allow specifying an ssh key for git instead of a username and password w/ burnettk

2023-01-20 15:11:23 -05:00 · 2023-01-20 15:11:23 -05:00 · 9fa2f982b9
parent 09337070f2
commit 9fa2f982b9
3 changed files with 29 additions and 9 deletions
--- a/bin/git_commit_bpmn_models_repo
+++ b/bin/git_commit_bpmn_models_repo
@ -16,11 +16,16 @@ git_commit_username="$4"
 git_commit_email="$5"
 git_commit_password="$6"

-if [[ -z "${6:-}" ]]; then
+if [[ -z "${5:-}" ]]; then
  >&2 echo "usage: $(basename "$0") [bpmn_models_absolute_dir] [git_commit_message] [git_branch] [git_commit_username] [git_commit_email]"
  exit 1
 fi

+if [[ -z "$git_commit_password" && -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+  >&2 echo "ERROR: A git password or GIT_SSH_PRIVATE_KEY must be provided"
+  exit 1
+fi
+
 function failed_to_get_lock() {
  >&2 echo "ERROR: Failed to get lock."
  exit 1
@ -34,15 +39,27 @@ function run() {
  if [ -z "$(git status --porcelain)" ]; then
    echo "No changes to commit"
  else
-    PAT="${git_commit_username}:${git_commit_password}"
-    AUTH=$(echo -n "$PAT" | openssl base64 | tr -d '\n')

    git config --local user.name "$git_commit_username"
    git config --local user.email "$git_commit_email"
-    git config --local http.extraHeader "Authorization: Basic $AUTH"
+
+    if [[ -n "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+      tmpfile=$(mktemp /tmp/tmp_git.XXXXXX)
+      chmod 600 "$tmpfile"
+      echo "$GIT_SSH_PRIVATE_KEY" >"$tmpfile"
+      export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -i ${tmpfile} -F /dev/null"
+    else
+      PAT="${git_commit_username}:${git_commit_password}"
+      AUTH=$(echo -n "$PAT" | openssl base64 | tr -d '\n')
+      git config --local http.extraHeader "Authorization: Basic $AUTH"
+    fi
+
    git commit -m "$git_commit_message"
    git push --set-upstream origin "$git_branch"
-    git config --unset --local http.extraHeader
+
+    if [[ -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+      git config --unset --local http.extraHeader
+    fi
  fi
 }

--- a/src/spiffworkflow_backend/config/default.py
+++ b/src/spiffworkflow_backend/config/default.py
@ -68,6 +68,7 @@ GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO")
 GIT_BRANCH = environ.get("GIT_BRANCH")
 GIT_CLONE_URL_FOR_PUBLISHING = environ.get("GIT_CLONE_URL")
 GIT_COMMIT_ON_SAVE = environ.get("GIT_COMMIT_ON_SAVE", default="false") == "true"
+GIT_SSH_PRIVATE_KEY = environ.get("GIT_SSH_PRIVATE_KEY")

 # Datbase Configuration
 SPIFF_DATABASE_TYPE = environ.get(
--- a/src/spiffworkflow_backend/services/git_service.py
+++ b/src/spiffworkflow_backend/services/git_service.py
@ -219,10 +219,12 @@ class GitService:
        # we are adding a guid to this so the flake8 issue has been mitigated
        destination_process_root = f"/tmp/{clone_dir}"  # noqa

-        git_clone_url = current_app.config["GIT_CLONE_URL_FOR_PUBLISHING"].replace(
-            "https://",
-            f"https://{current_app.config['GIT_USERNAME']}:{current_app.config['GIT_USER_PASSWORD']}@",
-        )
+        git_clone_url = current_app.config["GIT_CLONE_URL_FOR_PUBLISHING"]
+        if git_clone_url.startswith('https://'):
+            git_clone_url = git_clone_url.replace(
+                "https://",
+                f"https://{current_app.config['GIT_USERNAME']}:{current_app.config['GIT_USER_PASSWORD']}@",
+            )
        cmd = ["git", "clone", git_clone_url, destination_process_root]

        cls.run_shell_command(cmd)