create-pull-request/src/git-auth-helper.ts

import * as core from '@actions/core'
import * as fs from 'fs'
import {GitCommandManager} from './git-command-manager'
import * as path from 'path'
import {URL} from 'url'
import * as utils from './utils'

export class GitAuthHelper {
  private git: GitCommandManager
  private gitConfigPath = ''
  private workingDirectory: string
  private safeDirectoryConfigKey = 'safe.directory'
  private safeDirectoryAdded = false
  private extraheaderConfigKey: string
  private extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***'
  private extraheaderConfigValueRegex = '^AUTHORIZATION:'
  private persistedExtraheaderConfigValue = ''

  constructor(git: GitCommandManager) {
    this.git = git
    this.workingDirectory = this.git.getWorkingDirectory()
    const serverUrl = this.getServerUrl()
    this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader`
  }

  async addSafeDirectory(): Promise<void> {
    const exists = await this.git.configExists(
      this.safeDirectoryConfigKey,
      this.workingDirectory,
      true
    )
    if (!exists) {
      await this.git.config(
        this.safeDirectoryConfigKey,
        this.workingDirectory,
        true,
        true
      )
      this.safeDirectoryAdded = true
    }
  }

  async removeSafeDirectory(): Promise<void> {
    if (this.safeDirectoryAdded) {
      await this.git.tryConfigUnset(
        this.safeDirectoryConfigKey,
        this.workingDirectory,
        true
      )
    }
  }

  async savePersistedAuth(): Promise<void> {
    // Save and unset persisted extraheader credential in git config if it exists
    this.persistedExtraheaderConfigValue = await this.getAndUnset()
  }

  async restorePersistedAuth(): Promise<void> {
    if (this.persistedExtraheaderConfigValue) {
      try {
        await this.setExtraheaderConfig(this.persistedExtraheaderConfigValue)
        core.info('Persisted git credentials restored')
      } catch (e) {
        core.warning(utils.getErrorMessage(e))
      }
    }
  }

  async configureToken(token: string): Promise<void> {
    // Encode and configure the basic credential for HTTPS access
    const basicCredential = Buffer.from(
      `x-access-token:${token}`,
      'utf8'
    ).toString('base64')
    core.setSecret(basicCredential)
    const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}`
    await this.setExtraheaderConfig(extraheaderConfigValue)
  }

  async removeAuth(): Promise<void> {
    await this.getAndUnset()
  }

  private async setExtraheaderConfig(
    extraheaderConfigValue: string
  ): Promise<void> {
    // Configure a placeholder value. This approach avoids the credential being captured
    // by process creation audit events, which are commonly logged. For more information,
    // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
    // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274
    await this.git.config(
      this.extraheaderConfigKey,
      this.extraheaderConfigPlaceholderValue
    )
    // Replace the placeholder
    await this.gitConfigStringReplace(
      this.extraheaderConfigPlaceholderValue,
      extraheaderConfigValue
    )
  }

  private async getAndUnset(): Promise<string> {
    let configValue = ''
    // Save and unset persisted extraheader credential in git config if it exists
    if (
      await this.git.configExists(
        this.extraheaderConfigKey,
        this.extraheaderConfigValueRegex
      )
    ) {
      configValue = await this.git.getConfigValue(
        this.extraheaderConfigKey,
        this.extraheaderConfigValueRegex
      )
      if (
        await this.git.tryConfigUnset(
          this.extraheaderConfigKey,
          this.extraheaderConfigValueRegex
        )
      ) {
        core.info(`Unset config key '${this.extraheaderConfigKey}'`)
      } else {
        core.warning(
          `Failed to unset config key '${this.extraheaderConfigKey}'`
        )
      }
    }
    return configValue
  }

  private async gitConfigStringReplace(
    find: string,
    replace: string
  ): Promise<void> {
    if (this.gitConfigPath.length === 0) {
      const gitDir = await this.git.getGitDirectory()
      this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config')
    }
    let content = (await fs.promises.readFile(this.gitConfigPath)).toString()
    const index = content.indexOf(find)
    if (index < 0 || index != content.lastIndexOf(find)) {
      throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`)
    }
    content = content.replace(find, replace)
    await fs.promises.writeFile(this.gitConfigPath, content)
  }

