From 24012f5c84f1778762ad67e3b3d3a9dcf33d8e62 Mon Sep 17 00:00:00 2001 From: Peter Evans Date: Fri, 17 Jul 2020 20:54:39 +0900 Subject: [PATCH] Refactor extraheader auth handling --- __test__/create-or-update-branch.int.test.ts | 4 - __test__/git-auth-helper.int.test.ts | 49 +++ __test__/git-config-helper.int.test.ts | 117 ------ dist/index.js | 356 +++++++++++-------- src/create-pull-request.ts | 47 +-- src/git-auth-helper.ts | 126 +++++++ src/git-command-manager.ts | 69 ++-- src/git-config-helper.ts | 64 ---- src/git-identity-helper.ts | 47 ++- 9 files changed, 460 insertions(+), 419 deletions(-) create mode 100644 __test__/git-auth-helper.int.test.ts delete mode 100644 __test__/git-config-helper.int.test.ts create mode 100644 src/git-auth-helper.ts delete mode 100644 src/git-config-helper.ts diff --git a/__test__/create-or-update-branch.int.test.ts b/__test__/create-or-update-branch.int.test.ts index 3b65052..fa49e51 100644 --- a/__test__/create-or-update-branch.int.test.ts +++ b/__test__/create-or-update-branch.int.test.ts @@ -82,10 +82,6 @@ describe('create-or-update-branch tests', () => { beforeAll(async () => { git = await GitCommandManager.create(REPO_PATH) - git.setAuthGitOptions([ - '-c', - 'http.https://github.com/.extraheader=AUTHORIZATION: basic xxx' - ]) git.setIdentityGitOptions([ '-c', 'author.name=Author Name', diff --git a/__test__/git-auth-helper.int.test.ts b/__test__/git-auth-helper.int.test.ts new file mode 100644 index 0000000..69d5c90 --- /dev/null +++ b/__test__/git-auth-helper.int.test.ts @@ -0,0 +1,49 @@ +import {GitCommandManager} from '../lib/git-command-manager' +import {GitAuthHelper} from '../lib/git-auth-helper' + +const REPO_PATH = '/git/test-repo' + +const extraheaderConfigKey = 'http.https://github.com/.extraheader' + +describe('git-auth-helper tests', () => { + let git: GitCommandManager + let gitAuthHelper: GitAuthHelper + + beforeAll(async () => { + git = await GitCommandManager.create(REPO_PATH) + gitAuthHelper = new GitAuthHelper(git) + }) + + it('tests save and restore with no persisted auth', async () => { + await gitAuthHelper.savePersistedAuth() + await gitAuthHelper.restorePersistedAuth() + }) + + it('tests configure and removal of auth', async () => { + await gitAuthHelper.configureToken('github-token') + expect(await git.configExists(extraheaderConfigKey)).toBeTruthy() + expect(await git.getConfigValue(extraheaderConfigKey)).toEqual( + 'AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2l0aHViLXRva2Vu' + ) + + await gitAuthHelper.removeAuth() + expect(await git.configExists(extraheaderConfigKey)).toBeFalsy() + }) + + it('tests save and restore of persisted auth', async () => { + const extraheaderConfigValue = 'AUTHORIZATION: basic ***persisted-auth***' + await git.config(extraheaderConfigKey, extraheaderConfigValue) + + await gitAuthHelper.savePersistedAuth() + + const exists = await git.configExists(extraheaderConfigKey) + expect(exists).toBeFalsy() + + await gitAuthHelper.restorePersistedAuth() + + const configValue = await git.getConfigValue(extraheaderConfigKey) + expect(configValue).toEqual(extraheaderConfigValue) + + await gitAuthHelper.removeAuth() + }) +}) diff --git a/__test__/git-config-helper.int.test.ts b/__test__/git-config-helper.int.test.ts deleted file mode 100644 index 4ff160b..0000000 --- a/__test__/git-config-helper.int.test.ts +++ /dev/null @@ -1,117 +0,0 @@ -import {GitCommandManager} from '../lib/git-command-manager' -import {GitConfigHelper} from '../lib/git-config-helper' - -const REPO_PATH = '/git/test-repo' - -describe('git-config-helper tests', () => { - let gitConfigHelper: GitConfigHelper - - beforeAll(async () => { - const git = await GitCommandManager.create(REPO_PATH) - gitConfigHelper = new GitConfigHelper(git) - }) - - it('adds and unsets a config option', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.add.and.unset.config.option', - 'foo' - ) - expect(add).toBeTruthy() - const unset = await gitConfigHelper.unsetConfigOption( - 'test.add.and.unset.config.option' - ) - expect(unset).toBeTruthy() - }) - - it('adds and unsets a config option with value regex', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.add.and.unset.config.option', - 'foo bar' - ) - expect(add).toBeTruthy() - const unset = await gitConfigHelper.unsetConfigOption( - 'test.add.and.unset.config.option', - '^foo' - ) - expect(unset).toBeTruthy() - }) - - it('determines that a config option exists', async () => { - const result = await