Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adjust gitconfig in case if git credentials file are going to be mounted into the workspace #17445

Merged
merged 8 commits into from
Jul 23, 2020
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -52,10 +52,10 @@
@Singleton
public class GitConfigProvisioner implements ConfigurationProvisioner<KubernetesEnvironment> {

private final String GIT_CONFIG_MAP_NAME_SUFFIX = "-gitconfig";
public static final String GIT_CONFIG_MAP_NAME_SUFFIX = "-gitconfig";

private static final String GIT_BASE_CONFIG_PATH = "/etc/";
private static final String GIT_CONFIG = "gitconfig";
public static final String GIT_CONFIG = "gitconfig";
private static final String GIT_CONFIG_PATH = GIT_BASE_CONFIG_PATH + GIT_CONFIG;
private static final String PREFERENCES_KEY_FILTER = "theia-user-preferences";
private static final String GIT_USER_NAME_PROPERTY = "git.user.name";
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
/*
* Copyright (c) 2012-2018 Red Hat, Inc.
skabashnyuk marked this conversation as resolved.
Show resolved Hide resolved
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* Red Hat, Inc. - initial API and implementation
*/
package org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret;

import static java.lang.String.format;
import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.SecretAsContainerResourceProvisioner.ANNOTATION_PREFIX;

import io.fabric8.kubernetes.api.model.ConfigMap;
import io.fabric8.kubernetes.api.model.Secret;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.K8sVersion;
import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GitConfigProvisioner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
* An instance of {@link FileSecretApplier} that is trying to adjust the content of git-config that
* was added by {@link GitConfigProvisioner}. The adjustment is adding configuration of git
* credentials store, which is pointing to the file that is going to be mount to the container from
* the secret.
*/
public class GitCredentialStorageFileSecretApplier extends FileSecretApplier {
skabashnyuk marked this conversation as resolved.
Show resolved Hide resolved

private static final Logger LOG =
LoggerFactory.getLogger(GitCredentialStorageFileSecretApplier.class);

public static final String ANNOTATION_GIT_CREDENTIALS =
ANNOTATION_PREFIX + "/" + "git-credential";

@Inject
public GitCredentialStorageFileSecretApplier(K8sVersion k8sVersion) {
super(k8sVersion);
}

@Override
public void applySecret(KubernetesEnvironment env, RuntimeIdentity runtimeIdentity, Secret secret)
throws InfrastructureException {
super.applySecret(env, runtimeIdentity, secret);
final String secretMountPath = secret.getMetadata().getAnnotations().get(ANNOTATION_MOUNT_PATH);
Set<String> keys = secret.getData().keySet();
if (keys.size() != 1) {
throw new InfrastructureException(
format(
"Invalid git credential secret data. It should contain only 1 data item but it have %d",
keys.size()));
}
Path gitSecretFilePath = Paths.get(secretMountPath, keys.iterator().next());
ConfigMap gitConfigMap =
env.getConfigMaps()
.get(
runtimeIdentity.getWorkspaceId() + GitConfigProvisioner.GIT_CONFIG_MAP_NAME_SUFFIX);
if (gitConfigMap != null) {
Map<String, String> gitConfigMapData = gitConfigMap.getData();
String gitConfig = gitConfigMapData.get(GitConfigProvisioner.GIT_CONFIG);
if (gitConfig != null) {
if (gitConfig.contains("helper = store --file ") && gitConfig.contains("[credential]")) {
skabashnyuk marked this conversation as resolved.
Show resolved Hide resolved
throw new InfrastructureException(
"Multiple git credentials secrets found. Please remove duplication.");
}

StringBuilder gitConfigBuilder = new StringBuilder(gitConfig);
skabashnyuk marked this conversation as resolved.
Show resolved Hide resolved
gitConfigBuilder
.append('\n')
.append("[credential]")
.append('\n')
.append('\t')
.append("helper = store --file ")
.append(gitSecretFilePath.toString())
.append('\n');
HashMap<String, String> newGitConfigMapData = new HashMap<>(gitConfigMapData);
newGitConfigMapData.put(GitConfigProvisioner.GIT_CONFIG, gitConfigBuilder.toString());
LOG.info(gitConfigBuilder.toString());
skabashnyuk marked this conversation as resolved.
Show resolved Hide resolved
gitConfigMap.setData(newGitConfigMapData);
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,10 @@
*/
package org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret;

