Fix Git LFS SSH issues

* Adds support for NIX_SSHOPTS * Properly uses the parsed port from URL (fixes #13337) * Don't guess the HTTP endpoint, use the response of git-lfs-authenticate * Add an SSH Git LFS test * Removed some unused test code
2025-12-15 13:31:05 +01:00 · 2025-08-13 16:40:55 +02:00 · 2025-08-13 16:40:55 +02:00 · ccf658ed5c
commit ccf658ed5c
parent 68839b9545
7 changed files with 128 additions and 85 deletions
--- a/tests/nixos/fetch-git/test-cases/lfs/default.nix
+++ b/tests/nixos/fetch-git/test-cases/lfs/default.nix
@ -224,5 +224,25 @@
        """)

    client.succeed(f"cmp {repo.path}/beeg {fetched_self_lfs}/beeg >&2")
+
+
+    with subtest("Ensure fetching with SSH generates the same output"):
+      client.succeed(f"{repo.git} push origin-ssh main >&2")
+      client.succeed("rm -rf ~/.cache/nix") # Avoid using the cached output of the http fetch
+
+      fetchGit_ssh_expr = f"""
+        builtins.fetchGit {{
+          url = "{repo.remote_ssh}";
+          rev = "{lfs_file_rev}";
+          ref = "main";
+          lfs = true;
+        }}
+      """
+      fetched_ssh = client.succeed(f"""
+        nix eval --debug --impure --raw --expr '({fetchGit_ssh_expr}).outPath'
+      """)
+
+      assert fetched_ssh == fetched_lfs, \
+        f"fetching with ssh (store path {fetched_ssh}) yielded a different result than using http (store path {fetched_lfs})"
  '';
 }
--- a/tests/nixos/fetch-git/testsupport/gitea-repo.nix
+++ b/tests/nixos/fetch-git/testsupport/gitea-repo.nix
@ -49,19 +49,15 @@ in
          self.name = name
          self.path = "/tmp/repos/" + name
          self.remote = "http://gitea:3000/test/" + name
-          self.remote_ssh = "ssh://gitea/root/" + name
+          self.remote_ssh = "ssh://gitea:3001/test/" + name
          self.git = f"git -C {self.path}"
          self.private = private
          self.create()

        def create(self):
-          # create ssh remote repo
+          # create remote repo
          gitea.succeed(f"""
-            git init --bare -b main /root/{self.name}
-          """)
-          # create http remote repo
-          gitea.succeed(f"""
-            curl --fail -X POST http://{gitea_admin}:{gitea_admin_password}@gitea:3000/api/v1/user/repos \
+            curl --fail -X POST http://{gitea_user}:{gitea_password}@gitea:3000/api/v1/user/repos \
              -H 'Accept: application/json' -H 'Content-Type: application/json' \
              -d {shlex.quote( f'{{"name":"{self.name}", "default_branch": "main", "private": {boolToJSON(self.private)}}}' )}
          """)
@ -70,7 +66,7 @@ in
            mkdir -p {self.path} \
            && git init -b main {self.path} \
            && {self.git} remote add origin {self.remote} \
-            && {self.git} remote add origin-ssh root@gitea:{self.name}
+            && {self.git} remote add origin-ssh {self.remote_ssh}
          """)
    '';
  };
--- a/tests/nixos/fetch-git/testsupport/gitea.nix
+++ b/tests/nixos/fetch-git/testsupport/gitea.nix
@ -35,28 +35,20 @@ in
          server = {
            DOMAIN = "gitea";
            HTTP_PORT = 3000;
+            SSH_PORT = 3001;
+            START_SSH_SERVER = true;
          };
          log.LEVEL = "Info";
          database.LOG_SQL = false;
        };
-        services.openssh.enable = true;
-        networking.firewall.allowedTCPPorts = [ 3000 ];
+        networking.firewall.allowedTCPPorts = [
+          3000
+          3001
+        ];
        environment.systemPackages = [
          pkgs.git
          pkgs.gitea
        ];
-
-        users.users.root.openssh.authorizedKeys.keys = [ clientPublicKey ];
-
-        # TODO: remove this after updating to nixos-23.11
-        nixpkgs.pkgs = lib.mkForce (
-          import nixpkgs {
-            inherit system;
-            config.permittedInsecurePackages = [
-              "gitea-1.19.4"
-            ];
-          }
-        );
      };
    client =
      { pkgs, ... }:
@ -67,38 +59,33 @@ in
        ];
      };
  };
-  defaults =
-    { pkgs, ... }:
-    {
-      environment.systemPackages = [ pkgs.jq ];
-    };

  setupScript = ''
    import shlex

    gitea.wait_for_unit("gitea.service")

-    gitea_admin = "test"
-    gitea_admin_password = "test123test"
+    gitea_user = "test"
+    gitea_password = "test123test"

    gitea.succeed(f"""
      gitea --version >&2
      su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin user create \
-        --username {gitea_admin} --password {gitea_admin_password} --email test@client'
+        --username {gitea_user} --password {gitea_password} --email test@client'
    """)

    client.wait_for_unit("multi-user.target")
    gitea.wait_for_open_port(3000)
+    gitea.wait_for_open_port(3001)

-    gitea_admin_token = gitea.succeed(f"""
-      curl --fail -X POST http://{gitea_admin}:{gitea_admin_password}@gitea:3000/api/v1/users/test/tokens \
+    gitea.succeed(f"""
+      curl --fail -X POST http://{gitea_user}:{gitea_password}@gitea:3000/api/v1/user/keys \
        -H 'Accept: application/json' -H 'Content-Type: application/json' \
-        -d {shlex.quote( '{"name":"token", "scopes":["all"]}' )} \
-        | jq -r '.sha1'
-    """).strip()
+        -d {shlex.quote( '{"title":"key", "key":"${clientPublicKey}", "read_only": false}' )} >&2
+    """)

    client.succeed(f"""
-      echo "http://{gitea_admin}:{gitea_admin_password}@gitea:3000" >~/.git-credentials-admin
+      echo "http://{gitea_user}:{gitea_password}@gitea:3000" >~/.git-credentials-admin
      git config --global credential.helper 'store --file ~/.git-credentials-admin'
      git config --global user.email "test@client"
      git config --global user.name "Test User"
@ -118,13 +105,7 @@ in
      echo "Host gitea" >>~/.ssh/config
      echo "  StrictHostKeyChecking no" >>~/.ssh/config
      echo "  UserKnownHostsFile /dev/null" >>~/.ssh/config
-      echo "  User root" >>~/.ssh/config
+      echo "  User gitea" >>~/.ssh/config
    """)
-
-    # ensure ssh from client to gitea works
-    client.succeed("""
-      ssh root@gitea true
-    """)
-
  '';
 }