From patchwork Sun Feb 4 18:54:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quentin Bouget X-Patchwork-Id: 13544767 Received: from 2.mo583.mail-out.ovh.net (2.mo583.mail-out.ovh.net [178.33.109.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53C7124B2B for ; Sun, 4 Feb 2024 19:10:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.33.109.111 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707073848; cv=none; b=aog2Lxcay5Si+h7bruOhVBYv+NU0JNO7NQxnF64s0l9Gq00q7T7Lry5Hyvbih49PpUc8Kv4IcpWgZFkRqQkq797XJ3Wh+7aOZfDkyI8b6nTTDm75Jnr9ERLhXV+B/jmDeVDNSKZepbizd0gnCeYDHZXRtW9LdlGzYj6nJR2BxcI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707073848; c=relaxed/simple; bh=uFAtNeA7KtVLs6s07qvXBcKTSZoQoWNGoODfORwedXk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UL7i21hAqgdeMVTZEoVpDu3z/UYuNrmvYXc9+2MA5qMDvFOKniErajNvHYkrFMpSXvUKqka9l6lDoWlQKr8M66VRQcjisrDdmm/WZbhUFjpoag4dwR5j6Sn2AFEqagoXhsSA3a1KFbnt1OjeHLxuOQ0xfrJNn9uTq1OvNefe4b8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=devyard.org; spf=pass smtp.mailfrom=devyard.org; arc=none smtp.client-ip=178.33.109.111 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=devyard.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=devyard.org Received: from director8.ghost.mail-out.ovh.net (unknown [10.109.140.177]) by mo583.mail-out.ovh.net (Postfix) with ESMTP id D918927EC5 for ; Sun, 4 Feb 2024 18:54:32 +0000 (UTC) Received: from ghost-submission-6684bf9d7b-z4d9m (unknown [10.108.54.55]) by director8.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 9B65B1FE89; Sun, 4 Feb 2024 18:54:32 +0000 (UTC) Received: from devyard.org ([37.59.142.107]) by ghost-submission-6684bf9d7b-z4d9m with ESMTPSA id qFQ5JGjdv2XGEgAAbck5jQ (envelope-from ); Sun, 04 Feb 2024 18:54:32 +0000 Authentication-Results: garm.ovh; auth=pass (GARM-107S00125edca4a-f3bb-4b47-9875-ad8106406f7b, 2F615BA836ACE59B185ACC479DFD3D80C8A04DFC) smtp.auth=ashpy@devyard.org X-OVh-ClientIp: 213.10.167.74 From: Quentin Bouget To: git@vger.kernel.org Cc: Quentin Bouget Subject: [PATCH 1/2] http: only reject basic auth credentials once they have been tried Date: Sun, 4 Feb 2024 19:54:26 +0100 Message-ID: <20240204185427.39664-2-ypsah@devyard.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240204185427.39664-1-ypsah@devyard.org> References: <20240204185427.39664-1-ypsah@devyard.org> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Ovh-Tracer-Id: 15954001683923056053 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvkedrfedukedguddujecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepsfhuvghnthhinhcuuehouhhgvghtuceohihpshgrhhesuggvvhihrghrugdrohhrgheqnecuggftrfgrthhtvghrnhepheetjeeiteehffevfedtvdeigfeludekteejgfejgfdutddvhfduudelgfehuedvnecuffhomhgrihhnpehgihhtlhgrsgdrtghomhdpkhgvrhgsvghrohhsrdhmugenucfkphepuddvjedrtddrtddruddpvddufedruddtrdduieejrdejgedpfeejrdehledrudegvddruddtjeenucevlhhushhtvghrufhiiigvpedunecurfgrrhgrmhepihhnvghtpeduvdejrddtrddtrddupdhmrghilhhfrhhomhepoeihphhsrghhseguvghvhigrrhgurdhorhhgqedpnhgspghrtghpthhtohepuddprhgtphhtthhopehgihhtsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdfovfetjfhoshhtpehmohehkeefpdhmohguvgepshhmthhpohhuth When CURLAUTH_GSSNEGOTIATE is enabled, it is currently assumed that the provided username/password relate to a GSSAPI auth attempt. In practice, forges such as gitlab can be deployed with HTTP basic auth and GSSAPI auth both listening on the same port, meaning just because the server supports GSSAPI and failed an authentication attempt using the provided credentials, it does not mean the credentials are not valid HTTP basic auth credentials. This is documented as a long running bug here [1] and breaks token-based authentication when the token is provided in the remote's URL itself. This commit makes it so credentials are only dropped once they have been tried both as GSSAPI credentials and HTTP basic auth credentials. [1] https://gitlab.com/gitlab-org/gitlab/-/blob/b0e0d25646d1992fefda863febdcba8d4c7a1bbf/doc/integration/kerberos.md#L250 Signed-off-by: Quentin Bouget --- http.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/http.c b/http.c index e73b136e58..ccea19ac47 100644 --- a/http.c +++ b/http.c @@ -1758,10 +1758,7 @@ static int handle_curl_result(struct slot_results *results) } else if (missing_target(results)) return HTTP_MISSING_TARGET; else if (results->http_code == 401) { - if (http_auth.username && http_auth.password) { - credential_reject(&http_auth); - return HTTP_NOAUTH; - } else { + if ((http_auth_methods & CURLAUTH_GSSNEGOTIATE) == CURLAUTH_GSSNEGOTIATE) { http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE; if (results->auth_avail) { http_auth_methods &= results->auth_avail; @@ -1769,6 +1766,9 @@ static int handle_curl_result(struct slot_results *results) } return HTTP_REAUTH; } + if (http_auth.username && http_auth.password) + credential_reject(&http_auth); + return HTTP_NOAUTH; } else { if (results->http_connectcode == 407) credential_reject(&proxy_auth); From patchwork Sun Feb 4 18:54:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quentin Bouget X-Patchwork-Id: 13544843 Received: from 9.mo550.mail-out.ovh.net (9.mo550.mail-out.ovh.net [178.32.108.