fix: keep SSH known_hosts temp file alive until repository cleanup

creydr · creydr · commit 32f8e52cd156 · 2026-05-20T13:12:07.000+02:00
The known_hosts temp file was deleted via defer in getSSHClientOptions,
which runs before the SSH connection is established in CloneRepository.
This caused host key verification to fail silently when known_hosts data
was provided.

The temp file is now tracked in Repository.knownHostFile and cleaned up
by Cleanup(). A defer in CloneRepository ensures cleanup on error paths
where no Repository is returned.
diff --git a/internal/git/manager.go b/internal/git/manager.go
@@ -54,10 +54,15 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 		return nil, fmt.Errorf("failed to create temporary directory: %w", err)
 	}
 
-	clientOpts, err := m.getClientOptions(parsedURL.Scheme, auth)
+	clientOpts, tempFile, err := m.getClientOptions(parsedURL.Scheme, auth)
 	if err != nil {
 		return nil, fmt.Errorf("failed to configure auth: %w", err)
 	}
+	defer func() {
+		if err != nil && tempFile != "" {
+			_ = os.Remove(tempFile)
+		}
+	}()
 
 	repo, err := git.PlainCloneContext(ctx, targetDir, &git.CloneOptions{
 		URL:           repoUrl,
@@ -76,18 +81,20 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 	}
 
 	return &Repository{
-		CloneDir: targetDir,
-		SubPath:  subPath,
-		Commit:   head.Hash().String(),
-		Branch:   reference,
+		CloneDir:      targetDir,
+		SubPath:       subPath,
+		Commit:        head.Hash().String(),
+		Branch:        reference,
+		knownHostFile: tempFile,
 	}, nil
 }
 
-func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) ([]client.Option, error) {
+func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) ([]client.Option, string, error) {
 	if scheme == "ssh" {
 		return m.getSSHClientOptions(authSecret)
 	}
-	return m.getHTTPClientOptions(authSecret), nil
+	opts := m.getHTTPClientOptions(authSecret)
+	return opts, "", nil
 }
 
 func (m *managerImpl) getHTTPClientOptions(authSecret map[string][]byte) []client.Option {
@@ -130,37 +137,38 @@ func ensureKnownHostsExists() error {
 	return nil
 }
 
-func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) ([]client.Option, error) {
+func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) ([]client.Option, string, error) {
 	privateKey, hasKey := authSecret["sshPrivateKey"]
 	if !hasKey {
 		return []client.Option{
 			client.WithSSHAuth(&gitssh.Password{
 				User:                  "git",
 				HostKeyCallbackHelper: gitssh.HostKeyCallbackHelper{HostKeyCallback: gossh.InsecureIgnoreHostKey()},
 			}),
-		}, nil
+		}, "", nil
 	}
 
 	password := string(authSecret["sshPrivateKeyPassword"])
 	auth, err := gitssh.NewPublicKeys("git", privateKey, password)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse SSH private key: %w", err)
+		return nil, "", fmt.Errorf("failed to parse SSH private key: %w", err)
 	}
 	auth.HostKeyCallback = gossh.InsecureIgnoreHostKey()
 
+	var tempFilePath string
 	if knownHostsData, ok := authSecret["known_hosts"]; ok {
 		tmpFile, err := os.CreateTemp("", "known_hosts-*")
 		if err == nil {
-			defer os.Remove(tmpFile.Name())
 			if _, err := tmpFile.Write(knownHostsData); err == nil {
 				_ = tmpFile.Close()
-				cb, err := gitssh.NewKnownHostsCallback(tmpFile.Name())
+				tempFilePath = tmpFile.Name()
+				cb, err := gitssh.NewKnownHostsCallback(tempFilePath)
 				if err == nil {
 					auth.HostKeyCallback = cb
 				}
 			}
 		}
 	}
 
