fix: handle non-passphrase SSH prompts in askpass script

[vinokurig]

What does this PR do?

Add early exit for SSH prompts that aren't requesting passphrase input. This prevents the askpass script from attempting to provide a passphrase for other SSH prompts like host key verification.

What issues does this PR fix or reference?

fixes eclipse-che/che#23874

Is it tested? How?

1. Apply a DevWorkspace with a private git repository e.g.

apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: private
spec:
  started: true
  template:
    components:
      - container:
          env:
            - name: HOST_USERS
              value: 'true'
          image: 'quay.io/devfile/universal-developer-image:ubi9-latest'
          sourceMapping: /projects
        name: universal-developer-image
    projects:
      - git:
          remotes:
            origin: 'https://github.com/vinokurig/private.git'
        name: private

2. Check the project-clone container logs and see no error messages.

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Bug Fixes
  • Improved SSH askpass handling so it only responds to passphrase prompts for keys.
  • Non-passphrase prompts, such as username/password requests, are now ignored instead of being answered incorrectly.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vinokurig
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @vinokurig. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

ssh-askpass.sh gains a four-line guard that matches the first argument against the pattern "Enter passphrase for key …". Any prompt that does not match—such as an HTTPS username or password request—causes the script to exit silently with status 0.

Changes

ssh-askpass prompt filtering

Layer / File(s)	Summary
Prompt-type guard pkg/provision/workspace/ssh-askpass.sh	Adds a conditional check on the first argument: if it does not match "Enter passphrase for key …", the script exits with status 0 without producing output, preventing the askpass helper from intercepting HTTPS credential prompts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A rabbit guards the gate with care,
Only passphrases may enter there!
HTTPS knocks? No reply, no sound —
The askpass helper stays firmly bound.
Wrong prompt? We hop away! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: skipping non-passphrase SSH prompts in the askpass script.
Linked Issues check	✅ Passed	The change addresses the reported askpass error by ignoring non-passphrase prompts and matches the issue's cloning-startup failure.
Out of Scope Changes check	✅ Passed	The patch is narrowly scoped to ssh-askpass handling and does not introduce unrelated changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[rohanKanojia]

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-5: The askpass guard in ssh-askpass.sh is using a bash-only
conditional even though the script is declared with a POSIX shell shebang.
Update the prompt check in the top-level guard to use POSIX-compatible syntax
such as a case statement, and keep the behavior in the script’s early-exit path
the same so only prompts matching the passphrase prefix continue while all other
prompts exit cleanly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 340019fc-3154-459d-b6e7-ea31c75e11ea

📥 Commits

Reviewing files that changed from the base of the PR and between af782ad and a31023f.

📒 Files selected for processing (1)

• pkg/provision/workspace/ssh-askpass.sh

[coderabbitai]

🎯 Functional Correctness | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the base image / interpreter used for the project-clone container that runs this script
rg -nP -C3 '(project-clone|projectClone|PROJECT_CLONE|/bin/sh|dash|busybox)' --type=go --type=docker -g '!**/vendor/**'
fd -i -e dockerfile
fd -t f 'Dockerfile*' --exec cat -n {}

Repository: devfile/devworkspace-operator

Length of output: 167

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ssh-askpass.sh =="
git ls-files pkg/provision/workspace/ssh-askpass.sh
cat -n pkg/provision/workspace/ssh-askpass.sh

echo
echo "== search for where script is embedded/invoked =="
rg -n --hidden --no-ignore-vcs -C 3 'ssh-askpass\.sh|SSH_ASKPASS|askpass' pkg .github .devcontainer .docker . | sed -n '1,220p'

echo
echo "== locate container/Dockerfile references =="
fd -a -i -e dockerfile -e Dockerfile -t f .
fd -a -t f 'Dockerfile*' .

echo
echo "== search for base image / shell in workspace provisioning =="
rg -n --hidden --no-ignore-vcs -C 3 '(project-clone|projectClone|PROJECT_CLONE|/bin/sh|dash|busybox|alpine|debian|ubuntu)' pkg .github .devcontainer .docker . | sed -n '1,240p'

Repository: devfile/devworkspace-operator

Length of output: 6846

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ssh-askpass.sh =="
git ls-files pkg/provision/workspace/ssh-askpass.sh
cat -n pkg/provision/workspace/ssh-askpass.sh

echo
echo "== search for where script is embedded/invoked =="
rg -n --hidden --no-ignore-vcs -C 3 'ssh-askpass\.sh|SSH_ASKPASS|askpass' pkg .github .devcontainer .docker . | sed -n '1,220p'

echo
echo "== locate container/Dockerfile references =="
fd -a -i -e dockerfile -e Dockerfile -t f .
fd -a -t f 'Dockerfile*' .

echo
echo "== search for base image / shell in workspace provisioning =="
rg -n --hidden --no-ignore-vcs -C 3 '(project-clone|projectClone|PROJECT_CLONE|/bin/sh|dash|busybox|alpine|debian|ubuntu)' pkg .github .devcontainer .docker . | sed -n '1,240p'

