CR-9195 validate git source token (#244)

* validate git source token

* wip

* removed option for different repo for git source
added PAT flag

* change strings in wizard

* modify strings

* modified token type to personal

* bump

* lint error
bug fixed

* lint err

* handle prompt errors better

* docs update

* small fix

* removed security fix from release notes

* bump

* handle prompt errors

* added initializeGitSourceCloneOpts

* removed recognizing ^C error

* taking values from variable and not flag

Author: rotem-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.226
+VERSION=v0.0.227
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/common.go

@@ -105,13 +105,14 @@ func askUserIfToInstallDemoResources(cmd *cobra.Command, sampleInstall *bool) er
 
 		_, result, err := prompt.Run()
 		if err != nil {
-			return fmt.Errorf("Prompt error: %w", err)
+			return err
 		}
 
 		if result == "No" {
 			*sampleInstall = false
 		}
 	}
+
 	return nil
 }
 
@@ -152,9 +153,11 @@ func getRepoFromUserInput(cmd *cobra.Command) error {
 	}
 	repoInput, err := repoPrompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
+
 	die(cmd.Flags().Set("repo", repoInput))
+
 	return nil
 }
 
@@ -179,11 +182,14 @@ func getRuntimeNameFromUserInput(runtimeName *string) error {
 		Default: "codefresh",
 		Pointer: promptui.PipeCursor,
 	}
+
 	runtimeNameInput, err := runtimeNamePrompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
+
 	*runtimeName = runtimeNameInput
+
 	return nil
 }
 
@@ -218,7 +224,7 @@ func getRuntimeNameFromUserSelect(ctx context.Context, runtimeName *string) erro
 
 		_, result, err := prompt.Run()
 		if err != nil {
-			return fmt.Errorf("Prompt error: %w", err)
+			return err
 		}
 
 		*runtimeName = result
@@ -241,7 +247,7 @@ func getIngressClassFromUserSelect(ctx context.Context, ingressClassNames []stri
 
 	_, result, err := prompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
 
 	*ingressClass = result
@@ -271,7 +277,7 @@ func ensureGitToken(cmd *cobra.Command, cloneOpts *git.CloneOptions, verify bool
 	}
 
 	if verify {
-		err := cfgit.VerifyToken(cmd.Context(), cloneOpts.Provider, cloneOpts.Auth.Password)
+		err := cfgit.VerifyToken(cmd.Context(), cloneOpts.Provider, cloneOpts.Auth.Password, cfgit.RuntimeToken)
 		if err != nil {
 			return fmt.Errorf("failed to verify git token: %w", err)
 		}
@@ -282,23 +288,35 @@ func ensureGitToken(cmd *cobra.Command, cloneOpts *git.CloneOptions, verify bool
 
 func ensureGitPAT(cmd *cobra.Command, opts *RuntimeInstallOptions) error {
 	var err error
-	if !store.Get().Silent {
-		return getGitPATFromUserInput(cmd, opts)
+	tokenFromFlag := opts.GitIntegrationRegistrationOpts.Token
+
+	if  tokenFromFlag == "" {
+		if !store.Get().Silent {
+			err = getGitPATFromUserInput(cmd, opts)
+			if err != nil {
+				return err
+			}
+		} else {
+			log.G(cmd.Context()).Info("Using runtime token as personal user token")
+			opts.GitIntegrationRegistrationOpts.Token = opts.InsCloneOpts.Auth.Password
+			if err != nil {
+				return err
+			}
+		}
 	}
 
-	opts.GitIntegrationRegistrationOpts.Token, err = cmd.Flags().GetString("git-token")
-	return err
+	return cfgit.VerifyToken(cmd.Context(), opts.InsCloneOpts.Provider, opts.GitIntegrationRegistrationOpts.Token, cfgit.PersonalToken)
 }
 
 func getGitPATFromUserInput(cmd *cobra.Command, opts *RuntimeInstallOptions) error {
 	gitPATPrompt := promptui.Prompt{
-		Label: "Enter your Personal Git Access Token (leave blank to use runtime token. Can be changed later)",
+		Label: "Personal git token for your user (skip to use runtime token)",
 		Mask:  '*',
 	}
 
 	gitPAT, err := gitPATPrompt.Run()
 	if err != nil {
-		return fmt.Errorf("prompt error: %w", err)
+		return err
 	}
 
 	if gitPAT == "" {
@@ -314,14 +332,16 @@ func getGitPATFromUserInput(cmd *cobra.Command, opts *RuntimeInstallOptions) err
 
 func getGitTokenFromUserInput(cmd *cobra.Command) error {
 	gitTokenPrompt := promptui.Prompt{
-		Label: "Git provider api token",
+		Label: "Runtime git api token",
 		Mask:  '*',
 	}
 	gitTokenInput, err := gitTokenPrompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
+
 	die(cmd.Flags().Set("git-token", gitTokenInput))
+
 	return nil
 }
 
@@ -361,7 +381,7 @@ func promptSummaryToUser(ctx context.Context, finalParameters map[string]string,
 
