pipe-cd · ffjlabo · Sep 5, 2024 · Aug 30, 2024 · Sep 5, 2024 · Sep 5, 2024
@@ -49,6 +49,7 @@ spec:
 | hostName | string | The hostname or IP address of the remote git server. Default is the same value with Host. | No |
 | sshKeyFile | string | The path to the private ssh key file. This will be used to clone the source code of the specified git repositories. | No |
 | sshKeyData | string | Base64 encoded string of SSH key. | No |
+| password | string | The base64 encoded password for git used while cloning above Git repository. | No |
 
 ## GitRepository
 

@@ -278,11 +278,18 @@
 		})
 	}
 
+	password, err := cfg.Git.DecodedPassword()
+	if err != nil {
+		input.Logger.Error("failed to decode password", zap.Error(err))
+		return err
+	}
+
 	// Initialize git client.
 	gitOptions := []git.Option{
 		git.WithUserName(cfg.Git.Username),
 		git.WithEmail(cfg.Git.Email),
 		git.WithLogger(input.Logger),
+		git.WithPassword(password),
 	}
 	for _, repo := range cfg.GitHelmChartRepositories() {
 		if f := repo.SSHKeyFile; f != "" {
@@ -462,12 +469,19 @@
 
 	// Start running planpreview handler.
 	{
+		// Decode password for plan-preview feature.
+		password, err := cfg.Git.DecodedPassword()
+		if err != nil {
+			input.Logger.Error("failed to decode password", zap.Error(err))
+			return err
+		}
 		// Initialize a dedicated git client for plan-preview feature.
 		// Basically, this feature is an utility so it should not share any resource with the main components of piped.
 		gc, err := git.NewClient(
 			git.WithUserName(cfg.Git.Username),
 			git.WithEmail(cfg.Git.Email),
 			git.WithLogger(input.Logger),
+			git.WithPassword(password),
 		)
 		if err != nil {
 			input.Logger.Error("failed to initialize git client for plan-preview", zap.Error(err))

@@ -119,6 +119,9 @@
 	if s.SyncInterval < 0 {
 		return errors.New("syncInterval must be greater than or equal to 0")
 	}
+	if err := s.Git.Validate(); err != nil {
+		return err
+	}
 	for _, r := range s.ChartRepositories {
 		if err := r.Validate(); err != nil {
 			return err
@@ -326,6 +329,9 @@
 	SSHKeyFile string `json:"sshKeyFile,omitempty"`
 	// Base64 encoded string of ssh-key.
 	SSHKeyData string `json:"sshKeyData,omitempty"`
+	// Base64 encoded string of password.
+	// This will be used to clone the source repo with https basic auth.
+	Password string `json:"password,omitempty"`
 }
 
 func (g PipedGit) ShouldConfigureSSHConfig() bool {
@@ -345,6 +351,21 @@
 	return nil, errors.New("either sshKeyFile or sshKeyData must be set")
 }
 
+func (g *PipedGit) Validate() error {
+	isPassword := g.Password != ""
+	isSSH := g.ShouldConfigureSSHConfig()
+	if isSSH && isPassword {
+		return errors.New("cannot configure both sshKeyData or sshKeyFile and password authentication")
+	}
+	if isSSH && (g.SSHKeyData != "" && g.SSHKeyFile != "") {
+		return errors.New("only either sshKeyFile or sshKeyData can be set")
+	}
+	if isPassword && (g.Username == "" || g.Password == "") {
+		return errors.New("both username and password must be set")
+	}
+	return nil
+}
+
 func (g *PipedGit) Mask() {
 	if len(g.SSHConfigFilePath) != 0 {
 		g.SSHConfigFilePath = maskString
@@ -355,6 +376,20 @@
 	if len(g.SSHKeyData) != 0 {
 		g.SSHKeyData = maskString
 	}
+	if len(g.Password) != 0 {
+		g.Password = maskString
+	}
+}
+
+func (g *PipedGit) DecodedPassword() (string, error) {
+	if len(g.Password) == 0 {
+		return "", nil
+	}
+	decoded, err := base64.StdEncoding.DecodeString(g.Password)
+	if err != nil {
+		return "", err
+	}
+	return string(decoded), nil
 }
 
 type PipedRepository struct {

@@ -15,6 +15,7 @@
 package config
 
 import (
+	"errors"
 	"testing"
 	"time"
 
