From efb851ae6ab42b9aa49764dd1c53b4846852d6cc Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Fri, 29 May 2020 12:46:21 +0200
Subject: [PATCH] feat: write git private key (#6321)
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
---
docs/usage/self-hosted-configuration.md | 9 +++++
lib/config/common.ts | 1 +
lib/constants/error-messages.ts | 1 +
lib/platform/bitbucket-server/index.ts | 2 --
lib/platform/common.ts | 1 -
lib/platform/git/private-key.spec.ts | 35 +++++++++++++++++++
lib/platform/git/private-key.ts | 45 +++++++++++++++++++++++++
lib/platform/git/storage.ts | 16 ++++-----
lib/platform/gitea/index.ts | 3 --
lib/platform/github/index.ts | 2 --
lib/platform/github/types.ts | 1 -
lib/platform/gitlab/index.ts | 3 --
lib/platform/index.ts | 2 ++
lib/workers/repository/init/apis.ts | 1 -
14 files changed, 100 insertions(+), 22 deletions(-)
create mode 100644 lib/platform/git/private-key.spec.ts
create mode 100644 lib/platform/git/private-key.ts
diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
index b45d28f04a..36b803d423 100644
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@@ -77,6 +77,15 @@ RFC5322-compliant string if you wish to customise the git author for commits.
## gitPrivateKey
+This should be an armored private key, e.g. the type you get from running `gpg --export-secret-keys --armor 92066A17F0D1707B4E96863955FEF5171C45FAE5 > private.key`. Replace the newlines with `\n` before adding the resulting single-line value to your bot's config.
+
+It will be loaded _lazily_. Before the first commit in a repository, Renovate will:
+
+- First, run `gpg import` if it hasn't been run before
+- Then, run `git config user.signingkey` and `git config commit.gpgsign true`
+
+The `git` commands are run locally in the cloned repo instead of globally to reduce the chance of causing unintended consequences with global git configs on shared systems.
+
## logContext
`logContext` is included with each log entry only if `logFormat="json"` - it is not included in the pretty log output. If left as default (null), a random short ID will be selected.
diff --git a/lib/config/common.ts b/lib/config/common.ts
index 4be8e8a8b3..2401e793ce 100644
--- a/lib/config/common.ts
+++ b/lib/config/common.ts
@@ -92,6 +92,7 @@ export interface RenovateAdminConfig {
requireConfig?: boolean;
trustLevel?: 'low' | 'high';
redisUrl?: string;
+ gitPrivateKey?: string;
}
export type PostUpgradeTasks = {
diff --git a/lib/constants/error-messages.ts b/lib/constants/error-messages.ts
index d477d8da0d..b1bb53ef6d 100644
--- a/lib/constants/error-messages.ts
+++ b/lib/constants/error-messages.ts
@@ -6,6 +6,7 @@ export const SYSTEM_INSUFFICIENT_MEMORY = 'out-of-memory';
export const PLATFORM_AUTHENTICATION_ERROR = 'authentication-error';
export const PLATFORM_BAD_CREDENTIALS = 'bad-credentials';
export const PLATFORM_FAILURE = 'platform-failure';
+export const PLATFORM_GPG_FAILED = 'gpg-failed';
export const PLATFORM_INTEGRATION_UNAUTHORIZED = 'integration-unauthorized';
export const PLATFORM_NOT_FOUND = 'platform-not-found';
export const PLATFORM_RATE_LIMIT_EXCEEDED = 'rate-limit-exceeded';
diff --git a/lib/platform/bitbucket-server/index.ts b/lib/platform/bitbucket-server/index.ts
index d9990be694..1147ab5d03 100644
--- a/lib/platform/bitbucket-server/index.ts
+++ b/lib/platform/bitbucket-server/index.ts
@@ -112,7 +112,6 @@ export function cleanRepo(): Promise<void> {
// Initialize GitLab by getting base branch
export async function initRepo({
repository,
- gitPrivateKey,
localDir,
optimizeForDisabled,
bbUseDefaultReviewers,
@@ -161,7 +160,6 @@ export async function initRepo({
config = {
projectKey,
repositorySlug,
- gitPrivateKey,
repository,
prVersions: new Map<number, number>(),
username: opts.username,
diff --git a/lib/platform/common.ts b/lib/platform/common.ts
index 77ba0ff104..bea0d28640 100644
--- a/lib/platform/common.ts
+++ b/lib/platform/common.ts
@@ -85,7 +85,6 @@ export interface RepoConfig {
export interface RepoParams {
azureWorkItemId?: number; // shouldn't this be configurable within a renovate.json?
bbUseDefaultReviewers?: boolean; // shouldn't this be configurable within a renovate.json?