 	_, result, err := prompt.Run()
 	if err != nil {
-		return false, fmt.Errorf("Prompt error: %w", err)
+		return false, err
 	}
 
 	if result == "Yes" {
@@ -409,7 +429,7 @@ func getKubeContextNameFromUserSelect(cmd *cobra.Command, kubeContextName *strin
 
 	index, _, err := prompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
 
 	result := contextsIndex[index]
@@ -429,7 +449,7 @@ func getIngressHostFromUserInput(ctx context.Context, opts *RuntimeInstallOption
 
 	ingressHostInput, err := ingressHostPrompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
 
 	opts.IngressHost = ingressHostInput
@@ -471,7 +491,7 @@ func setIngressHost(ctx context.Context, opts *RuntimeInstallOptions) error {
 		}
 	}
 
-	if opts.IngressController == "" {
+	if opts.IngressHost == "" {
 		return fmt.Errorf("please provide an ingress host via --ingress-host or installation wizard")
 	}
 
@@ -558,7 +578,7 @@ func askUserIfToProceedWithInsecure(ctx context.Context) error {
 
 	_, result, err := prompt.Run()
 	if err != nil {
-		return fmt.Errorf("Prompt error: %w", err)
+		return err
 	}
 
 	if result == "Yes" {

cmd/commands/runtime.go

@@ -215,6 +215,7 @@ func NewRuntimeInstallCommand() *cobra.Command {
 
 	cmd.Flags().StringVar(&installationOpts.IngressHost, "ingress-host", "", "The ingress host")
 	cmd.Flags().StringVar(&installationOpts.IngressClass, "ingress-class", "", "The ingress class name")
+	cmd.Flags().StringVar(&installationOpts.GitIntegrationRegistrationOpts.Token, "personal-git-token", "", "The Personal git token for your user")
 	cmd.Flags().StringVar(&installationOpts.versionStr, "version", "", "The runtime version to install (default: latest)")
 	cmd.Flags().BoolVar(&installationOpts.InstallDemoResources, "demo-resources", true, "Installs demo resources (default: true)")
 	cmd.Flags().DurationVar(&store.Get().WaitTimeout, "wait-timeout", store.Get().WaitTimeout, "How long to wait for the runtime components to be ready")
@@ -224,11 +225,12 @@ func NewRuntimeInstallCommand() *cobra.Command {
 	installationOpts.InsCloneOpts = apu.AddCloneFlags(cmd, &apu.CloneFlagsOptions{
 		CreateIfNotExist: true,
 	})
-	installationOpts.GsCloneOpts = apu.AddCloneFlags(cmd, &apu.CloneFlagsOptions{
-		Prefix:           "git-src",
-		Optional:         true,
+
+	installationOpts.GsCloneOpts = &git.CloneOptions{
+		FS: fs.Create(memfs.New()),
 		CreateIfNotExist: true,
-	})
+	}
+
 	installationOpts.KubeFactory = kube.AddFlags(cmd.Flags())
 
 	util.Die(cmd.Flags().MarkHidden("bypass-ingress-class-check"))
@@ -307,22 +309,7 @@ func runtimeInstallCommandPreRunHandler(cmd *cobra.Command, opts *RuntimeInstall
 		return err
 	}
 
-	if opts.GsCloneOpts.Auth.Username == "" {
-		opts.GsCloneOpts.Auth.Username = opts.InsCloneOpts.Auth.Username
-	}
-
-	if opts.GsCloneOpts.Auth.Password == "" {
-		opts.GsCloneOpts.Auth.Password = opts.InsCloneOpts.Auth.Password
-	}
-
-	if opts.GsCloneOpts.Repo == "" {
-		host, orgRepo, _, _, _, suffix, _ := aputil.ParseGitUrl(opts.InsCloneOpts.Repo)
-		opts.GsCloneOpts.Repo = host + orgRepo + "_git-source" + suffix + "/resources" + "_" + opts.RuntimeName
-	}
-
-	if opts.GsCloneOpts.Provider == "" {
-		opts.GsCloneOpts.Provider = opts.InsCloneOpts.Provider
-	}
+	initializeGitSourceCloneOpts(opts)
 
 	opts.InsCloneOpts.Parse()
 	opts.GsCloneOpts.Parse()
@@ -1864,3 +1851,11 @@ func getVersionIfExists(opts *RuntimeInstallOptions) error {
 	}
 	return nil
 }
+
+func initializeGitSourceCloneOpts(opts *RuntimeInstallOptions) {
+	opts.GsCloneOpts.Provider = opts.InsCloneOpts.Provider
+	opts.GsCloneOpts.Auth = opts.InsCloneOpts.Auth
+	opts.GsCloneOpts.Progress = opts.InsCloneOpts.Progress
+	host, orgRepo, _, _, _, suffix, _ := aputil.ParseGitUrl(opts.InsCloneOpts.Repo)
+	opts.GsCloneOpts.Repo = host + orgRepo + "_git-source" + suffix + "/resources" + "_" + opts.RuntimeName
+}

