From a3c5219a942729482c4797336aa8218de6502d09 Mon Sep 17 00:00:00 2001
From: Bret Mogilefsky
Date: Tue, 3 Dec 2024 03:48:56 -0800
Subject: [PATCH] Enable using read-only HTTPS repositories (#2171)
* Enable using read-only HTTPS repositories
If someone wants to clone read-only from an `https://github.com/...` URL, that should be permitted, and in that case they shouldn't be required to provide an SSH key.
* Add comment on ssh vs https behavior
---
 spiffworkflow-backend/bin/clone_process_models | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/spiffworkflow-backend/bin/clone_process_models b/spiffworkflow-backend/bin/clone_process_models
index 90fee5f7f..99937cf62 100755
--- a/spiffworkflow-backend/bin/clone_process_models
+++ b/spiffworkflow-backend/bin/clone_process_models
@@ -24,18 +24,23 @@ fi
 if [[ -z "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH:-}" ]]; then
 if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY:-}" ]]; then
- export SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH=$(mktemp /tmp/ssh_private_key.XXXXXX)
+ SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH=$(mktemp /tmp/ssh_private_key.XXXXXX)
+ export SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH
 chmod 600 "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
 echo "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY}" >"${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
 fi
 fi
+# Only configure SSH if a private key is available; CLONE_URL might be HTTPS, which is still valid
+if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}" ]]; then
+ export GIT_SSH_COMMAND="ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
+fi
+
 if [[ ! -d "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/.git" ]]; then
 # otherwise git clone will not clone since the directory is not empty
 if [[ -d "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/lost+found" ]]; then
 rm -r "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/lost+found"
 fi
- export GIT_SSH_COMMAND="ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
 git clone -b "$SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH" "$SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL" "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"
 fi
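Review bot: The new guard `[[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}" ]]` expands the variable without a default, unlike the `:-` forms in the two checks just above it. If the script runs with `set -u` (its shell options are outside this hunk), the HTTPS-only case this commit targets would abort on an unbound variable instead of skipping SSH setup; use `if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH:-}" ]]; then`. Separately, the relocated `GIT_SSH_COMMAND` still combines `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so the Git server's host key is never verified and the private key is offered to whichever host answers. Since the line is being moved anyway, consider pointing `UserKnownHostsFile` at a pinned known_hosts file and setting `StrictHostKeyChecking=yes`. The key path is also interpolated unquoted into the command string, so a path containing whitespace would be split by ssh's argument parsing.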