
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorGabriel Mazetto <gabriel@gitlab.com>2022-01-13 21:01:59 +0300
committerGabriel Mazetto <gabriel@gitlab.com>2022-02-22 19:43:55 +0300
commitf613c980c82f2f0970f89b9c2c255c14f7618fe9 (patch)
treef034b389c28d0376a244eb9d364be22210b16577
parente796325f55fd03126cf948699de6d7f31308e147 (diff)
repository: Use optional auth token for cloningbrodock/gitaly-clone-improvements
This can be used by Geo to authenticate against a primary node.

Changelog: changed
-rw-r--r--internal/gitaly/service/repository/create_repository_from_url.go8
-rw-r--r--internal/gitaly/service/repository/create_repository_from_url_test.go27
-rw-r--r--proto/go/gitalypb/repository-service.pb.go2
-rw-r--r--proto/repository-service.proto2
4 files changed, 34 insertions, 5 deletions
diff --git a/internal/gitaly/service/repository/create_repository_from_url.go b/internal/gitaly/service/repository/create_repository_from_url.go
index 3c3b09484..1280d78fb 100644
--- a/internal/gitaly/service/repository/create_repository_from_url.go
+++ b/internal/gitaly/service/repository/create_repository_from_url.go
@@ -18,7 +18,7 @@ import (
func (s *server) cloneFromURLCommand(
ctx context.Context,
- repoURL, repoHost, repositoryFullPath string,
+ repoURL, repoHost, repositoryFullPath, authorizationToken string,
opts ...git.CmdOpt,
) (*command.Command, error) {
u, err := url.Parse(repoURL)
@@ -46,6 +46,11 @@ func (s *server) cloneFromURLCommand(
u.User = nil
authHeader := fmt.Sprintf("Authorization: Basic %s", base64.StdEncoding.EncodeToString([]byte(creds)))
config = append(config, git.ConfigPair{Key: "http.extraHeader", Value: authHeader})
+ } else {
+ if len(authorizationToken) > 0 {
+ authHeader := fmt.Sprintf("Authorization: %s", authorizationToken)
+ config = append(config, git.ConfigPair{Key: "http.extraHeader", Value: authHeader})
+ }
}
if repoHost != "" {
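Review bot: `authorizationToken` is interpolated verbatim into the `http.extraHeader` value in the new `else` branch, so a value containing CR or LF could smuggle additional header lines into the clone request; nothing visible in this hunk rejects that. A guard ahead of the `fmt.Sprintf`, for example `if strings.ContainsAny(authorizationToken, "\r\n") { return nil, errors.New("authorization token must not contain line breaks") }`, would close it. The branch also drops the token silently when the URL carries userinfo, which deserves a comment such as `// URL credentials take precedence; authorizationToken is ignored when both are set`, and the nested `else { if … }` can be flattened to `else if authorizationToken != "" {`. The body of cloneFromURLCommand starts and ends outside this hunk, so validation elsewhere in the function would not be visible here.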
@@ -86,6 +91,7 @@ func (s *server) CreateRepositoryFromURL(ctx context.Context, req *gitalypb.Crea
req.GetUrl(),
req.GetHttpHost(),
targetPath,
+ req.GetHttpAuthorizationHeader(),
git.WithStderr(&stderr),
git.WithDisabledHooks(),
)
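Review bot: The value forwarded here is named and documented as a header (`http_authorization_header`, "the HTTP header which can be added to the request"), but cloneFromURLCommand prepends `Authorization: ` itself and calls the parameter `authorizationToken`, so a caller that sends a complete header line would produce `Authorization: Authorization: …`. The contract should be written down once, for instance a comment on the parameter reading `// authorizationToken is the Authorization header value including its scheme, without the header name`, with the proto field comment worded to match. CreateRepositoryFromURL continues outside this hunk, so any request-level validation of the field is not visible here.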
diff --git a/internal/gitaly/service/repository/create_repository_from_url_test.go b/internal/gitaly/service/repository/create_repository_from_url_test.go
index 77fbd486c..959c9717d 100644
--- a/internal/gitaly/service/repository/create_repository_from_url_test.go
+++ b/internal/gitaly/service/repository/create_repository_from_url_test.go
@@ -135,10 +135,11 @@ func TestCreateRepositoryFromURL_redirect(t *testing.T) {
require.Contains(t, err.Error(), "The requested URL returned error: 301")
}
-func TestCloneRepositoryFromUrlCommand(t *testing.T) {
+func TestServer_CloneFromURLCommand(t *testing.T) {
t.Parallel()
ctx := testhelper.Context(t)
+ var authToken string
userInfo := "user:pass%21%3F%40"
repositoryFullPath := "full/path/to/repository"
url := fmt.Sprintf("https://%s@192.0.2.1/secretrepo.git", userInfo)
@@ -146,7 +147,7 @@ func TestCloneRepositoryFromUrlCommand(t *testing.T) {
cfg := testcfg.Build(t)
s := server{cfg: cfg, gitCmdFactory: gittest.NewCommandFactory(t, cfg)}
- cmd, err := s.cloneFromURLCommand(ctx, url, host, repositoryFullPath, git.WithDisabledHooks())
+ cmd, err := s.cloneFromURLCommand(ctx, url, host, repositoryFullPath, authToken, git.WithDisabledHooks())
require.NoError(t, err)
expectedScrubbedURL := "https://192.0.2.1/secretrepo.git"
@@ -161,6 +162,28 @@ func TestCloneRepositoryFromUrlCommand(t *testing.T) {
require.NotContains(t, args, userInfo)
}
+func TestServer_CloneFromURLCommand_withToken(t *testing.T) {
+ t.Parallel()
+ ctx := testhelper.Context(t)
+
+ repositoryFullPath := "full/path/to/repository"
+ url := "https://www.example.com/secretrepo.git"
+ authToken := "GL-Geo EhEhKSUk_385GSLnS7BI:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoie1wic2NvcGVcIjpcInJvb3QvZ2l0bGFiLWNlXCJ9IiwianRpIjoiNmQ4ZDM1NGQtZjUxYS00MDQ5LWExZjctMjUyMjk4YmQwMTI4IiwiaWF0IjoxNjQyMDk1MzY5LCJuYmYiOjE2NDIwOTUzNjQsImV4cCI6MTY0MjA5NTk2OX0.YEpfzg8305dUqkYOiB7_dhbL0FVSaUPgpSpMuKrgNrg"
+
+ cfg := testcfg.Build(t)
+ s := server{cfg: cfg, gitCmdFactory: gittest.NewCommandFactory(t, cfg)}
+ cmd, err := s.cloneFromURLCommand(ctx, url, "", repositoryFullPath, authToken, git.WithDisabledHooks())
+ require.NoError(t, err)
+
+ expectedScrubbedURL := "https://www.example.com/secretrepo.git"
+ expectedBasicAuthHeader := fmt.Sprintf("Authorization: %s", authToken)
+ expectedHeader := fmt.Sprintf("http.extraHeader=%s", expectedBasicAuthHeader)
+
+ args := cmd.Args()
+ require.Contains(t, args, expectedScrubbedURL)
+ require.Contains(t, args, expectedHeader)
+}
+
func gitServerWithBasicAuth(ctx context.Context, t testing.TB, gitCmdFactory git.CommandFactory, user, pass, repoPath string) (int, func() error) {
return gittest.HTTPServer(ctx, t, gitCmdFactory, repoPath, basicAuthMiddleware(t, user, pass))
}
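Review bot: The assertion `require.Contains(t, args, expectedHeader)` pins the credential into the git argument list, where it is readable by anything on the host that can list process arguments and by any logging of the command line; the pre-existing Basic branch has the same property. If the supported git version allows it, passing the pair through the environment (`GIT_CONFIG_COUNT`, `GIT_CONFIG_KEY_0`, `GIT_CONFIG_VALUE_0`) and asserting `require.NotContains(t, args, authToken)` would keep it out of argv. The `authToken` fixture is a full JWT-shaped string with a signature segment, which secret scanners will flag; a constructed value such as `"GL-Geo test-access-key:test-token"` exercises the same path. `expectedBasicAuthHeader` is misnamed for a non-Basic scheme, and no case covers a URL with userinfo combined with a token.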
diff --git a/proto/go/gitalypb/repository-service.pb.go b/proto/go/gitalypb/repository-service.pb.go
index e70994342..1e99d9746 100644
--- a/proto/go/gitalypb/repository-service.pb.go
+++ b/proto/go/gitalypb/repository-service.pb.go
@@ -2167,7 +2167,7 @@ type CreateRepositoryFromURLRequest struct {
// URL hostname has already been resolved to an IP address to prevent DNS
// rebinding.
HttpHost string `protobuf:"bytes,3,opt,name=http_host,json=httpHost,proto3" json:"http_host,omitempty"`
- // http_authorization_header is the HTTP header which should be added to
+ // http_authorization_header is the HTTP header which can be added to
// the request in order to authenticate against the repository.
HttpAuthorizationHeader string `protobuf:"bytes,4,opt,name=http_authorization_header,json=httpAuthorizationHeader,proto3" json:"http_authorization_header,omitempty"`
}
diff --git a/proto/repository-service.proto b/proto/repository-service.proto
index 5228a0392..cbdd2c434 100644
--- a/proto/repository-service.proto
+++ b/proto/repository-service.proto
@@ -519,7 +519,7 @@ message CreateRepositoryFromURLRequest {
// URL hostname has already been resolved to an IP address to prevent DNS
// rebinding.
string http_host = 3;
- // http_authorization_header is the HTTP header which should be added to
+ // http_authorization_header is the HTTP header which can be added to
// the request in order to authenticate against the repository.
string http_authorization_header = 4;
}