Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

credential-cache: respect request capabilities #1842

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

hickford
Copy link

@hickford hickford commented Dec 20, 2024

CC: [email protected]
CC: [email protected]

Patch v5 adds details to the commit message

Copy link

gitgitgadget bot commented Dec 20, 2024

There are issues in commit 945b5c5:
credential-cache: respect request capabilities
Commit not signed off

@hickford
Copy link
Author

/submit

Copy link

gitgitgadget bot commented Dec 20, 2024

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1842/hickford/cache-capability-v1

To fetch this version to local tag pr-1842/hickford/cache-capability-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1842/hickford/cache-capability-v1

Copy link

gitgitgadget bot commented Jan 6, 2025

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1842/hickford/cache-capability-v2

To fetch this version to local tag pr-1842/hickford/cache-capability-v2:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1842/hickford/cache-capability-v2

Copy link

gitgitgadget bot commented Jan 6, 2025

On the Git mailing list, "brian m. carlson" wrote (reply to this):

On 2025-01-06 at 19:52:11, M Hickford via GitGitGadget wrote:
> From: M Hickford <[email protected]>
> 
> Previously, credential-cache responded with capability[]=authtype
> regardless of request.

That's the correct behaviour.

> The capabilities in a credential helper response should be a subset of
> the capabilities in the request.

No, it should not.  Otherwise, it's impossible for Git to know whether
the helper does or does not support the capability.  We rely on that
information to correctly pass data back when saving data.

> diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
> index bc22f5c6d24..692216cf83c 100644
> --- a/builtin/credential-cache--daemon.c
> +++ b/builtin/credential-cache--daemon.c
> @@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
>  	else if (!strcmp(action.buf, "get")) {
>  		struct credential_cache_entry *e = lookup_credential(&c);
>  		if (e) {
> -			e->item.capa_authtype.request_initial = 1;
> -			e->item.capa_authtype.request_helper = 1;
> -
> -			fprintf(out, "capability[]=authtype\n");
> +			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
> +				fprintf(out, "capability[]=authtype\n");
> +			}

This part is not correct.

>  			if (e->item.username)
>  				fprintf(out, "username=%s\n", e->item.username);
>  			if (e->item.password)
>  				fprintf(out, "password=%s\n", e->item.password);
> -			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
> +			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
>  				fprintf(out, "authtype=%s\n", e->item.authtype);
> -			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
> +			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)

This part may very well be correct.

>  				fprintf(out, "credential=%s\n", e->item.credential);
>  			if (e->item.password_expiry_utc != TIME_MAX)
>  				fprintf(out, "password_expiry_utc=%"PRItime"\n",
> diff --git a/t/lib-credential.sh b/t/lib-credential.sh
> index 58b9c740605..324ecc792d5 100644
> --- a/t/lib-credential.sh
> +++ b/t/lib-credential.sh
> @@ -566,6 +566,21 @@ helper_test_authtype() {
>  		EOF
>  	'
>  
> +	test_expect_success "helper ($HELPER) get authtype only if request has authtype capability" '
> +		check fill $HELPER <<-\EOF
> +		protocol=https
> +		host=git.example.com
> +		--
> +		protocol=https
> +		host=git.example.com
> +		username=askpass-username
> +		password=askpass-password
> +		--
> +		askpass: Username for '\''https://git.example.com'\'':
> +		askpass: Password for '\''https://[email protected]'\'':
> +		EOF
> +	'
> +
>  	test_expect_success "helper ($HELPER) stores authtype and credential with username" '
>  		check approve $HELPER <<-\EOF
>  		capability[]=authtype
> 
> base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f
> -- 
> gitgitgadget

-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA

Copy link

gitgitgadget bot commented Jan 6, 2025

On the Git mailing list, M Hickford wrote (reply to this):

On Mon, 6 Jan 2025 at 22:32, brian m. carlson
<[email protected]> wrote:
>
> On 2025-01-06 at 19:52:11, M Hickford via GitGitGadget wrote:
> > From: M Hickford <[email protected]>
> >
> > Previously, credential-cache responded with capability[]=authtype
> > regardless of request.
>
> That's the correct behaviour.
>
> > The capabilities in a credential helper response should be a subset of
> > the capabilities in the request.
>
> No, it should not.  Otherwise, it's impossible for Git to know whether
> the helper does or does not support the capability.  We rely on that
> information to correctly pass data back when saving data.
>
> > diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
> > index bc22f5c6d24..692216cf83c 100644
> > --- a/builtin/credential-cache--daemon.c
> > +++ b/builtin/credential-cache--daemon.c
> > @@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
> >       else if (!strcmp(action.buf, "get")) {
> >               struct credential_cache_entry *e = lookup_credential(&c);
> >               if (e) {
> > -                     e->item.capa_authtype.request_initial = 1;
> > -                     e->item.capa_authtype.request_helper = 1;
> > -
> > -                     fprintf(out, "capability[]=authtype\n");
> > +                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
> > +                             fprintf(out, "capability[]=authtype\n");
> > +                     }
>
> This part is not correct.

