checkout: refer to other-worktree branch, not ref
[git/gitster.git] / credential.c
blob6dea3859ece3389c97dc773a2466eb291a1617e8
1 #define USE_THE_REPOSITORY_VARIABLE
3 #include "git-compat-util.h"
4 #include "abspath.h"
5 #include "config.h"
6 #include "credential.h"
7 #include "gettext.h"
8 #include "string-list.h"
9 #include "run-command.h"
10 #include "url.h"
11 #include "prompt.h"
12 #include "sigchain.h"
13 #include "strbuf.h"
14 #include "urlmatch.h"
15 #include "git-compat-util.h"
16 #include "trace2.h"
17 #include "repository.h"
19 void credential_init(struct credential *c)
21 struct credential blank = CREDENTIAL_INIT;
22 memcpy(c, &blank, sizeof(*c));
25 void credential_clear(struct credential *c)
27 credential_clear_secrets(c);
28 free(c->protocol);
29 free(c->host);
30 free(c->path);
31 free(c->username);
32 free(c->oauth_refresh_token);
33 free(c->authtype);
34 string_list_clear(&c->helpers, 0);
35 strvec_clear(&c->wwwauth_headers);
36 strvec_clear(&c->state_headers);
37 strvec_clear(&c->state_headers_to_send);
39 credential_init(c);
42 void credential_next_state(struct credential *c)
44 strvec_clear(&c->state_headers_to_send);
45 SWAP(c->state_headers, c->state_headers_to_send);
48 void credential_clear_secrets(struct credential *c)
50 FREE_AND_NULL(c->password);
51 FREE_AND_NULL(c->credential);
54 static void credential_set_capability(struct credential_capability *capa,
55 enum credential_op_type op_type)
57 switch (op_type) {
58 case CREDENTIAL_OP_INITIAL:
59 capa->request_initial = 1;
60 break;
61 case CREDENTIAL_OP_HELPER:
62 capa->request_helper = 1;
63 break;
64 case CREDENTIAL_OP_RESPONSE:
65 capa->response = 1;
66 break;
71 void credential_set_all_capabilities(struct credential *c,
72 enum credential_op_type op_type)
74 credential_set_capability(&c->capa_authtype, op_type);
75 credential_set_capability(&c->capa_state, op_type);
78 static void announce_one(struct credential_capability *cc, const char *name, FILE *fp) {
79 if (cc->request_initial)
80 fprintf(fp, "capability %s\n", name);
83 void credential_announce_capabilities(struct credential *c, FILE *fp) {
84 fprintf(fp, "version 0\n");
85 announce_one(&c->capa_authtype, "authtype", fp);
86 announce_one(&c->capa_state, "state", fp);
89 int credential_match(const struct credential *want,
90 const struct credential *have, int match_password)
92 #define CHECK(x) (!want->x || (have->x && !strcmp(want->x, have->x)))
93 return CHECK(protocol) &&
94 CHECK(host) &&
95 CHECK(path) &&
96 CHECK(username) &&
97 (!match_password || CHECK(password)) &&
98 (!match_password || CHECK(credential));
99 #undef CHECK
103 static int credential_from_potentially_partial_url(struct credential *c,
104 const char *url);
106 static int credential_config_callback(const char *var, const char *value,
107 const struct config_context *ctx UNUSED,
108 void *data)
110 struct credential *c = data;
111 const char *key;
113 if (!skip_prefix(var, "credential.", &key))
114 return 0;
116 if (!value)
117 return config_error_nonbool(var);
119 if (!strcmp(key, "helper")) {
120 if (*value)
121 string_list_append(&c->helpers, value);
122 else
123 string_list_clear(&c->helpers, 0);
124 } else if (!strcmp(key, "username")) {
125 if (!c->username_from_proto) {
126 free(c->username);
127 c->username = xstrdup(value);
130 else if (!strcmp(key, "usehttppath"))
131 c->use_http_path = git_config_bool(var, value);
133 return 0;
136 static int proto_is_http(const char *s)
138 if (!s)
139 return 0;
140 return !strcmp(s, "https") || !strcmp(s, "http");
143 static void credential_describe(struct credential *c, struct strbuf *out);
144 static void credential_format(struct credential *c, struct strbuf *out);
146 static int select_all(const struct urlmatch_item *a UNUSED,
147 const struct urlmatch_item *b UNUSED)
149 return 0;
