`fe9e5c4`

ssh-dispatch: inherit os.Environ() so hooks see SHITHUB_DATABASE_URL

Pre-fix: buildSSHEnv built a minimal explicit env list with just
SHITHUB_USER_ID/USERNAME/REPO_ID/REPO_FULL_NAME/PROTOCOL/REMOTE_IP/
REQUEST_ID/PATH + the safe.directory GIT_CONFIG_* triple.

When git-receive-pack forked the pre-receive hook ('shithubd hook
pre-receive', via the shim in internal/git/hooks/install.go), the
hook called config.Load(nil) and exited with 'DB URL not set'
because SHITHUB_DATABASE_URL wasn't in the env. User saw:

remote: shithub: server error: DB URL not set
remote: shithubd: DB URL not set
! [remote rejected] trunk -> trunk (pre-receive hook declined)

The HTTPS-git path didn't hit this because shithubd-web's systemd
unit sources /etc/shithub/web.env via EnvironmentFile= and
receive-pack inherits the env directly.

Fix: base the SSH env on os.Environ() so the SHITHUB_* config keys
the git-shell-commands wrapper sourced from web.env propagate
through receive-pack into the hook. Push-event metadata
(SHITHUB_USER_ID/REPO_ID/...) is appended after the inheritance
so any stale value in the parent env is shadowed by the dispatcher's
real value (last-wins on duplicate env keys).

PATH no longer needs an explicit copy; it's part of os.Environ().

Tests:
- TestBuildSSHEnv_InheritsParentEnv pins SHITHUB_DATABASE_URL +
SHITHUB_STORAGE__REPOS_ROOT propagation.
- TestBuildSSHEnv_ExplicitOverridesInheritance pins last-wins
semantics on the SHITHUB_REQUEST_ID collision case.

Both run without a DB so they fire on every CI invocation, not
just the dbtest-equipped ones.

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 days ago

SHA: fe9e5c46639af1b0c1f122aa7f68b880d5712eec
Parents: 9f6ec52
Tree: f2ad1d0

2 changed files

Status	File	+	-
M	`internal/git/protocol/ssh_dispatch.go`	29	14
A	`internal/git/protocol/ssh_dispatch_env_test.go`	92	0

internal/git/protocol/ssh_dispatch.gomodified

  	return "shithub: internal error (request_id=" + requestID + ")"
+ }
 -// buildSSHEnv assembles the SHITHUB_* env vars that S14's hooks read.
 -// The shape matches the HTTP path so receive-pack hooks see identical
 -// vars regardless of transport.
 +// buildSSHEnv assembles the env we exec git-{upload,receive}-pack
 +// with. The shape matches the HTTP path so receive-pack hooks see
 +// identical vars regardless of transport.
 +//
 +// We INHERIT os.Environ() rather than building from scratch — the
 +// receive-pack process forks the pre-receive / post-receive hooks
 +// (`shithubd hook ...`), which call config.Load() and need the
 +// SHITHUB_* config keys (DATABASE_URL, REPOS_ROOT, etc.) sourced
 +// from /etc/shithub/web.env via the git-shell-commands wrapper.
 +//
 +// Pre-fix this function returned a minimal explicit list, so the
 +// hook's loadHookCtx exited with "DB URL not set" the moment a
 +// push tried to commit anything. The HTTPS-git path didn't see
 +// this because shithubd-web's systemd unit sources web.env and
 +// receive-pack inherits it directly.
 +//
 +// Push-event metadata (SHITHUB_USER_ID/REPO_ID/...) is appended
 +// AFTER inherited env so the explicit values win on collision.
  func buildSSHEnv(user usersdb.User, ownerName string, repo reposdb.Repo, remoteIP, requestID string) []string {
 -	return []string{
 -		"SHITHUB_USER_ID=" + strconv.FormatInt(user.ID, 10),
 -		"SHITHUB_USERNAME=" + user.Username,
 -		"SHITHUB_REPO_ID=" + strconv.FormatInt(repo.ID, 10),
 -		"SHITHUB_REPO_FULL_NAME=" + ownerName + "/" + repo.Name,
 +	env := os.Environ()
 +	env = append(
 +		env,
 +		"SHITHUB_USER_ID="+strconv.FormatInt(user.ID, 10),
 +		"SHITHUB_USERNAME="+user.Username,
 +		"SHITHUB_REPO_ID="+strconv.FormatInt(repo.ID, 10),
 +		"SHITHUB_REPO_FULL_NAME="+ownerName+"/"+repo.Name,
  		"SHITHUB_PROTOCOL=ssh",
 -		"SHITHUB_REMOTE_IP=" + remoteIP,
 -		"SHITHUB_REQUEST_ID=" + requestID,
 -		// PATH must be inherited so the exec'd git binary can find its
 -		// sub-helpers (git-pack-objects, git-index-pack, etc.).
 -		"PATH=" + os.Getenv("PATH"),
 +		"SHITHUB_REMOTE_IP="+remoteIP,
 +		"SHITHUB_REQUEST_ID="+requestID,
  		// safe.directory: when sshd runs ssh-shell as the `git` user
  		// but the bare repo dir is owned by `shithub`, git's
  		// dubious-ownership check rejects the invocation. We're
  		"GIT_CONFIG_COUNT=1",
  		"GIT_CONFIG_KEY_0=safe.directory",
  		"GIT_CONFIG_VALUE_0=*",
 -	}
 +	)
 +	return env
+ }
  // newRequestID returns a 16-byte hex token suitable for log

