Unify identity/provisioned_key into key block #235
@@ -390,11 +390,11 @@ def _provision_dynamic_key(
|
|||||||
can inject it into the GitGateUpstream as `identity_file`."""
|
can inject it into the GitGateUpstream as `identity_file`."""
|
||||||
from .deploy_key_provisioner import get_provisioner
|
from .deploy_key_provisioner import get_provisioner
|
||||||
pk = entry.Key
|
pk = entry.Key
|
||||||
token = os.environ.get(pk.provisioner_token)
|
token = os.environ.get(pk.forge_token_env)
|
||||||
if token is None:
|
if token is None:
|
||||||
raise RuntimeError(
|
raise RuntimeError(
|
||||||
f"git-gate.repos[{entry.Name!r}] key.provisioner_token"
|
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
||||||
f" = {pk.provisioner_token!r}: env var is not set"
|
f" = {pk.forge_token_env!r}: env var is not set"
|
||||||
)
|
)
|
||||||
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
||||||
provisioner = get_provisioner(pk.provider, token, api_url)
|
provisioner = get_provisioner(pk.provider, token, api_url)
|
||||||
@@ -434,11 +434,11 @@ def revoke_git_gate_provisioned_keys(bottle: ManifestBottle, stage_dir: Path) ->
|
|||||||
if not id_file.exists():
|
if not id_file.exists():
|
||||||
continue
|
continue
|
||||||
key_id = id_file.read_text().strip()
|
key_id = id_file.read_text().strip()
|
||||||
token = os.environ.get(pk.provisioner_token)
|
token = os.environ.get(pk.forge_token_env)
|
||||||
if token is None:
|
if token is None:
|
||||||
raise RuntimeError(
|
raise RuntimeError(
|
||||||
f"git-gate.repos[{entry.Name!r}] key.provisioner_token"
|
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
||||||
f" = {pk.provisioner_token!r}: env var is not set;"
|
f" = {pk.forge_token_env!r}: env var is not set;"
|
||||||
f" cannot revoke deploy key {key_id}"
|
f" cannot revoke deploy key {key_id}"
|
||||||
)
|
)
|
||||||
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
||||||
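Review bot: The `if token is None:` guard, which appears in both `_provision_dynamic_key` and `revoke_git_gate_provisioned_keys`, only catches an unset variable. An env var that is exported but empty passes the check and is handed on as the forge token. Changing both guards to `if not token:` keeps the explicit "env var is not set" error for that case, although the message wording would then want to read "not set or empty". This likely matters most on the revoke path, where a later authentication failure could leave the deploy key named in `key_id` active on the forge. Both function bodies start and end outside the visible hunks, so any later handling of an empty token cannot be confirmed from here.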
|
|||||||
@@ -78,14 +78,14 @@ class ManifestKeyConfig:
|
|||||||
|
|
||||||
For `static`: `path` is the host-side absolute path to the SSH private key.
|
For `static`: `path` is the host-side absolute path to the SSH private key.
|
||||||
|
|
||||||
For `gitea`: `provisioner_token` is the name of a host-side env var
|
For `gitea`: `forge_token_env` is the name of a host-side env var
|
||||||
carrying the Gitea API token; the value is read at provision time,
|
carrying the Gitea API token; the value is read at provision time,
|
||||||
never stored on the plan. `api_url` is the forge's HTTP API root; if
|
never stored on the plan. `api_url` is the forge's HTTP API root; if
|
||||||
empty, it is derived from the upstream URL's host at provision time."""
|
empty, it is derived from the upstream URL's host at provision time."""
|
||||||
|
|
||||||
provider: str
|
provider: str
|
||||||
path: str = ""
|
path: str = ""
|
||||||
provisioner_token: str = ""
|
forge_token_env: str = ""
|
||||||
api_url: str = ""
|
api_url: str = ""
|
||||||
|
|
||||||
|
|
||||||
@@ -212,16 +212,16 @@ def _parse_key_config(
|
|||||||
|
|
||||||
# provider == "gitea"
|
# provider == "gitea"
|
||||||
for k in d:
|
for k in d:
|
||||||
if k not in {"provider", "provisioner_token", "api_url"}:
|
if k not in {"provider", "forge_token_env", "api_url"}:
|
||||||
raise ManifestError(
|
raise ManifestError(
|
||||||
f"bottle '{bottle_name}' {label}.key has unknown key {k!r} "
|
f"bottle '{bottle_name}' {label}.key has unknown key {k!r} "
|
||||||
f"for provider 'gitea'; allowed: provider, provisioner_token, api_url"
|
f"for provider 'gitea'; allowed: provider, forge_token_env, api_url"
|
||||||
)
|
)
|
||||||
provisioner_token = d.get("provisioner_token")
|
forge_token_env = d.get("forge_token_env")
|
||||||
if not isinstance(provisioner_token, str) or not provisioner_token:
|
if not isinstance(forge_token_env, str) or not forge_token_env:
|
||||||
raise ManifestError(
|
raise ManifestError(
|
||||||
f"bottle '{bottle_name}' {label}.key missing required "
|
f"bottle '{bottle_name}' {label}.key missing required "
|
||||||
f"string field 'provisioner_token' for provider 'gitea'"
|
f"string field 'forge_token_env' for provider 'gitea'"
|
||||||
)
|
)
|
||||||
api_url_raw = d.get("api_url", "")
|
api_url_raw = d.get("api_url", "")
|
||||||
if not isinstance(api_url_raw, str):
|
if not isinstance(api_url_raw, str):
|
||||||
@@ -230,7 +230,7 @@ def _parse_key_config(
|
|||||||
)
|
)
|
||||||
return ManifestKeyConfig(
|
return ManifestKeyConfig(
|
||||||
provider=provider,
|
provider=provider,
|
||||||
provisioner_token=provisioner_token,
|
forge_token_env=forge_token_env,
|
||||||
api_url=api_url_raw,
|
api_url=api_url_raw,
|
||||||
)
|
)
|
||||||
|
|
||||||
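Review bot: `_parse_key_config` accepts any non-empty string for `forge_token_env`, while the provisioning and revoke code on this page repeats that string with `!r` in its "env var is not set" error. A token pasted into the manifest in place of a variable name would therefore end up in exception text and logs. Validating the shape at parse time would close this, for example `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", forge_token_env):` followed by a `ManifestError` that does not echo the value; whether `re` is already imported in this file is not visible here. Separately, manifests that still carry `provisioner_token` now fall into the generic unknown-key branch, so a dedicated message naming `forge_token_env` as the replacement would make the schema change easier to diagnose. The function continues outside these hunks.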
|
|||||||
@@ -296,14 +296,14 @@ class TestGiteaKey(unittest.TestCase):
|
|||||||
"url": "ssh://git@gitea.dideric.is:30009/didericis/bot-bottle.git",
|
"url": "ssh://git@gitea.dideric.is:30009/didericis/bot-bottle.git",
|
||||||
"key": {
|
"key": {
|
||||||
"provider": "gitea",
|
"provider": "gitea",
|
||||||
"provisioner_token": "GITEA_TOKEN",
|
"forge_token_env": "GITEA_TOKEN",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}))
|
}))
|
||||||
e = m.bottles["dev"].git[0]
|
e = m.bottles["dev"].git[0]
|
||||||
self.assertEqual("bot-bottle", e.Name)
|
self.assertEqual("bot-bottle", e.Name)
|
||||||
self.assertEqual("gitea", e.Key.provider)
|
self.assertEqual("gitea", e.Key.provider)
|
||||||
self.assertEqual("GITEA_TOKEN", e.Key.provisioner_token)
|
self.assertEqual("GITEA_TOKEN", e.Key.forge_token_env)
|
||||||
self.assertEqual("", e.Key.api_url)
|
self.assertEqual("", e.Key.api_url)
|
||||||
self.assertEqual("", e.IdentityFile)
|
self.assertEqual("", e.IdentityFile)
|
||||||
|
|
||||||
@@ -313,7 +313,7 @@ class TestGiteaKey(unittest.TestCase):
|
|||||||
"url": "ssh://git@gitea.example.com/org/repo.git",
|
"url": "ssh://git@gitea.example.com/org/repo.git",
|
||||||
"key": {
|
"key": {
|
||||||
"provider": "gitea",
|
"provider": "gitea",
|
||||||
"provisioner_token": "MY_TOKEN",
|
"forge_token_env": "MY_TOKEN",
|
||||||
"api_url": "https://gitea.example.com",
|
"api_url": "https://gitea.example.com",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -324,12 +324,12 @@ class TestGiteaKey(unittest.TestCase):
|
|||||||
m = Manifest.from_json_obj(_manifest({
|
m = Manifest.from_json_obj(_manifest({
|
||||||
"foo": {
|
"foo": {
|
||||||
"url": "ssh://git@github.com/didericis/foo.git",
|
"url": "ssh://git@github.com/didericis/foo.git",
|
||||||
"key": {"provider": "gitea", "provisioner_token": "T"},
|
"key": {"provider": "gitea", "forge_token_env": "T"},
|
||||||
},
|
},
|
||||||
}))
|
}))
|
||||||
self.assertEqual("", m.bottles["dev"].git[0].IdentityFile)
|
self.assertEqual("", m.bottles["dev"].git[0].IdentityFile)
|
||||||
|
|
||||||
def test_gitea_key_missing_provisioner_token_dies(self):
|
def test_gitea_key_missing_forge_token_env_dies(self):
|
||||||
with self.assertRaises(ManifestError):
|
with self.assertRaises(ManifestError):
|
||||||
Manifest.from_json_obj(_manifest({
|
Manifest.from_json_obj(_manifest({
|
||||||
"foo": {
|
"foo": {
|
||||||
@@ -345,7 +345,7 @@ class TestGiteaKey(unittest.TestCase):
|
|||||||
"url": "ssh://git@github.com/foo.git",
|
"url": "ssh://git@github.com/foo.git",
|
||||||
"key": {
|
"key": {
|
||||||
"provider": "gitea",
|
"provider": "gitea",
|
||||||
"provisioner_token": "T",
|
"forge_token_env": "T",
|
||||||
"key_type": "rsa", # not allowed
|
"key_type": "rsa", # not allowed
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|||||||