-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modified to use Git with PAT #4571
base: master
Are you sure you want to change the base?
Conversation
Sorry... |
0cbfcc1
to
028e54d
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4571 +/- ##
==========================================
- Coverage 29.23% 28.93% -0.30%
==========================================
Files 318 317 -1
Lines 40597 40413 -184
==========================================
- Hits 11870 11695 -175
+ Misses 27787 27786 -1
+ Partials 940 932 -8 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Left a comment. PTAL 👀
pkg/config/piped_test.go
Outdated
func TestPipeGitValidate(t *testing.T) { | ||
t.Parallel() | ||
testcases := []struct { | ||
git PipedGit | ||
err error | ||
}{ | ||
{ | ||
git: PipedGit{ | ||
SSHKeyData: "sshkey1", | ||
PersonalAccessToken: PipedGitPersonalAccessToken{ | ||
UserName: "UserName", | ||
UserToken: "UserToken", | ||
}, | ||
}, | ||
err: errors.New("cannot configure both sshKeyData or sshKeyFile and personalAccessToken"), | ||
}, | ||
{ | ||
git: PipedGit{ | ||
SSHKeyData: "sshkey2", | ||
}, | ||
err: nil, | ||
}, | ||
{ | ||
git: PipedGit{ | ||
PersonalAccessToken: PipedGitPersonalAccessToken{ | ||
UserName: "UserName", | ||
UserToken: "UserToken", | ||
}, | ||
}, | ||
err: nil, | ||
}, | ||
{ | ||
git: PipedGit{ }, | ||
err: nil, | ||
}, | ||
} | ||
for _, tc := range testcases { | ||
tc := tc | ||
t.Run(tc.git.SSHKeyData, func(t *testing.T) { | ||
t.Parallel() | ||
err := tc.git.Validate() | ||
assert.Equal(t, tc.err, err) | ||
}) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO, the test above misses some cases.
Can you copy and paste the test bellow, fix TODO
s, and run it?
func TestPipeGitValidate(t *testing.T) {
t.Parallel()
testcases := []struct {
name string
git PipedGit
err error
}{
{
name: "both SSH and PAT are valid",
git: PipedGit{
SSHKeyData: "sshkey1",
PersonalAccessToken: PipedGitPersonalAccessToken{
UserName: "UserName",
UserToken: "UserToken",
},
},
err: errors.New("cannot configure both sshKeyData or sshKeyFile and personalAccessToken"),
},
{
name: "Both SSH and PAT is not valid",
git: PipedGit{
SSHKeyFile: "sshkeyfile",
SSHKeyData: "sshkeydata",
PersonalAccessToken: PipedGitPersonalAccessToken{
UserName: "",
UserToken: "UserToken",
},
},
// TODO: should return error
},
{
name: "SSH key data is not empty",
git: PipedGit{
SSHKeyData: "sshkey2",
},
err: nil,
},
{
name: "SSH key file is not empty",
git: PipedGit{
SSHKeyFile: "sshkey2",
},
err: nil,
},
{
name: "Both SSH file and data is not empty",
git: PipedGit{
SSHKeyData: "sshkeydata",
SSHKeyFile: "sshkeyfile",
},
// TODO: should return error
},
{
name: "PAT is valid",
git: PipedGit{
PersonalAccessToken: PipedGitPersonalAccessToken{
UserName: "UserName",
UserToken: "UserToken",
},
},
err: nil,
},
{
name: "PAT username is empty",
git: PipedGit{
PersonalAccessToken: PipedGitPersonalAccessToken{
UserName: "UserName",
UserToken: "",
},
},
// TODO: should return error
},
{
name: "PAT token is empty",
git: PipedGit{
PersonalAccessToken: PipedGitPersonalAccessToken{
UserName: "",
UserToken: "UserToken",
},
},
// TODO: should return error
},
{
name: "Git config is empty",
git: PipedGit{},
err: nil,
},
}
for _, tc := range testcases {
tc := tc
t.Run(tc.git.SSHKeyData, func(t *testing.T) {
t.Parallel()
err := tc.git.Validate()
assert.Equal(t, tc.err, err)
})
}
}
ab21a52
to
4256c8f
Compare
4256c8f
to
bd09e24
Compare
@@ -49,6 +49,13 @@ spec: | |||
| hostName | string | The hostname or IP address of the remote git server. Default is the same value with Host. | No | | |||
| sshKeyFile | string | The path to the private ssh key file. This will be used to clone the source code of the specified git repositories. | No | | |||
| sshKeyData | string | Base64 encoded string of SSH key. | No | | |||
| personalAccessToken | [PipedGitPersonalAccessToken](#gitPersonalAccessToken) | Configuration for personal access token. | No | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just realized that;
PipeCD supports not only GitHub but also Git services(GitLab, self-host Git server, etc.).
