Merge pull request #1051 from renyunkang/check-access

stoneshi-yunify · web-flow · commit 0d504b80e9d0 · 2025-04-23T11:19:47.000+08:00
add git repository reachability validation
diff --git a/.gitignore b/.gitignore
@@ -20,6 +20,7 @@ scripts
 
 # editor and IDE paraphernalia
 .idea
+.nocalhost
 *.swp
 *.swo
 *~
diff --git a/pkg/client/git/client.go b/pkg/client/git/client.go
@@ -63,7 +63,7 @@ func (c *ClientFactory) GetClient() (client *goscm.Client, err error) {
 	var token string
 	username := ""
 	if c.secretRef != nil {
-		if token, username, err = c.getTokenFromSecret(c.secretRef); err != nil {
+		if token, username, _, err = c.GetTokenFromSecret(c.secretRef); err != nil {
 			return
 		}
 	}
@@ -73,7 +73,7 @@ func (c *ClientFactory) GetClient() (client *goscm.Client, err error) {
 	return
 }
 
-func (c *ClientFactory) getTokenFromSecret(secretRef *v1.SecretReference) (token, username string, err error) {
+func (c *ClientFactory) GetTokenFromSecret(secretRef *v1.SecretReference) (token, username string, privateKey []byte, err error) {
 	var gitSecret *v1.Secret
 	if gitSecret, err = c.getSecret(secretRef); err != nil {
 		return
@@ -86,7 +86,12 @@ func (c *ClientFactory) getTokenFromSecret(secretRef *v1.SecretReference) (token
 	case v1.SecretTypeOpaque:
 		token = string(gitSecret.Data[v1.ServiceAccountTokenKey])
 	case v1alpha3.SecretTypeSecretText:
-		token = string(gitSecret.Data["secret"])
+		username = string(gitSecret.Data[v1.BasicAuthUsernameKey])
+		token = string(gitSecret.Data[v1alpha3.SecretTextSecretKey])
+	case v1alpha3.SecretTypeSSHAuth:
+		privateKey = gitSecret.Data[v1alpha3.SSHAuthPrivateKey]
+		token = string(gitSecret.Data[v1alpha3.SSHAuthPassphraseKey])
+		username = string(gitSecret.Data[v1alpha3.SSHAuthUsernameKey])
 	}
 	return
 }
diff --git a/pkg/kapis/devops/v1alpha3/scm/gitrepository_handler.go b/pkg/kapis/devops/v1alpha3/scm/gitrepository_handler.go
@@ -48,7 +48,7 @@ func (h *handler) createGitRepositories(req *restful.Request, res *restful.Respo
 	namespace := common.GetPathParameter(req, common.NamespacePathParameter)
 	repo := &v1alpha3.GitRepository{}
 	err := req.ReadEntity(repo)
-	ctx := context.Background()
+	ctx := req.Request.Context()
 
 	if err == nil {
 		repo.Namespace = namespace
diff --git a/pkg/kapis/devops/v1alpha3/scm/scmhandler.go b/pkg/kapis/devops/v1alpha3/scm/scmhandler.go
@@ -19,14 +19,19 @@ package scm
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
+
 	"github.com/emicklei/go-restful/v3"
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/storage/memory"
 	goscm "github.com/jenkins-x/go-scm/scm"
 	"github.com/kubesphere/ks-devops/pkg/client/git"
 	"github.com/kubesphere/ks-devops/pkg/kapis"
 	"github.com/kubesphere/ks-devops/pkg/kapis/common"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"strings"
 )
 
 // handler holds all the API handlers of SCM
@@ -48,14 +53,58 @@ func (h *handler) verify(request *restful.Request, response *restful.Response) {
 	secretNamespace := request.QueryParameter("secretNamespace")
 	server := common.GetQueryParameter(request, queryParameterServer)
 
-	_, code, err := h.getOrganizations(scm, server, secretName, secretNamespace, 1, 1, false)
+	code, err := 0, error(nil)
+	switch scm {
+	case "git":
+		if server == "" {
+			err := fmt.Errorf("server is required")
+			kapis.HandleError(request, response, err)
+			response.WriteHeaderAndEntity(http.StatusBadRequest, err)
+			return
+		}
+		code, err = h.checkRepoAccess(server, secretName, secretNamespace)
+
+	default:
+		_, code, err = h.getOrganizations(scm, server, secretName, secretNamespace, 1, 1, false)
+	}
 
 	response.Header().Set(restful.HEADER_ContentType, restful.MIME_JSON)
 	verifyResult := git.VerifyResult(err, code)
 	verifyResult.CredentialID = secretName
 	_ = response.WriteAsJson(verifyResult)
 }
 