import static java.lang.Boolean.parseBoolean;
import static java.lang.String.format;
import static java.util.stream.Collectors.toMap;
import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.GitCredentialStorageFileSecretApplier.ANNOTATION_GIT_CREDENTIALS;

import com.google.common.annotations.Beta;
import io.fabric8.kubernetes.api.model.LabelSelector;
Expand Down Expand Up @@ -44,15 +46,18 @@ public class SecretAsContainerResourceProvisioner<E extends KubernetesEnvironmen
private final FileSecretApplier fileSecretApplier;
private final EnvironmentVariableSecretApplier environmentVariableSecretApplier;

private final GitCredentialStorageFileSecretApplier gitCredentialStorageFileSecretApplier;
private final Map<String, String> secretLabels;

@Inject
public SecretAsContainerResourceProvisioner(
FileSecretApplier fileSecretApplier,
EnvironmentVariableSecretApplier environmentVariableSecretApplier,
GitCredentialStorageFileSecretApplier gitCredentialStorageFileSecretApplier,
@Named("che.workspace.provision.secret.labels") String[] labels) {
this.fileSecretApplier = fileSecretApplier;
this.environmentVariableSecretApplier = environmentVariableSecretApplier;
this.gitCredentialStorageFileSecretApplier = gitCredentialStorageFileSecretApplier;
this.secretLabels =
Arrays.stream(labels)
.map(item -> item.split("=", 2))
Expand All @@ -73,7 +78,12 @@ public void provision(E env, RuntimeIdentity runtimeIdentity, KubernetesNamespac
if ("env".equalsIgnoreCase(mountType)) {
environmentVariableSecretApplier.applySecret(env, runtimeIdentity, secret);
} else if ("file".equalsIgnoreCase(mountType)) {
fileSecretApplier.applySecret(env, runtimeIdentity, secret);
if (parseBoolean(secret.getMetadata().getAnnotations().get(ANNOTATION_GIT_CREDENTIALS))) {
gitCredentialStorageFileSecretApplier.applySecret(env, runtimeIdentity, secret);
} else {
fileSecretApplier.applySecret(env, runtimeIdentity, secret);
}

} else {
throw new InfrastructureException(
format(
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,181 @@
/*
* Copyright (c) 2012-2018 Red Hat, Inc.
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* Red Hat, Inc. - initial API and implementation
*/
package org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret;

import static java.util.Collections.emptyMap;
import static java.util.Collections.singletonMap;
import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.FileSecretApplier.ANNOTATION_MOUNT_PATH;
import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.KubernetesSecretApplier.ANNOTATION_AUTOMOUNT;
import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.SecretAsContainerResourceProvisioner.ANNOTATION_MOUNT_AS;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.when;
import static org.testng.Assert.assertTrue;

import com.google.common.collect.ImmutableMap;
import io.fabric8.kubernetes.api.model.ConfigMap;
import io.fabric8.kubernetes.api.model.ConfigMapBuilder;
import io.fabric8.kubernetes.api.model.ObjectMetaBuilder;
import io.fabric8.kubernetes.api.model.PodSpec;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretBuilder;
import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.K8sVersion;
import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GitConfigProvisioner;
import org.mockito.Mock;
import org.mockito.testng.MockitoTestNGListener;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Listeners;
import org.testng.annotations.Test;

@Listeners(MockitoTestNGListener.class)
public class GitCredentialStorageFileSecretApplierTest {

@Mock private KubernetesEnvironment environment;

@Mock private KubernetesEnvironment.PodData podData;

@Mock private PodSpec podSpec;

@Mock private RuntimeIdentity runtimeIdentity;

@Mock private K8sVersion kubernetesVersion;

GitCredentialStorageFileSecretApplier secretApplier;

public static final String GIT_CONFIG_CONTENT =
"[user]\n\tname = Michelangelo Merisi da Caravaggio\n\tmail = mcaravag@email.not.exists.com";