- gitPrivateKey?: string;
localDir: string;
optimizeForDisabled: boolean;
repository: string;
diff --git a/lib/platform/git/private-key.spec.ts b/lib/platform/git/private-key.spec.ts
new file mode 100644
index 0000000000..7a8cdf6335
--- /dev/null
+++ b/lib/platform/git/private-key.spec.ts
@@ -0,0 +1,35 @@
+import { getName, mocked } from '../../../test/util';
+import * as exec_ from '../../util/exec';
+import { setPrivateKey, writePrivateKey } from './private-key';
+
+jest.mock('fs-extra');
+jest.mock('../../util/exec');
+
+const exec = mocked(exec_);
+
+describe(getName(__filename), () => {
+ describe('writePrivateKey()', () => {
+ it('returns if no private key', async () => {
+ await expect(writePrivateKey('/tmp/some-repo')).resolves.not.toThrow();
+ });
+ it('throws error if failing', async () => {
+ setPrivateKey('some-key');
+ exec.exec.mockResolvedValueOnce({
+ stderr: `something wrong`,
+ stdout: '',
+ });
+ await expect(writePrivateKey('/tmp/some-repo')).rejects.toThrow();
+ });
+ it('imports the private key', async () => {
+ setPrivateKey('some-key');
+ exec.exec.mockResolvedValueOnce({
+ stderr: `gpg: key BADC0FFEE: secret key imported\nfoo\n`,
+ stdout: '',
+ });
+ await expect(writePrivateKey('/tmp/some-repo')).resolves.not.toThrow();
+ });
+ it('does not import the key again', async () => {
+ await expect(writePrivateKey('/tmp/some-repo')).resolves.not.toThrow();
+ });
+ });
+});
diff --git a/lib/platform/git/private-key.ts b/lib/platform/git/private-key.ts
new file mode 100644
index 0000000000..680134f4b5
--- /dev/null
+++ b/lib/platform/git/private-key.ts
@@ -0,0 +1,45 @@
+import os from 'os';
+import path from 'path';
+import fs from 'fs-extra';
+import { PLATFORM_GPG_FAILED } from '../../constants/error-messages';
+import { logger } from '../../logger';
+import { exec } from '../../util/exec';
+
+let gitPrivateKey: string;
+let keyId: string;
+
+export function setPrivateKey(key: string): void {
+ gitPrivateKey = key;
+}
+
+async function importKey(): Promise<void> {
+ if (keyId) {
+ return;
+ }
+ const keyFileName = path.join(os.tmpdir() + '/git-private.key');
+ await fs.outputFile(keyFileName, gitPrivateKey);
+ const { stdout, stderr } = await exec(`gpg --import ${keyFileName}`);
+ logger.debug({ stdout, stderr }, 'Private key import result');
+ keyId = (stdout + stderr)
+ .split('\n')
+ .find((line) => line.includes('secret key imported'))
+ .replace('gpg: key ', '')
+ .split(':')
+ .shift();
+ await fs.remove(keyFileName);
+}
+
+export async function writePrivateKey(cwd: string): Promise<void> {
+ if (!gitPrivateKey) {
+ return;
+ }
+ logger.debug('Setting git private key');
+ try {
+ await importKey();
+ await exec(`git config user.signingkey ${keyId}`, { cwd });
+ await exec(`git config commit.gpgsign true`, { cwd });
+ } catch (err) {
+ logger.warn({ err }, 'Error writing git private key');
+ throw new Error(PLATFORM_GPG_FAILED);
+ }
+}
diff --git a/lib/platform/git/storage.ts b/lib/platform/git/storage.ts
index b3253f1b3e..a94eede648 100644
--- a/lib/platform/git/storage.ts
+++ b/lib/platform/git/storage.ts
@@ -13,6 +13,7 @@ import {
import { logger } from '../../logger';
import * as limits from '../../workers/global/limits';
import { CommitFilesConfig } from '../common';
+import { writePrivateKey } from './private-key';
declare module 'fs-extra' {
export function exists(pathLike: string): Promise<boolean>;
@@ -24,7 +25,6 @@ interface StorageConfig {
localDir: string;
baseBranch?: string;
url: string;
- gitPrivateKey?: string;
extraCloneOpts?: Git.Options;
}
@@ -84,6 +84,8 @@ export class Storage {
private _cwd: string | undefined;
+ private _privateKeySet = false;
+
private async _resetToBranch(branchName: string): Promise<void> {
logger.debug(`resetToBranch(${branchName})`);
await this._git.raw(['reset', '--hard']);
@@ -196,14 +198,6 @@ export class Storage {
}
logger.warn({ err }, 'Cannot retrieve latest commit date');
}
- // istanbul ignore if
- if (config.gitPrivateKey) {
- logger.debug('Git private key configured, but not being set');
- } else {
- logger.debug('No git private key present - commits will be unsigned');
- await this._git.raw(['config', 'commit.gpgsign', 'false']);