Thanks for the review. I'll revert this part and amend the commit message.

>
> >                       if (e->item.username)
> >                               fprintf(out, "username=%s\n", e->item.username);
> >                       if (e->item.password)
> >                               fprintf(out, "password=%s\n", e->item.password);
> > -                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
> > +                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
> >                               fprintf(out, "authtype=%s\n", e->item.authtype);
> > -                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
> > +                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
>
> This part may very well be correct.
>
> >                               fprintf(out, "credential=%s\n", e->item.credential);
> >                       if (e->item.password_expiry_utc != TIME_MAX)
> >                               fprintf(out, "password_expiry_utc=%"PRItime"\n",
> > diff --git a/t/lib-credential.sh b/t/lib-credential.sh
> > index 58b9c740605..324ecc792d5 100644
> > --- a/t/lib-credential.sh
> > +++ b/t/lib-credential.sh
> > @@ -566,6 +566,21 @@ helper_test_authtype() {
> >               EOF
> >       '
> >
> > +     test_expect_success "helper ($HELPER) get authtype only if request has authtype capability" '
> > +             check fill $HELPER <<-\EOF
> > +             protocol=https
> > +             host=git.example.com
> > +             --
> > +             protocol=https
> > +             host=git.example.com
> > +             username=askpass-username
> > +             password=askpass-password
> > +             --
> > +             askpass: Username for '\''https://git.example.com'\'':
> > +             askpass: Password for '\''https://[email protected]'\'':
> > +             EOF
> > +     '
> > +
> >       test_expect_success "helper ($HELPER) stores authtype and credential with username" '
> >               check approve $HELPER <<-\EOF
> >               capability[]=authtype
> >
> > base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f
> > --
> > gitgitgadget
>
> --
> brian m. carlson (they/them or he/him)
> Toronto, Ontario, CA

Copy link

gitgitgadget bot commented Jan 6, 2025

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1842/hickford/cache-capability-v3

To fetch this version to local tag pr-1842/hickford/cache-capability-v3:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1842/hickford/cache-capability-v3

Copy link

gitgitgadget bot commented Jan 6, 2025

On the Git mailing list, "brian m. carlson" wrote (reply to this):

On 2025-01-06 at 22:57:06, M Hickford wrote:
> On Mon, 6 Jan 2025 at 22:32, brian m. carlson
> <[email protected]> wrote:
> >
> > On 2025-01-06 at 19:52:11, M Hickford via GitGitGadget wrote:
> > > From: M Hickford <[email protected]>
> > > diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
> > > index bc22f5c6d24..692216cf83c 100644
> > > --- a/builtin/credential-cache--daemon.c
> > > +++ b/builtin/credential-cache--daemon.c
> > > @@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
> > >       else if (!strcmp(action.buf, "get")) {
> > >               struct credential_cache_entry *e = lookup_credential(&c);
> > >               if (e) {
> > > -                     e->item.capa_authtype.request_initial = 1;
> > > -                     e->item.capa_authtype.request_helper = 1;
> > > -
> > > -                     fprintf(out, "capability[]=authtype\n");
> > > +                     if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
> > > +                             fprintf(out, "capability[]=authtype\n");
> > > +                     }
> >
> > This part is not correct.
> 
> Thanks for the review. I'll revert this part and amend the commit message.

I applied this without that change and it does still pass the test,
which I think is good and shows that can be omitted.  If I have some
time, I may send a follow-up patch to add some additional tests.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA

Copy link

gitgitgadget bot commented Jan 7, 2025

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1842/hickford/cache-capability-v4

To fetch this version to local tag pr-1842/hickford/cache-capability-v4:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1842/hickford/cache-capability-v4

Copy link

gitgitgadget bot commented Jan 8, 2025

On the Git mailing list, Junio C Hamano wrote (reply to this):

"M Hickford via GitGitGadget" <[email protected]> writes:

> From: M Hickford <[email protected]>
>
> Previously, credential-cache populated authtype regardless of request.

OK, that may be a correct statement of the fact, but it does not
tell readers any of the following:

 - If it is a bad thing to populate authtype regardless of request,
   and if so why?

 - What is the (negative) consequence of doing so, if any?  What
   breaks because it populates authtype regardless of request?

 - What is the remedy?  Instead of unconditionally populating the
   authtype, how does the new code decide when to populate it and
   with what value?

 - Can there be downsides of fixing this?  Are there use cases where
   this unconditional population of authtype was relied upon?

 - Where did the bug come from and what is its fix?  We used to look
   at OP_HELPER to decide when to emit authtype, but the updated
   code checks OP_RESPONSE, which readers can see in the patch.

   It would be nice if the proposed log message helped them by
   briefly explaining their differences, for example.

which would help future "git log" readers what this fix was about.

