From: Junio C Hamano <gitster@pobox.com>
To: Quentin Bouget <ypsah@devyard.org>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 1/2] http: only reject basic auth credentials once they have been tried
Date: Sun, 04 Feb 2024 14:47:56 -0800 [thread overview]
Message-ID: <xmqqfry7onhf.fsf@gitster.g> (raw)
In-Reply-To: <20240204185427.39664-2-ypsah@devyard.org> (Quentin Bouget's message of "Sun, 4 Feb 2024 19:54:26 +0100")
Quentin Bouget <ypsah@devyard.org> writes:
> else if (results->http_code == 401) {
> - if (http_auth.username && http_auth.password) {
> - credential_reject(&http_auth);
> - return HTTP_NOAUTH;
> - } else {
> + if ((http_auth_methods & CURLAUTH_GSSNEGOTIATE) == CURLAUTH_GSSNEGOTIATE) {
> http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
> if (results->auth_avail) {
> http_auth_methods &= results->auth_avail;
> http_auth_methods_restricted = 1;
> }
> return HTTP_REAUTH;
> }
> + if (http_auth.username && http_auth.password)
> + credential_reject(&http_auth);
> + return HTTP_NOAUTH;
A few comments and questions.
* GSSNEGOTIATE is a synonym for NEGOTIATE since cURL 7.38.0
(released in Sep 2014); currently the earliest version we claim
to support is 7.19.5 (released May 2009) without imap-send, and
we require 7.34.0 (released Dec 2013) with imap-send, so for now,
it is prudent that this patch uses GSSNEGOTIATE.
* Is it something that the client code of libcURL can rely on that
these CURLAUTH_FOO macros are bitmasks [*]? If so, wouldn't
if ((http_auth_methods & CURLAUTH_GSSNEGOTIATE))
be clear enough (and less risk of making typo)?
* When we see 401, the first thing we do in the new code is to see
if GSS is enabled in auth_methods, and if so we drop it from
auth_methods (to prevent us from trying it again) and say REAUTH.
- What assures us that the presense of GSS bit in auth_methods
mean we tried GSS to get this 401? Could it be that we tried
basic and seeing 401 from that, but we haven't tried GSS and we
could retry with GSS now? Is it commonly known that GSS is
always tried first before Basic/Digest when both are availble,
or something like that?
- When auth_avail was given by the cURL library, we further limit
the auth_methods (after dropping GSS) and say REAUTH. This is
not a new to the updated code, but can it happen that the
resulting restricted auth_methods bitmap becomes empty (i.e.
REAUTH would be useless)?
Thanks.
[References]
* https://github.com/curl/curl/blob/b8c003832d730bb2f4b9de4204675ca5d9f7a903/include/curl/curl.h#L787C4-L787C64
next prev parent reply other threads:[~2024-02-04 22:48 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-04 18:54 [PATCH 0/2] Fix gitlab's token-based authentication w/ kerberos Quentin Bouget
2024-02-04 18:54 ` [PATCH 1/2] http: only reject basic auth credentials once they have been tried Quentin Bouget
2024-02-04 22:47 ` Junio C Hamano [this message]
2024-02-05 3:03 ` Quentin Bouget
2024-02-05 5:47 ` Patrick Steinhardt
2024-02-04 18:54 ` [PATCH 2/2] http: prevent redirect from dropping credentials during reauth Quentin Bouget
2024-02-04 22:36 ` brian m. carlson
2024-02-05 3:01 ` Quentin Bouget
2024-02-05 22:18 ` brian m. carlson
2024-02-05 22:52 ` rsbecker
2024-02-04 22:51 ` Junio C Hamano
2024-02-05 3:06 ` Quentin Bouget
2024-02-04 23:01 ` rsbecker
2024-02-05 3:12 ` Quentin Bouget
2024-02-05 9:22 ` Robert Coup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqfry7onhf.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=ypsah@devyard.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).