add ssh support

actions · Mar 10, 2020 · eb22d79 · eb22d79
1 parent 80602fa
commit eb22d79
Show file tree

Hide file tree

Showing 9 changed files with 586 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -45,14 +45,32 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # Otherwise, defaults to `master`.
     ref: ''
 
-    # Auth token used to fetch the repository. The token is stored in the local git
-    # config, which enables your scripts to run authenticated git commands. The
-    # post-job step removes the token from the git config. [Learn more about creating
-    # and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    # Personal access token (PAT) used to fetch the repository. The PAT is configured
+    # with the local git config, which enables your scripts to run authenticated git
+    # commands. The post-job step removes the PAT. [Learn more about creating and
+    # using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     # Default: ${{ github.token }}
     token: ''
 
-    # Whether to persist the token in the git config
+    # SSH key used to fetch the repository. SSH key is configured with the local git
+    # config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the SSH key. [Learn more about creating and using
+    # encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    ssh-key: ''
+
+    # Known hosts in addition to the user and global host key database. The public SSH
+    # keys for a host may be obtained using the utility `ssh-keyscan`. For example,
+    # `ssh-keyscan github.com`. The public key for github.com is always implicitly
+    # added.
+    ssh-known-hosts: ''
+
+    # Whether to perform strict host key checking. When true, adds the options
+    # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
+    # the input `ssh-known-hosts` to configure additional hosts.
+    # Default: true
+    ssh-strict: ''
+
+    # Whether to configure the token or SSH key with the local git config
     # Default: true
     persist-credentials: ''
 

diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts
@@ -16,9 +16,13 @@ let runnerTemp: string
 let tempHomedir: string
 let git: IGitCommandManager & {env: {[key: string]: string}}
 let settings: IGitSourceSettings
+let sshPath: string
 
 describe('git-auth-helper tests', () => {
   beforeAll(async () => {
+    // SSH
+    sshPath = await io.which('ssh')
+
     // Clear test workspace
     await io.rmRF(testWorkspace)
   })
@@ -108,6 +112,51 @@ describe('git-auth-helper tests', () => {
     }
   )
 
+  const configureAuth_copiesUserKnownHosts = 'configureAuth copies user known hosts'
+  it(configureAuth_copiesUserKnownHosts, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${configureAuth_copiesUserKnownHosts}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arange
+    await setup(configureAuth_copiesUserKnownHosts)
+    expect(settings.sshKey).toBeTruthy() // sanity check
+
+    // Mock fs.promises.readFile
+    const realReadFile = fs.promises.readFile
+    jest.spyOn(fs.promises, 'readFile').mockImplementation(
+      async (file: any, options: any): Promise<Buffer> => {
+        const userKnownHostsPath = path.join(
+          os.homedir(),
+          '.ssh',
+          'known_hosts'
+        )
+        if (file === userKnownHostsPath) {
+          return Buffer.from('some-domain.com ssh-rsa ABCDEF')
+        }
+
+        return await realReadFile(file, options)
+      }
+    )
+
+    // Act
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    await authHelper.configureAuth()
+
+    // Assert known hosts
+    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
+    const actualSshKnownHostsContent = (
+      await fs.promises.readFile(actualSshKnownHostsPath)
+    ).toString()
+    expect(actualSshKnownHostsContent).toMatch(
+      /some-domain\.com ssh-rsa ABCDEF/
+    )
+    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
+  })
+
   const configureAuth_registersBasicCredentialAsSecret =
     'configureAuth registers basic credential as secret'
   it(configureAuth_registersBasicCredentialAsSecret, async () => {
@@ -129,6 +178,151 @@ describe('git-auth-helper tests', () => {
     expect(setSecretSpy).toHaveBeenCalledWith(expectedSecret)
   })
 
