It seems that the code checkout using Jenkinsfile is using http for the remote origin and we do want to use ssh instead.
#!groovy
stage 'build'
node {
checkout scm
sh "cat .git/config"
}
This will output a https origin instead of a ssh one. The job is configured using github-organization-pipeline plugin, so there is no way to control the source from the job configuration in jenkins.
Here is my current approach, which is ugly, I am not going to defend that.
tokens = "${env.JOB_NAME}".tokenize('/')
org = tokens[0]
repo = tokens[1]
branch = tokens[2]
sh "git remote set-url origin git#github.com:${org}/${repo}.git"
This works because github-organization-plugin generate jobs names that look like org/repo/branch.
The organization folder’s configuration screen has an option to use specific checkout credentials, typically an SSH private key. By default it uses the API scan credentials, typically an access token which can be used for HTTPS checkouts (GitHub’s own recommendation).
Related
I would like to clone git project stored on cloud source repository from Python code.
I am using git.Repo.clone_from method and it is working. However, only after I authenticate using procedure described here:
https://cloud.google.com/source-repositories/docs/authentication
in "Authenticate by using manually generated credentials" section.
This procedure creates .gitcookies file and setup git to use it with my repository. When I use git.Repo.clone_from method, the same cookie is used as this method probably internally runs git command, which also uses .gitcookies file.
I would like to be independent from local git configuration and pass some login/password or token directly in my application to git.Repo.clone_from method. Is it possible? I even tried to get the cookie from .gitcookies and pass it to git.Repo.clone_from method using env parameter and set there GIT_ASKPASS variable. Unfortunately without success as I do not know what exactly should be set in it.
I just installed Libsecret and pointed it to be where my git credentials get saved:
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
But I really don't understand how to use it at all.. like at ALL.
It's been a pretty bleak experience to work with this, and actually seems like the only good solution on Linux at this point (its only been 2 years since the last update, rather than like 3+ for other options).
Is there a way to revoke a username/password stored on Libsecret? Like I have 0 clue how to wipe it other than to do --unset credential.helper, which just wipes everything. Can I not narrow it down by the repo/link the password being stored is related to? The Credential Manager on Windows makes this rediculously straightforward via the UI
Sorry to complain and talk about Windows' equivalent, but can anyone shine a light on that?
By all means, not set on using Libsecret if there are better alternatives to what I'm trying to do here. Please, any advance would be so greatly appreciated
It is not clear at all how to do this and the libsecret documentation -- https://developer.gnome.org/libsecret/0.18/ -- is just API/library documentation. Which is great, if you are programming an interface into libsecret. But is not great if you are an end user and want to update or remove an entry.
Also, I found that unsetting the git global config entry credential.helper just reverts git to using un-cached credentials. But when I pointed that setting back to git-credential-libsecret, my old password was still saved.
So, the answer to removing or updating a single entry turns out to be relatively simple. But NOT OBVIOUS.
Install Seahorse (https://wiki.gnome.org/Apps/Seahorse) if it isn't already installed. It will show up in your app menu as "Passwords and Keys"
Run Seahorse
Login (keychain) -> https://#github.com | Network Password
Double click or Right-click on it and edit, copy, or delete
As the other answer mentions, Seahorse is a GUI frontend to the same keyring, but there is also a CLI frontend called secret-tool that can access the same things.
No need to fiddle with what is behind a git credential helper.
Any git credential helper supports an "erase" method, as shown, for instance, in the sources of contrib/credential/libsecret/git-credential-libsecret.c:
/*
* Table with helper operation callbacks, used by generic
* credential helper main function.
*/
static struct credential_operation const credential_helper_ops[] = {
{ "get", keyring_get },
{ "store", keyring_store },
{ "erase", keyring_erase },
CREDENTIAL_OP_END
};
So, to erase a credential entry, you would need to type:
printf "protocol=https\nhost=github.com\nusername=<me>" | \
git-credential-libsecret erase
Replace "github.com" and <me> with the actual remote site and remote account username.
