From patchwork Sun Mar 24 01:12:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600757 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90E7A10F4 for ; Sun, 24 Mar 2024 01:20:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; cv=none; b=azQAFjhlrEaPTSBotUTfrP4wHtLyCG0ubXtzIkyrfcaXO1N1wW9p34r3CdQo3ZwEs7C3A5gpeVWOAtFK9XasJkfSuWQDDUmqNJeHV6sCY1geoMWT3nvftKuEB5XRkkCofElAZjvSi410x+XAd9MC2CaCB4fuTdbduHlTCul7wCA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; c=relaxed/simple; bh=3Rn148Tb27U7Koze/W8bg0Ri3gJwwh7RJc898Sg4wXc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=akpP+9pPX0XrkGGbcX3hP0Qh+6w64s/Ijobsgc7JsU6O3Hq88GHdtLemC+kL1UNUt+2x/KELR5GvZReK8Z1opDvSpYfIIIu/mZoXCbGgtxvQCl9IWe4hHm8LuM+jRUURuITK/ohMGlmuZvNlmHHh4m7hEyBG7XuOvu6sQL6EW4U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=JAafURWr; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="JAafURWr" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id B611A5B452; Sun, 24 Mar 2024 01:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242785; bh=3Rn148Tb27U7Koze/W8bg0Ri3gJwwh7RJc898Sg4wXc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=JAafURWrPlfH29DJCYxFE1Isp9vK0MlmRQcLMf71n0Cc89YkqFN9e1+kfBJ/MLAe5 3/zlCdtbstHFvdPAzg2wUigHYH6D5+pK4b4QkEMprPS+ELehf6R1JGzinVZBnnVxea xaYS6Wy23tk+dSNzN6cqId7Z7/Sz7cxOArV2Yi1FKU/puDr+ozylaeJXWhNcSFOKsH QAiZwtxaV7/1wdJR+1Yf9uFbKz5kRra3DsToYoju45ga56uz+X/V3LbqqPuXy4u+/9 RMQ6v8mGwo7SAN6nuD1BAHOhTX89O2Z4Lz6V5T84djROsKybSp6P1UEi7hvmDnv592 ZpwdwfhtcGwoh5UqAFzdrqlRL6KX0/iNsmufHD3A8TkU9udryK3ps9LSyuExLBtObF vKUNI6zd7N+MTD7mDXIyw8+fKJmx0YdNgaoAqV++tTg1qWe1m4c+tXJ6/vSBDt/zLp 7ecwAPknL3j8eK9nnVbherZVnT4jWdy/NYwfYDmGAdaUnAD9efZ From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 01/13] credential: add an authtype field Date: Sun, 24 Mar 2024 01:12:49 +0000 Message-ID: <20240324011301.1553072-2-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 When Git makes an HTTP request, it can negotiate the type of authentication to use with the server provided the authentication scheme is one of a few well-known types (Basic, Digest, NTLM, or Negotiate). However, some servers wish to use other types of authentication, such as the Bearer type from OAuth2. Since libcurl doesn't natively support this type, it isn't possible to use it, and the user is forced to specify the Authorization header using the http.extraheader setting. However, storing a plaintext token in the repository configuration is not very secure, especially if a repository can be shared by multiple parties. We already have support for many types of secure credential storage by using credential helpers, so let's teach credential helpers how to produce credentials for an arbitrary scheme. If the credential helper specifies an authtype field, then it specifies an authentication scheme (e.g., Bearer) and the password field specifies the raw authentication token, with any encoding already specified. We reuse the password field for this because some credential helpers store the metadata without encryption even though the password is encrypted, and we'd like to avoid insecure storage if an older version of the credential helper gets ahold of the data. The username is not used in this case, but it is still preserved for the purpose of finding the right credential if the user has multiple accounts. If the authtype field is not specified, then the password behaves as normal and it is passed along with the username to libcurl. Signed-off-by: brian m. carlson --- credential.c | 5 +++++ credential.h | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/credential.c b/credential.c index 18098bd35e..3dec433df5 100644 --- a/credential.c +++ b/credential.c @@ -26,6 +26,7 @@ void credential_clear(struct credential *c) free(c->username); free(c->password); free(c->oauth_refresh_token); + free(c->authtype); string_list_clear(&c->helpers, 0); strvec_clear(&c->wwwauth_headers); @@ -252,6 +253,9 @@ int credential_read(struct credential *c, FILE *fp) } else if (!strcmp(key, "oauth_refresh_token")) { free(c->oauth_refresh_token); c->oauth_refresh_token = xstrdup(value); + } else if (!strcmp(key, "authtype")) { + free(c->authtype); + c->authtype = xstrdup(value); } else if (!strcmp(key, "url")) { credential_from_url(c, value); } else if (!strcmp(key, "quit")) { @@ -295,6 +299,7 @@ void credential_write(const struct credential *c, FILE *fp) } for (size_t i = 0; i < c->wwwauth_headers.nr; i++) credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0); + credential_write_item(fp, "authtype", c->authtype, 0); } static int run_credential_helper(struct credential *c, diff --git a/credential.h b/credential.h index acc41adf54..dc96ca0318 100644 --- a/credential.h +++ b/credential.h @@ -143,6 +143,12 @@ struct credential { char *path; char *oauth_refresh_token; timestamp_t password_expiry_utc; + + /** + * The authorization scheme to use. If this is NULL, libcurl is free to + * negotiate any scheme it likes. + */ + char *authtype; }; #define CREDENTIAL_INIT { \ From patchwork Sun Mar 24 01:12:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600753 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90DFFEC4 for ; Sun, 24 Mar 2024 01:20:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243212; cv=none; b=VOvmEQRQYOjDk487YmJb9+N8i9TVwSzBNZvAZ1MfN73fRERQU+X8Pph2axhEWpT2wij9subVe1gVXVNSJa8+a+EnabcTDnlI99wzD9uwdRc98aiTCskT/ysBWwWuSvQrqw0VWIMVHeU4p5+2YyFhMw7y9tdIiGYE1CGO4aqLyXM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243212; c=relaxed/simple; bh=/9gJP+E+JQoaZgFAJNZO8fswMIkX3MIP1Cv0Zg/zORY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZyoXLNk4+jUq3Lt3/gDhPd2oSTYtATEPeNfxpjYGO5D1TYAhpaBc6XJMyMBpxTdATdAPemiN8N0W0Sct/3hE0V76U+gv93mhNOYKSh4wbP65z2Uh8VOCY/0HbDfpbw/Iyv+mFj/5I/hneAggf053uyoxLUO9nWemJQFpToKoDRE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=IprqqCtN; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="IprqqCtN" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id C263E5B470; Sun, 24 Mar 2024 01:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242785; bh=/9gJP+E+JQoaZgFAJNZO8fswMIkX3MIP1Cv0Zg/zORY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=IprqqCtN0a+xH49zRj8/ETbHGNY3BDLFOmo3qtR2WP4JxEo2bizeepcd1KtntztIo 6SieOJ0lh2uBsgECWZMtwcSUe1ik36GEAIVIf5aUQIGjnL/7gqwTFaGIcXHoO58d1l a5eIuxTvrSmf7EWSYEOD3fc4eqkoxDXr/eNYn3uEIoFlk4HEiaeJmnGMmJas8R0hd/ dM1WeHW5mH4KMOjNbS1Z09+xCVrxPpsB4NqYW4yAerHGoCuCjw8+EJ3H1Oj5kgHS2O T9Wb1T8Kc8DqJc8LY4jApGMi9Y2mp+SluYm37yeaFgMkbuAeBfpcXm6vFIncvfdzPx wKSEk8UJtedj7PaR6Kgo5MOzjq/BrdWuAcbDL3JjuKK+SWDOizdDXLzKRrjJDDFVa+ tiUwWF/DahwFnfBaPOUx5pbSVDs3Mi5/RGF8ra8h/EYpW7FqnhwXqYUcLcUIwsFuO4 W6ZnI7WlmFTja8Yw4Ls01nbUY4SN+rHbGQxqylVBldBHPXWWUoe From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 02/13] remote-curl: reset headers on new request Date: Sun, 24 Mar 2024 01:12:50 +0000 Message-ID: <20240324011301.1553072-3-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 When we retry a post_rpc request, we currently reuse the same headers as before. In the future, we'd like to be able to modify them based on the result we get back, so let's reset them on each retry so we can avoid sending potentially duplicate headers if the values change. Signed-off-by: brian m. carlson --- remote-curl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/remote-curl.c b/remote-curl.c index 1161dc7fed..e37eaa17b7 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -893,7 +893,7 @@ static curl_off_t xcurl_off_t(size_t len) static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_received) { struct active_request_slot *slot; - struct curl_slist *headers = http_copy_default_headers(); + struct curl_slist *headers = NULL; int use_gzip = rpc->gzip_request; char *gzip_body = NULL; size_t gzip_size = 0; @@ -935,6 +935,8 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece needs_100_continue = 1; } +retry: + headers = http_copy_default_headers(); headers = curl_slist_append(headers, rpc->hdr_content_type); headers = curl_slist_append(headers, rpc->hdr_accept); headers = curl_slist_append(headers, needs_100_continue ? @@ -948,7 +950,6 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece if (rpc->protocol_header) headers = curl_slist_append(headers, rpc->protocol_header); -retry: slot = get_active_slot(); curl_easy_setopt(slot->curl, CURLOPT_NOBODY, 0); @@ -1044,6 +1045,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece err = run_slot(slot, NULL); if (err == HTTP_REAUTH && !large_request) { credential_fill(&http_auth); + curl_slist_free_all(headers); goto retry; } if (err != HTTP_OK) From patchwork Sun Mar 24 01:12:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600755 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90E5810E4 for ; Sun, 24 Mar 2024 01:20:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; cv=none; b=QR3eDXAArZG8cVYKfKyv3mWDaCznBlTIWd66z1OdcgKVZYW4WjTQ87SKKsMb93KmbAomXU5wiBkhMIocv9JXwN8oI3/ksZW7Lo8BA1PHUP32AnJhPIedXL3qOLaXfU8JXfdVQh56W4FA3fMkbHz+WfrvHtfPOsuhGLSTjDSyFkE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; c=relaxed/simple; bh=flc2Wc51u+HIaZDdabkjLz+DJAqbvsiiDqu2NGfVorQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=X/tN0m9gzja8/xWGp5w7yYtNYQz3IzsfjczlDt87UEFtK9O2HdkdiQ4iCx9TKgIl0/MWLGIyuweYYJsGDvJc6JAB6G1NJ811cddVTzHf9bVXeGHgBBVE0r77ouBTS3RldY3Cj1kRzlHU1j94a+VhshZnolHYbSjQy4MF1VuyeY4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=KaWh+XSV; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="KaWh+XSV" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id CD9615CBB4; Sun, 24 Mar 2024 01:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242785; bh=flc2Wc51u+HIaZDdabkjLz+DJAqbvsiiDqu2NGfVorQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=KaWh+XSV3jF6rljHM/fRYUmLyw4Bqc7hbrhe+hrx5/9uxwKjfAeYlbOeAyNbVxp9l hzlCowsBGHHRu4lvgOa+Bu+qi0Z1bYq5FKu+ngyEZj+e4jgxxrRRyzGc6vK38os8Gk lMLQETb4Ugvl+avN4ElaVqu9UB5u+1+wJEjLYeOrDjnR+kMUSWHV0CJof27HVeOLVJ P/97E+FydONuK0cFQMVgB0jzKQeZgxHLaCloKKjNxsteT8XgP6iF23+JClyoQgXI20 2oqGJMrd3n2nVit33GPhXI1E0KFE0NM0whiHAVIZNvATSHT4mGzZhhSdaFj4pJJqo5 C84tAsyMp6nLK5AWT+1wwkwtvNlxu0naYlGbdIPkDQLKOD4kKb89yEXDHArQk7Rb/v jnQr5J04MPjqq8UCkIBA89HIqLL5pyPyniRElIzaciGTl+nbYmfg/v5k9hslVaPQNW DcvG/t6BV5jRdMp6RDJbwwj4TktDwn2bbSESeM7EHSN2GPRkvgc From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 03/13] http: use new headers for each object request Date: Sun, 24 Mar 2024 01:12:51 +0000 Message-ID: <20240324011301.1553072-4-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Currently we create one set of headers for all object requests and reuse it. However, we'll need to adjust the headers for authentication purposes in the future, so let's create a new set for each request so that we can adjust them if the authentication changes. Note that the cost of allocation here is tiny compared to the fact that we're making a network call, not to mention probably a full TLS connection, so this shouldn't have a significant impact on performance. Moreover, nobody who cares about performance is using the dumb HTTP protocol anyway, since it often makes huge numbers of requests compared to the smart protocol. Signed-off-by: brian m. carlson --- http.c | 19 +++++++++++-------- http.h | 2 ++ 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/http.c b/http.c index e73b136e58..1c2200da77 100644 --- a/http.c +++ b/http.c @@ -128,7 +128,6 @@ static unsigned long empty_auth_useless = | CURLAUTH_DIGEST; static struct curl_slist *pragma_header; -static struct curl_slist *no_pragma_header; static struct string_list extra_http_headers = STRING_LIST_INIT_DUP; static struct curl_slist *host_resolutions; @@ -299,6 +298,11 @@ size_t fwrite_null(char *ptr UNUSED, size_t eltsize UNUSED, size_t nmemb, return nmemb; } +static struct curl_slist *object_request_headers(void) +{ + return curl_slist_append(http_copy_default_headers(), "Pragma:"); +} + static void closedown_active_slot(struct active_request_slot *slot) { active_requests--; @@ -1275,8 +1279,6 @@ void http_init(struct remote *remote, const char *url, int proactive_auth) pragma_header = curl_slist_append(http_copy_default_headers(), "Pragma: no-cache"); - no_pragma_header = curl_slist_append(http_copy_default_headers(), - "Pragma:"); { char *http_max_requests = getenv("GIT_HTTP_MAX_REQUESTS"); @@ -1360,8 +1362,6 @@ void http_cleanup(void) curl_slist_free_all(pragma_header); pragma_header = NULL; - curl_slist_free_all(no_pragma_header); - no_pragma_header = NULL; curl_slist_free_all(host_resolutions); host_resolutions = NULL; @@ -2370,6 +2370,7 @@ void release_http_pack_request(struct http_pack_request *preq) } preq->slot = NULL; strbuf_release(&preq->tmpfile); + curl_slist_free_all(preq->headers); free(preq->url); free(preq); } @@ -2454,11 +2455,11 @@ struct http_pack_request *new_direct_http_pack_request( } preq->slot = get_active_slot(); + preq->headers = object_request_headers(); curl_easy_setopt(preq->slot->curl, CURLOPT_WRITEDATA, preq->packfile); curl_easy_setopt(preq->slot->curl, CURLOPT_WRITEFUNCTION, fwrite); curl_easy_setopt(preq->slot->curl, CURLOPT_URL, preq->url); - curl_easy_setopt(preq->slot->curl, CURLOPT_HTTPHEADER, - no_pragma_header); + curl_easy_setopt(preq->slot->curl, CURLOPT_HTTPHEADER, preq->headers); /* * If