From: "M Hickford via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: sandals@crustytoothpaste.net,
	M Hickford <mirth.hickford@gmail.com>,
	M Hickford <mirth.hickford@gmail.com>
Subject: [PATCH v2] credential-cache: respect request capabilities
Date: Mon, 06 Jan 2025 19:52:11 +0000
Message-ID: <pull.1842.v2.git.1736193131798.gitgitgadget@gmail.com>
In-Reply-To: <pull.1842.git.1734729534213.gitgitgadget@gmail.com>

From: M Hickford <mirth.hickford@gmail.com>

Previously, credential-cache responded with capability[]=authtype
regardless of request.

The capabilities in a credential helper response should be a subset of
the capabilities in the request.

Signed-off-by: M Hickford <mirth.hickford@gmail.com>
---
    credential-cache: respect request capabilities

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1842%2Fhickford%2Fcache-capability-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1842/hickford/cache-capability-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/1842

Range-diff vs v1:

 1:  9197941029f ! 1:  696780d4782 credential-cache: respect request capabilities
     @@ t/lib-credential.sh: helper_test_authtype() {
       		EOF
       	'
       
     -+	test_expect_success "helper ($HELPER) does not get authtype and credential without authtype capability" '
     ++	test_expect_success "helper ($HELPER) get authtype only if request has authtype capability" '
      +		check fill $HELPER <<-\EOF
      +		protocol=https
      +		host=git.example.com
     @@ t/lib-credential.sh: helper_test_authtype() {
       	test_expect_success "helper ($HELPER) stores authtype and credential with username" '
       		check approve $HELPER <<-\EOF
       		capability[]=authtype
     -
     - ## t/t0303-credential-external.sh ##
     -@@ t/t0303-credential-external.sh: helper_test_clean "$GIT_TEST_CREDENTIAL_HELPER"
     - helper_test "$GIT_TEST_CREDENTIAL_HELPER"
     - helper_test_password_expiry_utc "$GIT_TEST_CREDENTIAL_HELPER"
     - helper_test_oauth_refresh_token "$GIT_TEST_CREDENTIAL_HELPER"
     -+helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER"
     - 
     - if test -z "$GIT_TEST_CREDENTIAL_HELPER_TIMEOUT"; then
     - 	say "# skipping timeout tests (GIT_TEST_CREDENTIAL_HELPER_TIMEOUT not set)"
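
Review bot: The range-diff drops the t/t0303-credential-external.sh change that v1 carried (the `helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER"` line), but nothing below the `---` says why. A sentence on what changed since v1, and whether external helpers are still meant to be exercised by the authtype tests, would let reviewers judge the new test's coverage.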


 builtin/credential-cache--daemon.c | 11 +++++------
 t/lib-credential.sh                | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
index bc22f5c6d24..692216cf83c 100644
--- a/builtin/credential-cache--daemon.c
+++ b/builtin/credential-cache--daemon.c
@@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
 	else if (!strcmp(action.buf, "get")) {
 		struct credential_cache_entry *e = lookup_credential(&c);
 		if (e) {
-			e->item.capa_authtype.request_initial = 1;
-			e->item.capa_authtype.request_helper = 1;
-
-			fprintf(out, "capability[]=authtype\n");
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
+				fprintf(out, "capability[]=authtype\n");
+			}
 			if (e->item.username)
 				fprintf(out, "username=%s\n", e->item.username);
 			if (e->item.password)
 				fprintf(out, "password=%s\n", e->item.password);
-			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
 				fprintf(out, "authtype=%s\n", e->item.authtype);
-			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
 				fprintf(out, "credential=%s\n", e->item.credential);
 			if (e->item.password_expiry_utc != TIME_MAX)
 				fprintf(out, "password_expiry_utc=%"PRItime"\n",
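
Review bot: The commit message covers only the `capability[]=authtype` line, but in serve_one_client() the `authtype=` and `credential=` checks also switch from CREDENTIAL_OP_HELPER to CREDENTIAL_OP_RESPONSE, and the two assignments to `e->item.capa_authtype` on the cached entry are removed; neither change is explained. Since `credential=` carries the secret, the message should say why CREDENTIAL_OP_RESPONSE is the right operation to test at this point. On style, the braces around the single `fprintf(out, "capability[]=authtype\n");` are unnecessary, and the same `credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)` call now appears three times, so computing it once into a local variable would read better.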
diff --git a/t/lib-credential.sh b/t/lib-credential.sh
index 58b9c740605..324ecc792d5 100644
--- a/t/lib-credential.sh
+++ b/t/lib-credential.sh
@@ -566,6 +566,21 @@ helper_test_authtype() {
 		EOF
 	'
 
+	test_expect_success "helper ($HELPER) get authtype only if request has authtype capability" '
+		check fill $HELPER <<-\EOF
+		protocol=https
+		host=git.example.com
+		--
+		protocol=https
+		host=git.example.com
+		username=askpass-username
+		password=askpass-password
+		--
+		askpass: Username for '\''https://git.example.com'\'':
+		askpass: Password for '\''https://askpass-username@git.example.com'\'':
+		EOF
+	'
+
 	test_expect_success "helper ($HELPER) stores authtype and credential with username" '
 		check approve $HELPER <<-\EOF
 		capability[]=authtype
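
Review bot: The new test in helper_test_authtype() checks only the negative case, and it would also pass for a helper that has nothing stored for git.example.com, because a `fill` without `capability[]=authtype` ends at the askpass prompts either way. It depends on an earlier test in this function having stored an authtype credential for that host, which is not visible in this hunk; a short comment stating that dependency, or storing the entry inside the test itself, would make the assertion meaningful on its own. The title would also read better as "gets authtype only if request has authtype capability".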

base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f
-- 
gitgitgadget

Thread overview: 11+ messages
2024-12-20 21:18 [PATCH] credential-cache: respect request capabilities M Hickford via GitGitGadget
2025-01-06 19:52 ` M Hickford via GitGitGadget [this message]
2025-01-06 22:32   ` [PATCH v2] " brian m. carlson
2025-01-06 22:57     ` M Hickford
2025-01-06 23:05       ` brian m. carlson
2025-01-06 23:05   ` [PATCH v3] " M Hickford via GitGitGadget
2025-01-07  1:19     ` [PATCH v4] " M Hickford via GitGitGadget
2025-01-08  2:05       ` Junio C Hamano
2025-01-09 22:45       ` [PATCH v5] credential-cache: respect authtype capability M Hickford via GitGitGadget
2025-01-18 20:09         ` M Hickford
2025-01-18 20:14           ` brian m. carlson
