ssh support for submodule

jpmorin · jpmorin · commit 73c01ed1fb8b · 2022-09-06T09:33:05.000-04:00
Signed-off-by: Jean-Philippe Morin &lt;animationjpm@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -64,19 +64,32 @@ Tracks the commits in a [git](http://git-scm.com/) repository.
 * `fetch_tags`: *Optional.* If `true` the flag `--tags` will be used to fetch
   all tags in the repository. If `false` no tags will be fetched.
 
-* `submodule_credentials`: *Optional.* List of credentials for HTTP(s) auth when pulling/pushing private git submodules which are not stored in the same git server as the container repository.
-    Example:
+* `submodule_credentials`: *Optional.* List of credentials for HTTP(s) or SSH auth when pulling git submodules which are not stored in the same git server as the container repository or are protected by a different private key.
+  * http(s) credentials
+    * `host` : The host to connect too. Note that `host` is specified with no protocol extensions.
+    * `username` : Username for HTTP(S) auth when pulling submodule.
+    * `password` : Password for HTTP(S) auth when pulling submodule.
+  * ssh credentials
+    * `private_key` : Private key for SSH auth when pulling submodule.
+    * `private_key_passphrase` : *Optional.* To unlock `private_key` if it is protected by a passphrase.
 
-    ```
+    ```yaml
     submodule_credentials:
+    # http(s) credentials
     - host: github.com
       username: git-user
       password: git-password
+    # ssh credentials
+    - private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIEowIBAAKCAQEAtCS10/f7W7lkQaSgD/mVeaSOvSF9ql4hf/zfMwfVGgHWjj+W
+        <Lots more text>
+        DWiJL+OFeg9kawcUL6hQ8JeXPhlImG6RTUffma9+iGQyyBMCGd1l
+        -----END RSA PRIVATE KEY-----
+      private_key_passphrase: ssh-passphrase # (optionnal)
     - <another-configuration>
     ```
 
-    Note that `host` is specified with no protocol extensions.
-
 * `git_config`: *Optional.* If specified as (list of pairs `name` and `value`)
   it will configure git global options, setting each name with each value.
 
diff --git a/assets/in b/assets/in
@@ -176,7 +176,67 @@ if [ "$submodules" != "none" ]; then
       continue
     fi
 
+    set +e
     git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path"
+    code=$?
+    set -e
+
+    if [[ ${code} -eq 1 ]]; then
+
+      credentials=$(jq '.source.submodule_credentials // [] | [.[] | select(has("private_key"))]' <<< ${payload})
+      credentials_length=$(jq 'length' <<< ${credentials})
+
+      if [[ ${credentials_length} -gt 0 ]]; then
+
+        echo "Could not read from remote submodule repository with current credentials. Retry with submodule ssh credentials."
+
+        # kill main ssh-agent (if exist)
+        kill $SSH_AGENT_PID > /dev/null || true
+        trap - EXIT
+        
+        for ((i = 0 ; i < ${credentials_length} ; i++)); do
+
+          creds=$(jq --argjson i $i '.[$i]' <<< ${credentials})
+          private_key=$(jq -r '.private_key' <<< ${creds})
+          passphrase=$(jq -r '.private_key_passphrase // empty' <<< ${creds})
+
+          private_key_path="${TMPDIR}/git-resource-submodule-private-key-$i"
+          echo "${private_key}" > ${private_key_path}
+          chmod 0600 ${private_key_path}
+
+          # short-lived ssh-agent
+          eval $(ssh-agent) >/dev/null 2>&1
+          trap "kill $SSH_AGENT_PID" EXIT
+          SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path > /dev/null
+
+          set +e
+          git submodule update --init --no-fetch $depthflag $submodule_parameters "$submodule_path" 2> /dev/null
+          code=$?
+          set -e
+
+          # kill short-lived ssh-agent
+          ssh-agent -k > /dev/null || true
+          trap - EXIT
+
+          if [[ ${code} -eq 0 ]]; then
+            break;
+          fi
+
+        done
+
+        # restore main ssh-agent (if needed)
+        load_pubkey "${git_config_payloadd}"
+
+      fi
+
+      if [[ ${code} -ne 0 ]]; then
+        echo $'\e[31m'"warning: failed to clone submodule: $submodule_path"$'\e[0m'
+        exit ${code}
+      fi
+
+    elif [[ ${code} -ne 0 ]]; then
+      exit ${code}
+    fi
 
     if [ "$depth" -gt 0 ]; then
       git config --unset "submodule.${submodule_name}.update"