Repository: devfile/devworkspace-operator

Length of output: 6846

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== file contents =="
cat -n pkg/provision/workspace/ssh-askpass.sh

echo
echo "== find workspace/container definition files =="
find . -path '*/.git' -prune -o \( -name 'Dockerfile*' -o -name '*.dockerfile' -o -name 'devfile.yaml' -o -name 'devfile.yml' -o -name '.devfile.yaml' -o -name '.devfile.yml' -o -name '*.yaml' -o -name '*.yml' \) -print | sed -n '1,200p'

echo
echo "== grep likely relevant files =="
rg -n --hidden --no-ignore-vcs -C 2 'ssh-askpass\.sh|SSH_ASKPASS|SSH_ASKPASS_REQUIRE|/bin/sh|busybox|alpine|dash' . --glob '!**/vendor/**' --glob '!**/node_modules/**' | sed -n '1,260p'

Repository: devfile/devworkspace-operator

Length of output: 33500

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== project-clone/Dockerfile =="
cat -n project-clone/Dockerfile | sed -n '1,120p'

echo
echo "== workspace-related image references =="
rg -n --hidden --no-ignore-vcs -C 2 '(project-clone|workspace image|workspaceImage|image:|container image|base image|ssh-askpass)' .devfile.yaml deploy pkg controllers build project-clone --glob '!**/vendor/**' | sed -n '1,260p'

Repository: devfile/devworkspace-operator

Length of output: 24263

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== project-clone/Dockerfile =="
cat -n project-clone/Dockerfile | sed -n '1,120p'

echo
echo "== workspace-related image references =="
rg -n --hidden --no-ignore-vcs -C 2 '(project-clone|workspace image|workspaceImage|image:|container image|base image|ssh-askpass)' .devfile.yaml deploy pkg controllers build project-clone --glob '!**/vendor/**' | sed -n '1,260p'

Repository: devfile/devworkspace-operator

Length of output: 24163

---

Use POSIX syntax in the askpass guard. #!/bin/sh cannot rely on [[ ... ]]; switch this to case so non-passphrase prompts still exit cleanly.

Suggested replacement

- if [[ "$1" != "Enter passphrase for key '"* ]]; then
-   exit 0
- fi
+ case "$1" in
+   "Enter passphrase for key '"*) ;;
+   *) exit 0 ;;
+ esac

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ "$1" != "Enter passphrase for key '"* ]]; then
	exit 0
	fi
	case "$1" in
	"Enter passphrase for key '"*) ;;
	*) exit 0 ;;
	esac

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 3-3: In POSIX sh, [[ ]] is undefined.

(SC3010)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/provision/workspace/ssh-askpass.sh` around lines 3 - 5, The askpass guard
in ssh-askpass.sh is using a bash-only conditional even though the script is
declared with a POSIX shell shebang. Update the prompt check in the top-level
guard to use POSIX-compatible syntax such as a case statement, and keep the
behavior in the script’s early-exit path the same so only prompts matching the
passphrase prefix continue while all other prompts exit cleanly.

Source: Linters/SAST tools

[tolusha]

Comprehensive Review Summary

I've completed a multi-stage review (summary, standard, deep, and impact analysis) of this PR. Here's the consolidated feedback:

Critical Issue - Must Fix Before Merge

POSIX Shell Compatibility (line 3): The script declares #!/bin/sh but uses [[ ]] syntax, which is bash-specific. On workspace containers using Alpine, BusyBox, or other images where /bin/sh is dash/ash, this will produce a syntax error and break all SSH operations.

Fix: Replace with POSIX case statement:

case "$1" in
  "Enter passphrase for key '"*) ;;
  *) exit 0 ;;
esac

This issue was also flagged by CodeRabbit/ShellCheck SC3010.

Suggestions (Non-Blocking)

1. Add test coverage: Consider adding a Go test to validate the embedded script is valid POSIX shell (sh -n syntax check)
2. Observability: The new guard exits silently for non-passphrase prompts. Consider adding optional debug logging (e.g., echo "DEBUG: ignoring non-passphrase prompt: $1" >&2 behind an env var) to aid production debugging
3. Shell best practices: While not introduced by this PR, consider quoting $PASSPHRASE_FILE_PATH in the existing file check to follow POSIX best practices

Does This PR Solve the Issue?

✅ Yes - This correctly fixes eclipse-che/che#23874 by preventing the askpass script from responding to HTTPS credential prompts with misleading SSH passphrase errors.

Positive Feedback

• ✅ Minimal, well-scoped fix
• ✅ Clear comment explaining the intent
• ✅ PR description includes reproduction steps and links to upstream issue
• ✅ Pattern match is specific enough to avoid false positives

Review Verdict

🔄 Request Changes - The POSIX shell compatibility issue must be fixed (straightforward case statement replacement). Everything else looks good.

---

Review generated by Claude Code with ok-pr-review skills: /ok-pr-review:learn-repo, /ok-pr-review:summary, /ok-pr-review:review, /ok-pr-review:deep-review, /ok-pr-review:impact

[tolusha]

Critical: Replace bash-specific syntax with POSIX-compatible case statement

The script uses #!/bin/sh but contains [[ ]] syntax, which is bash-specific. On workspace containers using Alpine, BusyBox, or other images where /bin/sh is dash/ash, this will produce a syntax error and break all SSH operations.

Replace with POSIX case statement:

Suggested change

	if [[ "$1" != "Enter passphrase for key '"* ]]; then
	case "$1" in
	"Enter passphrase for key ''*) ;;
	*) exit 0 ;;
	esac

This was also flagged by CodeRabbit/ShellCheck SC3010.