Will queue for now, but the log message would want to be a bit more
helpful to the readers.

Thanks.

> Signed-off-by: M Hickford <[email protected]>
> ---
>     credential-cache: respect request capabilities
>     
>     CC: [email protected]
>     
>     Patch v4 fixes test
>
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1842%2Fhickford%2Fcache-capability-v4
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1842/hickford/cache-capability-v4
> Pull-Request: https://github.com/gitgitgadget/git/pull/1842
>
> Range-diff vs v3:
>
>  1:  e9851c5c4ac ! 1:  23942f9fa47 credential-cache: respect request capabilities
>      @@ t/lib-credential.sh: helper_test_authtype() {
>       +		protocol=https
>       +		host=git.example.com
>       +		--
>      -+		capability[]=authtype
>       +		protocol=https
>       +		host=git.example.com
>       +		username=askpass-username
>
>
>  builtin/credential-cache--daemon.c |  4 ++--
>  t/lib-credential.sh                | 15 +++++++++++++++
>  2 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
> index bc22f5c6d24..e707618e743 100644
> --- a/builtin/credential-cache--daemon.c
> +++ b/builtin/credential-cache--daemon.c
> @@ -142,9 +142,9 @@ static void serve_one_client(FILE *in, FILE *out)
>  				fprintf(out, "username=%s\n", e->item.username);
>  			if (e->item.password)
>  				fprintf(out, "password=%s\n", e->item.password);
> -			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
> +			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
>  				fprintf(out, "authtype=%s\n", e->item.authtype);
> -			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
> +			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
>  				fprintf(out, "credential=%s\n", e->item.credential);
>  			if (e->item.password_expiry_utc != TIME_MAX)
>  				fprintf(out, "password_expiry_utc=%"PRItime"\n",
> diff --git a/t/lib-credential.sh b/t/lib-credential.sh
> index 58b9c740605..cc6bf9aa5f3 100644
> --- a/t/lib-credential.sh
> +++ b/t/lib-credential.sh
> @@ -566,6 +566,21 @@ helper_test_authtype() {
>  		EOF
>  	'
>  
> +	test_expect_success "helper ($HELPER) gets authtype and credential only if request has authtype capability" '
> +		check fill $HELPER <<-\EOF
> +		protocol=https
> +		host=git.example.com
> +		--
> +		protocol=https
> +		host=git.example.com
> +		username=askpass-username
> +		password=askpass-password
> +		--
> +		askpass: Username for '\''https://git.example.com'\'':
> +		askpass: Password for '\''https://[email protected]'\'':
> +		EOF
> +	'
> +
>  	test_expect_success "helper ($HELPER) stores authtype and credential with username" '
>  		check approve $HELPER <<-\EOF
>  		capability[]=authtype
>
> base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f

Copy link

gitgitgadget bot commented Jan 8, 2025

This patch series was integrated into seen via git@d970fe7.

@gitgitgadget gitgitgadget bot added the seen label Jan 8, 2025
Copy link

gitgitgadget bot commented Jan 8, 2025

This patch series was integrated into seen via git@485116e.

Previously, credential-cache populated authtype regardless whether
"get" request had authtype capability. As documented in
git-credential.txt, authtype "should not be sent unless the appropriate
capability ... is provided".

Add test. Without this change, the test failed because "credential fill"
printed an incomplete credential with only protocol and host attributes
(the unexpected authtype attribute was discarded by credential.c).

Signed-off-by: M Hickford <[email protected]>
@hickford
Copy link
Author

hickford commented Jan 9, 2025

/submit

Copy link

gitgitgadget bot commented Jan 9, 2025

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1842/hickford/cache-capability-v5

To fetch this version to local tag pr-1842/hickford/cache-capability-v5:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1842/hickford/cache-capability-v5

Copy link

gitgitgadget bot commented Jan 9, 2025

This branch is now known as mh/credential-cache-authtype-request-fix.

Copy link

gitgitgadget bot commented Jan 9, 2025

This patch series was integrated into seen via git@5160d3a.

Copy link

gitgitgadget bot commented Jan 10, 2025

This patch series was integrated into seen via git@15ef9d2.

Copy link

gitgitgadget bot commented Jan 10, 2025

This patch series was integrated into seen via git@1ca2557.

Copy link

gitgitgadget bot commented Jan 10, 2025

This patch series was integrated into seen via git@062b28a.

Copy link

gitgitgadget bot commented Jan 10, 2025

This patch series was integrated into seen via git@cf184fa.

Copy link

gitgitgadget bot commented Jan 10, 2025

There was a status update in the "New Topics" section about the branch mh/credential-cache-authtype-request-fix on the Git mailing list:

The "cache" credential back-end did not handle authtype correctly,
which has been corrected.
source: <[email protected]>

Copy link

gitgitgadget bot commented Jan 11, 2025

This patch series was integrated into seen via git@6526132.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant