2018-09-19 15:05:48 +00:00
|
|
|
package creds
|
2016-12-19 21:38:06 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"fmt"
|
2017-09-13 22:09:18 +00:00
|
|
|
"net/url"
|
2018-09-18 19:14:24 +00:00
|
|
|
"os"
|
2016-12-19 21:38:06 +00:00
|
|
|
"os/exec"
|
|
|
|
"strings"
|
2017-08-09 16:26:21 +00:00
|
|
|
"sync"
|
2017-03-24 17:27:52 +00:00
|
|
|
|
2018-09-19 14:05:24 +00:00
|
|
|
"github.com/git-lfs/git-lfs/config"
|
2017-08-10 22:49:46 +00:00
|
|
|
"github.com/git-lfs/git-lfs/errors"
|
2017-03-24 17:27:52 +00:00
|
|
|
"github.com/rubyist/tracerx"
|
2016-12-19 21:38:06 +00:00
|
|
|
)
|
|
|
|
|
2019-04-18 14:41:55 +00:00
|
|
|
// CredentialHelperWrapper is used to contain the encapsulate the information we need for credential handling during auth.
|
|
|
|
type CredentialHelperWrapper struct {
|
|
|
|
CredentialHelper CredentialHelper
|
|
|
|
Input Creds
|
|
|
|
Url *url.URL
|
|
|
|
Creds Creds
|
|
|
|
}
|
|
|
|
|
2017-10-27 20:10:46 +00:00
|
|
|
// CredentialHelper is an interface used by the lfsapi Client to interact with
|
|
|
|
// the 'git credential' command: https://git-scm.com/docs/gitcredentials
|
|
|
|
// Other implementations include ASKPASS support, and an in-memory cache.
|
2017-10-27 00:34:33 +00:00
|
|
|
type CredentialHelper interface {
|
|
|
|
Fill(Creds) (Creds, error)
|
|
|
|
Reject(Creds) error
|
|
|
|
Approve(Creds) error
|
|
|
|
}
|
|
|
|
|
2019-04-18 14:41:55 +00:00
|
|
|
func (credWrapper CredentialHelperWrapper) FillCreds() error {
|
|
|
|
creds, err := credWrapper.CredentialHelper.Fill(credWrapper.Input)
|
|
|
|
if creds == nil || len(creds) < 1 {
|
|
|
|
errmsg := fmt.Sprintf("Git credentials for %s not found", credWrapper.Url)
|
|
|
|
if err != nil {
|
2019-05-01 16:45:21 +00:00
|
|
|
errmsg = fmt.Sprintf("%s:\n%s", errmsg, err.Error())
|
2019-04-18 14:41:55 +00:00
|
|
|
} else {
|
2019-05-01 16:45:21 +00:00
|
|
|
errmsg = fmt.Sprintf("%s.", errmsg)
|
2019-04-18 14:41:55 +00:00
|
|
|
}
|
|
|
|
err = errors.New(errmsg)
|
|
|
|
}
|
|
|
|
credWrapper.Creds = creds
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-10-27 20:10:46 +00:00
|
|
|
// Creds represents a set of key/value pairs that are passed to 'git credential'
|
|
|
|
// as input.
|
2017-10-27 00:34:33 +00:00
|
|
|
type Creds map[string]string
|
|
|
|
|
|
|
|
func bufferCreds(c Creds) *bytes.Buffer {
|
|
|
|
buf := new(bytes.Buffer)
|
|
|
|
|
|
|
|
for k, v := range c {
|
|
|
|
buf.Write([]byte(k))
|
|
|
|
buf.Write([]byte("="))
|
|
|
|
buf.Write([]byte(v))
|
|
|
|
buf.Write([]byte("\n"))
|
|
|
|
}
|
|
|
|
|
|
|
|
return buf
|
|
|
|
}
|
|
|
|
|
2018-09-19 14:05:24 +00:00
|
|
|
type CredentialHelperContext struct {
|
2018-10-08 22:47:17 +00:00
|
|
|
netrcCredHelper *netrcCredentialHelper
|
2018-09-19 14:05:24 +00:00
|
|
|
commandCredHelper *commandCredentialHelper
|
|
|
|
askpassCredHelper *AskPassCredentialHelper
|
|
|
|
cachingCredHelper *credentialCacher
|
|
|
|
|
|
|
|
urlConfig *config.URLConfig
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewCredentialHelperContext(gitEnv config.Environment, osEnv config.Environment) *CredentialHelperContext {
|
|
|
|
c := &CredentialHelperContext{urlConfig: config.NewURLConfig(gitEnv)}
|
|
|
|
|
2018-10-08 22:47:17 +00:00
|
|
|
c.netrcCredHelper = newNetrcCredentialHelper(osEnv)
|
|
|
|
|
2018-09-19 14:05:24 +00:00
|
|
|
askpass, ok := osEnv.Get("GIT_ASKPASS")
|
|
|
|
if !ok {
|
|
|
|
askpass, ok = gitEnv.Get("core.askpass")
|
|
|
|
}
|
|
|
|
if !ok {
|
|
|
|
askpass, _ = osEnv.Get("SSH_ASKPASS")
|
|
|
|
}
|
|
|
|
if len(askpass) > 0 {
|
|
|
|
c.askpassCredHelper = &AskPassCredentialHelper{
|
|
|
|
Program: askpass,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
cacheCreds := gitEnv.Bool("lfs.cachecredentials", true)
|
|
|
|
if cacheCreds {
|
2018-09-19 15:03:12 +00:00
|
|
|
c.cachingCredHelper = NewCredentialCacher()
|
2018-09-19 14:05:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
c.commandCredHelper = &commandCredentialHelper{
|
|
|
|
SkipPrompt: osEnv.Bool("GIT_TERMINAL_PROMPT", false),
|
|
|
|
}
|
|
|
|
|
|
|
|
return c
|
|
|
|
}
|
|
|
|
|
2017-08-10 22:24:46 +00:00
|
|
|
// getCredentialHelper parses a 'credsConfig' from the git and OS environments,
|
|
|
|
// returning the appropriate CredentialHelper to authenticate requests with.
