From: Aaron Plattner <aplattner@nvidia.com>
To: <git@vger.kernel.org>
Cc: Aaron Plattner <aplattner@nvidia.com>,
Rahul Rameshbabu <rrameshbabu@nvidia.com>
Subject: [PATCH] credential: clear expired c->credential in addition to c->password
Date: Tue, 4 Jun 2024 11:02:20 -0700 [thread overview]
Message-ID: <20240604180224.1484537-1-aplattner@nvidia.com> (raw)
When a struct credential expires, credential_fill() clears c->password
so that clients don't try to use it later. However, a struct cred that
uses an alternate authtype won't have a password, but might have a
credential stored in c->credential. Clear that too.
This is a problem, for example, when an OAuth2 bearer token is used. In
the system I'm using, the OAuth2 configuration generates and caches a
bearer token that is valid for an hour. After the token expires, git
needs to call back into the credential helper to use a stored refresh
token to get a new bearer token. But if c->credential is still non-NULL,
git will instead try to use the expired token and fail with an error:
fatal: Authentication failed for 'https://<oauth2-enabled-server>/repository'
And on the server:
[auth_openidc:error] [client <ip>:34012] oidc_proto_validate_exp: "exp" validation failure (1717522989): JWT expired 224 seconds ago
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
---
credential.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/credential.c b/credential.c
index 758528b291..38b51e11cb 100644
--- a/credential.c
+++ b/credential.c
@@ -480,8 +480,9 @@ void credential_fill(struct credential *c, int all_capabilities)
for (i = 0; i < c->helpers.nr; i++) {
credential_do(c, c->helpers.items[i].string, "get");
if (c->password_expiry_utc < time(NULL)) {
- /* Discard expired password */
+ /* Discard expired credentials */
FREE_AND_NULL(c->password);
+ FREE_AND_NULL(c->credential);
/* Reset expiry to maintain consistency */
c->password_expiry_utc = TIME_MAX;
}
--
2.45.2.409.g7b0defb391
next reply other threads:[~2024-06-04 18:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-04 18:02 Aaron Plattner [this message]
2024-06-04 18:24 ` [PATCH] credential: clear expired c->credential in addition to c->password Junio C Hamano
2024-06-04 18:51 ` Aaron Plattner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240604180224.1484537-1-aplattner@nvidia.com \
--to=aplattner@nvidia.com \
--cc=git@vger.kernel.org \
--cc=rrameshbabu@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox