From 05af074f7d6f66ce400241e869e623eb72b85c01 Mon Sep 17 00:00:00 2001
From: Karen Arutyunov
Date: Mon, 4 Jun 2018 18:47:16 +0300
Subject: Fix mrrepo script to filter out remote URL credentials from diagnostics
---
 server/mrrepo | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/server/mrrepo b/server/mrrepo
index aae1e54..029ce35 100755
--- a/server/mrrepo
+++ b/server/mrrepo
@@ -134,10 +134,13 @@ function field () # []
 }
 # Collect new repositories (in the new array) and while at it fix up remote
-# URLs with credentials (in the remotes map).
+# URLs with credentials (in the auth_remotes map). Note that we still save
+# original remote URLs to use them for diagnostics not to expose credentials
+# (think about cron job diagnostics sent by email).
 #
 new=()
-declare -A remotes
+declare -A orig_remotes
+declare -A auth_remotes
 while read l || [ -n "$l" ]; do
 r=$(field "$l" 1 'path')
@@ -149,6 +152,8 @@ while read l || [ -n "$l" ]; do
 # Note that currently we only support adding credentials for https URLs.
 #
 if [ -n "$u" ]; then
+ orig_remotes["$r"]="$u"
+
 for p in "${!credentials[@]}"; do
 if [[ "$u" == "$p"* ]]; then
 c="${credentials[$p]}"
@@ -157,7 +162,7 @@ while read l || [ -n "$l" ]; do
 fi
 done
- remotes["$r"]="$u"
+ auth_remotes["$r"]="$u"
 fi
 done < <(sed -e '/^\s*#/d;/^\s*$/d;s/\s\s*/ /g' manifest)
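Review bot: `orig_remotes["$r"]="$u"` in the second hunk stores the manifest URL verbatim and treats it as credential-free, so a manifest entry that already embeds userinfo would leave the original and authenticated URLs identical and skip the later stderr filtering. The code that builds the authenticated URL sits between this hunk and the next and is not visible here, so this is inferred rather than confirmed. I would document the assumption next to the assignment, e.g. `# Assumes manifest URLs carry no userinfo; only credentials added from the credentials map are filtered from diagnostics.`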
@@ -201,17 +206,31 @@ for r in "${new[@]}"; do
 # Mirror to the remote URL, if present.
 #
- u="${remotes[$r]}"
- if [ -n "$u" ]; then
+ au="${auth_remotes[$r]}"
+ if [ -n "$au" ]; then
+ cmd=( git -C "$r" push "${git_ops[@]}" --mirror "$au" )
+
+ # Note that in the verbose mode, for troubleshooting, we still print the
+ # URLs that possibly contain credentials.
+ #
 if [ "$verb" -ge 1 ]; then
- info "remote URL $u for repository $r, pushing"
- info git -C "$r" push "${git_ops[@]}" --mirror "$u"
+ info "remote URL $au for repository $r, pushing"
+ info "${cmd[@]}"
 fi
 # Disable prompting for username/password if credentials are missing for
 # the remote URL and fail instead.
 #
- GIT_TERMINAL_PROMPT=0 git -C "$r" push "${git_ops[@]}" --mirror "$u"
+ # If the remote URL differs from the original one then it contains
+ # credentials. It may potentially appear in git's STDERR, so we replace all
+ # its occurrences with the original one, not containing credentials.
+ #
+ ou="${orig_remotes[$r]}"
+ if [ "$au" != "$ou" ]; then
+ GIT_TERMINAL_PROMPT=0 "${cmd[@]}" 2>&1 | sed "s%$au%$ou%g" >&2
+ else
+ GIT_TERMINAL_PROMPT=0 "${cmd[@]}"
+ fi
 fi
 done
--
cgit v1.1
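Review bot: The filter `sed "s%$au%$ou%g"` interpolates the credential-bearing URL into a sed script as a regular expression with `%` as the delimiter, so it is not a literal match. A URL containing `%` (percent-encoded credentials) makes sed reject the script and git's diagnostics are lost, while characters such as `[`, `*`, `\` or `&` can stop the pattern matching or corrupt the replacement, leaving the URL unredacted. A literal substitution done by bash, as sketched below, avoids both. Separately, unless `pipefail` is set elsewhere in the script (not visible in this hunk), the pipeline's status is the filter's, so a failed push in this branch may go unnoticed, and git's stdout is now merged into stderr. The enclosing `for r in ...` loop starts outside the hunk.

```bash
    if [ "$au" != "$ou" ]; then
      # Literal (non-regex) replacement, so %, &, [ etc. in the URL are safe.
      GIT_TERMINAL_PROMPT=0 "${cmd[@]}" 2>&1 |
        while IFS= read -r ln || [ -n "$ln" ]; do
          ln=${ln//"$au"/"$ou"}
          printf '%s\n' "$ln"
        done >&2
    # … unchanged: else branch running the command unfiltered …
```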