Added url parameter to submodule_credentials

jpmorin · jpmorin · commit 3b4a09c711d3 · 2022-09-06T09:33:05.000-04:00
Signed-off-by: Jean-Philippe Morin &lt;animationjpm@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -65,29 +65,39 @@ Tracks the commits in a [git](http://git-scm.com/) repository.
   all tags in the repository. If `false` no tags will be fetched.
 
 * `submodule_credentials`: *Optional.* List of credentials for HTTP(s) or SSH auth when pulling git submodules which are not stored in the same git server as the container repository or are protected by a different private key.
-  * http(s) credentials
+  * http(s) credentials:
     * `host` : The host to connect too. Note that `host` is specified with no protocol extensions.
     * `username` : Username for HTTP(S) auth when pulling submodule.
     * `password` : Password for HTTP(S) auth when pulling submodule.
-  * ssh credentials
+  * ssh credentials:
+    * `url` : Submodule url, as specified in the `.gitmodule` file. Support full or relative ssh url.
     * `private_key` : Private key for SSH auth when pulling submodule.
     * `private_key_passphrase` : *Optional.* To unlock `private_key` if it is protected by a passphrase.
-
+  * exemple:
     ```yaml
     submodule_credentials:
-    # http(s) credentials
+      # http(s) credentials
     - host: github.com
       username: git-user
       password: git-password
-    # ssh credentials
-    - private_key: |
+      # ssh credentials
+    - url: git@github.com:org-name/repo-name.git
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIEowIBAAKCAQEAtCS10/f7W7lkQaSgD/mVeaSOvSF9ql4hf/zfMwfVGgHWjj+W
+        <Lots more text>
+        DWiJL+OFeg9kawcUL6hQ8JeXPhlImG6RTUffma9+iGQyyBMCGd1l
+        -----END RSA PRIVATE KEY-----
+      private_key_passphrase: ssh-passphrase # (optionnal)
+      # ssh credentials with relative url
+    - url: ../org-name/repo-name.git
+      private_key: |
         -----BEGIN RSA PRIVATE KEY-----
         MIIEowIBAAKCAQEAtCS10/f7W7lkQaSgD/mVeaSOvSF9ql4hf/zfMwfVGgHWjj+W
         <Lots more text>
         DWiJL+OFeg9kawcUL6hQ8JeXPhlImG6RTUffma9+iGQyyBMCGd1l
         -----END RSA PRIVATE KEY-----
       private_key_passphrase: ssh-passphrase # (optionnal)
-    - <another-configuration>
     ```
 
 * `git_config`: *Optional.* If specified as (list of pairs `name` and `value`)
@@ -303,7 +313,7 @@ the case.
 
 * `.git/commit_message`: For publishing the Git commit message on successful builds.
 
- * `.git/commit_timestamp`: For tagging builds with a timestamp.
+* `.git/commit_timestamp`: For tagging builds with a timestamp.
 
 * `.git/describe_ref`: Version reference detected and checked out. Can be templated with `describe_ref_options` parameter.
  By default, it will contain the `<latest annoted git tag>-<the number of commit since the tag>-g<short_ref>` (eg. `v1.6.2-1-g13dfd7b`).
diff --git a/assets/common.sh b/assets/common.sh
@@ -12,9 +12,10 @@ load_pubkey() {
   if [ -s $private_key_path ]; then
     chmod 0600 $private_key_path
 
-    eval $(ssh-agent) >/dev/null 2>&1
-    trap "kill $SSH_AGENT_PID" EXIT
-    SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path >/dev/null
+    # create or re-initialize ssh-agent
+    init_ssh_agent
+
+    SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path > /dev/null
 
     mkdir -p ~/.ssh
     cat > ~/.ssh/config <<EOF
@@ -35,6 +36,25 @@ EOF
   fi
 }
 
+init_ssh_agent() {
+
+  # validate if ssh-agent exist
+  set +e
+  ssh-add -l &> /dev/null
+  exit_code=$?
+  set -e
+  
+  if [[ ${exit_code} -eq 2 ]]; then
+    # ssh-agent does not exist, create ssh-agent
+    eval $(ssh-agent) > /dev/null 2>&1
+    trap "kill $SSH_AGENT_PID" EXIT
+  else
+    # ssh-agent exist, remove all identities
+    ssh-add -D &> /dev/null
+  fi
+
+}
+
 configure_https_tunnel() {
   tunnel=$(jq -r '.source.https_tunnel // empty' <<< "$1")
 
