feat(git/auth): Support hostrules with username and password when authenticating git commands

lib/modules/manager/git-submodules/extract.spec.ts

@@ -136,6 +136,35 @@ describe('modules/manager/git-submodules/extract', () => {
       );
     });
 
+    it('combined username+pwd from host rule is used to detect branch for gitlab', async () => {
+      gitMock.listRemote.mockResolvedValueOnce(
+        'ref: refs/heads/main HEAD\n5701164b9f5edba1f6ca114c491a564ffb55a964        HEAD'
+      );
+      hostRules.add({
+        hostType: 'gitlab',
+        matchHost: 'gitlab.com',
+        username: 'username',
+        password: 'password',
+      });
+      const res = await extractPackageFile('', '.gitmodules.2', {});
+      expect(res?.deps).toHaveLength(1);
+      expect(res?.deps[0].currentValue).toBe('main');
+      expect(gitMock.env).toHaveBeenCalledWith({
+        GIT_CONFIG_COUNT: '3',
+        GIT_CONFIG_KEY_0: 'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_1: 'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_2: 'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'ssh://[email protected]/',
+        GIT_CONFIG_VALUE_1: '[email protected]:',
+        GIT_CONFIG_VALUE_2: 'https://gitlab.com/',
+      });
+      expect(gitMock.listRemote).toHaveBeenCalledWith([
+        '--symref',
+        'https://github.com/PowerShell/PowerShell-Docs',
+        'HEAD',
+      ]);
+    });
+
     it('extracts multiple submodules', async () => {
       hostRules.add({ matchHost: 'github.com', token: '123test' });
       hostRules.add({

lib/modules/manager/git-submodules/readme.md

@@ -20,7 +20,7 @@ The following logic is executed prior to "submodules" updating:
 The token from the `hostRules` entry matching `hostType=github` and `matchHost=api.github.com` is added as the default authentication for `github.com`.
 For those running against `github.com`, this token will be the default platform token.
 
-Next, all `hostRules` with both a token and `matchHost` will be fetched, except for any github.com one from above.
+Next, all `hostRules` with both a token or username/password and `matchHost` will be fetched, except for any github.com one from above.
 
 Rules from this list are converted to environment variable directives if they match _any_ of the following characteristics:
 

lib/modules/manager/gomod/readme.md

@@ -35,7 +35,7 @@ The following logic is executed prior to "artifacts" updating:
 The token from the `hostRules` entry matching `hostType=github` and `matchHost=api.github.com` is added as the default authentication for `github.com`.
 For those running against `github.com`, this token will be the default platform token.
 
-Next, all `hostRules` with both a token and `matchHost` will be fetched, except for any github.com one from above.
+Next, all `hostRules` with both a token or username/password and `matchHost` will be fetched, except for any github.com one from above.
 
 Rules from this list are converted to environment variable directives if they match _any_ of the following characteristics:
 

lib/util/git/auth.spec.ts

@@ -28,6 +28,48 @@ describe('util/git/auth', () => {
       });
     });
 
+    it('returns url with username and password', () => {
+      expect(
+        getGitAuthenticatedEnvironmentVariables('https://example.com/', {
+          username: 'username',
+          password: 'password',
+          hostType: 'github',
+          matchHost: 'example.com',
+        })
+      ).toStrictEqual({
+        GIT_CONFIG_COUNT: '3',
+        GIT_CONFIG_KEY_0:
+          'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_1:
+          'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_2:
+          'url.https://username:[email protected]/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'ssh://[email protected]/',
+        GIT_CONFIG_VALUE_1: '[email protected]:',
+        GIT_CONFIG_VALUE_2: 'https://example.com/',
+      });
+    });
+
+    it('prefers token over username and password', () => {
+      expect(
+        getGitAuthenticatedEnvironmentVariables('https://github.com/', {
+          username: 'username',
+          password: 'password',
+          token: 'token1234',
+          hostType: 'github',
+          matchHost: 'github.com',
+        })
+      ).toStrictEqual({
+        GIT_CONFIG_COUNT: '3',
+        GIT_CONFIG_KEY_0: 'url.https://ssh:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_1: 'url.https://git:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_2: 'url.https://[email protected]/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'ssh://[email protected]/',
+        GIT_CONFIG_VALUE_1: '[email protected]:',
+        GIT_CONFIG_VALUE_2: 'https://github.com/',
+      });
+    });
+
     it('returns url with token for different protocols', () => {
       expect(
         getGitAuthenticatedEnvironmentVariables('foobar://github.com/', {
@@ -219,10 +261,8 @@ describe('util/git/auth', () => {
         getGitAuthenticatedEnvironmentVariables(
           'https://gitlab.com/',
           {
-            username: 'testing',
-            password: '1234',
             hostType: 'gitlab',
-            matchHost: 'github.com',
+            matchHost: 'gitlab.com',
           },
           { env: 'value' }
         )
@@ -402,6 +442,48 @@ describe('util/git/auth', () => {
       });
     });
 
