Fix #358 Add support for passphrase protected private key files. (#359)

Signed-off-by: Jamie Pate <jpate@fortinet.com>
concourse · May 13, 2021 · e29d794 · e29d794
1 parent 61d45dd
commit e29d794
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,9 @@ Tracks the commits in a [git](http://git-scm.com/) repository.
       -----END RSA PRIVATE KEY-----
     ```
 
-* `private_key_user`: *Optional.* Enables setting User in the ssh config
+* `private_key_user`: *Optional.* Enables setting User in the ssh config.
+
+* `private_key_passphrase`: *Optional.* To unlock `private_key` if it is protected by a passphrase.
 
 * `forward_agent`: *Optional* Enables ForwardAgent SSH option when set to true. Useful when using proxy/jump hosts. Defaults to false.
 

diff --git a/assets/askpass.sh b/assets/askpass.sh
@@ -1,3 +1,6 @@
 #!/bin/bash
-echo "Private keys with passphrases are not supported." >&2
-exit 1
+if [ -z "$GIT_SSH_PRIVATE_KEY_PASS" ]; then
+    echo "Private key has a passphrase but private_key_passphrase has not been set." >&2
+    exit 1
+fi
+echo "$GIT_SSH_PRIVATE_KEY_PASS"
diff --git a/assets/common.sh b/assets/common.sh
@@ -5,6 +5,7 @@ load_pubkey() {
   local private_key_path=$TMPDIR/git-resource-private-key
   local private_key_user=$(jq -r '.source.private_key_user // empty' < $1)
   local forward_agent=$(jq -r '.source.forward_agent // false' < $1)
+  local passphrase="$(jq -r '.source.private_key_passphrase // empty' < $1)"
 
   (jq -r '.source.private_key // empty' < $1) > $private_key_path
 
@@ -13,8 +14,7 @@ load_pubkey() {
 
     eval $(ssh-agent) >/dev/null 2>&1
     trap "kill $SSH_AGENT_PID" EXIT
-
-    SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh DISPLAY= ssh-add $private_key_path >/dev/null
+    SSH_ASKPASS_REQUIRE=force SSH_ASKPASS=$(dirname $0)/askpass.sh GIT_SSH_PRIVATE_KEY_PASS="$passphrase" DISPLAY= ssh-add $private_key_path >/dev/null
 
     mkdir -p ~/.ssh
     cat > ~/.ssh/config <<EOF

diff --git a/test/check.sh b/test/check.sh
@@ -26,7 +26,7 @@ it_can_check_from_head_only_fetching_single_branch() {
   ! git -C $cachedir rev-parse origin/bogus
 }
 
-it_fails_if_key_has_password() {
+it_fails_if_key_has_password_not_provided() {
   local repo=$(init_repo)
   local ref=$(make_commit $repo)
 
@@ -39,9 +39,22 @@ it_fails_if_key_has_password() {
     return 1
   fi
 
-  grep "Private keys with passphrases are not supported." $failed_output
+  grep "Private key has a passphrase but private_key_passphrase has not been set." $failed_output
 }
 
+it_can_unlock_key_with_password() {
+  local repo=$(init_repo)
+  local ref=$(make_commit $repo)
+  local passphrase='some passphrase with spaces!'
+
+  local key=$TMPDIR/key-with-passphrase
+  ssh-keygen -f $key -N "$passphrase"
+
+  local failed_output=$TMPDIR/failed-output
+  check_uri_with_key_and_passphrase $repo $key "$passphrase" 2>$failed_output
+}
+
+
 it_configures_forward_agent() {
   local repo=$(init_repo)
   local key=$TMPDIR/key-no-passphrase
@@ -956,7 +969,8 @@ run it_skips_excluded_commits_conventional
 run it_skips_non_included_commits
 run it_skips_non_included_and_excluded_commits
 run it_does_not_skip_marked_commits_when_disable_skip_configured
-run it_fails_if_key_has_password
+run it_fails_if_key_has_password_not_provided
+run it_can_unlock_key_with_password
 run it_configures_forward_agent
 run it_skips_forward_agent_configuration
 run it_can_check_with_credentials

diff --git a/test/helpers.sh b/test/helpers.sh
@@ -298,6 +298,16 @@ check_uri_with_key() {
   }" | ${resource_dir}/check | tee /dev/stderr
 }
 
+check_uri_with_key_and_passphrase() {
+  jq -n "{
+    source: {
+      uri: $(echo $1 | jq -R .),
+      private_key: $(cat $2 | jq -s -R .),
+      private_key_passphrase: $(echo $3 | jq -R .)
+    }
+  }" | ${resource_dir}/check | tee /dev/stderr
+}
+
 check_uri_with_credentials() {
   jq -n "{
     source: {