diff --git a/assets/in b/assets/in
@@ -166,6 +166,7 @@ if [ "$submodules" != "none" ]; then
       sed -e 's/^submodule\.\(.\+\)\.path$/\1/'
   } | while read submodule_name; do
     submodule_path="$(git config --file .gitmodules --get "submodule.${submodule_name}.path")"
+    submodule_url="$(git config --file .gitmodules --get "submodule.${submodule_name}.url")"
 
     if [ "$depth" -gt 0 ]; then
       git config "submodule.${submodule_name}.update" "!$bin_dir/deepen_shallow_clone_until_ref_is_found_then_check_out $depth"
@@ -176,66 +177,34 @@ if [ "$submodules" != "none" ]; then
       continue
     fi
 
-    set +e
-    git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path"
-    code=$?
-    set -e
+    # check for ssh submodule_credentials
+    submodule_cred=$(jq --arg submodule_url "${submodule_url}" '.source.submodule_credentials // [] | [.[] | select(.url==$submodule_url)] | first // empty' <<< ${payload})
 
-    if [[ ${code} -eq 1 ]]; then
+    if [[ -z ${submodule_cred} ]]; then
 
-      credentials=$(jq '.source.submodule_credentials // [] | [.[] | select(has("private_key"))]' <<< ${payload})
-      credentials_length=$(jq 'length' <<< ${credentials})
+      # update normally
+      git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path"
 
-      if [[ ${credentials_length} -gt 0 ]]; then
-
-        echo "Could not read from remote submodule repository with current credentials. Retry with submodule ssh credentials."
-
-        # kill main ssh-agent (if exist)
-        kill $SSH_AGENT_PID > /dev/null || true
-        trap - EXIT
-        
-        for ((i = 0 ; i < ${credentials_length} ; i++)); do
-
-          creds=$(jq --argjson i $i '.[$i]' <<< ${credentials})
-          private_key=$(jq -r '.private_key' <<< ${creds})
-          passphrase=$(jq -r '.private_key_passphrase // empty' <<< ${creds})
-
-          private_key_path="${TMPDIR}/git-resource-submodule-private-key-$i"
-          echo "${private_key}" > ${private_key_path}
-          chmod 0600 ${private_key_path}
-
-          # short-lived ssh-agent
-          eval $(ssh-agent) >/dev/null 2>&1
-          trap "kill $SSH_AGENT_PID" EXIT
-          SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path > /dev/null
-
-          set +e
-          git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path" 2> /dev/null
-          code=$?
-          set -e
+    else
 
-          # kill short-lived ssh-agent
-          ssh-agent -k > /dev/null || true
-          trap - EXIT
+      # create or re-initialize ssh-agent
+      init_ssh_agent
 
-          if [[ ${code} -eq 0 ]]; then
-            break;
-          fi
+      private_key=$(jq -r '.private_key' <<< ${submodule_cred})
+      passphrase=$(jq -r '.private_key_passphrase // empty' <<< ${submodule_cred})
 
-        done
+      private_key_path=$(mktemp -t git-resource-submodule-private-key.XXXXXX)
+      echo "${private_key}" > ${private_key_path}
+      chmod 0600 ${private_key_path}
 
-        # restore main ssh-agent (if needed)
-        load_pubkey "${git_config_payloadd}"
+      # add submodule private_key identity
+      SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path > /dev/null
 
-      fi
+      git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path"
 
-      if [[ ${code} -ne 0 ]]; then
-        echo $'\e[31m'"warning: failed to clone submodule: $submodule_path"$'\e[0m'
-        exit ${code}
-      fi
+      # restore main ssh-agent (if needed)
+      load_pubkey "${payload}"
 
-    elif [[ ${code} -ne 0 ]]; then
-      exit ${code}
     fi
 
     if [ "$depth" -gt 0 ]; then