|
|
|
|
//
|
|
|
|
// It returns an error if any configuration was invalid, or otherwise
|
|
|
|
// un-useable.
|
2019-04-18 14:41:55 +00:00
|
|
|
func (ctxt *CredentialHelperContext) GetCredentialHelper(helper CredentialHelper, u *url.URL) CredentialHelperWrapper {
|
2017-10-27 16:29:34 +00:00
|
|
|
rawurl := fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, u.Path)
|
2017-10-26 22:29:43 +00:00
|
|
|
input := Creds{"protocol": u.Scheme, "host": u.Host}
|
2017-10-26 22:09:37 +00:00
|
|
|
if u.User != nil && u.User.Username() != "" {
|
|
|
|
input["username"] = u.User.Username()
|
|
|
|
}
|
lfsapi: add support for encrypted client TLS private keys
When using client certificates for TLS, it's possible to specify a
private key file with an encrypted private key. Previously, we silently
returned a nil Certificate object in this case which promptly resulted
in a panic in crypto/tls when attempting to push.
Instead, let's detect that the key is encrypted and prompt for a
passphrase. Git usually handles this with a prompt from OpenSSL, which
we aren't using, although it can be configured to use the credential
helper as well.
Since there isn't a portable way to turn off the echo in order to prompt
for a passphrase, even among Unix systems, let's use the credential
helper route for this purpose by prompting for credentials using a cert:
URL for the file holding the private key; this is the type of URL that
Git uses with the credential helper for this purpose.
In order to make things as intuitive as possible, tell the credential
code to always include the path for cert: URLs (so we don't just prompt
for "cert:///") and provide the user's current username in the username
field so they don't get a useless username prompt. Provide as much
helpful trace output as possible for debugging; note that credential
filling success and failure already have trace logging enabled
elsewhere.
Note that we create our own credential helper for the client object to
avoid having to pass it into the HTTP client context from the LFS API
context; this should be fine, since we're going to prompt and use this
value only within this context and for this purpose.
Finally, since we're in a context where we can't really return an error
up the chain, if for whatever reason an error occurs, ensure that we
don't pass nil to crypto/tls and instead skip passing a certificate
altogether. This will at least make the failure case obvious later on
and provide a better user experience than a panic.
2018-09-19 18:56:48 +00:00
|
|
|
if u.Scheme == "cert" || ctxt.urlConfig.Bool("credential", rawurl, "usehttppath", false) {
|
2017-10-26 22:29:43 +00:00
|
|
|
input["path"] = strings.TrimPrefix(u.Path, "/")
|
|
|
|
}
|
2017-10-26 22:09:37 +00:00
|
|
|
|
2018-09-19 14:20:02 +00:00
|
|
|
if helper != nil {
|
2019-05-01 16:45:21 +00:00
|
|
|
return CredentialHelperWrapper{CredentialHelper: helper, Input: input, Url: u}
|
2017-10-26 22:09:37 +00:00
|
|
|
}
|
|
|
|
|
2018-10-08 22:47:17 +00:00
|
|
|
helpers := make([]CredentialHelper, 0, 4)
|
|
|
|
if ctxt.netrcCredHelper != nil {
|
|
|
|
helpers = append(helpers, ctxt.netrcCredHelper)
|
|
|
|
}
|
2018-09-19 14:20:02 +00:00
|
|
|
if ctxt.cachingCredHelper != nil {
|
|
|
|
helpers = append(helpers, ctxt.cachingCredHelper)
|
2017-08-10 22:24:46 +00:00
|
|
|
}
|
2018-09-19 14:20:02 +00:00
|
|
|
if ctxt.askpassCredHelper != nil {
|
|
|
|
helper, _ := ctxt.urlConfig.Get("credential", rawurl, "helper")
|
2017-10-27 00:34:33 +00:00
|
|
|
if len(helper) == 0 {
|
2018-09-19 14:20:02 +00:00
|
|
|
helpers = append(helpers, ctxt.askpassCredHelper)
|
2017-08-10 22:49:31 +00:00
|
|
|
}
|
|
|
|
}
|
2019-05-01 16:45:21 +00:00
|
|
|
return CredentialHelperWrapper{CredentialHelper: NewCredentialHelpers(append(helpers, ctxt.commandCredHelper)), Input: input, Url: u}
|
2017-08-10 22:49:31 +00:00
|
|
|
}
|
|
|
|
|
2017-08-10 22:49:46 +00:00
|
|
|
// AskPassCredentialHelper implements the CredentialHelper type for GIT_ASKPASS
|
|
|
|
// and 'core.askpass' configuration values.
