Add git_helpers.py w/ function for safe directory handling

[taldcroft]

Description

See https://chandramission.slack.com/archives/G01LN40AXPG/p1688129800711439 for context. See also this blog for more info. Long story short is that git made a security update which requires setting a git config safe.directory in order to do any git operations on a git repo that is not owned by the user running the git command. This would break or greatly slow down the current infrastructure for accessing chandra_models data.

Instead this PR provides a convenient mechanism to restore shared access for select git repos in CXC operations. In practice this is expected to apply only to the chandra_models shared repo. This implies that CXC users trust that the owners of the chandra_models repo to not be placing malicious content in the repo.

If the user config does not permit safe access to the requested chandra_models repo then the user ~/.gitconfig file will be updated (via git config --global) to mark that directory (and only that directory) as safe for access as a non-owner. A warning message to that effect is issued.

On HEAD linux this typically results in adding the following two lines to ~/.gitconfig:

[safe]
	directory = /proj/sot/ska/data/chandra_models

Bonus function utils.get_owner(path)

I needed a platform-independent way to get the user name, which landed in ska_helpers.utils. l'm not sure if this is the only or best way, but it appears to work. Interestingly, if I ask for the owner of a VM-shared directory on Windows it returns "Everyone".

Interface impacts

This may update the user's ~/.gitconfig. See above.

Testing

Unit and functional tests

• Mac (at 35991b8)
• Linux (on HEAD as user aldcroft with ska3-flight 2023.1 activated, otherwise vanilla) (at 35991b8)
• Windows (at 21ba07c)

Mac

ska_helpers/tests/test_git_helpers.py::test_make_git_repo_safe SKIPPED (Chandra models dir ownership is OK)                         [ 43%]

Linux HEAD

The relevant unit test ran to completion and passed (indicating it found a chandra_models with a different owner, verified the not safe condition and then fixed it):

ska_helpers/tests/test_git_helpers.py::test_make_git_repo_safe PASSED                                 [100%]

Note that four tests of ska_helpers.chandra_models failed due the git safe problem. To test correcting this I did:

ipython
>>> from ska_helpers.git_helpers import make_git_repo_safe
>>> from ska_helpers import paths
>>> make_git_repo_safe(paths.chandra_models_repo_path())

This produced the expected warning and updated my ~/.gitconfig to add these two lines:

[safe]
	directory = /proj/sot/ska/data/chandra_models

After doing this then the original four failing tests now pass.

Windows

ska_helpers/tests/test_git_helpers.py::test_make_git_repo_safe PASSED                                            [100%]

Independent check of unit tests by Jean

• Linux

Functional tests

Ran this on Windows where every VM-shared repo is considered unsafe. For example:

In [6]: from ska_helpers.git_helpers import make_git_repo_safe

In [7]: make_git_repo_safe(r'y:\data\chandra_models')
<ipython-input-7-3979d908222d>:1: UserWarning: Updating git config to allow read-only git operations on trusted repository y:\data\chandra_models. Contact Ska team for questions.
  make_git_repo_safe(r'y:\data\chandra_models')

In [8]: make_git_repo_safe(r'y:\data\chandra_models')
# Second time it is already safe

OSX - JC - I can confirm that after changing the permission on /Users/jean/git/chandra_models that this worked as expected

In [1]: from ska_helpers.git_helpers import make_git_repo_safe

In [2]: make_git_repo_safe('/Users/jean/git/chandra_models')
<ipython-input-2-3a5454f91216>:1: UserWarning: Updating git config to allow read-only git operations on trusted repository /Users/jean/git/chandra_models. Contact Ska team for questions.
  make_git_repo_safe('/Users/jean/git/chandra_models')

And that the correct safe directory entry was added to my .gitconfig.

[taldcroft]

As for a unit test, there appears to be no way to change the configuration directories that are read by git.

