Simplest way to pass username & password to Git, when using http(s)?

[er...@tibco.com]

I'm using Ansible to clone / update a Git repository that I'm accessing via HTTP, using username & password. Except that the "git" task really doesn't help me.

I can't put those credentials in the URL, because they then end up stashed in the config of the git repository. That causes problems downstream, including disclosure of the password to anyone else who has access to the box, and if the password changes, failures in the Ansible script.

One work-around I came up with was the following:

# set up the Git credential cache...
- name: Set up credential cache
  command: git config --global credential.helper cache

# shove credentials into it...
- name: Fetch git repositories
  shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username }}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git ]; then (cd reponame.git && git pull); else git clone http://{{ username }}@git.example.com/git/reponame reponame.git ; fi

This works, but doesn't take care of various corner cases that the Ansible "git" task does take care of. Also potentially puts the password in the log file. Next approximation is to write the input to git credential approve to a file, using the "template" task, but that leaves behind a file I have to delete. So at that point, rather than using credential "cache", use the "store".

So I ended up with this:

- name: Install temp file with personal git credentials
  template: src="git_creds.txt.j2" dest="{{ ansible_env.HOME }}/git_creds.txt" mode=0600

- name: Approve credentials for Git.
  command: /bin/bash -c "git config --global credential.helper store; cat git_creds.txt | git credential approve"

- name: Fetch Git repository
  git: dest={{ ansible_env.HOME }}/reponame repo=http://git.example.com/git/reponame

- name: remove stored creds
  command: /bin/bash -c "cat git_creds.txt | git credential reject ; rm git_creds.txt"

This has a bad failure mode, though - if the script fails, then the credentials get left behind on the box.

Is there any better way to do this?!?!

Should I file a bug to have the "git" task take username and password, and perform the steps that I'm going through above, but then also able to do the cleanup if the Git command fails? Or should the "git" task be able to push the password on stdin?

Thanks for any help!

Eric.

[Matt Martz]

Can't you just do?

repo=http://username:pass...@git.example.com/git/reponame

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/b086e2fc-0978-43e7-ba4f-bc154b428e88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Matt Martz
@sivel
sivel.net

[er...@tibco.com]

On Saturday, February 20, 2016 at 8:45:17 AM UTC-8, Matt Martz wrote:

Can't you just do?

repo=http://username:password@git.example.com/git/reponame

As I said in my original post, that causes problems downstream, including breakage if the password changes, as well as password disclosure to anyone who has access to the same part of the file system on the box.

And that's just the problems I've discovered so far.

Eric.

[Toshio Kuratomi]

This wouldn't be a bug but it might be a feature.  I'm not sure if we'd want to do all the credential cache stuff inside of the git module or might like to split that out into a separate module.

If the password can be given to git on stdin in your case, that does seem like a way to add it to the current git module.  A pr for that would be welcome.

-Toshio