+    it('returns environment variables with username and password', () => {
+      add({
+        hostType: 'gitlab',
+        matchHost: 'https://gitlab.example.com',
+        username: 'user1234',
+        password: 'pass1234',
+      });
+      expect(getGitEnvironmentVariables()).toStrictEqual({
+        GIT_CONFIG_COUNT: '3',
+        GIT_CONFIG_KEY_0:
+          'url.https://user1234:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_1:
+          'url.https://user1234:[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_2:
+          'url.https://user1234:[email protected]/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'ssh://[email protected]/',
+        GIT_CONFIG_VALUE_1: '[email protected]:',
+        GIT_CONFIG_VALUE_2: 'https://gitlab.example.com/',
+      });
+    });
+
+    it('returns environment variables with URL encoded username and password', () => {
+      add({
+        hostType: 'gitlab',
+        matchHost: 'https://gitlab.example.com',
+        username: 'user @ :$ abc',
+        password: 'abc @ blub pass0:',
+      });
+      expect(getGitEnvironmentVariables()).toStrictEqual({
+        GIT_CONFIG_COUNT: '3',
+        GIT_CONFIG_KEY_0:
+          'url.https://user%20%40%20%3A%24%20abc:abc%20%40%20blub%20pass0%[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_1:
+          'url.https://user%20%40%20%3A%24%20abc:abc%20%40%20blub%20pass0%[email protected]/.insteadOf',
+        GIT_CONFIG_KEY_2:
+          'url.https://user%20%40%20%3A%24%20abc:abc%20%40%20blub%20pass0%[email protected]/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'ssh://[email protected]/',
+        GIT_CONFIG_VALUE_1: '[email protected]:',
+        GIT_CONFIG_VALUE_2: 'https://gitlab.example.com/',
+      });
+    });
+
     it('returns no environment variables when hostType is not supported', () => {
       add({
         hostType: 'custom',
@@ -411,6 +493,24 @@ describe('util/git/auth', () => {
       expect(getGitEnvironmentVariables()).toStrictEqual({});
     });
 
+    it('returns no environment variables when only username is set', () => {
+      add({
+        hostType: 'custom',
+        matchHost: 'https://custom.example.com',
+        username: 'user123',
+      });
+      expect(getGitEnvironmentVariables()).toStrictEqual({});
+    });
+
+    it('returns no environment variables when only password is set', () => {
+      add({
+        hostType: 'custom',
+        matchHost: 'https://custom.example.com',
+        password: 'pass123',
+      });
+      expect(getGitEnvironmentVariables()).toStrictEqual({});
+    });
+
     it('returns environment variables when hostType is explicitly set', () => {
       add({
         hostType: 'custom',

lib/util/git/auth.ts

@@ -31,13 +31,13 @@ const standardGitAllowedHostTypes = [
  */
 export function getGitAuthenticatedEnvironmentVariables(
   originalGitUrl: string,
-  { token, hostType, matchHost }: HostRule,
+  { token, username, password, hostType, matchHost }: HostRule,
   environmentVariables?: NodeJS.ProcessEnv
 ): NodeJS.ProcessEnv {
-  if (!token) {
+  if (!token && !(username && password)) {
     logger.warn(
       // TODO: types (#22198)
-      `Could not create environment variable for ${matchHost!} as token was empty`
+      `Could not create environment variable for ${matchHost!} as neither token or username and password was set`
     );
     return { ...environmentVariables };
   }
@@ -58,12 +58,22 @@ export function getGitAuthenticatedEnvironmentVariables(
       gitConfigCount = 0;
     }
   }
+  let authenticationRules: AuthenticationRule[];
+  if (token) {
+    authenticationRules = getAuthenticationRulesWithToken(
+      originalGitUrl,
+      hostType,
+      token
+    );
+  } else {
+    const encodedUsername = encodeURIComponent(username!);
+    const encodedPassword = encodeURIComponent(password!);
 
-  const authenticationRules = getAuthenticationRulesWithToken(
-    originalGitUrl,
-    hostType,
-    token
-  );
+    authenticationRules = getAuthenticationRules(
+      originalGitUrl,
+      `${encodedUsername}:${encodedPassword}`
+    );
+  }
 
   // create a shallow copy of the environmentVariables as base so we don't modify the input parameter object
   // add the two new config key and value to the returnEnvironmentVariables object
@@ -151,15 +161,15 @@ export function getGitEnvironmentVariables(
   let environmentVariables: NodeJS.ProcessEnv = {};
 
   // hard-coded logic to use authentication for github.com based on the githubToken for api.github.com
-  const githubToken = find({
+  const gitHubHostRule = find({
     hostType: 'github',
     url: 'https://api.github.com/',
   });
 
-  if (githubToken?.token) {
+  if (gitHubHostRule?.token) {
     environmentVariables = getGitAuthenticatedEnvironmentVariables(
       'https://github.com/',
-      githubToken
+      gitHubHostRule
     );
   }
 
@@ -170,10 +180,10 @@ export function getGitEnvironmentVariables(
     ...additionalHostTypes,
   ]);
 
-  // filter rules without `matchHost` and `token` and github api github rules
+  // filter rules without `matchHost` and `token` or username and password and github api github rules
   const hostRules = getAll()
-    .filter((r) => r.matchHost && r.token)
-    .filter((r) => !githubToken || !githubApiUrls.has(r.matchHost!));
+    .filter((r) => r.matchHost && (r.token ?? (r.username && r.password)))
+    .filter((r) => !gitHubHostRule || !githubApiUrls.has(r.matchHost!));
 
   // for each hostRule without hostType we add additional authentication variables to the environmentVariables
   // for each hostRule with hostType we add additional authentication variables to the environmentVariables