If your credential helper is not libsecret but "manager-core" (using the Microsoft GCM which is cross-platform) , that would be:
printf "protocol=https\nhost=github.com\nusername=<me>" | \
git-credential-manager-core erase
If your credential helper is not libsecret but "xxx" (any other helper, "store", "cache", ...):
printf "protocol=https\nhost=github.com\nusername=<me>" | \
git-credential-xxx erase
Simply type your credential helper command: it will display its commands.
In my case:
git-credential-manager-core
Required command was not provided.
Usage:
git-credential-manager-core [options] [command]
Options:
--version Show version information
-?, -h, --help Show help and usage information
Commands:
get [Git] Return a stored credential
store [Git] Store a credential
erase [Git] Erase a stored credential
configure Configure Git Credential Manager as the Git credential helper
unconfigure Unconfigure Git Credential Manager as the Git credential helper
azure-repos Commands for interacting with the Azure Repos host provider
Just make sure it is in your $PATH (it should be in /usr/bin, if not: /usr/lib/git-core)
Older helpers do not display all "action" commands, and use older synonyms for erase (remove or delete)
To check the erase/remove/delete has worked, display your stored password first ("get"), then "erase", then try and display it again, using again the "get" action:
printf "protocol=https\nhost=github.com\nusername=<me>" | \
git-credential-xxx get
If it prompts for you to enter your username/password, that means you have succeeded in deleting your cached entry.
I have also ran into this issue, and did a little bit of research. From what I can understand, under the hood, libsecret saves credentials to the local user keyring (like gnome-keyring). As the other answer mentions, Seahorse is a GUI frontend to the same keyring, but there is also a CLI frontend called secret-tool that can access the same things.
See https://ece.engr.uvic.ca/~frodo/courses/cpp/documents/github_authentication.pdf and http://manpages.ubuntu.com/manpages/bionic/man1/secret-tool.1.html for more details.
I'm new in Perforce and I not understand how to configure the p4 client command.
If typing p4 set command I get this:
C:\Program Files\Perforce>p4 set
P4CLIENT=aronTest (set)
P4EDITOR=C:\Windows\SysWOW64\notepad.ex
P4PORT=******:1666 (set)
P4USER=aron (set)
P4_*******:1666_CHARSET=none (set)
1) If I type p4 client the result as below:
Client: aronTest
....
....
View:
//Depot_1/... //aronTest/Depot_1/...
-//depot/... //aronTest/depot/...
"//Depot_1/ ARCS II/Test Code/*" "//aronTest/Depot_1/ ARCS II/Test Code/*"
"-//Depot_1/Book Store NET/..." "//aronTest/Depot_1/Book Store NET/..."
2) If I type - p4 client cli the result as below:
Client: cli
...
...
View:
//Depot_1/... //cli/Depot_1/...
//depot/... //cli/depot/...
I want that every client I'll create will get the view of the current P4CLIENT, but with the second command I've got the view of all depots (Depot1 & depot).
How to configure it, means every creation of client\workspace I'll get the same view of the current environment variable P4CLIENT (in other words I want the view like aronTest for every p4 client <client_name>)?
Thanks!
Unfortunately, there isn't a trivial way to configure the default client view; all the ways I know of take a certain amount of work.
One widely-used technique is to use what is called a template client; this is a workspace that already exists, and has the appropriate client view, client options, etc. In your case, the aronTest client could be used as a template for the creation of new workspaces. To use aronTest as a template for the new client cli, you'd simply type p4 client -t aronTest cli instead of p4 client cli.
If your Perforce server is running release 2014.1 or later, you can set the 'template.client' configurable on the server to specify a default template client to be used when the -t argument is omitted.
You can use any client as a template for the creation of another client, but if you always have a specific template client that you want to use, the template.client configurable might do the trick for you.
If you have a 2016.1 or higher version of the p4 command line tool, you can also define a command line alias (or even several command line aliases) to specify the -t argument to the p4 client command. This could be useful if your server is older than 2014.1 and can't make use of the template.client configurable.
