From: Aaron Plattner <aplattner@nvidia.com>
To: Patrick Steinhardt <ps@pks.im>,
Rahul Rameshbabu <rrameshbabu@nvidia.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] remote-curl: Use auth for probe_rpc() requests too
Date: Fri, 9 Jan 2026 10:39:10 -0800
Message-ID: <c09387eb-0847-4130-85d1-9da8a3f64164@nvidia.com>
In-Reply-To: <2e103c5b-8cb3-40ec-aa0e-793f85a1f80d@nvidia.com>
On 1/9/26 9:57 AM, Aaron Plattner wrote:
> On 1/9/26 6:51 AM, Patrick Steinhardt wrote:
[...]
>>> diff --git a/remote-curl.c b/remote-curl.c
>>> index 69f919454a..1d0ae72521 100644
>>> --- a/remote-curl.c
>>> +++ b/remote-curl.c
>>> @@ -877,6 +877,8 @@ static int probe_rpc(struct rpc_state *rpc,
>>> struct slot_results *results)
>>> headers = curl_slist_append(headers, rpc->hdr_content_type);
>>> headers = curl_slist_append(headers, rpc->hdr_accept);
>>> + headers = http_append_auth_header(&http_auth, headers);
>>> +
>>> curl_easy_setopt(slot->curl, CURLOPT_NOBODY, 0L);
>>> curl_easy_setopt(slot->curl, CURLOPT_POST, 1L);
>>> curl_easy_setopt(slot->curl, CURLOPT_URL, rpc->service_url);
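
Review bot: the added `headers = http_append_auth_header(&http_auth, headers);` line in probe_rpc() has neither a comment nor a test explaining why the probe request must carry the auth header explicitly. Suggest a one-line comment above it saying that it mirrors what post_rpc() does, and a regression test that reaches probe_rpc() with a credential curl does not attach on its own, since the thread reports that Basic auth set through CURLOPT_USERNAME and CURLOPT_PASSWORD does not reproduce the failure.
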
>>
>> The change looks simple enough, and matches what we do in `post_rpc()`
>> itself.
>>
>> It would be great to have a test case for this. It might be possible to
>> use t5563-simple-http-auth as an example, where we already know to set
>> up an HTTP server with authentication.
>
> I'll look into that. It wasn't obvious to me how to make it hit this RPC
> case specifically but I'll see if I can figure out a way.

I asked AI to try generating a test case for me and it discovered that
the problem doesn't reproduce with Basic auth because git sets
CURLOPT_USERNAME and CURLOPT_PASSWORD and curl implicitly includes those
in subsequent requests without git having to add them explicitly. If we
used CURLOPT_XOAUTH2_BEARER like imap-send.c does, then curl would
presumably do the same thing behind the scenes.

That said, I'm not sure using that makes sense since the credential
helper just tells git to use Bearer auth and what the token is, but not
whether it's OAuth2 or some other kind of token. I don't know if that
matters. Rahul, do you have any opinions there since you're more familiar
with this stuff than I am?

Anyway, the test it came up with creates a repository with 2000 branches
to get the reply to hit the large_request=1 case and then uses a simple
credential helper with a dummy Bearer token to trigger the problem. If
you think the current fix and that test scenario sound reasonable, I'll
clean it up and send out a v2.

-- Aaron

Thread overview: 6+ messages
2025-11-12 22:37 [PATCH] remote-curl: Use auth for probe_rpc() requests too Aaron Plattner
2025-12-16 21:50 ` Lucas De Marchi
2026-01-09 14:51 ` Patrick Steinhardt
2026-01-09 17:57 ` Aaron Plattner
2026-01-09 18:39 ` Aaron Plattner [this message]
2026-01-12 8:21 ` Patrick Steinhardt