follow proxy settings

5 years ago · 2285ac189f
parent 090d9c9dfd
commit 2285ac189f
6 changed files with 1845 additions and 787 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -83,7 +83,7 @@ jobs:
        shell: bash
        run: __test__/verify-lfs.sh

-  test-job-container:
+  test-rest-api:
    runs-on: ubuntu-latest
    container: alpine:latest
    steps:
@ -99,3 +99,42 @@ jobs:
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh --archive
+
+  test-proxy:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine/git:latest
+      options: --dns 127.0.0.1
+    services:
+      squid-proxy:
+        image: datadog/squid:latest
+        ports:
+          - 3128:3128
+    env:
+      https_proxy: http://squid-proxy:3128
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@users/ericsciple/m165proxy # todo: switch to v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+      - name: Remove basic
+        run: rm -rf basic
+
+      # Basic checkout using REST API
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
--- a/test/override-git-version.sh
+++ b/test/override-git-version.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir override-git-version
+cd override-git-version
+echo "#!/bin/sh" > git
+echo "echo override git version 1.2.3" >> git
+chmod +x git
+echo "::add-path::$(pwd)"
+cd ..
--- a/dist/index.js
+++ b/dist/index.js
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.2",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
@ -15,14 +15,30 @@
      "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
    },
    "@actions/github": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.0.0.tgz",
-      "integrity": "sha512-sNpZ5dJyJyfJIO5lNYx8r/Gha4Tlm8R0MLO2cBkGdOnAAEn3t1M/MHVcoBhY/VPfjGVe5RNAUPz+6INrViiUPA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz",
+      "integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==",
      "requires": {
+        "@actions/http-client": "^1.0.3",
        "@octokit/graphql": "^4.3.1",
        "@octokit/rest": "^16.15.0"
      }
    },
+    "@actions/http-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
+      "integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
+      "requires": {
+        "tunnel": "0.0.6"
+      },
+      "dependencies": {
+        "tunnel": {
+          "version": "0.0.6",
+          "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+          "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+        }
+      }
+    },
    "@actions/io": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz",
@ -597,6 +613,14 @@
        "@types/yargs": "^13.0.0"
      }
    },
+    "@octokit/auth-token": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.4.0.tgz",
+      "integrity": "sha512-eoOVMjILna7FVQf96iWc3+ZtE/ZT6y8ob8ZzcqKY1ibSQCnu4O/B7pJvzMx5cyZ/RjAff6DAdEb0O0Cjcxidkg==",
+      "requires": {
+        "@octokit/types": "^2.0.0"
+      }
+    },
    "@octokit/endpoint": {
      "version": "5.5.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
@ -643,10 +667,11 @@
      }
    },
    "@octokit/rest": {
-      "version": "16.35.0",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.35.0.tgz",
-      "integrity": "sha512-9ShFqYWo0CLoGYhA1FdtdykJuMzS/9H6vSbbQWDX4pWr4p9v+15MsH/wpd/3fIU+tSxylaNO48+PIHqOkBRx3w==",
+      "version": "16.38.1",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz",
+      "integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==",
      "requires": {
+        "@octokit/auth-token": "^2.4.0",
        "@octokit/request": "^5.2.0",
        "@octokit/request-error": "^1.0.2",
        "atob-lite": "^2.0.0",
@ -662,9 +687,9 @@
      }
    },
    "@octokit/types": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.0.2.tgz",
-      "integrity": "sha512-StASIL2lgT3TRjxv17z9pAqbnI7HGu9DrJlg3sEBFfCLaMEqp+O3IQPUF6EZtQ4xkAu2ml6kMBBCtGxjvmtmuQ==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz",
+      "integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==",
      "requires": {
        "@types/node": ">= 8"
      }
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "checkout",
-  "version": "2.0.1",
+  "version": "2.0.2",
  "description": "checkout action",
  "main": "lib/main.js",
  "scripts": {
@ -31,7 +31,8 @@
  "dependencies": {
    "@actions/core": "^1.1.3",
    "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.0.0",
+    "@actions/github": "^2.0.2",
+    "@actions/http-client": "^1.0.3",
    "@actions/io": "^1.0.1",
    "@actions/tool-cache": "^1.1.2",
    "uuid": "^3.3.3"
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -3,13 +3,17 @@ import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
 import * as githubApiHelper from './github-api-helper'
+import * as httpClient from '@actions/http-client'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
+import * as url from 'url'
 import {IGitCommandManager} from './git-command-manager'

-const authConfigKey = `http.https://github.com/.extraheader`
+const serverUrl = 'https://github.com/'
+const authConfigKey = `http.${serverUrl}.extraheader`
+const proxyConfigKey = `http.${serverUrl}.proxy`

 export interface ISourceSettings {
  repositoryPath: string
@ -91,11 +95,13 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
      )
    }

-    // Remove possible previous extraheader
+    // Remove possible previous proxy and extraheader
+    await removeGitConfig(git, proxyConfigKey)
    await removeGitConfig(git, authConfigKey)

    try {
-      // Config auth token
+      // Config proxy and extraheader
+      await configureProxy(git)
      await configureAuthToken(git, settings.authToken)

      // LFS install
@ -128,6 +134,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
      await git.log1()
    } finally {
      if (!settings.persistCredentials) {
+        await removeGitConfig(git, proxyConfigKey)
        await removeGitConfig(git, authConfigKey)
      }
    }
@ -136,16 +143,22 @@ export async function getSource(settings: ISourceSettings): Promise<void> {

 export async function cleanup(repositoryPath: string): Promise<void> {
  // Repo exists?
-  if (!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))) {
+  if (
+    !repositoryPath ||
+    !fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))
+  ) {
    return
  }
-  fsHelper.directoryExistsSync(repositoryPath, true)

-  // Remove the config key
-  const git = await gitCommandManager.CreateCommandManager(
-    repositoryPath,
-    false
-  )
+  // Remove proxy and extraheader
+  let git: IGitCommandManager
+  try {
+    git = await gitCommandManager.CreateCommandManager(repositoryPath, false)
+  } catch {
+    return
+  }
+
+  await removeGitConfig(git, proxyConfigKey)
  await removeGitConfig(git, authConfigKey)
 }

@ -255,6 +268,34 @@ async function prepareExistingDirectory(
  }
 }

+async function configureProxy(git: IGitCommandManager): Promise<void> {
+  const proxyUrl = httpClient.getProxyUrl(serverUrl)
+  const parsedUrl = url.parse(proxyUrl)
+  const placeholder = parsedUrl.auth
+    ? proxyUrl.replace(parsedUrl.auth, '***')
+    : ''
+
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  await git.config(proxyConfigKey, placeholder || proxyUrl)
+
+  if (placeholder) {
+    // Replace the value in the config file
+    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+    let content = (await fs.promises.readFile(configPath)).toString()
+    const placeholderIndex = content.indexOf(placeholder)
+    if (
+      placeholderIndex < 0 ||
+      placeholderIndex != content.lastIndexOf(placeholder)
+    ) {
+      throw new Error('Unable to replace auth placeholder in .git/config')
+    }
+    content = content.replace(placeholder, proxyUrl)
+    await fs.promises.writeFile(configPath, content)
+  }
+}
+
 async function configureAuthToken(
  git: IGitCommandManager,
  authToken: string