gitConfigHelper.configOptionExists('remote.origin.url') - expect(result).toBeTruthy() - }) - - it('determines that a config option does not exist', async () => { - const result = await gitConfigHelper.configOptionExists( - 'this.key.does.not.exist' - ) - expect(result).toBeFalsy() - }) - - it('successfully retrieves a config option', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.get.config.option', - 'foo' - ) - expect(add).toBeTruthy() - const option = await gitConfigHelper.getConfigOption( - 'test.get.config.option' - ) - expect(option.value).toEqual('foo') - const unset = await gitConfigHelper.unsetConfigOption( - 'test.get.config.option' - ) - expect(unset).toBeTruthy() - }) - - it('gets a config option with value regex', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.get.config.option', - 'foo bar' - ) - expect(add).toBeTruthy() - const option = await gitConfigHelper.getConfigOption( - 'test.get.config.option', - '^foo' - ) - expect(option.value).toEqual('foo bar') - const unset = await gitConfigHelper.unsetConfigOption( - 'test.get.config.option', - '^foo' - ) - expect(unset).toBeTruthy() - }) - - it('gets and unsets a config option', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.get.and.unset.config.option', - 'foo' - ) - expect(add).toBeTruthy() - const getAndUnset = await gitConfigHelper.getAndUnsetConfigOption( - 'test.get.and.unset.config.option' - ) - expect(getAndUnset.value).toEqual('foo') - }) - - it('gets and unsets a config option with value regex', async () => { - const add = await gitConfigHelper.addConfigOption( - 'test.get.and.unset.config.option', - 'foo bar' - ) - expect(add).toBeTruthy() - const getAndUnset = await gitConfigHelper.getAndUnsetConfigOption( - 'test.get.and.unset.config.option', - '^foo' - ) - expect(getAndUnset.value).toEqual('foo bar') - }) - - it('fails to get and unset a config option', async () => { - const getAndUnset = await gitConfigHelper.getAndUnsetConfigOption( - 'this.key.does.not.exist' - ) - expect(getAndUnset.name).toEqual('') - expect(getAndUnset.value).toEqual('') - }) -}) diff --git a/dist/index.js b/dist/index.js index 53fb1e7..8fb15ba 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1645,6 +1645,139 @@ function register (state, name, method, options) { } +/***/ }), + +/***/ 287: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.GitAuthHelper = void 0; +const core = __importStar(__webpack_require__(470)); +const fs = __importStar(__webpack_require__(747)); +const path = __importStar(__webpack_require__(622)); +const url_1 = __webpack_require__(835); +class GitAuthHelper { + constructor(git) { + this.extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***'; + this.extraheaderConfigValueRegex = '^AUTHORIZATION:'; + this.persistedExtraheaderConfigValue = ''; + this.git = git; + this.gitConfigPath = path.join(this.git.getWorkingDirectory(), '.git', 'config'); + const serverUrl = this.getServerUrl(); + this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader`; + } + savePersistedAuth() { + return __awaiter(this, void 0, void 0, function* () { + // Save and unset persisted extraheader credential in git config if it exists + this.persistedExtraheaderConfigValue = yield this.getAndUnset(); + }); + } + restorePersistedAuth() { + return __awaiter(this, void 0, void 0, function* () { + if (this.persistedExtraheaderConfigValue) { + try { + yield this.setExtraheaderConfig(this.persistedExtraheaderConfigValue); + core.info('Persisted git credentials restored'); + } + catch (e) { + core.warning(e); + } + } + }); + } + configureToken(token) { + return __awaiter(this, void 0, void 0, function* () { + // Encode and configure the basic credential for HTTPS access + const basicCredential = Buffer.from(`x-access-token:${token}`, 'utf8').toString('base64'); + core.setSecret(basicCredential); + const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}`; + yield this.setExtraheaderConfig(extraheaderConfigValue); + }); + } + removeAuth() { + return __awaiter(this, void 0, void 0, function* () { + yield this.getAndUnset(); + }); + } + setExtraheaderConfig(extraheaderConfigValue) { + return __awaiter(this, void 0, void 0, function* () { + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 + yield this.git.config(this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue); + // Replace the placeholder + yield this.gitConfigStringReplace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); + }); + } + getAndUnset() { + return __awaiter(this, void 0, void 0, function* () { + let configValue = ''; + // Save and unset persisted extraheader credential in git config if it exists + if (yield this.git.configExists(this.extraheaderConfigKey, this.extraheaderConfigValueRegex)) { + configValue = yield this.git.getConfigValue(this.extraheaderConfigKey, this.extraheaderConfigValueRegex); + if (yield this.git.tryConfigUnset(this.extraheaderConfigKey, this.extraheaderConfigValueRegex)) { + core.info(`Unset config key '${this.extraheaderConfigKey}'`); + } + else { + core.warning(`Failed to unset config key '${this.extraheaderConfigKey}'`); + } + } + return configValue; + }); + } + gitConfigStringReplace(find, replace) { + return __awaiter(this, void 0, void 0, function* () { + let content = (yield fs.promises.readFile(this.gitConfigPath)).toString(); + const index = content.indexOf(find); + if (index < 0 || index != content.lastIndexOf(find)) { + throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`); + } + content = content.replace(find, replace); + yield fs.promises.writeFile(this.gitConfigPath, content); + }); + } + getServerUrl() { + // todo: remove GITHUB_URL after support for GHES Alpha is no longer needed + // See https://github.com/actions/checkout/blob/main/src/url-helper.ts#L22-L29 + return new url_1.URL(process.env['GITHUB_SERVER_URL'] || + process.env['GITHUB_URL'] || + 'https://github.com'); + } +} +exports.GitAuthHelper = GitAuthHelper; + + /***/ }), /***/ 289: @@ -1696,9 +1829,6 @@ class GitCommandManager { return new GitCommandManager(workingDirectory, gitPath); }); } - setAuthGitOptions(authGitOptions) { - this.authGitOptions = authGitOptions; - } setIdentityGitOptions(identityGitOptions) { this.identityGitOptions = identityGitOptions; } @@ -1738,6 +1868,29 @@ class GitCommandManager { yield this.exec(args); }); } + config(configKey, configValue, globalConfig) { + return __awaiter(this, void 0, void 0, function* () { + yield this.exec([ + 'config', + globalConfig ? '--global' : '--local', + configKey, + configValue + ]); + }); + } + configExists(configKey, configValue = '.', globalConfig) { + return __awaiter(this, void 0, void 0, function* () { + const output = yield this.exec([ + 'config', + globalConfig ? '--global' : '--local', + '--name-only', + '--get-regexp', + configKey, + configValue + ], true); + return output.exitCode === 0; + }); + } diff(options) { return __awaiter(this, void 0, void 0, function* () { const args = ['-c', 'core.pager=cat', 'diff']; @@ -1750,11 +1903,7 @@ class GitCommandManager { } fetch(refSpec, remoteName, options) { return __awaiter(this, void 0, void 0, function* () { - const args = ['-c', 'protocol.version=2']; - if (this.authGitOptions) { - args.push(...this.authGitOptions); - } - args.push('fetch'); + const args = ['-c', 'protocol.version=2', 'fetch']; if (!refSpec.some(x => x === tagsRefSpec)) { args.push('--no-tags'); } @@ -1774,6 +1923,18 @@ class GitCommandManager { yield this.exec(args); }); } + getConfigValue(configKey, configValue = '.') { + return __awaiter(this, void 0, void 0, function* () { + const output = yield this.exec([ + 'config', + '--local', + '--get-regexp', + configKey, + configValue + ]); + return output.stdout.trim().split(`${configKey} `)[1]; + }); + } getWorkingDirectory() { return this.workingDirectory; } @@ -1798,9 +1959,6 @@ class GitCommandManager { push(options) { return __awaiter(this, void 0, void 0, function* () { const args = ['push']; - if (this.authGitOptions) { - args.unshift(...this.authGitOptions); - } if (options) { args.push(...options); } @@ -1849,18 +2007,19 @@ class GitCommandManager { return output.stdout.trim(); }); } - tryConfigUnset(configKey, globalConfig) { + tryConfigUnset(configKey, configValue = '.', globalConfig) { return __awaiter(this, void 0, void 0, function* () { const output = yield this.exec([ 'config', globalConfig ? '--global' : '--local', - '--unset-all', - configKey + '--unset', + configKey, + configValue ], true); return output.exitCode === 0; }); } - tryGetFetchUrl() { + tryGetRemoteUrl() { return __awaiter(this, void 0, void 0, function* () { const output = yield this.exec(['config', '--local', '--get', 'remote.origin.url'], true); if (output.exitCode !