From: Mathieu Othacehe
To: Ludovic Courtès
Cc: 38320@debbugs.gnu.org, Erik Edrosa, Clément Lassieur
Subject: Re: bug#38320: Cuirass: Allow to use authenticated Git repositories as inputs
Date: Tue, 04 Feb 2020 10:16:47 +0100

Hello,

Here's a small patch to (guix git) so that cloning/fetching from ssh
authenticated repositories is supported using ssh agent.

I tested:

* guix pull --url=git@gitlab.com:mothacehe/private.git
* guix pull with the following channel configuration

--8<---------------cut here---------------start------------->8---
(cons* (channel
        (name 'gitlab)
        (url "git@gitlab.com:mothacehe/test-channel.git"))
       %default-channels)
--8<---------------cut here---------------end--------------->8---

This works fine, but we still need to see how it works for Cuirass
inputs and (guix git-download) module.

Mathieu

[0001-git-Add-ssh-authentication-support.patch (text/x-diff, inline)]

From ae380c15f1c37e2c94e0954975f5f712e76340ac Mon Sep 17 00:00:00 2001
From: Mathieu Othacehe Date: Mon, 3 Feb 2020 18:05:02 +0100 Subject: [PATCH] git: Add ssh authentication support. SSH agent authentication method is used. * guix/git.scm (auth-method): New variable, (clone*): pass previous variable in clone options, (update-cached-checkout): pass previous variable in fetch options. --- guix/git.scm | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/guix/git.scm b/guix/git.scm index a12f1eec8e..aee7b325e0 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright =C2=A9 2017 Mathieu Othacehe +;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe ;;; Copyright =C2=A9 2018, 2019, 2020 Ludovic Court=C3=A8s ;;; ;;; This file is part of GNU Guix. @@ -108,6 +108,9 @@ the 'SSL_CERT_FILE' and 'SSL_CERT_DIR' environment vari= ables." (string-append "R:" url) url)))))) =20 +;; Default authentication method. +(define auth-method (%make-auth-ssh-agent)) + (define (clone* url directory) "Clone git repository at URL into DIRECTORY. Upon failure, make sure no empty directory is left behind." @@ -119,7 +122,9 @@ make sure no empty directory is left behind." ;; value in Guile-Git: . (if (module-defined? (resolve-interface '(git)) 'clone-init-options) - (clone url directory (clone-init-options)) + (clone url directory + (make-clone-options + #:fetch-options (make-fetch-options auth-method))) (clone url directory))) (lambda _ (false-if-exception (rmdir directory))))) 
@@ -281,7 +286,8 @@ When RECURSIVE? is true, check out submodules as well, = if any." ;; Only fetch remote if it has not been cloned just before. (when (and cache-exists? (not (reference-available? repository ref))) - (remote-fetch (remote-lookup repository "origin"))) + (remote-fetch (remote-lookup repository "origin") + #:fetch-options (make-fetch-options auth-method))) (when recursive? (update-submodules repository #:log-port log-port)) (let ((oid (switch-to-ref repository canonical-ref))) --=20 2.25.0

Ludovic Courtès writes:

> Hey ho!
>
> Clément Lassieur writes:
>
>> Whoo, nice, thank you so much Mathieu!  I'll test everything this
>> week-end probably, and start working on the (guix git) / Cuirass
>> counterpart (which is 1% of the work :D).
>
> Neat!
>
>>> So "latest-repository-commit" could be called with ssh authentication
>>> parameters. However, the guix-daemon won't be able to communicate with the
>>> user ssh-agent, and storing an unencrypted private ssh key in the store
>>> doesn't feel great to me.
>>>
>>> Do you see any workaround?
>>
>> As far as I understand, LATEST-REPOSITORY-COMMIT is never called by the
>> daemon, it downloads stuff first and then calls ADD-TO-STORE.  So both
>> using the SSH agent or passing a private SSH key should be
>> straightforward.
>
> Indeed.  ‘guix pull --url’ and ‘guix build --with-git-url’ (and similar)
> should work just fine.
>
> Thanks!
>
> Ludo’.
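Review bot: In the @@ -108,6 hunk, the top-level `(define auth-method (%make-auth-ssh-agent))` is evaluated when (guix git) is loaded and has no guard, while clone* below still checks `module-defined?` for older Guile-Git; if `%make-auth-ssh-agent` is missing in such a version, loading the module fails outright. It also fixes the method to the SSH agent for every caller, which the thread already notes does not fit a process that cannot reach the user's agent. Consider making it a parameter, or an argument of clone* and update-cached-checkout, that defaults to the agent, and extend the comment to say which callers rely on it.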
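Review bot: In the @@ -119,7 hunk of clone*, the guard still tests for `clone-init-options`, but the branch it protects now calls `make-clone-options` and `make-fetch-options` instead. Test for the bindings that are actually used, or drop the check altogether, and make sure the comment above the guard still matches what the code does.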
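Review bot: In the @@ -281,7 hunk, `remote-fetch` is given `#:fetch-options` unconditionally, whereas clone* keeps a `(clone url directory)` fallback for a Guile-Git without options support, so the two paths disagree about which versions are supported. Either guard this call the same way or drop the fallback in clone* and require a Guile-Git that provides `make-fetch-options`. The docstring of update-cached-checkout should also mention that fetches are now authenticated through the SSH agent.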