- }
-
if (global.gitAuthor) {
logger.debug({ gitAuthor: global.gitAuthor }, 'Setting git author');
try {
@@ -470,6 +464,10 @@ export class Storage {
message,
}: CommitFilesConfig): Promise<string | null> {
logger.debug(`Committing files to branch ${branchName}`);
+ if (!this._privateKeySet) {
+ await writePrivateKey(this._cwd);
+ this._privateKeySet = true;
+ }
try {
await this._git.reset('hard');
await this._git.raw(['clean', '-fd']);
diff --git a/lib/platform/gitea/index.ts b/lib/platform/gitea/index.ts
index f470d407c7..520e01636d 100644
--- a/lib/platform/gitea/index.ts
+++ b/lib/platform/gitea/index.ts
@@ -45,7 +45,6 @@ type GiteaRenovateConfig = {
interface GiteaRepoConfig {
storage: GitStorage;
- gitPrivateKey?: string;
repository: string;
localDir: string;
defaultBranch: string;
@@ -248,7 +247,6 @@ const platform: Platform = {
async initRepo({
repository,
- gitPrivateKey,
localDir,
optimizeForDisabled,
}: RepoParams): Promise<RepoConfig> {
@@ -257,7 +255,6 @@ const platform: Platform = {
config = {} as any;
config.repository = repository;
- config.gitPrivateKey = gitPrivateKey;
config.localDir = localDir;
// Attempt to fetch information about repository
diff --git a/lib/platform/github/index.ts b/lib/platform/github/index.ts
index adf62069eb..a03c648cc5 100644
--- a/lib/platform/github/index.ts
+++ b/lib/platform/github/index.ts
@@ -204,7 +204,6 @@ export async function initRepo({
repository,
forkMode,
forkToken,
- gitPrivateKey,
localDir,
includeForks,
renovateUsername,
@@ -229,7 +228,6 @@ export async function initRepo({
config.localDir = localDir;
config.repository = repository;
[config.repositoryOwner, config.repositoryName] = repository.split('/');
- config.gitPrivateKey = gitPrivateKey;
let res;
try {
res = await githubApi.getJson<{ fork: boolean }>(`repos/${repository}`);
diff --git a/lib/platform/github/types.ts b/lib/platform/github/types.ts
index a4f6ea91b6..1dad39f300 100644
--- a/lib/platform/github/types.ts
+++ b/lib/platform/github/types.ts
@@ -43,7 +43,6 @@ export interface LocalRepoConfig {
baseBranch: string;
defaultBranch: string;
enterpriseVersion: string;
- gitPrivateKey?: string;
repositoryOwner: string;
repository: string | null;
localDir: string;
diff --git a/lib/platform/gitlab/index.ts b/lib/platform/gitlab/index.ts
index 486dc278d6..a22c27afcd 100644
--- a/lib/platform/gitlab/index.ts
+++ b/lib/platform/gitlab/index.ts
@@ -47,7 +47,6 @@ type MergeMethod = 'merge' | 'rebase_merge' | 'ff';
const defaultConfigFile = configFileNames[0];
let config: {
storage: GitStorage;
- gitPrivateKey?: string;
repository: string;
localDir: string;
defaultBranch: string;
@@ -140,13 +139,11 @@ export function cleanRepo(): Promise<void> {
// Initialize GitLab by getting base branch
export async function initRepo({
repository,
- gitPrivateKey,
localDir,
optimizeForDisabled,
}: RepoParams): Promise<RepoConfig> {
config = {} as any;
config.repository = urlEscape(repository);
- config.gitPrivateKey = gitPrivateKey;
config.localDir = localDir;
type RepoResponse = {
diff --git a/lib/platform/index.ts b/lib/platform/index.ts
index ff4dec6229..531be8c536 100644
--- a/lib/platform/index.ts
+++ b/lib/platform/index.ts
@@ -6,6 +6,7 @@ import { logger } from '../logger';
import * as hostRules from '../util/host-rules';
import platforms from './api.generated';
import { Platform } from './common';
+import { setPrivateKey } from './git/private-key';
export * from './common';
@@ -39,6 +40,7 @@ export function setPlatformApi(name: string): void {
export async function initPlatform(
config: RenovateConfig
): Promise<RenovateConfig> {
+ setPrivateKey(config.gitPrivateKey);
setPlatformApi(config.platform);
// TODO: types
const platformInfo = await platform.initPlatform(config);
diff --git a/lib/workers/repository/init/apis.ts b/lib/workers/repository/init/apis.ts
index 5268255400..497474c5cf 100644
--- a/lib/workers/repository/init/apis.ts
+++ b/lib/workers/repository/init/apis.ts
@@ -26,6 +26,5 @@ export async function initApis(
config = await getPlatformConfig(config as never);
npmApi.resetMemCache();
npmApi.setNpmrc(config.npmrc);
- delete config.gitPrivateKey;
return config;
}
--
GitLab