Merge pull request #17262 from Homebrew/github-auth-seteuid

utils/github/api: use real UID for auth fetching
Mike McQuaid 2024-05-09 12:19:44 +01:00 committed by GitHub
commit 78a812b234
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 49 additions and 21 deletions


@ -5,6 +5,7 @@ require "system_command"
require "tempfile" require "tempfile"
require "utils/shell" require "utils/shell"
require "utils/formatter" require "utils/formatter"
require "utils/uid"
module GitHub module GitHub
def self.pat_blurb(scopes = ALL_SCOPES) def self.pat_blurb(scopes = ALL_SCOPES)
@ -138,37 +139,45 @@ module GitHub
# Gets the token from the GitHub CLI for github.com. # Gets the token from the GitHub CLI for github.com.
sig { returns(T.nilable(String)) } sig { returns(T.nilable(String)) }
def self.github_cli_token def self.github_cli_token
# Avoid `Formula["gh"].opt_bin` so this method works even with `HOMEBREW_DISABLE_LOAD_FORMULA`. Utils::UID.drop_euid do
env = { "PATH" => PATH.new(HOMEBREW_PREFIX/"opt/gh/bin", ENV.fetch("PATH")) } # Avoid `Formula["gh"].opt_bin` so this method works even with `HOMEBREW_DISABLE_LOAD_FORMULA`.
gh_out, _, result = system_command "gh", env = {
args: ["auth", "token", "--hostname", "github.com"], "PATH" => PATH.new(HOMEBREW_PREFIX/"opt/gh/bin", ENV.fetch("PATH")),
env:, "HOME" => Etc.getpwuid(Process.uid)&.dir,
print_stderr: false }
return unless result.success? gh_out, _, result = system_command "gh",
args: ["auth", "token", "--hostname", "github.com"],
env:,
print_stderr: false
return unless result.success?
gh_out.chomp gh_out.chomp
end
end end
# Gets the password field from `git-credential-osxkeychain` for github.com, # Gets the password field from `git-credential-osxkeychain` for github.com,
# but only if that password looks like a GitHub Personal Access Token. # but only if that password looks like a GitHub Personal Access Token.
sig { returns(T.nilable(String)) } sig { returns(T.nilable(String)) }
def self.keychain_username_password def self.keychain_username_password
git_credential_out, _, result = system_command "git", Utils::UID.drop_euid do
args: ["credential-osxkeychain", "get"], git_credential_out, _, result = system_command "git",
input: ["protocol=https\n", "host=github.com\n"], args: ["credential-osxkeychain", "get"],
print_stderr: false input: ["protocol=https\n", "host=github.com\n"],
return unless result.success? env: { "HOME" => Etc.getpwuid(Process.uid)&.dir },
print_stderr: false
return unless result.success?
github_username = git_credential_out[/username=(.+)/, 1] github_username = git_credential_out[/username=(.+)/, 1]
github_password = git_credential_out[/password=(.+)/, 1] github_password = git_credential_out[/password=(.+)/, 1]
return unless github_username return unless github_username
# Don't use passwords from the keychain unless they look like # Don't use passwords from the keychain unless they look like
# GitHub Personal Access Tokens: # GitHub Personal Access Tokens:
# https://github.com/Homebrew/brew/issues/6862#issuecomment-572610344 # https://github.com/Homebrew/brew/issues/6862#issuecomment-572610344
return unless GITHUB_PERSONAL_ACCESS_TOKEN_REGEX.match?(github_password) return unless GITHUB_PERSONAL_ACCESS_TOKEN_REGEX.match?(github_password)
github_password github_password
end
end end
def self.credentials def self.credentials
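Review bot: In both `github_cli_token` and `keychain_username_password`, the new `"HOME" => Etc.getpwuid(Process.uid)&.dir` entry evaluates to nil when the passwd lookup for the real UID fails, and this diff does not show what `system_command` does with a nil env value. If the entry is simply dropped, `gh` and `git` would presumably run with the inherited HOME, which may belong to the elevated account, so the credential lookup could read the wrong user's configuration. I would resolve the directory once in a shared helper and skip the lookup when it is missing, e.g. `home = Etc.getpwuid(Process.uid)&.dir` followed by `return if home.nil?`, then pass `"HOME" => home`. The hunk adds `require "utils/uid"` but shows no `require "etc"`, so it is worth confirming `Etc` is loaded before these methods run.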


@ -0,0 +1,19 @@
# typed: strict
# frozen_string_literal: true
module Utils
module UID
sig { type_parameters(:U).params(_block: T.proc.returns(T.type_parameter(:U))).returns(T.type_parameter(:U)) }
def self.drop_euid(&_block)
return yield if Process.euid == Process.uid
original_euid = Process.euid
begin
Process::Sys.seteuid(Process.uid)
yield
ensure
Process::Sys.seteuid(original_euid)
end
end
end
end
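Review bot: `Utils::UID.drop_euid` has no comment stating what it guarantees, and the name can be read as a full privilege drop. As written it only calls `Process::Sys.seteuid(Process.uid)` for the duration of the block and restores the original effective UID in `ensure`, so the process can still regain the original EUID and the effective GID and supplementary groups are not touched here. I would add a comment above the `sig` such as `# Runs the block with the effective UID temporarily set to the real UID. Not a permanent privilege drop: the EUID is restored afterwards and group IDs are unchanged.` Since the effective UID is process-wide, the comment should also say that other threads are affected while the block runs.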