So, it should be how this configuration can be used for other Git services.
How about simply adding password
instead of personalAccessToken
?
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you suggesting replacing the Personal Access Token with a password?
Using a password might lead to confusion, so maybe we could stick with some form of access token instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right. It can be confusing for GitHub users. But, IMHO, using the word password should be better because Personal access tokens can be used in GitHub (and GitLab as well), but it is not required for being a Git server. PipeCD supports Git (not GitHub) so it should respect Git terminology.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since 'Password' overlaps with the variable name, 'PersonalAccessToken' renamed to 'PasswordAuth' and 'userToken' to 'Password'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kentakozuka
Sorry I forgot to add a mentions...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sZma5a @kentakozuka
To clarify this discussion, I want to organize your opinions and give my opinion 👀
Feel free to tell me if there is a misunderstanding :)
The point is whether to define a variable only for PAT or not.
For me, each opinion of yours seems to be like below 👀
[@kentakozuka 's opinion]
GitHub's PAT behaves like a password on the git. It's just a password on the git.
[@sZma5a 's opinion]
PAT is a different role from a password. So It's confusing to define it as a Password.
I think both opinions are important points 👍
So I will try to give my opinion after considering those opinions!
[IMO]
- Define the variable as a
Password
(spec.git.password
on piped config) because PAT is just a password on git. (ref: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#using-a-personal-access-token-on-the-command-line) - The
Password
is like a base64 encoded value to avoid the security risk. (the same assshKeyData
) - Add documents and comments to explain that we can use both PAT and a password for
spec.git.password
.- The example is "the password for git. You can also use GitHub's Personal Access Token."
Maybe this PR is like a supporting password for git on piped :)
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Understood, thank you very much!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ffjlabo @kentakozuka
Sorry it took so long to fix.
I have modified the PAT settings to use a password, and updated it to work with the existing Git username!
How does this look?
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
a358cde
to
ffeea16
Compare
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: Your Name <you@example.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: swallow <masaaki@haribote-lab.net> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: Your Name <you@example.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: swallow <masaaki@haribote-lab.net> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: Your Name <you@example.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: swallow <masaaki@haribote-lab.net> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: Your Name <you@example.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: swallow <masaaki@haribote-lab.net> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: swallow <masaaki@haribote-lab.net> Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
authentication instead of personal access token Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com> Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
…ation in git client Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: 鈴木 優耀 <suzuki_masaaki@cyberagent.co.jp> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
…ction Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
…on-reference.md Co-authored-by: Yoshiki Fujikane <40124947+ffjlabo@users.noreply.github.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Co-authored-by: Yoshiki Fujikane <40124947+ffjlabo@users.noreply.github.com> Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
Signed-off-by: sZma5a <masaaki.haribote@gmail.com>
0546cb7
to
1291bab
Compare
@sZma5a Thank you for the fix! I'm checking 👍 |
authArgs := []string{} | ||
if c.username != "" && c.password != "" { | ||
token := fmt.Sprintf("%s:%s", c.username, c.password) | ||
encodedToken := base64.StdEncoding.EncodeToString([]byte(token)) | ||
header := fmt.Sprintf("Authorization: Basic %s", encodedToken) | ||
authArgs = append(authArgs, "-c", fmt.Sprintf("http.extraHeader=%s", header)) | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At first, thank you for investigating and the fix 🙏 I don't know such an option! It's so helpful 👍
noted: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpextraHeader
I tried the expected command with a private repo git -c http.extraHeader="Authorization: Basic <base64 encoded value of username:password>" clone https://github.com/ffjlabo-playground/git-test.git
on mac.
I encountered the behaviors written below. Does below also reproduce on your machine? Could you try it?
- It shows the prompts for username and password like this↓
% git -c http.extraHeader="Authorization: Basic <base64 encoded value of username:password>" clone https://github.com/ffjlabo-playground/git-test.git
Cloning into 'git-test'...
Username for 'https://github.com':
- When I input the username and password as empty, then It shows the auth error like this↓
% git -c http.extraHeader="Authorization: Basic <base64 encoded value of username:password>" clone https://github.com/ffjlabo-playground/git-test.git
Cloning into 'git-test'...
Username for 'https://github.com':
Password for 'https://github.com':
remote: Support for password authentication was removed on August 13, 2021.
remote: Please see https://docs.github.com/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.
fatal: Authentication failed for 'https://github.com/ffjlabo-playground/git-test.git/'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry...
It worked when we looked into it before, but we will look into it again and verify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Don't worry! I think this is a challenging. I'm so helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @sZma5a ! Do you have any updates on the above? If you want some helps, feel free to ping me 👍
What this PR does / why we need it: Modified to use Personal Access Token since currently only SSH can control the Git repository.
Which issue(s) this PR fixes:
Fixes #4106
Does this PR introduce a user-facing change?: Yes