ManageIQ · carbonin · Aug 8, 2019 · Aug 8, 2019 · Aug 8, 2019 · NickLaMuro
@@ -9,7 +9,7 @@ class GitRepository < ApplicationRecord
 
   attr_reader :git_lock
 
-  validates :url, :format => URI::regexp(%w(http https file)), :allow_nil => false
+  validates :url, :format => URI.regexp(%w[http https file ssh]), :allow_nil => false
 
   default_value_for :verify_ssl, OpenSSL::SSL::VERIFY_PEER
   validates :verify_ssl, :inclusion => {:in => [OpenSSL::SSL::VERIFY_NONE, OpenSSL::SSL::VERIFY_PEER]}
@@ -84,7 +84,7 @@ def update_repo
     with_worktree do |worktree|
       message = "Updating #{url} in #{directory_name}..."
       _log.info(message)
-      worktree.send(:fetch_and_merge)
+      worktree.send(:pull)
       _log.info("#{message}...Complete")
     end
     @updated_repo = true
@@ -219,7 +219,12 @@ def worktree_params
     params[:certificate_check] = method(:self_signed_cert_cb) if verify_ssl == OpenSSL::SSL::VERIFY_NONE
     if (auth = authentication || default_authentication)
       params[:username] = auth.userid
-      params[:password] = auth.password
+      if auth.auth_key
+        params[:ssh_private_key] = auth.auth_key
+        params[:password] = auth.auth_key_password.presence
+      else
+        params[:password] = auth.password
+      end
     end
     params
   end

@@ -10,19 +10,23 @@ def initialize(options = {})
     require 'rugged'
 
     raise ArgumentError, "Must specify path" unless options.key?(:path)
-    @path          = options[:path]
-    @email         = options[:email]
-    @username      = options[:username] || ""
-    @bare          = options[:bare]
-    @commit_sha    = options[:commit_sha]
-    @password      = options[:password] || ""
-    @fast_forward_merge = options[:ff] || true
-    @remote_name   = 'origin'
-    @cred          = Rugged::Credentials::UserPassword.new(:username => @username,
-                                                           :password => @password)
-    @credentials_set = false
-    @base_name = File.basename(@path)
+    @path                 = options[:path]
+    @email                = options[:email]
+    @username             = options[:username]
+    @bare                 = options[:bare]
+    @commit_sha           = options[:commit_sha]
+    @password             = options[:password]
+    @ssh_private_key      = options[:ssh_private_key]
+    @fast_forward_merge   = options[:ff] || true
     @certificate_check_cb = options[:certificate_check]
+
+    @remote_name = 'origin'
+    @base_name   = File.basename(@path)
+
+    if @ssh_private_key && !Rugged.features.include?(:ssh)
+      raise GitWorktreeException::InvalidCredentialType, "ssh credentials are not enabled for use. Recompile the rugged/libgit2 gem with ssh support to enable it."
+    end
+
     process_repo(options)
   end
 
@@ -201,17 +205,47 @@ def checkout(target_directory)
     @repo.checkout_tree(tree, :target_directory => target_directory, :strategy => :force)
   end
 
-  def credentials_cb(url, _username, _types)
-    if @credentials_set
-      raise GitWorktreeException::InvalidCredentials, "Please provide username and password for URL #{url}" if @username.blank? || @password.blank?
-      raise GitWorktreeException::InvalidCredentials, "Invalid credentials for URL #{url}"
+  def with_credential_options
+    if @ssh_private_key
+      @ssh_private_key_file = Tempfile.new
+      @ssh_private_key_file.write(@ssh_private_key)
+      @ssh_private_key_file.close
+    end
+
+    options = {:credentials => method(:credentials_cb)}
+    options[:certificate_check] = @certificate_check_cb if @certificate_check_cb
+
+    yield options
+  ensure
+    if @ssh_private_key_file
+      @ssh_private_key_file.unlink
+      @ssh_private_key_file = nil
     end
-    @credentials_set = true
-    @cred
   end
 
   private
 
+  def credentials_cb(url, username_from_url, _allowed_types)
+    username = @username || username_from_url
+
+    if @ssh_private_key_file
+      raise GitWorktreeException::InvalidCredentials, "Please provide username for URL #{url}" if username.blank?
+
+      Rugged::Credentials::SshKey.new(
+        :username   => username,
+        :privatekey => @ssh_private_key_file.path,
+        :passphrase => @password.presence
+      )
+    else
+      raise GitWorktreeException::InvalidCredentials, "Please provide username and password for URL #{url}" if @username.blank? || @password.blank?
+
+      Rugged::Credentials::UserPassword.new(
+        :username => @username,
+        :password => @password
+      )
+    end
+  end
+
   def current_branch
     @repo.head_unborn? ? 'master' : @repo.head.name.sub(/^refs\/heads\//, '')
   end
@@ -231,9 +265,9 @@ def fetch_and_merge
   end
 
