git.latest: add auth to merge/reset calls when LFS used with SSH auth

In these cases, if the commands are not auth'ed then the git LFS
subcommands don't know which identity file to use and will fall back to
the one from `~/.ssh/config`. By ensuring that the command is auth'ed,
the LFS subcommands are able to download files when needed.

Normally we don't need to auth to the remote repo for this, since we
have made sure that we already have the needed objects downloaded, and
that is why these commands were not auth'ed before.
Erik Johnson 2019-01-24 15:04:17 -06:00
parent aacc047686
commit f8c3e44f0b
No known key found for this signature in database
GPG key ID: 5E5583C437808F3F
2 changed files with 60 additions and 10 deletions


@ -979,7 +979,7 @@ def clone(cwd,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -2035,7 +2035,7 @@ def fetch(cwd,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -2847,7 +2847,7 @@ def ls_remote(cwd=None,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -2940,6 +2940,7 @@ def merge(cwd,
git_opts='',
user=None,
password=None,
identity=None,
ignore_retcode=False,
output_encoding=None,
**kwargs):
@ -2983,6 +2984,22 @@ def merge(cwd,
.. versionadded:: 2016.3.4
identity
Path to a private key to use for ssh URLs. Salt will not attempt to use
passphrase-protected keys unless invoked from the minion using
``salt-call``, to prevent blocking waiting for user input. Key can also
be specified as a SaltStack file server URL, eg.
``salt://location/identity_file``.
.. note::
For greater security with passphraseless private keys, see the
`sshd(8)`_ manpage for information on securing the keypair from the
remote side in the ``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionadded:: 2018.3.5,2019.2.1,Neon
ignore_retcode : False
If ``True``, do not log an error to the minion log if the git command
returns a nonzero exit status.
@ -3024,10 +3041,12 @@ def merge(cwd,
command.extend(_format_opts(opts))
if rev:
command.append(rev)
return _git_run(command,
cwd=cwd,
user=user,
password=password,
identity=identity,
ignore_retcode=ignore_retcode,
output_encoding=output_encoding)['stdout']
@ -3382,7 +3401,7 @@ def pull(cwd,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -3508,7 +3527,7 @@ def push(cwd,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -3792,7 +3811,7 @@ def remote_refs(url,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
@ -4101,6 +4120,7 @@ def reset(cwd,
git_opts='',
user=None,
password=None,
identity=None,
ignore_retcode=False,
output_encoding=None):
'''
@ -4137,6 +4157,22 @@ def reset(cwd,
.. versionadded:: 2016.3.4
identity
Path to a private key to use for ssh URLs. Salt will not attempt to use
passphrase-protected keys unless invoked from the minion using
``salt-call``, to prevent blocking waiting for user input. Key can also
be specified as a SaltStack file server URL, eg.
``salt://location/identity_file``.
.. note::
For greater security with passphraseless private keys, see the
`sshd(8)`_ manpage for information on securing the keypair from the
remote side in the ``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionadded:: 2018.3.5,2019.2.1,Neon
ignore_retcode : False
If ``True``, do not log an error to the minion log if the git command
returns a nonzero exit status.
@ -4174,6 +4210,7 @@ def reset(cwd,
cwd=cwd,
user=user,
password=password,
identity=identity,
ignore_retcode=ignore_retcode,
output_encoding=output_encoding)['stdout']
@ -4662,7 +4699,7 @@ def submodule(cwd,
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
.. versionchanged:: 2015.8.7
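Review bot: Placing `identity=None` ahead of `ignore_retcode` in the `merge` and `reset` signatures moves `ignore_retcode` and `output_encoding` one positional slot to the right, so a caller that passed either of them positionally would now have that value treated as a private-key path. Appending the parameter after `output_encoding` (in `merge`, still before `**kwargs`) would keep existing invocations working. The new docstring text also only says the key is "for ssh URLs"; a sentence such as `Only used when git LFS needs to download objects during this command.` would explain why a local operation takes a key. Both function bodies extend outside the hunks shown, so how `identity` is handled before it reaches `_git_run` cannot be confirmed from here.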


@ -685,6 +685,16 @@ def latest(name,
if https_pass is not None and not isinstance(https_pass, six.string_types):
https_pass = six.text_type(https_pass)
# Check for lfs filter settings, and setup lfs_opts accordingly. These opts
# will be passed where appropriate to ensure that these commands are
# authenticated and that the git LFS plugin can download files.
use_lfs = bool(
__salt__['git.config_get_regexp'](
r'filter\.lfs\.',
cwd=target,
**{'global': True}))
lfs_opts = {'identity': identity} if use_lfs else {}
if os.path.isfile(target):
return _fail(
ret,
@ -1560,7 +1570,8 @@ def latest(name,
opts=['--hard', remote_rev],
user=user,
password=password,
output_encoding=output_encoding)
output_encoding=output_encoding,
**lfs_opts)
ret['changes']['forced update'] = True
comments.append(
'Repository was hard-reset to {0}'.format(remote_loc)
@ -1613,7 +1624,8 @@ def latest(name,
opts=merge_opts,
user=user,
password=password,
output_encoding=output_encoding)
output_encoding=output_encoding,
**lfs_opts)
comments.append(
'Repository was fast-forwarded to {0}'
.format(remote_loc)
@ -1633,7 +1645,8 @@ def latest(name,
remote_rev if rev == 'HEAD' else rev],
user=user,
password=password,
output_encoding=output_encoding)
output_encoding=output_encoding,
**lfs_opts)
comments.append(
'Repository was reset to {0} (fast-forward)'
.format(rev)
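Review bot: The LFS detection added in the first hunk of this section calls `git.config_get_regexp` without `user`/`password`, so it reads the global git config of the account the minion runs as, while the later `git.reset` and `git.merge` calls run as `user`. When those accounts differ, `use_lfs` can be wrong, and `identity` is then either withheld from a user who has LFS configured or forwarded when it is not needed. The call also passes `cwd=target` before the `os.path.isfile(target)` check, and presumably before the target exists on a first checkout; for a `global` lookup the cwd looks unnecessary. Consider `__salt__['git.config_get_regexp'](r'filter\.lfs\.', user=user, password=password, **{'global': True})`. The body of `latest` extends outside these hunks, so the remaining call sites were not reviewed.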