From c327898faa61b5749716aa9318955da8089787d3 Mon Sep 17 00:00:00 2001
From: Marcin Bilski
Date: Fri, 14 Jan 2022 12:35:20 +0100
Subject: [PATCH] Add support for ssh passphrases.

---
 cmd/gomodproxy/main.go | 3 ++-
 pkg/api/api.go | 17 +++++++++--------
 pkg/vcs/git.go | 2 +-
 pkg/vcs/vcs.go | 2 +-
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/cmd/gomodproxy/main.go b/cmd/gomodproxy/main.go
index e6b8607..07c5a0e 100644
--- a/cmd/gomodproxy/main.go
+++ b/cmd/gomodproxy/main.go
@@ -137,7 +137,8 @@ func main() {
 if len(kv) != 2 {
 log.Fatal("bad git path:", path)
 }
-options = append(options, api.GitWithEphemeralTags(kv[0], kv[1]))
+password := os.Getenv("SSH_PASSPHRASE")
+options = append(options, api.GitWithEphemeralTags(kv[0], kv[1], password))
 }
 
 for _, path := range vcsPaths {
diff --git a/pkg/api/api.go b/pkg/api/api.go
index f02b675..55b10ba 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -74,9 +74,9 @@ func GitDir(dir string) Option { return func(api *api) { api.gitdir = dir } }
 // Git configures API to use a specific git client when trying to download a
 // repository with the given prefix. Auth string can be a path to the SSK key,
 // or a colon-separated username:password string.
-func Git(prefix string, auth string) Option {
-a := vcs.Key(auth)
-if creds := strings.SplitN(auth, ":", 2); len(creds) == 2 {
+func Git(prefix, key, password string) Option {
+a := vcs.Key(key, password)
+if creds := strings.SplitN(key, ":", 2); len(creds) == 2 {
 a = vcs.Password(creds[0], creds[1])
 }
 return func(api *api) {
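Review bot: `os.Getenv("SSH_PASSPHRASE")` is evaluated on every iteration of the git-path loop although its value never changes, so it belongs once before the loop, e.g. `passphrase := os.Getenv("SSH_PASSPHRASE")` above the `for`, with the call passing `passphrase`. The new environment variable is also an undocumented part of the CLI contract: nothing in this hunk ties it to the git-path flag's help text, so a user with an encrypted key has no way to discover it; that help text (outside this hunk) should say that `SSH_PASSPHRASE` supplies the passphrase for every key file configured through the flag. Because one value is applied to all keys, keys with different passphrases cannot be used together, which is worth stating in the same place. The enclosing loop and `main` start before this hunk.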
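Review bot: The doc comment on `Git` is now stale: `auth` was renamed to `key` and a `password` parameter was added, but the comment still describes a single "Auth string" and says nothing about `password`. The body shows what should be documented: `password` is the passphrase handed to `vcs.Key`, and it is dropped when `key` is a `username:password` pair because `a` is overwritten by `vcs.Password(creds[0], creds[1])`. Suggest rewriting the three comment lines to say that `key` is either a path to an SSH key file or a colon-separated `username:password` string, and that `password` is the passphrase that decrypts the key file and is ignored for `username:password` credentials (this also fixes the "SSK" typo carried in the context lines). The same stale comment heads `GitWithEphemeralTags` in the next hunk of this file. `Git`'s body continues past the end of the hunk.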
@@ -92,12 +92,13 @@ func Git(prefix string, auth string) Option {
 // GitWithEphemeralTags configures API to use a specific git client when trying
 // to download a repository with the given prefix. Auth string can be a path to
 // the SSK key, or a colon-separated username:password string.
-func GitWithEphemeralTags(prefix string, auth string) Option {
-
+func GitWithEphemeralTags(prefix, key, password string) Option {
+// TODO(bilus): Ugly but we don't want to mess with the : encoding so
+// we'll work around the issue of having to pass a passphrase
+// to decrypt a key.
 storage := vcs.NewEphemeralTagStorage()
-
-a := vcs.Key(auth)
-if creds := strings.SplitN(auth, ":", 2); len(creds) == 2 {
+a := vcs.Key(key, password)
+if creds := strings.SplitN(key, ":", 2); len(creds) == 2 {
 a = vcs.Password(creds[0], creds[1])
 }
 return func(api *api) {
diff --git a/pkg/vcs/git.go b/pkg/vcs/git.go
index 890d2b8..b197630 100644
--- a/pkg/vcs/git.go
+++ b/pkg/vcs/git.go
@@ -324,7 +324,7 @@ func (g *gitVCS) commit(ctx context.Context, version Version) (*object.Commit, e
 
 func (g *gitVCS) authMethod() (transport.AuthMethod, error) {
 if g.auth.Key != "" {
-return ssh.NewPublicKeysFromFile("git", g.auth.Key, "")
+return ssh.NewPublicKeysFromFile("git", g.auth.Key, g.auth.Password)
 } else if g.auth.Username != "" {
 return &http.BasicAuth{Username: g.auth.Username, Password: g.auth.Password}, nil
 }
diff --git a/pkg/vcs/vcs.go b/pkg/vcs/vcs.go
index dd2ef8f..4914088 100644
--- a/pkg/vcs/vcs.go
+++ b/pkg/vcs/vcs.go
@@ -61,4 +61,4 @@ func NoAuth() Auth { return Auth{} }
 func Password(username, password string) Auth { return Auth{Username: username, Password: password} }
 
 // Key returns an Auth implementation that uses key file authentication mechanism.
-func Key(key string) Auth { return Auth{Key: key} }
+func Key(key, password string) Auth { return Auth{Key: key, Password: password} }
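Review bot: The TODO added above `storage :=` says the code "works around" the `:` encoding but never states the constraint, so a later reader cannot tell whether the workaround is the separate `password` parameter or something still to come; the lines just below are the actual reason — `key` is split on `:` to detect `username:password` credentials, so a passphrase cannot be embedded in it. Suggest rewording to `// TODO(bilus): key is split on ':' to detect username:password credentials, so the passphrase cannot be encoded in it and is passed as a separate parameter; fold both into one auth spec if that encoding changes.` The function's body continues past the end of the hunk.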
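Review bot: `g.auth.Password` now carries two different secrets depending on which branch runs — the SSH key passphrase in the `g.auth.Key` branch and the HTTP basic-auth password in the `Username` branch — and nothing at the use site says so. At minimum add `// Password holds the key file's passphrase here ("" for an unencrypted key); in the basic-auth branch it is the account password.` above the `ssh.NewPublicKeysFromFile` call. A dedicated `Passphrase` field on `Auth` would make the two uses impossible to confuse, at the cost of also touching `vcs.Key` in pkg/vcs/vcs.go. `authMethod` continues past the end of this hunk.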
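Review bot: `Key` gained a `password` parameter but its doc comment still describes only the "key file authentication mechanism", and since the value lands in the shared `Auth.Password` field this comment is the one place that can say what it means. Suggest: `// Key returns an Auth that authenticates with the key file at key; password is the passphrase used to decrypt that file, or "" if the key is unencrypted.`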