there is data present from a previous transfer attempt, @@ -2624,13 +2625,14 @@ struct http_object_request *new_http_object_request(const char *base_url, } freq->slot = get_active_slot(); + freq->headers = object_request_headers(); curl_easy_setopt(freq->slot->curl, CURLOPT_WRITEDATA, freq); curl_easy_setopt(freq->slot->curl, CURLOPT_FAILONERROR, 0); curl_easy_setopt(freq->slot->curl, CURLOPT_WRITEFUNCTION, fwrite_sha1_file); curl_easy_setopt(freq->slot->curl, CURLOPT_ERRORBUFFER, freq->errorstr); curl_easy_setopt(freq->slot->curl, CURLOPT_URL, freq->url); - curl_easy_setopt(freq->slot->curl, CURLOPT_HTTPHEADER, no_pragma_header); + curl_easy_setopt(freq->slot->curl, CURLOPT_HTTPHEADER, freq->headers); /* * If we have successfully processed data from a previous fetch @@ -2718,5 +2720,6 @@ void release_http_object_request(struct http_object_request *freq) release_active_slot(freq->slot); freq->slot = NULL; } + curl_slist_free_all(freq->headers); strbuf_release(&freq->tmpfile); } diff --git a/http.h b/http.h index 3af19a8bf5..c5f8cc4620 100644 --- a/http.h +++ b/http.h @@ -196,6 +196,7 @@ struct http_pack_request { FILE *packfile; struct strbuf tmpfile; struct active_request_slot *slot; + struct curl_slist *headers; }; struct http_pack_request *new_http_pack_request( @@ -229,6 +230,7 @@ struct http_object_request { int zret; int rename; struct active_request_slot *slot; + struct curl_slist *headers; }; struct http_object_request *new_http_object_request( From patchwork Sun Mar 24 01:12:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600756 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90E31ECF for ; Sun, 24 Mar 2024 01:20:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; cv=none; b=thwMehFplPwYCLvVxPHlcmNCpkSUKBEqTl95qp0mhGo6+jb5R/amGX/YBjP3mqGSUx2RW/N90Agmfj8ysMwJ1rR8y7BiAGKqgHu105sK8g15wMVsb0E2YxaxObQ4P4PV5L99FH31DKCMpAZcYOo3KJTXjxw1vZATMAqPMRLfg/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711243213; c=relaxed/simple; bh=8TxfuBxsWtpSLU/4F9w2T/UCfwNMMCASchJnroJ1l/o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=al9MPSJ5nq/cGIeKE0CuewF7Vjtfn+kjAvT88ZUxAcvzGckQscaXn6hAnMHEk3BfHbeYuangnZXdXqcsT++s4mvhnkzHewDNRyP841a7smmPYd9ciOIXxZwKnLtS7Tfx7jMLY29Zabzt1Iw8caI49+UjSzvV+fQKczj6pPANFZ4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=s8RJ2Epo; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="s8RJ2Epo" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id DA9155D3B9; Sun, 24 Mar 2024 01:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242785; bh=8TxfuBxsWtpSLU/4F9w2T/UCfwNMMCASchJnroJ1l/o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=s8RJ2Epo6pwN55aeaeP/G6LroBAzxY6eToIm79svuO5dAM6uJcdJqJDct2+FL/H53 IsQbQNX8btpH0i/7oj5+q9D/3nFyP9wIs/pWVliRF4f6SJg0JFY43YZynmqE1keUof bkViluKFntc/lbNwTx7j9g4Y29VRBuCzte6qM4lfs48LaXxwTjnGURUfEPGgm+Vwia b2CrBmHm9qDXSC7WAwkXSp0c/oESTFpTf16YQfY5BlsLhk9OARNGyFnxprZs73ShpK KuysNPYvnWDY5g59Pd/Fv0IKCZ7ezQa+CQFhXo+h3HdQlxHw+Ieo8dGRyM/MXHNgld cJoduRDp/eQBtM0BJcnv78OCpakVw9QaKrP2gc1AHL8U13aQm9aRrRutbKwKNk1+ie m2sMj0Ck1UZCVXUij3+abYdQwUSaJX0dQT0hY+EZEWUIGmAliciOQWtIhw+Ipx+h3l ZiAnCrMvZ3kMFok0OgpVTNfXESmfj53C3q2ThkSD2OEDOLDRvw3 From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 04/13] credential: add a field for pre-encoded credentials Date: Sun, 24 Mar 2024 01:12:52 +0000 Message-ID: <20240324011301.1553072-5-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 At the moment, our credential code wants to find a username and password for access, which, for HTTP, it will pass to libcurl to encode and process. However, many users want to use authentication schemes that libcurl doesn't support, such as Bearer authentication. In these schemes, the secret is not a username and password pair, but some sort of token that meets the production for authentication data in the RFC. In fact, in general, it's useful to allow our credential helper to have knowledge about what specifically to put in the protocol header. Thus, add a field, credential, which contains data that's preencoded to be suitable for the protocol in question. If we have such data, we need neither a username nor a password, so make that adjustment as well. It is in theory possible to reuse the password field for this. However, if we do so, we must know whether the credential helper supports our new scheme before sending it data, which necessitates some sort of capability inquiry, because otherwise an uninformed credential helper would store our preencoded data as a password, which would fail the next time we attempted to connect to the remote server. This design is substantially simpler, and we can hint to the credential helper that we support this approach with a simple new field instead of needing to query it first. Signed-off-by: brian m. carlson --- credential.c | 14 ++++++++++---- credential.h | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/credential.c b/credential.c index 3dec433df5..c521822e5a 100644 --- a/credential.c +++ b/credential.c @@ -25,6 +25,7 @@ void credential_clear(struct credential *c) free(c->path); free(c->username); free(c->password); + free(c->credential); free(c->oauth_refresh_token); free(c->authtype); string_list_clear(&c->helpers, 0); @@ -234,6 +235,9 @@ int credential_read(struct credential *c, FILE *fp) } else if (!strcmp(key, "password")) { free(c->password); c->password = xstrdup(value); + } else if (!strcmp(key, "credential")) { + free(c->credential); + c->credential = xstrdup(value); } else if (!strcmp(key, "protocol")) { free(c->protocol); c->protocol = xstrdup(value); @@ -291,6 +295,7 @@ void credential_write(const struct credential *c, FILE *fp) credential_write_item(fp, "path", c->path, 0); credential_write_item(fp, "username", c->username, 0); credential_write_item(fp, "password", c->password, 0); + credential_write_item(fp, "credential", c->credential, 0); credential_write_item(fp, "oauth_refresh_token", c->oauth_refresh_token, 0); if (c->password_expiry_utc != TIME_MAX) { char *s = xstrfmt("%"PRItime, c->password_expiry_utc); @@ -366,7 +371,7 @@ void credential_fill(struct credential *c) { int i; - if (c->username && c->password) + if ((c->username && c->password) || c->credential) return; credential_apply_config(c); @@ -379,7 +384,7 @@ void credential_fill(struct credential *c) /* Reset expiry to maintain consistency */ c->password_expiry_utc = TIME_MAX; } - if (c->username && c->password) + if ((c->username && c->password) || c->credential) return; if (c->quit) die("credential helper '%s' told us to quit", @@ -387,7 +392,7 @@ void credential_fill(struct credential *c) } credential_getpass(c); - if (!c->username && !c->password) + if (!c->username && !c->password && !c->credential) die("unable to get password from user"); } @@ -397,7 +402,7 @@ void credential_approve(struct credential *c) if (c->approved) return; - if (!c->username || !c->password || c->password_expiry_utc < time(NULL)) + if (((!c->username || !c->password) && !c->credential) || c->password_expiry_utc < time(NULL)) return; credential_apply_config(c); @@ -418,6 +423,7 @@ void credential_reject(struct credential *c) FREE_AND_NULL(c->username); FREE_AND_NULL(c->password); + FREE_AND_NULL(c->credential); FREE_AND_NULL(c->oauth_refresh_token); c->password_expiry_utc = TIME_MAX; c->approved = 0; diff --git a/credential.h b/credential.h index dc96ca0318..9db892cf4d 100644 --- a/credential.h +++ b/credential.h @@ -138,6 +138,7 @@ struct credential { char *username; char *password; + char *credential; char *protocol; char *host; char *path; From patchwork Sun Mar 24 01:12:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600750 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 298FD7F9 for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; cv=none; b=cej+vavY+CSkkifa0JrYl8H8nYZKF151sbkNxZwgFTsBqI99+bcgAvkLhBfgVmM90uC0xce1XFQXfcET3ifBUBjnlxFC7QvoK/0HfGMb2qqvLNSeckZ0j/fKkkXleLeWx4Z/8W+MyLCUFmpw32sIn28Fy2/m8T+VW/Lx/QiEL8M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; c=relaxed/simple; bh=XmB1wDth2UHFOpBW+uAchrTW+yV6jfNAWG0U+edYu6s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VfSx5kCCZ8yCtPMYm7dlgOzGMGQ8WxDIE6osPJPV7Ed4zkC+i+9T7lQi1dpX6Or8/bZv5jAIb3X/mE/dg6EqffPceTXWp4jeSs2qgZqHt6t1AcxryoudfCIGc1ZZWijnzjR008RukIfKi+2aecL22qdTnfK6fDVzzP39sFfHgjE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=sfUo87kf; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="sfUo87kf" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id EA65A5D405; Sun, 24 Mar 2024 01:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=XmB1wDth2UHFOpBW+uAchrTW+yV6jfNAWG0U+edYu6s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=sfUo87kfoV5otLnBbaIJb7FfSPedgh8SHw6eiNgIKqJFAxx8mJopM9t8njERcS/48 3f9ZEweGPmGZ1a/fxYGMOE73lcUlQjpsg/8nZYW7If+Nl9SiHFaHLj/jYTVTo8IvrS KF4URQkIbRTj1daqqw3XJ3rud6VGGGYU5cZ84jDI3sqtugfF40Yl9ktj/2JTz0j03d vCbx5/aONRP5IhCLRsoMv0jgM6P3hLE4sOl8dSswwJ/OnadX7DAv44hKIg6AnD7X7G tpLnvG0EHevBn5WgB5iCRzsNQDiZ+f/7a/jTg1LH6KDeRP4/LrI7pgi4a/Qfxir3vU 9oVEpATXczw0nLmyYdjjkVvswoJAM1ky2Ojmway12jmgv99xm90DHA+Eri2PV/H559 8sB25FIkOJB4fVUHhiJEL7LDDt7r27LObDdkFOm1IgelOE6p4xXkGa9SFUKfJ9eNma /91nVQQ4YjuXJiNOv2RYq0b5hUfKH6W2SiC3MffIK6QIu/cxQx4 From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 05/13] credential: gate new fields on capability Date: Sun, 24 Mar 2024 01:12:53 +0000 Message-ID: <20240324011301.1553072-6-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 We support the new credential and authtype fields, but we lack a way to indicate to a credential helper that we'd like them to be used. Without some sort of indication, the credential helper doesn't know if it should try to provide us a username and password, or a pre-encoded credential. For example, the helper might prefer a more restricted Bearer token if pre-encoded credentials are possible, but might have to fall back to more general username and password if not. Let's provide a simple way to indicate whether Git (or, for that matter, the helper) is capable of understanding the authtype and credential fields. We send this capability when we generate a request, and the other side may reply to indicate to us that it does, too. For now, don't enable sending capabilities for the HTTP code. In a future commit, we'll introduce appropriate handling for that code, which requires more in-depth work. The logic for determining whether a capability is supported may seem complex, but it is not. At each stage, we emit the capability to the following stage if all preceding stages have declared it. Thus, if the caller to git credential fill didn't declare it, then we won't send it to the helper, and if fill's caller did send but the helper doesn't understand it, then we won't send it on in the response. If we're an internal user, then we know about all capabilities and will request them. Signed-off-by: brian m. carlson --- builtin/credential-cache--daemon.c | 2 +- builtin/credential-store.c | 2 +- builtin/credential.c | 6 +- credential.c | 58 ++++++++++++++-- credential.h | 30 +++++++- http.c | 10 +-- imap-send.c | 2 +- remote-curl.c | 4 +- t/t0300-credentials.sh | 107 ++++++++++++++++++++++++++++- 9 files changed, 197 insertions(+), 24 deletions(-) diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c index 3a6a750a8e..ccbcf99ac1 100644 --- a/builtin/credential-cache--daemon.c +++ b/builtin/credential-cache--daemon.c @@ -115,7 +115,7 @@ static int read_request(FILE *fh, struct credential *c, return error("client sent bogus timeout line: %s", item.buf); *timeout = atoi(p); - if (credential_read(c, fh) < 0) + if (credential_read(c, fh, CREDENTIAL_OP_HELPER) < 0) return -1; return 0; } diff --git a/builtin/credential-store.c b/builtin/credential-store.c index 4a492411bb..494c809332 100644 --- a/builtin/credential-store.c +++ b/builtin/credential-store.c @@ -205,7 +205,7 @@ int cmd_credential_store(int argc, const char **argv, const char *prefix) if (!fns.nr) die("unable to set up default path; use --file"); - if (credential_read(&c, stdin) < 0) + if (credential_read(&c, stdin, CREDENTIAL_OP_HELPER) < 0) die("unable to read credential"); if (!strcmp(op, "get")) diff --git a/builtin/credential.c b/builtin/credential.c index 7010752987..5123dabcf1 100644 --- a/builtin/credential.c +++ b/builtin/credential.c @@ -17,12 +17,12 @@ int cmd_credential(int argc, const char **argv, const char *prefix UNUSED) usage(usage_msg); op = argv[1]; - if (credential_read(&c, stdin) < 0) + if (credential_read(&c, stdin, CREDENTIAL_OP_INITIAL) < 0) die("unable to read credential from stdin"); if (!strcmp(op, "fill")) { - credential_fill(&c); - credential_write(&c, stdout); + credential_fill(&c, 0); + credential_write(&c, stdout, CREDENTIAL_OP_RESPONSE); } else if (!strcmp(op, "approve")) { credential_approve(&c); } else if (!strcmp(op, "reject")) { diff --git a/credential.c b/credential.c index c521822e5a..f2a26b8672 