Merge pull request #739 from mjcheetham/cred-noop

Avoid writing credentials when account & password have not changed

Author: mjcheetham

src/shared/Core/Interop/InteropUtils.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Linq;
 using System.Runtime.InteropServices;
 
 namespace GitCredentialManager.Interop
@@ -11,5 +12,21 @@ public static byte[] ToByteArray(IntPtr ptr, long count)
             Marshal.Copy(ptr, destination, 0, destination.Length);
             return destination;
         }
+
+        public static bool AreEqual(byte[] bytes, IntPtr ptr, uint length)
+        {
+            if (bytes.Length == 0 && (ptr == IntPtr.Zero || length == 0))
+            {
+                return true;
+            }
+
+            if (bytes.Length != length)
+            {
+                return false;
+            }
+
+            byte[] ptrBytes = ToByteArray(ptr, length);
+            return bytes.SequenceEqual(ptrBytes);
+        }
     }
 }

src/shared/Core/Interop/Linux/SecretServiceCollection.cs

@@ -114,6 +114,16 @@ public unsafe void AddOrUpdate(string service, string account, string secret)
             SecretValue* secretValue = null;
             GError *error = null;
 
+            // If there is an existing credential that matches the same account and password
+            // then don't bother writing out anything because they're the same!
+            ICredential existingCred = Get(service, account);
+            if (existingCred != null &&
+                StringComparer.Ordinal.Equals(existingCred.Account, account) &&
+                StringComparer.Ordinal.Equals(existingCred.Password, secret))
+            {
+                return;
+            }
+
             try
             {
                 SecretService* secService = GetSecretService();

src/shared/Core/Interop/MacOS/MacOSKeychain.cs

@@ -103,7 +103,6 @@ public void AddOrUpdate(string service, string account, string secret)
 
             string serviceName = CreateServiceName(service);
 
-
             uint serviceNameLength = (uint) serviceName.Length;
             uint accountLength = (uint) (account?.Length ?? 0);
 
@@ -112,12 +111,12 @@ public void AddOrUpdate(string service, string account, string secret)
                 // Check if an entry already exists in the keychain
                 int findResult = SecKeychainFindGenericPassword(
                     IntPtr.Zero, serviceNameLength, serviceName, accountLength, account,
-                    out uint _, out passwordData, out itemRef);
+                    out uint passwordDataLength, out passwordData, out itemRef);
 
                 switch (findResult)
                 {
-                    // Update existing entry
-                    case OK:
+                    // Update existing entry only if the password/secret is different
+                    case OK when !InteropUtils.AreEqual(secretBytes, passwordData, passwordDataLength):
                         ThrowIfError(
                             SecKeychainItemModifyAttributesAndData(itemRef, IntPtr.Zero, (uint) secretBytes.Length, secretBytes),
                             "Could not update existing item"

src/shared/Core/Interop/Windows/Native/Advapi32.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Runtime.InteropServices;
+using System.Text;
 using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;
 
 namespace GitCredentialManager.Interop.Windows.Native
@@ -93,5 +94,16 @@ public struct Win32Credential
         public string TargetAlias;
         [MarshalAs(UnmanagedType.LPWStr)]
         public string UserName;
+
+        public string GetCredentialBlobAsString()
+        {
+            if (CredentialBlobSize != 0 && CredentialBlob != IntPtr.Zero)
+            {
+                byte[] passwordBytes = InteropUtils.ToByteArray(CredentialBlob, CredentialBlobSize);
+                return Encoding.Unicode.GetString(passwordBytes);
+            }
+
+            return null;
+        }
     }
 }

src/shared/Core/Interop/Windows/WindowsCredentialManager.cs

@@ -13,8 +13,6 @@ public class WindowsCredentialManager : ICredentialStore
 
         private readonly string _namespace;
 
-        #region Constructors
-
         /// <summary>
         /// Open the Windows Credential Manager vault for the current user.
         /// </summary>
@@ -26,10 +24,6 @@ public WindowsCredentialManager(string @namespace = null)
             _namespace = @namespace;
         }
 
-        #endregion
-
-        #region ICredentialStore
-
         public ICredential Get(string service, string account)
         {
             return Enumerate(service, account).FirstOrDefault();
@@ -66,6 +60,15 @@ public void AddOrUpdate(string service, string account, string secret)
                         // Create new entry with the account in the target name
                         targetName = CreateTargetName(service, account);
                     }
+                    else
+                    {
+                        // No need to write out credential if the account and secret/password are the same
+                        string existingSecret = existingCred.GetCredentialBlobAsString();
+                        if (StringComparer.Ordinal.Equals(existingSecret, secret))
+                        {
+                            return;
+                        }
+                    }
                 }
 
                 byte[] secretBytes = Encoding.Unicode.GetBytes(secret);
@@ -129,8 +132,6 @@ public bool Remove(string service, string account)
             return false;
         }
 
-        #endregion
-
         /// <summary>
         /// Check if we can persist credentials to for the current process and logon session.
         /// </summary>
@@ -205,14 +206,7 @@ private IEnumerable<WindowsCredential> Enumerate(string service, string account)
 
         private WindowsCredential CreateCredentialFromStructure(Win32Credential credential)
         {
-            string password = null;
-            if (credential.CredentialBlobSize != 0 && credential.CredentialBlob != IntPtr.Zero)
-            {
-                byte[] passwordBytes = InteropUtils.ToByteArray(
-                    credential.CredentialBlob,
-                    credential.CredentialBlobSize);
-                password = Encoding.Unicode.GetString(passwordBytes);
-            }
+            string password = credential.GetCredentialBlobAsString();
 
