Remove Git-specific auth and use local keys for Docker.

Removes the git-specific username/password authentication and instead assumes that SSH keys will already be set up for git/svn/hg to use. Modifies the docker container to mount the user's SSH keys into the container so that the VCS sync management commands run using the user's local keys. This isn't a significant change in security mainly because previously the user's local keys were being used anyway since the app was run locally instead of being run in a container.
SilphRoad · May 28, 2015 · b315ac5 · b315ac5
1 parent 21673da
commit b315ac5
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 22 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,7 @@ web:
     - "8000:8000"
   volumes:
     - .:/pontoon
+    - ~/.ssh:/root/.ssh:ro
   links:
     - db
   dns:

diff --git a/pontoon/administration/vcs.py b/pontoon/administration/vcs.py
@@ -1,12 +1,8 @@
 # -*- coding: utf8 -*-
 from __future__ import absolute_import
-import base64
 import logging
 import os
 import subprocess
-import urlparse
-
-from django.conf import settings
 
 
 log = logging.getLogger('pontoon')
@@ -144,12 +140,6 @@ class CommitToGit(CommitToRepository):
     def commit(self, path=None, message=None, user=None):
         log.debug("Git: Commit to repository.")
 
-        # Bail early if we lack credentials.
-        if not settings.GIT_USERNAME or not settings.GIT_PASSWORD:
-            raise CommitToRepositoryException(
-                'GIT_USERNAME and GIT_PASSWORD settings are not defined and '
-                'are required for committing to git repositories.')
-
         path = path or self.path
         message = message or self.message
         user = user or self.user
@@ -168,15 +158,8 @@ def commit(self, path=None, message=None, user=None):
         if code != 0 and len(error):
             raise CommitToRepositoryException(unicode(error))
 
-        # Add auth credentials to URL for push.
-        url_parts = urlparse.urlparse(self.url)
-        netloc = '{username}:{password}@{netloc}'.format(
-            username=settings.GIT_USERNAME, password=settings.GIT_PASSWORD,
-            netloc=url_parts.netloc)
-        url = url_parts._replace(netloc=netloc).geturl()
-
         # Push
-        push = ["git", "push", url]
+        push = ["git", "push", self.url]
         code, output, error = execute(push, path)
         if code != 0:
             raise CommitToRepositoryException(unicode(error))

diff --git a/pontoon/settings/base.py b/pontoon/settings/base.py
@@ -63,10 +63,6 @@ def path(*args):
 # Raygun.io API Key
 RAYGUN4PY_API_KEY = os.environ.get('RAYGUN_APIKEY', '')
 
-# Git(hub) Credentials
-GIT_USERNAME = os.environ.get('GIT_USERNAME', '')
-GIT_PASSWORD = os.environ.get('GIT_PASSWORD', '')
-
 # Email settings
 EMAIL_HOST_USER = os.environ.get('SENDGRID_USERNAME', '')
 EMAIL_HOST = 'smtp.sendgrid.net'