100644 --- a/credential.c +++ b/credential.c @@ -34,6 +34,11 @@ void credential_clear(struct credential *c) credential_init(c); } +static void credential_set_all_capabilities(struct credential *c) +{ + c->capa_authtype.request_initial = 1; +} + int credential_match(const struct credential *want, const struct credential *have, int match_password) { @@ -210,7 +215,39 @@ static void credential_getpass(struct credential *c) PROMPT_ASKPASS); } -int credential_read(struct credential *c, FILE *fp) +static void credential_set_capability(struct credential_capability *capa, int op_type) +{ + switch (op_type) { + case CREDENTIAL_OP_INITIAL: + capa->request_initial = 1; + break; + case CREDENTIAL_OP_HELPER: + capa->request_helper = 1; + break; + case CREDENTIAL_OP_RESPONSE: + capa->response = 1; + break; + } +} + +static int credential_has_capability(const struct credential_capability *capa, int op_type) +{ + /* + * We're checking here if each previous step indicated that we had the + * capability. If it did, then we want to pass it along; conversely, if + * it did not, we don't want to report that to our caller. + */ + switch (op_type) { + case CREDENTIAL_OP_HELPER: + return capa->request_initial; + case CREDENTIAL_OP_RESPONSE: + return capa->request_initial && capa->request_helper; + default: + return 0; + } +} + +int credential_read(struct credential *c, FILE *fp, int op_type) { struct strbuf line = STRBUF_INIT; @@ -249,6 +286,8 @@ int credential_read(struct credential *c, FILE *fp) c->path = xstrdup(value); } else if (!strcmp(key, "wwwauth[]")) { strvec_push(&c->wwwauth_headers, value); + } else if (!strcmp(key, "capability[]") && !strcmp(value, "authtype")) { + credential_set_capability(&c->capa_authtype, op_type); } else if (!strcmp(key, "password_expiry_utc")) { errno = 0; c->password_expiry_utc = parse_timestamp(value, NULL, 10); @@ -288,14 +327,18 @@ static void credential_write_item(FILE *fp, const char *key, const char *value, fprintf(fp, "%s=%s\n", key, value); } -void credential_write(const struct credential *c, FILE *fp) +void credential_write(const struct credential *c, FILE *fp, int op_type) { + if (credential_has_capability(&c->capa_authtype, op_type)) { + credential_write_item(fp, "capability[]", "authtype", 0); + credential_write_item(fp, "authtype", c->authtype, 0); + credential_write_item(fp, "credential", c->credential, 0); + } credential_write_item(fp, "protocol", c->protocol, 1); credential_write_item(fp, "host", c->host, 1); credential_write_item(fp, "path", c->path, 0); credential_write_item(fp, "username", c->username, 0); credential_write_item(fp, "password", c->password, 0); - credential_write_item(fp, "credential", c->credential, 0); credential_write_item(fp, "oauth_refresh_token", c->oauth_refresh_token, 0); if (c->password_expiry_utc != TIME_MAX) { char *s = xstrfmt("%"PRItime, c->password_expiry_utc); @@ -304,7 +347,6 @@ void credential_write(const struct credential *c, FILE *fp) } for (size_t i = 0; i < c->wwwauth_headers.nr; i++) credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0); - credential_write_item(fp, "authtype", c->authtype, 0); } static int run_credential_helper(struct credential *c, @@ -327,14 +369,14 @@ static int run_credential_helper(struct credential *c, fp = xfdopen(helper.in, "w"); sigchain_push(SIGPIPE, SIG_IGN); - credential_write(c, fp); + credential_write(c, fp, want_output ? CREDENTIAL_OP_HELPER : CREDENTIAL_OP_RESPONSE); fclose(fp); sigchain_pop(SIGPIPE); if (want_output) { int r; fp = xfdopen(helper.out, "r"); - r = credential_read(c, fp); + r = credential_read(c, fp, CREDENTIAL_OP_HELPER); fclose(fp); if (r < 0) { finish_command(&helper); @@ -367,7 +409,7 @@ static int credential_do(struct credential *c, const char *helper, return r; } -void credential_fill(struct credential *c) +void credential_fill(struct credential *c, int all_capabilities) { int i; @@ -375,6 +417,8 @@ void credential_fill(struct credential *c) return; credential_apply_config(c); + if (all_capabilities) + credential_set_all_capabilities(c); for (i = 0; i < c->helpers.nr; i++) { credential_do(c, c->helpers.items[i].string, "get"); diff --git a/credential.h b/credential.h index 9db892cf4d..2051d04c5a 100644 --- a/credential.h +++ b/credential.h @@ -93,6 +93,25 @@ * ----------------------------------------------------------------------- */ +/* + * These values define the kind of operation we're performing and the + * capabilities at each stage. The first is either an external request (via git + * credential fill) or an internal request (e.g., via the HTTP) code. The + * second is the call to the credential helper, and the third is the response + * we're providing. + * + * At each stage, we will emit the capability only if the previous stage + * supported it. + */ +#define CREDENTIAL_OP_INITIAL 1 +#define CREDENTIAL_OP_HELPER 2 +#define CREDENTIAL_OP_RESPONSE 3 + +struct credential_capability { + unsigned request_initial:1, + request_helper:1, + response:1; +}; /** * This struct represents a single username/password combination @@ -136,6 +155,8 @@ struct credential { use_http_path:1, username_from_proto:1; + struct credential_capability capa_authtype; + char *username; char *password; char *credential; @@ -174,8 +195,11 @@ void credential_clear(struct credential *); * returns, the username and password fields of the credential are * guaranteed to be non-NULL. If an error occurs, the function will * die(). + * + * If all_capabilities is set, this is an internal user that is prepared + * to deal with all known capabilities, and we should advertise that fact. */ -void credential_fill(struct credential *); +void credential_fill(struct credential *, int all_capabilities); /** * Inform the credential subsystem that the provided credentials @@ -198,8 +222,8 @@ void credential_approve(struct credential *); */ void credential_reject(struct credential *); -int credential_read(struct credential *, FILE *); -void credential_write(const struct credential *, FILE *); +int credential_read(struct credential *, FILE *, int); +void credential_write(const struct credential *, FILE *, int); /* * Parse a url into a credential struct, replacing any existing contents. diff --git a/http.c b/http.c index 1c2200da77..4f5df6fb14 100644 --- a/http.c +++ b/http.c @@ -569,7 +569,7 @@ static void init_curl_http_auth(CURL *result) return; } - credential_fill(&http_auth); + credential_fill(&http_auth, 0); curl_easy_setopt(result, CURLOPT_USERNAME, http_auth.username); curl_easy_setopt(result, CURLOPT_PASSWORD, http_auth.password); @@ -596,7 +596,7 @@ static void init_curl_proxy_auth(CURL *result) { if (proxy_auth.username) { if (!proxy_auth.password) - credential_fill(&proxy_auth); + credential_fill(&proxy_auth, 0); set_proxyauth_name_password(result); } @@ -630,7 +630,7 @@ static int has_cert_password(void) cert_auth.host = xstrdup(""); cert_auth.username = xstrdup(""); cert_auth.path = xstrdup(ssl_cert); - credential_fill(&cert_auth); + credential_fill(&cert_auth, 0); } return 1; } @@ -645,7 +645,7 @@ static int has_proxy_cert_password(void) proxy_cert_auth.host = xstrdup(""); proxy_cert_auth.username = xstrdup(""); proxy_cert_auth.path = xstrdup(http_proxy_ssl_cert); - credential_fill(&proxy_cert_auth); + credential_fill(&proxy_cert_auth, 0); } return 1; } @@ -2191,7 +2191,7 @@ static int http_request_reauth(const char *url, BUG("Unknown http_request target"); } - credential_fill(&http_auth); + credential_fill(&http_auth, 0); return http_request(url, result, target, options); } diff --git a/imap-send.c b/imap-send.c index f2e1947e63..8c89e866b6 100644 --- a/imap-send.c +++ b/imap-send.c @@ -944,7 +944,7 @@ static void server_fill_credential(struct imap_server_conf *srvc, struct credent cred->username = xstrdup_or_null(srvc->user); cred->password = xstrdup_or_null(srvc->pass); - credential_fill(cred); + credential_fill(cred, 1); if (!srvc->user) srvc->user = xstrdup(cred->username); diff --git a/remote-curl.c b/remote-curl.c index e37eaa17b7..f96bda2431 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -926,7 +926,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece do { err = probe_rpc(rpc, &results); if (err == HTTP_REAUTH) - credential_fill(&http_auth); + credential_fill(&http_auth, 0); } while (err == HTTP_REAUTH); if (err != HTTP_OK) return -1; @@ -1044,7 +1044,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece rpc->any_written = 0; err = run_slot(slot, NULL); if (err == HTTP_REAUTH && !large_request) { - credential_fill(&http_auth); + credential_fill(&http_auth, 0); curl_slist_free_all(headers); goto retry; } diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh index 400f6bdbca..8477108b28 100755 --- a/t/t0300-credentials.sh +++ b/t/t0300-credentials.sh @@ -12,7 +12,13 @@ test_expect_success 'setup helper scripts' ' IFS== while read key value; do echo >&2 "$whoami: $key=$value" - eval "$key=$value" + if test -z "${key%%*\[\]}" + then + key=${key%%\[\]} + eval "$key=\"\$$key $value\"" + else + eval "$key=$value" + fi done IFS=$OIFS EOF @@ -35,6 +41,16 @@ test_expect_success 'setup helper scripts' ' test -z "$pass" || echo password=$pass EOF + write_script git-credential-verbatim-cred <<-\EOF && + authtype=$1; shift + credential=$1; shift + . ./dump + echo capability[]=authtype + test -z "${capability##*authtype*}" || return + test -z "$authtype" || echo authtype=$authtype + test -z "$credential" || echo credential=$credential + EOF + write_script git-credential-verbatim-with-expiry <<-\EOF && user=$1; shift pass=$1; shift @@ -64,6 +80,26 @@ test_expect_success 'credential_fill invokes helper' ' EOF ' +test_expect_success 'credential_fill invokes helper with credential' ' + check fill "verbatim-cred Bearer token" <<-\EOF + capability[]=authtype + protocol=http + host=example.com + -- + capability[]=authtype + authtype=Bearer + credential=token + protocol=http + host=example.com + -- + verbatim-cred: get + verbatim-cred: capability[]=authtype + verbatim-cred: protocol=http + verbatim-cred: host=example.com + EOF +' + + test_expect_success 'credential_fill invokes multiple helpers' ' check fill useless "verbatim foo bar" <<-\EOF protocol=http @@ -83,6 +119,42 @@ test_expect_success 'credential_fill invokes multiple helpers' ' EOF ' +test_expect_success 'credential_fill response does not get capabilities when helpers are incapable' ' + check fill useless "verbatim foo bar" <<-\EOF + capability[]=authtype + protocol=http + host=example.com + -- + protocol=http + host=example.com + username=foo + password=bar + -- + useless: get + useless: capability[]=authtype + useless: protocol=http + useless: host=example.com + verbatim: get + verbatim: capability[]=authtype + verbatim: protocol=http + verbatim: host=example.com + EOF +' + +test_expect_success 'credential_fill response does not get capabilities when caller is incapable' ' + check fill "verbatim-cred Bearer token" <<-\EOF + protocol=http + host=example.com + -- + protocol=http + host=example.com + -- + verbatim-cred: get + verbatim-cred: protocol=http + verbatim-cred: host=example.com + EOF +' + test_expect_success 'credential_fill stops when we get a full response' ' check fill "verbatim one two" "verbatim three four" <<-\EOF protocol=http @@ -99,6 +171,25 @@ test_expect_success 'credential_fill stops when we get a full response' ' EOF ' +test_expect_success 'credential_fill thinks a credential is a full response' ' + check fill "verbatim-cred Bearer token" "verbatim three four" <<-\EOF + capability[]=authtype + protocol=http + host=example.com + -- + capability[]=authtype + authtype=Bearer + credential=token + protocol=http + host=example.com + -- + verbatim-cred: get + verbatim-cred: capability[]=authtype + verbatim-cred: protocol=http + verbatim-cred: host=example.com + EOF +' + test_expect_success 'credential_fill continues through partial response' ' check fill "verbatim one \"\"" "verbatim two three" <<-\EOF protocol=http @@ -175,6 +266,20 @@ test_expect_success 'credential_fill passes along metadata' ' EOF ' +test_expect_success 'credential_fill produces no credential without capability' ' + check fill "verbatim-cred Bearer token" <<-\EOF + protocol=http + host=example.com + -- + protocol=http + host=example.com + -- + verbatim-cred: get + verbatim-cred: protocol=http + verbatim-cred: host=example.com + EOF +' + test_expect_success 'credential_approve calls all helpers' ' check approve useless "verbatim one two" <<-\EOF protocol=http From patchwork Sun Mar 24 01:12:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600752 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 298A263B for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242798; cv=none; b=OOe7xgIOC90qTj2y/toa1x7rrZ6S7ccCh5LmTKfEWTZUVV1O8/pWZ7ZqLDGNzPyBuLt6qflXrV4ZNKzdhza7ZyCUQVQamEt4iaa3NV8CxyIv/eWewkDqYQOMIY1wrIRLA3+QRxOfDlSDSiwOZlZPCFELnom00Fy2KZu/rfzx+R8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242798; c=relaxed/simple; bh=7Ulw9Q79yAh4T6HWJyFx3Sz5OWBYpwI8IR1SDRUOcvM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZDUdgLJ5R5HX15PpgEOHdIySqFc2/BvavTdyTes0vD3gdKVVhusTvrfMxU2r9Oxg4oFTqPOzloXVKL+4XqDbkjWfihHKgdXSF4uiIKsMVGrg+ZtANSi8TBqq2U2BbHCcTcC52bH3+kJPVvWUL5NZPnGstr49LyVVGTviAjhO6L4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=mUTnGNgh; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="mUTnGNgh" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 