-	return []client.Option{client.WithSSHAuth(auth)}, nil
+	return []client.Option{client.WithSSHAuth(auth)}, tempFilePath, nil
 }
diff --git a/internal/git/manager_test.go b/internal/git/manager_test.go
@@ -20,19 +20,22 @@ JtdGRlLmNzYgECAw==
 func TestGetClientOptions_HTTPToken(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"token": []byte("my-token")}
-	opts, err := m.getClientOptions("https", secret)
+	opts, tmpFile, err := m.getClientOptions("https", secret)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
+	if tmpFile != "" {
+		t.Fatalf("expected no temp file, got %s", tmpFile)
+	}
 }
 
 func TestGetClientOptions_HTTPUsernamePassword(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"username": []byte("user"), "password": []byte("pass")}
-	opts, err := m.getClientOptions("http", secret)
+	opts, _, err := m.getClientOptions("http", secret)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -43,7 +46,7 @@ func TestGetClientOptions_HTTPUsernamePassword(t *testing.T) {
 
 func TestGetClientOptions_HTTPEmpty(t *testing.T) {
 	m := &managerImpl{}
-	opts, err := m.getClientOptions("https", nil)
+	opts, _, err := m.getClientOptions("https", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -54,7 +57,7 @@ func TestGetClientOptions_HTTPEmpty(t *testing.T) {
 
 func TestGetClientOptions_SSHNoSecret(t *testing.T) {
 	m := &managerImpl{}
-	opts, err := m.getClientOptions(sshScheme, nil)
+	opts, _, err := m.getClientOptions(sshScheme, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -65,7 +68,7 @@ func TestGetClientOptions_SSHNoSecret(t *testing.T) {
 
 func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 	m := &managerImpl{}
-	opts, err := m.getClientOptions(sshScheme, map[string][]byte{})
+	opts, _, err := m.getClientOptions(sshScheme, map[string][]byte{})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -77,7 +80,7 @@ func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte(testEd25519PrivateKey)}
-	opts, err := m.getClientOptions(sshScheme, secret)
+	opts, _, err := m.getClientOptions(sshScheme, secret)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -89,7 +92,7 @@ func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 func TestGetClientOptions_SSHWithInvalidKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte("not-a-valid-key")}
-	_, err := m.getClientOptions(sshScheme, secret)
+	_, _, err := m.getClientOptions(sshScheme, secret)
 	if err == nil {
 		t.Fatal("expected error for invalid SSH key, got nil")
 	}
diff --git a/internal/git/repository.go b/internal/git/repository.go
@@ -6,16 +6,20 @@ import (
 )
 
 type Repository struct {
-	CloneDir string
-	SubPath  string
-	Commit   string
-	Branch   string
+	CloneDir      string
+	SubPath       string
+	Commit        string
+	Branch        string
+	knownHostFile string
 }
 
 func (r *Repository) Path() string {
 	return path.Join(r.CloneDir, r.SubPath)
 }
 
 func (r *Repository) Cleanup() error {
+	if r.knownHostFile != "" {
+		_ = os.Remove(r.knownHostFile)
+	}
 	return os.RemoveAll(r.CloneDir)
 }

Original file line number	Diff line number	Diff line change
`@@ -6,16 +6,20 @@ import (`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`type Repository struct {`
`9`		`- CloneDir string`
`10`		`- SubPath string`
`11`		`- Commit string`
`12`		`- Branch string`
	`9`	`+ CloneDir string`
	`10`	`+ SubPath string`
	`11`	`+ Commit string`
	`12`	`+ Branch string`
	`13`	`+ knownHostFile string`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`func (r *Repository) Path() string {`
`16`	`17`	`return path.Join(r.CloneDir, r.SubPath)`
`17`	`18`	`}`
`18`	`19`
`19`	`20`	`func (r *Repository) Cleanup() error {`
	`21`	`+ if r.knownHostFile != "" {`
	`22`	`+ _ = os.Remove(r.knownHostFile)`
	`23`	`+ }`
`20`	`24`	`return os.RemoveAll(r.CloneDir)`
`21`	`25`	`}`