separate managed and unmanaged code

Signed-off-by: Sanskar Jaiswal <[email protected]>

Author: aryan9600

controllers/gitrepository_controller.go

@@ -455,26 +455,8 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context,
 		return sreconcile.ResultEmpty, e
 	}
 
-	repositoryURL := obj.Spec.URL
-	// managed GIT transport only affects the libgit2 implementation
-	if managed.Enabled() && obj.Spec.GitImplementation == sourcev1.LibGit2Implementation {
-		// We set the TransportAuthID of this set of authentication options here by constructing
-		// a unique ID that won't clash in a multi tenant environment. This unique ID is used by
-		// libgit2 managed transports. This enables us to bypass the inbuilt credentials callback in
-		// libgit2, which is inflexible and unstable.
-		if strings.HasPrefix(repositoryURL, "http") {
-			authOpts.TransportAuthID = fmt.Sprintf("http://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
-		}
-		if strings.HasPrefix(repositoryURL, "ssh") {
-			authOpts.TransportAuthID = fmt.Sprintf("ssh://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
-		}
-	}
-
 	// Fetch the included artifact metadata.
 	artifacts, err := r.fetchIncludes(ctx, obj)
-	if err != nil {
-		return sreconcile.ResultEmpty, err
-	}
 
 	// Observe if the artifacts still match the previous included ones
 	if artifacts.Diff(obj.Status.IncludedArtifacts) {
@@ -491,7 +473,27 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context,
 		optimizedClone = true
 	}
 
-	c, err := r.gitCheckout(ctx, obj, repositoryURL, authOpts, dir, optimizedClone)
+	// managed GIT transport only affects the libgit2 implementation
+	if managed.Enabled() && obj.Spec.GitImplementation == sourcev1.LibGit2Implementation {
+		// We set the TransportAuthID of this set of authentication options here by constructing
+		// a unique ID that won't clash in a multi tenant environment. This unique ID is used by
+		// libgit2 managed transports. This enables us to bypass the inbuilt credentials callback in
+		// libgit2, which is inflexible and unstable.
+		if strings.HasPrefix(obj.Spec.URL, "http") {
+			authOpts.TransportAuthID = fmt.Sprintf("http://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
+		} else if strings.HasPrefix(obj.Spec.URL, "ssh") {
+			authOpts.TransportAuthID = fmt.Sprintf("ssh://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
+		} else {
+			e := &serror.Stalling{
+				Err:    fmt.Errorf("git repository URL has invalid transport type: '%s'", obj.Spec.URL),
+				Reason: sourcev1.GitOperationFailedReason,
+			}
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			return sreconcile.ResultEmpty, e
+		}
+	}
+
+	c, err := r.gitCheckout(ctx, obj, obj.Spec.URL, authOpts, dir, optimizedClone)
 	if err != nil {
 		e := serror.NewGeneric(
 			fmt.Errorf("failed to checkout and determine revision: %w", err),
@@ -530,7 +532,7 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context,
 
 		// If we can't skip the reconciliation, checkout again without any
 		// optimization.
-		c, err := r.gitCheckout(ctx, obj, repositoryURL, authOpts, dir, false)
+		c, err := r.gitCheckout(ctx, obj, obj.Spec.URL, authOpts, dir, false)
 		if err != nil {
 			e := serror.NewGeneric(
 				fmt.Errorf("failed to checkout and determine revision: %w", err),

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/fluxcd/pkg/helmtestserver v0.5.0
 	github.com/fluxcd/pkg/lockedfile v0.1.0
 	github.com/fluxcd/pkg/runtime v0.16.0
-	github.com/fluxcd/pkg/ssh v0.3.4
+	github.com/fluxcd/pkg/ssh v0.4.0
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0
 	github.com/fluxcd/pkg/version v0.1.0

go.sum

@@ -350,8 +350,8 @@ github.com/fluxcd/pkg/lockedfile v0.1.0 h1:YsYFAkd6wawMCcD74ikadAKXA4s2sukdxrn7w
 github.com/fluxcd/pkg/lockedfile v0.1.0/go.mod h1:EJLan8t9MiOcgTs8+puDjbE6I/KAfHbdvIy9VUgIjm8=
 github.com/fluxcd/pkg/runtime v0.16.0 h1:ynzvkOedFFZHlsa47EE7XtxZe8qs8edhtmjVZBEWi1Y=
 github.com/fluxcd/pkg/runtime v0.16.0/go.mod h1:Iklg+r/Jnqc9cNf2NK+iaosvw49CxX07Pyn0r3zSg/o=
-github.com/fluxcd/pkg/ssh v0.3.4 h1:Ko+MUNiiQG3evyoMO19iRk7d4X0VJ6w6+GEeVQ1jLC0=
-github.com/fluxcd/pkg/ssh v0.3.4/go.mod h1:KGgOUOy1uI6RC6+qxIBLvP1AeOOs/nLB25Ca6TZMIXE=
+github.com/fluxcd/pkg/ssh v0.4.0 h1:2HY88irZ5BCSMlzZExR6cnhRkjxCDsK/lTHHQqCJDJQ=
+github.com/fluxcd/pkg/ssh v0.4.0/go.mod h1:KGgOUOy1uI6RC6+qxIBLvP1AeOOs/nLB25Ca6TZMIXE=
 github.com/fluxcd/pkg/testserver v0.2.0 h1:Mj0TapmKaywI6Fi5wvt1LAZpakUHmtzWQpJNKQ0Krt4=
 github.com/fluxcd/pkg/testserver v0.2.0/go.mod h1:bgjjydkXsZTeFzjz9Cr4heGANr41uTB1Aj1Q5qzuYVk=
 github.com/fluxcd/pkg/untar v0.1.0 h1:k97V/xV5hFrAkIkVPuv5AVhyxh1ZzzAKba/lbDfGo6o=

