Add main logic, unit test and integration test for build controller validates spec.source.url

refine the main logic of build validates sourceURL

return validate error and update error

only return updateError when validate sourceURL failed

rename verify sourceURL annotation and make verifySourceURL by default

update test cases again

revert verifySourceURL

verify sourceURL by default

add unit test for validateSourceURL

return a same error when list remote repo failed

output different errors and update tests

Signed-off-by: Enrique Encalada <encalada@de.ibm.com>

Author: xiujuan95

pkg/apis/build/v1alpha1/build_types.go

@@ -22,6 +22,11 @@ const (
 	// AnnotationBuildRefSecret is an annotation that tells the Build Controller to reconcile on
 	// events of the secret only if is referenced by a Build in the same namespace
 	AnnotationBuildRefSecret = "build.build.dev/referenced.secret"
+
+	// AnnotationBuildVerifyRepository tells the Build Controller to check a remote repository. If the annotation is not set
+	// or has a value of 'true', the controller triggers the validation. A value of 'false' means the controller
+	// will bypass checking the remote repository.
+	AnnotationBuildVerifyRepository = "build.build.dev/verify.repository"
 )
 
 // BuildSpec defines the desired state of Build

pkg/controller/build/build_controller.go

@@ -32,6 +32,7 @@ import (
 	"github.com/shipwright-io/build/pkg/config"
 	"github.com/shipwright-io/build/pkg/controller/utils"
 	"github.com/shipwright-io/build/pkg/ctxlog"
+	"github.com/shipwright-io/build/pkg/git"
 	buildmetrics "github.com/shipwright-io/build/pkg/metrics"
 )
 
@@ -240,6 +241,17 @@ func (r *ReconcileBuild) Reconcile(request reconcile.Request) (reconcile.Result,
 	b.Status.Registered = corev1.ConditionFalse
 	b.Status.Reason = succeedStatus
 
+	// Validate if remote repository exists
+	if b.Spec.Source.SecretRef == nil {
+		if err := r.validateSourceURL(ctx, b, b.Spec.Source.URL); err != nil {
+			b.Status.Reason = err.Error()
+			if updateErr := r.client.Status().Update(ctx, b); updateErr != nil {
+				return reconcile.Result{}, updateErr
+			}
+			return reconcile.Result{}, nil
+		}
+	}
+
 	// Validate if the referenced secrets exist in the namespace
 	var secretNames []string
 	if b.Spec.Output.SecretRef != nil && b.Spec.Output.SecretRef.Name != "" {
@@ -459,6 +471,21 @@ func (r *ReconcileBuild) validateBuildRunOwnerReferences(ctx context.Context, b
 	return nil
 }
 
+// validateSourceURL returns error message if remote repository doesn't exist
+func (r *ReconcileBuild) validateSourceURL(ctx context.Context, b *build.Build, sourceURL string) error {
+	switch b.GetAnnotations()[build.AnnotationBuildVerifyRepository] {
+	case "", "true":
+		return git.ValidateGitURLExists(sourceURL)
+	case "false":
+		ctxlog.Info(ctx, fmt.Sprintf("the annotation %s is set to %s, nothing to do", build.AnnotationBuildVerifyRepository, b.GetAnnotations()[build.AnnotationBuildVerifyRepository]))
+		return nil
+	default:
+		var annoErr = fmt.Errorf("the annotation %s was not properly defined, supported values are true or false", build.AnnotationBuildVerifyRepository)
+		ctxlog.Error(ctx, annoErr, namespace, b.Namespace, name, b.Name)
+		return annoErr
+	}
+}
+
 // validateOwnerReferences returns an index value if a Build is owning a reference or -1 if this is not the case
 func (r *ReconcileBuild) validateBuildOwnerReference(references []metav1.OwnerReference, build *build.Build) int {
 	for i, ownerRef := range references {

