Merge pull request #9806 from hercules-ci/fix-git-auth

Fix git auth

src/libfetchers/git-utils.cc

@@ -139,6 +139,7 @@ T peelObject(git_repository * repo, git_object * obj, git_object_t type)
 
 struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
 {
+    /** Location of the repository on disk. */
     CanonPath path;
     Repository repo;
 
@@ -382,27 +383,20 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     {
         Activity act(*logger, lvlTalkative, actFetchTree, fmt("fetching Git repository '%s'", url));
 
-        Remote remote;
+        // TODO: implement git-credential helper support (preferably via libgit2, which as of 2024-01 does not support that)
+        //       then use code that was removed in this commit (see blame)
 
-        if (git_remote_create_anonymous(Setter(remote), *this, url.c_str()))
+        auto dir = this->path;
-            throw Error("cannot create Git remote '%s': %s", url, git_error_last()->message);
 
-        char * refspecs[] = {(char *) refspec.c_str()};
+        runProgram(RunOptions {
-        git_strarray refspecs2 {
+            .program = "git",
-            .strings = refspecs,
+            .searchPath = true,
-            .count = 1
+            // FIXME: git stderr messes up our progress indicator, so
-        };
+            // we're using --quiet for now. Should process its stderr.
-
+            .args = { "-C", path.abs(), "fetch", "--quiet", "--force", "--", url, refspec },
-        git_fetch_options opts = GIT_FETCH_OPTIONS_INIT;
+            .input = {},
-        // FIXME: for some reason, shallow fetching over ssh barfs
+            .isInteractive = true
-        // with "could not read from remote repository".
+        });
-        opts.depth = shallow && parseURL(url).scheme != "ssh" ? 1 : GIT_FETCH_DEPTH_FULL;
-        opts.callbacks.payload = &act;
-        opts.callbacks.sideband_progress = sidebandProgressCallback;
-        opts.callbacks.transfer_progress = transferProgressCallback;
-
-        if (git_remote_fetch(remote.get(), &refspecs2, &opts, nullptr))
-            throw Error("fetching '%s' from '%s': %s", refspec, url, git_error_last()->message);
     }
 
     void verifyCommit(

tests/nixos/fetch-git/test-cases/http-auth/default.nix

@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+  description = "can fetch a private git repo via http";
+  repo.private = true;
+  script = ''
+    # add a file to the repo
+    client.succeed(f"""
+      echo ${config.name /* to make the git tree and store path unique */} > {repo.path}/test-case \
+      && echo lutyabrook > {repo.path}/new-york-state \
+      && {repo.git} add test-case new-york-state \
+      && {repo.git} commit -m 'commit1'
+    """)
+
+    # memoize the revision
+    rev1 = client.succeed(f"""
+      {repo.git} rev-parse HEAD
+    """).strip()
+
+    # push to the server
+    client.succeed(f"""
+      {repo.git} push origin main
+    """)
+
+    # fetch the repo via nix
+    fetched1 = client.succeed(f"""
+      nix eval --impure --raw --expr "(builtins.fetchGit {repo.remote}).outPath"
+    """)
+
+    # check if the committed file is there
+    client.succeed(f"""
+      test -f {fetched1}/new-york-state
+    """)
+
+    # check if the revision is the same
+    rev1_fetched = client.succeed(f"""
+      nix eval --impure --raw --expr "(builtins.fetchGit {repo.remote}).rev"
+    """).strip()
+    assert rev1 == rev1_fetched, f"rev1: {rev1} != rev1_fetched: {rev1_fetched}"
+  '';
+}

tests/nixos/fetch-git/testsupport/gitea-repo.nix

@@ -1,11 +1,31 @@
 { lib, ... }:
 let
-  inherit (lib) mkOption types;
+  inherit (lib)
+    mkIf
+    mkOption
+    types
+    ;
+
+  boolPyLiteral = b: if b then "True" else "False";
 
   testCaseExtension = { config, ... }: {
-    setupScript = ''
+    options = {
-      repo = Repo("${config.name}")
+      repo.enable = mkOption {
-    '';
+        type = types.bool;
+        default = true;
+        description = "Whether to provide a repo variable - automatic repo creation.";
+      };
+      repo.private = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether the repo should be private.";
+      };
+    };
+    config = mkIf config.repo.enable {
+      setupScript = ''
+        repo = Repo("${config.name}", private=${boolPyLiteral config.repo.private})
+      '';
+    };
   };
 in
 {
@@ -16,16 +36,20 @@ in
   };
   config = {
     setupScript = ''
+      def boolToJSON(b):
+        return "true" if b else "false"
+
       class Repo:
         """
         A class to create a git repository on the gitea server and locally.
         """
-        def __init__(self, name):
+        def __init__(self, name, private=False):
           self.name = name
           self.path = "/tmp/repos/" + name
           self.remote = "http://gitea:3000/test/" + name
           self.remote_ssh = "ssh://gitea/root/" + name
           self.git = f"git -C {self.path}"
+          self.private = private
           self.create()
 
         def create(self):
@@ -37,7 +61,7 @@ in
           gitea.succeed(f"""
             curl --fail -X POST http://{gitea_admin}:{gitea_admin_password}@gitea:3000/api/v1/user/repos \
               -H 'Accept: application/json' -H 'Content-Type: application/json' \
-              -d {shlex.quote( f'{{"name":"{self.name}", "default_branch": "main"}}' )}
+              -d {shlex.quote( f'{{"name":"{self.name}", "default_branch": "main", "private": {boolToJSON(self.private)}}}' )}
           """)
           # setup git remotes on client
           client.succeed(f"""