+  const setsSshCommandEnvVarWhenPersistCredentialsFalse =
+    'sets SSH command env var when persist-credentials false'
+  it(setsSshCommandEnvVarWhenPersistCredentialsFalse, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${setsSshCommandEnvVarWhenPersistCredentialsFalse}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arrange
+    await setup(setsSshCommandEnvVarWhenPersistCredentialsFalse)
+    settings.persistCredentials = false
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+
+    // Assert git env var
+    const actualKeyPath = await getActualSshKeyPath()
+    const actualKnownHostsPath = await getActualSshKnownHostsPath()
+    const expectedSshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
+      actualKeyPath
+    )}" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
+      actualKnownHostsPath
+    )}"`
+    expect(git.setEnvironmentVariable).toHaveBeenCalledWith(
+      'GIT_SSH_COMMAND',
+      expectedSshCommand
+    )
+
+    // Asserty git config
+    const gitConfigLines = (await fs.promises.readFile(gitConfigPath))
+      .toString()
+      .split('\n')
+      .filter(x => x)
+    expect(gitConfigLines).toHaveLength(1)
+    expect(gitConfigLines[0]).toMatch(/^http\./)
+  })
+
+  const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
+    'sets SSH command when persist-credentials true'
+  it(configureAuth_setsSshCommandWhenPersistCredentialsTrue, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${configureAuth_setsSshCommandWhenPersistCredentialsTrue}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arrange
+    await setup(configureAuth_setsSshCommandWhenPersistCredentialsTrue)
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+
+    // Assert git env var
+    const actualKeyPath = await getActualSshKeyPath()
+    const actualKnownHostsPath = await getActualSshKnownHostsPath()
+    const expectedSshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
+      actualKeyPath
+    )}" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
+      actualKnownHostsPath
+    )}"`
+    expect(git.setEnvironmentVariable).toHaveBeenCalledWith(
+      'GIT_SSH_COMMAND',
+      expectedSshCommand
+    )
+
+    // Asserty git config
+    expect(git.config).toHaveBeenCalledWith(
+      'core.sshCommand',
+      expectedSshCommand
+    )
+  })
+
+  const configureAuth_writesExplicitKnownHosts = 'writes explicit known hosts'
+  it(configureAuth_writesExplicitKnownHosts, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${configureAuth_writesExplicitKnownHosts}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arrange
+    await setup(configureAuth_writesExplicitKnownHosts)
+    expect(settings.sshKey).toBeTruthy() // sanity check
+    settings.sshKnownHosts = 'my-custom-host.com ssh-rsa ABC123'
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+
+    // Assert known hosts
+    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
+    const actualSshKnownHostsContent = (
+      await fs.promises.readFile(actualSshKnownHostsPath)
+    ).toString()
+    expect(actualSshKnownHostsContent).toMatch(
+      /my-custom-host\.com ssh-rsa ABC123/
+    )
+    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
+  })
+
+  const configureAuth_writesSshKeyAndImplicitKnownHosts =
+    'writes SSH key and implicit known hosts'
+  it(configureAuth_writesSshKeyAndImplicitKnownHosts, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${configureAuth_writesSshKeyAndImplicitKnownHosts}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arrange
+    await setup(configureAuth_writesSshKeyAndImplicitKnownHosts)
+    expect(settings.sshKey).toBeTruthy() // sanity check
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+
+    // Assert SSH key
+    const actualSshKeyPath = await getActualSshKeyPath()
+    expect(actualSshKeyPath).toBeTruthy()
+    const actualSshKeyContent = (
+      await fs.promises.readFile(actualSshKeyPath)
+    ).toString()
+    expect(actualSshKeyContent).toBe(settings.sshKey + '\n')
+    if (!isWindows) {
+      expect((await fs.promises.stat(actualSshKeyPath)).mode & 0o777).toBe(
+        0o600
+      )
+    }
+
+    // Assert known hosts
+    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
+    const actualSshKnownHostsContent = (
+      await fs.promises.readFile(actualSshKnownHostsPath)
+    ).toString()
+    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
+  })
+
   const configureGlobalAuth_copiesGlobalGitConfig =
     'configureGlobalAuth copies global git config'
   it(configureGlobalAuth_copiesGlobalGitConfig, async () => {
@@ -254,6 +448,60 @@ describe('git-auth-helper tests', () => {
     }
   )
 