             // Recover the target name we gave from the internal (raw) target name
             string targetName = credential.TargetName.TrimUntilIndexOf(TargetNameLegacyGenericPrefix);

src/shared/Core/PlaintextCredentialStore.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 
 namespace GitCredentialManager
@@ -22,44 +23,26 @@ public PlaintextCredentialStore(IFileSystem fileSystem, string storeRoot, string
         protected string Namespace { get; }
         protected virtual string CredentialFileExtension => ".credential";
 
-        #region ICredentialStore
-
         public ICredential Get(string service, string account)
         {
-            string serviceSlug = CreateServiceSlug(service);
-            string searchPath = Path.Combine(StoreRoot, serviceSlug);
-            bool anyAccount = string.IsNullOrWhiteSpace(account);
-
-            if (!FileSystem.DirectoryExists(searchPath))
-            {
-                return null;
-            }
-
-            IEnumerable<string> allFiles = FileSystem.EnumerateFiles(searchPath, $"*{CredentialFileExtension}");
-
-            foreach (string fullPath in allFiles)
-            {
-                string accountFile = Path.GetFileNameWithoutExtension(fullPath);
-                if (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, accountFile))
-                {
-                    // Validate the credential metadata also matches our search
-                    if (TryDeserializeCredential(fullPath, out FileCredential credential) &&
-                        StringComparer.OrdinalIgnoreCase.Equals(service, credential.Service) &&
-                        (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, credential.Account)))
-                    {
-                        return credential;
-                    }
-                }
-            }
-
-            return null;
+            return Enumerate(service, account).FirstOrDefault();
         }
 
         public void AddOrUpdate(string service, string account, string secret)
         {
             // Ensure the store root exists and permissions are set
             EnsureStoreRoot();
 
+            FileCredential existingCredential = Enumerate(service, account).FirstOrDefault();
+
+            // No need to update existing credential if nothing has changed
+            if (existingCredential != null &&
+                StringComparer.Ordinal.Equals(account, existingCredential.Account) &&
+                StringComparer.Ordinal.Equals(secret, existingCredential.Password))
+            {
+                return;
+            }
+
             string serviceSlug = CreateServiceSlug(service);
             string servicePath = Path.Combine(StoreRoot, serviceSlug);
 
@@ -75,39 +58,16 @@ public void AddOrUpdate(string service, string account, string secret)
 
         public bool Remove(string service, string account)
         {
-            string serviceSlug = CreateServiceSlug(service);
-            string searchPath = Path.Combine(StoreRoot, serviceSlug);
-            bool anyAccount = string.IsNullOrWhiteSpace(account);
-
-            if (!FileSystem.DirectoryExists(searchPath))
-            {
-                return false;
-            }
-
-            IEnumerable<string> allFiles = FileSystem.EnumerateFiles(searchPath, $"*{CredentialFileExtension}");
-
-            foreach (string fullPath in allFiles)
+            foreach (FileCredential credential in Enumerate(service, account))
             {
-                string accountFile = Path.GetFileNameWithoutExtension(fullPath);
-                if (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, accountFile))
-                {
-                    // Validate the credential metadata also matches our search
-                    if (TryDeserializeCredential(fullPath, out FileCredential credential) &&
-                        StringComparer.OrdinalIgnoreCase.Equals(service, credential.Service) &&
-                        (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, credential.Account)))
-                    {
-                        // Delete the credential file
-                        FileSystem.DeleteFile(fullPath);
-                        return true;
-                    }
-                }
+                // Only delete the first match
+                FileSystem.DeleteFile(credential.FullPath);
+                return true;
             }
 
             return false;
         }
 
-        #endregion
-
         protected virtual bool TryDeserializeCredential(string path, out FileCredential credential)
         {
             string text;
@@ -162,6 +122,35 @@ protected virtual void SerializeCredential(FileCredential credential)
             }
         }
 
+        private IEnumerable<FileCredential> Enumerate(string service, string account)
+        {
+            string serviceSlug = CreateServiceSlug(service);
+            string searchPath = Path.Combine(StoreRoot, serviceSlug);
+            bool anyAccount = string.IsNullOrWhiteSpace(account);
+
+            if (!FileSystem.DirectoryExists(searchPath))
+            {
+                yield break;
+            }
+
+            IEnumerable<string> allFiles = FileSystem.EnumerateFiles(searchPath, $"*{CredentialFileExtension}");
+
+            foreach (string fullPath in allFiles)
+            {
+                string accountFile = Path.GetFileNameWithoutExtension(fullPath);
+                if (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, accountFile))
+                {
+                    // Validate the credential metadata also matches our search
+                    if (TryDeserializeCredential(fullPath, out FileCredential credential) &&
+                        StringComparer.OrdinalIgnoreCase.Equals(service, credential.Service) &&
+                        (anyAccount || StringComparer.OrdinalIgnoreCase.Equals(account, credential.Account)))
+                    {
+                        yield return credential;
+                    }
+                }
+            }
+        }
+
         /// <summary>
         /// Ensure the store root directory exists. If it does not, create a new directory with
         /// permissions that only permit the owner to read/write/execute. Permissions on an existing