git-clone: Set up git creds

Supports two formats:
1. .git-credentials and .gitconfig files (copied directly)
2. username and password files (kubernetes.io/basic-auth secret format)

Assisted-by: Claude Opus 4.5
Signed-off-by: Tomáš Nevrlka <tnevrlka@redhat.com>

Author: tnevrlka

pkg/commands/git_clone/git_clone.go

@@ -77,6 +77,11 @@ func (c *GitClone) Run() error {
 		return err
 	}
 
+	// Setup authentication
+	if err := c.setupBasicAuth(); err != nil {
+		return err
+	}
+
 	// Clean checkout directory if requested
 	if c.Params.DeleteExisting {
 		if err := c.cleanCheckoutDir(); err != nil {

pkg/commands/git_clone/setup.go

@@ -2,8 +2,11 @@ package git_clone
 
 import (
 	"fmt"
+	"io"
+	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 
 	l "github.com/konflux-ci/konflux-build-cli/pkg/logger"
 )
@@ -45,24 +48,192 @@ func (c *GitClone) cleanCheckoutDir() error {
 }
 
 // setupGitConfig configures git settings for SSL verification and CA bundle.
+// Uses environment variables instead of git config to avoid modifying global git state.
 func (c *GitClone) setupGitConfig() error {
 	if !c.Params.SSLVerify {
-		l.Logger.Info("Disabling SSL verification (http.sslVerify=false)")
-		if err := c.CliWrappers.GitCli.ConfigLocal("", "http.sslVerify", "false"); err != nil {
-			return fmt.Errorf("failed to configure http.sslVerify: %w", err)
+		l.Logger.Info("Disabling SSL verification (GIT_SSL_NO_VERIFY=true)")
+		if err := os.Setenv("GIT_SSL_NO_VERIFY", "true"); err != nil {
+			return err
 		}
 	}
 
-	caBundlePath := c.Params.CaBundlePath
-	if caBundlePath == "" {
-		caBundlePath = "/mnt/trusted-ca/ca-bundle.crt"
-	}
-	if _, err := os.Stat(caBundlePath); err == nil {
-		l.Logger.Infof("Using mounted CA bundle: %s", caBundlePath)
-		if err := c.CliWrappers.GitCli.ConfigLocal("", "http.sslCAInfo", caBundlePath); err != nil {
-			return fmt.Errorf("failed to configure http.sslCAInfo: %w", err)
+	if c.Params.CaBundlePath != "" {
+		if _, err := os.Stat(c.Params.CaBundlePath); err == nil {
+			l.Logger.Infof("Using CA bundle: %s", c.Params.CaBundlePath)
+			if err := os.Setenv("GIT_SSL_CAINFO", c.Params.CaBundlePath); err != nil {
+				return err
+			}
+		} else {
+			l.Logger.Warnf("CA bundle path specified but not found: %s", c.Params.CaBundlePath)
 		}
 	}
 