The only thing I can think of is a test only on HEAD which temporarily moves (in a context manager) the user config ~/.gitconfig off to the side. Then running make_git_repo_safe("/proj/sot/ska/data/chandra_models") by any user but aca should generate a new ~/.gitconfig with the expected safe directory setting.

[javierggt]

an alternative is to change the HOME variable within the context, instead of moving the user's .gitconfig

[jeanconn]

Regarding "As for a unit test, there appears to be no way to change the configuration directories that are read by git", I thought the GIT_CONFIG_SYSTEM and GIT_CONFIG_something (GLOBAL) could be used, but I didn't explore that after we decided not to use use them for a solution.

[jeanconn]

I think this makes sense, so the boxes just need to get done and remove from WIP status and then ask for another review.

[javierggt]

The following test works for me (using the match string from the previous comment). It works only on HEAD, so the test stills needs some changes.

import pytest
import tempfile
from ska_helpers import git_helpers
import git
import os


# @pytest.mark.filterwarnings("ignore:Updating git config")
def test_make_git_repo_safe():
    with tempfile.TemporaryDirectory() as d, pytest.warns(
        UserWarning, match="Updating git config"
    ):
        os.environ["HOME"] = d
        repo = git.Repo("/proj/sot/ska/data/chandra_models")
        with pytest.raises(git.exc.GitCommandError):
            repo.is_dirty()
        git_helpers.make_git_repo_safe("/proj/sot/ska/data/chandra_models")
        repo.is_dirty()

[taldcroft]

Thanks for the updates @javierggt this is looking pretty close! Can you document your unit testing? I'll try to run the tests as well.

[taldcroft]

Note to @javierggt - os.getlogin() appears to be useless since it returns 'root' for me on Mac. Instead copilot chat told me to use getpass.getuser(), which rang a bell as something I've used before.

[jeanconn]

This didn't work for me on OSX but maybe we don't care. I set my chandra_models directory to be owned by the 'nx' user (because it was a user on my machine).

(ska3-matlab-2023.4rc6) spark:git jean$ ls -ld chandra_models
drwxr-xr-x  10 nx  staff  320 Jul 10 15:40 chandra_models
(ska3-matlab-2023.4rc6) spark:git jean$ cd chandra_models/
(ska3-matlab-2023.4rc6) spark:chandra_models jean$ git log
fatal: detected dubious ownership in repository at '/Users/jean/git/chandra_models'
To add an exception for this directory, call:

	git config --global --add safe.directory /Users/jean/git/chandra_models

and then tried to run the drift model test from chandra_aca with this version of ska_helpers in my path. And my git config hasn't been modified and the test failed.

========================================================================================= short test summary info =========================================================================================
FAILED chandra_aca/tests/test_drift.py::test_get_aca_offsets_legacy - git.exc.GitCommandError: Cmd('git') failed due to: exit code(129)
======================================================================== 1 failed, 16 passed, 165 deselected, 8 warnings in 6.11s =========================================================================
(ska3-matlab-2023.4rc6) spark:chandra_aca jean$ 

But trying to do this on OSX was a pretty contrived test anyway.

[jeanconn]

Oh wait... does this PR just add the helper function? If so, seems like we need another PR to actually do the handling.

[taldcroft]

Oh wait... does this PR just add the helper function? If so, seems like we need another PR to actually do the handling.

I was coming to this realization. I think in all the discussion this final connection to actually use the new functionality got lost. Do'oh! But maybe that is best left as a separate PR.

[jeanconn]

Well, it didn't get lost ... it just sounds like we didn't get around to defining requirements in its evolution from WIP. But that's fine. A new PR to use it is also fine and then functional testing like I tried above should work.

[taldcroft]

Being honest in my mind it really did get lost because 2 hours ago (before your comment) I asked myself the question "where is this used now"? There are so many PR's open that I thought it might be in one of the others but finally came to the conclusion that it was nowhere.

[taldcroft]

@jeanconn @javierggt - I believe this is ready for final review and testing.

[jeanconn]

LGTM