+func (h *handler) checkRepoAccess(repourl, secretName, secretNamespace string) (int, error) {
+	storage := memory.NewStorage()
+	remote := gogit.NewRemote(storage, &config.RemoteConfig{
+		Name: "origin",
+		URLs: []string{repourl},
+	})
+
+	listOption := &gogit.ListOptions{}
+	if secretName != "" && secretNamespace != "" {
+		factory := git.NewClientFactory("git", &v1.SecretReference{
+			Namespace: secretNamespace, Name: secretName,
+		}, h.Client)
+		token, user, privateKey, err := factory.GetTokenFromSecret(&v1.SecretReference{Namespace: secretNamespace, Name: secretName})
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		listOption.Auth, err = getAuthMethod(repourl, user, token, privateKey)
+		if err != nil {
+			return http.StatusBadRequest, err
+		}
+	}
+
+	_, err := remote.List(listOption)
+	if err != nil {
+		return http.StatusForbidden, fmt.Errorf("access verification failed: %v", err)
+	}
+
+	return http.StatusOK, nil
+}
+
 func (h *handler) getOrganizations(scm, server, secret, namespace string, page, size int, includeUser bool) (orgs []*goscm.Organization, code int, err error) {
 	factory := git.NewClientFactory(scm, &v1.SecretReference{
 		Namespace: namespace, Name: secret,
diff --git a/pkg/kapis/devops/v1alpha3/scm/utils.go b/pkg/kapis/devops/v1alpha3/scm/utils.go
@@ -0,0 +1,40 @@
+package scm
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
+	gossh "golang.org/x/crypto/ssh"
+)
+
+func getAuthMethod(repoURL, username, password string, sshKey []byte) (transport.AuthMethod, error) {
+	switch {
+	case strings.HasPrefix(repoURL, "http://"), strings.HasPrefix(repoURL, "https://"):
+		if password == "" {
+			return nil, errors.New("password/token required for HTTP URLs")
+		}
+		return &http.BasicAuth{Username: username, Password: password}, nil
+
+	case strings.HasPrefix(repoURL, "git@"):
+		fallthrough
+	case strings.Contains(repoURL, "ssh://"):
+		if len(sshKey) == 0 {
+			return nil, errors.New("SSH private key required for SSH URLs")
+		}
+
+		publicKeys, err := ssh.NewPublicKeys(username, sshKey, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create SSH auth: %w", err)
+		}
+		publicKeys.HostKeyCallback = gossh.InsecureIgnoreHostKey()
+
+		return publicKeys, nil
+
+	default:
+		return nil, errors.New("unsupported repository URL scheme")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (c ClientFactory) GetClient() (client goscm.Client, err error) {`
`63`	`63`	`var token string`
`64`	`64`	`username := ""`
`65`	`65`	`if c.secretRef != nil {`
`66`		`- if token, username, err = c.getTokenFromSecret(c.secretRef); err != nil {`
	`66`	`+ if token, username, _, err = c.GetTokenFromSecret(c.secretRef); err != nil {`
`67`	`67`	`return`
`68`	`68`	`}`
`69`	`69`	`}`
`@@ -73,7 +73,7 @@ func (c ClientFactory) GetClient() (client goscm.Client, err error) {`
`73`	`73`	`return`
`74`	`74`	`}`
`75`	`75`
`76`		`-func (c ClientFactory) getTokenFromSecret(secretRef v1.SecretReference) (token, username string, err error) {`
	`76`	`+func (c ClientFactory) GetTokenFromSecret(secretRef v1.SecretReference) (token, username string, privateKey []byte, err error) {`
`77`	`77`	`var gitSecret *v1.Secret`
`78`	`78`	`if gitSecret, err = c.getSecret(secretRef); err != nil {`
`79`	`79`	`return`
`@@ -86,7 +86,12 @@ func (c ClientFactory) getTokenFromSecret(secretRef v1.SecretReference) (token`
`86`	`86`	`case v1.SecretTypeOpaque:`
`87`	`87`	`token = string(gitSecret.Data[v1.ServiceAccountTokenKey])`
`88`	`88`	`case v1alpha3.SecretTypeSecretText:`
`89`		`- token = string(gitSecret.Data["secret"])`
	`89`	`+ username = string(gitSecret.Data[v1.BasicAuthUsernameKey])`
	`90`	`+ token = string(gitSecret.Data[v1alpha3.SecretTextSecretKey])`
	`91`	`+ case v1alpha3.SecretTypeSSHAuth:`
	`92`	`+ privateKey = gitSecret.Data[v1alpha3.SSHAuthPrivateKey]`
	`93`	`+ token = string(gitSecret.Data[v1alpha3.SSHAuthPassphraseKey])`
	`94`	`+ username = string(gitSecret.Data[v1alpha3.SSHAuthUsernameKey])`
`90`	`95`	`}`
`91`	`96`	`return`
`92`	`97`	`}`