A second widely-used technique is to write a form-out trigger for the client spec. The form-out trigger is invoked at the time that the server is preparing the initial default client spec, and you can modify that automatically-generated spec in your trigger.
Here's an example of using the form-out trigger to control the client view: https://www.perforce.com/perforce/doc.current/manuals/p4sag/chapter.scripting.html#scripting.triggers.forms.out
You have to write (and debug) that trigger, but once it's developed and deployed, the flow is trouble-free, with no extra arguments for your developers to remember.
Yet a third approach is to adopt the 'streams' development process, in which you define your stream mappings using the p4 stream command, and switch between streams using the p4 switch command. Streams are very powerful; one particular aspect of streams which is relevant here is that client workspaces no longer have to worry about the View: section of the client spec because the server takes over the task of maintaining the client view entirely. (That is, the server generates the client's view automatically, based on the definition of the stream in use for that client.)
Here's a nice, if somewhat advanced, discussion of the power of stream definitions to simplify client spec issues: https://www.perforce.com/blog/160122/pro-tip-use-ignored-paths-slim-down-workspaces
I hope some of these ideas help; let us know what approach you choose!
Add an alias that uses your current client (P4CLIENT) as a template when you create a new client using the "p4 client CLIENT" command:
echo client $(arg) = client -t $(P4CLIENT) $(arg) > %USERPROFILE%\p4aliases.txt
Note that you need a 2016.1 p4.exe for this to work.
I have a private repository on a GitLab server and using the SSH I can pull a project using git clone.
But I want to run a script on linux command line directly from the server (more specific, a Drupal / Drush .make file)
I tried to run it using the raw file:
drush make http://server.com/user/project/raw/master/file.make
(for the convenience of non Drupal users let’s say)
curl http://server.com/user/project/raw/master/file.make
Without success. Of course, it returns me the login page.
Is it possible?
With Chris's valuable help, here is how you can run a script (drupal .make file in my case) from a GitLab server. (Probably it works for GitHub but I didn't test it. Maybe the syntax will be a bit different). (Of course this works for any type of script)
It can be done using the authentication tokens. Here is the documentation of the GitLab's API and here is the GitHub's API
For convenient I will use the https://gitlab.com as the example server.
Go to https://gitlab.com/profile/account and find your "Private token"
Then print the list of the projects and find the id of your project you are looking for
curl https://gitlab.com/api/v3/projects?private_token=<your_private_token>
or go there with your browser (a json viewer will help a lot)
Then print the list of the files that are on this project and find the id of your file you are looking for
curl https://gitlab.com/api/v3/projects/<project_id>/repository/tree?private_token=<your_private_token>
Finally get / run the file!
curl https://gitlab.com/api/v3/projects/<project_id>/repository/raw_blobs/<file_id>?private_token=<your_private_token>
In case you want to run the script (drupal .make)
drush make https://gitlab.com/api/v3/projects/<project_id>/repository/raw_blobs/<file_id>?private_token=<your_private_token> <drupal_folder>
(If you are here looking for a workflow to integrate GitLab with Aegir .make platforms without using tokens (maybe SSH?) please make a thread and paste here the link.)
EDIT
You can get the file without the project_id by using the encoded project name. For example the my-user-name/my-project will become: my-user-name%2Fmy-project
Update 2018-12-25:
as long as you're not downloading huge files, this should work:
curl -s -H "Private-Token: <token>" "https://gitlab.com/api/v4/projects/<urlencode("gitlab_username/project_name")>/repository/files/<path/to/file>/raw?ref=<branch_name>"
, a real example, downloading the file /README.md from the private repository https://gitlab.com/divinity76/Yur17, where the web download url is https://gitlab.com/divinity76/Yur17/raw/master/README.md?inline=false, is:
curl -s -H "Private-Token: afF2s1xgk6xcwXHy3J4C" "https://gitlab.com/api/v4/projects/divinity76%2Fyur17/repository/files/README%2Emd/raw?ref=master"
take special note of how the gitlab_username/repo_name was url-encoded, eg / became %2F (you can check how your username & repo name is as url-encoded by opening your browser javascript terminal and write encodeURIComponent("your_username/repo_name"); in the terminal and press enter.)
thanks to Jonathan Hall # gitlab at mg.gitlab.com, and https://docs.gitlab.com/ee/api/repository_files.html , and tvl for helping reach a solution.
