Commit3f5c4c3

authored
Fix git SSH clone in docker container (#172)
* Implemented ignore host key check for remote git commands. Added small git url validation.
* Use hostkey checking but only log a warning.
* Adjusted to re-try failed operation.
* Fixed small issues.
* Added empty known_hosts file to dockerfiles.
* Fixed error message to warn message.
* Fixed other tests and made a test with SSH key usage.
* Added one more test for gitCloneRepo.
* Added another test for updating a repo.
* Increase coverage.
1 parent6987967 commit3f5c4c3

11 files changed

+302
-47
lines changed


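--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -240,8 +240,11 @@ WORKDIR /app
 # Copy gaia binary into docker image
 COPY gaia-linux-amd64 /app
 
-# Fix permissions
-RUN chmod +x ./gaia-linux-amd64
+# Fix permissions & setup known hosts file for ssh agent.
+RUN chmod +x ./gaia-linux-amd64 \
+&& mkdir -p /root/.ssh \
+&& touch /root/.ssh/known_hosts \
+&& chmod 600 /root/.ssh
 
 # Set homepath as volume
 VOLUME ["${GAIA_HOMEPATH}" ]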
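Review bot: The `touch /root/.ssh/known_hosts` in the new RUN line ships the image with an empty known_hosts, so with the "key is unknown" fallback this commit adds in workers/pipeline/git.go every SSH host is unknown inside a container and host-key verification is skipped for every clone, pull and ls-remote the container performs. The directory mode is also off: `chmod 600 /root/.ssh` drops the execute bit on a directory, which only works because the process runs as root; the conventional modes are 700 for the directory and 600 for the file. Consider shipping a curated known_hosts (COPY one from the build context, or mount it at runtime) instead of an empty file, and change the last line to `&& chmod 700 /root/.ssh && chmod 600 /root/.ssh/known_hosts`. The same lines appear in Dockerfile.cpp, Dockerfile.golang, Dockerfile.java, Dockerfile.python and Dockerfile.ruby.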

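--- a/docker/Dockerfile.cpp
+++ b/docker/Dockerfile.cpp
@@ -28,8 +28,11 @@ WORKDIR /app
 # Copy gaia binary into docker image
 COPY gaia-linux-amd64 /app
 
-# Fix permissions
-RUN chmod +x ./gaia-linux-amd64
+# Fix permissions & setup known hosts filefor ssh agent.
+RUN chmod +x ./gaia-linux-amd64 \
+&& mkdir -p /root/.ssh \
+&& touch /root/.ssh/known_hosts \
+&& chmod600 /root/.ssh
 
 # Set homepath as volume
 VOLUME ["${GAIA_HOMEPATH}" ]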

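--- a/docker/Dockerfile.golang
+++ b/docker/Dockerfile.golang
@@ -11,9 +11,13 @@ WORKDIR /app
 # Copy gaia binary into docker image
 COPY gaia-linux-amd64 /app
 
-# Fix permissions and install git
-RUN chmod +x ./gaia-linux-amd64 && \
-apk add --no-cache --virtual git
+# Fix permissions & setup known hosts file for ssh agent.
+# Install git.
+RUN chmod +x ./gaia-linux-amd64 \
+&& apk add --no-cache --virtual git \
+&& mkdir -p /root/.ssh \
+&& touch /root/.ssh/known_hosts \
+&& chmod 600 /root/.ssh
 
 # Set homepath as volume
 VOLUME [ "${GAIA_HOMEPATH}" ]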

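--- a/docker/Dockerfile.java
+++ b/docker/Dockerfile.java
@@ -11,8 +11,11 @@
 #Copygaiabinaryintodockerimage
 COPYgaia-linux-amd64 /app
 
-#Fixpermissionsandinstallgit
-RUNchmod +x ./gaia-linux-amd64
+#Fixpermissions &setupknownhostsfileforsshagent.
+RUNchmod +x ./gaia-linux-amd64 \
+&&mkdir -p /root/.ssh \
+&&touch /root/.ssh/known_hosts \
+&&chmod600 /root/.ssh
 
 #Sethomepathasvolume
 VOLUME ["${GAIA_HOMEPATH}" ]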

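--- a/docker/Dockerfile.python
+++ b/docker/Dockerfile.python
@@ -16,8 +16,11 @@ WORKDIR /app
 # Copy gaia binary into docker image
 COPY gaia-linux-amd64 /app
 
-# Fix permissions
-RUN chmod +x ./gaia-linux-amd64
+# Fix permissions & setup known hosts file for ssh agent.
+RUN chmod +x ./gaia-linux-amd64 \
+&& mkdir -p /root/.ssh \
+&& touch /root/.ssh/known_hosts \
+&& chmod 600 /root/.ssh
 
 # Set homepath as volume
 VOLUME [ "${GAIA_HOMEPATH}" ]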

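--- a/docker/Dockerfile.ruby
+++ b/docker/Dockerfile.ruby
@@ -11,8 +11,11 @@ WORKDIR /app
 # Copy gaia binary into docker image
 COPYgaia-linux-amd64 /app
 
-# Fix permissions
-RUNchmod +x./gaia-linux-amd64
+# Fix permissions & setup known hosts file for ssh agent.
+RUNchmod +x./gaia-linux-amd64 \
+&&mkdir -p /root/.ssh \
+&&touch /root/.ssh/known_hosts \
+&&chmod600/root/.ssh
 
 # Set homepath as volume
 VOLUME["${GAIA_HOMEPATH}"]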

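--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/valyala/bytebufferpoolv1.0.0// indirect
 github.com/valyala/fasttemplatev0.0.0-20170224212429-dcecefd839c4// indirect
 github.com/xanzy/ssh-agentv0.2.0// indirect
-golang.org/x/cryptov0.0.0-20190103213133-ff983b9c42bc
+golang.org/x/cryptov0.0.0-20190211182817-74369b46fc67
 golang.org/x/netv0.0.0-20180826012351-8a410e7b638d
 golang.org/x/oauth2v0.0.0-20180821212333-d2e6202438be
 golang.org/x/syncv0.0.0-20181221193216-37e7f081c4d4// indirect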

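--- a/go.sum
+++ b/go.sum
@@ -55,8 +55,6 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/ptyv1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/textv0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/textv0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/labstack/echov3.3.5+incompatible h1:Y3vG4kINVWNQN8Y6Jdur8uLat7fSLV5n5yLE8n+JbF4=
-github.com/labstack/echov3.3.5+incompatible/go.mod h1:0INS7j/VjnFxD4E2wkz67b8cVwCLbBmJyDaka6Cmk1s=
 github.com/labstack/echov3.3.10+incompatible h1:pGRcYk231ExFAyoAjAfD85kQzRJCRI8bbnE7CX5OEgg=
 github.com/labstack/echov3.3.10+incompatible/go.mod h1:0INS7j/VjnFxD4E2wkz67b8cVwCLbBmJyDaka6Cmk1s=
 github.com/labstack/gommonv0.0.0-20180613044413-d6898124de91 h1:6R2WAx0PYNGtK2ZED9xKlTGEha51GsCFZijom+NMGEk=
@@ -96,6 +94,8 @@ github.com/xanzy/ssh-agent v0.2.0 h1:Adglfbi5p9Z0BmK2oKU9nTG+zKfniSfnaMYB+ULd+Ro
 github.com/xanzy/ssh-agentv0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8=
 golang.org/x/cryptov0.0.0-20190103213133-ff983b9c42bc h1:F5tKCVGp+MUAHhKp5MZtGqAlGX3+oCsiL1Q629FL90M=
 golang.org/x/cryptov0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/cryptov0.0.0-20190211182817-74369b46fc67 h1:ng3VDlRp5/DHpSWl02R4rM9I+8M2rhmsuLwAMmkLQWE=
+golang.org/x/cryptov0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/lintv0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/netv0.0.0-20180826012351-8a410e7b638d h1:g9qWBGx4puODJTMVyoPrpoxPFgVGd+z1DZwjfRu4d0I=
 golang.org/x/netv0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=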

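--- a/handlers/pipeline_test.go
+++ b/handlers/pipeline_test.go
@@ -8,6 +8,8 @@ import (
 "net/http"
 "net/http/httptest"
 "os"
+"path/filepath"
+"strings"
 "testing"
 "time"
 
@@ -62,7 +64,7 @@ func TestPipelineGitLSRemote(t *testing.T) {
 repoURL:="https://example.com"
 body:=map[string]string{
 "url":repoURL,
-"username":"admin",
+"user":"admin",
 "password":"admin",
 }
 bodyBytes,_:=json.Marshal(body)
@@ -81,9 +83,7 @@ func TestPipelineGitLSRemote(t *testing.T) {
 t.Run("otherwise succeed",func(t*testing.T) {
 repoURL:="https://github.com/gaia-pipeline/pipeline-test"
 body:=map[string]string{
-"url":repoURL,
-"username":"admin",
-"password":"admin",
+"url":repoURL,
 }
 bodyBytes,_:=json.Marshal(body)
 req:=httptest.NewRequest(echo.POST,"/api/"+gaia.APIVersion+"/pipeline/gitlsremote",bytes.NewBuffer(bodyBytes))
@@ -99,6 +99,69 @@ func TestPipelineGitLSRemote(t *testing.T) {
 })
 }
 
+funcTestPipelineGitLSRemoteWithKeys(t*testing.T) {
+samplePrivateKey:=`
+-----BEGIN RSA PRIVATE KEY-----
+MD8CAQACCQDB9DczYvFuZQIDAQABAgkAtqAKvH9QoQECBQDjAl9BAgUA2rkqJQIE
+Xbs5AQIEIzWnmQIFAOEml+E=
+-----END RSA PRIVATE KEY-----
+`
+dataDir,_:=ioutil.TempDir("","TestPipelineGitLSRemoteWithKeys")
+
+deferfunc() {
+gaia.Cfg=nil
+}()
+
+gaia.Cfg=&gaia.Config{
+Logger:hclog.NewNullLogger(),
+DataPath:dataDir,
+}
+
+e:=echo.New()
+InitHandlers(e)
+
+t.Run("invalid hostconfig for github in known_hosts file",func(t*testing.T) {
+buf:=new(bytes.Buffer)
+gaia.Cfg.Logger=hclog.New(&hclog.LoggerOptions{
+Level:hclog.Trace,
+Output:buf,
+Name:"Gaia",
+})
+hostConfig:="github.comom,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
+knownHostsLocation:=filepath.Join(dataDir,".known_hosts")
+ioutil.WriteFile(knownHostsLocation, []byte(hostConfig),0766)
+os.Setenv("SSH_KNOWN_HOSTS",knownHostsLocation)
+repoURL:="github.com:gaia-pipeline/pipeline-test"
+gr:= gaia.GitRepo{
+URL:repoURL,
+PrivateKey: gaia.PrivateKey{
+Key:samplePrivateKey,
+Username:"git",
+Password:"",
+},
+}
+bodyBytes,_:=json.Marshal(gr)
+req:=httptest.NewRequest(echo.POST,"/api/"+gaia.APIVersion+"/pipeline/gitlsremote",bytes.NewBuffer(bodyBytes))
+req.Header.Set("Content-Type","application/json")
+rec:=httptest.NewRecorder()
+c:=e.NewContext(req,rec)
+
+PipelineGitLSRemote(c)
+
+// This will fail because the above SSH key is invalid. But that is fine,
+// because the initial host file will fail earlier than that.
+ifrec.Code!=http.StatusForbidden {
+t.Fatalf("expected response code %v got %v",http.StatusForbidden,rec.Code)
+}
+
+// This is the important bit that needs to be tested.
+want:="knownhosts: key is unknown"
+if!strings.Contains(buf.String(),want) {
+t.Fatalf("wanted buf to contain: '%s', got: '%s'",want,buf.String())
+}
+})
+}
+
 funcTestPipelineUpdate(t*testing.T) {
 tmp,_:=ioutil.TempDir("","TestPipelineUpdate")
 dataDir:=tmp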
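Review bot: The new TestPipelineGitLSRemoteWithKeys sets `os.Setenv("SSH_KNOWN_HOSTS", knownHostsLocation)` and never restores it, so every later test in the package that touches the SSH path keeps reading this deliberately wrong known_hosts file; add `defer os.Unsetenv("SSH_KNOWN_HOSTS")` next to it, and `defer os.RemoveAll(dataDir)` after the TempDir call, since the directory is otherwise left behind. The `ioutil.WriteFile` error is dropped, so a failed write would surface later as an unrelated failure rather than a setup error, and 0766 makes a known_hosts file world-writable, which is not a mode anyone should copy from a test; `if err := ioutil.WriteFile(knownHostsLocation, []byte(hostConfig), 0600); err != nil { t.Fatal(err) }` covers both.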

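--- a/workers/pipeline/git.go
+++ b/workers/pipeline/git.go
@@ -5,7 +5,6 @@ import (
 "crypto/rand"
 "encoding/base64"
 "errors"
-"log"
 gohttp"net/http"
 "path"
 "regexp"
@@ -15,6 +14,7 @@ import (
 "github.com/gaia-pipeline/gaia"
 "github.com/gaia-pipeline/gaia/services"
 "github.com/google/go-github/github"
+gossh"golang.org/x/crypto/ssh"
 "golang.org/x/oauth2"
 git"gopkg.in/src-d/go-git.v4"
 "gopkg.in/src-d/go-git.v4/plumbing"
@@ -32,14 +32,19 @@ const (
 // without actually cloning the repo. This is great
 // for looking if we have access to this repo.
 funcGitLSRemote(repo*gaia.GitRepo)error {
+// Validate provided git url
+ifstrings.Contains(repo.URL,"@") {
+returnerrors.New("git url should not include username and/or password")
+}
+
 // Create new endpoint
 ep,err:=transport.NewEndpoint(repo.URL)
 iferr!=nil {
 returnerr
 }
 
 // Attach credentials if provided
-auth,err:=getAuthInfo(repo)
+auth,err:=getAuthInfo(repo,nil)
 iferr!=nil {
 returnerr
 }
@@ -53,7 +58,19 @@ func GitLSRemote(repo *gaia.GitRepo) error {
 // Open new session
 s,err:=cl.NewUploadPackSession(ep,auth)
 iferr!=nil {
-returnerr
+ifstrings.Contains(err.Error(),"knownhosts: key is unknown") {
+gaia.Cfg.Logger.Warn("Warning: Unknown host key.","error",err.Error(),"URL",repo.URL)
+auth,err:=getAuthInfo(repo,gossh.InsecureIgnoreHostKey())
+iferr!=nil {
+returnerr
+}
+s,err=cl.NewUploadPackSession(ep,auth)
+iferr!=nil {
+returnerr
+}
+}else {
+returnerr
+}
 }
 defers.Close()
 
@@ -79,7 +96,6 @@ func GitLSRemote(repo *gaia.GitRepo) error {
 // it by pulling in new code if it's available.
 funcUpdateRepository(pipe*gaia.Pipeline)error {
 r,err:=git.PlainOpen(pipe.Repo.LocalDest)
-log.Println(pipe.Repo.LocalDest)
 iferr!=nil {
 // We don't stop gaia working because of an automated update failed.
 // So we just move on.
@@ -88,23 +104,37 @@ func UpdateRepository(pipe *gaia.Pipeline) error {
 }
 gaia.Cfg.Logger.Debug("checking pipeline: ","message",pipe.Name)
 gaia.Cfg.Logger.Debug("selected branch: ","message",pipe.Repo.SelectedBranch)
-auth,err:=getAuthInfo(&pipe.Repo)
+auth,err:=getAuthInfo(&pipe.Repo,nil)
 iferr!=nil {
 // It's also an error if the repo is already up to date so we just move on.
 gaia.Cfg.Logger.Error("error getting auth info while doing a pull request: ","error",err.Error())
 returnerr
 }
 tree,_:=r.Worktree()
-err=tree.Pull(&git.PullOptions{
+o:=&git.PullOptions{
 ReferenceName:plumbing.ReferenceName(pipe.Repo.SelectedBranch),
 SingleBranch:true,
 RemoteName:"origin",
 Auth:auth,
-})
+}
+err=tree.Pull(o)
 iferr!=nil {
-// It's also an error if the repo is already up to date so we just move on.
-gaia.Cfg.Logger.Error("error while doing a pull request: ","error",err.Error())
-returnerr
+ifstrings.Contains(err.Error(),"knownhosts: key is unknown") {
+gaia.Cfg.Logger.Warn("Warning: Unknown host key.","error",err.Error(),"host","URL",pipe.Repo.URL)
+auth,err=getAuthInfo(&pipe.Repo,gossh.InsecureIgnoreHostKey())
+iferr!=nil {
+returnerr
+}
+o.Auth=auth
+err=tree.Pull(o)
+iferr!=nil {
+returnerr
+}
+}else {
+// It's also an error if the repo is already up to date so we just move on.
+gaia.Cfg.Logger.Error("error while doing a pull request: ","error",err.Error())
+returnerr
+}
 }
 
 gaia.Cfg.Logger.Debug("updating pipeline: ","message",pipe.Name)
@@ -121,21 +151,35 @@ func UpdateRepository(pipe *gaia.Pipeline) error {
 // The destination will be attached to the given repo obj.
 funcgitCloneRepo(repo*gaia.GitRepo)error {
 // Check if credentials were provided
-auth,err:=getAuthInfo(repo)
+auth,err:=getAuthInfo(repo,nil)
 iferr!=nil {
 returnerr
 }
-
-// Clone repo
-_,err=git.PlainClone(repo.LocalDest,false,&git.CloneOptions{
+o:=&git.CloneOptions{
 Auth:auth,
 URL:repo.URL,
 RecurseSubmodules:git.DefaultSubmoduleRecursionDepth,
 SingleBranch:true,
 ReferenceName:plumbing.ReferenceName(repo.SelectedBranch),
-})
+}
+// Clone repo
+_,err=git.PlainClone(repo.LocalDest,false,o)
 iferr!=nil {
-returnerr
+ifstrings.Contains(err.Error(),"knownhosts: key is unknown") {
+gaia.Cfg.Logger.Warn("Warning: Unknown host key.","error",err.Error(),"URL",repo.URL)
+auth,err=getAuthInfo(repo,gossh.InsecureIgnoreHostKey())
+iferr!=nil {
+returnerr
+}
+o.Auth=auth
+// Clone repo again with no host key verification.
+_,err=git.PlainClone(repo.LocalDest,false,o)
+iferr!=nil {
+returnerr
+}
+}else {
+returnerr
+}
 }
 
 returnnil
@@ -255,7 +299,7 @@ func generateWebhookSecret() string {
 returnstrings.TrimSuffix(based,"==")
 }
 
-funcgetAuthInfo(repo*gaia.GitRepo) (transport.AuthMethod,error) {
+funcgetAuthInfo(repo*gaia.GitRepo,callBack gossh.HostKeyCallback) (transport.AuthMethod,error) {
 varauth transport.AuthMethod
 ifrepo.Username!=""&&repo.Password!="" {
 // Basic auth provided
@@ -269,6 +313,14 @@ func getAuthInfo(repo *gaia.GitRepo) (transport.AuthMethod, error) {
 iferr!=nil {
 returnnil,err
 }
+
+ifcallBack==nil {
+callBack,err=ssh.NewKnownHostsCallback()
+iferr!=nil {
+returnnil,err
+}
+}
+auth.(*ssh.PublicKeys).HostKeyCallback=callBack
 }
 returnauth,nil
 }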
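Review bot: The retry on "knownhosts: key is unknown" in GitLSRemote, UpdateRepository and gitCloneRepo re-runs the operation with `gossh.InsecureIgnoreHostKey()`, so any host absent from known_hosts is accepted with no verification after only a warning, and because the Dockerfiles in this commit ship an empty known_hosts that is every host inside a container — an on-path attacker can then serve a pipeline repository of its own choosing and the built pipeline cannot be trusted. The substring match on err.Error() is fragile, the Warn call in UpdateRepository passes an odd key/value list (`"host","URL",pipe.Repo.URL`), and in GitLSRemote the `auth, err := getAuthInfo(...)` inside the if block shadows the outer variables (it works only because `s` is assigned with `=`, and shadow analysis will flag it). Rather than ignoring the key on every connection, gate the fallback behind an explicit configuration option (an `AllowUnknownHostKey`-style setting, name to be chosen) and, when it is taken, record the presented key in the known_hosts file so the next connection is verified and a later key change is rejected; the wrapper below does that around the callback from ssh.NewKnownHostsCallback (it needs net, os, fmt and golang.org/x/crypto/ssh/knownhosts imported, and the path passed must be the same file that callback reads). In gitCloneRepo, if the first PlainClone initialises repo.LocalDest before the handshake fails, the second call may hit git.ErrRepositoryAlreadyExists — worth confirming against the vendored go-git version.
```go
// tofuHostKey accepts and records a host key the known_hosts file has never
// seen; a host whose recorded key differs from the presented one is still rejected.
func tofuHostKey(knownHostsFile string, verify gossh.HostKeyCallback) gossh.HostKeyCallback {
	return func(hostname string, remote net.Addr, key gossh.PublicKey) error {
		err := verify(hostname, remote, key)
		keyErr, unknown := err.(*knownhosts.KeyError)
		if !unknown || len(keyErr.Want) != 0 {
			return err // verified, or a mismatch against a recorded key: never ignore
		}
		gaia.Cfg.Logger.Warn("Recording unknown host key.", "host", hostname, "file", knownHostsFile)
		f, err := os.OpenFile(knownHostsFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = fmt.Fprintln(f, knownhosts.Line([]string{hostname}, key))
		return err
	}
}
```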
