| Message ID | 20240225103413.9845-1-julian@swagemakers.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | send-email: implement SMTP bearer authentication | expand |
Neat idea. I recall it was awkward to configure git-send-email to send with Gmail. I had to configure a security-compromising 'app password' [1][2]. OAuth is a great improvement. [1] https://support.google.com/mail/answer/185833 [2] https://security.google.com/settings/security/apppasswords
Hello, Sorry to bother but what had happened to this patch? It is more useful now since outlook also switched to oauth2 only mode. Best regards, Shengyu 在 2024/2/25 18:34, Julian Swagemakers 写道: > Manually send SMTP AUTH command for auth type OAUTHBEARER and XOAUTH2. > This is necessary since they are currently not supported by the Perls > Authen::SASL module. > > The bearer token needs to be passed in as the password. This can be done > with git-credential-oauth[0] after minor modifications[1]. Which will > allow using git send-email with Gmail and oauth2 authentication: > > ``` > [credential] > helper = cache --timeout 7200 # two hours > helper = oauth > [sendemail] > smtpEncryption = tls > smtpServer = smtp.gmail.com > smtpUser = example@gmail.com > smtpServerPort = 587 > smtpauth = OAUTHBEARER > ``` > > As well as Office 365 accounts: > > ``` > [credential] > helper = cache --timeout 7200 # two hours > helper = oauth > [sendemail] > smtpEncryption = tls > smtpServer = smtp.office365.com > smtpUser = example@example.com > smtpServerPort = 587 > smtpauth = XOAUTH2 > ``` > > [0] https://github.com/hickford/git-credential-oauth > [1] https://github.com/hickford/git-credential-oauth/issues/48 > > Signed-off-by: Julian Swagemakers <julian@swagemakers.org> > --- > git-send-email.perl | 65 +++++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 63 insertions(+), 2 deletions(-) > > diff --git a/git-send-email.perl b/git-send-email.perl > index 821b2b3a13..72d378f6fd 100755 > --- a/git-send-email.perl > +++ b/git-send-email.perl > @@ -1359,6 +1359,63 @@ sub smtp_host_string { > } > } > > +sub generate_oauthbearer_string { > + # This will generate the oauthbearer string used for authentication. > + # > + # "n,a=" {User} ",^Ahost=" {Host} "^Aport=" {Port} "^Aauth=Bearer " {Access Token} "^A^A > + # > + # The first part `n,a=" {User} ",` is the gs2 header described in RFC5801. > + # * gs2-cb-flag `n` -> client does not support CB > + # * gs2-authzid `a=" {User} "` > + # > + # The second part are key value pairs containing host, port and auth as > + # described in RFC7628. > + # > + # https://datatracker.ietf.org/doc/html/rfc5801 > + # https://datatracker.ietf.org/doc/html/rfc7628 > + my $username = shift; > + my $token = shift; > + return "n,a=$username,\001port=$smtp_server_port\001auth=Bearer $token\001\001"; > +} > + > +sub generate_xoauth2_string { > + # "user=" {User} "^Aauth=Bearer " {Access Token} "^A^A" > + # https://developers.google.com/gmail/imap/xoauth2-protocol#initial_client_response > + my $username = shift; > + my $token = shift; > + return "user=$username\001auth=Bearer $token\001\001"; > +} > + > +sub smtp_bearer_auth { > + my $username = shift; > + my $token = shift; > + my $auth_string; > + if ($smtp_encryption ne "tls") { > + # As described in RFC7628 TLS is required and will be will > + # be enforced at this point. > + # > + # https://datatracker.ietf.org/doc/html/rfc7628#section-3 > + die __("For $smtp_auth TLS is required.") > + } > + if ($smtp_auth eq "OAUTHBEARER") { > + $auth_string = generate_oauthbearer_string($username, $token); > + } elsif ($smtp_auth eq "XOAUTH2") { > + $auth_string = generate_xoauth2_string($username, $token); > + } > + my $encoded_auth_string = MIME::Base64::encode($auth_string, ""); > + $smtp->command("AUTH $smtp_auth $encoded_auth_string\r\n"); > + use Net::Cmd qw(CMD_OK); > + if ($smtp->response() == CMD_OK){ > + return 1; > + } else { > + # Send dummy request on authentication failure according to rfc7628. > + # https://datatracker.ietf.org/doc/html/rfc7628#section-3.2.3 > + $smtp->command(MIME::Base64::encode("\001")); > + $smtp->response(); > + return 0; > + } > +} > + > # Returns 1 if authentication succeeded or was not necessary > # (smtp_user was not specified), and 0 otherwise. > > @@ -1392,8 +1449,12 @@ sub smtp_auth_maybe { > 'password' => $smtp_authpass > }, sub { > my $cred = shift; > - > - if ($smtp_auth) { > + if ($smtp_auth eq "OAUTHBEARER" or $smtp_auth eq "XOAUTH2") { > + # Since Authen:SASL does not support XOAUTH2 nor OAUTHBEARER we will > + # manuall authenticate for tese types. The password field should > + # contain the auth token at this point. > + return smtp_bearer_auth($cred->{'username'}, $cred->{'password'}); > + } elsif ($smtp_auth) { > my $sasl = Authen::SASL->new( > mechanism => $smtp_auth, > callback => {
Shengyu Qu <wiagn233@outlook.com> writes: > Sorry to bother but what had happened to this patch? It is more useful now > since outlook also switched to oauth2 only mode. You are the second person to mention that what the change wants to do is sensible, but nobody gave any review that verified that the change does what the change says it wants to do, so it was left in the mailing list archive. Thanks for pinging. Perhaps it would remind and encourage others (or even better, yourself) to review the patch to help it move forward.
