Compare commits
1 Commits
users/vanz
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
bedfb1fd4f |
@@ -94,11 +94,11 @@ describe('git-auth-helper tests', () => {
|
||||
`x-access-token:${settings.authToken}`,
|
||||
'utf8'
|
||||
).toString('base64')
|
||||
// expect(
|
||||
// configContent.indexOf(
|
||||
// `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
// )
|
||||
// ).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
configContent.indexOf(
|
||||
`http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
}
|
||||
|
||||
const configureAuth_configuresAuthHeader =
|
||||
@@ -145,11 +145,11 @@ describe('git-auth-helper tests', () => {
|
||||
const configContent = (
|
||||
await fs.promises.readFile(localGitConfigPath)
|
||||
).toString()
|
||||
// expect(
|
||||
// configContent.indexOf(
|
||||
// `http.https://github.com/.extraheader AUTHORIZATION`
|
||||
// )
|
||||
// ).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
configContent.indexOf(
|
||||
`http.https://github.com/.extraheader AUTHORIZATION`
|
||||
)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
}
|
||||
)
|
||||
|
||||
@@ -419,11 +419,11 @@ describe('git-auth-helper tests', () => {
|
||||
expect(
|
||||
configContent.indexOf('value-from-global-config')
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
// expect(
|
||||
// configContent.indexOf(
|
||||
// `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
// )
|
||||
// ).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
configContent.indexOf(
|
||||
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
})
|
||||
|
||||
const configureGlobalAuth_createsNewGlobalGitConfigWhenGlobalDoesNotExist =
|
||||
@@ -463,11 +463,11 @@ describe('git-auth-helper tests', () => {
|
||||
const configContent = (
|
||||
await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
|
||||
).toString()
|
||||
// expect(
|
||||
// configContent.indexOf(
|
||||
// `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
// )
|
||||
// ).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
configContent.indexOf(
|
||||
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
|
||||
)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
}
|
||||
)
|
||||
|
||||
@@ -554,7 +554,7 @@ describe('git-auth-helper tests', () => {
|
||||
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
|
||||
/unset-all.*insteadOf/
|
||||
)
|
||||
// expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
|
||||
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
|
||||
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
|
||||
/url.*insteadOf.*git@github.com:/
|
||||
)
|
||||
@@ -593,7 +593,7 @@ describe('git-auth-helper tests', () => {
|
||||
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
|
||||
/unset-all.*insteadOf/
|
||||
)
|
||||
// expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
|
||||
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
|
||||
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
|
||||
}
|
||||
)
|
||||
|
||||
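Review bot: The active assertions in the hunks at `@@ -94,11 +94,11 @@`, `@@ -145,11 +145,11 @@`, `@@ -419,11 +419,11 @@` and `@@ -463,11 +463,11 @@` test for a substring with `expect(configContent.indexOf(...)).toBeGreaterThanOrEqual(0)`, which on failure reports only `-1` and says nothing about what was written to the git config. Jest's `expect(configContent).toContain(...)` with the same template string performs the same check and shows the received content in the failure message. The `+`/`-` markers are lost on this page, so this assumes the uncommented `expect` calls are the new side and the commented-out copies are the old one. The enclosing test functions start and end outside these hunks.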
59
dist/index.js
vendored
59
dist/index.js
vendored
@@ -159,11 +159,11 @@ class GitAuthHelper {
|
||||
this.sshKeyPath = '';
|
||||
this.sshKnownHostsPath = '';
|
||||
this.temporaryHomePath = '';
|
||||
this.gitConfigPath = '';
|
||||
this.git = gitCommandManager;
|
||||
this.settings = gitSourceSettings || {};
|
||||
// Token auth header
|
||||
const serverUrl = urlHelper.getServerUrl(this.settings.githubServerUrl);
|
||||
this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader`; // "origin" is SCHEME://HOSTNAME[:PORT]
|
||||
const basicCredential = Buffer.from(`x-access-token:${this.settings.authToken}`, 'utf8').toString('base64');
|
||||
core.setSecret(basicCredential);
|
||||
this.tokenPlaceholderConfigValue = `AUTHORIZATION: basic ***`;
|
||||
@@ -181,15 +181,12 @@ class GitAuthHelper {
|
||||
yield this.removeAuth();
|
||||
// Configure new values
|
||||
yield this.configureSsh();
|
||||
yield this.configureCredentialsHelper();
|
||||
yield this.configureToken();
|
||||
});
|
||||
}
|
||||
configureTempGlobalConfig() {
|
||||
var _a, _b;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
if (!!this.gitConfigPath) {
|
||||
return this.gitConfigPath;
|
||||
}
|
||||
// Already setup global config
|
||||
if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) {
|
||||
return path.join(this.temporaryHomePath, '.gitconfig');
|
||||
@@ -202,7 +199,7 @@ class GitAuthHelper {
|
||||
yield fs.promises.mkdir(this.temporaryHomePath, { recursive: true });
|
||||
// Copy the global git config
|
||||
const gitConfigPath = path.join(process.env['HOME'] || os.homedir(), '.gitconfig');
|
||||
this.gitConfigPath = path.join(this.temporaryHomePath, '.gitconfig');
|
||||
const newGitConfigPath = path.join(this.temporaryHomePath, '.gitconfig');
|
||||
let configExists = false;
|
||||
try {
|
||||
yield fs.promises.stat(gitConfigPath);
|
||||
@@ -214,31 +211,16 @@ class GitAuthHelper {
|
||||
}
|
||||
}
|
||||
if (configExists) {
|
||||
core.info(`Copying '${gitConfigPath}' to '${this.gitConfigPath}'`);
|
||||
yield io.cp(gitConfigPath, this.gitConfigPath);
|
||||
core.info(`Copying '${gitConfigPath}' to '${newGitConfigPath}'`);
|
||||
yield io.cp(gitConfigPath, newGitConfigPath);
|
||||
}
|
||||
else {
|
||||
yield fs.promises.writeFile(this.gitConfigPath, '');
|
||||
yield fs.promises.writeFile(newGitConfigPath, '');
|
||||
}
|
||||
// Override HOME
|
||||
core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
|
||||
this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
|
||||
return this.gitConfigPath;
|
||||
});
|
||||
}
|
||||
configureCredentialsHelper() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
if (this.settings.lfs) {
|
||||
core.info(`lfs disabled, skipping custom credentials helper`);
|
||||
return;
|
||||
}
|
||||
const newGitConfigPath = yield this.configureTempGlobalConfig();
|
||||
const credentialHelper = `
|
||||
[credential]
|
||||
helper = "!f() { echo username=x-access-token; echo password=${this.tokenConfigValue}; };f"
|
||||
`;
|
||||
core.info(`Configuring git to use a custom credential helper for aut to handle git lfs`);
|
||||
yield fs.promises.appendFile(newGitConfigPath, credentialHelper);
|
||||
return newGitConfigPath;
|
||||
});
|
||||
}
|
||||
configureGlobalAuth() {
|
||||
@@ -247,6 +229,7 @@ class GitAuthHelper {
|
||||
const newGitConfigPath = yield this.configureTempGlobalConfig();
|
||||
try {
|
||||
// Configure the token
|
||||
yield this.configureToken(newGitConfigPath, true);
|
||||
// Configure HTTPS instead of SSH
|
||||
yield this.git.tryConfigUnset(this.insteadOfKey, true);
|
||||
if (!this.settings.sshKey) {
|
||||
@@ -258,6 +241,7 @@ class GitAuthHelper {
|
||||
catch (err) {
|
||||
// Unset in case somehow written to the real global config
|
||||
core.info('Encountered an error when attempting to configure token. Attempting unconfigure.');
|
||||
yield this.git.tryConfigUnset(this.tokenConfigKey, true);
|
||||
throw err;
|
||||
}
|
||||
});
|
||||
@@ -272,7 +256,7 @@ class GitAuthHelper {
|
||||
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||
const output = yield this.git.submoduleForeach(
|
||||
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
|
||||
`sh -c "git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
|
||||
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
|
||||
// Replace the placeholder
|
||||
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
|
||||
for (const configPath of configPaths) {
|
||||
@@ -295,6 +279,7 @@ class GitAuthHelper {
|
||||
removeAuth() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
yield this.removeSsh();
|
||||
yield this.removeToken();
|
||||
});
|
||||
}
|
||||
removeGlobalConfig() {
|
||||
@@ -364,6 +349,22 @@ class GitAuthHelper {
|
||||
}
|
||||
});
|
||||
}
|
||||
configureToken(configPath, globalConfig) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// Validate args
|
||||
assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations');
|
||||
// Default config path
|
||||
if (!configPath && !globalConfig) {
|
||||
configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config');
|
||||
}
|
||||
// Configure a placeholder value. This approach avoids the credential being captured
|
||||
// by process creation audit events, which are commonly logged. For more information,
|
||||
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||
yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig);
|
||||
// Replace the placeholder
|
||||
yield this.replaceTokenPlaceholder(configPath || '');
|
||||
});
|
||||
}
|
||||
replaceTokenPlaceholder(configPath) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
assert.ok(configPath, 'configPath is not defined');
|
||||
@@ -406,6 +407,12 @@ class GitAuthHelper {
|
||||
yield this.removeGitConfig(SSH_COMMAND_KEY);
|
||||
});
|
||||
}
|
||||
removeToken() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// HTTP extra header
|
||||
yield this.removeGitConfig(this.tokenConfigKey);
|
||||
});
|
||||
}
|
||||
removeGitConfig(configKey, submoduleOnly = false) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
if (!submoduleOnly) {
|
||||
|
||||
74
package-lock.json
generated
74
package-lock.json
generated
@@ -16917,6 +16917,12 @@
|
||||
"url": "https://github.com/sponsors/ljharb"
|
||||
}
|
||||
},
|
||||
"node_modules/querystringify": {
|
||||
"version": "2.2.0",
|
||||
"resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
|
||||
"integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/queue-microtask": {
|
||||
"version": "1.2.3",
|
||||
"resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
|
||||
@@ -16967,6 +16973,12 @@
|
||||
"node": ">=0.10.0"
|
||||
}
|
||||
},
|
||||
"node_modules/requires-port": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
|
||||
"integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/resolve-cwd": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/resolve-cwd/-/resolve-cwd-3.0.0.tgz",
|
||||
@@ -17510,14 +17522,15 @@
|
||||
}
|
||||
},
|
||||
"node_modules/tough-cookie": {
|
||||
"version": "4.0.0",
|
||||
"resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.0.0.tgz",
|
||||
"integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
|
||||
"version": "4.1.3",
|
||||
"resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz",
|
||||
"integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"psl": "^1.1.33",
|
||||
"punycode": "^2.1.1",
|
||||
"universalify": "^0.1.2"
|
||||
"universalify": "^0.2.0",
|
||||
"url-parse": "^1.5.3"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=6"
|
||||
@@ -17734,9 +17747,9 @@
|
||||
"integrity": "sha512-isyNax3wXoKaulPDZWHQqbmIx1k2tb9fb3GGDBRxCscfYV2Ch7WxPArBsFEG8s/safwXTT7H4QGhaIkTp9447w=="
|
||||
},
|
||||
"node_modules/universalify": {
|
||||
"version": "0.1.2",
|
||||
"resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
|
||||
"integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
|
||||
"version": "0.2.0",
|
||||
"resolved": "https://registry.npmjs.org/universalify/-/universalify-0.2.0.tgz",
|
||||
"integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": ">= 4.0.0"
|
||||
@@ -17777,6 +17790,16 @@
|
||||
"punycode": "^2.1.0"
|
||||
}
|
||||
},
|
||||
"node_modules/url-parse": {
|
||||
"version": "1.5.10",
|
||||
"resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
|
||||
"integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"querystringify": "^2.1.1",
|
||||
"requires-port": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/uuid": {
|
||||
"version": "3.3.3",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.3.tgz",
|
||||
@@ -31106,6 +31129,12 @@
|
||||
"side-channel": "^1.0.4"
|
||||
}
|
||||
},
|
||||
"querystringify": {
|
||||
"version": "2.2.0",
|
||||
"resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
|
||||
"integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==",
|
||||
"dev": true
|
||||
},
|
||||
"queue-microtask": {
|
||||
"version": "1.2.3",
|
||||
"resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
|
||||
@@ -31130,6 +31159,12 @@
|
||||
"integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
|
||||
"dev": true
|
||||
},
|
||||
"requires-port": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
|
||||
"integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
|
||||
"dev": true
|
||||
},
|
||||
"resolve-cwd": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/resolve-cwd/-/resolve-cwd-3.0.0.tgz",
|
||||
@@ -31543,14 +31578,15 @@
|
||||
}
|
||||
},
|
||||
"tough-cookie": {
|
||||
"version": "4.0.0",
|
||||
"resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.0.0.tgz",
|
||||
"integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
|
||||
"version": "4.1.3",
|
||||
"resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz",
|
||||
"integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==",
|
||||
"dev": true,
|
||||
"requires": {
|
||||
"psl": "^1.1.33",
|
||||
"punycode": "^2.1.1",
|
||||
"universalify": "^0.1.2"
|
||||
"universalify": "^0.2.0",
|
||||
"url-parse": "^1.5.3"
|
||||
}
|
||||
},
|
||||
"tr46": {
|
||||
@@ -31701,9 +31737,9 @@
|
||||
"integrity": "sha512-isyNax3wXoKaulPDZWHQqbmIx1k2tb9fb3GGDBRxCscfYV2Ch7WxPArBsFEG8s/safwXTT7H4QGhaIkTp9447w=="
|
||||
},
|
||||
"universalify": {
|
||||
"version": "0.1.2",
|
||||
"resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
|
||||
"integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
|
||||
"version": "0.2.0",
|
||||
"resolved": "https://registry.npmjs.org/universalify/-/universalify-0.2.0.tgz",
|
||||
"integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
|
||||
"dev": true
|
||||
},
|
||||
"update-browserslist-db": {
|
||||
@@ -31725,6 +31761,16 @@
|
||||
"punycode": "^2.1.0"
|
||||
}
|
||||
},
|
||||
"url-parse": {
|
||||
"version": "1.5.10",
|
||||
"resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
|
||||
"integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
|
||||
"dev": true,
|
||||
"requires": {
|
||||
"querystringify": "^2.1.1",
|
||||
"requires-port": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"uuid": {
|
||||
"version": "3.3.3",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.3.tgz",
|
||||
|
||||
@@ -20,7 +20,6 @@ export interface IGitAuthHelper {
|
||||
configureGlobalAuth(): Promise<void>
|
||||
configureSubmoduleAuth(): Promise<void>
|
||||
configureTempGlobalConfig(): Promise<string>
|
||||
configureCredentialsHelper(): Promise<void>
|
||||
removeAuth(): Promise<void>
|
||||
removeGlobalConfig(): Promise<void>
|
||||
}
|
||||
@@ -35,6 +34,7 @@ export function createAuthHelper(
|
||||
class GitAuthHelper {
|
||||
private readonly git: IGitCommandManager
|
||||
private readonly settings: IGitSourceSettings
|
||||
private readonly tokenConfigKey: string
|
||||
private readonly tokenConfigValue: string
|
||||
private readonly tokenPlaceholderConfigValue: string
|
||||
private readonly insteadOfKey: string
|
||||
@@ -43,7 +43,6 @@ class GitAuthHelper {
|
||||
private sshKeyPath = ''
|
||||
private sshKnownHostsPath = ''
|
||||
private temporaryHomePath = ''
|
||||
private gitConfigPath = ''
|
||||
|
||||
constructor(
|
||||
gitCommandManager: IGitCommandManager,
|
||||
@@ -54,6 +53,7 @@ class GitAuthHelper {
|
||||
|
||||
// Token auth header
|
||||
const serverUrl = urlHelper.getServerUrl(this.settings.githubServerUrl)
|
||||
this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
|
||||
const basicCredential = Buffer.from(
|
||||
`x-access-token:${this.settings.authToken}`,
|
||||
'utf8'
|
||||
@@ -78,13 +78,10 @@ class GitAuthHelper {
|
||||
|
||||
// Configure new values
|
||||
await this.configureSsh()
|
||||
await this.configureCredentialsHelper()
|
||||
await this.configureToken()
|
||||
}
|
||||
|
||||
async configureTempGlobalConfig(): Promise<string> {
|
||||
if (!!this.gitConfigPath) {
|
||||
return this.gitConfigPath
|
||||
}
|
||||
// Already setup global config
|
||||
if (this.temporaryHomePath?.length > 0) {
|
||||
return path.join(this.temporaryHomePath, '.gitconfig')
|
||||
@@ -101,7 +98,7 @@ class GitAuthHelper {
|
||||
process.env['HOME'] || os.homedir(),
|
||||
'.gitconfig'
|
||||
)
|
||||
this.gitConfigPath = path.join(this.temporaryHomePath, '.gitconfig')
|
||||
const newGitConfigPath = path.join(this.temporaryHomePath, '.gitconfig')
|
||||
let configExists = false
|
||||
try {
|
||||
await fs.promises.stat(gitConfigPath)
|
||||
@@ -112,10 +109,10 @@ class GitAuthHelper {
|
||||
}
|
||||
}
|
||||
if (configExists) {
|
||||
core.info(`Copying '${gitConfigPath}' to '${this.gitConfigPath}'`)
|
||||
await io.cp(gitConfigPath, this.gitConfigPath)
|
||||
core.info(`Copying '${gitConfigPath}' to '${newGitConfigPath}'`)
|
||||
await io.cp(gitConfigPath, newGitConfigPath)
|
||||
} else {
|
||||
await fs.promises.writeFile(this.gitConfigPath, '')
|
||||
await fs.promises.writeFile(newGitConfigPath, '')
|
||||
}
|
||||
|
||||
// Override HOME
|
||||
@@ -124,25 +121,7 @@ class GitAuthHelper {
|
||||
)
|
||||
this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
|
||||
|
||||
return this.gitConfigPath
|
||||
}
|
||||
|
||||
async configureCredentialsHelper(): Promise<void> {
|
||||
if (this.settings.lfs) {
|
||||
core.info(`lfs disabled, skipping custom credentials helper`)
|
||||
return
|
||||
}
|
||||
const newGitConfigPath = await this.configureTempGlobalConfig()
|
||||
|
||||
const credentialHelper = `
|
||||
[credential]
|
||||
helper = "!f() { echo username=x-access-token; echo password=${this.tokenConfigValue}; };f"
|
||||
`
|
||||
|
||||
core.info(
|
||||
`Configuring git to use a custom credential helper for aut to handle git lfs`
|
||||
)
|
||||
await fs.promises.appendFile(newGitConfigPath, credentialHelper)
|
||||
return newGitConfigPath
|
||||
}
|
||||
|
||||
async configureGlobalAuth(): Promise<void> {
|
||||
@@ -150,6 +129,8 @@ class GitAuthHelper {
|
||||
const newGitConfigPath = await this.configureTempGlobalConfig()
|
||||
try {
|
||||
// Configure the token
|
||||
await this.configureToken(newGitConfigPath, true)
|
||||
|
||||
// Configure HTTPS instead of SSH
|
||||
await this.git.tryConfigUnset(this.insteadOfKey, true)
|
||||
if (!this.settings.sshKey) {
|
||||
@@ -162,6 +143,7 @@ class GitAuthHelper {
|
||||
core.info(
|
||||
'Encountered an error when attempting to configure token. Attempting unconfigure.'
|
||||
)
|
||||
await this.git.tryConfigUnset(this.tokenConfigKey, true)
|
||||
throw err
|
||||
}
|
||||
}
|
||||
@@ -176,7 +158,7 @@ class GitAuthHelper {
|
||||
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||
const output = await this.git.submoduleForeach(
|
||||
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
|
||||
`sh -c "git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
|
||||
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
|
||||
this.settings.nestedSubmodules
|
||||
)
|
||||
|
||||
@@ -208,6 +190,7 @@ class GitAuthHelper {
|
||||
|
||||
async removeAuth(): Promise<void> {
|
||||
await this.removeSsh()
|
||||
await this.removeToken()
|
||||
}
|
||||
|
||||
async removeGlobalConfig(): Promise<void> {
|
||||
@@ -289,6 +272,34 @@ class GitAuthHelper {
|
||||
}
|
||||
}
|
||||
|
||||
private async configureToken(
|
||||
configPath?: string,
|
||||
globalConfig?: boolean
|
||||
): Promise<void> {
|
||||
// Validate args
|
||||
assert.ok(
|
||||
(configPath && globalConfig) || (!configPath && !globalConfig),
|
||||
'Unexpected configureToken parameter combinations'
|
||||
)
|
||||
|
||||
// Default config path
|
||||
if (!configPath && !globalConfig) {
|
||||
configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
|
||||
}
|
||||
|
||||
// Configure a placeholder value. This approach avoids the credential being captured
|
||||
// by process creation audit events, which are commonly logged. For more information,
|
||||
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||
await this.git.config(
|
||||
this.tokenConfigKey,
|
||||
this.tokenPlaceholderConfigValue,
|
||||
globalConfig
|
||||
)
|
||||
|
||||
// Replace the placeholder
|
||||
await this.replaceTokenPlaceholder(configPath || '')
|
||||
}
|
||||
|
||||
private async replaceTokenPlaceholder(configPath: string): Promise<void> {
|
||||
assert.ok(configPath, 'configPath is not defined')
|
||||
let content = (await fs.promises.readFile(configPath)).toString()
|
||||
@@ -334,6 +345,11 @@ class GitAuthHelper {
|
||||
await this.removeGitConfig(SSH_COMMAND_KEY)
|
||||
}
|
||||
|
||||
private async removeToken(): Promise<void> {
|
||||
// HTTP extra header
|
||||
await this.removeGitConfig(this.tokenConfigKey)
|
||||
}
|
||||
|
||||
private async removeGitConfig(
|
||||
configKey: string,
|
||||
submoduleOnly: boolean = false
|
||||
|
||||
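Review bot: In the `@@ -176,7 +158,7 @@` hunk, `this.tokenConfigKey` is interpolated between single quotes inside an `sh -c "..."` string, and nothing visible in this diff guarantees the value contains no quote characters. The key is built in the constructor from `serverUrl.origin`, which appears to derive from the `githubServerUrl` setting. A guard next to that assignment, such as `assert.ok(!/['"]/.test(serverUrl.origin), 'Unexpected quote in server URL origin')`, would make the quoting safe by construction rather than by assumption. Only the placeholder value is passed on the command line here, which is consistent with the process-auditing comment in `configureToken`. The `+`/`-` markers are lost on this page, so this assumes the longer `sh -c` line is the new side, and the enclosing method starts and ends outside the hunk.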