fix: return error on invalid SSH private key instead of silent nil

creydr · creydr · commit 137558314d50 · 2026-05-20T11:04:16.000+02:00
When gitssh.NewPublicKeys failed (e.g. corrupted key),
getSSHClientOptions silently returned nil, causing the clone to proceed
without authentication and fail with a confusing error. Now the key
parse error is propagated through getClientOptions to CloneRepository,
giving users a clear "failed to parse SSH private key" message.
diff --git a/internal/git/manager.go b/internal/git/manager.go
@@ -54,12 +54,17 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 		return nil, fmt.Errorf("failed to create temporary directory: %w", err)
 	}
 
+	clientOpts, err := m.getClientOptions(parsedURL.Scheme, auth)
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure auth: %w", err)
+	}
+
 	repo, err := git.PlainCloneContext(ctx, targetDir, &git.CloneOptions{
 		URL:           repoUrl,
 		ReferenceName: plumbing.ReferenceName(reference),
 		SingleBranch:  true,
 		Depth:         1,
-		ClientOptions: m.getClientOptions(parsedURL.Scheme, auth),
+		ClientOptions: clientOpts,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to clone repo: %w", err)
@@ -78,11 +83,11 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 	}, nil
 }
 
-func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) []client.Option {
+func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) ([]client.Option, error) {
 	if scheme == "ssh" {
 		return m.getSSHClientOptions(authSecret)
 	}
-	return m.getHTTPClientOptions(authSecret)
+	return m.getHTTPClientOptions(authSecret), nil
 }
 
 func (m *managerImpl) getHTTPClientOptions(authSecret map[string][]byte) []client.Option {
@@ -125,21 +130,21 @@ func ensureKnownHostsExists() error {
 	return nil
 }
 
-func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) []client.Option {
+func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) ([]client.Option, error) {
 	privateKey, hasKey := authSecret["sshPrivateKey"]
 	if !hasKey {
 		return []client.Option{
 			client.WithSSHAuth(&gitssh.Password{
 				User:                  "git",
 				HostKeyCallbackHelper: gitssh.HostKeyCallbackHelper{HostKeyCallback: gossh.InsecureIgnoreHostKey()},
 			}),
-		}
+		}, nil
 	}
 
 	password := string(authSecret["sshPrivateKeyPassword"])
 	auth, err := gitssh.NewPublicKeys("git", privateKey, password)
 	if err != nil {
-		return nil
+		return nil, fmt.Errorf("failed to parse SSH private key: %w", err)
 	}
 	auth.HostKeyCallback = gossh.InsecureIgnoreHostKey()
 
@@ -157,5 +162,5 @@ func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) []client
 		}
 	}
 
-	return []client.Option{client.WithSSHAuth(auth)}
+	return []client.Option{client.WithSSHAuth(auth)}, nil
 }
diff --git a/internal/git/manager_test.go b/internal/git/manager_test.go
@@ -20,7 +20,10 @@ JtdGRlLmNzYgECAw==
 func TestGetClientOptions_HTTPToken(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"token": []byte("my-token")}
-	opts := m.getClientOptions("https", secret)
+	opts, err := m.getClientOptions("https", secret)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
@@ -29,31 +32,43 @@ func TestGetClientOptions_HTTPToken(t *testing.T) {
 func TestGetClientOptions_HTTPUsernamePassword(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"username": []byte("user"), "password": []byte("pass")}
-	opts := m.getClientOptions("http", secret)
+	opts, err := m.getClientOptions("http", secret)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
 }
 
 func TestGetClientOptions_HTTPEmpty(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions("https", nil)
+	opts, err := m.getClientOptions("https", nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if opts != nil {
 		t.Fatalf("expected nil options, got %v", opts)
 	}
 }
 
 func TestGetClientOptions_SSHNoSecret(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions(sshScheme, nil)
+	opts, err := m.getClientOptions(sshScheme, nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option for insecure SSH, got %d", len(opts))
 	}
 }
 
 func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions(sshScheme, map[string][]byte{})
+	opts, err := m.getClientOptions(sshScheme, map[string][]byte{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option for insecure SSH, got %d", len(opts))
 	}
@@ -62,7 +77,10 @@ func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte(testEd25519PrivateKey)}
-	opts := m.getClientOptions(sshScheme, secret)
+	opts, err := m.getClientOptions(sshScheme, secret)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
@@ -71,9 +89,9 @@ func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 func TestGetClientOptions_SSHWithInvalidKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte("not-a-valid-key")}
-	opts := m.getClientOptions(sshScheme, secret)
-	if opts != nil {
-		t.Fatalf("expected nil options for invalid key, got %v", opts)
+	_, err := m.getClientOptions(sshScheme, secret)
+	if err == nil {
+		t.Fatal("expected error for invalid SSH key, got nil")
 	}
 }
 