   def fetch
-    @credentials_set = false
-    options = {:credentials => method(:credentials_cb), :certificate_check => @certificate_check_cb}
-    @repo.fetch(@remote_name, options)
+    with_credential_options do |cred_options|
+      @repo.fetch(@remote_name, cred_options)
+    end
   end
 
   def pull
@@ -246,8 +280,9 @@ def merge_and_push(commit)
       @saved_cid = @repo.ref(local_ref).target.oid
       merge(commit, rebase)
       rebase = true
-      @credentials_set = false
-      @repo.push(@remote_name, [local_ref], :credentials => method(:credentials_cb))
+      with_credential_options do |cred_options|
+        @repo.push(@remote_name, [local_ref], cred_options)
+      end
     end
   end
 
@@ -300,9 +335,10 @@ def open_repo
   end
 
   def clone(url)
-    @credentials_set = false
-    options = {:credentials => method(:credentials_cb), :bare => true, :remote => @remote_name, :certificate_check => @certificate_check_cb}
-    @repo = Rugged::Repository.clone_at(url, @path, options)
+    @repo = with_credential_options do |cred_options|
+      options = cred_options.merge(:bare => true, :remote => @remote_name)
+      Rugged::Repository.clone_at(url, @path, options)
+    end
   end
 
   def fetch_entry(path)
@@ -356,7 +392,7 @@ def current_index
   end
 
   def create_commit(message, tree, parents)
-    author = {:email => @email, :name => @username, :time => Time.now}
+    author = {:email => @email, :name => @username || @email, :time => Time.now}
     # Create the actual commit but dont update the reference
     Rugged::Commit.create(@repo, :author  => author,  :committer  => author,
                                  :message => message, :parents    => parents,

@@ -14,4 +14,5 @@ class BranchMissing < RuntimeError; end
   class TagMissing < RuntimeError; end
   class RefMissing < RuntimeError; end
   class InvalidCredentials < RuntimeError; end
+  class InvalidCredentialType < RuntimeError; end
 end
@@ -324,27 +324,92 @@ def open_existing_repo
     end
   end
 
-  shared_examples_for '#credentials_cb' do |error_regex|
+  describe "#new" do
     let(:git_repo_path) { Rails.root.join("spec", "fixtures", "git_repos", "branch_and_tag.git") }
-    let(:test_repo) { GitWorktree.new(:path => git_repo_path.to_s, :username => username, :password => password) }
 
-    it "call the credentials callback" do
-      expect(test_repo.credentials_cb("url", nil, nil).class).to eq(Rugged::Credentials::UserPassword)
-      expect { test_repo.credentials_cb("url", nil, nil) }.to raise_error(GitWorktreeException::InvalidCredentials, error_regex)
+    it "raises an exception if SSH requested, but rugged is not compiled with SSH support" do
+      require "rugged"
+      expect(Rugged).to receive(:features).and_return([:threads, :https])
+
+      expect {
+        GitWorktree.new(:path => git_repo_path, :ssh_private_key => "fake key\nfile content")
+      }.to raise_error(GitWorktreeException::InvalidCredentialType)
     end
   end
 
-  context "no username and password set" do
-    let(:username) { nil }
-    let(:password) { nil }
+  describe "#with_credential_options" do
+    let(:git_repo_path) { Rails.root.join("spec", "fixtures", "git_repos", "branch_and_tag.git") }
 
-    it_behaves_like '#credentials_cb', /provide username and password/
-  end
+    subject do
+      repo.with_credential_options do |cred_options|
+        cred_options[:credentials].call("url", nil, [])
+      end
+    end
+
+    describe "via plaintext" do
+      let(:repo) { described_class.new(:path => git_repo_path.to_s, :username => username, :password => password) }
+      let(:username) { "fred" }
+      let(:password) { "pa$$w0rd" }
+
+      it "with both username and password" do
+        expect(subject).to be_a Rugged::Credentials::UserPassword
+      end
+
+      context "with no username" do
+        let(:username) { nil }
+
+        it "raises an exception" do
+          expect { subject }.to raise_error(GitWorktreeException::InvalidCredentials, /provide username and password for/)
+        end
+      end
+
+      context "with no password" do
+        let(:password) { nil }
+
+        it "raises an exception" do
+          expect { subject }.to raise_error(GitWorktreeException::InvalidCredentials, /provide username and password for/)
+        end
+      end
+    end
+
+    describe "via SSH" do
+      let(:repo) { described_class.new(:path => git_repo_path.to_s, :username => username, :ssh_private_key => ssh_private_key, :password => password) }
+      let(:username) { "git" }
+      let(:ssh_private_key) { "fake key\nfile content" }
+      let(:password) { "pa$$w0rd" }
+
+      before do
+        require "rugged"
+        allow(Rugged).to receive(:features).and_return([:threads, :https, :ssh])
+      end
+
+      it "with username, ssh_private_key, and password" do
+        expect(subject).to be_a Rugged::Credentials::SshKey
+      end
+
+      context "with no username" do
+        let(:username) { nil }
 
