From a57b08205fd0b65d74f01f25a25bee52fb6eee7e Mon Sep 17 00:00:00 2001 From: Jamie Pate Date: Mon, 7 Jun 2021 09:51:34 -0700 Subject: [PATCH 1/2] Don't write payloads to disk, they may contain sensitive info. Signed-off-by: Jamie Pate --- assets/check | 40 +++++++++++++++---------------- assets/common.sh | 28 +++++++++++----------- assets/in | 62 +++++++++++++++++++++++------------------------- assets/out | 44 ++++++++++++++++------------------ 4 files changed, 84 insertions(+), 90 deletions(-) diff --git a/assets/check b/assets/check index 79b7d49..4a81bb1 100755 --- a/assets/check +++ b/assets/check 
@@ -11,27 +11,25 @@ source $(dirname $0)/common.sh # for jq PATH=/usr/local/bin:$PATH -payload=$TMPDIR/git-resource-request - -cat > $payload <&0 - -load_pubkey $payload -configure_https_tunnel $payload -configure_git_ssl_verification $payload -configure_credentials $payload - -uri=$(jq -r '.source.uri // ""' < $payload) -branch=$(jq -r '.source.branch // ""' < $payload) -paths="$(jq -r '(.source.paths // ["."])[]' < $payload)" # those "'s are important -ignore_paths="$(jq -r '":!" + (.source.ignore_paths // [])[]' < $payload)" # these ones too -tag_filter=$(jq -r '.source.tag_filter // ""' < $payload) -tag_regex=$(jq -r '.source.tag_regex // ""' < $payload) -git_config_payload=$(jq -r '.source.git_config // []' < $payload) -ref=$(jq -r '.version.ref // ""' < $payload) -skip_ci_disabled=$(jq -r '.source.disable_ci_skip // false' < $payload) -filter_whitelist=$(jq -r '.source.commit_filter.include // []' < $payload) -filter_blacklist=$(jq -r '.source.commit_filter.exclude // []' < $payload) -version_depth=$(jq -r '.source.version_depth // 1' < $payload) +payload="$(cat <&0)" + +load_pubkey "$payload" +configure_https_tunnel "$payload" +configure_git_ssl_verification "$payload" +configure_credentials "$payload" + +uri=$(jq -r '.source.uri // ""' <<< "$payload") +branch=$(jq -r '.source.branch // ""' <<< "$payload") +paths="$(jq -r '(.source.paths // ["."])[]' <<< "$payload")" # those "'s are important +ignore_paths="$(jq -r '":!" 
+ (.source.ignore_paths // [])[]' <<< "$payload")" # these ones too +tag_filter=$(jq -r '.source.tag_filter // ""' <<< "$payload") +tag_regex=$(jq -r '.source.tag_regex // ""' <<< "$payload") +git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload") +ref=$(jq -r '.version.ref // ""' <<< "$payload") +skip_ci_disabled=$(jq -r '.source.disable_ci_skip // false' <<< "$payload") +filter_whitelist=$(jq -r '.source.commit_filter.include // []' <<< "$payload") +filter_blacklist=$(jq -r '.source.commit_filter.exclude // []' <<< "$payload") +version_depth=$(jq -r '.source.version_depth // 1' <<< "$payload") reverse=false configure_git_global "${git_config_payload}" diff --git a/assets/common.sh b/assets/common.sh index bf6aa47..0f81a24 100644 --- a/assets/common.sh +++ b/assets/common.sh @@ -3,11 +3,11 @@ export GIT_CRYPT_KEY_PATH=~/git-crypt.key load_pubkey() { local private_key_path=$TMPDIR/git-resource-private-key - local private_key_user=$(jq -r '.source.private_key_user // empty' < $1) - local forward_agent=$(jq -r '.source.forward_agent // false' < $1) - local passphrase="$(jq -r '.source.private_key_passphrase // empty' < $1)" + local private_key_user=$(jq -r '.source.private_key_user // empty' <<< "$1") + local forward_agent=$(jq -r '.source.forward_agent // false' <<< "$1") + local passphrase="$(jq -r '.source.private_key_passphrase // empty' <<< "$1")" - (jq -r '.source.private_key // empty' < $1) > $private_key_path + (jq -r '.source.private_key // empty' <<< "$1") > $private_key_path if [ -s $private_key_path ]; then chmod 0600 $private_key_path @@ -36,7 +36,7 @@ EOF } configure_https_tunnel() { - tunnel=$(jq -r '.source.https_tunnel // empty' < $1) + tunnel=$(jq -r '.source.https_tunnel // empty' <<< "$1") if [ ! -z "$tunnel" ]; then host=$(echo "$tunnel" | jq -r '.proxy_host // empty') 
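Review bot: The here-strings that replace `< $payload` (every `<<< "$payload"` assignment in this hunk, from `uri=` down to `version_depth=`) do not fully keep the payload off disk: as far as I know bash implements `<<<` with an unlinked temporary file under TMPDIR on versions before 5.1, and later versions still fall back to one whenever the string exceeds the pipe buffer, which a payload carrying a private key can plausibly do. If the commit's goal is a hard guarantee, feed jq through a pipe instead, e.g. `uri=$(printf '%s' "$payload" | jq -r '.source.uri // ""')`; the same applies to the `<<< "$1"` sites in the assets/common.sh hunks and to the assets/in and assets/out hunks of this patch. Separately, `payload="$(cat <&0)"` redirects stdin to itself; `payload=$(cat)` reads the same bytes.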
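Review bot: `(jq -r '.source.private_key // empty' <<< "$1") > $private_key_path` creates the key file under the process's default umask, so the private key can be readable by other users in the container between the redirect and the `chmod 0600` that follows, and the chmod only runs when the file is non-empty. Restricting the mode before the file exists closes that window: `(umask 077; jq -r '.source.private_key // empty' <<< "$1" > "$private_key_path")`. The `> $git_crypt_tmp_key_path` redirect in the @@ -216 load_git_crypt_key hunk has the same shape, and `$private_key_path` stays unquoted throughout load_pubkey, whose body continues outside the hunk.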
@@ -67,7 +67,7 @@ configure_git_global() { } configure_git_ssl_verification() { - skip_ssl_verification=$(jq -r '.source.skip_ssl_verification // false' < $1) + skip_ssl_verification=$(jq -r '.source.skip_ssl_verification // false' <<< "$1") if [ "$skip_ssl_verification" = "true" ]; then export GIT_SSL_NO_VERIFY=true fi @@ -187,14 +187,14 @@ git_metadata() { configure_submodule_credentials() { local username local password - if [[ "$(jq -r '.source.submodule_credentials // ""' < "$1")" == "" ]]; then + if [[ "$(jq -r '.source.submodule_credentials // ""' <<< "$1")" == "" ]]; then return fi - for k in $(jq -r '.source.submodule_credentials | keys | .[]' < "$1"); do - host=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].host // ""' < "$1") - username=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].username // ""' < "$1") - password=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].password // ""' < "$1") + for k in $(jq -r '.source.submodule_credentials | keys | .[]' <<< "$1"); do + host=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].host // ""' <<< "$1") + username=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].username // ""' <<< "$1") + password=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].password // ""' <<< "$1") if [ "$username" != "" -a "$password" != "" -a "$host" != "" ]; then echo "machine $host login $username password $password" >> "${HOME}/.netrc" fi @@ -202,8 +202,8 @@ configure_submodule_credentials() { } configure_credentials() { - local username=$(jq -r '.source.username // ""' < $1) - local password=$(jq -r '.source.password // ""' < $1) + local username=$(jq -r '.source.username // ""' <<< "$1") + local password=$(jq -r '.source.password // ""' <<< "$1") rm -f $HOME/.netrc configure_submodule_credentials "$1" 
@@ -216,7 +216,7 @@ configure_credentials() { load_git_crypt_key() { local git_crypt_tmp_key_path=$TMPDIR/git-resource-git-crypt-key - (jq -r '.source.git_crypt_key // empty' < $1) > $git_crypt_tmp_key_path + (jq -r '.source.git_crypt_key // empty' <<< "$1") > $git_crypt_tmp_key_path if [ -s $git_crypt_tmp_key_path ]; then cat $git_crypt_tmp_key_path | tr ' ' '\n' | base64 -d > $GIT_CRYPT_KEY_PATH diff --git a/assets/in b/assets/in index dfb2e60..b023b9f 100755 --- a/assets/in +++ b/assets/in 
@@ -23,41 +23,39 @@ if [ "${bin_dir#/}" == "$bin_dir" ]; then bin_dir="$PWD/$bin_dir" fi -payload=$(mktemp $TMPDIR/git-resource-request.XXXXXX) - -cat > $payload <&0 - -load_pubkey $payload -load_git_crypt_key $payload -configure_https_tunnel $payload -configure_git_ssl_verification $payload -configure_credentials $payload - -uri=$(jq -r '.source.uri // ""' < $payload) -branch=$(jq -r '.source.branch // ""' < $payload) -git_config_payload=$(jq -r '.source.git_config // []' < $payload) -ref=$(jq -r '.version.ref // "HEAD"' < $payload) -override_branch=$(jq -r '.version.branch // ""' < $payload) -depth=$(jq -r '(.params.depth // 0)' < $payload) -fetch=$(jq -r '(.params.fetch // [])[]' < $payload) -submodules=$(jq -r '(.params.submodules // "all")' < $payload) -submodule_recursive=$(jq -r '(.params.submodule_recursive // true)' < $payload) -submodule_remote=$(jq -r '(.params.submodule_remote // false)' < $payload) -commit_verification_key_ids=$(jq -r '(.source.commit_verification_key_ids // [])[]' < $payload) -commit_verification_keys=$(jq -r '(.source.commit_verification_keys // [])[]' < $payload) -tag_filter=$(jq -r '.source.tag_filter // ""' < $payload) -tag_regex=$(jq -r '.source.tag_regex // ""' < $payload) -fetch_tags=$(jq -r '.params.fetch_tags' < $payload) -gpg_keyserver=$(jq -r '.source.gpg_keyserver // "hkp://ipv4.pool.sks-keyservers.net/"' < $payload) -disable_git_lfs=$(jq -r '(.params.disable_git_lfs // false)' < $payload) -clean_tags=$(jq -r '(.params.clean_tags // false)' < $payload) -short_ref_format=$(jq -r '(.params.short_ref_format // "%s")' < $payload) -timestamp_format=$(jq -r '(.params.timestamp_format // "iso8601")' < $payload) -describe_ref_options=$(jq -r '(.params.describe_ref_options // "--always --dirty --broken")' < $payload) +payload="$(cat <&0)" + +load_pubkey "$payload" +load_git_crypt_key "$payload" +configure_https_tunnel "$payload" +configure_git_ssl_verification "$payload" +configure_credentials "$payload" + +uri=$(jq -r '.source.uri 
// ""' <<< "$payload") +branch=$(jq -r '.source.branch // ""' <<< "$payload") +git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload") +ref=$(jq -r '.version.ref // "HEAD"' <<< "$payload") +override_branch=$(jq -r '.version.branch // ""' <<< "$payload") +depth=$(jq -r '(.params.depth // 0)' <<< "$payload") +fetch=$(jq -r '(.params.fetch // [])[]' <<< "$payload") +submodules=$(jq -r '(.params.submodules // "all")' <<< "$payload") +submodule_recursive=$(jq -r '(.params.submodule_recursive // true)' <<< "$payload") +submodule_remote=$(jq -r '(.params.submodule_remote // false)' <<< "$payload") +commit_verification_key_ids=$(jq -r '(.source.commit_verification_key_ids // [])[]' <<< "$payload") +commit_verification_keys=$(jq -r '(.source.commit_verification_keys // [])[]' <<< "$payload") +tag_filter=$(jq -r '.source.tag_filter // ""' <<< "$payload") +tag_regex=$(jq -r '.source.tag_regex // ""' <<< "$payload") +fetch_tags=$(jq -r '.params.fetch_tags' <<< "$payload") +gpg_keyserver=$(jq -r '.source.gpg_keyserver // "hkp://ipv4.pool.sks-keyservers.net/"' <<< "$payload") +disable_git_lfs=$(jq -r '(.params.disable_git_lfs // false)' <<< "$payload") +clean_tags=$(jq -r '(.params.clean_tags // false)' <<< "$payload") +short_ref_format=$(jq -r '(.params.short_ref_format // "%s")' <<< "$payload") +timestamp_format=$(jq -r '(.params.timestamp_format // "iso8601")' <<< "$payload") +describe_ref_options=$(jq -r '(.params.describe_ref_options // "--always --dirty --broken")' <<< "$payload") # If params not defined, get it from source if [ -z "$fetch_tags" ] || [ "$fetch_tags" == "null" ] ; then - fetch_tags=$(jq -r '.source.fetch_tags' < $payload) + fetch_tags=$(jq -r '.source.fetch_tags' <<< "$payload") fi configure_git_global "${git_config_payload}" diff --git a/assets/out b/assets/out index 47b7fe5..93b3363 100755 --- a/assets/out +++ b/assets/out 
@@ -18,29 +18,27 @@ fi # for jq PATH=/usr/local/bin:$PATH -payload=$(mktemp $TMPDIR/git-resource-request.XXXXXX) - -cat > $payload <&0 - -load_pubkey $payload -configure_https_tunnel $payload -configure_git_ssl_verification $payload -configure_credentials $payload - -uri=$(jq -r '.source.uri // ""' < $payload) -branch=$(jq -r '.source.branch // ""' < $payload) -git_config_payload=$(jq -r '.source.git_config // []' < $payload) -repository=$(jq -r '.params.repository // ""' < $payload) -tag=$(jq -r '.params.tag // ""' < $payload) -tag_prefix=$(jq -r '.params.tag_prefix // ""' < $payload) -rebase=$(jq -r '.params.rebase // false' < $payload) -merge=$(jq -r '.params.merge // false' < $payload) -returning=$(jq -r '.params.returning // "merged"' < $payload) -force=$(jq -r '.params.force // false' < $payload) -only_tag=$(jq -r '.params.only_tag // false' < $payload) -annotation_file=$(jq -r '.params.annotate // ""' < $payload) -notes_file=$(jq -r '.params.notes // ""' < $payload) -override_branch=$(jq -r '.params.branch // ""' < $payload) +payload="$(cat <&0)" + +load_pubkey "$payload" +configure_https_tunnel "$payload" +configure_git_ssl_verification "$payload" +configure_credentials "$payload" + +uri=$(jq -r '.source.uri // ""' <<< "$payload") +branch=$(jq -r '.source.branch // ""' <<< "$payload") +git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload") +repository=$(jq -r '.params.repository // ""' <<< "$payload") +tag=$(jq -r '.params.tag // ""' <<< "$payload") +tag_prefix=$(jq -r '.params.tag_prefix // ""' <<< "$payload") +rebase=$(jq -r '.params.rebase // false' <<< "$payload") +merge=$(jq -r '.params.merge // false' <<< "$payload") +returning=$(jq -r '.params.returning // "merged"' <<< "$payload") +force=$(jq -r '.params.force // false' <<< "$payload") +only_tag=$(jq -r '.params.only_tag // false' <<< "$payload") +annotation_file=$(jq -r '.params.annotate // ""' <<< "$payload") +notes_file=$(jq -r '.params.notes // ""' <<< "$payload") 
+override_branch=$(jq -r '.params.branch // ""' <<< "$payload") configure_git_global "${git_config_payload}" From cc85431792b3f846842156a2765ddd6a174d3dd6 Mon Sep 17 00:00:00 2001 From: Jamie Pate Date: Wed, 1 Sep 2021 18:29:43 -0700 Subject: [PATCH 2/2] Add the ability to set refs_prefix for the push Normal branches all exist in refs/heads but some git workflows require pushing to a different type of reference. For example Gerrit Reviews are created/updated by pushing to a 'magic' ref at `refs/for/` Signed-off-by: Jamie Pate --- README.md | 2 ++ assets/out | 4 +++- test/helpers.sh | 13 +++++++++++++ test/put.sh | 24 ++++++++++++++++++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 73fe324..4d47461 100644 --- a/README.md +++ b/README.md @@ -330,6 +330,8 @@ pushed regardless of the upstream state. even if the `branch` differs from the `branch` specified in the source. To avoid this, you should use two resources of read-only and write-only. +* `refs_prefix`: *Optional.* Allows pushing to refs other than heads. Defaults to `refs/heads`. + ## Development ### Prerequisites diff --git a/assets/out b/assets/out index 93b3363..54a882a 100755 --- a/assets/out +++ b/assets/out @@ -39,6 +39,8 @@ only_tag=$(jq -r '.params.only_tag // false' <<< "$payload") annotation_file=$(jq -r '.params.annotate // ""' <<< "$payload") notes_file=$(jq -r '.params.notes // ""' <<< "$payload") override_branch=$(jq -r '.params.branch // ""' <<< "$payload") +# useful for pushing to special ref types like refs/for in gerrit. +refs_prefix=$(jq -r '.params.refs_prefix // "refs/heads"' <<< "$payload") configure_git_global "${git_config_payload}" @@ -103,7 +105,7 @@ tag() { } push_src_and_tags() { - git push --tags push-target HEAD:refs/heads/$branch $forceflag + git push --tags push-target HEAD:$refs_prefix/$branch $forceflag } push_tags() { diff --git a/test/helpers.sh b/test/helpers.sh index 65466cc..fe5d1db 100644 --- a/test/helpers.sh 
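Review bot: `refs_prefix` is read from params without validation and then spliced unquoted into `git push --tags push-target HEAD:$refs_prefix/$branch $forceflag` in the @@ -103 hunk, so a value containing whitespace or glob characters is word-split into extra push arguments instead of forming one refspec, and a value with a trailing slash yields a `refs/for//branch` refspec. Quote the refspec, `git push --tags push-target "HEAD:${refs_prefix}/${branch}" $forceflag`, and consider rejecting a prefix that does not start with `refs/` right after the assignment, e.g. `[[ "$refs_prefix" == refs/* ]] || { echo "refs_prefix must start with refs/" >&2; exit 1; }`. The comment above the assignment could also state the default: `# Refspec prefix for the push; defaults to refs/heads (e.g. refs/for for Gerrit).`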
+++ b/test/helpers.sh @@ -1238,3 +1238,16 @@ put_uri_with_config() { } }" | ${resource_dir}/out "$2" | tee /dev/stderr } + +put_uri_with_refs_prefix() { + jq -n "{ + source: { + uri: $(echo $1 | jq -R .), + branch: \"master\" + }, + params: { + repository: $(echo $3 | jq -R .), + refs_prefix: $(echo $4 | jq -R .), + } + }" | ${resource_dir}/out "$2" | tee /dev/stderr +} \ No newline at end of file diff --git a/test/put.sh b/test/put.sh index 8e13ecb..850be6a 100755 --- a/test/put.sh +++ b/test/put.sh @@ -585,6 +585,29 @@ it_will_fail_put_with_conflicting_tag_and_not_force_push() { test "$(git -C $repo1 rev-parse some-only-tag)" = $expected_ref } +it_can_put_with_refs_prefix() { + local repo1=$(init_repo) + + local src=$(mktemp -d $TMPDIR/put-src.XXXXXX) + local repo2=$src/repo + git clone $repo1 $repo2 + + local ref=$(make_commit $repo2) + + # cannot push to repo while it's checked out to a branch + git -C $repo1 checkout refs/heads/master + set -x + put_uri_with_refs_prefix $repo1 $src repo refs/for | jq -e " + .version == {ref: $(echo $ref | jq -R .)} + " + + # switch back to master + git -C $repo1 checkout refs/for/master + + test -e $repo1/some-file + test "$(git -C $repo1 rev-parse HEAD)" = $ref +} + run it_can_put_to_url run it_can_put_to_url_with_branch run it_returns_branch_in_metadata @@ -605,3 +628,4 @@ run it_will_fail_put_if_conflicts_and_not_force_push run it_can_put_and_force_the_push run it_can_put_to_url_with_only_tag_and_force_the_push run it_will_fail_put_with_conflicting_tag_and_not_force_push +run it_can_put_with_refs_prefix
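Review bot: The new `put_uri_with_refs_prefix` ends without a final newline (`\ No newline at end of file`) and its params object ends with a trailing comma after the `refs_prefix:` entry, which jq happens to tolerate but the neighbouring `put_uri_with_config` does not rely on; dropping the comma and adding the newline keeps the helpers uniform. Like its siblings it passes `$1`, `$3` and `$4` to `echo` unquoted before `jq -R .`, so a path with spaces would be split; `printf '%s' "$3" | jq -R .` avoids that if the helpers are ever tightened.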
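Review bot: `set -x` inside `it_can_put_with_refs_prefix` is never switched off and, because `set` options persist past the function, it traces every subsequent test in the run to stderr together with whatever those tests pass on their command lines; it looks like a debugging leftover and should be removed. The comment `# switch back to master` above `git -C $repo1 checkout refs/for/master` does not describe the command, which checks out the ref the put just pushed to; `# check out the ref the put pushed to` would match. The @@ -605 hunk adding `run it_can_put_with_refs_prefix` is fine.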