fix: Use CredsStore for GoogleCloudCreds (argoproj#12391)

david-becher · pull[bot] · commit dbf64fa0fad8 · 2023-09-06T12:15:48.000Z
git-ask-pass.sh is no longer supported for credentials

Signed-off-by: David Becher &lt;becher.david@googlemail.com&gt;
diff --git a/pkg/apis/application/v1alpha1/repository_types.go b/pkg/apis/application/v1alpha1/repository_types.go
@@ -202,7 +202,7 @@ func (repo *Repository) GetGitCreds(store git.CredsStore) git.Creds {
 		return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.Repo, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, store)
 	}
 	if repo.GCPServiceAccountKey != "" {
-		return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey)
+		return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey, store)
 	}
 	return git.NopCreds{}
 }
diff --git a/util/git/creds.go b/util/git/creds.go
@@ -456,15 +456,16 @@ func (g GitHubAppCreds) GetClientCertKey() string {
 // GoogleCloudCreds to authenticate to Google Cloud Source repositories
 type GoogleCloudCreds struct {
 	creds *google.Credentials
+	store CredsStore
 }
 
-func NewGoogleCloudCreds(jsonData string) GoogleCloudCreds {
+func NewGoogleCloudCreds(jsonData string, store CredsStore) GoogleCloudCreds {
 	creds, err := google.CredentialsFromJSON(context.Background(), []byte(jsonData), "https://www.googleapis.com/auth/cloud-platform")
 	if err != nil {
 		// Invalid JSON
 		log.Errorf("Failed reading credentials from JSON: %+v", err)
 	}
-	return GoogleCloudCreds{creds}
+	return GoogleCloudCreds{creds, store}
 }
 
 func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {
@@ -477,9 +478,13 @@ func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {
 		return NopCloser{}, nil, fmt.Errorf("failed to get access token from creds: %w", err)
 	}
 
-	env := []string{fmt.Sprintf("GIT_ASKPASS=%s", "git-ask-pass.sh"), fmt.Sprintf("GIT_USERNAME=%s", username), fmt.Sprintf("GIT_PASSWORD=%s", token)}
+	nonce := c.store.Add(username, token)
+	env := getGitAskPassEnv(nonce)
 
-	return NopCloser{}, env, nil
+	return argoioutils.NewCloser(func() error {
+		c.store.Remove(nonce)
+		return NopCloser{}.Close()
+	}), env, nil
 }
 
 func (c GoogleCloudCreds) getUsername() (string, error) {
diff --git a/util/git/creds_test.go b/util/git/creds_test.go
@@ -12,11 +12,11 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
 
 	"github.com/argoproj/argo-cd/v2/util/cert"
 	"github.com/argoproj/argo-cd/v2/util/io"
-	"golang.org/x/oauth2"
-	"golang.org/x/oauth2/google"
 )
 
 type cred struct {
@@ -251,12 +251,14 @@ const invalidJSON = `{
 `
 
 func TestNewGoogleCloudCreds(t *testing.T) {
-	googleCloudCreds := NewGoogleCloudCreds(gcpServiceAccountKeyJSON)
+	store := &memoryCredsStore{creds: make(map[string]cred)}
+	googleCloudCreds := NewGoogleCloudCreds(gcpServiceAccountKeyJSON, store)
 	assert.NotNil(t, googleCloudCreds)
 }
 
 func TestNewGoogleCloudCreds_invalidJSON(t *testing.T) {
-	googleCloudCreds := NewGoogleCloudCreds(invalidJSON)
+	store := &memoryCredsStore{creds: make(map[string]cred)}
+	googleCloudCreds := NewGoogleCloudCreds(invalidJSON, store)
 	assert.Nil(t, googleCloudCreds.creds)
 
 	token, err := googleCloudCreds.getAccessToken()
@@ -273,17 +275,25 @@ func TestNewGoogleCloudCreds_invalidJSON(t *testing.T) {
 	assert.NotNil(t, err)
 }
 