== 0) { @@ -4715,98 +4874,6 @@ exports.RequestError = RequestError; //# sourceMappingURL=index.js.map -/***/ }), - -/***/ 468: -/***/ (function(__unusedmodule, exports, __webpack_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.GitConfigHelper = exports.ConfigOption = void 0; -const core = __importStar(__webpack_require__(470)); -class ConfigOption { - constructor() { - this.name = ''; - this.value = ''; - } -} -exports.ConfigOption = ConfigOption; -class GitConfigHelper { - constructor(git) { - this.git = git; - } - addConfigOption(name, value) { - return __awaiter(this, void 0, void 0, function* () { - const result = yield this.git.exec(['config', '--local', '--add', name, value], true); - return result.exitCode === 0; - }); - } - unsetConfigOption(name, valueRegex = '.') { - return __awaiter(this, void 0, void 0, function* () { - const result = yield this.git.exec(['config', '--local', '--unset', name, valueRegex], true); - return result.exitCode === 0; - }); - } - configOptionExists(name, valueRegex = '.') { - return __awaiter(this, void 0, void 0, function* () { - const result = yield this.git.exec(['config', '--local', '--name-only', '--get-regexp', name, valueRegex], true); - return result.exitCode === 0; - }); - } - getConfigOption(name, valueRegex = '.') { - return __awaiter(this, void 0, void 0, function* () { - const option = new ConfigOption(); - const result = yield this.git.exec(['config', '--local', '--get-regexp', name, valueRegex], true); - option.name = name; - option.value = result.stdout.trim().split(`${name} `)[1]; - return option; - }); - } - getAndUnsetConfigOption(name, valueRegex = '.') { - return __awaiter(this, void 0, void 0, function* () { - if (yield this.configOptionExists(name, valueRegex)) { - const option = yield this.getConfigOption(name, valueRegex); - if (yield this.unsetConfigOption(name, valueRegex)) { - core.debug(`Unset config option '${name}'`); - return option; - } - } - return new ConfigOption(); - }); - } -} -exports.GitConfigHelper = GitConfigHelper; - - /***/ }), /***/ 470: @@ -8173,7 +8240,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge Object.defineProperty(exports, "__esModule", { value: true }); exports.GitIdentityHelper = void 0; const core = __importStar(__webpack_require__(470)); -const git_config_helper_1 = __webpack_require__(468); const utils = __importStar(__webpack_require__(611)); // Default the committer and author to the GitHub Actions bot const DEFAULT_COMMITTER = 'GitHub '; @@ -8184,31 +8250,30 @@ class GitIdentityHelper { } getGitIdentityFromConfig() { return __awaiter(this, void 0, void 0, function* () { - const gitConfigHelper = new git_config_helper_1.GitConfigHelper(this.git); - if ((yield gitConfigHelper.configOptionExists('user.name')) && - (yield gitConfigHelper.configOptionExists('user.email'))) { - const userName = yield gitConfigHelper.getConfigOption('user.name'); - const userEmail = yield gitConfigHelper.getConfigOption('user.email'); + if ((yield this.git.configExists('user.name')) && + (yield this.git.configExists('user.email'))) { + const userName = yield this.git.getConfigValue('user.name'); + const userEmail = yield this.git.getConfigValue('user.email'); return { - authorName: userName.value, - authorEmail: userEmail.value, - committerName: userName.value, - committerEmail: userEmail.value + authorName: userName, + authorEmail: userEmail, + committerName: userName, + committerEmail: userEmail }; } - if ((yield gitConfigHelper.configOptionExists('committer.name')) && - (yield gitConfigHelper.configOptionExists('committer.email')) && - (yield gitConfigHelper.configOptionExists('author.name')) && - (yield gitConfigHelper.configOptionExists('author.email'))) { - const committerName = yield gitConfigHelper.getConfigOption('committer.name'); - const committerEmail = yield gitConfigHelper.getConfigOption('committer.email'); - const authorName = yield gitConfigHelper.getConfigOption('author.name'); - const authorEmail = yield gitConfigHelper.getConfigOption('author.email'); + if ((yield this.git.configExists('committer.name')) && + (yield this.git.configExists('committer.email')) && + (yield this.git.configExists('author.name')) && + (yield this.git.configExists('author.email'))) { + const committerName = yield this.git.getConfigValue('committer.name'); + const committerEmail = yield this.git.getConfigValue('committer.email'); + const authorName = yield this.git.getConfigValue('author.name'); + const authorEmail = yield this.git.getConfigValue('author.email'); return { - authorName: authorName.value, - authorEmail: authorEmail.value, - committerName: committerName.value, - committerEmail: committerEmail.value + authorName: authorName, + authorEmail: authorEmail, + committerName: committerName, + committerEmail: committerEmail }; } return undefined; @@ -10489,28 +10554,25 @@ const core = __importStar(__webpack_require__(470)); const create_or_update_branch_1 = __webpack_require__(159); const github_helper_1 = __webpack_require__(718); const git_command_manager_1 = __webpack_require__(289); -const git_config_helper_1 = __webpack_require__(468); +const git_auth_helper_1 = __webpack_require__(287); const git_identity_helper_1 = __webpack_require__(723); const utils = __importStar(__webpack_require__(611)); -const EXTRAHEADER_OPTION = 'http.https://github.com/.extraheader'; -const EXTRAHEADER_VALUE_REGEX = '^AUTHORIZATION:'; const DEFAULT_COMMIT_MESSAGE = '[create-pull-request] automated change'; const DEFAULT_TITLE = 'Changes by create-pull-request action'; const DEFAULT_BODY = 'Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action'; const DEFAULT_BRANCH = 'create-pull-request/patch'; function createPullRequest(inputs) { return __awaiter(this, void 0, void 0, function* () { - let gitConfigHelper; - let extraHeaderOption = new git_config_helper_1.ConfigOption(); + let gitAuthHelper; try { // Get the repository path const repoPath = utils.getRepoPath(inputs.path); // Create a git command manager const git = yield git_command_manager_1.GitCommandManager.create(repoPath); - // Unset and save the extraheader config option if it exists + // Save and unset the extraheader auth config if it exists core.startGroup('Save persisted git credentials'); - gitConfigHelper = new git_config_helper_1.GitConfigHelper(git); - extraHeaderOption = yield gitConfigHelper.getAndUnsetConfigOption(EXTRAHEADER_OPTION, EXTRAHEADER_VALUE_REGEX); + gitAuthHelper = new git_auth_helper_1.GitAuthHelper(git); + yield gitAuthHelper.savePersistedAuth(); core.endGroup(); // Set defaults inputs.commitMessage = inputs.commitMessage @@ -10522,19 +10584,13 @@ function createPullRequest(inputs) { // Determine the GitHub repository from git config // This will be the target repository for the pull request branch core.startGroup('Determining the checked out repository'); - const remoteOriginUrlConfig = yield gitConfigHelper.getConfigOption('remote.origin.url'); - const remote = utils.getRemoteDetail(remoteOriginUrlConfig.value); + const remoteUrl = yield git.tryGetRemoteUrl(); + const remote = utils.getRemoteDetail(remoteUrl); core.endGroup(); core.info(`Pull request branch target repository set to ${remote.repository}`); if (remote.protocol == 'HTTPS') { core.startGroup('Configuring credential for HTTPS authentication'); - // Encode and configure the basic credential for HTTPS access - const basicCredential = Buffer.from(`x-access-token:${inputs.token}`, 'utf8').toString('base64'); - core.setSecret(basicCredential); - git.setAuthGitOptions([ - '-c', - `http.https://github.com/.extraheader=AUTHORIZATION: basic ${basicCredential}` - ]); + yield gitAuthHelper.configureAuth(inputs.token); core.endGroup(); } // Determine if the checked out ref is a valid base for a pull request @@ -10634,12 +10690,10 @@ function createPullRequest(inputs) { core.setFailed(error.message); } finally { - // Restore the extraheader config option + // Remove auth and restore persisted auth config if it existed core.startGroup('Restore persisted git credentials'); - if (extraHeaderOption.value != '') { - if (yield gitConfigHelper.addConfigOption(EXTRAHEADER_OPTION, extraHeaderOption.value)) - core.debug(`Restored config option '${EXTRAHEADER_OPTION}'`); - } + yield gitAuthHelper.removeAuth(); + yield gitAuthHelper.restorePersistedAuth(); core.endGroup(); } }); diff --git a/src/create-pull-request.ts b/src/create-pull-request.ts index 41e921d..f5b371c 100644 --- a/src/create-pull-request.ts +++ b/src/create-pull-request.ts @@ -2,13 +2,10 @@ import * as core from '@actions/core' import {createOrUpdateBranch} from './create-or-update-branch' import {GitHubHelper} from './github-helper' import {GitCommandManager} from './git-command-manager' -import {ConfigOption, GitConfigHelper} from './git-config-helper' +import {GitAuthHelper} from './git-auth-helper' import {GitIdentityHelper} from './git-identity-helper' import * as utils from './utils' -const EXTRAHEADER_OPTION = 'http.https://github.com/.extraheader' -const EXTRAHEADER_VALUE_REGEX = '^AUTHORIZATION:' - const DEFAULT_COMMIT_MESSAGE = '[create-pull-request] automated change' const DEFAULT_TITLE = 'Changes by create-pull-request action' const DEFAULT_BODY = @@ -36,21 +33,17 @@ export interface Inputs { } export async function createPullRequest(inputs: Inputs): Promise { - let gitConfigHelper - let extraHeaderOption = new