Bug 1884270 - Git clone does not support SCP-style ssh locations
Summary: Git clone does not support SCP-style ssh locations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.7.0
Assignee: Gabe Montero
QA Contact: wewang
Docs Contact: Rolfe Dlugy-Hegwer
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-01 13:54 UTC by Adam Kaplan
Modified: 2021-07-15 14:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, OpenShift Builds failed on Git clone when SCP-style ssh locations were specified. This was caused by Golang URL parsing, which does not accommodate Git SCP-styled ssh locations. As a result, OpenShift builds and OpenShift S2I failed when those types of source URLs were supplied. The current release fixes this issue: It augments OpenShift Builds and OpenShift S2I to bypass Golang URL parsing and strip the 'ssh://' prefix. Now, OpenShift Builds and OpenShift S2I accommodate Git SCP-styled ssh locations (link:https://bugzilla.redhat.com/show_bug.cgi?id=1884270[*BZ#1884270*])
Clone Of:
Environment:
Last Closed: 2021-02-24 15:22:14 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift builder pull 179 | 0 | None | closed | Bug 1884270: bump(*): s2i, klog | 2021-02-06 18:01:53 UTC |
| Github | openshift oc pull 610 | 0 | None | closed | Bug 1884270: bypass golang url parsing with scp styled ssh git URLs; refactor URL for older git clients | 2021-02-06 18:01:54 UTC |
| Github | openshift openshift-apiserver pull 147 | 0 | None | closed | Bug 1884270: bypass golang url parsing with scp styled ssh git URLs; refactor URL for older git clients | 2021-02-06 18:01:53 UTC |
| Github | openshift source-to-image pull 1054 | 0 | None | closed | Bug 1884270: bypass golang url parsing with scp styled ssh git URLs; refactor URL for older git clients | 2021-02-06 18:01:54 UTC |
| Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:22:54 UTC |

Description Adam Kaplan 2020-10-01 13:54:32 UTC
Description of problem:

Git v2 supports ssh clones that use "scp-like" repo locations, which are often referenced in SSH clone instructions on platforms like GitHub:

```
$ git clone ssh://[user@]server:repo.git
```

When specifying such a location in a BuildConfig, this fails OpenShift's api validation:

```
spec.source.git.uri: Invalid value: "ssh://git:sclorg/nodejs-ex": parse ssh://git:sclorg/nodejs-ex: invalid port ":sclorg" after host
```

Version-Release number of selected component (if applicable): 4.6.0


How reproducible: Always


Steps to Reproduce:
1. Create a BuildConfig YAML that clones source via the scp-style ssh location.
2. Attempt to create the BuildConfig via `oc create -f` or `oc apply -f`


Actual results:

Fails to create the BuildConfig with error:

```
The BuildConfig "nodejs-git-clone" is invalid: spec.source.git.uri: Invalid value: "ssh://git:sclorg/nodejs-ex": parse ssh://git:sclorg/nodejs-ex: invalid port ":sclorg" after host
```


Expected results:

BuildConfig can be created.

Additional info:

Comment 2 Gabe Montero 2020-10-05 20:55:04 UTC
Reproduced with a new unit test in https://github.com/openshift/source-to-image/blob/master/pkg/scm/git/url_test.go

Stepping through it with the debugger, it turns out the golang url.Parse at https://github.com/openshift/source-to-image/blob/09e6ac0ca6febdc8afef8bbf9dcc5afbddd8b3f1/pkg/scm/git/url.go#L90 is complaining, so we are going to have to do some pre-processing of the URL to circumvent this.

And then vendor in this s2i change in openshift/openshift-apiserver, openshift/builder, and openshift/oc to cover all the bases.

Also reproduced with `oc apply` on 

```
kind: BuildConfig
apiVersion: v1
metadata:
    name: sample-build
spec:
    source:
      type: Git
      git:
        uri: ssh://git:sclorg/nodejs-ex
    strategy:
      type: Source
      sourceStrategy:
        env:
        - name: BUILD_LOGLEVEL
          value: '5'
        from:
          kind: ImageStreamTag
          name: nodejs:12-ubi8
```


where the openshift/openshift-apiserver use of s2igit.Parse in https://github.com/openshift/source-to-image/blob/09e6ac0ca6febdc8afef8bbf9dcc5afbddd8b3f1/pkg/scm/git/url.go#L90 in `validateGitSource` at https://github.com/openshift/openshift-apiserver/blob/7babe09b1ddd5429893bc4c90a994a711139d8d4/pkg/build/apis/build/validation/validation.go#L264 flags the error

Comment 4 wewang 2020-10-15 03:39:30 UTC
Verified in version:
4.7.0-0.nightly-2020-10-14-043821

Using oc create -f or oc apply -f to create buildconfig successfully
```
kind: BuildConfig
apiVersion: v1
metadata:
    name: sample-build1
spec:
    source:
      type: Git
      git:
        uri: ssh://git:sclorg/nodejs-ex
    strategy:
      type: Source
      sourceStrategy:
```

Comment 10 errata-xmlrpc 2021-02-24 15:22:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Comment 11 Adam Kaplan 2021-07-15 14:27:02 UTC
We got this wrong in the initial bug request - when cloning using SCP style, users call

```
git clone [user@]server:org/repo.git
```

with no "ssh://" prefix

Using SCP style URIs with the ssh:// prefix led us to break pattern matching for SSH urls in https://bugzilla.redhat.com/show_bug.cgi?id=1971332.

We still need to accept SCP style URIs, just with the knowledge that these do _not_ have an ssh:// prefix.
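
The parsing problem from Comments 2 and 11, as an added example (not code from source-to-image or the linked pull requests): Go's `url.Parse` rejects the value from the report, while a location with no `ssh://` prefix can be classified as scp-style before `url.Parse` is ever called. `GitLocation` and `ParseGitLocation` are hypothetical names, and the sample locations are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// GitLocation is a hypothetical type for this example, not the s2i type.
type GitLocation struct {
	SCPStyle bool
	User     string
	Host     string
	Path     string
}

// ParseGitLocation classifies a git source location (hypothetical helper).
// Anything containing "://" goes to url.Parse; otherwise "[user@]host:path"
// is treated as scp-style when no "/" precedes the first ":" (git's own rule).
func ParseGitLocation(s string) (GitLocation, error) {
	if strings.Contains(s, "://") {
		u, err := url.Parse(s)
		if err != nil {
			return GitLocation{}, err // e.g. invalid port ":sclorg" after host
		}
		return GitLocation{User: u.User.Username(), Host: u.Host, Path: u.Path}, nil
	}
	colon := strings.Index(s, ":")
	if colon <= 0 || strings.Contains(s[:colon], "/") || colon == len(s)-1 {
		return GitLocation{}, fmt.Errorf("%q is neither a URL nor an scp-style location", s)
	}
	loc := GitLocation{SCPStyle: true, Host: s[:colon], Path: s[colon+1:]}
	if at := strings.LastIndex(loc.Host, "@"); at >= 0 {
		loc.User, loc.Host = loc.Host[:at], loc.Host[at+1:]
	}
	if loc.Host == "" {
		return GitLocation{}, fmt.Errorf("%q has an empty host", s)
	}
	return loc, nil
}

func main() {
	// Constructed sample inputs; the first is the value from the bug report.
	for _, s := range []string{"ssh://git:sclorg/nodejs-ex", "git@github.com:sclorg/nodejs-ex.git", "ssh://git@github.com/sclorg/nodejs-ex.git"} {
		loc, err := ParseGitLocation(s)
		fmt.Printf("%-45s -> %+v err=%v\n", s, loc, err)
	}
}
```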

