Fix issue checking out branches/tags on private repos

amisevsk · amisevsk · commit c4a087ef2e32 · 2022-12-20T21:02:15.000-05:00
Use authentication for remote repository operations that use go-git to
ensure we can read remote references in private repositories.

Project clone now always checks for a credentials file mounted to the
DWO hard-coded credentials path (/.git-credentials/credentials) and
attempts to use credentials from there if they match on hostname.

For information purposes, project clone now logs whether or not a
personal-access-token was found.

Signed-off-by: Angel Misevski &lt;amisevsk@redhat.com&gt;
diff --git a/project-clone/internal/git/operations.go b/project-clone/internal/git/operations.go
@@ -24,6 +24,7 @@ import (
 	gitConfig "github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 
+	"github.com/devfile/devworkspace-operator/project-clone/internal"
 	"github.com/devfile/devworkspace-operator/project-clone/internal/shell"
 )
 
@@ -113,7 +114,13 @@ func CheckoutReference(repo *git.Repository, project *dw.Project, projectPath st
 		return fmt.Errorf("could not find remote %s: %s", defaultRemoteName, err)
 	}
 
-	refs, err := remote.List(&git.ListOptions{})
+	auth, err := internal.GetAuthForHost(remote.Config().URLs[0])
+	if err != nil {
+		log.Printf("Error reading credentials file: %s", err)
+	}
+	refs, err := remote.List(&git.ListOptions{
+		Auth: auth,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to read remote %s: %s", defaultRemoteName, err)
 	}
diff --git a/project-clone/internal/global.go b/project-clone/internal/global.go
@@ -16,15 +16,28 @@
 package internal
 
 import (
+	"errors"
+	"fmt"
 	"log"
 	"os"
+	"regexp"
 
 	"github.com/devfile/devworkspace-operator/pkg/library/constants"
+	gittransport "github.com/go-git/go-git/v5/plumbing/transport"
+	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
+	gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
+)
+
+const (
+	credentialsMountPath = "/.git-credentials/credentials"
 )
 
 var (
-	ProjectsRoot string
-	CloneTmpDir  string
+	ProjectsRoot     string
+	CloneTmpDir      string
+	tokenAuthMethod  map[string]*githttp.BasicAuth
+	sshAuthMethod    *gitssh.PublicKeys
+	credentialsRegex = regexp.MustCompile(`https://(.+):(.+)@(.+)`)
 )
 
 // Read and store ProjectsRoot env var for reuse throughout project-clone.
@@ -43,4 +56,60 @@ func init() {
 	}
 	log.Printf("Using temporary directory %s", tmpDir)
 	CloneTmpDir = tmpDir
+
+	setupAuth()
+}
+
+func GetAuthForHost(repoURLStr string) (gittransport.AuthMethod, error) {
+	endpoint, err := gittransport.NewEndpoint(repoURLStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse url: %w", err)
+	}
+	switch endpoint.Protocol {
+	case "ssh":
+		// TODO
+		return nil, fmt.Errorf("SSH support not yet implemented")
+	case "http", "https":
+		authMethod, ok := tokenAuthMethod[endpoint.Host]
+		if !ok {
+			log.Printf("No personal access token found for URL %s", repoURLStr)
+			return nil, nil
+		}
+		log.Printf("Found personal access token for URL %s", repoURLStr)
+		return authMethod, nil
+	default:
+		log.Printf("No personal access token for URL %s; unsupported protocol: %s", repoURLStr, endpoint.Protocol)
+	}
+	return nil, nil
+}
+
+func setupAuth() {
+	gitCredentials, err := os.ReadFile(credentialsMountPath)
+	if err != nil {
+		// If file does not exist, no credentials to mount
+		if !errors.Is(err, os.ErrNotExist) {
+			log.Printf("Unexpected error reading git credentials file: %s", err)
+			os.Exit(1)
+		}
+	} else {
+		tokenAuthMethod = parseCredentialsFile(string(gitCredentials))
+	}
+}
+
+func parseCredentialsFile(gitCredentials string) map[string]*githttp.BasicAuth {
+	result := map[string]*githttp.BasicAuth{}
+	matches := credentialsRegex.FindAllStringSubmatch(gitCredentials, -1)
+	for idx, credential := range matches {
+		if len(credential) != 4 {
+			log.Printf("Malformed credential found in credentials file on line %d. Skipping", idx+1)
+		}
+		username := credential[1]
+		pat := credential[2]
+		url := credential[3]
+		result[url] = &githttp.BasicAuth{
+			Username: username,
+			Password: pat,
+		}
+	}
+	return result
 }
diff --git a/project-clone/main.go b/project-clone/main.go
@@ -34,7 +34,6 @@ const (
 )
 
 // TODO: Handle sparse checkout
-// TODO: Add support for auth
 func main() {
 	f, err := os.Create(tmpLogFilePath)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ import (`
`24`	`24`	`gitConfig "github.com/go-git/go-git/v5/config"`
`25`	`25`	`"github.com/go-git/go-git/v5/plumbing"`
`26`	`26`
	`27`	`+ "github.com/devfile/devworkspace-operator/project-clone/internal"`
`27`	`28`	`"github.com/devfile/devworkspace-operator/project-clone/internal/shell"`
`28`	`29`	`)`
`29`	`30`
`@@ -113,7 +114,13 @@ func CheckoutReference(repo git.Repository, project dw.Project, projectPath st`
`113`	`114`	`return fmt.Errorf("could not find remote %s: %s", defaultRemoteName, err)`
`114`	`115`	`}`
`115`	`116`
`116`		`- refs, err := remote.List(&git.ListOptions{})`
	`117`	`+ auth, err := internal.GetAuthForHost(remote.Config().URLs[0])`
	`118`	`+ if err != nil {`
	`119`	`+ log.Printf("Error reading credentials file: %s", err)`
	`120`	`+ }`
	`121`	`+ refs, err := remote.List(&git.ListOptions{`
	`122`	`+ Auth: auth,`
	`123`	`+ })`
`117`	`124`	`if err != nil {`
`118`	`125`	`return fmt.Errorf("failed to read remote %s: %s", defaultRemoteName, err)`
`119`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,6 @@ const (`
`34`	`34`	`)`
`35`	`35`
`36`	`36`	`// TODO: Handle sparse checkout`
`37`		`-// TODO: Add support for auth`
`38`	`37`	`func main() {`
`39`	`38`	`f, err := os.Create(tmpLogFilePath)`
`40`	`39`	`if err != nil {`