Merge pull request #338 from SomtochiAma/private-keyy-passwd

hiddeco · web-flow · commit 069328990c6b · 2021-04-12T17:44:36.000+02:00
diff --git a/pkg/git/gogit/transport.go b/pkg/git/gogit/transport.go
@@ -88,7 +88,8 @@ func (s *PublicKeyAuth) Method(secret corev1.Secret) (*git.Auth, error) {
 		user = git.DefaultPublicKeyAuthUser
 	}
 
-	pk, err := ssh.NewPublicKeys(user, identity, "")
+	password := secret.Data["password"]
+	pk, err := ssh.NewPublicKeys(user, identity, string(password))
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/git/gogit/transport_test.go b/pkg/git/gogit/transport_test.go
@@ -43,6 +43,21 @@ v2MYnxRjc9INpi/Dyzz2MMvOnOW+aDuOh/If2AtVCmeJUx1pf4CFk3viQwJBAKyC
 t824+evjv+NQBlme3AOF6PgxtV4D4wWoJ5Uk/dTejER0j/Hbl6sqPxuiILRRV9qJ
 Ngkgu4mLjc3RfenEhJECQAx8zjWUE6kHHPGAd9DfiAIQ4bChqnyS0Nwb9+Gd4hSE
 P0Ah10mHiK/M0o3T8Eanwum0gbQHPnOwqZgsPkwXRqQ=
+-----END RSA PRIVATE KEY-----`
+
+	// secretKeyFixture is a randomly generated
+	// 512bit RSA private key with password foobar.
+	secretPassphraseFixture = `-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,0B016973B2A761D31E6B388D0F327C35
+
+X9GET/qAyZkAJBl/RK+1XX75NxONgdUfZDw7PIYi/g+Efh3Z5zH5kh/dx9lxH5ZG
+HGCqPAeMO/ofGDGtDULWW6iqDUFRu5gPgEVSCnnbqoHNU325WHhXdhejVAItwObC
+IpL/zYfs2+gDHXct/n9FJ/9D/EGXZihwPqYaK8GQSfZAxz0QjLuh0wU1qpbm3y3N
+q+o9FLv3b2Ys/tCJOUsYVQOYLSrZEI77y1ii3nWgQ8lXiTJbBUKzuq4f1YWeO8Ah
+RZbdhTa57AF5lUaRtL7Nrm3HJUrK1alBbU7HHyjeW4Q4n/D3fiRDC1Mh2Bi4EOOn
+wGctSx4kHsZGhJv5qwKqqPEFPhUzph8D2tm2TABk8HJa5KJFDbGrcfvk2uODAoZr
+MbcpIxCfl8oB09bWfY6tDQjyvwSYYo2Phdwm7kT92xc=
 -----END RSA PRIVATE KEY-----`
 
 	// knownHostsFixture is known_hosts fixture in the expected
@@ -63,6 +78,13 @@ var (
 			"known_hosts": []byte(knownHostsFixture),
 		},
 	}
+	privateKeySecretWithPassphraseFixture = corev1.Secret{
+		Data: map[string][]byte{
+			"identity":    []byte(secretPassphraseFixture),
+			"known_hosts": []byte(knownHostsFixture),
+			"password":    []byte("foobar"),
+		},
+	}
 )
 
 func TestAuthSecretStrategyForURL(t *testing.T) {
@@ -131,10 +153,13 @@ func TestPublicKeyStrategy_Method(t *testing.T) {
 		wantErr bool
 	}{
 		{"private key and known_hosts", privateKeySecretFixture, nil, false},
+		{"private key with passphrase and known_hosts", privateKeySecretWithPassphraseFixture, nil, false},
 		{"missing private key", privateKeySecretFixture, func(s *corev1.Secret) { delete(s.Data, "identity") }, true},
 		{"invalid private key", privateKeySecretFixture, func(s *corev1.Secret) { s.Data["identity"] = []byte(`-----BEGIN RSA PRIVATE KEY-----`) }, true},
 		{"missing known_hosts", privateKeySecretFixture, func(s *corev1.Secret) { delete(s.Data, "known_hosts") }, true},
 		{"invalid known_hosts", privateKeySecretFixture, func(s *corev1.Secret) { s.Data["known_hosts"] = []byte(`invalid`) }, true},
+		{"missing password", privateKeySecretWithPassphraseFixture, func(s *corev1.Secret) { delete(s.Data, "password") }, true},
+		{"wrong password", privateKeySecretWithPassphraseFixture, func(s *corev1.Secret) { s.Data["password"] = []byte("pass") }, true},
 		{"empty", corev1.Secret{}, nil, true},
 	}
 	for _, tt := range tests {
diff --git a/pkg/git/libgit2/transport.go b/pkg/git/libgit2/transport.go
@@ -121,7 +121,13 @@ func (s *PublicKeyAuth) Method(secret corev1.Secret) (*git.Auth, error) {
 