Update 2018-12-11: this method no longer works, now it just serves the login page, with a message saying need to log in to continue, even using HTTP 200 OK (shame on them), will update if i find out why ( #XavierStuvw claims it's security concerns related)
i found a much easier way to do it than #tvl 's answer,
first create an access token with API access here: https://gitlab.com/profile/personal_access_tokens ,
then do:
wget --header 'PRIVATE-TOKEN: <token>' 'https://gitlab.com/<username>/<repo>/raw/master/path/to/file.ext'
i found the solution here.
If you would like to access a file from private GitLab, you could use the below approach which worked for me:)
Construct the URL:
https://url/api/v4/projects/projectId/repository/files/fileName/raw?ref=master&private_token=Generated_private_token
url is your Gitlab url ex: git.lab.com.
/api/v4/projects is a constant.
projectId is the projectId of your project, which you can find below the name of your project in gitlab.
/repository/files is again a constant.
fileName is the name of the file ex: sagar.txt
/raw?ref= is a constant and the value of ref can be master or any branch which you would like to take the file from. I am retrieving the file from Master.
Generated_private_token should be generated from gitlab, please follow the steps in mentioned in the link :
Generate Private Token
I'm using git and Codebase for a project.
I just did a test and I'm able to commit to the git repository with a different email address and name set which causes it to tag the commit as being by a different user. I pushed this to the repository and it showed up as that user having committed even though it was me.
Is there a way to prevent users from committing or pushing with someone else's user details (effectively so they can't "forge" commits as being from a different user)?
Edit:
I assume this authentication would need to happen at the stage of pushing commits to the server since in the local working copy it's simply a repository which the user has full access to, to do whatever they want with. Is this therefore something I should ask Codebase about maybe?
Edit 2:
Git config as requested:
(repo/.git/config)
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = git#codebasehq.com:<redacted company name>/<redacted project name>/test.git
[branch "master"]
remote = origin
merge = refs/heads/master
Ooops: While this is a valid technique, it assumes you have effectively full control over the server. If you're using a hosted solution all bets are off.
You can validate the author name and email in the repository's update hook. You can get both values like this:
#!/bin/sh
set -- refname sha1_old sha1_new
author_name=$(git log --pretty=format:%an $sha1_new)
author_email=$(git log --pretty=format:%ae $sha1_new)
The trick, of course, is figuring out whether or not these are valid. Here's one trick:
You can use the command="" option in your ssh configuration to make a wrapper around git-receive-pack that maps ssh keys to author information. For example, something like this:
#!/bin/sh
GV_AUTHOR_NAME="$1"
GV_AUTHOR_EMAIL="$2"
export GV_AUTHOR_EMAIL GV_AUTHOR_NAME
eval exec $SSH_ORIGINAL_COMMAND
And you would use an authorized_keys line something like this:
command="~/bin/gitvalidator 'Lars Kellogg-Stedman' 'lars#seas.harvard.edu'" ssh-rsa ...
The result of all this is that your update script would have the environment variables GV_AUTHOR_NAME and GV_AUTHOR_EMAIL available, and could check these against the commit and exit with an error if they didn't match.
Sorry my post got deleted before I submitted my latest update:
You can commit as someone else when you have their credentials.
Just to clarify, the scenario you are asking about is as follows:
Users Foo and Bar can commit to the repo. You want to prevent user Foo from committing to the repo as user Bar.
In this case, user Bar would have to protect their private SSH key, just like they would protect a password. As that is used to authenticate your commit.