bearer token only for git repos

Signed-off-by: reggie-k <[email protected]>
reggie-k · Jan 17, 2025 · c2c8d92 · c2c8d92
1 parent 986cbb7
commit c2c8d92
Show file tree

Hide file tree

Showing 11 changed files with 235 additions and 286 deletions.
diff --git a/cmd/argocd/commands/admin/repo.go b/cmd/argocd/commands/admin/repo.go
@@ -24,14 +24,6 @@ const (
 	repoSecretPrefix = "repo"
 )
 
-func validateBearerTokenAndPasswordCombo(bearerToken string, password string) {
-	// Either the password or the bearer token must be set, but not both
-	if bearerToken != "" && password != "" {
-		err := stderrors.New("only --bearer-token or --password is allowed, not both")
-		errors.CheckError(err)
-	}
-}
-
 func NewRepoCommand() *cobra.Command {
 	command := &cobra.Command{
 		Use:   "repo",
@@ -148,7 +140,8 @@ func NewGenRepoSpecCommand() *cobra.Command {
 				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
 			}
 
-			validateBearerTokenAndPasswordCombo(repoOpts.Repo.BearerToken, repoOpts.Repo.Password)
+			cmdutil.ValidateBearerTokenAndPasswordCombo(repoOpts.Repo.BearerToken, repoOpts.Repo.Password)
+			cmdutil.ValidateBearerTokenForGitOnly(repoOpts.Repo.BearerToken, repoOpts.Repo.Type)
 
 			argoCDCM := &corev1.ConfigMap{
 				TypeMeta: metav1.TypeMeta{

diff --git a/cmd/argocd/commands/admin/repo_test.go b/cmd/argocd/commands/admin/repo_test.go
diff --git a/cmd/argocd/commands/repo.go b/cmd/argocd/commands/repo.go
@@ -22,14 +22,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/io"
 )
 
-func validateBearerTokenAndPasswordCombo(bearerToken string, password string) {
-	// Either the password or the bearer token must be set, but not both
-	if bearerToken != "" && password != "" {
-		err := stderrors.New("only --bearer-token or --password is allowed, not both")
-		errors.CheckError(err)
-	}
-}
-
 // NewRepoCommand returns a new instance of an `argocd repo` command
 func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command := &cobra.Command{
@@ -204,7 +196,8 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
 			}
 
-			validateBearerTokenAndPasswordCombo(repoOpts.Repo.BearerToken, repoOpts.Repo.Password)
+			cmdutil.ValidateBearerTokenAndPasswordCombo(repoOpts.Repo.BearerToken, repoOpts.Repo.Password)
+			cmdutil.ValidateBearerTokenForGitOnly(repoOpts.Repo.BearerToken, repoOpts.Repo.Type)
 
 			// We let the server check access to the repository before adding it. If
 			// it is a private repo, but we cannot access with with the credentials

diff --git a/cmd/argocd/commands/repo_test.go b/cmd/argocd/commands/repo_test.go
diff --git a/cmd/argocd/commands/repocreds.go b/cmd/argocd/commands/repocreds.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/argoproj/argo-cd/v3/cmd/argocd/commands/headless"
 	"github.com/argoproj/argo-cd/v3/cmd/argocd/commands/utils"
+	cmdutil "github.com/argoproj/argo-cd/v3/cmd/util"
 	"github.com/argoproj/argo-cd/v3/common"
 	argocdclient "github.com/argoproj/argo-cd/v3/pkg/apiclient"
 	repocredspkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/repocreds"
@@ -49,16 +50,6 @@ func NewRepoCredsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 	return command
 }
 
-func validateBearerTokenForHTTPSRepoOnly(bearerToken string, isHTTPS bool) {
-	// Specifying bearerToken is only valid for HTTPS repositories
-	if bearerToken != "" {
-		if !isHTTPS {
-			err := stderrors.New("--bearer-token is only supported for HTTPS repositories")
-			errors.CheckError(err)
-		}
-	}
-}
-
 // NewRepoCredsAddCommand returns a new instance of an `argocd repocreds add` command
 func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -170,15 +161,16 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 			defer io.Close(conn)
 
 			// Specifying bearerToken is only valid for HTTPS repositories
-			validateBearerTokenForHTTPSRepoOnly(repo.BearerToken, git.IsHTTPSURL(repo.URL))
+			cmdutil.ValidateBearerTokenForHTTPSRepoOnly(repo.BearerToken, git.IsHTTPSURL(repo.URL))
 
 			// If the user set a username, but didn't supply password via --password,
 			// then we prompt for it
 			if repo.Username != "" && repo.Password == "" {
 				repo.Password = cli.PromptPassword(repo.Password)
 			}
 
-			validateBearerTokenAndPasswordCombo(repo.BearerToken, repo.Password)
+			cmdutil.ValidateBearerTokenAndPasswordCombo(repo.BearerToken, repo.Password)
+			cmdutil.ValidateBearerTokenForGitOnly(repo.BearerToken, repo.Type)
 
 			repoCreateReq := repocredspkg.RepoCredsCreateRequest{
 				Creds:  &repo,

diff --git a/cmd/argocd/commands/repocreds_test.go b/cmd/argocd/commands/repocreds_test.go
diff --git a/cmd/util/common.go b/cmd/util/common.go
@@ -1,6 +1,38 @@
 package util
 
+import (
+	stderrors "errors"
+
+	"github.com/argoproj/argo-cd/v3/util/errors"
+)
+
 var (
 	LogFormat string
 	LogLevel  string
 )
+
+func ValidateBearerTokenForHTTPSRepoOnly(bearerToken string, isHTTPS bool) {
+	// Bearer token is only valid for HTTPS repositories
+	if bearerToken != "" {
+		if !isHTTPS {
+			err := stderrors.New("--bearer-token is only supported for HTTPS repositories")
+			errors.CheckError(err)
+		}
+	}
+}
+
+func ValidateBearerTokenForGitOnly(bearerToken string, repoType string) {
+	// Bearer token is only valid for Git repositories
+	if bearerToken != "" && repoType != "git" {
+		err := stderrors.New("--bearer-token is only supported for Git repositories")
+		errors.CheckError(err)
+	}
+}
+
+func ValidateBearerTokenAndPasswordCombo(bearerToken string, password string) {
+	// Either the password or the bearer token must be set, but not both
+	if bearerToken != "" && password != "" {
+		err := stderrors.New("only --bearer-token or --password is allowed, not both")
+		errors.CheckError(err)
+	}
+}