[PATCH v2] Add a credential-helper for KDE

["Lukas Sandström" <luksan@gmail.com>]

This Python script plugs into the credentials API
of Git to ask the user for passwords with a nice
KDE password dialog.

The password is saved in the KWallet.

Signed-off-by: Lukas Sandström <luksan@gmail.com>
---

On 2011-08-31 03:42, Jeff King wrote:
> Can we call it git-credential-kdewallet or similar? Then users can just
> do:
> 
>   git config credential.helper kdewallet
> 
> (where "kdewallet" can be whatever you think is most appropriate; the
> key is naming it git-credential-*).

Done.

[...]

> If I am reading this correctly, you look up based purely on the context
> token. Which means that if I do something like this:
> 
>   $ git push https://host.com/repo.git
>   [enter username: user1, password: foo]
>   $ git push https://user2@host.com/other-repo.git
> 
> We will invoke the helper as:
> 
>   git credential-kdewallet --unique=https:host.com --username=user2
> 
> but the helper will ignore the "user2" bit, and return "user1 / foo".
> 
> The "cache" helper I wrote handles this situation better, by indexing
> both on the token and the username. I wonder if the username should
> become part of the token. Or if the token should really just become a
> canonicalized URL, minus the actual path. So the first one would get:
> 
>   --unique=https://host.com
> 
> and the second would get:
> 
>   --unique=https://user2@host.com
> 
> Then helpers wouldn't need to worry about doing anything special.
> 
> What do you think? Also, any comments in general on writing a helper?
> You are the first one besides me to do so. Did you find anything in the
> interface or the documentation confusing? Suggestions are very welcome,
> as nothing has been released yet and we're free to tweak as much as we
> want.
> 
> -Peff

Right. Multiple usernames per "unique" context is supported in this version.
I looked at the git-credential-storage helper when I wrote the first patch,
which didn't have obvious support for multiple usernames per unique context.

Keeping the username outside the token is probably a good thing, but perhaps it
should be clarified in the api-docs that multiple usernames has to be supported.

Also; what about rejecting credentials. This code currently deletes just a 
username/password pair if a username is specified, and all credentials associated
with the token if only --unique and --reject is specified. Is this correct/expected
behavior?

When I first wrote the helper I tried to immediately ask for a new password if a
credential was rejected, but this didn't work with the HTTP auth code, since it
doesn't retry the auth with the new credentials after a reject. I think it would
be better if we asked for a new password instead of just saying "auth failed" and 
having the user retry the fetch/pull when the stored credentials are incorrect.

/Lkas

 .../git-credential-kdewallet.py                    |  137 ++++++++++++++++++++
 1 files changed, 137 insertions(+), 0 deletions(-)
 create mode 100755 contrib/git-credential-kdewallet/git-credential-kdewallet.py

diff --git a/contrib/git-credential-kdewallet/git-credential-kdewallet.py b/contrib/git-credential-kdewallet/git-credential-kdewallet.py
new file mode 100755
index 0000000..29c4ae1
--- /dev/null
+++ b/contrib/git-credential-kdewallet/git-credential-kdewallet.py
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+# encoding=utf-8
+#
+# Copyright 2011, Lukas Sandström
+#
+# Licensed under the GPL version 2.
+
+import sys
+from PyQt4.QtCore import QString
+from PyKDE4.kdecore import i18n, ki18n, KAboutData, KCmdLineArgs, KCmdLineOptions
+from PyKDE4.kdeui import KApplication, KWallet, KPasswordDialog
+
+appName     = "git-credential-kdewallet"
+catalog     = ""
+programName = ki18n ("Git KDE credentials helper")
+version     = "0.1"
+description = ki18n ("Credentials storage helper for Git")
+license     = KAboutData.License_GPL_V2
+copyright   = ki18n ("(c) 2011 Lukas Sandström")
+text        = ki18n ("none")
+homePage    = "http://www.git-scm.com"
+bugEmail    = "luksan@gmail.com"
+
+aboutData   = KAboutData (appName, catalog, programName, version, description,
+                          license, copyright, text, homePage, bugEmail)
+
+class CredentialHelper(KApplication):
+    def __init__(self, token, username = None, desc = None, reject = False):
+        super(CredentialHelper, self).__init__()
+        self.password = None
+        self.username = username
+        self.save_password = False
+        self.token = token
+        self.desc = desc
+
+        if not self.token:
+            return
+
+        self.open_wallet()
+
+        if reject:
+            self.reject_credential()
+            return
+
+        if not self.check_wallet():
+            self.ask_password_dialog()
+
+        if self.save_password:
+            self.store_password()
+
+        self.output_credentials()
+
+    def output_credentials(self):
+        if self.username:
+            print "username=" + self.username
+        if self.password:
+            print "password=" + self.password
+
+    def reject_credential(self):
+        (res, data) = self.wallet.readMap(self.token)
+        if self.username:
+            try:
+                del data[QString(self.username)]
+            except KeyError:
+                pass
+            self.wallet.writeMap(self.token, data)
+        else:
+            self.wallet.removeEntry(self.token)
+
+    def store_password(self):
+        (res, data) = self.wallet.readMap(self.token)
+        data[QString(self.username)] = QString(self.password)
+        self.wallet.writeMap(QString(self.token), data)
+
+    def open_wallet(self):
+        self.wallet = KWallet.Wallet.openWallet(
+            KWallet.Wallet.LocalWallet(), 0, KWallet.Wallet.Synchronous)
+        if not self.wallet.isOpen():
+            return None
+        if not self.wallet.hasFolder("GitCredentials"):
+            self.wallet.createFolder("GitCredentials")
+        self.wallet.setFolder("GitCredentials")
+
+    def check_wallet(self):
+        (res, data) = self.wallet.readMap(self.token)
+        if res != 0:
+            return None
+        for u, p in data.iteritems():
+            # Pick the first complete credential if no username is specified
+            if not self.username and u and p:
+                self.username = u
+                self.password = p
+                return True
+            if self.username == u:
+                self.password = p
+                return True
+        return None
+
+    def ask_password_dialog(self):
+        dlg = KPasswordDialog(None,
+            KPasswordDialog.KPasswordDialogFlag(
+                KPasswordDialog.ShowKeepPassword |
+                KPasswordDialog.ShowUsernameLine))
+        if self.desc:
+            desc = self.desc
+        else:
+            desc = self.token
+        dlg.setPrompt(i18n("Please enter username and password for %s" % (desc)))
+        dlg.setUsername(self.username)
+        dlg.setKeepPassword(True)
+        if not dlg.exec_():
+            return
+        self.username = dlg.username()
+        self.password = dlg.password()
+        self.save_password = dlg.keepPassword()
+
+def main():
+    KCmdLineArgs.init(sys.argv, aboutData)
+
+    options = KCmdLineOptions()
+    options.add("unique <token>", ki18n("Unique token identifying the credential"))
+    options.add("description <desc>", ki18n("Human readable description of the credential"))
+    options.add("username <username>", ki18n("Requested username"))
+    options.add("reject", ki18n("Purge credential"))
+
+    KCmdLineArgs.addCmdLineOptions(options)
+    args = KCmdLineArgs.parsedArgs();
+
+    username = args.getOption("username")
+    token = args.getOption("unique")
+    desc = args.getOption("description")
+    reject = args.isSet("reject")
+
+    app = CredentialHelper(token, username, desc, reject)
+
+if __name__ == "__main__":
+    main()
-- 
1.7.6.1