fix(git): write deploy key to per-deployment path, not root's id_rsa

2026-06-28 07:07:34 +00:00 · 2026-05-27 00:57:07 +03:00
parent dd8a0d501d
commit ddd84e5adc
3 changed files with 149 additions and 30 deletions
@@ -0,0 +1,112 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationSetting;
+use App\Models\GitlabApp;
+use App\Models\PrivateKey;
+
+afterEach(function () {
+    Mockery::close();
+});
+
+/**
+ * Git operations authenticate with the SSH key assigned in the UI. Coolify writes that key to a
+ * per-deployment path (/root/.ssh/id_rsa_coolify_<deployment_uuid>) instead of the shared
+ * /root/.ssh/id_rsa, so it can neither overwrite the server root's own key nor race with other
+ * concurrent operations on the same host. `-o IdentitiesOnly=yes` makes ssh offer only that key.
+ * On the host path an EXIT trap removes the key when the shell finishes; the docker path runs in an
+ * ephemeral container, so it needs no cleanup.
+ */
+$keyPath = '/root/.ssh/id_rsa_coolify_test-deployment-uuid';
+
+it('writes a deploy key to a per-deployment path and cleans it up for ls-remote on the host', function () use ($keyPath) {
+    $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+    $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('deploy_key');
+    $application->shouldReceive('customRepository')->andReturn(['repository' => 'git@gitlab.com:user/repo.git', 'port' => 22]);
+    $application->shouldReceive('getAttribute')->with('private_key')->andReturn($privateKey);
+
+    $result = $application->generateGitLsRemoteCommands('test-deployment-uuid', false);
+
+    expect($result['commands'])
+        ->toContain("tee {$keyPath}")
+        ->toContain("-i {$keyPath} -o IdentitiesOnly=yes")
+        ->toContain("trap 'rm -f {$keyPath}' EXIT") // removed when the shell exits
+        ->not->toContain('tee /root/.ssh/id_rsa >'); // never overwrites the host root's own key
+});
+
+it('writes a deploy key to a per-deployment path for ls-remote inside docker without a trap', function () use ($keyPath) {
+    $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+    $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('deploy_key');
+    $application->shouldReceive('customRepository')->andReturn(['repository' => 'git@gitlab.com:user/repo.git', 'port' => 22]);
+    $application->shouldReceive('getAttribute')->with('private_key')->andReturn($privateKey);
+
+    $result = $application->generateGitLsRemoteCommands('test-deployment-uuid', true);
+
+    expect($result['commands'])
+        ->toContain("tee {$keyPath}")
+        ->toContain("-i {$keyPath} -o IdentitiesOnly=yes")
+        ->not->toContain('trap ') // ephemeral container, no cleanup needed
+        ->not->toContain('tee /root/.ssh/id_rsa >');
+});
+
+it('writes a GitLab source private key to a per-deployment path with cleanup on the host', function () use ($keyPath) {
+    $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+    $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+    $gitlabSource = Mockery::mock(GitlabApp::class)->makePartial();
+    $gitlabSource->shouldReceive('getMorphClass')->andReturn(GitlabApp::class);
+    $gitlabSource->shouldReceive('getAttribute')->with('html_url')->andReturn('https://gitlab.com');
+    $gitlabSource->shouldReceive('getAttribute')->with('privateKey')->andReturn($privateKey);
+    $gitlabSource->shouldReceive('getAttribute')->with('private_key_id')->andReturn(1);
+    $gitlabSource->shouldReceive('getAttribute')->with('custom_port')->andReturn(22);
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('source');
+    $application->shouldReceive('customRepository')->andReturn(['repository' => 'git@gitlab.com:user/repo.git', 'port' => 22]);
+    $application->shouldReceive('getAttribute')->with('source')->andReturn($gitlabSource);
+    $application->source = $gitlabSource;
+
+    $result = $application->generateGitLsRemoteCommands('test-deployment-uuid', false);
+
+    expect($result['commands'])
+        ->toContain("tee {$keyPath}")
+        ->toContain("-i {$keyPath} -o IdentitiesOnly=yes")
+        ->toContain("trap 'rm -f {$keyPath}' EXIT")
+        ->not->toContain('tee /root/.ssh/id_rsa >');
+});
+
+it('writes a deploy key to a per-deployment path and cleans it up when cloning on the host', function () use ($keyPath) {
+    $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+    $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+    $settings = Mockery::mock(ApplicationSetting::class)->makePartial();
+    $settings->shouldReceive('getAttribute')->with('is_git_shallow_clone_enabled')->andReturn(false);
+    $settings->shouldReceive('getAttribute')->with('is_git_submodules_enabled')->andReturn(false);
+    $settings->shouldReceive('getAttribute')->with('is_git_lfs_enabled')->andReturn(false);
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('deploy_key');
+    $application->shouldReceive('customRepository')->andReturn(['repository' => 'git@gitlab.com:user/repo.git', 'port' => 22]);
+    $application->shouldReceive('getAttribute')->with('private_key')->andReturn($privateKey);
+    $application->shouldReceive('getAttribute')->with('settings')->andReturn($settings);
+    $application->shouldReceive('getAttribute')->with('git_commit_sha')->andReturn('HEAD');
+
+    // exec_in_docker = false → the loadComposeFile / host clone path
+    $result = $application->generateGitImportCommands('test-deployment-uuid', 0, null, false);
+
+    expect($result['commands'])
+        ->toContain("tee {$keyPath}")
+        ->toContain("-i {$keyPath} -o IdentitiesOnly=yes")
+        ->toContain("trap 'rm -f {$keyPath}' EXIT")
+        ->not->toContain('tee /root/.ssh/id_rsa >');
+});