-func TestGoogleCloudCreds_Environ(t *testing.T) {
+func TestGoogleCloudCreds_Environ_cleanup(t *testing.T) {
+	store := &memoryCredsStore{creds: make(map[string]cred)}
 	staticToken := &oauth2.Token{AccessToken: "token"}
 	googleCloudCreds := GoogleCloudCreds{&google.Credentials{
 		ProjectID:   "my-google-project",
 		TokenSource: oauth2.StaticTokenSource(staticToken),
 		JSON:        []byte(gcpServiceAccountKeyJSON),
-	}}
+	}, store}
 
 	closer, env, err := googleCloudCreds.Environ()
 	assert.NoError(t, err)
-	defer func() { _ = closer.Close() }()
-
-	assert.Equal(t, []string{"GIT_ASKPASS=git-ask-pass.sh", "GIT_USERNAME=argocd-service-account@my-google-project.iam.gserviceaccount.com", "GIT_PASSWORD=token"}, env)
+	var nonce string
+	for _, envVar := range env {
+		if strings.HasPrefix(envVar, ASKPASS_NONCE_ENV) {
+			nonce = envVar[len(ASKPASS_NONCE_ENV)+1:]
+			break
+		}
+	}
+	assert.Contains(t, store.creds, nonce)
+	io.Close(closer)
+	assert.NotContains(t, store.creds, nonce)
 }

Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ func (repo *Repository) GetGitCreds(store git.CredsStore) git.Creds {`
`202`	`202`	`return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.Repo, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, store)`
`203`	`203`	`}`
`204`	`204`	`if repo.GCPServiceAccountKey != "" {`
`205`		`- return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey)`
	`205`	`+ return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey, store)`
`206`	`206`	`}`
`207`	`207`	`return git.NopCreds{}`
`208`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -456,15 +456,16 @@ func (g GitHubAppCreds) GetClientCertKey() string {`
`456`	`456`	`// GoogleCloudCreds to authenticate to Google Cloud Source repositories`
`457`	`457`	`type GoogleCloudCreds struct {`
`458`	`458`	`creds *google.Credentials`
	`459`	`+ store CredsStore`
`459`	`460`	`}`
`460`	`461`
`461`		`-func NewGoogleCloudCreds(jsonData string) GoogleCloudCreds {`
	`462`	`+func NewGoogleCloudCreds(jsonData string, store CredsStore) GoogleCloudCreds {`
`462`	`463`	`creds, err := google.CredentialsFromJSON(context.Background(), []byte(jsonData), "https://www.googleapis.com/auth/cloud-platform")`
`463`	`464`	`if err != nil {`
`464`	`465`	`// Invalid JSON`
`465`	`466`	`log.Errorf("Failed reading credentials from JSON: %+v", err)`
`466`	`467`	`}`
`467`		`- return GoogleCloudCreds{creds}`
	`468`	`+ return GoogleCloudCreds{creds, store}`
`468`	`469`	`}`
`469`	`470`
`470`	`471`	`func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {`
`@@ -477,9 +478,13 @@ func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {`
`477`	`478`	`return NopCloser{}, nil, fmt.Errorf("failed to get access token from creds: %w", err)`
`478`	`479`	`}`
`479`	`480`
`480`		`- env := []string{fmt.Sprintf("GIT_ASKPASS=%s", "git-ask-pass.sh"), fmt.Sprintf("GIT_USERNAME=%s", username), fmt.Sprintf("GIT_PASSWORD=%s", token)}`
	`481`	`+ nonce := c.store.Add(username, token)`
	`482`	`+ env := getGitAskPassEnv(nonce)`
`481`	`483`
`482`		`- return NopCloser{}, env, nil`
	`484`	`+ return argoioutils.NewCloser(func() error {`
	`485`	`+ c.store.Remove(nonce)`
	`486`	`+ return NopCloser{}.Close()`
	`487`	`+ }), env, nil`
`483`	`488`	`}`
`484`	`489`
`485`	`490`	`func (c GoogleCloudCreds) getUsername() (string, error) {`