-  context "bad username or password" do
-    let(:username) { 'fred' }
-    let(:password) { 'incorrect' }
+        it "raises an exception" do
+          expect { subject }.to raise_error(GitWorktreeException::InvalidCredentials, /provide username for/)
+        end
+      end
+
+      context "with no password" do
+        let(:password) { nil }
+
+        it "creates a password-less ssh key cred" do
+          expect(subject).to be_a Rugged::Credentials::SshKey
+        end
+      end
 
-    it_behaves_like '#credentials_cb', /Invalid credentials/
+      context "with no ssh_private_key" do
+        let(:ssh_private_key) { nil }
+
+        it "treats it like a user/pass" do
+          expect(subject).to be_a Rugged::Credentials::UserPassword
+        end
+      end
+    end
   end
 end
@@ -64,7 +64,7 @@
         repo.update_authentication(:default => {:userid => userid, :password => password})
         expect(GitWorktree).to receive(:new).with(clone_args).and_return(gwt)
         expect(GitWorktree).to receive(:new).with(args).and_return(gwt)
-        expect(gwt).to receive(:fetch_and_merge).with(no_args)
+        expect(gwt).to receive(:pull).with(no_args)
 
         repo.refresh
         expect(repo.default_authentication.userid).to eq(userid)
@@ -79,7 +79,7 @@
           args[:certificate_check] = repo.method(:self_signed_cert_cb)
           expect(GitWorktree).to receive(:new).with(clone_args).and_return(gwt)
           expect(GitWorktree).to receive(:new).with(args).and_return(gwt)
-          expect(gwt).to receive(:fetch_and_merge).with(no_args)
+          expect(gwt).to receive(:pull).with(no_args)
 
           repo.refresh
         end
@@ -99,7 +99,7 @@
 
       expect(repo).to receive(:clone_repo_if_missing).once.with(no_args).and_call_original
       expect(GitWorktree).to receive(:new).with(anything).and_return(gwt)
-      expect(gwt).to receive(:fetch_and_merge).with(no_args)
+      expect(gwt).to receive(:pull).with(no_args)
 
       repo.refresh
       expect(repo.git_branches.collect(&:name)).to match_array(branch_list)
@@ -110,7 +110,7 @@
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
       expect(gwt).to receive(:branches).with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).with(no_args).and_return(tag_list)
-      expect(gwt).to receive(:fetch_and_merge).with(no_args)
+      expect(gwt).to receive(:pull).with(no_args)
 
       allow(gwt).to receive(:branch_info) do |name|
         branch_info_hash[name]
@@ -127,7 +127,7 @@
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
       expect(gwt).to receive(:branches).with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).with(no_args).and_return(tag_list)
-      expect(gwt).to receive(:fetch_and_merge).with(no_args)
+      expect(gwt).to receive(:pull).with(no_args)
 
       allow(gwt).to receive(:branch_info) do |name|
         branch_info_hash[name]
@@ -144,7 +144,7 @@
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
       expect(gwt).to receive(:branches).with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).with(no_args).and_return(tag_list)
-      expect(gwt).to receive(:fetch_and_merge).with(no_args)
+      expect(gwt).to receive(:pull).with(no_args)
 
       allow(gwt).to receive(:branch_info) do |name|
         branch_info_hash[name]
@@ -160,7 +160,7 @@
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
       expect(gwt).to receive(:branches).with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).with(no_args).and_return(tag_list)
-      expect(gwt).to receive(:fetch_and_merge).with(no_args)
+      expect(gwt).to receive(:pull).with(no_args)
 
       allow(gwt).to receive(:branch_info) do |name|
         branch_info_hash[name]
@@ -174,7 +174,7 @@
 
     it "#refresh branches deleted" do
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
-      expect(gwt).to receive(:fetch_and_merge).twice.with(no_args)
+      expect(gwt).to receive(:pull).twice.with(no_args)
       expect(gwt).to receive(:branches).twice.with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).twice.with(no_args).and_return(tag_list)
 
@@ -194,7 +194,7 @@
 
     it "#refresh tags deleted" do
       expect(GitWorktree).to receive(:new).twice.with(anything).and_return(gwt)
-      expect(gwt).to receive(:fetch_and_merge).twice.with(no_args)
+      expect(gwt).to receive(:pull).twice.with(no_args)
       expect(gwt).to receive(:branches).twice.with(anything).and_return(branch_list)
       expect(gwt).to receive(:tags).twice.with(no_args).and_return(tag_list)