pkg/controller/build/build_controller_test.go

@@ -511,5 +511,115 @@ var _ = Describe("Reconcile Build", func() {
 				Expect(reconcile.Result{}).To(Equal(result))
 			})
 		})
+
+		Context("when source URL is specified", func() {
+			// validate file protocol
+			It("fails when source URL is invalid", func() {
+				buildSample.Spec.Source.URL = "foobar"
+
+				// Fake some client LIST calls and ensure we populate all
+				// different resources we could get during reconciliation
+				client.ListCalls(func(context context.Context, object runtime.Object, _ ...crc.ListOption) error {
+					switch object := object.(type) {
+					case *corev1.SecretList:
+						list := ctl.FakeSecretList()
+						list.DeepCopyInto(object)
+					case *build.ClusterBuildStrategyList:
+						list := ctl.ClusterBuildStrategyList(buildStrategyName)
+						list.DeepCopyInto(object)
+					}
+					return nil
+				})
+
+				statusCall := ctl.StubFunc(corev1.ConditionFalse, "invalid source url")
+				statusWriter.UpdateCalls(statusCall)
+
+				_, err := reconciler.Reconcile(request)
+				Expect(err).To(BeNil())
+				Expect(statusWriter.UpdateCallCount()).To(Equal(1))
+			})
+
+			// validate https protocol
+			It("fails when public source URL is unreachable", func() {
+				buildSample.Spec.Source.URL = "https://github.com/sbose78/taxi-fake"
+
+				// Fake some client LIST calls and ensure we populate all
+				// different resources we could get during reconciliation
+				client.ListCalls(func(context context.Context, object runtime.Object, _ ...crc.ListOption) error {
+					switch object := object.(type) {
+					case *corev1.SecretList:
+						list := ctl.FakeSecretList()
+						list.DeepCopyInto(object)
+					case *build.ClusterBuildStrategyList:
+						list := ctl.ClusterBuildStrategyList(buildStrategyName)
+						list.DeepCopyInto(object)
+					}
+					return nil
+				})
+
+				statusCall := ctl.StubFunc(corev1.ConditionFalse, "remote repository unreachable")
+				statusWriter.UpdateCalls(statusCall)
+
+				_, err := reconciler.Reconcile(request)
+				Expect(err).To(BeNil())
+				Expect(statusWriter.UpdateCallCount()).To(Equal(1))
+			})
+
+			// skip validation because of false sourceURL annotation
+			It("succeed when source URL is invalid because source annotation is false", func() {
+				buildSample = ctl.BuildWithClusterBuildStrategyAndFalseSourceAnnotation(buildName, namespace, buildStrategyName)
+
+				// Fake some client LIST calls and ensure we populate all
+				// different resources we could get during reconciliation
+				client.ListCalls(func(context context.Context, object runtime.Object, _ ...crc.ListOption) error {
+					switch object := object.(type) {
+					case *corev1.SecretList:
+						list := ctl.FakeSecretList()
+						list.DeepCopyInto(object)
+					case *build.ClusterBuildStrategyList:
+						list := ctl.ClusterBuildStrategyList(buildStrategyName)
+						list.DeepCopyInto(object)
+					}
+					return nil
+				})
+
+				statusCall := ctl.StubFunc(corev1.ConditionTrue, "Succeeded")
+				statusWriter.UpdateCalls(statusCall)
+
+				result, err := reconciler.Reconcile(request)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(statusWriter.UpdateCallCount()).To(Equal(1))
+				Expect(reconcile.Result{}).To(Equal(result))
+			})
+
+			// skip validation because build references a sourceURL secret
+			It("succeed when source URL is fake private URL because build reference a sourceURL secret", func() {
+				buildSample := ctl.BuildWithClusterBuildStrategyAndSourceSecret(buildName, namespace, buildStrategyName)
+				buildSample.Spec.Source.URL = "https://github.yourco.com/org/build-fake"
+				buildSample.Spec.Source.SecretRef.Name = registrySecret
+
+				// Fake some client LIST calls and ensure we populate all
+				// different resources we could get during reconciliation
+				client.ListCalls(func(context context.Context, object runtime.Object, _ ...crc.ListOption) error {
+					switch object := object.(type) {
+					case *corev1.SecretList:
+						list := ctl.SecretList(registrySecret)
+						list.DeepCopyInto(object)
+					case *build.ClusterBuildStrategyList:
+						list := ctl.ClusterBuildStrategyList(buildStrategyName)
+						list.DeepCopyInto(object)
+					}
+					return nil
+				})
+
+				statusCall := ctl.StubFunc(corev1.ConditionTrue, "Succeeded")
+				statusWriter.UpdateCalls(statusCall)
+
+				result, err := reconciler.Reconcile(request)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(statusWriter.UpdateCallCount()).To(Equal(1))
+				Expect(reconcile.Result{}).To(Equal(result))
+			})
+		})
 	})
 })

