Merge pull request #727 from antoviaque/edxapp-git-auth

edxapp-git-auth: allow authenticated edx-platform/edx-theme checkouts

playbooks/roles/edxapp/defaults/main.yml

@@ -131,6 +131,10 @@ EDXAPP_SANDBOX_ENFORCE: true
 EDXAPP_INCLUDE_AUTOMATOR_ROLE: false
 EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
 
+EDXAPP_USE_GIT_IDENTITY: false
+# Example: "{{ secure_dir }}/files/git-identity"
+EDXAPP_LOCAL_GIT_IDENTITY: !!null
+
 #-------- Everything below this line is internal to the role ------------
 
 #Use YAML references (& and *) and hash merge <<: to factor out shared settings
@@ -154,6 +158,8 @@ edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles"
 edxapp_course_data_dir: "{{ edxapp_data_dir }}/data"
 edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads"
 edxapp_theme_dir: "{{ edxapp_data_dir }}/themes"
+edxapp_git_identity: "{{ edxapp_app_dir }}/{{ EDXAPP_LOCAL_GIT_IDENTITY|basename }}"
+edxapp_git_ssh: "/tmp/edxapp_git_ssh.sh"
 edxapp_pypi_local_mirror: "http://localhost:{{ devpi_port }}/root/pypi/+simple"
 edxapp_workers:
   - queue: low
@@ -509,4 +515,4 @@ worker_django_settings_module: 'aws'
 # commands listed here will be symlinked to ~/bin/ for
 # the automator user.
 edxapp_automated_rbash_links:
-  - /usr/bin/sudo
\ No newline at end of file
+  - /usr/bin/sudo

playbooks/roles/edxapp/tasks/deploy.yml

@@ -7,11 +7,32 @@
     owner={{ edxapp_user }}  group={{ common_web_user }}
     mode=0644
 
+# Optional auth for git
+- name: create ssh script for git (not authenticated)
+  template: >
+    src=git_ssh_noauth.sh.j2 dest={{ edxapp_git_ssh }}
+    owner={{ edxapp_user }} mode=750
+  when: not EDXAPP_USE_GIT_IDENTITY
+
+- name: create ssh script for git (authenticated)
+  template: >
+    src=git_ssh_auth.sh.j2 dest={{ edxapp_git_ssh }}
+    owner={{ edxapp_user }} mode=750
+  when: EDXAPP_USE_GIT_IDENTITY
+
+- name: install read-only ssh key
+  copy: >
+    src={{ EDXAPP_LOCAL_GIT_IDENTITY }} dest={{ edxapp_git_identity }}
+    force=yes owner={{ edxapp_user }} mode=0600
+  when: EDXAPP_USE_GIT_IDENTITY
+
 # Do A Checkout
 - name: checkout edx-platform repo into {{edxapp_code_dir}}
   git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
   register: chkout
   sudo_user: "{{ edxapp_user }}"
+  environment:
+    GIT_SSH: "{{ edxapp_git_ssh }}"
   notify:
   - "restart edxapp"
   - "restart edxapp_workers"
@@ -27,10 +48,16 @@
   git: dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
   when: edxapp_theme_name != ''
   sudo_user: "{{ edxapp_user }}"
+  environment:
+    GIT_SSH: "{{ edxapp_git_ssh }}"
   notify:
   - "restart edxapp"
   - "restart edxapp_workers"
 
+- name: remove read-only ssh key
+  file: path={{ edxapp_git_identity }} state=absent
+  when: EDXAPP_USE_GIT_IDENTITY
+
 - name: create checksum for requirements, package.json and Gemfile
   shell: >
     /usr/bin/md5sum {{ " ".join(edxapp_chksum_req_files) }} 2>/dev/null > /var/tmp/edxapp.req.new

playbooks/roles/edxapp/templates/git_ssh_auth.sh.j2

+#!/bin/sh
+exec /usr/bin/ssh -o StrictHostKeyChecking=no -i {{ edxapp_git_identity }} "$@"

playbooks/roles/edxapp/templates/git_ssh_noauth.sh.j2

+#!/bin/sh
+exec /usr/bin/ssh -o StrictHostKeyChecking=no "$@"