This repository contains multiple implementations of credential helpers that are used to pass credentials managed by ORT Server to external tools.
A credential helper is a small executable that is called by external tools to retrieve credentials for a given URL. The protocol how to invoke the helper and how to return the credentials is defined by the external tool; also, the configuration how to use the helper is tool-specific.
The Gradle build in this repository produces multiple executables in different modules making use of Kotlin Native. The binaries are included in the ORT Server worker container images, so that they are available in the single steps of a run. They could also be used in other contexts though. Typically, they implement specific functionality required for ORT Server which is not part of already existing credential helper implementations.
The implementation strategy is to have a common framework that defines the format of the credentials and provides the logic to match them against requested URLs. Concrete credential helper implementations then mainly focus on the protocol used by the external tool they interact with.
Since the credential helpers have their own release cycle and can be used independently of ORT Server, they are hosted in a separate repository.
This is a credentials helper implementation for Git. It uses the same .git-credentials file as the built-in Git credential helper, but adds support for multiple entries with the same host, but different paths. This is needed for ORT Server, which has to support hosting platforms used by different development teams with different credentials. The implementation tries to find the best-matching entry for a given URL based on the host and path. For instance, given the following entries in the credentials file:
https://user1:password1@github.com
https://user2:password2@github.com/org1
https://user3:password3@github.com/org1/repo1.git
- a request for the URL
https://github.com/org1/repo1.gitwould return the credentialsuser3:password3(full match) - a request for the URL
https://github.com/org1/another-repo.gitwould return the credentialsuser2:password2(match for the organization) - a request for the URL
https://github.com/another-org/repo1.gitwould return the credentialsuser1:password1(match for the host)
To use the credential helper for GIT, add the following configuration to .gitconfig:
[credential]
helper = "/path/to/executable/credentialhelper.kexe"
useHttpPath = true
This implementation targets Bazel.
Bazel can use .netrc files to retrieve credentials for HTTP requests. However, this has the limitation of supporting only one entry per host, which is not sufficient for ORT Server. It is, however, possible to configure Bazel to use an external credential helper for HTTP requests, which has to follow the credential helpers specification. The binary produced by this module implements this specification and works around the limitations of the .netrc file.
The Bazel credential helper shares the same configuration format as the Git credential helper. Also, the matching logic is the same.
To use the credential helper for Bazel, add the following configuration to .bazelrc:
common --credential_helper=/path/to/executable/bazel_cred_helper.kexe