fix: allow HTTPS credentials when SSH configured

Allow a pipeline to request HTTPS credentials of a repository that has been configured for SSH, as long as the requested repository matches the configured repository.
chinmina · May 27, 2024 · c573bdc · c573bdc
1 parent 1332f34
commit c573bdc
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 0 deletions.
diff --git a/internal/vendor/vendor.go b/internal/vendor/vendor.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/url"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -60,6 +61,9 @@ func New(
 			return nil, fmt.Errorf("could not find repository for pipeline %s: %w", claims.PipelineSlug, err)
 		}
 
+		// allow HTTPS credentials if the pipeline is configured for an equivalent SSH URL
+		pipelineRepoURL = TranslateSSHToHTTPS(pipelineRepoURL)
+
 		if requestedRepoURL != "" && pipelineRepoURL != requestedRepoURL {
 			// git is asking for a different repo than we can handle: return nil
 			// to indicate that the handler should return a successful (but
@@ -89,3 +93,14 @@ func New(
 		}, nil
 	}
 }
+
+var sshUrl = regexp.MustCompile(`^[email protected]:([^/].+)$`)
+
+func TranslateSSHToHTTPS(url string) string {
+	groups := sshUrl.FindStringSubmatch(url)
+	if groups == nil {
+		return url
+	}
+
+	return fmt.Sprintf("https://github.com/%s", groups[1])
+}
diff --git a/internal/vendor/vendor_test.go b/internal/vendor/vendor_test.go
@@ -151,3 +151,69 @@ func TestPipelineRepositoryToken_ExpiryUnix(t *testing.T) {
 		})
 	}
 }
+
+func TestTransformSSHToHTTPS(t *testing.T) {
+	testCases := []struct {
+		name     string
+		url      string
+		expected string
+	}{
+		{
+			name:     "ssh, valid GitHub",
+			url:      "[email protected]:organization/chinmina.git",
+			expected: "https://github.com/organization/chinmina.git",
+		},
+		{
+			name:     "ssh, no user",
+			url:      "github.com:organization/chinmina.git",
+			expected: "github.com:organization/chinmina.git",
+		},
+		{
+			name:     "ssh, different host",
+			url:      "[email protected]:organization/chinmina.git",
+			expected: "[email protected]:organization/chinmina.git",
+		},
+		{
+			name:     "ssh, invalid path specifier",
+			url:      "[email protected]/organization/chinmina.git",
+			expected: "[email protected]/organization/chinmina.git",
+		},
+		{
+			name:     "ssh, zero length path",
+			url:      "[email protected]:",
+			expected: "[email protected]:",
+		},
+		{
+			name:     "ssh, no extension",
+			url:      "[email protected]:organization/chinmina",
+			expected: "https://github.com/organization/chinmina",
+		},
+		{
+			name:     "https, valid",
+			url:      "https://github.com/organization/chinmina.git",
+			expected: "https://github.com/organization/chinmina.git",
+		},
+		{
+			name:     "https, nonsense",
+			url:      "https://github.com/organization/chinmina.git",
+			expected: "https://github.com/organization/chinmina.git",
+		},
+		{
+			name:     "http, valid",
+			url:      "http://github.com/organization/chinmina.git",
+			expected: "http://github.com/organization/chinmina.git",
+		},
+		{
+			name:     "pure nonsense",
+			url:      "molybdenum://mo",
+			expected: "molybdenum://mo",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actual := vendor.TranslateSSHToHTTPS(tc.url)
+			assert.Equal(t, tc.expected, actual)
+		})
+	}
+}