credential-cache: implement authtype capability

bk2204 · gitster · commit 40220f48b189 · 2024-04-16T22:39:08.000-07:00
Now that we have full support in Git for the authtype capability, let's
add support to the cache credential helper.

When parsing data, we always set the initial capabilities because we're
the helper, and we need both the initial and helper capabilities to be
set in order to have the helper capabilities take effect.

When emitting data, always emit the supported capability and make sure
we emit items only if we have them and they're supported by the caller.
Since we may no longer have a username or password, be sure to emit
those conditionally as well so we don't segfault on a NULL pointer.
Similarly, when comparing credentials, consider both the password and
credential fields when we're matching passwords.

Adjust the partial credential detection code so that we can store
credentials missing a username or password as long as they have an
authtype and credential.

Signed-off-by: brian m. carlson &lt;sandals@crustytoothpaste.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
@@ -115,6 +115,8 @@ static int read_request(FILE *fh, struct credential *c,
 		return error("client sent bogus timeout line: %s", item.buf);
 	*timeout = atoi(p);
 
+	credential_set_all_capabilities(c, CREDENTIAL_OP_INITIAL);
+
 	if (credential_read(c, fh, CREDENTIAL_OP_HELPER) < 0)
 		return -1;
 	return 0;
@@ -131,8 +133,18 @@ static void serve_one_client(FILE *in, FILE *out)
 	else if (!strcmp(action.buf, "get")) {
 		struct credential_cache_entry *e = lookup_credential(&c);
 		if (e) {
-			fprintf(out, "username=%s\n", e->item.username);
-			fprintf(out, "password=%s\n", e->item.password);
+			e->item.capa_authtype.request_initial = 1;
+			e->item.capa_authtype.request_helper = 1;
+
+			fprintf(out, "capability[]=authtype\n");
+			if (e->item.username)
+				fprintf(out, "username=%s\n", e->item.username);
+			if (e->item.password)
+				fprintf(out, "password=%s\n", e->item.password);
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+				fprintf(out, "authtype=%s\n", e->item.authtype);
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+				fprintf(out, "credential=%s\n", e->item.credential);
 			if (e->item.password_expiry_utc != TIME_MAX)
 				fprintf(out, "password_expiry_utc=%"PRItime"\n",
 					e->item.password_expiry_utc);
@@ -157,8 +169,10 @@ static void serve_one_client(FILE *in, FILE *out)
 	else if (!strcmp(action.buf, "store")) {
 		if (timeout < 0)
 			warning("cache client didn't specify a timeout");
-		else if (!c.username || !c.password)
+		else if ((!c.username || !c.password) && (!c.authtype && !c.credential))
 			warning("cache client gave us a partial credential");
+		else if (c.ephemeral)
+			warning("not storing ephemeral credential");
 		else {
 			remove_credential(&c, 0);
 			cache_credential(&c, timeout);
diff --git a/credential.c b/credential.c
@@ -80,7 +80,8 @@ int credential_match(const struct credential *want,
 	       CHECK(host) &&
 	       CHECK(path) &&
 	       CHECK(username) &&
-	       (!match_password || CHECK(password));
+	       (!match_password || CHECK(password)) &&
+	       (!match_password || CHECK(credential));
 #undef CHECK
 }
 
@@ -248,8 +249,8 @@ static void credential_getpass(struct credential *c)
 						 PROMPT_ASKPASS);
 }
 
-static int credential_has_capability(const struct credential_capability *capa,
-				     enum credential_op_type op_type)
+int credential_has_capability(const struct credential_capability *capa,
+			      enum credential_op_type op_type)
 {
 	/*
 	 * We're checking here if each previous step indicated that we had the
diff --git a/credential.h b/credential.h
@@ -263,6 +263,12 @@ void credential_clear_secrets(struct credential *c);
  */
 void credential_next_state(struct credential *c);
 
+/**
+ * Return true if the capability is enabled for an operation of op_type.
+ */
+int credential_has_capability(const struct credential_capability *capa,
+			      enum credential_op_type op_type);
+
 int credential_read(struct credential *, FILE *,
 		    enum credential_op_type);
 void credential_write(const struct credential *, FILE *,
diff --git a/t/t0301-credential-cache.sh b/t/t0301-credential-cache.sh
@@ -31,6 +31,7 @@ test_atexit 'git credential-cache exit'
 helper_test cache
 helper_test_password_expiry_utc cache
 helper_test_oauth_refresh_token cache
+helper_test_authtype cache
 
 test_expect_success 'socket defaults to ~/.cache/git/credential/socket' '
 	test_when_finished "

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,8 @@ int credential_match(const struct credential *want,`
`80`	`80`	`CHECK(host) &&`
`81`	`81`	`CHECK(path) &&`
`82`	`82`	`CHECK(username) &&`
`83`		`- (!match_password \|\| CHECK(password));`
	`83`	`+ (!match_password \|\| CHECK(password)) &&`
	`84`	`+ (!match_password \|\| CHECK(credential));`
`84`	`85`	`#undef CHECK`
`85`	`86`	`}`
`86`	`87`
`@@ -248,8 +249,8 @@ static void credential_getpass(struct credential *c)`
`248`	`249`	`PROMPT_ASKPASS);`
`249`	`250`	`}`
`250`	`251`
`251`		`-static int credential_has_capability(const struct credential_capability *capa,`
`252`		`- enum credential_op_type op_type)`
	`252`	`+int credential_has_capability(const struct credential_capability *capa,`
	`253`	`+ enum credential_op_type op_type)`
`253`	`254`	`{`
`254`	`255`	`/*`
`255`	`256`	`* We're checking here if each previous step indicated that we had the`