ConfigOption() + let gitAuthHelper try { // Get the repository path const repoPath = utils.getRepoPath(inputs.path) // Create a git command manager const git = await GitCommandManager.create(repoPath) - // Unset and save the extraheader config option if it exists + // Save and unset the extraheader auth config if it exists core.startGroup('Save persisted git credentials') - gitConfigHelper = new GitConfigHelper(git) - extraHeaderOption = await gitConfigHelper.getAndUnsetConfigOption( - EXTRAHEADER_OPTION, - EXTRAHEADER_VALUE_REGEX - ) + gitAuthHelper = new GitAuthHelper(git) + await gitAuthHelper.savePersistedAuth() core.endGroup() // Set defaults @@ -64,10 +57,8 @@ export async function createPullRequest(inputs: Inputs): Promise { // Determine the GitHub repository from git config // This will be the target repository for the pull request branch core.startGroup('Determining the checked out repository') - const remoteOriginUrlConfig = await gitConfigHelper.getConfigOption( - 'remote.origin.url' - ) - const remote = utils.getRemoteDetail(remoteOriginUrlConfig.value) + const remoteUrl = await git.tryGetRemoteUrl() + const remote = utils.getRemoteDetail(remoteUrl) core.endGroup() core.info( `Pull request branch target repository set to ${remote.repository}` @@ -75,16 +66,7 @@ export async function createPullRequest(inputs: Inputs): Promise { if (remote.protocol == 'HTTPS') { core.startGroup('Configuring credential for HTTPS authentication') - // Encode and configure the basic credential for HTTPS access - const basicCredential = Buffer.from( - `x-access-token:${inputs.token}`, - 'utf8' - ).toString('base64') - core.setSecret(basicCredential) - git.setAuthGitOptions([ - '-c', - `http.https://github.com/.extraheader=AUTHORIZATION: basic ${basicCredential}` - ]) + await gitAuthHelper.configureAuth(inputs.token) core.endGroup() } @@ -216,17 +198,10 @@ export async function createPullRequest(inputs: Inputs): Promise { } catch (error) { core.setFailed(error.message) } finally { - // Restore the extraheader config option + // Remove auth and restore persisted auth config if it existed core.startGroup('Restore persisted git credentials') - if (extraHeaderOption.value != '') { - if ( - await gitConfigHelper.addConfigOption( - EXTRAHEADER_OPTION, - extraHeaderOption.value - ) - ) - core.debug(`Restored config option '${EXTRAHEADER_OPTION}'`) - } + await gitAuthHelper.removeAuth() + await gitAuthHelper.restorePersistedAuth() core.endGroup() } } diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts new file mode 100644 index 0000000..0a24c0a --- /dev/null +++ b/src/git-auth-helper.ts @@ -0,0 +1,126 @@ +import * as core from '@actions/core' +import * as fs from 'fs' +import {GitCommandManager} from './git-command-manager' +import * as path from 'path' +import {URL} from 'url' + +export class GitAuthHelper { + private git: GitCommandManager + private gitConfigPath: string + private extraheaderConfigKey: string + private extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***' + private extraheaderConfigValueRegex = '^AUTHORIZATION:' + private persistedExtraheaderConfigValue = '' + + constructor(git: GitCommandManager) { + this.git = git + this.gitConfigPath = path.join( + this.git.getWorkingDirectory(), + '.git', + 'config' + ) + const serverUrl = this.getServerUrl() + this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader` + } + + async savePersistedAuth(): Promise { + // Save and unset persisted extraheader credential in git config if it exists + this.persistedExtraheaderConfigValue = await this.getAndUnset() + } + + async restorePersistedAuth(): Promise { + if (this.persistedExtraheaderConfigValue) { + try { + await this.setExtraheaderConfig(this.persistedExtraheaderConfigValue) + core.info('Persisted git credentials restored') + } catch (e) { + core.warning(e) + } + } + } + + async configureToken(token: string): Promise { + // Encode and configure the basic credential for HTTPS access + const basicCredential = Buffer.from( + `x-access-token:${token}`, + 'utf8' + ).toString('base64') + core.setSecret(basicCredential) + const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}` + await this.setExtraheaderConfig(extraheaderConfigValue) + } + + async removeAuth(): Promise { + await this.getAndUnset() + } + + private async setExtraheaderConfig( + extraheaderConfigValue: string + ): Promise { + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 + await this.git.config( + this.extraheaderConfigKey, + this.extraheaderConfigPlaceholderValue + ) + // Replace the placeholder + await this.gitConfigStringReplace( + this.extraheaderConfigPlaceholderValue, + extraheaderConfigValue + ) + } + + private async getAndUnset(): Promise { + let configValue = '' + // Save and unset persisted extraheader credential in git config if it exists + if ( + await this.git.configExists( + this.extraheaderConfigKey, + this.extraheaderConfigValueRegex + ) + ) { + configValue = await this.git.getConfigValue( + this.extraheaderConfigKey, + this.extraheaderConfigValueRegex + ) + if ( + await this.git.tryConfigUnset( + this.extraheaderConfigKey, + this.extraheaderConfigValueRegex + ) + ) { + core.info(`Unset config key '${this.extraheaderConfigKey}'`) + } else { + core.warning( + `Failed to unset config key '${this.extraheaderConfigKey}'` + ) + } + } + return configValue + } + + private async gitConfigStringReplace( + find: string, + replace: string + ): Promise { + let content = (await fs.promises.readFile(this.gitConfigPath)).toString() + const index = content.indexOf(find) + if (index < 0 || index != content.lastIndexOf(find)) { + throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`) + } + content = content.replace(find, replace) + await fs.promises.writeFile(this.gitConfigPath, content) + } + + private getServerUrl(): URL { + // todo: remove GITHUB_URL after support for GHES Alpha is no longer needed + // See https://github.com/actions/checkout/blob/main/src/url-helper.ts#L22-L29 + return new URL( + process.env['GITHUB_SERVER_URL'] || + process.env['GITHUB_URL'] || + 'https://github.com' + ) + } +} diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index 2125533..dae1447 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -6,8 +6,6 @@ const tagsRefSpec = '+refs/tags/*:refs/tags/*' export class GitCommandManager { private gitPath: string private workingDirectory: string - // Git options used when commands require auth - private authGitOptions?: string[] // Git options used when commands require an identity private identityGitOptions?: string[] @@ -21,10 +19,6 @@ export class GitCommandManager { return new GitCommandManager(workingDirectory, gitPath) } - setAuthGitOptions(authGitOptions: string[]): void { - this.authGitOptions = authGitOptions - } - setIdentityGitOptions(identityGitOptions: string[]): void { this.identityGitOptions = identityGitOptions } @@ -68,6 +62,38 @@ export class GitCommandManager { await this.exec(args) } + async config( + configKey: string, + configValue: string, + globalConfig?: boolean + ): Promise { + await this.exec([ + 'config', + globalConfig ? '--global' : '--local', + configKey, + configValue + ]) + } + + async configExists( + configKey: string, + configValue = '.', + globalConfig?: boolean + ): Promise { + const output = await this.exec( + [ + 'config', + globalConfig ? '--global' : '--local', + '--name-only', + '--get-regexp', + configKey, + configValue + ], + true + ) + return output.exitCode === 0 + } + async diff(options?: string[]): Promise { const args = ['-c', 'core.pager=cat', 'diff'] if (options) { @@ -82,12 +108,7 @@ export class GitCommandManager { remoteName?: string, options?: string[] ): Promise { - const args = ['-c', 'protocol.version=2'] - if (this.authGitOptions) { - args.push(...this.authGitOptions) - } - args.push('fetch') - + const args = ['-c', 'protocol.version=2', 'fetch'] if (!refSpec.some(x => x === tagsRefSpec)) { args.push('--no-tags') } @@ -110,6 +131,17 @@ export class GitCommandManager { await this.exec(args) } + async getConfigValue(configKey: string, configValue = '.'): Promise { + const output = await this.exec([ + 'config', + '--local', + '--get-regexp', + configKey, + configValue + ]) + return output.stdout.trim().split(`${configKey} `)[1] + } + getWorkingDirectory(): string { return this.workingDirectory } @@ -133,14 +165,9 @@ export class GitCommandManager { async push(options?: string[]): Promise { const args = ['push'] - if (this.authGitOptions) { - args.unshift(...this.authGitOptions) - } - if (options) { args.push(...options) } - await this.exec(args) } @@ -187,21 +214,23 @@ export class GitCommandManager { async tryConfigUnset( configKey: string, + configValue = '.', globalConfig?: boolean ): Promise { const output = await this.exec( [ 'config', globalConfig ? '--global' : '--local', - '--unset-all', - configKey + '--unset', + configKey, + configValue ], true ) return output.exitCode === 0 } - async tryGetFetchUrl(): Promise { + async tryGetRemoteUrl(): Promise { const output = await