0F5F25D40F; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=7Ulw9Q79yAh4T6HWJyFx3Sz5OWBYpwI8IR1SDRUOcvM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=mUTnGNghL9DpCdo03OYzb2KL2vfO5C+D4kR0Dze1iJvktYm4XkESWYKKz7AA0Z5D3 CMBwMCNCyxCcy0HW/qS3VcO78zCStMZBOJWE8M99PvsJR66YiLZMH3mPXaBT7vW9Pj oZPYT8BSase8SaO4UJr94101xC3JaUxzAwYvGqz/kCTFnSGCkHLktfqZyoHE6N8ssa VN9n3ZzMU9ZimMjfZzX36JTZcYsvzOR5jIva3igOq5CWIsLw7Vuyy2eDOD6DXcMRx2 xsVgESkh7l3Cz/4sl5JHnstWvnr2HH7zdG+m+9u19ei8M+E/glaYE6WmnYZ4bgCv1n NCTCCSFFSrX+e7POzlFZnWQdByK8qqgjF+FJGJ2vYi9ZSXj2jcw3FX41EKZct/8Z8r ivXs/OdUnLzWygt7KyYMMeS9H0GWj2gWXSqydUCM8jYRKbc06JbBQpwPo+E+TfX1kj i3XNAQZ2J+mvzpidSAcZbhzrHqY1jW+mqeadJi70Ys8BK7bnaG8 From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 06/13] docs: indicate new credential protocol fields Date: Sun, 24 Mar 2024 01:12:54 +0000 Message-ID: <20240324011301.1553072-7-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Now that we have new fields (authtype and credential), let's document them for users and credential helper implementers. Indicate specifically what common values of authtype are and what values are allowed. Note that, while common, digest and NTLM authentication are insecure because they require unsalted, uniterated password hashes to be stored. Tell users that they can continue to use a username and password even if the new capability is supported. Signed-off-by: brian m. carlson --- Documentation/git-credential.txt | 34 +++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index 918a0aa42b..f3ed3a82fa 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -178,6 +178,24 @@ empty string. Components which are missing from the URL (e.g., there is no username in the example above) will be left unset. +`authtype`:: + This indicates that the authentication scheme in question should be used. + Common values for HTTP and HTTPS include `basic`, `digest`, and `ntlm`, + although the latter two are insecure and should not be used. If `credential` + is used, this may be set to an arbitrary string suitable for the protocol in + question (usually HTTP). ++ +This value should not be sent unless the appropriate capability (see below) is +provided on input. + +`credential`:: + The pre-encoded credential, suitable for the protocol in question (usually + HTTP). If this key is sent, `authtype` is mandatory, and `username` and + `password` are not used. ++ +This value should not be sent unless the appropriate capability (see below) is +provided on input. + `wwwauth[]`:: When an HTTP response is received by Git that includes one or more @@ -189,7 +207,21 @@ attribute 'wwwauth[]', where the order of the attributes is the same as they appear in the HTTP response. This attribute is 'one-way' from Git to pass additional information to credential helpers. -Unrecognised attributes are silently discarded. +`capability[]`:: + This signals that the caller supports the capability in question. + This can be used to provide better, more specific data as part of the + protocol. ++ +The only capability currently supported is `authtype`, which indicates that the +`authtype` and `credential` values are understood. It is not obligatory to use +these values in such a case, but they should not be provided without this +capability. ++ +Callers of `git credential` and credential helpers should emit the +capabilities they support unconditionally, and Git will gracefully +handle passing them on. + +Unrecognised attributes and capabilities are silently discarded. GIT --- From patchwork Sun Mar 24 01:12:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600751 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2992381E for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242797; cv=none; b=D62kswI9zHBCdLTnbvBsYN0tV4yS8MSs8TXlreWGXR/WXawYngBqgFqjH9LGpm58VUrQhRnb1oK3t7R58NO0BgGKNj9X+33NFvof4ZOhUZG1nyA2jdXjCsCOZRGJmvoFJKWpzz4ZQcRDKRGtU78g0cOmE3FbEWAjE0kwW7xxvZE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242797; c=relaxed/simple; bh=qGU6XNgtV2kXpA80MARJyjobtj3uvHtnP78Flo7vlCs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=p39hFlMfEk9DRSaghtU1SnPgHJ7rtT5hlzs985R+zUgK4z8QLIw0h5R3cLZkoPlShrUVGTDOFVNFXxPpynkvLmBiZBmB9RrVldxUPBvnm4yuB6UT6PoW+v6RuZjJQ6imAz1FiP+FvTzkNgrz6pl7gK6GzQ+vVedf89CgrPIGjjI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=BJNYOgwi; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="BJNYOgwi" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 25F1C5D410; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=qGU6XNgtV2kXpA80MARJyjobtj3uvHtnP78Flo7vlCs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=BJNYOgwiIbTwlnKwsKJaXS2afvDFhW/dQlRdandI7d7EhMfUcRvEG6PnALv1KErPb uodFDXIRvIqDTiZSrbXCMcdE9uwbme2DjY9J011kGpT93+/AGWXOVmJSdOVSiUcJFD QciPbTml4dThYky+Wy5s7d0rRe5lsJ0QdWj8FUIFikQipadxIKYHweQiV0JA1VL263 uWNQD6zImLslhdPVKyk7IO5kNjGG3+0D1HIFG0qGwmPb0BfnGVO/c+wo3pZerKrv+T lulv/VPtzWEjTj5vPC8tPcKOXNSt8JhwXsY9PeejKt+GyF9pKnZARLaUBe+VgLXaGM eiNrbYTszd3RK5mEuQoCGnAcucRVpTsNW70xujjINdHeY7Osj696mp+tyGLnpzAFcx 2eSEH4rfCz40+kUTd9MPF9vc2ewbH8g59SmFpzunApg3Sgi5YGOOsbl2iYk7wEd4uc 6yrlLZQv+YzggHOtbsUBmZ15NXk2sjXaDkEvczOLnuuDzhiuvlf From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 07/13] http: add support for authtype and credential Date: Sun, 24 Mar 2024 01:12:55 +0000 Message-ID: <20240324011301.1553072-8-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Now that we have the credential helper code set up to handle arbitrary authentications schemes, let's add support for this in the HTTP code, where we really want to use it. If we're using this new functionality, don't set a username and password, and instead set a header wherever we'd normally do so, including for proxy authentication. Since we can now handle this case, ask the credential helper to enable the appropriate capabilities. Finally, if we're using the authtype value, set "Expect: 100-continue". Any type of authentication that requires multiple rounds (such as NTLM or Kerberos) requires a 100 Continue (if we're larger than http.postBuffer) because otherwise we send the pack data before we're authenticated, the push gets a 401 response, and we can't rewind the stream. We don't know for certain what other custom schemes might require this, the HTTP/1.1 standard has required handling this since 1999, the broken HTTP server for which we disabled this (Google's) is now fixed and has been for some time, and libcurl has a 1-second fallback in case the HTTP server is still broken. In addition, it is not unreasonable to require compliance with a 25-year old standard to use new Git features. For all of these reasons, do so here. Signed-off-by: brian m. carlson --- http.c | 48 ++++++++++--- http.h | 3 + remote-curl.c | 4 +- t/t5563-simple-http-auth.sh | 133 ++++++++++++++++++++++++++++++++++++ 4 files changed, 176 insertions(+), 12 deletions(-) diff --git a/http.c b/http.c index 4f5df6fb14..f98c520924 100644 --- a/http.c +++ b/http.c @@ -561,18 +561,34 @@ static int curl_empty_auth_enabled(void) return 0; } +struct curl_slist *http_append_auth_header(const struct credential *c, + struct curl_slist *headers) +{ + if (c->authtype && c->credential) { + struct strbuf auth = STRBUF_INIT; + strbuf_addf(&auth, "Authorization: %s %s", + c->authtype, c->credential); + headers = curl_slist_append(headers, auth.buf); + strbuf_release(&auth); + } + return headers; +} + static void init_curl_http_auth(CURL *result) { - if (!http_auth.username || !*http_auth.username) { + if ((!http_auth.username || !*http_auth.username) && + (!http_auth.credential || !*http_auth.credential)) { if (curl_empty_auth_enabled()) curl_easy_setopt(result, CURLOPT_USERPWD, ":"); return; } - credential_fill(&http_auth, 0); + credential_fill(&http_auth, 1); - curl_easy_setopt(result, CURLOPT_USERNAME, http_auth.username); - curl_easy_setopt(result, CURLOPT_PASSWORD, http_auth.password); + if (http_auth.password) { + curl_easy_setopt(result, CURLOPT_USERNAME, http_auth.username); + curl_easy_setopt(result, CURLOPT_PASSWORD, http_auth.password); + } } /* *var must be free-able */ @@ -586,17 +602,22 @@ static void var_override(const char **var, char *value) static void set_proxyauth_name_password(CURL *result) { + if (proxy_auth.password) { curl_easy_setopt(result, CURLOPT_PROXYUSERNAME, proxy_auth.username); curl_easy_setopt(result, CURLOPT_PROXYPASSWORD, proxy_auth.password); + } else if (proxy_auth.authtype && proxy_auth.credential) { + curl_easy_setopt(result, CURLOPT_PROXYHEADER, + http_append_auth_header(&proxy_auth, NULL)); + } } static void init_curl_proxy_auth(CURL *result) { if (proxy_auth.username) { - if (!proxy_auth.password) - credential_fill(&proxy_auth, 0); + if (!proxy_auth.password && !proxy_auth.credential) + credential_fill(&proxy_auth, 1); set_proxyauth_name_password(result); } @@ -1469,7 +1490,7 @@ struct active_request_slot *get_active_slot(void) curl_easy_setopt(slot->curl, CURLOPT_IPRESOLVE, git_curl_ipresolve); curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods); - if (http_auth.password || curl_empty_auth_enabled()) + if (http_auth.password || http_auth.credential || curl_empty_auth_enabled()) init_curl_http_auth(slot->curl); return slot; @@ -1758,7 +1779,8 @@ static int handle_curl_result(struct slot_results *results) } else if (missing_target(results)) return HTTP_MISSING_TARGET; else if (results->http_code == 401) { - if (http_auth.username && http_auth.password) { + if ((http_auth.username && http_auth.password) ||\ + (http_auth.authtype && http_auth.credential)) { credential_reject(&http_auth); return HTTP_NOAUTH; } else { @@ -2066,11 +2088,15 @@ static int http_request(const char *url, /* Add additional headers here */ if (options && options->extra_headers) { const struct string_list_item *item; - for_each_string_list_item(item, options->extra_headers) { - headers = curl_slist_append(headers, item->string); + if (options && options->extra_headers) { + for_each_string_list_item(item, options->extra_headers) { + headers = curl_slist_append(headers, item->string); + } } } + headers = http_append_auth_header(&http_auth, headers); + curl_easy_setopt(slot->curl, CURLOPT_URL, url); curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(slot->curl, CURLOPT_ENCODING, ""); @@ -2191,7 +2217,7 @@ static int http_request_reauth(const char *url, BUG("Unknown http_request target"); } - credential_fill(&http_auth, 0); + credential_fill(&http_auth, 1); return http_request(url, result, target, options); } diff --git a/http.h b/http.h index c5f8cc4620..a516ca4a9a 100644 --- a/http.h +++ b/http.h @@ -175,6 +175,9 @@ int http_get_file(const char *url, const char *filename, int http_fetch_ref(const char *base, struct ref *ref); +struct curl_slist *http_append_auth_header(const struct credential *c, + struct curl_slist *headers); + /* Helpers for fetching packs */ int http_get_info_packs(const char *base_url, struct packed_git **packs_head); diff --git a/remote-curl.c b/remote-curl.c index f96bda2431..1c5416812a 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -931,7 +931,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece if (err != HTTP_OK) return -1; - if (results.auth_avail & CURLAUTH_GSSNEGOTIATE) + if (results.auth_avail & CURLAUTH_GSSNEGOTIATE || http_auth.authtype) needs_100_continue = 1; } @@ -942,6 +942,8 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece headers = curl_slist_append(headers, needs_100_continue ? "Expect: 100-continue" : "Expect:"); + headers = http_append_auth_header(&http_auth, headers); + /* Add Accept-Language header */ if (rpc->hdr_accept_language) headers = curl_slist_append(headers, rpc->hdr_accept_language); diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index ab8a721ccc..b3ed0d9fc2 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -74,6 +74,7 @@ test_expect_success 'access using basic auth' ' git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=Basic realm="example.com" @@ -87,6 +88,43 @@ test_expect_success 'access using basic auth' ' EOF ' +test_expect_success 'access using basic auth via authtype' ' + test_when_finished "per_test_cleanup" && + + set_credential_reply get <<-EOF && + capability[]=authtype + authtype=Basic + credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA== + EOF + + # Basic base64(alice:secret-passwd) + cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && + Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + EOF + + cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && + WWW-Authenticate: Basic realm="example.com" + EOF + + test_config_global credential.helper test-helper && + GIT_CURL_VERBOSE=1 git ls-remote "$HTTPD_URL/custom_auth/repo.git" && + + expect_credential_query