On Wed, Sep 17, 2014 at 9:49 AM, JCM <[email protected]> wrote:
> Hi all -
>
> I've hit a blocker when using the git module in combination with
> Github's token method:
>
> https://developer.github.com/guides/managing-deploy-keys/#https-cloning-with-oauth-tokens
> .
> This email also outlines an additional problem I've noticed. I'd be
> really grateful for any suggestions of what I'm doing wrong or if
> there really are problems.
>
> The place I'm trying to get to is this:
>
> * Call Github API to create new limited-scope token
> * Use Ansible to clone (*or* update, depending on the git module's
> idea of if it can update in place) using an HTTPS repo URI with this
> new token, passed in as an extra-var/envvar.
> * Revoke token via the API
>
> # Problem 1:
> The only way I can see to use a passworded HTTPS URI with the git
> module and github is as per
> https://help.github.com/articles/git-automation-with-oauth-tokens.
>
> i.e. "repo=https://<token>:[email protected]/path/to/remote/repo.git".
>
> Unfortunately, Ansible (although it may just be git itself, behind the
> scenes) appears to freeze the username/password combination into the
> repo's .git/config file, as part of the URI.
>
> This means that, after the first deployment, the next
> git-update/-pull/-fetch operation fails due to the initial token now
> being revoked.
>

I can't think of anything in the current git module that would help with this directly. You could work around it by including a task to edit the git config after this initial checkout.

> # Problem 2:
> The git module must know that the URI contains a username and
> password, because it blanks out (*only*) the password in its logged
> output. However, using this with github method outlined above means
> that it blanks out the fixed string "x-oauth-basic" and not the token.
> Of course this is a result of Github's implementation choices, but
> they're a big enough target for use by the git module that I believe
> Ansible should deal with their choice.
>

The password blanking that ansible does is best effort and somewhat limited because there are just so many variations on how sensitive information can be arbitrarily formatted. In any non-standard case, it's probably better to explicitly specify the no_log attribute to your task: http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

-Toshio
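
The two suggestions in the reply above, combined into one playbook as an added example that is not part of the original thread or of Ansible's own documentation: the token-bearing tasks carry no_log, and origin is rewritten after the checkout so the revoked token is not left in .git/config. The host group `app`, the path `/srv/app` and the variable name `github_token` are assumptions; the repository path is the placeholder from the question.

```yaml
# Added example; host group, paths and variable names are assumptions.
# Run with the short-lived token passed in, e.g. -e github_token=...
- hosts: app
  vars:
    repo_path: github.com/path/to/remote/repo.git   # placeholder from the thread
    checkout_dir: /srv/app                          # hypothetical destination
    token_url: "https://{{ github_token }}:x-oauth-basic@{{ repo_path }}"
  tasks:
    - name: Check whether a checkout already exists
      stat:
        path: "{{ checkout_dir }}/.git"
      register: checkout

    # On later runs origin holds the token-free URL written by the last
    # task, so point it at the fresh token before the git module fetches.
    - name: Point origin at the current token for this run
      command: git remote set-url origin "{{ token_url }}"
      args:
        chdir: "{{ checkout_dir }}"
      when: checkout.stat.exists
      changed_when: false
      no_log: true   # the token is the *username*, which the git module's blanking does not cover

    - name: Clone or update over HTTPS with the token
      git:
        repo: "{{ token_url }}"
        dest: "{{ checkout_dir }}"
      no_log: true

    # Edit the git config after the checkout so the token is not
    # frozen into .git/config once it has been revoked.
    - name: Remove the token from the stored remote URL
      command: git remote set-url origin "https://{{ repo_path }}"
      args:
        chdir: "{{ checkout_dir }}"
      changed_when: false
```

If the git task fails, the last task does not run and the token stays in .git/config until the next successful run; revoking the token via the API still invalidates it.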