pkg/git/libgit2/checkout.go

@@ -69,6 +69,8 @@ type CheckoutBranch struct {
 func (c *CheckoutBranch) Checkout(ctx context.Context, path, url string, opts *git.AuthOptions) (_ *git.Commit, err error) {
 	defer recoverPanic(&err)
 
+	remoteCallBacks := RemoteCallbacks(ctx, opts)
+
 	if managed.Enabled() {
 		// We store the target url and auth options mapped to a unique ID. We overwrite the target url
 		// with the TransportAuthID, because managed transports don't provide a way for any kind of
@@ -77,15 +79,18 @@ func (c *CheckoutBranch) Checkout(ctx context.Context, path, url string, opts *g
 		// Performing all fetch operations with the TransportAuthID as the url, lets the managed
 		// transport action use it to fetch the registered transport options which contains the
 		// _actual_ target url and the correct credentials to use.
+		if opts.TransportAuthID == "" {
+			return nil, fmt.Errorf("can't use managed transport without a valid transport auth id.")
+		}
 		managed.AddTransportOptions(opts.TransportAuthID, managed.TransportOptions{
 			TargetURL: url,
 			AuthOpts:  opts,
 		})
 		url = opts.TransportAuthID
+		remoteCallBacks = managed.RemoteCallbacks()
 		defer managed.RemoveTransportOptions(opts.TransportAuthID)
 	}
 
-	remoteCallBacks := RemoteCallbacks(ctx, opts)
 	proxyOpts := &git2go.ProxyOptions{Type: git2go.ProxyTypeAuto}
 
 	repo, remote, err := initializeRepoWithRemote(ctx, path, url, opts)
@@ -186,16 +191,21 @@ type CheckoutTag struct {
 func (c *CheckoutTag) Checkout(ctx context.Context, path, url string, opts *git.AuthOptions) (_ *git.Commit, err error) {
 	defer recoverPanic(&err)
 
+	remoteCallBacks := RemoteCallbacks(ctx, opts)
+
 	if managed.Enabled() {
+		if opts.TransportAuthID == "" {
+			return nil, fmt.Errorf("can't use managed transport without a valid transport auth id.")
+		}
 		managed.AddTransportOptions(opts.TransportAuthID, managed.TransportOptions{
 			TargetURL: url,
 			AuthOpts:  opts,
 		})
 		url = opts.TransportAuthID
+		remoteCallBacks = managed.RemoteCallbacks()
 		defer managed.RemoveTransportOptions(opts.TransportAuthID)
 	}
 
-	remoteCallBacks := RemoteCallbacks(ctx, opts)
 	proxyOpts := &git2go.ProxyOptions{Type: git2go.ProxyTypeAuto}
 
 	repo, remote, err := initializeRepoWithRemote(ctx, path, url, opts)
@@ -274,19 +284,25 @@ type CheckoutCommit struct {
 func (c *CheckoutCommit) Checkout(ctx context.Context, path, url string, opts *git.AuthOptions) (_ *git.Commit, err error) {
 	defer recoverPanic(&err)
 
+	remoteCallBacks := RemoteCallbacks(ctx, opts)
+
 	if managed.Enabled() {
+		if opts.TransportAuthID == "" {
+			return nil, fmt.Errorf("can't use managed transport without a valid transport auth id.")
+		}
 		managed.AddTransportOptions(opts.TransportAuthID, managed.TransportOptions{
 			TargetURL: url,
 			AuthOpts:  opts,
 		})
 		url = opts.TransportAuthID
+		remoteCallBacks = managed.RemoteCallbacks()
 		defer managed.RemoveTransportOptions(opts.TransportAuthID)
 	}
 
 	repo, err := git2go.Clone(url, path, &git2go.CloneOptions{
 		FetchOptions: git2go.FetchOptions{
 			DownloadTags:    git2go.DownloadTagsNone,
-			RemoteCallbacks: RemoteCallbacks(ctx, opts),
+			RemoteCallbacks: remoteCallBacks,
 			ProxyOptions:    git2go.ProxyOptions{Type: git2go.ProxyTypeAuto},
 		},
 	})
@@ -312,12 +328,18 @@ type CheckoutSemVer struct {
 func (c *CheckoutSemVer) Checkout(ctx context.Context, path, url string, opts *git.AuthOptions) (_ *git.Commit, err error) {
 	defer recoverPanic(&err)
 