get <<-EOF && + capability[]=authtype + protocol=http + host=$HTTPD_DEST + wwwauth[]=Basic realm="example.com" + EOF + + expect_credential_query store <<-EOF + capability[]=authtype + authtype=Basic + credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA== + protocol=http + host=$HTTPD_DEST + EOF +' + test_expect_success 'access using basic auth invalid credentials' ' test_when_finished "per_test_cleanup" && @@ -108,6 +146,7 @@ test_expect_success 'access using basic auth invalid credentials' ' test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=Basic realm="example.com" @@ -145,6 +184,7 @@ test_expect_success 'access using basic auth with extra challenges' ' git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -183,6 +223,7 @@ test_expect_success 'access using basic auth mixed-case wwwauth header name' ' git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=foobar param1="value1" param2="value2" @@ -226,6 +267,7 @@ test_expect_success 'access using basic auth with wwwauth header continuations' git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -271,6 +313,7 @@ test_expect_success 'access using basic auth with wwwauth header empty continuat git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -312,6 +355,7 @@ test_expect_success 'access using basic auth with wwwauth header mixed line-endi git ls-remote "$HTTPD_URL/custom_auth/repo.git" && expect_credential_query get <<-EOF && + capability[]=authtype protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -326,4 +370,93 @@ test_expect_success 'access using basic auth with wwwauth header mixed line-endi EOF ' +test_expect_success 'access using bearer auth' ' + test_when_finished "per_test_cleanup" && + + set_credential_reply get <<-EOF && + capability[]=authtype + authtype=Bearer + credential=YS1naXQtdG9rZW4= + EOF + + # Basic base64(a-git-token) + cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && + Bearer YS1naXQtdG9rZW4= + EOF + + CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && + + cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && + WWW-Authenticate: FooBar param1="value1" param2="value2" + WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + WWW-Authenticate: Basic realm="example.com" + EOF + + test_config_global credential.helper test-helper && + git ls-remote "$HTTPD_URL/custom_auth/repo.git" && + + expect_credential_query get <<-EOF && + capability[]=authtype + protocol=http + host=$HTTPD_DEST + wwwauth[]=FooBar param1="value1" param2="value2" + wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0 + wwwauth[]=Basic realm="example.com" + EOF + + expect_credential_query store <<-EOF + capability[]=authtype + authtype=Bearer + credential=YS1naXQtdG9rZW4= + protocol=http + host=$HTTPD_DEST + EOF +' + +test_expect_success 'access using bearer auth with invalid credentials' ' + test_when_finished "per_test_cleanup" && + + set_credential_reply get <<-EOF && + capability[]=authtype + authtype=Bearer + credential=incorrect-token + EOF + + # Basic base64(a-git-token) + cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && + Bearer YS1naXQtdG9rZW4= + EOF + + CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && + + cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && + WWW-Authenticate: FooBar param1="value1" param2="value2" + WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + WWW-Authenticate: Basic realm="example.com" + EOF + + test_config_global credential.helper test-helper && + test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" && + + expect_credential_query get <<-EOF && + capability[]=authtype + protocol=http + host=$HTTPD_DEST + wwwauth[]=FooBar param1="value1" param2="value2" + wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0 + wwwauth[]=Basic realm="example.com" + EOF + + expect_credential_query erase <<-EOF + capability[]=authtype + authtype=Bearer + credential=incorrect-token + protocol=http + host=$HTTPD_DEST + wwwauth[]=FooBar param1="value1" param2="value2" + wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0 + wwwauth[]=Basic realm="example.com" + EOF +' + test_done From patchwork Sun Mar 24 01:12:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600746 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 298D464A for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; cv=none; b=P0pcMenT3UFUrfWhRkEP0oQ+qqU/+kfRMiHpTvCaTax4i4+wU6mmsHTu5XtgLJMtWgB+BV9ZkuC9hO5YlJO0bNgvBwIGNXYUyZEcdYJO1HlkPelyydbANPQ/wkno5rDcXUZlRoJQ8ndtBVmUMPszTm/W997ezP22TcfWaXEN9x0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; c=relaxed/simple; bh=pKtX4IurOShQJ74V2qb9RIIgEn39MetHTFanPotyiJY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WrTHAxfSsHYDCpH1f206/q6LwnO9n2TUOPdt+BuRrcSh1P1Sb4vekwIyH8rL/nfrjLmE2GOMPbkOntsqvFJodQt3PKwl7z93s3LX5771aa51OSlqwdPUD748jf0/Zl8L/vGfKsDqZTrqGWzUoveaOGKneY5wHRCVco4jtzaJ4V8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=k628mKOs; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="k628mKOs" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 323F25D411; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=pKtX4IurOShQJ74V2qb9RIIgEn39MetHTFanPotyiJY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=k628mKOs4Yhs39LOD4b854uGfpf+oAcxlkJGJmgl1yHLxq7w6BPuG9U7YTAs3Gfmh zHL14/vBX1nsA7PpGOXBhOArHr9Fib93FLs/mvxuIvsPGsoq52G//Z3MPuzWFRnDbH Flp2if7ZWnjqloN2jH9muVl3y842wIvyS3ABA/pIA5a7I8S2knYBlI9r0QluBx9g4L I78VYoCaZCee4CpFZUpSp8Is3rJm20ARppyup1Y2zOYmCuYqgKf029CikEkLxFn1Hc OzlHxQK8zThnOj9Sgny/IDOg2SnB2KLeE67mlUDFZyo6I828HPWD4xZFMeQydJ93Lu Tx5kakznaSAkoMGvvRA7ogEt3CTDbuQRk+NJM5PYJcPHYZu5kpEGZlXxybUcli+Qyp X4Q7ydZjX5+c+RH4LDpmcOyrEMEXxlXTOCNuuWAbLNkYn95V2EwKPgpq+fVXl5zaY/ sA4Jwdc+RWsc2aETARF4hTrH866CwwywNtcN6fSxFTab3FKP1h3 From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 08/13] credential: add an argument to keep state Date: Sun, 24 Mar 2024 01:12:56 +0000 Message-ID: <20240324011301.1553072-9-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Until now, our credential code has mostly deal with usernames and passwords and we've let libcurl deal with the variant of authentication to be used. However, now that we have the credential value, the credential helper can take control of the authentication, so the value provided might be something that's generated, such as a Digest hash value. In such a case, it would be helpful for a credential helper that gets an erase or store command to be able to keep track of an identifier for the original secret that went into the computation. Furthermore, some types of authentication, such as NTLM and Kerberos, actually need two round trips to authenticate, which will require that the credential helper keep some state. In order to allow for these use cases and others, allow storing state in a field called "state[]". This value is passed back to the credential helper that created it, which avoids confusion caused by parsing values from different helpers. Signed-off-by: brian m. carlson --- Documentation/git-credential.txt | 29 ++++++++++++++++++----------- credential.c | 20 +++++++++++++++++--- credential.h | 7 +++++++ t/t0300-credentials.sh | 29 +++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 14 deletions(-) diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index f3ed3a82fa..ef30c89c00 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -196,6 +196,15 @@ provided on input. This value should not be sent unless the appropriate capability (see below) is provided on input. +`state[]`:: + This value provides an opaque state that will be passed back to this helper + if it is called again. Each different credential helper may specify this + once. The value should include a prefix unique to the credential helper and + should ignore values that don't match its prefix. ++ +This value should not be sent unless the appropriate capability (see below) is +provided on input. + `wwwauth[]`:: When an HTTP response is received by Git that includes one or more @@ -208,18 +217,16 @@ they appear in the HTTP response. This attribute is 'one-way' from Git to pass additional information to credential helpers. `capability[]`:: - This signals that the caller supports the capability in question. - This can be used to provide better, more specific data as part of the - protocol. + This signals that Git, or the helper, as appropriate, supports the + capability in question. This can be used to provide better, more specific + data as part of the protocol. + -The only capability currently supported is `authtype`, which indicates that the -`authtype` and `credential` values are understood. It is not obligatory to use -these values in such a case, but they should not be provided without this -capability. -+ -Callers of `git credential` and credential helpers should emit the -capabilities they support unconditionally, and Git will gracefully -handle passing them on. +There are two currently supported capabilities. The first is `authtype`, which +indicates that the `authtype` and `credential` values are understood. The +second is `state`, which indicates that the `state[]` value is understood. + +It is not obligatory to use the additional features just because the capability +is supported, but they should not be provided without this capability. Unrecognised attributes and capabilities are silently discarded. diff --git a/credential.c b/credential.c index f2a26b8672..0cd7dd2a00 100644 --- a/credential.c +++ b/credential.c @@ -30,6 +30,7 @@ void credential_clear(struct credential *c) free(c->authtype); string_list_clear(&c->helpers, 0); strvec_clear(&c->wwwauth_headers); + strvec_clear(&c->state_headers); credential_init(c); } @@ -286,8 +287,13 @@ int credential_read(struct credential *c, FILE *fp, int op_type) c->path = xstrdup(value); } else if (!strcmp(key, "wwwauth[]")) { strvec_push(&c->wwwauth_headers, value); - } else if (!strcmp(key, "capability[]") && !strcmp(value, "authtype")) { - credential_set_capability(&c->capa_authtype, op_type); + } else if (!strcmp(key, "state[]")) { + strvec_push(&c->state_headers, value); + } else if (!strcmp(key, "capability[]")) { + if (!strcmp(value, "authtype")) + credential_set_capability(&c->capa_authtype, op_type); + else if (!strcmp(value, "state")) + credential_set_capability(&c->capa_state, op_type); } else if (!strcmp(key, "password_expiry_utc")) { errno = 0; c->password_expiry_utc = parse_timestamp(value, NULL, 10); @@ -329,8 +335,12 @@ static void credential_write_item(FILE *fp, const char *key, const char *value, void credential_write(const struct credential *c, FILE *fp, int op_type) { - if (credential_has_capability(&c->capa_authtype, op_type)) { + if (credential_has_capability(&c->capa_authtype, op_type)) credential_write_item(fp, "capability[]", "authtype", 0); + if (credential_has_capability(&c->capa_state, op_type)) + credential_write_item(fp, "capability[]", "state", 0); + + if (credential_has_capability(&c->capa_authtype, op_type)) { credential_write_item(fp, "authtype", c->authtype, 0); credential_write_item(fp, "credential", c->credential, 0); } @@ -347,6 +357,10 @@ void credential_write(const struct credential *c, FILE *fp, int op_type) } for (size_t i = 0; i < c->wwwauth_headers.nr; i++) credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0); + if (credential_has_capability(&c->capa_state, op_type)) { + for (size_t i = 0; i < c->state_headers.nr; i++) + credential_write_item(fp, "state[]", c->state_headers.v[i], 0); + } } static int run_credential_helper(struct credential *c, diff --git a/credential.h b/credential.h index 2051d04c5a..e2021455fe 100644 --- a/credential.h +++ b/credential.h @@ -142,6 +142,11 @@ struct credential { */ struct strvec wwwauth_headers; + /** + * A `strvec` of state headers from credential helpers. + */ + struct strvec state_headers; + /** * Internal use only. Keeps track of if we previously matched against a * WWW-Authenticate header line in order to re-fold future continuation @@ -156,6 +161,7 @@ struct credential { username_from_proto:1; struct credential_capability capa_authtype; + struct credential_capability capa_state; char *username; char *password; @@ -177,6 +183,7 @@ struct credential { .helpers = STRING_LIST_INIT_DUP, \ .password_expiry_utc = TIME_MAX, \ .wwwauth_headers = STRVEC_INIT, \ + .state_headers = STRVEC_INIT, \ } /* Initialize a credential structure, setting all fields to empty. */ diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh index 8477108b28..aa56e0dc84 100755 --- a/t/t0300-credentials.sh +++ b/t/t0300-credentials.sh @@ -46,9 +46,12 @@ test_expect_success 'setup helper scripts' ' credential=$1; shift . ./dump echo capability[]=authtype + echo capability[]=state test -z "${capability##*authtype*}" || return test -z "$authtype" || echo authtype=$authtype test -z "$credential" || echo credential=$credential + test -z "${capability##*state*}" || return + echo state[]=verbatim-cred:foo EOF write_script git-credential-verbatim-with-expiry <<-\EOF && @@ -99,6 +102,29 @@ test_expect_success 'credential_fill invokes helper