https asking for username/password
Closed this issue · 10 comments
I am trying to use `https` as auth method but when I run the playbook locally I get the prompt for my gitlab username and password, it seems the module is not recognising my username/token.
```yaml
- name: "Checkout new branch"
  command:
    cmd: "git checkout -B {{ testvar }}"

- name: "Create new file to upload"
  copy:
    src: mytest.txt
    dest: "{{ testvar }}.txt"

- name: "Upload config files to gitlab"
  lvrfrc87.git_acp.git_acp:
    user: "myusername"
    token: "mytoken"
    path: "{{ playbook_dir }}"
    branch: "{{ testvar }}"
    add: ["{{ testvar }}.txt"]
    comment: '"{{ git_comment }}"'
    mode: https
    url: https://gitlab.mydomain.com/ansible/test-playbook.git
    user_name: "{{ awx_user_name }}"
    user_email: "{{ awx_user_email }}"
  vars:
    git_comment: "adding..."
    awx_user_name: "myusername"
    awx_user_email: "myname@myemail.com"

- name: "Checkout back to master"
  command:
    cmd: "git checkout master"
```
Log:
```
TASK [Upload config files to gitlab] ************************************************************************************************************************************************************************
task path: /home/username/scripts/test-playbook/test2.yml:29
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: username
<localhost> EXEC /bin/sh -c 'echo ~username && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp `"&& mkdir "` echo /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356 `" && echo ansible-tmp-1660210601.6489577-394703-105101875950356="` echo /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356 `" ) && sleep 0'
Using module file /home/username/scripts/test-playbook/collections/ansible_collections/lvrfrc87/git_acp/plugins/modules/git_acp.py
<localhost> PUT /home/username/.ansible/tmp/ansible-local-394595usq90jg0/tmpglg58whh TO /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356/AnsiballZ_git_acp.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356/ /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356/AnsiballZ_git_acp.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /home/username/.ansible/tmp/ansible-tmp-1660210601.6489577-394703-105101875950356/AnsiballZ_git_acp.py && sleep 0'
Username for 'https://gitlab.mydomain.com': ^C [ERROR]: User interrupted execution. <<<< here
```
In my `.git/config` I did have the ssh url which was using my local ssh key to push code, however, after swapping to `https` I get this error.
Is it possible that the collection is just using my `.git/config` and disregarding my ansible config parameters?
Hello!
When `https` mode is chosen, the URL gets formatted in this way:
```python
command = [
    self.git_path,
    'remote',
    'add',
    origin,
    'https://{0}:{1}@{2}'.format(user, token, url[8:])
]
```
So you should see a remote with your user and token. Can you verify if that is created?
As a side note, `git_acp` uses all the git settings from your local repo. I do not know (yet) if `.git/config` takes priority over the hard coded origin created during module execution.
Hi @lvrfrc87, thanks for the quick reply.
Actually I just tried to remove the lines under: `[remote "origin"]` and re-ran the playbook from your comments, it seems to have worked that time.
I then checked inside of `.git/config` again, and I can see the lines are added by the module.
I wonder if there is a way to detect or override them values if you specify using the module?
I haven't checked the code, but I am assuming you are detecting already because before, them lines were not added, so it must have seen my url with no `user:token` and tried to auth.
It sure would be good to add a temp `config` file and use that for the duration of the play.
Here you could add a simple check:
```python
if ":" not in _output:
    msg = "Git config found, but no username/password set."
    FailingMessage(self.module, rc, command, msg, _error)
```
Or something similar.
I'm not sure in git/config if there is a way to override values, maybe there is.
Thanks for the hint! I will look into it as soon as I can find some time. I might reach out to you again for more info/tests if that's ok with you.
No problem, it definitely is a hint because I just tried it locally and that didn't work. Guess that's what I get for not knowing the code :)
Feel free to reach out.
Ok this seems to work for my use case under `def set_url():`:
```python
if rc == 0:
    if mode == "https":
        if ":" not in _output[8:]:
            msg = "Git config found, but no username/password is set."
            return FailingMessage(self.module, rc, command, msg, _error)
    return
```
But maybe searching for `:` is not the right thing to do, if a user is using a different port they will add an extra `:` to their url, e.g. `https://gitlab.mydomain.com:8888/project/repo.git` which means my check will fail.
Not sure if you wanted to introduce regex, but that would most likely work, or you could potentially just use splitting... just some of my thoughts there :)
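
The port edge case raised above can be handled by parsing the remote URL instead of searching for `:`. This is an added example, not code from the git_acp module or from either participant; the function names are hypothetical and the sample remotes are constructed. `redact()` is included so a failure message never echoes the token that the module stores in `.git/config`.

```python
from urllib.parse import urlsplit, urlunsplit


def remote_credentials(remote_url):
    """Return (user, secret) embedded in an https remote URL, or (None, None).

    urlsplit separates the userinfo part (before '@') from host:port, so a
    custom port such as :8888 is never mistaken for a user:token separator.
    """
    parts = urlsplit(remote_url.strip())
    if parts.scheme != "https":
        return None, None
    return parts.username, parts.password


def remote_needs_update(remote_url, user, token):
    """True when the existing remote lacks the credentials given to the module."""
    return remote_credentials(remote_url) != (user, token)


def redact(remote_url):
    """Mask an embedded secret so the URL is safe to put in a failure message."""
    parts = urlsplit(remote_url.strip())
    if parts.password is None:
        return remote_url.strip()
    host = (parts.hostname or "") + (":%d" % parts.port if parts.port else "")
    netloc = "%s:***@%s" % (parts.username, host)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed samples of what `git remote get-url --all origin` could print.
SAMPLES = [
    "https://gitlab.mydomain.com/ansible/test-playbook.git\n",
    "https://gitlab.mydomain.com:8888/project/repo.git\n",
    "https://myusername:mytoken@gitlab.mydomain.com:8888/project/repo.git\n",
    "git@gitlab.mydomain.com:ansible/test-playbook.git\n",  # ssh-style remote
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(redact(url), remote_needs_update(url, "myusername", "mytoken"))
```

Tokens containing characters such as `@` or `/` would have to be percent-encoded before being placed in the URL; this sketch compares the raw values only.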
> Hi @lvrfrc87, thanks for the quick reply. Actually I just tried to remove the lines under: `[remote "origin"]` and re-ran the playbook from your comments, it seems to have worked that time. I then checked inside of `.git/config` again, and I can see the lines are added by the module. I wonder if there is a way to detect or override them values if you specify using the module? I haven't checked the code, but I am assuming you are detecting already because before, them lines were not added, so it must have seen my url with no `user:token` and tried to auth. It sure would be good to add a temp `config` file and use that for the duration of the play.
In which part of the code are you referring for `[remote "origin"]`?
I would suggest something more like this:
```python
command = [self.git_path, 'remote', 'get-url', '--all', origin]
rc, output, _error = self.module.run_command(command, cwd=self.path)
if rc == 0:
    if ':' in output:
        if output.split(':')[0] != self.user and output.split(':')[1] != self.token:
            command = [
                self.git_path,
                'remote',
                'add',
                origin,
                'https://{0}:{1}@{2}'.format(user, token, url[8:])
            ]
            # bla...bla...bla
```
Need to have a better conditional for checking `:` in the url but pretty much that is the idea.
Would you like to submit a PR ?
Thanks for reporting this btw!
You just read my mind about submitting a PR, first draft is in, if you wanted to check.
I tried to keep the code consistent with your style :)
Feel free to discuss and change things around etc.
Edit: I approached this differently, your method is also viable and OK.