 	return nil
 }
+
+// setupBasicAuth sets up git credentials from a basic-auth workspace.
+// Supports two formats:
+// 1. .git-credentials and .gitconfig files (copied directly)
+// 2. username and password files (kubernetes.io/basic-auth secret format)
+func (c *GitClone) setupBasicAuth() error {
+	if c.Params.BasicAuthDirectory == "" {
+		return nil
+	}
+
+	authDir := c.Params.BasicAuthDirectory
+
+	if _, err := os.Stat(authDir); os.IsNotExist(err) {
+		l.Logger.Infof("Basic auth directory not found: %s", authDir)
+		return nil
+	}
+
+	gitCredentialsPath := filepath.Join(authDir, ".git-credentials")
+	gitConfigPath := filepath.Join(authDir, ".gitconfig")
+	usernamePath := filepath.Join(authDir, "username")
+	passwordPath := filepath.Join(authDir, "password")
+
+	destCredentials := filepath.Join(c.internalDir, ".git-credentials")
+	destConfig := filepath.Join(c.internalDir, ".gitconfig")
+
+	// Format 1: .git-credentials and .gitconfig files
+	if fileExists(gitCredentialsPath) && fileExists(gitConfigPath) {
+		l.Logger.Info("Setting up basic auth from .git-credentials and .gitconfig")
+
+		if err := copyFile(gitCredentialsPath, destCredentials, 0400); err != nil {
+			return fmt.Errorf("failed to copy .git-credentials: %w", err)
+		}
+
+		configContent, err := readFileWithLimit(gitConfigPath, maxAuthFileSize)
+		if err != nil {
+			return fmt.Errorf("failed to read .gitconfig: %w", err)
+		}
+		rewritten := rewriteGitConfigCredentialHelper(string(configContent), destCredentials)
+		if err := os.WriteFile(destConfig, []byte(rewritten), 0400); err != nil {
+			return fmt.Errorf("failed to write .gitconfig: %w", err)
+		}
+
+		if err := os.Setenv("GIT_CONFIG_GLOBAL", destConfig); err != nil {
+			return err
+		}
+
+		l.Logger.Info("Basic auth credentials configured")
+		return nil
+	}
+
+	// Format 2: kubernetes.io/basic-auth secret (username and password files)
+	if fileExists(usernamePath) && fileExists(passwordPath) {
+		l.Logger.Info("Setting up basic auth from username/password files")
+
+		username, err := readFileWithLimit(usernamePath, maxAuthFileSize)
+		if err != nil {
+			return fmt.Errorf("failed to read username file: %w", err)
+		}
+
+		password, err := readFileWithLimit(passwordPath, maxAuthFileSize)
+		if err != nil {
+			return fmt.Errorf("failed to read password file: %w", err)
+		}
+
+		parsedURL, err := url.Parse(c.Params.URL)
+		if err != nil {
+			return fmt.Errorf("failed to parse repository URL: %w", err)
+		}
+		hostname := parsedURL.Host
+
+		credentialsContent := fmt.Sprintf("https://%s:%s@%s\n",
+			url.PathEscape(strings.TrimSpace(string(username))),
+			url.PathEscape(strings.TrimSpace(string(password))),
+			hostname)
+
+		if err := os.WriteFile(destCredentials, []byte(credentialsContent), 0400); err != nil {
+			return fmt.Errorf("failed to write .git-credentials: %w", err)
+		}
+
+		gitConfigContent := fmt.Sprintf("[credential \"https://%s\"]\n  helper = store --file=%s\n", hostname, destCredentials)
+		if err := os.WriteFile(destConfig, []byte(gitConfigContent), 0400); err != nil {
+			return fmt.Errorf("failed to write .gitconfig: %w", err)
+		}
+
+		if err := os.Setenv("GIT_CONFIG_GLOBAL", destConfig); err != nil {
+			return err
+		}
+
+		l.Logger.Infof("Basic auth credentials configured for %s", hostname)
+		return nil
+	}
+
+	return fmt.Errorf("unknown basic-auth workspace format: expected .git-credentials/.gitconfig or username/password files")
+}
+
+// rewriteGitConfigCredentialHelper rewrites "helper = store" lines in a git config
+// to include an explicit --file flag pointing to the given credentials path.
+func rewriteGitConfigCredentialHelper(configContent, credentialsPath string) string {
+	lines := strings.Split(configContent, "\n")
+	for i, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "helper = store" {
+			indent := line[:len(line)-len(strings.TrimLeft(line, " \t"))]
+			lines[i] = fmt.Sprintf("%shelper = store --file=%s", indent, credentialsPath)
+		}
+	}
+	return strings.Join(lines, "\n")
+}
+
+// fileExists checks if a file exists and is not a directory.
+func fileExists(path string) bool {
+	info, err := os.Stat(path)
+	if os.IsNotExist(err) {
+		return false
+	}
+	return err == nil && !info.IsDir()
+}
+
+// maxAuthFileSize is the maximum allowed size for auth-related files
+// (.gitconfig, .git-credentials, SSH keys, username, password).
+const maxAuthFileSize = 1 << 20 // 1MB
+
+// readFileWithLimit reads a file, rejecting files larger than maxSize.
+// Uses file-descriptor-based stat and limited read to avoid TOCTOU races.
+func readFileWithLimit(path string, maxSize int64) (data []byte, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if cerr := f.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+
+	info, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	if info.Size() > maxSize {
+		return nil, fmt.Errorf("authentication file exceeds maximum allowed size (%d bytes)", maxSize)
+	}
+
+	// Use LimitReader to enforce the size cap during read, even if the file
+	// was extended between Stat and Read (belt-and-suspenders).
+	data, err = io.ReadAll(io.LimitReader(f, maxSize+1))
+	if err != nil {
+		return nil, err
+	}
+	if int64(len(data)) > maxSize {
+		return nil, fmt.Errorf("authentication file exceeds maximum allowed size (%d bytes)", maxSize)
+	}
+	return data, nil
+}
+
+// copyFile copies a file from src to dest with the specified permissions.
+func copyFile(src, dest string, perm os.FileMode) error {
+	if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
+		return err
+	}
+
+	data, err := readFileWithLimit(src, maxAuthFileSize)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(dest, data, perm)
+}