  private getServerUrl(): URL {
    return new URL(process.env['GITHUB_SERVER_URL'] || 'https://github.com')
  }
}
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`import * as core from '@actions/core'`
			`import * as fs from 'fs'`
			`import {GitCommandManager} from './git-command-manager'`
			`import * as path from 'path'`
			`import {URL} from 'url'`
fix: replace use of any type (#1251) 2022-09-21 08:42:50 +02:00			`import * as utils from './utils'`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00
			`export class GitAuthHelper {`
			`private git: GitCommandManager`
v5 (#1792) * feat: restore working base branch and uncommitted changes * docs: uncommitted changes are stashed and restored * docs: add major version notes * fix: update package version * fix: update package-lock * feat: revise proxy implementation * docs: add notes for the revised proxy implementation * feat: set and remove git safe directory * docs: add notes for the git safe directory feature * fix: use base url for proxy check * feat: determine the git dir with rev-parse * build: update package lock * fix: remove support for ghes alpha * feat: revise handling of team reviewers * docs: update notes * feat: body-path * docs: update to v5 * docs: update to v5 * build: fix package lock 2023-04-05 01:41:18 +02:00			`private gitConfigPath = ''`
			`private workingDirectory: string`
			`private safeDirectoryConfigKey = 'safe.directory'`
			`private safeDirectoryAdded = false`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`private extraheaderConfigKey: string`
			`private extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***'`
			`private extraheaderConfigValueRegex = '^AUTHORIZATION:'`
			`private persistedExtraheaderConfigValue = ''`

			`constructor(git: GitCommandManager) {`
			`this.git = git`
v5 (#1792) * feat: restore working base branch and uncommitted changes * docs: uncommitted changes are stashed and restored * docs: add major version notes * fix: update package version * fix: update package-lock * feat: revise proxy implementation * docs: add notes for the revised proxy implementation * feat: set and remove git safe directory * docs: add notes for the git safe directory feature * fix: use base url for proxy check * feat: determine the git dir with rev-parse * build: update package lock * fix: remove support for ghes alpha * feat: revise handling of team reviewers * docs: update notes * feat: body-path * docs: update to v5 * docs: update to v5 * build: fix package lock 2023-04-05 01:41:18 +02:00			`this.workingDirectory = this.git.getWorkingDirectory()`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`const serverUrl = this.getServerUrl()`
			this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader`
			`}`

v5 (#1792) * feat: restore working base branch and uncommitted changes * docs: uncommitted changes are stashed and restored * docs: add major version notes * fix: update package version * fix: update package-lock * feat: revise proxy implementation * docs: add notes for the revised proxy implementation * feat: set and remove git safe directory * docs: add notes for the git safe directory feature * fix: use base url for proxy check * feat: determine the git dir with rev-parse * build: update package lock * fix: remove support for ghes alpha * feat: revise handling of team reviewers * docs: update notes * feat: body-path * docs: update to v5 * docs: update to v5 * build: fix package lock 2023-04-05 01:41:18 +02:00			`async addSafeDirectory(): Promise<void> {`
			`const exists = await this.git.configExists(`
			`this.safeDirectoryConfigKey,`
			`this.workingDirectory,`
			`true`
			`)`
			`if (!exists) {`
			`await this.git.config(`
			`this.safeDirectoryConfigKey,`
			`this.workingDirectory,`
			`true,`
			`true`
			`)`
			`this.safeDirectoryAdded = true`
			`}`
			`}`

			`async removeSafeDirectory(): Promise<void> {`
			`if (this.safeDirectoryAdded) {`
			`await this.git.tryConfigUnset(`
			`this.safeDirectoryConfigKey,`
			`this.workingDirectory,`
			`true`
			`)`
			`}`
			`}`

Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`async savePersistedAuth(): Promise<void> {`
			`// Save and unset persisted extraheader credential in git config if it exists`
			`this.persistedExtraheaderConfigValue = await this.getAndUnset()`
			`}`

			`async restorePersistedAuth(): Promise<void> {`
			`if (this.persistedExtraheaderConfigValue) {`
			`try {`
			`await this.setExtraheaderConfig(this.persistedExtraheaderConfigValue)`
			`core.info('Persisted git credentials restored')`
fix: replace use of any type (#1251) 2022-09-21 08:42:50 +02:00			`} catch (e) {`
			`core.warning(utils.getErrorMessage(e))`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`}`
			`}`
			`}`

