WIP: Allow credential helper to provide SSH password #14578
Draft
What does this PR try to resolve?
I'm currently working on extending docs.rs to support our internal crate registry that usually uses SSH keys for authentication. However, since our crate registry is permissioned, we don't want all users to see all crates, nor should the docs.rs instance have unfettered access to the registry. Users authenticate to the docs.rs instance using an ephemeral OAuth token, and in turn we're using that token to pull from the registry if a new crate is discovered.
This works great for the pulling of .crate files since crates.io uses its own libgit2 instance we can hook into to provide credentials, however in the case of actually building the documentation it shells out to cargo to fetch dependencies. In this case, since Cargo uses the credential-helper as part of its authentication hooks for libgit2, we'd like to use that instead.
The credential-helper in this case is a very simple script that reads from the environment variables passed through on the Command invoked by docs.rs:

git config --global credential.helper '!f() { printf "username=oauth-token\npassword=%s\n" "$GIT_PASSWORD"; }; f'

With this, we can use our ephemeral OAuth tokens as SSH passwords.
How should we test and review this PR?
The easiest way to test is temporarily removing your SSH keys from your agent and using username/password auth to depend on a GitHub repository.
Additional information
This is in draft whilst I keep hacking to see if there's a way around this by other means (maybe smuggling the token in the username via ssh_config and using git-fetch-with-cli or something, I did want to avoid that though for various reasons - or potentially pulling in Cargo as a library in docs.rs).
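The helper the PR description relies on, written out in full as an added example for this page; it is not code from the PR, from Cargo or from docs.rs. Git runs a credential helper as "<helper> <action>" with the request (key=value lines such as protocol= and host=) on stdin and reads key=value lines back on stdout, which is why a bare echo one-liner is fragile: the appended action lands in echo's output as a trailing word, and bash's builtin echo does not interpret \n, so the username and password can come back on a single line. The script below handles the protocol properly and adds the check a practitioner would want, refusing to release the token to a host other than the intended registry. The variable names GIT_PASSWORD, GIT_USERNAME and CREDENTIAL_HOST, the default username "oauth-token" and the host names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR, Cargo or docs.rs: a git credential
# helper that takes the password from the environment, in the shape git
# invokes helpers:
#   <helper> <action>      with the request as key=value lines on stdin
# Only "get" answers; "store" and "erase" are no-ops because the secret never
# touches disk. GIT_PASSWORD, GIT_USERNAME, CREDENTIAL_HOST and the default
# username "oauth-token" are assumed names for this illustration.

credential_helper() {
    action=$1
    host=""
    # Consume the whole request (git terminates it with a blank line or EOF)
    # so git never gets SIGPIPE, and remember the host for the allow-list.
    while IFS= read -r line; do
        [ -n "$line" ] || break
        case $line in
            host=*) host=${line#host=} ;;
        esac
    done

    # store/erase: nothing to persist, succeed silently.
    [ "$action" = "get" ] || return 0

    if [ -z "${GIT_PASSWORD:-}" ]; then
        echo "credential helper: GIT_PASSWORD is not set" >&2
        return 1
    fi

    # If CREDENTIAL_HOST is set, refuse to hand the token to any other host;
    # an empty reply makes git move on to the next helper or prompt.
    if [ -n "${CREDENTIAL_HOST:-}" ] && [ "$host" != "$CREDENTIAL_HOST" ]; then
        return 0
    fi

    # printf, not echo: echo's handling of \n differs between dash and bash.
    printf 'username=%s\npassword=%s\n' "${GIT_USERNAME:-oauth-token}" "$GIT_PASSWORD"
}

# Installed as an executable named git-credential-env, the script acts as the
# helper itself; when sourced (e.g. for testing) it only defines the function.
case ${0##*/} in
    git-credential-env) credential_helper "$@" ;;
esac
```

Wire it in by absolute path, for example "git config --global credential.helper /usr/local/bin/git-credential-env", and have the Command that docs.rs builds set GIT_PASSWORD (and CREDENTIAL_HOST to the registry host) in the child's environment rather than on the command line, so the token is not visible in the process list. If an inline "!" helper is preferred, the "!f() { ...; }; f" form is the one to use, since the function absorbs the action git appends instead of letting it leak into the output.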