with credential' ' EOF ' +test_expect_success 'credential_fill invokes helper with credential and state' ' + check fill "verbatim-cred Bearer token" <<-\EOF + capability[]=authtype + capability[]=state + protocol=http + host=example.com + -- + capability[]=authtype + capability[]=state + authtype=Bearer + credential=token + protocol=http + host=example.com + state[]=verbatim-cred:foo + -- + verbatim-cred: get + verbatim-cred: capability[]=authtype + verbatim-cred: capability[]=state + verbatim-cred: protocol=http + verbatim-cred: host=example.com + EOF +' + test_expect_success 'credential_fill invokes multiple helpers' ' check fill useless "verbatim foo bar" <<-\EOF @@ -122,6 +148,7 @@ test_expect_success 'credential_fill invokes multiple helpers' ' test_expect_success 'credential_fill response does not get capabilities when helpers are incapable' ' check fill useless "verbatim foo bar" <<-\EOF capability[]=authtype + capability[]=state protocol=http host=example.com -- @@ -132,10 +159,12 @@ test_expect_success 'credential_fill response does not get capabilities when hel -- useless: get useless: capability[]=authtype + useless: capability[]=state useless: protocol=http useless: host=example.com verbatim: get verbatim: capability[]=authtype + verbatim: capability[]=state verbatim: protocol=http verbatim: host=example.com EOF From patchwork Sun Mar 24 01:12:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600745 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2D271EC4 for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; cv=none; b=FszKTBUujhKQd6eSk/GwUeBuFCRQkzTOaaAIhYqkbM4XXlZ3ErSHC0WqfcHtK65hMn30kEbmScOr7GOymJx7DP+9FtCDkL8ACN+IcxpvZxxWjoKxqKVp7RYSgIpeeWhQqKGg8Ml5b0UCT7XqdZa9oP+l7IZGlVc2jktAKm9wqek= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; c=relaxed/simple; bh=xMhWRt1J+S4TuQXO1QSsMBSmNfSgr2pe2mgv+AZjeMQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VyxV2MalqN2qZMhogKOoklI/pk2v29SCtitWo7/3DNTJFuvgURR9L2oSs/n3I9tvZyK3zCQHbxFGwDcJgtkwCuhZwh9k+9SUOp9nHXaIBnEMxQ70Dq1tTNDxicbR6JUFo1yzQJfPi/9c7fI/WUwqVIZ+ez4/L/dGWxqvQswnvTM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=FE7/x1kL; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="FE7/x1kL" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 3E2F65D412; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=xMhWRt1J+S4TuQXO1QSsMBSmNfSgr2pe2mgv+AZjeMQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=FE7/x1kL0lSv8qwhHbv5nUexQvphbzRjoC1MQTQx6p3QS+uuyWycdrkSE8HaazxC1 vgQwy1Z1Sle6VZZUlh0jLchkW5aF4UuLl8mFudV+CuJaDfp62nwBsxxbtFR+II7iYo BoH6Yk3I6y409oKPdmKGBc+devzuuUu/OcqkGGPNlELQzikgytXLmIxr9rZ0bmuTBU bXswQoagOQahWPoRG45WeJbFuczBOY/dvKczTMYtZeSumaUf7o+X8Y+177qHHOEOi8 apeKbCSJKbgOgN2T1ejZgflKNf23DASocGBNAYhAAu/XJ9WbpOl7ZndWLTBSquQYdg hlzWbkycDcfNCjR8/XFRGYpTnnsPVODEQkkcEwnAUkQCTioSgSACj03iRSt61ncQSA naA3KRfzV5EE1Tu7bg0QFAS1u4AfSK1nAYhWKXi2xnWEssLREO1DkbofGkugcb8NqB GCd0zcpe3t4ETKzgKCLU8y2kqGXLnDc4KUBxTuMuzyRt3SKPXvA From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 09/13] credential: enable state capability Date: Sun, 24 Mar 2024 01:12:57 +0000 Message-ID: <20240324011301.1553072-10-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Now that we've implemented the state capability, let's send it along by default when filling credentials so we can make use of it. Signed-off-by: brian m. carlson --- credential.c | 1 + t/t5563-simple-http-auth.sh | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/credential.c b/credential.c index 0cd7dd2a00..0ca7c12895 100644 --- a/credential.c +++ b/credential.c @@ -38,6 +38,7 @@ void credential_clear(struct credential *c) static void credential_set_all_capabilities(struct credential *c) { c->capa_authtype.request_initial = 1; + c->capa_state.request_initial = 1; } int credential_match(const struct credential *want, diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index b3ed0d9fc2..b098cd0fdf 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -75,6 +75,7 @@ test_expect_success 'access using basic auth' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=Basic realm="example.com" @@ -111,6 +112,7 @@ test_expect_success 'access using basic auth via authtype' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=Basic realm="example.com" @@ -147,6 +149,7 @@ test_expect_success 'access using basic auth invalid credentials' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=Basic realm="example.com" @@ -185,6 +188,7 @@ test_expect_success 'access using basic auth with extra challenges' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -224,6 +228,7 @@ test_expect_success 'access using basic auth mixed-case wwwauth header name' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=foobar param1="value1" param2="value2" @@ -268,6 +273,7 @@ test_expect_success 'access using basic auth with wwwauth header continuations' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -314,6 +320,7 @@ test_expect_success 'access using basic auth with wwwauth header empty continuat expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -356,6 +363,7 @@ test_expect_success 'access using basic auth with wwwauth header mixed line-endi expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -397,6 +405,7 @@ test_expect_success 'access using bearer auth' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" @@ -440,6 +449,7 @@ test_expect_success 'access using bearer auth with invalid credentials' ' expect_credential_query get <<-EOF && capability[]=authtype + capability[]=state protocol=http host=$HTTPD_DEST wwwauth[]=FooBar param1="value1" param2="value2" From patchwork Sun Mar 24 01:12:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600748 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2BBA3A50 for ; Sun, 24 Mar 2024 01:13:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; cv=none; b=KwkJiQazcYZvAeFmIrdzUh1F9gkTckZTNpJraaxhYbNDqr9MPeTsOIPjf7OsM8/Lzu0Ej2wCGvAK11DnH4cVZJ5Pe37U+7PbCa3yfmbkwvCl4u8fcuRiYNJFsnGTnH9Ut60dX+OE1epTLPbhG7zq/yCpcQ7prtB1sNfcV/kPptc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; c=relaxed/simple; bh=qLzO/NbZzNv/1q25jhvmykDRs0zvl+THgoHuoex+vZ8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UUUsIMjhBDP8CItH+iFxUqu+BUyKbxQYuyexwQ+ETINZvOnj+mDFP/brB3+U/elgs7Y8L56w/i/cCuHgMFoKpeyUk3jFVUZYkf/y4UH25/dO/Ozx1usJuKy4zd4k4IWcHGerORYKBp0afxDxI/RCennMs7gOeH3pVfEN7xGr/hI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=Xizja4LH; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="Xizja4LH" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 507A05D414; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=qLzO/NbZzNv/1q25jhvmykDRs0zvl+THgoHuoex+vZ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=Xizja4LHk9lrdJHqbAiwQvsfZJ7mN56fB38mukw1Ocq9bfkGy4ax0iDJtiPVo0Sad 4YcDgWqS2uBxHmeAbFKuPDlMqRXDvHGB7Evqh7ry2j0Gq0yt8qfUQmRtgl4mzXzEAu NnaFFYi2Z43CfJdVDr1I+suKUhXnv5Dash08LkUlA7F24jK5X23rUCYsxScqsA6abC 5LptKCpsrH1XMrUFyRsqMCy/i97l9c5s1PC2rq1dYglg74FKa6g4wLlWrkBaxzZfvm F2ZOBS+JVAemEml6kewkng5gtvBCTZXGIlUjPX0BNxUJ1ouMvkXaB1ajEPeGEAmXIN tlAHSw09yrs8EzSJdk9TZnDQCdN8SHqX7I4tw8oYzmQ+tEQcqsPYptSclThezbf53R 6EZh0ChAHNzjGB73oM5OZkBc/G7P08WpVDCs3+yo3uWqFKih/8GNOkm5v/cIJP9owi uFjt3yRluqgGW75fM0FKb5ugjGGc5Vlch9LFldYpE3rB1ZWv1jJ From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 10/13] docs: set a limit on credential line length Date: Sun, 24 Mar 2024 01:12:58 +0000 Message-ID: <20240324011301.1553072-11-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 We recently introduced a way for credential helpers to add arbitrary state as part of the protocol. Set some limits on line length to avoid helpers passing extremely large amounts of data. While Git doesn't have a fixed parsing length, there are other tools which support this protocol and it's kind to allow them to use a reasonable fixed-size buffer for parsing. In addition, we would like to be moderate in our memory usage and imposing reasonable limits is helpful for that purpose. In the event a credential helper is incapable of storing its serialized state in 64 KiB, it can feel free to serialize it on disk and store a reference instead. Signed-off-by: brian m. carlson --- Documentation/git-credential.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index ef30c89c00..6b7e017066 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -111,7 +111,9 @@ attribute per line. Each attribute is specified by a key-value pair, separated by an `=` (equals) sign, followed by a newline. The key may contain any bytes except `=`, newline, or NUL. The value may -contain any bytes except newline or NUL. +contain any bytes except newline or NUL. A line, including the trailing +newline, may not exceed 65535 bytes in order to allow implementations to +parse efficiently. Attributes with keys that end with C-style array brackets `[]` can have multiple values. Each instance of a multi-valued attribute forms an From patchwork Sun Mar 24 01:12:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600747 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9701A10F4 for ; Sun, 24 Mar 2024 01:13:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; cv=none; b=BFMv7FTVlWdsTzKz1z4jhy9xLMuQM6+QQCIMcS57muieYC7zJYdlIbb2FfyU4PD0iBwEdJgoM4ojlRtQ/ntr8k32tRx4/CtdK4G+vz/qKkkLl/X6f56O38y1FBYayExVnOYndr+9i6E3CnhVMZjmM+TnZ270GiuCNhspau7L+n4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; c=relaxed/simple; bh=OYUDDWVtX0rJQqZYjpAXqg4Jc5rZmv2VJh935Jl/Ws0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tWGX3Juyrtq9qvuBXEePDg8qEmxaFDw86QcKPgoT46IL07bJVqWM6FuUiEN14z+5A8BjkMl/b475fSsV8J9OqXYffVk18AET+i6HrU8CVHjxnPmgIWjwDvK6nRyyU/hlHQVd9dOkre+iklV/TatjkvnDnBzVxd4PJD0DVbuiyfw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=UG6kpjKc; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="UG6kpjKc" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 5B8895D415; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=OYUDDWVtX0rJQqZYjpAXqg4Jc5rZmv2VJh935Jl/Ws0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=UG6kpjKclQEeFn0b0o/Ya7tUAc2l7UCwUWopBbySNWb5jGxRU/Bv9pB9wp5QZK7QL kJujpZecbycSj+OsYTR9SOUOdzUdy1cn+FAkLjA6sirw9GjLszOv72r7DooXkJe7Ji PPQQEgpXUdsYPqxrSjU2u29btfIrVFuSuKGK4HE/cNJA9s7vA0m3zm4mFPxjghdjIw Vb4doHfk5qjth8MzVWh2B2xe11hpj5WwKFCORfjuEEcy83kAtN2dYWXl4gjELb/gWM Z5UZPYS1Zi5EacnpE+QHyIv/6tDHXM6nH2vMsKO6Ar42KEfjlmKNpGwYdd1s5IsWEb SSaumovlk+UhtTHmAutizpWOpeg1AD/QUTrpqLEyrYZMR1hh4vOVoKbAWVRE8hrL/u DYwOT7akZf4w8hMhYUaMgbc7cTbzYlmasMwc+0fwQCChLp6EMQ/7Ap7GUm33jir1Hi fyEuSpxRIKfIhi/Fq3He7gwAh0q/hCd+9EER/zRbBhQMVN0isNq From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 11/13] t5563: refactor for multi-stage authentication Date: Sun, 24 Mar 2024 01:12:59 +0000 Message-ID: <20240324011301.1553072-12-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Some HTTP authentication schemes, such as NTLM- and Kerberos-based options, require more than one round trip to authenticate. Currently, these can only be supported in libcurl, since Git does not have support for this in the credential helper protocol. However, in a future commit, we'll add support for this functionality into the credential helper protocol and Git itself. Because we don't really want to implement either NTLM or Kerberos, both of which are complex protocols, we'll want to test this using a fake credential authentication scheme. In order to do so, update t5563 and its backend to allow us to accept multiple sets of credentials and respond with different behavior in each case. Since we can now provide any number of possible status codes, provide a non-specific reason phrase so we don't have to generate a more specific one based on the response. The reason phrase is mandatory according to the status-line production in RFC 7230, but clients SHOULD ignore it, and curl does (except to print it). Each entry in the authorization and challenge fields contains an ID, which indicates a corresponding credential and response. If the response is a 200 status, then we continue to execute git-http-backend. Otherwise, we print the corresponding status and response. If no ID is matched, we use the default response with a status of 401. Note that there is an implicit order to the parameters. The ID is always first and the creds or response value is always last, and therefore may contain spaces, equals signs, or other arbitrary data. Signed-off-by: brian m. carlson --- t/lib-httpd/nph-custom-auth.sh | 17 ++++-- t/t5563-simple-http-auth.sh | 96 +++++++++++++++++++--------------- 2 files changed, 66 insertions(+), 47 deletions(-) diff --git a/t/lib-httpd/nph-custom-auth.sh b/t/lib-httpd/nph-custom-auth.sh index f5345e775e..d408d2caad 100644 --- a/t/lib-httpd/nph-custom-auth.sh +++ b/t/lib-httpd/nph-custom-auth.sh @@ -19,21 +19,30 @@ CHALLENGE_FILE=custom-auth.challenge # if test -n "$HTTP_AUTHORIZATION" && \ - grep -Fqsx "${HTTP_AUTHORIZATION}" "$VALID_CREDS_FILE" + grep -Fqs "creds=${HTTP_AUTHORIZATION}" "$VALID_CREDS_FILE" then + idno=$(grep -F "creds=${HTTP_AUTHORIZATION}" "$VALID_CREDS_FILE" | sed -e 's/^id=\([a-z0-9-][a-z0-9-]*\) .