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 113A62C68D for ; Sun, 4 Feb 2024 21:59:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.32.108.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707083966; cv=none; b=GP9xeTmgpwsDGPFAgsabalN5Pc5OaCztUTHVIGvWKtPAqCLEVe0TRKkYvIrXZKHQw38SMg6Hjz0huZAbyIDKL2UYsQ7hkw82JzDTzVNqI/0E1UBJ/N8urTB6JH/UfsRoFgWQbCI+SQ7xgToe1SZLtrSf+i08/LBURWAwiIFSlJk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707083966; c=relaxed/simple; bh=ZbW0XBpXgAowPyaT9yOwoFzX1r1BPzgzsjU18I1tZjM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ul2F35/EApxUqQh/KIyFksiBrcyHnxNkBlzk6Wo7L6HP64ekiXrsWTTDARQGihi6gT2eSKYJrzRL+x7fPEfhdNVvUPe7JcZk1lh1SZQ5v6sE3SIyrvSNMWNOW62B8+SQVCH6JFtzNtbvaek6vqa0/NxZVLs/OF5io0xtPDxbbVw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=devyard.org; spf=pass smtp.mailfrom=devyard.org; arc=none smtp.client-ip=178.32.108.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=devyard.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=devyard.org Received: from director8.ghost.mail-out.ovh.net (unknown [10.108.25.166]) by mo550.mail-out.ovh.net (Postfix) with ESMTP id 37E0C2668F for ; Sun, 4 Feb 2024 18:54:33 +0000 (UTC) Received: from ghost-submission-6684bf9d7b-z4d9m (unknown [10.108.54.55]) by director8.ghost.mail-out.ovh.net (Postfix) with ESMTPS id EC8671FD65; Sun, 4 Feb 2024 18:54:32 +0000 (UTC) Received: from devyard.org ([37.59.142.107]) by ghost-submission-6684bf9d7b-z4d9m with ESMTPSA id UDPCN2jdv2XGEgAAbck5jQ (envelope-from ); Sun, 04 Feb 2024 18:54:32 +0000 Authentication-Results: garm.ovh; auth=pass (GARM-107S00188968416-08b6-4ec3-8d22-14fa806dc18e, 2F615BA836ACE59B185ACC479DFD3D80C8A04DFC) smtp.auth=ashpy@devyard.org X-OVh-ClientIp: 213.10.167.74 From: Quentin Bouget To: git@vger.kernel.org Cc: Quentin Bouget Subject: [PATCH 2/2] http: prevent redirect from dropping credentials during reauth Date: Sun, 4 Feb 2024 19:54:27 +0100 Message-ID: <20240204185427.39664-3-ypsah@devyard.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240204185427.39664-1-ypsah@devyard.org> References: <20240204185427.39664-1-ypsah@devyard.org> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Ovh-Tracer-Id: 15954283154963412405 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvkedrfedukedguddujecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepsfhuvghnthhinhcuuehouhhgvghtuceohihpshgrhhesuggvvhihrghrugdrohhrgheqnecuggftrfgrthhtvghrnhepveelgefhtdekffejtdeiffevheehgfefjedtffdvkefgudeghfeigeeugeehfffhnecukfhppeduvdejrddtrddtrddupddvudefrddutddrudeijedrjeegpdefjedrheelrddugedvrddutdejnecuvehluhhsthgvrhfuihiivgepfeenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpeeohihpshgrhhesuggvvhihrghrugdrohhrgheqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepghhithesvhhgvghrrdhkvghrnhgvlhdrohhrghdpoffvtefjohhsthepmhhoheehtddpmhhouggvpehsmhhtphhouhht During a re-authentication (second attempt at authenticating with a remote, e.g. after a failed GSSAPI attempt), git allows the remote to provide credential overrides in the redirect URL and unconditionnaly drops the current HTTP credentials in favors of those, even when there aren't any. This commit makes it so HTTP credentials are only overridden when the redirect URL actually contains credentials itself. Signed-off-by: Quentin Bouget --- http.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/http.c b/http.c index ccea19ac47..caba9cac1e 100644 --- a/http.c +++ b/http.c @@ -2160,7 +2160,25 @@ static int http_request_reauth(const char *url, if (options && options->effective_url && options->base_url) { if (update_url_from_redirect(options->base_url, url, options->effective_url)) { + char *username = NULL, *password = NULL; + + if (http_auth.username) + username = xstrdup(http_auth.username); + if (http_auth.password) + password = xstrdup(http_auth.password); + credential_from_url(&http_auth, options->base_url->buf); + + if (http_auth.username) + free(username); + else if (username) + http_auth.username = username; + + if (http_auth.password) + free(password); + else if (password) + http_auth.password = password; + url = options->effective_url->buf; } }