[EXP-23262]: S7: support subrepo cloning via GH_USER / GH_TOKEN#92
[EXP-23262]: S7: support subrepo cloning via GH_USER / GH_TOKEN#92oleksandrhleba wants to merge 1 commit into
Conversation
pastey
left a comment
There was a problem hiding this comment.
I'm still not sure if we need GH_USER/GH_TOKEN in the s7 code. What are your thoughts?
|
|
||
| [self logSelectedAuthPathOnce]; | ||
|
|
||
| // Inject the HTTPS auth config via the child's environment (see |
There was a problem hiding this comment.
maybe a nitpicking, but anyway...
s7 spawns many git operations during its work. Now we will run this env calculation on every git call, even though it will produce exactly the same result we call it. We already have dispatch_once in some of the new methods, so probably would be ok to add "once" here too. It may affect the unit tests and require some refactoring.
| // Username for HTTPS subrepo auth. S7_GIT_TOKEN, falling back to GH_TOKEN. | ||
| + (nullable NSString *)envGitAuthUser { | ||
| NSDictionary<NSString *, NSString *> *const env = NSProcessInfo.processInfo.environment; | ||
| NSString *const user = env[@"S7_GIT_USER"]; |
There was a problem hiding this comment.
Please document the new env variables in the printHelp in main.m. From the client's standpoint.
| return traceEnabled; | ||
| } | ||
|
|
||
| // Username for HTTPS subrepo auth. S7_GIT_TOKEN, falling back to GH_TOKEN. |
There was a problem hiding this comment.
comment seems to have been copy/pasted. Tells about the token. I would rather remove both comments. If we change the code, the comment will get outdated.
| + (void)logSelectedAuthPathOnce { | ||
| static dispatch_once_t onceToken; | ||
| dispatch_once(&onceToken, ^{ | ||
| if ([self envGitHubTokenAuthEnabled]) { |
There was a problem hiding this comment.
envGitHubTokenAuthEnabled method seems to be an overkill for a single time usage.
const BOOL envGitHubTokenAuthEnabled = [self envGitAuthUser].length > 0 && [self envGitAuthToken].length > 0; would be just fine.
| static dispatch_once_t onceToken; | ||
| dispatch_once(&onceToken, ^{ | ||
| if ([self envGitHubTokenAuthEnabled]) { | ||
| fprintf(stderr, "s7: subrepo network auth: HTTPS via token\n"); |
| // GIT_CONFIG_COUNT) doesn't clobber it. | ||
| + (NSDictionary<NSString *, NSString *> *)gitHubTokenConfigEnvironmentForUser:(nullable NSString *)user | ||
| token:(nullable NSString *)token | ||
| existingConfigCount:(NSInteger)existingConfigCount |
There was a problem hiding this comment.
instead of passing existingConfigCount argument, I would directly access the
NSDictionary<NSString *, NSString *> *const env = NSProcessInfo.processInfo.environment;
const NSInteger existingConfigCount = MAX(0, [env[@"GIT_CONFIG_COUNT"] integerValue]);
here. This way all the logic managing GIT_CONFIG_COUNT would be in a single place. Now it's spread out by two methods.
Plus NSInteger seems odd. Why not unsigned?
| NSString *const userColonToken = [NSString stringWithFormat:@"%@:%@", user, token]; | ||
| NSString *const basic = [[userColonToken dataUsingEncoding:NSUTF8StringEncoding] base64EncodedStringWithOptions:0]; |
There was a problem hiding this comment.
can we move this down to 1576, where it's actually used?
| result[[NSString stringWithFormat:@"GIT_CONFIG_KEY_%ld", (long)index]] = @"url.https://github.com/.insteadOf"; | ||
| result[[NSString stringWithFormat:@"GIT_CONFIG_VALUE_%ld", (long)index]] = source; | ||
| ++index; |
There was a problem hiding this comment.
I'd rather add a local closure that will take key/value, and incapsulate this logic. Something like:
__block nextConfigPairIndex = MAX(0, ...);
__auto_type addConfigKV = ^(NSString *key, NSString *value) {
result[[NSString stringWithFormat:@"GIT_CONFIG_KEY_%ld", (long)nextConfigPairIndex]] = key;
result[[NSString stringWithFormat:@"GIT_CONFIG_VALUE_%ld", (long)nextConfigPairIndex]] = value;
++nextConfigPairIndex;
};
addConfigKV(url, authorization);
Ticket link
EXP-23262
Summary
Adds native support in s7 for authenticating GitHub subrepo network operations over HTTPS with a Personal Access Token, instead of relying on an SSH key.
When S7_GIT_USER + S7_GIT_TOKEN (or the GH_USER / GH_TOKEN fallback) are present, s7 makes git rewrite SSH github.com URLs to HTTPS and supplies the PAT as an HTTP Authorization header. When they're absent, behavior is unchanged — SSH as before.
How it works
All git invocations funnel through +[GitRepository runGitWithArguments:…]. When both credentials are present, s7 injects three GIT_CONFIG_* entries into the child git process's environment:
insteadOf moves the subrepo URL onto HTTPS transport; the github.com‑scoped extraheader authenticates it — the same approach actions/checkout uses. This is git ≥ 2.31's env-based config; no git config file is touched.
Security properties
Behavior details
Testing
Scope & follow-ups