internal/git/protocol/ssh_dispatch_env_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package protocol
++
 +import (
 +	"strings"
 +	"testing"
++
 +	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +// TestBuildSSHEnv_InheritsParentEnv pins the contract that
 +// buildSSHEnv extends os.Environ() so SHITHUB_DATABASE_URL (and any
 +// other config var sourced by the git-shell-commands wrapper from
 +// /etc/shithub/web.env) propagates to the exec'd git binary, which
 +// in turn forks pre-receive / post-receive hooks that need it.
 +//
 +// Pre-fix: the function returned a minimal explicit list, so a
 +// `git push` over SSH made it through auth + dispatch + perms but
 +// crashed at the pre-receive hook with "DB URL not set". The HTTPS
 +// path didn't see this because shithubd-web's systemd unit sources
 +// web.env and receive-pack inherits it directly.
 +//
 +// This test does NOT need a database — buildSSHEnv has no side
 +// effects beyond constructing an env slice.
 +func TestBuildSSHEnv_InheritsParentEnv(t *testing.T) {
 +	t.Setenv("SHITHUB_DATABASE_URL", "postgres://test-marker/x")
 +	t.Setenv("SHITHUB_STORAGE__REPOS_ROOT", "/tmp/test-marker-repos")
++
 +	user := usersdb.User{ID: 7, Username: "alice"}
 +	repo := reposdb.Repo{ID: 42, Name: "rcal"}
 +	env := buildSSHEnv(user, "tenseleyflow", repo, "127.0.0.1", "req-deadbeef")
 +	blob := strings.Join(env, "\n")
++
 +	want := []string{
 +		// Inherited config (the regression):
 +		"SHITHUB_DATABASE_URL=postgres://test-marker/x",
 +		"SHITHUB_STORAGE__REPOS_ROOT=/tmp/test-marker-repos",
 +		// Push-event metadata appended after inheritance:
 +		"SHITHUB_USER_ID=7",
 +		"SHITHUB_USERNAME=alice",
 +		"SHITHUB_REPO_ID=42",
 +		"SHITHUB_REPO_FULL_NAME=tenseleyflow/rcal",
 +		"SHITHUB_PROTOCOL=ssh",
 +		"SHITHUB_REMOTE_IP=127.0.0.1",
 +		"SHITHUB_REQUEST_ID=req-deadbeef",
 +		// safe.directory plumbing intact:
 +		"GIT_CONFIG_COUNT=1",
 +		"GIT_CONFIG_KEY_0=safe.directory",
 +		"GIT_CONFIG_VALUE_0=*",
 +	}
 +	for _, w := range want {
 +		if !strings.Contains(blob, w) {
 +			t.Errorf("buildSSHEnv missing %q in:\n%s", w, blob)
 +		}
 +	}
 +}
++
 +// TestBuildSSHEnv_ExplicitOverridesInheritance pins that push-event
 +// metadata wins over an inherited variable of the same name. This
 +// matters if the wrapping process happened to set, e.g.,
 +// SHITHUB_REQUEST_ID — the dispatcher's value (per-push, generated
 +// here) should take precedence so logs aren't cross-contaminated.
 +func TestBuildSSHEnv_ExplicitOverridesInheritance(t *testing.T) {
 +	// Inject a stale SHITHUB_REQUEST_ID into the parent — buildSSHEnv
 +	// must append the real one AFTER os.Environ so Go's last-wins
 +	// behavior on duplicate env keys gives us the real value.
 +	t.Setenv("SHITHUB_REQUEST_ID", "stale-from-parent")
++
 +	user := usersdb.User{ID: 7, Username: "alice"}
 +	repo := reposdb.Repo{ID: 42, Name: "rcal"}
 +	env := buildSSHEnv(user, "tenseleyflow", repo, "127.0.0.1", "real-req-id")
++
 +	// Find both the stale and real entries; the real one MUST come
 +	// after the stale one (last-wins semantics in os/exec).
 +	staleAt, realAt := -1, -1
 +	for i, kv := range env {
 +		switch kv {
 +		case "SHITHUB_REQUEST_ID=stale-from-parent":
 +			staleAt = i
 +		case "SHITHUB_REQUEST_ID=real-req-id":
 +			realAt = i
 +		}
 +	}
 +	if realAt < 0 {
 +		t.Fatalf("buildSSHEnv missing the real SHITHUB_REQUEST_ID")
 +	}
 +	if staleAt >= 0 && realAt < staleAt {
 +		t.Fatalf("real SHITHUB_REQUEST_ID at idx %d but stale at %d — explicit must win", realAt, staleAt)
 +	}
 +}