152 static int match_partial_url(const char *url, void *cb)
154 struct credential *c = cb;
155 struct credential want = CREDENTIAL_INIT;
156 int matches = 0;
158 if (credential_from_potentially_partial_url(&want, url) < 0)
159 warning(_("skipping credential lookup for key: credential.%s"),
160 url);
161 else
162 matches = credential_match(&want, c, 0);
163 credential_clear(&want);
165 return matches;
168 static void credential_apply_config(struct credential *c)
170 char *normalized_url;
171 struct urlmatch_config config = URLMATCH_CONFIG_INIT;
172 struct strbuf url = STRBUF_INIT;
174 if (!c->host)
175 die(_("refusing to work with credential missing host field"));
176 if (!c->protocol)
177 die(_("refusing to work with credential missing protocol field"));
179 if (c->configured)
180 return;
182 config.section = "credential";
183 config.key = NULL;
184 config.collect_fn = credential_config_callback;
185 config.cascade_fn = NULL;
186 config.select_fn = select_all;
187 config.fallback_match_fn = match_partial_url;
188 config.cb = c;
190 credential_format(c, &url);
191 normalized_url = url_normalize(url.buf, &config.url);
193 git_config(urlmatch_config_entry, &config);
194 string_list_clear(&config.vars, 1);
195 free(normalized_url);
196 urlmatch_config_release(&config);
197 strbuf_release(&url);
199 c->configured = 1;
201 if (!c->use_http_path && proto_is_http(c->protocol)) {
202 FREE_AND_NULL(c->path);
206 static void credential_describe(struct credential *c, struct strbuf *out)
208 if (!c->protocol)
209 return;
210 strbuf_addf(out, "%s://", c->protocol);
211 if (c->username && *c->username)
212 strbuf_addf(out, "%s@", c->username);
213 if (c->host)
214 strbuf_addstr(out, c->host);
215 if (c->path)
216 strbuf_addf(out, "/%s", c->path);
219 static void credential_format(struct credential *c, struct strbuf *out)
221 if (!c->protocol)
222 return;
223 strbuf_addf(out, "%s://", c->protocol);
224 if (c->username && *c->username) {
225 strbuf_add_percentencode(out, c->username, STRBUF_ENCODE_SLASH);
226 strbuf_addch(out, '@');
228 if (c->host)
229 strbuf_addstr(out, c->host);
230 if (c->path) {
231 strbuf_addch(out, '/');
232 strbuf_add_percentencode(out, c->path, 0);
236 static char *credential_ask_one(const char *what, struct credential *c,
237 int flags)
239 struct strbuf desc = STRBUF_INIT;
240 struct strbuf prompt = STRBUF_INIT;
241 char *r;
243 credential_describe(c, &desc);
244 if (desc.len)
245 strbuf_addf(&prompt, "%s for '%s': ", what, desc.buf);
246 else
247 strbuf_addf(&prompt, "%s: ", what);
249 r = git_prompt(prompt.buf, flags);
251 strbuf_release(&desc);
252 strbuf_release(&prompt);
253 return xstrdup(r);
256 static int credential_getpass(struct credential *c)
258 int interactive;
259 char *value;
260 if (!git_config_get_maybe_bool("credential.interactive", &interactive) &&
261 !interactive) {
262 trace2_data_intmax("credential", the_repository,
263 "interactive/skipped", 1);
264 return -1;
266 if (!git_config_get_string("credential.interactive", &value)) {
267 int same = !strcmp(value, "never");
268 free(value);
269 if (same) {
270 trace2_data_intmax("credential", the_repository,
271 "interactive/skipped", 1);
272 return -1;
276 trace2_region_enter("credential", "interactive", the_repository);
277 if (!c->username)
278 c->username = credential_ask_one("Username", c,
279 PROMPT_ASKPASS|PROMPT_ECHO);
280 if (!c->password)
281 c->password = credential_ask_one("Password", c,
282 PROMPT_ASKPASS);
283 trace2_region_leave("credential", "interactive", the_repository);
285 return 0;
288 int credential_has_capability(const struct credential_capability *capa,
289 enum credential_op_type op_type)
292 * We're checking here if each previous step indicated that we had the
293 * capability. If it did, then we want to pass it along; conversely, if
294 * it did not, we don't want to report that to our caller.