*$/\1/') + status=$(sed -ne "s/^id=$idno.*status=\\([0-9][0-9][0-9]\\).*\$/\\1/p" "$CHALLENGE_FILE" | head -n1) # Note that although git-http-backend returns a status line, it # does so using a CGI 'Status' header. Because this script is an # No Parsed Headers (NPH) script, we must return a real HTTP # status line. # This is only a test script, so we don't bother to check for # the actual status from git-http-backend and always return 200. - echo 'HTTP/1.1 200 OK' - exec "$GIT_EXEC_PATH"/git-http-backend + echo "HTTP/1.1 $status Nonspecific Reason Phrase" + if test "$status" -eq 200 + then + exec "$GIT_EXEC_PATH"/git-http-backend + else + sed -ne "s/^id=$idno.*response=//p" "$CHALLENGE_FILE" + echo + exit + fi fi echo 'HTTP/1.1 401 Authorization Required' if test -f "$CHALLENGE_FILE" then - cat "$CHALLENGE_FILE" + sed -ne 's/^id=default.*response=//p' "$CHALLENGE_FILE" fi echo diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index b098cd0fdf..515185ae00 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -63,11 +63,12 @@ test_expect_success 'access using basic auth' ' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -100,11 +101,12 @@ test_expect_success 'access using basic auth via authtype' ' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -137,11 +139,12 @@ test_expect_success 'access using basic auth invalid credentials' ' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -174,13 +177,14 @@ test_expect_success 'access using basic auth with extra challenges' ' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: FooBar param1="value1" param2="value2" - WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2" + id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -214,13 +218,14 @@ test_expect_success 'access using basic auth mixed-case wwwauth header name' ' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - www-authenticate: foobar param1="value1" param2="value2" - WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0 - WwW-aUtHeNtIcAtE: baSiC realm="example.com" + id=1 status=200 + id=default response=www-authenticate: foobar param1="value1" param2="value2" + id=default response=WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0 + id=default response=WwW-aUtHeNtIcAtE: baSiC realm="example.com" EOF test_config_global credential.helper test-helper && @@ -254,18 +259,19 @@ test_expect_success 'access using basic auth with wwwauth header continuations' # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF # Note that leading and trailing whitespace is important to correctly # simulate a continuation/folded header. cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: FooBar param1="value1" - param2="value2" - WWW-Authenticate: Bearer authorize_uri="id.example.com" - p=1 - q=0 - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: FooBar param1="value1" + id=default response= param2="value2" + id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" + id=default response= p=1 + id=default response= q=0 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -299,21 +305,22 @@ test_expect_success 'access using basic auth with wwwauth header empty continuat # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && # Note that leading and trailing whitespace is important to correctly # simulate a continuation/folded header. - printf "WWW-Authenticate: FooBar param1=\"value1\"\r\n" >"$CHALLENGE" && - printf " \r\n" >>"$CHALLENGE" && - printf " param2=\"value2\"\r\n" >>"$CHALLENGE" && - printf "WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" && - printf " p=1\r\n" >>"$CHALLENGE" && - printf " \r\n" >>"$CHALLENGE" && - printf " q=0\r\n" >>"$CHALLENGE" && - printf "WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" && + printf "id=1 status=200\n" >"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" && + printf "id=default response= \r\n" >>"$CHALLENGE" && + printf "id=default response= param2=\"value2\"\r\n" >>"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" && + printf "id=default response= p=1\r\n" >>"$CHALLENGE" && + printf "id=default response= \r\n" >>"$CHALLENGE" && + printf "id=default response= q=0\r\n" >>"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" && test_config_global credential.helper test-helper && git ls-remote "$HTTPD_URL/custom_auth/repo.git" && @@ -346,17 +353,18 @@ test_expect_success 'access using basic auth with wwwauth header mixed line-endi # Basic base64(alice:secret-passwd) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== + id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA== EOF CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && # Note that leading and trailing whitespace is important to correctly # simulate a continuation/folded header. - printf "WWW-Authenticate: FooBar param1=\"value1\"\r\n" >"$CHALLENGE" && - printf " \r\n" >>"$CHALLENGE" && - printf "\tparam2=\"value2\"\r\n" >>"$CHALLENGE" && - printf "WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" && + printf "id=1 status=200\n" >"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" && + printf "id=default response= \r\n" >>"$CHALLENGE" && + printf "id=default response=\tparam2=\"value2\"\r\n" >>"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" && test_config_global credential.helper test-helper && git ls-remote "$HTTPD_URL/custom_auth/repo.git" && @@ -389,15 +397,16 @@ test_expect_success 'access using bearer auth' ' # Basic base64(a-git-token) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Bearer YS1naXQtdG9rZW4= + id=1 creds=Bearer YS1naXQtdG9rZW4= EOF CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: FooBar param1="value1" param2="value2" - WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2" + id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && @@ -433,15 +442,16 @@ test_expect_success 'access using bearer auth with invalid credentials' ' # Basic base64(a-git-token) cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && - Bearer YS1naXQtdG9rZW4= + id=1 creds=Bearer YS1naXQtdG9rZW4= EOF CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && - WWW-Authenticate: FooBar param1="value1" param2="value2" - WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 - WWW-Authenticate: Basic realm="example.com" + id=1 status=200 + id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2" + id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + id=default response=WWW-Authenticate: Basic realm="example.com" EOF test_config_global credential.helper test-helper && From patchwork Sun Mar 24 01:13:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600744 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 93CA0ECF for ; Sun, 24 Mar 2024 01:13:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; cv=none; b=rfBG2KS47Ib1EI6qHeJ+o6Znuf+nY7YqM2X0wnn3v0z/dRvCajitSQmII4k6ZNE8Eeza6JDZ2dyep7uh17Dm07TOw7rGGGzDXGbqPwEqivxRyzYnKX97nWslVSXaHZMK0SflqqVbVliVqnT8FEJT5lgPnESwa5aaR2WmRTvCs9Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242795; c=relaxed/simple; bh=nkKd0E37Am2K8HItmwId5mlnNWgfJnJARVeNMIObChc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hIUxD4AZED3QxWIBiNzP3yU7aqxz1H3uGolEFAIkh90pOGUAk3jbMjRySlAUfOXXU6S0BvnZhOicYs8Rk+IpBjWu4qEeO+21Xhc1sWanAI665bEI0I+MCD9hCPpqDVo+SJTLX3h9WcPkuce7gXqLBiEJmfSxjmAk1zIAhiLi/uQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=itSIMOal; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="itSIMOal" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 759875D47E; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=nkKd0E37Am2K8HItmwId5mlnNWgfJnJARVeNMIObChc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=itSIMOal76RtURegA7pY9cLNiVIa8DSlqG0LadWRi1df4TbddV5vCshPJiggS+nt0 PXOqBRCIrgo3Y3Jb00DToMltS6uHKkyNXV3zE6aC007veHU9YsfsHb4H1EHCCIccjF A4aiWgXPAHn4lyCeK+HB3BDfA9VlvCnmL/kG3VPXNwX8iedBsGtl2gGthR/2kR+1Y5 Py+3FMpMNBYI+1PA/rj22Q27j8C+AMDv10GbCn+lT5T/mBh1qmeLDz5wyKms+/tss3 nMIE33sBMrNNAflIJf3EwmN5Iaal7ap6tWvm0XWHQRA06KFLro6rWoKdosihUiOLko tZP0Rjht5twAyDsnXNozGv7HVSSXX/HGvj58EB3zOJzCbTpAitsMqrRkLXd9JyfoAv Z1N72Wj0Z7dOa1ZsCD5Ir3mzsSLdQNLXaNh6OyRqfLqDuTWf1ZGmUT5erCIjE/jfhd E6gAxCQ0ADAo5Q0sbfE0lMIoHBMYvZC0ThRZygnSBBYipOtTgaL From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 12/13] strvec: implement swapping two strvecs Date: Sun, 24 Mar 2024 01:13:00 +0000 Message-ID: <20240324011301.1553072-13-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In a future commit, we'll want the ability to efficiently swap the contents of two strvec instances without needing to copy any data. Since a strvec is simply a pointer and two sizes, swapping them is as simply as copying the two pointers and sizes, so let's do that. We use a temporary here simply because C doesn't provide a standard swapping function, unlike C++ and Rust, but a good optimizing compiler will recognize this syntax and handle it appropriately using an optimization pass. Signed-off-by: brian m. carlson --- strvec.c | 7 +++++++ strvec.h | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/strvec.c b/strvec.c index 178f4f3748..93006f1e63 100644 --- a/strvec.c +++ b/strvec.c @@ -106,3 +106,10 @@ const char **strvec_detach(struct strvec *array) return ret; } } + +void strvec_swap(struct strvec *a, struct strvec *b) +{ + struct strvec t = *a; + *a = *b; + *b = t; +} diff --git a/strvec.h b/strvec.h index 4715d3e51f..5b762532bb 100644 --- a/strvec.h +++ b/strvec.h @@ -88,4 +88,9 @@ void strvec_clear(struct strvec *); */ const char **strvec_detach(struct strvec *); +/** + * Swap the contents of two `strvec` structs without allocating. + */ +void strvec_swap(struct strvec *, struct strvec *); + #endif /* STRVEC_H */ From patchwork Sun Mar 24 01:13:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13600749 Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 959D210E4 for ; Sun, 24 Mar 2024 01:13:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.110.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; cv=none; b=M2zLGGZWd7rxXqMNsjYDPDajfqQpKuAx/wcjBry/Xg60HX8TpoCnCmRBbub/tnh7mrJhf/v43rMAcgRebyPm+uqromvgkgQdDwMg28UUJgKQRMemH57EFTDAdsg2NXHzu3CRsfKBMPZsLTG/2+HQ2I4BckRKi2/GoHCaIZqJWwM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711242796; c=relaxed/simple; bh=4GiDnV0LaH6la5L7Lw4kvVi4mj7/gl9OhOkW9xI51FI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Z0bhwS19aaM41efzw8RwPbqz77rrk65QU0thJNb1R5qdSWNdmC34WX+xMP0wYD1ZYlsCSlyvDsqrWeiugIQIIYa9ezLI/VVYhayOxFoEXkwcWypSEWSjNXbwcZXl2D5gS5OQvwHgtlaBHJyZOpXK0p7sM8M6PAamgT3xa8O6kBI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=Sh2LsDS5; arc=none smtp.client-ip=172.105.110.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="Sh2LsDS5" Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 852005D498; Sun, 24 Mar 2024 01:13:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1711242786; bh=4GiDnV0LaH6la5L7Lw4kvVi4mj7/gl9OhOkW9xI51FI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=Sh2LsDS5zlg6vVWchVZ97GrkSDUAfkLoF7C7N/JyaEVL66RnsTOAjsVBLv3bf3rrL 5WQBQUqclgIFhVhVsAr2O2L6sgHuSZhKzJHouFaB4I6bWC/SQddfg2BVdAmwaOdvPB H/v3lgO10KMfMyrdKbk9p6OEgClx/cjhBbFLQ8yWXHkX46R5Exsebe25RiMgBQgeQt 6uk+Pjy1nLb4WFU1szXtScT0oLe1u5AJRBOsFWXQxJAfSMxQE47wXgQphTyZRV5v4l X7ES/3fK1JRKXPj9XjjPshzXRKXTg6YVRl3TfQRws1mAdFVofeU20FxGg1buGpE51w 7nZw+kcj3aJy710C+WB+IxlpdpiUA/kUM7QZ32emtlXoJwZHMLUZWoAJcl6cRk2/XZ 7UQkDq5Gk2gYMrD1FtIhbJhEYr12uxkx1+874FIIykJDrIbNzYTHoXPFkoy7XJruWu FtQYB7e577Yg95ptX7+dL9691c3TI3D8/0y1FMfdyTmLLyi8tA5 From: "brian m. carlson" To: Cc: Junio C Hamano , Matthew John Cheetham , M Hickford Subject: [PATCH 13/13] credential: add support for multistage credential rounds Date: Sun, 24 Mar 2024 01:13:01 +0000 Message-ID: <20240324011301.1553072-14-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.43.0.381.gb435a96ce8 In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net> References: <20240324011301.1553072-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Over HTTP, NTLM and Kerberos require two rounds of authentication on the client side. It's possible that there are custom authentication schemes that also implement this same approach. Since these are tricky schemes to implement and the HTTP library in use may not always handle them gracefully on all systems, it would be helpful to allow the credential helper to implement them instead for increased portability and robustness. To allow this to happen, add a boolean flag, continue, that indicates that instead of failing when we get a 401, we should retry another round of authentication. However, this necessitates some changes in our current credential code so that we can make this work. Keep the state[] headers between iterations, but only use them to send to the helper and only consider the new ones we read from the credential helper to be valid on subsequent iterations. That avoids us passing stale data when we finally approve or reject the credential. Similarly, clear the multistage and wwwauth[] values appropriately so that we don't pass stale data or think we're trying a multiround response when we're not. Remove the credential values so that we can actually fill a