+  const removeAuth_removesSshCommand = 'removeAuth removes SSH command'
+  it(removeAuth_removesSshCommand, async () => {
+    if (!sshPath) {
+      process.stdout.write(
+        `Skipped test "${removeAuth_removesSshCommand}". Executable 'ssh' not found in the PATH.\n`
+      )
+      return
+    }
+
+    // Arrange
+    await setup(removeAuth_removesSshCommand)
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    await authHelper.configureAuth()
+    let gitConfigContent = (
+      await fs.promises.readFile(gitConfigPath)
+    ).toString()
+    expect(gitConfigContent.indexOf('core.sshCommand')).toBeGreaterThanOrEqual(
+      0
+    ) // sanity check
+    const actualKeyPath = await getActualSshKeyPath()
+    expect(actualKeyPath).toBeTruthy()
+    await fs.promises.stat(actualKeyPath)
+    const actualKnownHostsPath = await getActualSshKnownHostsPath()
+    expect(actualKnownHostsPath).toBeTruthy()
+    await fs.promises.stat(actualKnownHostsPath)
+
+    // Act
+    await authHelper.removeAuth()
+
+    // Assert git config
+    gitConfigContent = (await fs.promises.readFile(gitConfigPath)).toString()
+    expect(gitConfigContent.indexOf('core.sshCommand')).toBeLessThan(0)
+
+    // Assert SSH key file
+    try {
+      await fs.promises.stat(actualKeyPath)
+      throw new Error('SSH key should have been deleted')
+    } catch (err) {
+      if (err.code !== 'ENOENT') {
+        throw err
+      }
+    }
+
+    // Assert known hosts file
+    try {
+      await fs.promises.stat(actualKnownHostsPath)
+      throw new Error('SSH known hosts should have been deleted')
+    } catch (err) {
+      if (err.code !== 'ENOENT') {
+        throw err
+      }
+    }
+  })
+
   const removeAuth_removesToken = 'removeAuth removes token'
   it(removeAuth_removesToken, async () => {
     // Arrange
@@ -401,6 +649,36 @@ async function setup(testName: string): Promise<void> {
     ref: 'refs/heads/master',
     repositoryName: 'my-repo',
     repositoryOwner: 'my-org',
-    repositoryPath: ''
+    repositoryPath: '',
+    sshKey: sshPath ? 'some ssh private key' : '',
+    sshKnownHosts: '',
+    sshStrict: true
+  }
+}
+
+async function getActualSshKeyPath(): Promise<string> {
+  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
+    .sort()
+    .map(x => path.join(runnerTemp, x))
+  if (actualTempFiles.length === 0) {
+    return ''
   }
+
+  expect(actualTempFiles).toHaveLength(2)
+  expect(actualTempFiles[0].endsWith('_known_hosts')).toBeFalsy()
+  return actualTempFiles[0]
 }
+
+async function getActualSshKnownHostsPath(): Promise<string> {
+  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
+    .sort()
+    .map(x => path.join(runnerTemp, x))
+  if (actualTempFiles.length === 0) {
+    return ''
+  }
+
+  expect(actualTempFiles).toHaveLength(2)
+  expect(actualTempFiles[1].endsWith('_known_hosts')).toBeTruthy()
+  expect(actualTempFiles[1].startsWith(actualTempFiles[0])).toBeTruthy()
+  return actualTempFiles[1]
+}
diff --git a/action.yml b/action.yml
@@ -11,13 +11,30 @@ inputs:
       event.  Otherwise, defaults to `master`.
   token:
     description: >
-      Auth token used to fetch the repository. The token is stored in the local
-      git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the token from the git config. [Learn more about
-      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+      Personal access token (PAT) used to fetch the repository. The PAT is configured
+      with the local git config, which enables your scripts to run authenticated git
+      commands. The post-job step removes the PAT. [Learn more about creating and using
+      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     default: ${{ github.token }}
+  ssh-key:
+    description: >
+      SSH key used to fetch the repository. SSH key is configured with the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the SSH key. [Learn more about creating and using
+      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+  ssh-known-hosts:
+    description: >
+      Known hosts in addition to the user and global host key database. The public
+      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
+      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
+  ssh-strict:
+    description: >
+      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
+      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
+      configure additional hosts.
+    default: true
   persist-credentials:
-    description: 'Whether to persist the token in the git config'
+    description: 'Whether to configure the token or SSH key with the local git config'
     default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'