296 switch (op_type) {
297 case CREDENTIAL_OP_HELPER:
298 return capa->request_initial;
299 case CREDENTIAL_OP_RESPONSE:
300 return capa->request_initial && capa->request_helper;
301 default:
302 return 0;
306 int credential_read(struct credential *c, FILE *fp,
307 enum credential_op_type op_type)
309 struct strbuf line = STRBUF_INIT;
311 while (strbuf_getline(&line, fp) != EOF) {
312 char *key = line.buf;
313 char *value = strchr(key, '=');
315 if (!line.len)
316 break;
318 if (!value) {
319 warning("invalid credential line: %s", key);
320 strbuf_release(&line);
321 return -1;
323 *value++ = '\0';
325 if (!strcmp(key, "username")) {
326 free(c->username);
327 c->username = xstrdup(value);
328 c->username_from_proto = 1;
329 } else if (!strcmp(key, "password")) {
330 free(c->password);
331 c->password = xstrdup(value);
332 } else if (!strcmp(key, "credential")) {
333 free(c->credential);
334 c->credential = xstrdup(value);
335 } else if (!strcmp(key, "protocol")) {
336 free(c->protocol);
337 c->protocol = xstrdup(value);
338 } else if (!strcmp(key, "host")) {
339 free(c->host);
340 c->host = xstrdup(value);
341 } else if (!strcmp(key, "path")) {
342 free(c->path);
343 c->path = xstrdup(value);
344 } else if (!strcmp(key, "ephemeral")) {
345 c->ephemeral = !!git_config_bool("ephemeral", value);
346 } else if (!strcmp(key, "wwwauth[]")) {
347 strvec_push(&c->wwwauth_headers, value);
348 } else if (!strcmp(key, "state[]")) {
349 strvec_push(&c->state_headers, value);
350 } else if (!strcmp(key, "capability[]")) {
351 if (!strcmp(value, "authtype"))
352 credential_set_capability(&c->capa_authtype, op_type);
353 else if (!strcmp(value, "state"))
354 credential_set_capability(&c->capa_state, op_type);
355 } else if (!strcmp(key, "continue")) {
356 c->multistage = !!git_config_bool("continue", value);
357 } else if (!strcmp(key, "password_expiry_utc")) {
358 errno = 0;
359 c->password_expiry_utc = parse_timestamp(value, NULL, 10);
360 if (c->password_expiry_utc == 0 || errno == ERANGE)
361 c->password_expiry_utc = TIME_MAX;
362 } else if (!strcmp(key, "oauth_refresh_token")) {
363 free(c->oauth_refresh_token);
364 c->oauth_refresh_token = xstrdup(value);
365 } else if (!strcmp(key, "authtype")) {
366 free(c->authtype);
367 c->authtype = xstrdup(value);
368 } else if (!strcmp(key, "url")) {
369 credential_from_url(c, value);
370 } else if (!strcmp(key, "quit")) {
371 c->quit = !!git_config_bool("quit", value);
374 * Ignore other lines; we don't know what they mean, but
375 * this future-proofs us when later versions of git do
376 * learn new lines, and the helpers are updated to match.
380 strbuf_release(&line);
381 return 0;
384 static void credential_write_item(FILE *fp, const char *key, const char *value,
385 int required)
387 if (!value && required)
388 BUG("credential value for %s is missing", key);
389 if (!value)
390 return;
391 if (strchr(value, '\n'))
392 die("credential value for %s contains newline", key);
393 fprintf(fp, "%s=%s\n", key, value);
396 void credential_write(const struct credential *c, FILE *fp,
397 enum credential_op_type op_type)
399 if (credential_has_capability(&c->capa_authtype, op_type))
400 credential_write_item(fp, "capability[]", "authtype", 0);
401 if (credential_has_capability(&c->capa_state, op_type))