second time with new responses. Limit the number of iterations of reauthentication we do to 3. This means that if there's a problem, we'll terminate with an error message instead of retrying indefinitely and not informing the user (and possibly conducting a DoS on the server). In our tests, handle creating multiple response output files from our helper so we can verify that each of the messages sent is correct. Signed-off-by: brian m. carlson --- Documentation/git-credential.txt | 16 +++++- builtin/credential.c | 1 + credential.c | 32 ++++++++++-- credential.h | 27 +++++++++- http.c | 59 +++++++++++---------- t/t5563-simple-http-auth.sh | 89 ++++++++++++++++++++++++++++++-- 6 files changed, 187 insertions(+), 37 deletions(-) diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index 6b7e017066..160dee5c6a 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -207,6 +207,19 @@ provided on input. This value should not be sent unless the appropriate capability (see below) is provided on input. +`continue`:: + This is a boolean value, which, if enabled, indicates that this + authentication is a non-final part of a multistage authentication step. This + is common in protocols such as NTLM and Kerberos, where two rounds of client + authentication are required, and setting this flag allows the credential + helper to implement the multistage authentication step. This flag should + only be sent if a further stage is required; that is, if another round of + authentication is expected. ++ +This value should not be sent unless the appropriate capability (see below) is +provided on input. This attribute is 'one-way' from a credential helper to +pass information to Git (or other programs invoking `git credential`). + `wwwauth[]`:: When an HTTP response is received by Git that includes one or more @@ -225,7 +238,8 @@ to pass additional information to credential helpers. + There are two currently supported capabilities. The first is `authtype`, which indicates that the `authtype` and `credential` values are understood. The -second is `state`, which indicates that the `state[]` value is understood. +second is `state`, which indicates that the `state[]` and `continue` values are +understood. It is not obligatory to use the additional features just because the capability is supported, but they should not be provided without this capability. diff --git a/builtin/credential.c b/builtin/credential.c index 5123dabcf1..f14d1b5ed6 100644 --- a/builtin/credential.c +++ b/builtin/credential.c @@ -22,6 +22,7 @@ int cmd_credential(int argc, const char **argv, const char *prefix UNUSED) if (!strcmp(op, "fill")) { credential_fill(&c, 0); + credential_next_state(&c); credential_write(&c, stdout, CREDENTIAL_OP_RESPONSE); } else if (!strcmp(op, "approve")) { credential_approve(&c); diff --git a/credential.c b/credential.c index 0ca7c12895..9a08efe113 100644 --- a/credential.c +++ b/credential.c @@ -31,10 +31,23 @@ void credential_clear(struct credential *c) string_list_clear(&c->helpers, 0); strvec_clear(&c->wwwauth_headers); strvec_clear(&c->state_headers); + strvec_clear(&c->state_headers_to_send); credential_init(c); } +void credential_next_state(struct credential *c) +{ + strvec_clear(&c->state_headers_to_send); + strvec_swap(&c->state_headers, &c->state_headers_to_send); +} + +void credential_clear_secrets(struct credential *c) +{ + FREE_AND_NULL(c->password); + FREE_AND_NULL(c->credential); +} + static void credential_set_all_capabilities(struct credential *c) { c->capa_authtype.request_initial = 1; @@ -295,6 +308,8 @@ int credential_read(struct credential *c, FILE *fp, int op_type) credential_set_capability(&c->capa_authtype, op_type); else if (!strcmp(value, "state")) credential_set_capability(&c->capa_state, op_type); + } else if (!strcmp(key, "continue")) { + c->multistage = !!git_config_bool("continue", value); } else if (!strcmp(key, "password_expiry_utc")) { errno = 0; c->password_expiry_utc = parse_timestamp(value, NULL, 10); @@ -359,8 +374,10 @@ void credential_write(const struct credential *c, FILE *fp, int op_type) for (size_t i = 0; i < c->wwwauth_headers.nr; i++) credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0); if (credential_has_capability(&c->capa_state, op_type)) { - for (size_t i = 0; i < c->state_headers.nr; i++) - credential_write_item(fp, "state[]", c->state_headers.v[i], 0); + if (c->multistage) + credential_write_item(fp, "continue", "1", 0); + for (size_t i = 0; i < c->state_headers_to_send.nr; i++) + credential_write_item(fp, "state[]", c->state_headers_to_send.v[i], 0); } } @@ -431,6 +448,9 @@ void credential_fill(struct credential *c, int all_capabilities) if ((c->username && c->password) || c->credential) return; + credential_next_state(c); + c->multistage = 0; + credential_apply_config(c); if (all_capabilities) credential_set_all_capabilities(c); @@ -443,8 +463,10 @@ void credential_fill(struct credential *c, int all_capabilities) /* Reset expiry to maintain consistency */ c->password_expiry_utc = TIME_MAX; } - if ((c->username && c->password) || c->credential) + if ((c->username && c->password) || c->credential) { + strvec_clear(&c->wwwauth_headers); return; + } if (c->quit) die("credential helper '%s' told us to quit", c->helpers.items[i].string); @@ -464,6 +486,8 @@ void credential_approve(struct credential *c) if (((!c->username || !c->password) && !c->credential) || c->password_expiry_utc < time(NULL)) return; + credential_next_state(c); + credential_apply_config(c); for (i = 0; i < c->helpers.nr; i++) @@ -475,6 +499,8 @@ void credential_reject(struct credential *c) { int i; + credential_next_state(c); + credential_apply_config(c); for (i = 0; i < c->helpers.nr; i++) diff --git a/credential.h b/credential.h index e2021455fe..adb1fc370a 100644 --- a/credential.h +++ b/credential.h @@ -143,10 +143,15 @@ struct credential { struct strvec wwwauth_headers; /** - * A `strvec` of state headers from credential helpers. + * A `strvec` of state headers received from credential helpers. */ struct strvec state_headers; + /** + * A `strvec` of state headers to send to credential helpers. + */ + struct strvec state_headers_to_send; + /** * Internal use only. Keeps track of if we previously matched against a * WWW-Authenticate header line in order to re-fold future continuation @@ -156,6 +161,7 @@ struct credential { unsigned approved:1, configured:1, + multistage: 1, quit:1, use_http_path:1, username_from_proto:1; @@ -184,6 +190,7 @@ struct credential { .password_expiry_utc = TIME_MAX, \ .wwwauth_headers = STRVEC_INIT, \ .state_headers = STRVEC_INIT, \ + .state_headers_to_send = STRVEC_INIT, \ } /* Initialize a credential structure, setting all fields to empty. */ @@ -229,6 +236,24 @@ void credential_approve(struct credential *); */ void credential_reject(struct credential *); +/** + * Clear the secrets in this credential, but leave other data intact. + * + * This is useful for resetting credentials in preparation for a subsequent + * stage of filling. + */ +void credential_clear_secrets(struct credential *c); + +/** + * Prepares the credential for the next iteration of the helper protocol by + * updating the state headers to send with the ones read by the last iteration + * of the protocol. + * + * Except for internal callers, this should be called exactly once between + * reading credentials with `credential_fill` and writing them. + */ +void credential_next_state(struct credential *c); + int credential_read(struct credential *, FILE *, int); void credential_write(const struct credential *, FILE *, int); diff --git a/http.c b/http.c index f98c520924..9d373c6460 100644 --- a/http.c +++ b/http.c @@ -1781,6 +1781,10 @@ static int handle_curl_result(struct slot_results *results) else if (results->http_code == 401) { if ((http_auth.username && http_auth.password) ||\ (http_auth.authtype && http_auth.credential)) { + if (http_auth.multistage) { + credential_clear_secrets(&http_auth); + return HTTP_REAUTH; + } credential_reject(&http_auth); return HTTP_NOAUTH; } else { @@ -2178,6 +2182,7 @@ static int http_request_reauth(const char *url, void *result, int target, struct http_get_options *options) { + int i = 3; int ret = http_request(url, result, target, options); if (ret != HTTP_OK && ret != HTTP_REAUTH) @@ -2191,35 +2196,35 @@ static int http_request_reauth(const char *url, } } - if (ret != HTTP_REAUTH) - return ret; + while (ret == HTTP_REAUTH && --i) { + /* + * The previous request may have put cruft into our output stream; we + * should clear it out before making our next request. + */ + switch (target) { + case HTTP_REQUEST_STRBUF: + strbuf_reset(result); + break; + case HTTP_REQUEST_FILE: + if (fflush(result)) { + error_errno("unable to flush a file"); + return HTTP_START_FAILED; + } + rewind(result); + if (ftruncate(fileno(result), 0) < 0) { + error_errno("unable to truncate a file"); + return HTTP_START_FAILED; + } + break; + default: + BUG("Unknown http_request target"); + } - /* - * The previous request may have put cruft into our output stream; we - * should clear it out before making our next request. - */ - switch (target) { - case HTTP_REQUEST_STRBUF: - strbuf_reset(result); - break; - case HTTP_REQUEST_FILE: - if (fflush(result)) { - error_errno("unable to flush a file"); - return HTTP_START_FAILED; - } - rewind(result); - if (ftruncate(fileno(result), 0) < 0) { - error_errno("unable to truncate a file"); - return HTTP_START_FAILED; - } - break; - default: - BUG("Unknown http_request target"); + credential_fill(&http_auth, 1); + + ret = http_request(url, result, target, options); } - - credential_fill(&http_auth, 1); - - return http_request(url, result, target, options); + return ret; } int http_get_strbuf(const char *url, diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index 515185ae00..5d5caa3f58 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -21,9 +21,17 @@ test_expect_success 'setup_credential_helper' ' CREDENTIAL_HELPER="$TRASH_DIRECTORY/bin/git-credential-test-helper" && write_script "$CREDENTIAL_HELPER" <<-\EOF cmd=$1 - teefile=$cmd-query.cred + teefile=$cmd-query-temp.cred catfile=$cmd-reply.cred sed -n -e "/^$/q" -e "p" >>$teefile + state=$(sed -ne "s/^state\[\]=helper://p" "$teefile") + if test -z "$state" + then + mv "$teefile" "$cmd-query.cred" + else + mv "$teefile" "$cmd-query-$state.cred" + catfile="$cmd-reply-$state.cred" + fi if test "$cmd" = "get" then cat $catfile @@ -32,13 +40,15 @@ test_expect_success 'setup_credential_helper' ' ' set_credential_reply () { - cat >"$TRASH_DIRECTORY/$1-reply.cred" + local suffix="$(test -n "$2" && echo "-$2")" + cat >"$TRASH_DIRECTORY/$1-reply$suffix.cred" } expect_credential_query () { - cat >"$TRASH_DIRECTORY/$1-expect.cred" && - test_cmp "$TRASH_DIRECTORY/$1-expect.cred" \ - "$TRASH_DIRECTORY/$1-query.cred" + local suffix="$(test -n "$2" && echo "-$2")" + cat >"$TRASH_DIRECTORY/$1-expect$suffix.cred" && + test_cmp "$TRASH_DIRECTORY/$1-expect$suffix.cred" \ + "$TRASH_DIRECTORY/$1-query$suffix.cred" } per_test_cleanup () { @@ -479,4 +489,73 @@ test_expect_success 'access using bearer auth with invalid credentials' ' EOF ' +test_expect_success 'access using three-legged auth' ' + test_when_finished "per_test_cleanup" && + + set_credential_reply get <<-EOF && + capability[]=authtype + capability[]=state + authtype=Multistage + credential=YS1naXQtdG9rZW4= + state[]=helper:foobar + continue=1 + EOF + + set_credential_reply get foobar <<-EOF && + capability[]=authtype + capability[]=state + authtype=Multistage + credential=YW5vdGhlci10b2tlbg== + state[]=helper:bazquux + EOF + + cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF && + id=1 creds=Multistage YS1naXQtdG9rZW4= + id=2 creds=Multistage YW5vdGhlci10b2tlbg== + EOF + + CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" && + + cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF && + id=1 status=401 response=WWW-Authenticate: Multistage challenge="456" + id=1 status=401 response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + id=2 status=200 + id=default response=WWW-Authenticate: Multistage challenge="123" + id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0 + EOF + + test_config_global credential.helper test-helper && + git ls-remote "$HTTPD_URL/custom_auth/repo.git" && + + expect_credential_query get <<-EOF && + capability[]=authtype + capability[]=state + protocol=http + host=$HTTPD_DEST + wwwauth[]=Multistage challenge="123" + wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0 + EOF + + expect_credential_query get foobar <<-EOF && + capability[]=authtype + capability[]=state + authtype=Multistage + protocol=http + host=$HTTPD_DEST + wwwauth[]=Multistage challenge="456" + wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0 + state[]=helper:foobar + EOF + + expect_credential_query store bazquux <<-EOF + capability[]=authtype + capability[]=state + authtype=Multistage + credential=YW5vdGhlci10b2tlbg== + protocol=http + host=$HTTPD_DEST + state[]=helper:bazquux + EOF +' + test_done