this.exec( ['config', '--local', '--get', 'remote.origin.url'], true diff --git a/src/git-config-helper.ts b/src/git-config-helper.ts deleted file mode 100644 index 25a9fbc..0000000 --- a/src/git-config-helper.ts +++ /dev/null @@ -1,64 +0,0 @@ -import * as core from '@actions/core' -import {GitCommandManager} from './git-command-manager' - -export class ConfigOption { - name = '' - value = '' -} - -export class GitConfigHelper { - private git: GitCommandManager - - constructor(git: GitCommandManager) { - this.git = git - } - - async addConfigOption(name: string, value: string): Promise { - const result = await this.git.exec( - ['config', '--local', '--add', name, value], - true - ) - return result.exitCode === 0 - } - - async unsetConfigOption(name: string, valueRegex = '.'): Promise { - const result = await this.git.exec( - ['config', '--local', '--unset', name, valueRegex], - true - ) - return result.exitCode === 0 - } - - async configOptionExists(name: string, valueRegex = '.'): Promise { - const result = await this.git.exec( - ['config', '--local', '--name-only', '--get-regexp', name, valueRegex], - true - ) - return result.exitCode === 0 - } - - async getConfigOption(name: string, valueRegex = '.'): Promise { - const option = new ConfigOption() - const result = await this.git.exec( - ['config', '--local', '--get-regexp', name, valueRegex], - true - ) - option.name = name - option.value = result.stdout.trim().split(`${name} `)[1] - return option - } - - async getAndUnsetConfigOption( - name: string, - valueRegex = '.' - ): Promise { - if (await this.configOptionExists(name, valueRegex)) { - const option = await this.getConfigOption(name, valueRegex) - if (await this.unsetConfigOption(name, valueRegex)) { - core.debug(`Unset config option '${name}'`) - return option - } - } - return new ConfigOption() - } -} diff --git a/src/git-identity-helper.ts b/src/git-identity-helper.ts index f9b260f..abe15ea 100644 --- a/src/git-identity-helper.ts +++ b/src/git-identity-helper.ts @@ -1,6 +1,5 @@ import * as core from '@actions/core' import {GitCommandManager} from './git-command-manager' -import {GitConfigHelper} from './git-config-helper' import * as utils from './utils' // Default the committer and author to the GitHub Actions bot @@ -23,41 +22,35 @@ export class GitIdentityHelper { } private async getGitIdentityFromConfig(): Promise { - const gitConfigHelper = new GitConfigHelper(this.git) - if ( - (await gitConfigHelper.configOptionExists('user.name')) && - (await gitConfigHelper.configOptionExists('user.email')) + (await this.git.configExists('user.name')) && + (await this.git.configExists('user.email')) ) { - const userName = await gitConfigHelper.getConfigOption('user.name') - const userEmail = await gitConfigHelper.getConfigOption('user.email') + const userName = await this.git.getConfigValue('user.name') + const userEmail = await this.git.getConfigValue('user.email') return { - authorName: userName.value, - authorEmail: userEmail.value, - committerName: userName.value, - committerEmail: userEmail.value + authorName: userName, + authorEmail: userEmail, + committerName: userName, + committerEmail: userEmail } } if ( - (await gitConfigHelper.configOptionExists('committer.name')) && - (await gitConfigHelper.configOptionExists('committer.email')) && - (await gitConfigHelper.configOptionExists('author.name')) && - (await gitConfigHelper.configOptionExists('author.email')) + (await this.git.configExists('committer.name')) && + (await this.git.configExists('committer.email')) && + (await this.git.configExists('author.name')) && + (await this.git.configExists('author.email')) ) { - const committerName = await gitConfigHelper.getConfigOption( - 'committer.name' - ) - const committerEmail = await gitConfigHelper.getConfigOption( - 'committer.email' - ) - const authorName = await gitConfigHelper.getConfigOption('author.name') - const authorEmail = await gitConfigHelper.getConfigOption('author.email') + const committerName = await this.git.getConfigValue('committer.name') + const committerEmail = await this.git.getConfigValue('committer.email') + const authorName = await this.git.getConfigValue('author.name') + const authorEmail = await this.git.getConfigValue('author.email') return { - authorName: authorName.value, - authorEmail: authorEmail.value, - committerName: committerName.value, - committerEmail: committerEmail.value + authorName: authorName, + authorEmail: authorEmail, + committerName: committerName, + committerEmail: committerEmail } }