@BeforeMethod
public void setUp() throws Exception {
lenient().when(kubernetesVersion.newerOrEqualThan(1, 13)).thenReturn(true);
lenient().when(kubernetesVersion.olderThan(1, 13)).thenReturn(false);
secretApplier = new GitCredentialStorageFileSecretApplier(kubernetesVersion);
when(environment.getPodsData()).thenReturn(singletonMap("pod1", podData));
when(podData.getRole()).thenReturn(KubernetesEnvironment.PodRole.DEPLOYMENT);
when(podData.getSpec()).thenReturn(podSpec);
when(runtimeIdentity.getWorkspaceId()).thenReturn("ws-1234598");
}

@Test(
expectedExceptions = InfrastructureException.class,
expectedExceptionsMessageRegExp =
"Invalid git credential secret data. It should contain only 1 data item but it have 2")
public void shouldThrowInfrastructureExceptionIfSecretsHasMoreOrLessWhen1Data()
throws InfrastructureException {
// given
Secret secret =
new SecretBuilder()
.withData(ImmutableMap.of("credentials", "random", "credentials2", "random"))
.withMetadata(
new ObjectMetaBuilder()
.withName("test_secret")
.withAnnotations(
ImmutableMap.of(
ANNOTATION_MOUNT_AS,
"file",
ANNOTATION_MOUNT_PATH,
"/home/user/.git",
GitCredentialStorageFileSecretApplier.ANNOTATION_GIT_CREDENTIALS,
"true",
ANNOTATION_AUTOMOUNT,
"true"))
.withLabels(emptyMap())
.build())
.build();
// when
secretApplier.applySecret(environment, runtimeIdentity, secret);
}

@Test
public void shouldBeAbleToAdjustGiConfigConfigMap() throws InfrastructureException {
// given
Secret secret =
new SecretBuilder()
.withData(ImmutableMap.of("credentials", "random"))
.withMetadata(
new ObjectMetaBuilder()
.withName("test_secret")
.withAnnotations(
ImmutableMap.of(
ANNOTATION_MOUNT_AS,
"file",
ANNOTATION_MOUNT_PATH,
"/home/user/.git",
GitCredentialStorageFileSecretApplier.ANNOTATION_GIT_CREDENTIALS,
"true",
ANNOTATION_AUTOMOUNT,
"true"))
.withLabels(emptyMap())
.build())
.build();

ConfigMap configMap =
new ConfigMapBuilder()
.withData(ImmutableMap.of(GitConfigProvisioner.GIT_CONFIG, GIT_CONFIG_CONTENT))
.build();
when(environment.getConfigMaps())
.thenReturn(
ImmutableMap.of(
"ws-1234598" + GitConfigProvisioner.GIT_CONFIG_MAP_NAME_SUFFIX, configMap));
// when
secretApplier.applySecret(environment, runtimeIdentity, secret);
// then
String data = configMap.getData().get(GitConfigProvisioner.GIT_CONFIG);
assertTrue(
data.endsWith("[credential]\n\thelper = store --file /home/user/.git/credentials\n"));
}

@Test(
expectedExceptions = InfrastructureException.class,
expectedExceptionsMessageRegExp =
"Multiple git credentials secrets found. Please remove duplication.")
public void shouldThrowInfrastructureExceptionIfGitConfigAlreadyContainsSecretConfig()
throws InfrastructureException {
// given
Secret secret =
new SecretBuilder()
.withData(ImmutableMap.of("credentials", "random"))
.withMetadata(
new ObjectMetaBuilder()
.withName("test_secret")
.withAnnotations(
ImmutableMap.of(
ANNOTATION_MOUNT_AS,
"file",
ANNOTATION_MOUNT_PATH,
"/home/user/.git",
GitCredentialStorageFileSecretApplier.ANNOTATION_GIT_CREDENTIALS,
"true",
ANNOTATION_AUTOMOUNT,
"true"))
.withLabels(emptyMap())
.build())
.build();

ConfigMap configMap =
new ConfigMapBuilder()
.withData(
ImmutableMap.of(
GitConfigProvisioner.GIT_CONFIG,
GIT_CONFIG_CONTENT
+ "[credential]\n\thelper = store --file /home/user/.git/credentials\n"))
.build();
when(environment.getConfigMaps())
.thenReturn(
ImmutableMap.of(
"ws-1234598" + GitConfigProvisioner.GIT_CONFIG_MAP_NAME_SUFFIX, configMap));
// when
secretApplier.applySecret(environment, runtimeIdentity, secret);
}
}
Loading