402 credential_write_item(fp, "capability[]", "state", 0);
404 if (credential_has_capability(&c->capa_authtype, op_type)) {
405 credential_write_item(fp, "authtype", c->authtype, 0);
406 credential_write_item(fp, "credential", c->credential, 0);
407 if (c->ephemeral)
408 credential_write_item(fp, "ephemeral", "1", 0);
410 credential_write_item(fp, "protocol", c->protocol, 1);
411 credential_write_item(fp, "host", c->host, 1);
412 credential_write_item(fp, "path", c->path, 0);
413 credential_write_item(fp, "username", c->username, 0);
414 credential_write_item(fp, "password", c->password, 0);
415 credential_write_item(fp, "oauth_refresh_token", c->oauth_refresh_token, 0);
416 if (c->password_expiry_utc != TIME_MAX) {
417 char *s = xstrfmt("%"PRItime, c->password_expiry_utc);
418 credential_write_item(fp, "password_expiry_utc", s, 0);
419 free(s);
421 for (size_t i = 0; i < c->wwwauth_headers.nr; i++)
422 credential_write_item(fp, "wwwauth[]", c->wwwauth_headers.v[i], 0);
423 if (credential_has_capability(&c->capa_state, op_type)) {
424 if (c->multistage)
425 credential_write_item(fp, "continue", "1", 0);
426 for (size_t i = 0; i < c->state_headers_to_send.nr; i++)
427 credential_write_item(fp, "state[]", c->state_headers_to_send.v[i], 0);
431 static int run_credential_helper(struct credential *c,
432 const char *cmd,
433 int want_output)
435 struct child_process helper = CHILD_PROCESS_INIT;
436 FILE *fp;
438 strvec_push(&helper.args, cmd);
439 helper.use_shell = 1;
440 helper.in = -1;
441 if (want_output)
442 helper.out = -1;
443 else
444 helper.no_stdout = 1;
446 if (start_command(&helper) < 0)
447 return -1;
449 fp = xfdopen(helper.in, "w");
450 sigchain_push(SIGPIPE, SIG_IGN);
451 credential_write(c, fp, want_output ? CREDENTIAL_OP_HELPER : CREDENTIAL_OP_RESPONSE);
452 fclose(fp);
453 sigchain_pop(SIGPIPE);
455 if (want_output) {
456 int r;
457 fp = xfdopen(helper.out, "r");
458 r = credential_read(c, fp, CREDENTIAL_OP_HELPER);
459 fclose(fp);
460 if (r < 0) {
461 finish_command(&helper);
462 return -1;
466 if (finish_command(&helper))
467 return -1;
468 return 0;
471 static int credential_do(struct credential *c, const char *helper,
472 const char *operation)
474 struct strbuf cmd = STRBUF_INIT;
475 int r;
477 if (helper[0] == '!')
478 strbuf_addstr(&cmd, helper + 1);
479 else if (is_absolute_path(helper))
480 strbuf_addstr(&cmd, helper);
481 else
482 strbuf_addf(&cmd, "git credential-%s", helper);
484 strbuf_addf(&cmd, " %s", operation);
485 r = run_credential_helper(c, cmd.buf, !strcmp(operation, "get"));
487 strbuf_release(&cmd);
488 return r;
491 void credential_fill(struct credential *c, int all_capabilities)
493 int i;
495 if ((c->username && c->password) || c->credential)
496 return;
498 credential_next_state(c);
499 c->multistage = 0;
501 credential_apply_config(c);
502 if (all_capabilities)
503 credential_set_all_capabilities(c, CREDENTIAL_OP_INITIAL);
505 for (i = 0; i < c->helpers.nr; i++) {
506 credential_do(c, c->helpers.items[i].string, "get");
508 if (c->password_expiry_utc < time(NULL)) {
510 * Don't use credential_clear() here: callers such as
511 * cmd_credential() expect to still be able to call
512 * credential_write() on a struct credential whose
513 * secrets have expired.