			`async configureToken(token: string): Promise<void> {`
			`// Encode and configure the basic credential for HTTPS access`
			`const basicCredential = Buffer.from(`
			`x-access-token:${token}`,
			`'utf8'`
			`).toString('base64')`
			`core.setSecret(basicCredential)`
			const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}`
			`await this.setExtraheaderConfig(extraheaderConfigValue)`
			`}`

			`async removeAuth(): Promise<void> {`
			`await this.getAndUnset()`
			`}`

			`private async setExtraheaderConfig(`
			`extraheaderConfigValue: string`
			`): Promise<void> {`
			`// Configure a placeholder value. This approach avoids the credential being captured`
			`// by process creation audit events, which are commonly logged. For more information,`
			`// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing`
			`// See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274`
			`await this.git.config(`
			`this.extraheaderConfigKey,`
			`this.extraheaderConfigPlaceholderValue`
			`)`
			`// Replace the placeholder`
			`await this.gitConfigStringReplace(`
			`this.extraheaderConfigPlaceholderValue,`
			`extraheaderConfigValue`
			`)`
			`}`

			`private async getAndUnset(): Promise<string> {`
			`let configValue = ''`
			`// Save and unset persisted extraheader credential in git config if it exists`
			`if (`
			`await this.git.configExists(`
			`this.extraheaderConfigKey,`
			`this.extraheaderConfigValueRegex`
			`)`
			`) {`
			`configValue = await this.git.getConfigValue(`
			`this.extraheaderConfigKey,`
			`this.extraheaderConfigValueRegex`
			`)`
			`if (`
			`await this.git.tryConfigUnset(`
			`this.extraheaderConfigKey,`
			`this.extraheaderConfigValueRegex`
			`)`
			`) {`
			core.info(`Unset config key '${this.extraheaderConfigKey}'`)
			`} else {`
			`core.warning(`
			`Failed to unset config key '${this.extraheaderConfigKey}'`
			`)`
			`}`
			`}`
			`return configValue`
			`}`

			`private async gitConfigStringReplace(`
			`find: string,`
			`replace: string`
			`): Promise<void> {`
v5 (#1792) * feat: restore working base branch and uncommitted changes * docs: uncommitted changes are stashed and restored * docs: add major version notes * fix: update package version * fix: update package-lock * feat: revise proxy implementation * docs: add notes for the revised proxy implementation * feat: set and remove git safe directory * docs: add notes for the git safe directory feature * fix: use base url for proxy check * feat: determine the git dir with rev-parse * build: update package lock * fix: remove support for ghes alpha * feat: revise handling of team reviewers * docs: update notes * feat: body-path * docs: update to v5 * docs: update to v5 * build: fix package lock 2023-04-05 01:41:18 +02:00			`if (this.gitConfigPath.length === 0) {`
			`const gitDir = await this.git.getGitDirectory()`
			`this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config')`
			`}`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`let content = (await fs.promises.readFile(this.gitConfigPath)).toString()`
			`const index = content.indexOf(find)`
			`if (index < 0 \|\| index != content.lastIndexOf(find)) {`
			throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`)
			`}`
			`content = content.replace(find, replace)`
			`await fs.promises.writeFile(this.gitConfigPath, content)`
			`}`

			`private getServerUrl(): URL {`
v5 (#1792) * feat: restore working base branch and uncommitted changes * docs: uncommitted changes are stashed and restored * docs: add major version notes * fix: update package version * fix: update package-lock * feat: revise proxy implementation * docs: add notes for the revised proxy implementation * feat: set and remove git safe directory * docs: add notes for the git safe directory feature * fix: use base url for proxy check * feat: determine the git dir with rev-parse * build: update package lock * fix: remove support for ghes alpha * feat: revise handling of team reviewers * docs: update notes * feat: body-path * docs: update to v5 * docs: update to v5 * build: fix package lock 2023-04-05 01:41:18 +02:00			`return new URL(process.env['GITHUB_SERVER_URL'] \|\| 'https://github.com')`
Refactor extraheader auth handling 2020-07-17 13:54:39 +02:00			`}`
			`}`