docs/commands/cli-v2_runtime_install.md

@@ -28,24 +28,21 @@ cli-v2 runtime install [runtime_name] [flags]
 ### Options
 
 ```
-      --context string             The name of the kubeconfig context to use
-      --demo-resources             Installs demo resources (default: true) (default true)
-      --git-src-git-token string   Your git provider api token [GIT_SRC_GIT_TOKEN]
-      --git-src-git-user string    Your git provider user name [GIT_SRC_GIT_USER] (not required in GitHub)
-      --git-src-provider string    The git provider, one of: gitea|github|gitlab
-      --git-src-repo string        Repository URL [GIT_SRC_GIT_REPO]
-  -t, --git-token string           Your git provider api token [GIT_TOKEN]
-  -u, --git-user string            Your git provider user name [GIT_USER] (not required in GitHub)
-  -h, --help                       help for install
-      --ingress-class string       The ingress class name
-      --ingress-host string        The ingress host
-      --kubeconfig string          Path to the kubeconfig file to use for CLI requests.
-  -n, --namespace string           If present, the namespace scope for this CLI request
-      --provider string            The git provider, one of: gitea|github|gitlab
-      --provider-api-url string    Git provider API url
-      --repo string                Repository URL [GIT_REPO]
-      --version string             The runtime version to install (default: latest)
-      --wait-timeout duration      How long to wait for the runtime components to be ready (default 8m0s)
+      --context string              The name of the kubeconfig context to use
+      --demo-resources              Installs demo resources (default: true) (default true)
+  -t, --git-token string            Your git provider api token [GIT_TOKEN]
+  -u, --git-user string             Your git provider user name [GIT_USER] (not required in GitHub)
+  -h, --help                        help for install
+      --ingress-class string        The ingress class name
+      --ingress-host string         The ingress host
+      --kubeconfig string           Path to the kubeconfig file to use for CLI requests.
+  -n, --namespace string            If present, the namespace scope for this CLI request
+      --personal-git-token string   The Personal git token for your user
+      --provider string             The git provider, one of: gitea|github|gitlab
+      --provider-api-url string     Git provider API url
+      --repo string                 Repository URL [GIT_REPO]
+      --version string              The runtime version to install (default: latest)
+      --wait-timeout duration       How long to wait for the runtime components to be ready (default 8m0s)
 ```
 
 ### Options inherited from parent commands

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.226/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.227/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.226/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.227/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: "{{ namespace }}"
 spec:
   defVersion: 1.0.0
-  version: 0.0.226
+  version: 0.0.227
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events

pkg/git/git.go

@@ -23,14 +23,27 @@ import (
 	"github.com/codefresh-io/cli-v2/pkg/log"
 )
 
+type TokenTypes string
+
+const (
+	RuntimeToken TokenTypes = "runtime token"
+	PersonalToken TokenTypes = "personal token"
+)
 
 var (
-	requiredGitHubScopes = []string{ "repo", "admin:repo_hook" }
+	requiredGitHubRuntimeScopes = []string{ "repo", "admin:repo_hook" }
+	requiredGitHubGitSourceScopes = []string{ "repo" }
+	
+	typeToGitHubScopes = map[TokenTypes][]string {
+		RuntimeToken: requiredGitHubRuntimeScopes,
+		PersonalToken: requiredGitHubGitSourceScopes,
+	}
 )
 
 
-func VerifyToken(ctx context.Context, provider string, token string) error {
-	providerToVerifier := map[string]func(context.Context, string)error {
+
+func VerifyToken(ctx context.Context, provider string, token string, tokenType TokenTypes) error {
+	providerToVerifier := map[string]func(context.Context, string, TokenTypes)error {
 		"github": verifyGitHubTokenScope,
 	}
 
@@ -39,11 +52,11 @@ func VerifyToken(ctx context.Context, provider string, token string) error {
 		return verifyTokenScopeFallback(ctx, provider)
 	}
 
-	return verifier(ctx, token)
+	return verifier(ctx, token, tokenType)
 }
 
-func verifyGitHubTokenScope(ctx context.Context, token string) error {
-	errMessage := "the provided git token is missing one or more of the required scopes:" + strings.Join(requiredGitHubScopes, ", ")
+func verifyGitHubTokenScope(ctx context.Context, token string, tokenType TokenTypes) error {
+	errMessage := fmt.Sprintf("the provided %s is missing one or more of the required scopes: %s", tokenType, strings.Join(typeToGitHubScopes[tokenType], ", "))
 
 	req, err := http.NewRequestWithContext(ctx, "HEAD", "https://api.github.com/", nil)
 	if err != nil {
@@ -65,7 +78,7 @@ func verifyGitHubTokenScope(ctx context.Context, token string) error {
 		scopes = strings.Split(rawScopes[0], ", ")
 	}
 
-	for _, rs := range requiredGitHubScopes {
+	for _, rs := range typeToGitHubScopes[tokenType] {
 		var contained bool
 		for _, scope := range scopes {
 			if scope == rs {
@@ -79,6 +92,8 @@ func verifyGitHubTokenScope(ctx context.Context, token string) error {
 		}
 	}
 
+	log.G(ctx).Info("Token verified")
+
 	return nil
 }