@@ -607,6 +608,7 @@ func TestPipedConfigMask(t *testing.T) {
 					HostName:          "foo",
 					SSHKeyFile:        "foo",
 					SSHKeyData:        "foo",
+					Password:          "foo",
 				},
 				Repositories: []PipedRepository{
 					{
@@ -770,6 +772,7 @@ func TestPipedConfigMask(t *testing.T) {
 					HostName:          "foo",
 					SSHKeyFile:        maskString,
 					SSHKeyData:        maskString,
+					Password:          maskString,
 				},
 				Repositories: []PipedRepository{
 					{
@@ -948,6 +951,7 @@ func TestPipedSpecClone(t *testing.T) {
 					Username:   "username",
 					Email:      "username@email.com",
 					SSHKeyFile: "/etc/piped-secret/ssh-key",
+					Password:   "Password",
 				},
 				Repositories: []PipedRepository{
 					{
@@ -1145,6 +1149,7 @@ func TestPipedSpecClone(t *testing.T) {
 					Username:   "username",
 					Email:      "username@email.com",
 					SSHKeyFile: "/etc/piped-secret/ssh-key",
+					Password:   "Password",
 				},
 				Repositories: []PipedRepository{
 					{
@@ -1435,3 +1440,81 @@ func TestFindPlatformProvidersByLabel(t *testing.T) {
 		})
 	}
 }
+
+func TestPipeGitValidate(t *testing.T) {
+	t.Parallel()
+	testcases := []struct {
+		name string
+		git  PipedGit
+		err  error
+	}{
+		{
+			name: "Both SSH and Password are not valid",
+			git: PipedGit{
+				SSHKeyData: "sshkey1",
+				Password:   "Password",
+			},
+			err: errors.New("cannot configure both sshKeyData or sshKeyFile and password authentication"),
+		},
+		{
+			name: "Both SSH and Password is not valid",
+			git: PipedGit{
+				SSHKeyFile: "sshkeyfile",
+				SSHKeyData: "sshkeydata",
+				Password:   "Password",
+			},
+			err: errors.New("cannot configure both sshKeyData or sshKeyFile and password authentication"),
+		},
+		{
+			name: "SSH key data is not empty",
+			git: PipedGit{
+				SSHKeyData: "sshkey2",
+			},
+			err: nil,
+		},
+		{
+			name: "SSH key file is not empty",
+			git: PipedGit{
+				SSHKeyFile: "sshkey2",
+			},
+			err: nil,
+		},
+		{
+			name: "Both SSH file and data is not empty",
+			git: PipedGit{
+				SSHKeyData: "sshkeydata",
+				SSHKeyFile: "sshkeyfile",
+			},
+			err: errors.New("only either sshKeyFile or sshKeyData can be set"),
+		},
+		{
+			name: "Password is valid",
+			git: PipedGit{
+				Username: "Username",
+				Password: "Password",
+			},
+			err: nil,
+		},
+		{
+			name: "Username is empty",
+			git: PipedGit{
+				Username: "",
+				Password: "Password",
+			},
+			err: errors.New("both username and password must be set"),
+		},
+		{
+			name: "Git config is empty",
+			git:  PipedGit{},
+			err:  nil,
+		},
+	}
+	for _, tc := range testcases {
+		tc := tc
+		t.Run(tc.git.SSHKeyData, func(t *testing.T) {
+			t.Parallel()
+			err := tc.git.Validate()
+			assert.Equal(t, tc.err, err)
+		})
+	}
+}