aboutsummaryrefslogtreecommitdiff
path: root/server
diff options
context:
space:
mode:
authorKaren Arutyunov <karen@codesynthesis.com>2018-06-04 18:47:16 +0300
committerKaren Arutyunov <karen@codesynthesis.com>2018-06-04 18:47:16 +0300
commit05af074f7d6f66ce400241e869e623eb72b85c01 (patch)
tree69cbcb5ade770a5781304c3a9af08d9e476d86ee /server
parent9605ad02c9dcb7cd50e064f654149071784e1e5a (diff)
Fix mrrepo script to filter out remote URL credentials from diagnostics
Diffstat (limited to 'server')
-rwxr-xr-xserver/mrrepo35
1 files changed, 27 insertions, 8 deletions
diff --git a/server/mrrepo b/server/mrrepo
index aae1e54..029ce35 100755
--- a/server/mrrepo
+++ b/server/mrrepo
@@ -134,10 +134,13 @@ function field () # <line> <num> [<name>]
}
# Collect new repositories (in the new array) and while at it fix up remote
-# URLs with credentials (in the remotes map).
+# URLs with credentials (in the auth_remotes map). Note that we still save
+# original remote URLs to use them for diagnostics not to expose credentials
+# (think about cron job diagnostics sent by email).
#
new=()
-declare -A remotes
+declare -A orig_remotes
+declare -A auth_remotes
while read l || [ -n "$l" ]; do
r=$(field "$l" 1 'path')
@@ -149,6 +152,8 @@ while read l || [ -n "$l" ]; do
# Note that currently we only support adding credentials for https URLs.
#
if [ -n "$u" ]; then
+ orig_remotes["$r"]="$u"
+
for p in "${!credentials[@]}"; do
if [[ "$u" == "$p"* ]]; then
c="${credentials[$p]}"
@@ -157,7 +162,7 @@ while read l || [ -n "$l" ]; do
fi
done
- remotes["$r"]="$u"
+ auth_remotes["$r"]="$u"
fi
done < <(sed -e '/^\s*#/d;/^\s*$/d;s/\s\s*/ /g' manifest)
@@ -201,17 +206,31 @@ for r in "${new[@]}"; do
# Mirror to the remote URL, if present.
#
- u="${remotes[$r]}"
- if [ -n "$u" ]; then
+ au="${auth_remotes[$r]}"
+ if [ -n "$au" ]; then
+ cmd=( git -C "$r" push "${git_ops[@]}" --mirror "$au" )
+
+ # Note that in the verbose mode, for troubleshooting, we still print the
+ # URLs that possibly contain credentials.
+ #
if [ "$verb" -ge 1 ]; then
- info "remote URL $u for repository $r, pushing"
- info git -C "$r" push "${git_ops[@]}" --mirror "$u"
+ info "remote URL $au for repository $r, pushing"
+ info "${cmd[@]}"
fi
# Disable prompting for username/password if credentials are missing for
# the remote URL and fail instead.
#
- GIT_TERMINAL_PROMPT=0 git -C "$r" push "${git_ops[@]}" --mirror "$u"
+ # If the remote URL differs from the original one then it contains
+ # credentials. It may potentially appear in git's STDERR, so we replace all
+ # its occurrences with the original one, not containing credentials.
+ #
+ ou="${orig_remotes[$r]}"
+ if [ "$au" != "$ou" ]; then
+ GIT_TERMINAL_PROMPT=0 "${cmd[@]}" 2>&1 | sed "s%$au%$ou%g" >&2
+ else
+ GIT_TERMINAL_PROMPT=0 "${cmd[@]}"
+ fi
fi
done