From 615990b92a5c7066f51c9e4563fcda2deff351d0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 28 Jan 2025 14:53:49 +0100
Subject: [PATCH] Use secret-sync for gitpassword (#257)

---------

Co-authored-by: Tim Schumacher <tim@tschumacher.net>
Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>
Co-authored-by: Tim Schumacher <tim.schumacher@dkfz-heidelberg.de>
---
 lib/functions.sh           |  2 +-
 lib/gitlab-token-helper.sh | 11 ++++++++++
 lib/gitpassword.sh         | 41 -----------------------------------
 lib/update-bridgehead.sh   | 44 ++++++++++++++++++++++++++++++++------
 4 files changed, 50 insertions(+), 48 deletions(-)
 create mode 100755 lib/gitlab-token-helper.sh
 delete mode 100755 lib/gitpassword.sh

diff --git a/lib/functions.sh b/lib/functions.sh
index 3fcae38..ed57293 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 
 	for VAR in $@; do
-	if [ -z "${!VAR}" ]; then
+		if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done
diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh
new file mode 100755
index 0000000..e618029
--- /dev/null
+++ b/lib/gitlab-token-helper.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[ "$1" = "get" ] || exit
+
+source /var/cache/bridgehead/secrets/gitlab_token
+
+# Any non-empty username works, only the token matters
+cat << EOF
+username=bk
+password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
+EOF
\ No newline at end of file
diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
deleted file mode 100755
index 17756d6..0000000
--- a/lib/gitpassword.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-if [ "$1" != "get" ]; then
-	echo "Usage: $0 get"
-	exit 1
-fi
-
-baseDir() {
-	# see https://stackoverflow.com/questions/59895
-	SOURCE=${BASH_SOURCE[0]}
-	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
-		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
-		SOURCE=$(readlink "$SOURCE")
-		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
-        done
-        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
-        echo $DIR
-}
-
-BASE=$(baseDir)
-cd $BASE
-
-source lib/functions.sh
-
-assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
-
-PARAMS="$(cat)"
-GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-
-fetchVarsFromVault GIT_PASSWORD
-
-if [ -z "${GIT_PASSWORD}" ]; then
-	fail_and_report 1 "gitpassword.sh failed: Git password not found."
-fi
-
-cat <<EOF
-protocol=https
-host=$GITHOST
-username=bk-${SITE_ID}
-password=${GIT_PASSWORD}
-EOF
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 56afb17..ae09716 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -19,7 +19,7 @@ fi
 
 hc_send log "Checking for bridgehead updates ..."
 
-CONFFILE=/etc/bridgehead/$1.conf
+CONFFILE=/etc/bridgehead/$PROJECT.conf
 
 if [ ! -e $CONFFILE ]; then
   fail_and_report 1 "Configuration file $CONFFILE not found."
@@ -33,7 +33,43 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+# If it is missing or expired, Secret Sync will create a new token and write it to the file.
+# The git credential helper reads the token from the file during git pull.
+mkdir -p /var/cache/bridgehead/secrets
+touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
+log "INFO" "Running Secret Sync for the GitLab token"
+docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
+docker run --rm \
+  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
+  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+  -e NO_PROXY=localhost,127.0.0.1 \
+  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+  -e PROXY_ID=$PROXY_ID \
+  -e BROKER_URL=$BROKER_URL \
+  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
+  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+if [ $? -eq 0 ]; then
+  log "INFO" "Secret Sync was successful"
+  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
+  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+  # Set the git credential helper
+  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
+else
+  log "WARN" "Secret Sync failed"
+  # Remove the git credential helper
+  git -C /etc/bridgehead config --unset credential.helper
+fi
+
+# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
+# Let's remove it to avoid confusion. This line can be removed at some point the future when we
+# believe that it was removed on all/most production servers.
+git -C /srv/docker/bridgehead config --unset credential.helper
 
 CHANGES=""
 
@@ -45,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
-  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
-    log "INFO" "Configuring repo to use bridgehead git credential helper."
-    git -C $DIR config credential.helper "$CREDHELPER"
-  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"