515 credential_clear_secrets(c);
516 /* Reset expiry to maintain consistency */
517 c->password_expiry_utc = TIME_MAX;
519 if ((c->username && c->password) || c->credential) {
520 strvec_clear(&c->wwwauth_headers);
521 return;
523 if (c->quit)
524 die("credential helper '%s' told us to quit",
525 c->helpers.items[i].string);
528 if (credential_getpass(c) ||
529 (!c->username && !c->password && !c->credential))
530 die("unable to get password from user");
533 void credential_approve(struct credential *c)
535 int i;
537 if (c->approved)
538 return;
539 if (((!c->username || !c->password) && !c->credential) || c->password_expiry_utc < time(NULL))
540 return;
542 credential_next_state(c);
544 credential_apply_config(c);
546 for (i = 0; i < c->helpers.nr; i++)
547 credential_do(c, c->helpers.items[i].string, "store");
548 c->approved = 1;
551 void credential_reject(struct credential *c)
553 int i;
555 credential_next_state(c);
557 credential_apply_config(c);
559 for (i = 0; i < c->helpers.nr; i++)
560 credential_do(c, c->helpers.items[i].string, "erase");
562 credential_clear_secrets(c);
563 FREE_AND_NULL(c->username);
564 FREE_AND_NULL(c->oauth_refresh_token);
565 c->password_expiry_utc = TIME_MAX;
566 c->approved = 0;
569 static int check_url_component(const char *url, int quiet,
570 const char *name, const char *value)
572 if (!value)
573 return 0;
574 if (!strchr(value, '\n'))
575 return 0;
577 if (!quiet)
578 warning(_("url contains a newline in its %s component: %s"),
579 name, url);
580 return -1;
584 * Potentially-partial URLs can, but do not have to, contain
586 * - a protocol (or scheme) of the form "<protocol>://"
588 * - a host name (the part after the protocol and before the first slash after
589 * that, if any)
591 * - a user name and potentially a password (as "<user>[:<password>]@" part of
592 * the host name)
594 * - a path (the part after the host name, if any, starting with the slash)
596 * Missing parts will be left unset in `struct credential`. Thus, `https://`
597 * will have only the `protocol` set, `example.com` only the host name, and
598 * `/git` only the path.
600 * Note that an empty host name in an otherwise fully-qualified URL (e.g.
601 * `cert:///path/to/cert.pem`) will be treated as unset if we expect the URL to
602 * be potentially partial, and only then (otherwise, the empty string is used).
604 * The credential_from_url() function does not allow partial URLs.
606 static int credential_from_url_1(struct credential *c, const char *url,
607 int allow_partial_url, int quiet)
609 const char *at, *colon, *cp, *slash, *host, *proto_end;
611 credential_clear(c);
614 * Match one of:
615 * (1) proto://<host>/...
616 * (2) proto://<user>@<host>/...
617 * (3) proto://<user>:<pass>@<host>/...
619 proto_end = strstr(url, "://");
620 if (!allow_partial_url && (!proto_end || proto_end == url)) {
621 if (!quiet)
622 warning(_("url has no scheme: %s"), url);
623 return -1;
625 cp = proto_end ? proto_end + 3 : url;
626 at = strchr(cp, '@');
627 colon = strchr(cp, ':');
630 * A query or fragment marker before the slash ends the host portion.
631 * We'll just continue to call this "slash" for simplicity. Notably our
632 * "trim leading slashes" part won't skip over this part of the path,
633 * but that's what we'd want.
635 slash = cp + strcspn(cp, "/?#");
637 if (!at || slash <= at) {
638 /* Case (1) */
639 host = cp;
641 else if (!colon || at <= colon) {
642 /* Case (2) */
643 c->username = url_decode_mem(cp, at - cp);
644 if (c->username && *c->username)
645 c->username_from_proto = 1;
646 host = at + 1;
647 } else {
648 /* Case (3) */
649 c->username = url_decode_mem(cp, colon - cp);
650 if (c->username && *c->username)
651 c->username_from_proto = 1;
652 c->password = url_decode_mem(colon + 1, at - (colon + 1));
653 host = at + 1;
656 if (proto_end && proto_end - url > 0)
657 c->protocol = xmemdupz(url, proto_end - url);
658 if (!allow_partial_url || slash - host > 0)
659 c->host = url_decode_mem(host, slash - host);
660 /* Trim leading and trailing slashes from path */
661 while (*slash == '/')
662 slash++;
663 if (*slash) {
664 char *p;
665 c->path = url_decode(slash);
666 p = c->path + strlen(c->path) - 1;
667 while (p > c->path && *p == '/')
668 *p-- = '\0';
671 if (check_url_component(url, quiet, "username", c->username) < 0 ||
672 check_url_component(url, quiet, "password", c->password) < 0 ||
673 check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
674 check_url_component(url, quiet, "host", c->host) < 0 ||
675 check_url_component(url, quiet, "path", c->path) < 0)
676 return -1;
678 return 0;
681 static int credential_from_potentially_partial_url(struct credential *c,
682 const char *url)
684 return credential_from_url_1(c, url, 1, 0);
687 int credential_from_url_gently(struct credential *c, const char *url, int quiet)
689 return credential_from_url_1(c, url, 0, quiet);
692 void credential_from_url(struct credential *c, const char *url)
694 if (credential_from_url_gently(c, url, 0) < 0)
695 die(_("credential url cannot be parsed: %s"), url);