 	// Need to validate private key as it is not
 	// done by git2go when loading the key
-	_, err = ssh.ParsePrivateKey(identity)
+	password, ok := secret.Data["password"]
+	if ok {
+		_, err = ssh.ParsePrivateKeyWithPassphrase(identity, password)
+	} else {
+		_, err = ssh.ParsePrivateKey(identity)
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -132,7 +138,7 @@ func (s *PublicKeyAuth) Method(secret corev1.Secret) (*git.Auth, error) {
 	}
 
 	credCallback := func(url string, usernameFromURL string, allowedTypes git2go.CredType) (*git2go.Cred, error) {
-		cred, err := git2go.NewCredSshKeyFromMemory(user, "", string(identity), "")
+		cred, err := git2go.NewCredSshKeyFromMemory(user, "", string(identity), string(password))
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/git/libgit2/transport_test.go b/pkg/git/libgit2/transport_test.go
@@ -44,6 +44,21 @@ v2MYnxRjc9INpi/Dyzz2MMvOnOW+aDuOh/If2AtVCmeJUx1pf4CFk3viQwJBAKyC
 t824+evjv+NQBlme3AOF6PgxtV4D4wWoJ5Uk/dTejER0j/Hbl6sqPxuiILRRV9qJ
 Ngkgu4mLjc3RfenEhJECQAx8zjWUE6kHHPGAd9DfiAIQ4bChqnyS0Nwb9+Gd4hSE
 P0Ah10mHiK/M0o3T8Eanwum0gbQHPnOwqZgsPkwXRqQ=
+-----END RSA PRIVATE KEY-----`
+
+	// secretKeyFixture is a randomly generated
+	// 512bit RSA private key with password foobar.
+	secretPassphraseFixture = `-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,0B016973B2A761D31E6B388D0F327C35
+
+X9GET/qAyZkAJBl/RK+1XX75NxONgdUfZDw7PIYi/g+Efh3Z5zH5kh/dx9lxH5ZG
+HGCqPAeMO/ofGDGtDULWW6iqDUFRu5gPgEVSCnnbqoHNU325WHhXdhejVAItwObC
+IpL/zYfs2+gDHXct/n9FJ/9D/EGXZihwPqYaK8GQSfZAxz0QjLuh0wU1qpbm3y3N
+q+o9FLv3b2Ys/tCJOUsYVQOYLSrZEI77y1ii3nWgQ8lXiTJbBUKzuq4f1YWeO8Ah
+RZbdhTa57AF5lUaRtL7Nrm3HJUrK1alBbU7HHyjeW4Q4n/D3fiRDC1Mh2Bi4EOOn
+wGctSx4kHsZGhJv5qwKqqPEFPhUzph8D2tm2TABk8HJa5KJFDbGrcfvk2uODAoZr
+MbcpIxCfl8oB09bWfY6tDQjyvwSYYo2Phdwm7kT92xc=
 -----END RSA PRIVATE KEY-----`
 
 	// knownHostsFixture is known_hosts fixture in the expected
@@ -64,6 +79,13 @@ var (
 			"known_hosts": []byte(knownHostsFixture),
 		},
 	}
+	privateKeySecretWithPassphraseFixture = corev1.Secret{
+		Data: map[string][]byte{
+			"identity":    []byte(secretPassphraseFixture),
+			"known_hosts": []byte(knownHostsFixture),
+			"password":    []byte("foobar"),
+		},
+	}
 )
 
 func TestAuthSecretStrategyForURL(t *testing.T) {
@@ -126,10 +148,13 @@ func TestPublicKeyStrategy_Method(t *testing.T) {
 		wantErr bool
 	}{
 		{"private key and known_hosts", privateKeySecretFixture, nil, false},
+		{"private key with passphrase and known_hosts", privateKeySecretWithPassphraseFixture, nil, false},
 		{"missing private key", privateKeySecretFixture, func(s *corev1.Secret) { delete(s.Data, "identity") }, true},
 		{"invalid private key", privateKeySecretFixture, func(s *corev1.Secret) { s.Data["identity"] = []byte(`-----BEGIN RSA PRIVATE KEY-----`) }, true},
 		{"missing known_hosts", privateKeySecretFixture, func(s *corev1.Secret) { delete(s.Data, "known_hosts") }, true},
 		{"invalid known_hosts", privateKeySecretFixture, func(s *corev1.Secret) { s.Data["known_hosts"] = []byte(`invalid`) }, true},
+		{"missing password", privateKeySecretWithPassphraseFixture, func(s *corev1.Secret) { delete(s.Data, "password") }, true},
+		{"invalid password", privateKeySecretWithPassphraseFixture, func(s *corev1.Secret) { s.Data["password"] = []byte("foo") }, true},
 		{"empty", corev1.Secret{}, nil, true},
 	}
 	for _, tt := range tests {

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,8 @@ func (s PublicKeyAuth) Method(secret corev1.Secret) (git.Auth, error) {`
`88`	`88`	`user = git.DefaultPublicKeyAuthUser`
`89`	`89`	`}`
`90`	`90`
`91`		`- pk, err := ssh.NewPublicKeys(user, identity, "")`
	`91`	`+ password := secret.Data["password"]`
	`92`	`+ pk, err := ssh.NewPublicKeys(user, identity, string(password))`
`92`	`93`	`if err != nil {`
`93`	`94`	`return nil, err`
`94`	`95`	`}`