPO=${REPO#"ssh://"}
+            SSH_HOST=$(echo "$REPO" | cut -d ":" -f 1 | cut -d "@" -f 2)
+            echo "Adding "$SSH_HOST" to known_hosts"
+            
+            # removes all keys belonging to hostname from a known_hosts file
+            ssh-keygen -R $SSH_HOST 2>/dev/null
+
+            ssh-keyscan -H $SSH_HOST >> ~/.ssh/known_hosts 2> >(grep -v '^#' >&2)
+            REPO_URL=$REPO
+          fi
         - |-
           if [ "$REBASE" = true ]; then
-            git pull --rebase "https://$GIT_ACCESS_TOKEN_USER:$GIT_ACCESS_TOKEN@$GIT_FQDN/$REPO.git"
+            git pull --rebase $REPO_URL
           fi
-        - echo git push "https://$GIT_ACCESS_TOKEN_USER:REDACTED@$GIT_FQDN/$REPO.git"
+        - echo git push $REPO_URL
         - |-
           if [ "$FORCE_PUSH" = true ]; then
-            git push --force "https://$GIT_ACCESS_TOKEN_USER:$GIT_ACCESS_TOKEN@$GIT_FQDN/$REPO.git"
+            git push --force $REPO_URL
           else
-            git push "https://$GIT_ACCESS_TOKEN_USER:$GIT_ACCESS_TOKEN@$GIT_FQDN/$REPO.git"
+            git push $REPO_URL
           fi