Fix auth issues with FF_GIT_URLS_WITHOUT_TOKENS: 1

What does this MR do?

  • ensures the new cred helper is correctly used for submodules
  • fixes the cred helper on Windows
  • circumvents a caching issue when git-credential-manager is at play

Why was this MR needed?

Pulling submodules from private repos fails. The cred helper was set up for the repo only, and therefore was not considered when pulling in the submodules. The helper is now externalized, and included in the mother repo, and explicitly included for submodule operations.

On Windows, when the cred helper was called with "erase", PowerShell made it fall back to the "erase" built-in (an alias for "Remove-Item"). This has changed: the cred helper now only implements "get", all other commands (also unknown ones) are no-ops.

Then, when git-credential-manager (or any other credential helper which caches creds) is at play, which it is on e.g. default wingit installations, GCM caches creds. That means that e.g. when using the shell executor on Windows, the cached creds might be CI_JOB_TOKEN from a previous run, which then is not valid anymore, and fails the build. Therefore we try to prune those creds before we pull repos.

What's the best way to test this MR?

  • run against a repo with submodules, which need auth

  • run the shell executor on Windows

    config.toml:

    listen_address = ":9252"
    concurrent = 3
    check_interval = 1
    log_level = "debug"
    shutdown_timeout = 0
    [session_server]
      session_timeout = 1800
    [[runners]]
      name = "dm"
      limit = 3
      url = "https://gitlab.com/"
      id = 0
      token = "glrt-NOPENOPE"
      token_obtained_at = 0001-01-01T00:00:00Z
      token_expires_at = 0001-01-01T00:00:00Z
      executor = "shell"
      shell = "pwsh"

    .gitlab-ci.yaml:

    stages:
    - test
    
    variables:
      # DOCKER_HOST: tcp://docker:2376
      # DOCKER_TLS_CERTDIR: "/certs"
      # DOCKER_TLS_VERIFY: 1
      # DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
      GIT_TRACE: 1
      GIT_CURL_VERBOSE: 1
      GIT_TRANSFER_TRACE: 1
    
      FF_GIT_URLS_WITHOUT_TOKENS: 1
    
      GIT_SUBMODULE_STRATEGY: recursive
      GIT_SUBMODULE_DEPTH: 10
      GIT_SUBMODULE_FORCE_HTTPS: 1
    
      CI_DEBUG_TRACE: 1
    
    default:
      image: docker
    
    Test:
      stage: test
      retry:
        max: 2
        when: runner_system_failure
      hooks:
        pre_get_sources_script: |
            git config --show-origin -l
      script:
        - |
          git config --show-origin -l

  • run the same job multiple times in a row

  • see that:

    • pulling in the submodules works
    • git calls the cred helper successfully
    • the job token is nowhere to be found in the git config or on git calls

What are the relevant issue numbers?

closes: #38268 (closed)

Edited by Hannes Hörl
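
The "get"-only credential helper behaviour described in this merge request, as an added example in POSIX shell; it is not the runner's own helper. The `gitlab-ci-token` username, the `HELPER_HOST` variable and the host check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not GitLab Runner's helper: a "get"-only git credential helper.
# Assumptions: token comes from CI_JOB_TOKEN, username is "gitlab-ci-token",
# and HELPER_HOST (hypothetical variable) is the only host that gets an answer.

cred_helper() {
    # git appends the operation name (get, store, erase) to the helper
    # command; here it is taken as the first argument. Anything other than
    # "get" is a no-op that prints nothing, so no shell built-in or alias
    # can be reached through an unhandled operation name.
    case "${1:-}" in
        get) ;;
        *) return 0 ;;
    esac

    host=""
    # The request arrives on stdin as key=value lines, ended by a blank line.
    while IFS='=' read -r key value; do
        if [ -z "$key" ]; then
            break
        fi
        if [ "$key" = "host" ]; then
            host="$value"
        fi
    done

    # Never hand the token to a host other than the expected one.
    if [ "$host" != "${HELPER_HOST:-gitlab.com}" ]; then
        return 0
    fi
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        return 0
    fi

    printf 'username=%s\n' "gitlab-ci-token"
    printf 'password=%s\n' "$CI_JOB_TOKEN"
}

# When installed as a helper script, dispatch on the arguments git supplies.
if [ "$#" -gt 0 ]; then
    cred_helper "$@"
fi
```

Because the token is read from the environment at call time, nothing is written to the git config, which matches the "job token is nowhere to be found in the git config" check in the test steps.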