Hello Junio, Seems you didn't CCed all relative people about this patch so that maintainers about this file might didn't notice this patch, you can try the script mentioned here[1] and resend this patch. Best regards, Shengyu [1] https://git-scm.com/docs/SubmittingPatches#send-patches 在 2024/10/12 2:05, Junio C Hamano 写道: > Shengyu Qu <wiagn233@outlook.com> writes: > >> Sorry to bother but what had happened to this patch? It is more useful now >> since outlook also switched to oauth2 only mode. > > You are the second person to mention that what the change wants to > do is sensible, but nobody gave any review that verified that the > change does what the change says it wants to do, so it was left in > the mailing list archive. > > Thanks for pinging. Perhaps it would remind and encourage others > (or even better, yourself) to review the patch to help it move > forward.
Hi Shengyu, > Seems you didn't CCed all relative people about this patch so that > maintainers about this file might didn't notice this patch, you can try > the script mentioned here[1] and resend this patch. I did see that, but the output is just Junio, and I assumed as he is the maintainer, he would be following the list and did not need the extra CC. I don't know who else could be interested in this patch and is willing to test and review it. Regards Julian
diff --git a/git-send-email.perl b/git-send-email.perl index 821b2b3a13..72d378f6fd 100755 --- a/git-send-email.perl +++ b/git-send-email.perl @@ -1359,6 +1359,63 @@ sub smtp_host_string { } } +sub generate_oauthbearer_string { + # This will generate the oauthbearer string used for authentication. + # + # "n,a=" {User} ",^Ahost=" {Host} "^Aport=" {Port} "^Aauth=Bearer " {Access Token} "^A^A + # + # The first part `n,a=" {User} ",` is the gs2 header described in RFC5801. + # * gs2-cb-flag `n` -> client does not support CB + # * gs2-authzid `a=" {User} "` + # + # The second part are key value pairs containing host, port and auth as + # described in RFC7628. + # + # https://datatracker.ietf.org/doc/html/rfc5801 + # https://datatracker.ietf.org/doc/html/rfc7628 + my $username = shift; + my $token = shift; + return "n,a=$username,\001port=$smtp_server_port\001auth=Bearer $token\001\001"; +} + +sub generate_xoauth2_string { + # "user=" {User} "^Aauth=Bearer " {Access Token} "^A^A" + # https://developers.google.com/gmail/imap/xoauth2-protocol#initial_client_response + my $username = shift; + my $token = shift; + return "user=$username\001auth=Bearer $token\001\001"; +} + +sub smtp_bearer_auth { + my $username = shift; + my $token = shift; + my $auth_string; + if ($smtp_encryption ne "tls") { + # As described in RFC7628 TLS is required and will be will + # be enforced at this point. + # + # https://datatracker.ietf.org/doc/html/rfc7628#section-3 + die __("For $smtp_auth TLS is required.") + } + if ($smtp_auth eq "OAUTHBEARER") { + $auth_string = generate_oauthbearer_string($username, $token); + } elsif ($smtp_auth eq "XOAUTH2") { + $auth_string = generate_xoauth2_string($username, $token); + } + my $encoded_auth_string = MIME::Base64::encode($auth_string, ""); + $smtp->command("AUTH $smtp_auth $encoded_auth_string\r\n"); + use Net::Cmd qw(CMD_OK); + if ($smtp->response() == CMD_OK){ + return 1; + } else { + # Send dummy request on authentication failure according to rfc7628. + # https://datatracker.ietf.org/doc/html/rfc7628#section-3.2.3 + $smtp->command(MIME::Base64::encode("\001")); + $smtp->response(); + return 0; + } +} + # Returns 1 if authentication succeeded or was not necessary # (smtp_user was not specified), and 0 otherwise. @@ -1392,8 +1449,12 @@ sub smtp_auth_maybe { 'password' => $smtp_authpass }, sub { my $cred = shift; - - if ($smtp_auth) { + if ($smtp_auth eq "OAUTHBEARER" or $smtp_auth eq "XOAUTH2") { + # Since Authen:SASL does not support XOAUTH2 nor OAUTHBEARER we will + # manuall authenticate for tese types. The password field should + # contain the auth token at this point. + return smtp_bearer_auth($cred->{'username'}, $cred->{'password'}); + } elsif ($smtp_auth) { my $sasl = Authen::SASL->new( mechanism => $smtp_auth, callback => {
Manually send SMTP AUTH command for auth type OAUTHBEARER and XOAUTH2. This is necessary since they are currently not supported by the Perls Authen::SASL module. The bearer token needs to be passed in as the password. This can be done with git-credential-oauth[0] after minor modifications[1]. Which will allow using git send-email with Gmail and oauth2 authentication: ``` [credential] helper = cache --timeout 7200 # two hours helper = oauth [sendemail] smtpEncryption = tls smtpServer = smtp.gmail.com smtpUser = example@gmail.com smtpServerPort = 587 smtpauth = OAUTHBEARER ``` As well as Office 365 accounts: ``` [credential] helper = cache --timeout 7200 # two hours helper = oauth [sendemail] smtpEncryption = tls smtpServer = smtp.office365.com smtpUser = example@example.com smtpServerPort = 587 smtpauth = XOAUTH2 ``` [0] https://github.com/hickford/git-credential-oauth [1] https://github.com/hickford/git-credential-oauth/issues/48 Signed-off-by: Julian Swagemakers <julian@swagemakers.org> --- git-send-email.perl | 65 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 2 deletions(-)