From 9bf8bc505d7784a72c771984cb772d52815bb5e3 Mon Sep 17 00:00:00 2001
From: jasquat
Date: Fri, 20 Jan 2023 15:11:23 -0500
Subject: [PATCH] allow specifying an ssh key for git instead of a username and password w/ burnettk
---
 .../bin/git_commit_bpmn_models_repo | 27 +++++++++++++++----
 .../spiffworkflow_backend/config/default.py | 1 +
 .../services/git_service.py | 10 ++++---
 3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/spiffworkflow-backend/bin/git_commit_bpmn_models_repo b/spiffworkflow-backend/bin/git_commit_bpmn_models_repo
index 0ba51202..c05d7587 100755
--- a/spiffworkflow-backend/bin/git_commit_bpmn_models_repo
+++ b/spiffworkflow-backend/bin/git_commit_bpmn_models_repo
@@ -16,11 +16,16 @@ git_commit_username="$4"
 git_commit_email="$5"
 git_commit_password="$6"
-if [[ -z "${6:-}" ]]; then
+if [[ -z "${5:-}" ]]; then
 >&2 echo "usage: $(basename "$0") [bpmn_models_absolute_dir] [git_commit_message] [git_branch] [git_commit_username] [git_commit_email]"
 exit 1
 fi
+if [[ -z "$git_commit_password" && -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+ >&2 echo "ERROR: A git password or GIT_SSH_PRIVATE_KEY must be provided"
+ exit 1
+fi
+
 function failed_to_get_lock() {
 >&2 echo "ERROR: Failed to get lock."
 exit 1
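Review bot: With only five arguments, the assignment `git_commit_password="$6"` just above the changed check still expands an unset positional parameter. The `${5:-}` style suggests the script runs with nounset (its shell options are outside the hunk, so this is inferred), in which case it would abort with an unbound-variable error before the new password-or-key check runs. Changing that line to `git_commit_password="${6:-}"` lets an SSH-key-only invocation reach the new check. The usage text could also list the now-optional `[git_commit_password]`.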
@@ -34,15 +39,27 @@ function run() {
 if [ -z "$(git status --porcelain)" ]; then
 echo "No changes to commit"
 else
- PAT="${git_commit_username}:${git_commit_password}"
- AUTH=$(echo -n "$PAT" | openssl base64 | tr -d '\n')
 git config --local user.name "$git_commit_username"
 git config --local user.email "$git_commit_email"
- git config --local http.extraHeader "Authorization: Basic $AUTH"
+
+ if [[ -n "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+ tmpfile=$(mktemp /tmp/tmp_git.XXXXXX)
+ chmod 600 "$tmpfile"
+ echo "$GIT_SSH_PRIVATE_KEY" >"$tmpfile"
+ export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -i ${tmpfile} -F /dev/null"
+ else
+ PAT="${git_commit_username}:${git_commit_password}"
+ AUTH=$(echo -n "$PAT" | openssl base64 | tr -d '\n')
+ git config --local http.extraHeader "Authorization: Basic $AUTH"
+ fi
+
 git commit -m "$git_commit_message"
 git push --set-upstream origin "$git_branch"
- git config --unset --local http.extraHeader
+
+ if [[ -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then
+ git config --unset --local http.extraHeader
+ fi
 fi
 }
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 80cfb919..db0baeba 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -68,6 +68,7 @@ GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO")
 GIT_BRANCH = environ.get("GIT_BRANCH")
 GIT_CLONE_URL_FOR_PUBLISHING = environ.get("GIT_CLONE_URL")
 GIT_COMMIT_ON_SAVE = environ.get("GIT_COMMIT_ON_SAVE", default="false") == "true"
+GIT_SSH_PRIVATE_KEY = environ.get("GIT_SSH_PRIVATE_KEY")
 # Datbase Configuration
 SPIFF_DATABASE_TYPE = environ.get(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
index 43c18edc..7dbb4c08 100644
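Review bot: The temporary file that receives `GIT_SSH_PRIVATE_KEY` in `run()` of `bin/git_commit_bpmn_models_repo` is never deleted, so a copy of the private key stays in `/tmp` after every commit; nothing in the hunk removes it on success or on failure. Adding `trap 'rm -f "$tmpfile"' EXIT` right after the `mktemp` line would cover both paths, provided the script has no other EXIT trap (not visible here). The password branch has a similar gap: if the script exits on error and `git commit` or `git push` fails, `git config --unset --local http.extraHeader` is skipped and the Basic credential stays in the repository config. `run()` begins above the hunk.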
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
@@ -219,10 +219,12 @@ class GitService:
 # we are adding a guid to this so the flake8 issue has been mitigated
 destination_process_root = f"/tmp/{clone_dir}" # noqa
- git_clone_url = current_app.config["GIT_CLONE_URL_FOR_PUBLISHING"].replace(
- "https://",
- f"https://{current_app.config['GIT_USERNAME']}:{current_app.config['GIT_USER_PASSWORD']}@",
- )
+ git_clone_url = current_app.config["GIT_CLONE_URL_FOR_PUBLISHING"]
+ if git_clone_url.startswith('https://'):
+ git_clone_url = git_clone_url.replace(
+ "https://",
+ f"https://{current_app.config['GIT_USERNAME']}:{current_app.config['GIT_USER_PASSWORD']}@",
+ )
 cmd = ["git", "clone", git_clone_url, destination_process_root]
 cls.run_shell_command(cmd)
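Review bot: In the non-https branch the clone runs with the URL unchanged, and nothing visible here applies `GIT_SSH_PRIVATE_KEY` to it. The key is only written out and exported as `GIT_SSH_COMMAND` inside `bin/git_commit_bpmn_models_repo`, so unless `run_shell_command` sets that up (not shown), an SSH clone would use whatever identity the service account already has. In the https branch the username and password are still interpolated raw into the URL, so they end up in the `git clone` argument list and in the clone's stored remote URL, and a password containing `@` or `/` changes how the URL parses. Percent-encoding both values with `urllib.parse.quote(value, safe="")` and passing `1` as the count to `replace` would at least keep the URL well-formed. The enclosing method starts and ends outside the hunk.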