pkg/git/git.go

@@ -0,0 +1,58 @@
+// Copyright The Shipwright Contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package git
+
+import (
+	"fmt"
+
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/storage/memory"
+
+	gogitv5 "github.com/go-git/go-git/v5"
+)
+
+const (
+	defaultRemote = "origin"
+	httpsProtocol = "https"
+	httpProtocol  = "http"
+	fileProtocol  = "file"
+	gitProtocol   = "ssh"
+)
+
+// ValidateGitURLExists validate if a source URL exists or not
+// Note: We have an upcoming PR for the Build Status, where we
+// intend to define a single Status.Reason in the form of 'remoteRepositoryUnreachable',
+// where the Status.Message will contain the longer text, like 'invalid source url
+func ValidateGitURLExists(urlPath string) error {
+
+	endpoint, err := transport.NewEndpoint(urlPath)
+	if err != nil {
+		return err
+	}
+
+	switch endpoint.Protocol {
+	case httpsProtocol, httpProtocol:
+		repo := gogitv5.NewRemote(memory.NewStorage(), &config.RemoteConfig{
+			Name: defaultRemote,
+			URLs: []string{urlPath},
+		})
+		// Note: When the urlPath is an valid public path, however, this path doesn't exist, func will return `authentication required`, this maybe mislead
+		// So convert this error message to `repository not found`
+		_, err := repo.List(&gogitv5.ListOptions{})
+		if err != nil && err == transport.ErrAuthenticationRequired {
+			return fmt.Errorf("remote repository unreachable")
+		} else if err != nil {
+			return err
+		}
+	case fileProtocol:
+		return fmt.Errorf("invalid source url")
+	case gitProtocol:
+		return fmt.Errorf("the source url requires authentication")
+	default:
+		return nil
+	}
+	return nil
+}

pkg/git/git_suite_test.go

@@ -0,0 +1,17 @@
+// Copyright The Shipwright Contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package git_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestGit(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Git Suite")
+}

pkg/git/git_test.go

@@ -0,0 +1,29 @@
+// Copyright The Shipwright Contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package git_test
+
+import (
+	"errors"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/extensions/table"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/types"
+	"github.com/shipwright-io/build/pkg/git"
+)
+
+var _ = Describe("Git", func() {
+
+	DescribeTable("the source url validation errors",
+		func(url string, expected types.GomegaMatcher) {
+			Expect(git.ValidateGitURLExists(url)).To(expected)
+		},
+		Entry("Check remote https public repository", "https://github.com/shipwright-io/build", BeNil()),
+		Entry("Check remote fake https public repository", "https://github.com/shipwright-io/build-fake", Equal(errors.New("remote repository unreachable"))),
+		Entry("Check invalid repository", "foobar", Equal(errors.New("invalid source url"))),
+		Entry("Check git repository which requires authentication", "git@github.com:shipwright-io/build-fake.git", Equal(errors.New("the source url requires authentication"))),
+		Entry("Check ssh repository which requires authentication", "ssh://github.com/shipwright-io/build-fake", Equal(errors.New("the source url requires authentication"))),
+	)
+})

test/build_samples.go

@@ -214,6 +214,33 @@ spec:
     image: image-registry.openshift-image-registry.svc:5000/example/buildpacks-app
 `
 
+// BuildCBSWithVerifyRepositoryAnnotation defines a Build
+// with the verify repository annotation key
+const BuildCBSWithVerifyRepositoryAnnotation = `
+apiVersion: build.dev/v1alpha1
+kind: Build
+metadata:
+  annotations:
+    build.build.dev/verify.repository: ""
+spec:
+  strategy:
+    kind: ClusterBuildStrategy
+  output:
+    image: image-registry.openshift-image-registry.svc:5000/example/buildpacks-app
+`
+
+// BuildCBSWithoutVerifyRepositoryAnnotation defines a minimal
+// Build without source url and annotation
+const BuildCBSWithoutVerifyRepositoryAnnotation = `
+apiVersion: build.dev/v1alpha1
+kind: Build
+spec:
+  strategy:
+    kind: ClusterBuildStrategy
+  output:
+    image: image-registry.openshift-image-registry.svc:5000/example/buildpacks-app
+`
+
 // BuildCBSWithBuildRunDeletion defines a Build with a
 // ClusterBuildStrategy and the annotation for automatic BuildRun
 // deletion