+	remoteCallBacks := RemoteCallbacks(ctx, opts)
+
 	if managed.Enabled() {
+		if opts.TransportAuthID == "" {
+			return nil, fmt.Errorf("can't use managed transport without a valid transport auth id.")
+		}
 		managed.AddTransportOptions(opts.TransportAuthID, managed.TransportOptions{
 			TargetURL: url,
 			AuthOpts:  opts,
 		})
 		url = opts.TransportAuthID
+		remoteCallBacks = managed.RemoteCallbacks()
 		defer managed.RemoveTransportOptions(opts.TransportAuthID)
 	}
 
@@ -329,7 +351,7 @@ func (c *CheckoutSemVer) Checkout(ctx context.Context, path, url string, opts *g
 	repo, err := git2go.Clone(url, path, &git2go.CloneOptions{
 		FetchOptions: git2go.FetchOptions{
 			DownloadTags:    git2go.DownloadTagsAll,
-			RemoteCallbacks: RemoteCallbacks(ctx, opts),
+			RemoteCallbacks: remoteCallBacks,
 			ProxyOptions:    git2go.ProxyOptions{Type: git2go.ProxyTypeAuto},
 		},
 	})

pkg/git/libgit2/managed/http.go

@@ -157,6 +157,10 @@ func createClientRequest(transportAuthID string, action git2go.SmartServiceActio
 	}
 	targetURL := opts.TargetURL
 
+	if targetURL == "" {
+		return nil, nil, fmt.Errorf("repository URL cannot be empty")
+	}
+
 	if len(targetURL) > URLMaxLength {
 		return nil, nil, fmt.Errorf("URL exceeds the max length (%d)", URLMaxLength)
 	}
@@ -197,7 +201,9 @@ func createClientRequest(transportAuthID string, action git2go.SmartServiceActio
 
 	// Add any provided certificate to the http transport.
 	if opts.AuthOpts != nil {
-		req.SetBasicAuth(opts.AuthOpts.Username, opts.AuthOpts.Password)
+		if len(opts.AuthOpts.Username) > 0 {
+			req.SetBasicAuth(opts.AuthOpts.Username, opts.AuthOpts.Password)
+		}
 		if len(opts.AuthOpts.CAFile) > 0 {
 			certPool := x509.NewCertPool()
 			if ok := certPool.AppendCertsFromPEM(opts.AuthOpts.CAFile); !ok {

pkg/git/libgit2/managed/managed_test.go

@@ -35,12 +35,19 @@ var (
 	m             sync.RWMutex
 )
 
+// AddTransportOptions registers a TransportOptions object mapped to the
+// provided id. The id must be a valid url, i.e. prefixed with http or ssh,
+// as the id is used as a dummy url for all git operations and the managed
+// transports will only be invoked for the protocols that they have been
+// registered for.
 func AddTransportOptions(id string, opts TransportOptions) {
 	m.Lock()
 	transportOpts[id] = opts
 	m.Unlock()
 }
 
+// RemoveTransportOptions removes the registerd TransportOptions object
+// mapped to the provided id.
 func RemoveTransportOptions(id string) {
 	m.Lock()
 	delete(transportOpts, id)

pkg/git/libgit2/managed/options.go

@@ -167,7 +167,7 @@ func (t *sshSmartSubtransport) Action(credentialsID string, action git2go.SmartS
 		cert := &git2go.Certificate{
 			Kind: git2go.CertificateHostkey,
 			Hostkey: git2go.HostkeyCertificate{
-				Kind:         git2go.HostkeySHA1 | git2go.HostkeyMD5 | git2go.HostkeySHA256 | git2go.HostkeyRaw,
+				Kind:         git2go.HostkeySHA256,
 				HashMD5:      md5.Sum(marshaledKey),
 				HashSHA1:     sha1.Sum(marshaledKey),
 				HashSHA256:   sha256.Sum256(marshaledKey),
@@ -176,7 +176,10 @@ func (t *sshSmartSubtransport) Action(credentialsID string, action git2go.SmartS
 			},
 		}
 
-		return t.transport.SmartCertificateCheck(cert, true, hostname)
+		if len(opts.AuthOpts.KnownHosts) > 0 {
+			return KnownHostsCallback(hostname, opts.AuthOpts.KnownHosts)(cert, true, hostname)
+		}
+		return nil
 	}
 
 	err = t.createConn(t.addr, sshConfig)

pkg/git/libgit2/managed/ssh.go

@@ -113,7 +113,9 @@ func TestSSHManagedTransport_E2E(t *testing.T) {
 	// We call git2go.Clone with transportID, so that the managed ssh transport can
 	// fetch the correct set of credentials and the actual target url as well.
 	repo, err := git2go.Clone(transportID, tmpDir, &git2go.CloneOptions{
-		FetchOptions: git2go.FetchOptions{},
+		FetchOptions: git2go.FetchOptions{
+			RemoteCallbacks: RemoteCallbacks(),
+		},
 		CheckoutOptions: git2go.CheckoutOptions{
 			Strategy: git2go.CheckoutForce,
 		},