|
|
|
|
type AskPassCredentialHelper struct {
|
|
|
|
// Program is the executable program's absolute or relative name.
|
|
|
|
Program string
|
|
|
|
}
|
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
type credValueType int
|
|
|
|
|
|
|
|
const (
|
|
|
|
credValueTypeUnknown credValueType = iota
|
|
|
|
credValueTypeUsername
|
|
|
|
credValueTypePassword
|
|
|
|
)
|
|
|
|
|
2017-08-10 22:49:46 +00:00
|
|
|
// Fill implements fill by running the ASKPASS program and returning its output
|
|
|
|
// as a password encoded in the Creds type given the key "password".
|
|
|
|
//
|
|
|
|
// It accepts the password as coming from the program's stdout, as when invoked
|
|
|
|
// with the given arguments (see (*AskPassCredentialHelper).args() below)./
|
|
|
|
//
|
|
|
|
// If there was an error running the command, it is returned instead of a set of
|
|
|
|
// filled credentials.
|
2018-07-13 22:11:04 +00:00
|
|
|
//
|
|
|
|
// The ASKPASS program is only queried if a credential was not already
|
|
|
|
// provided, i.e. through the git URL
|
2017-08-10 22:49:46 +00:00
|
|
|
func (a *AskPassCredentialHelper) Fill(what Creds) (Creds, error) {
|
2017-09-13 22:09:18 +00:00
|
|
|
u := &url.URL{
|
|
|
|
Scheme: what["protocol"],
|
|
|
|
Host: what["host"],
|
|
|
|
Path: what["path"],
|
|
|
|
}
|
|
|
|
|
2018-07-13 23:47:13 +00:00
|
|
|
creds := make(Creds)
|
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
username, err := a.getValue(what, credValueTypeUsername, u)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2017-09-13 22:09:18 +00:00
|
|
|
}
|
2018-07-16 22:07:27 +00:00
|
|
|
creds["username"] = username
|
2017-09-13 22:09:18 +00:00
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
if len(username) > 0 {
|
2017-09-13 22:09:18 +00:00
|
|
|
// If a non-empty username was given, add it to the URL via func
|
|
|
|
// 'net/url.User()'.
|
2018-07-13 23:47:13 +00:00
|
|
|
u.User = url.User(creds["username"])
|
2017-09-13 22:09:18 +00:00
|
|
|
}
|
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
password, err := a.getValue(what, credValueTypePassword, u)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2017-08-10 22:49:46 +00:00
|
|
|
}
|
2018-07-16 22:07:27 +00:00
|
|
|
creds["password"] = password
|
2017-08-10 22:49:46 +00:00
|
|
|
|
|
|
|
return creds, nil
|
|
|
|
}
|
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
func (a *AskPassCredentialHelper) getValue(what Creds, valueType credValueType, u *url.URL) (string, error) {
|
|
|
|
var valueString string
|
|
|
|
|
|
|
|
switch valueType {
|
|
|
|
case credValueTypeUsername:
|
|
|
|
valueString = "username"
|
|
|
|
case credValueTypePassword:
|
|
|
|
valueString = "password"
|
|
|
|
default:
|
|
|
|
return "", errors.Errorf("Invalid Credential type queried from AskPass")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Return the existing credential if it was already provided, otherwise
|
|
|
|
// query AskPass for it
|
|
|
|
if given, ok := what[valueString]; ok {
|
|
|
|
return given, nil
|
|
|
|
}
|
|
|
|
return a.getFromProgram(valueType, u)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *AskPassCredentialHelper) getFromProgram(valueType credValueType, u *url.URL) (string, error) {
|
2018-07-13 23:47:13 +00:00
|
|
|
var (
|
|
|
|
value bytes.Buffer
|
|
|
|
err bytes.Buffer
|
2018-07-16 22:07:27 +00:00
|
|
|
|
|
|
|
valueString string
|
2018-07-13 23:47:13 +00:00
|
|
|
)
|
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
switch valueType {
|
|
|
|
case credValueTypeUsername:
|
|
|
|
valueString = "Username"
|
|
|
|
case credValueTypePassword:
|
|
|
|
valueString = "Password"
|
|
|
|
default:
|
|
|
|
return "", errors.Errorf("Invalid Credential type queried from AskPass")
|
|
|
|
}
|
|
|
|
|
|
|
|
// 'cmd' will run the GIT_ASKPASS (or core.askpass) command prompting
|
2018-07-13 23:47:13 +00:00
|
|
|
// for the desired valueType (`Username` or `Password`)
|
2018-07-16 22:07:27 +00:00
|
|
|
cmd := exec.Command(a.Program, a.args(fmt.Sprintf("%s for %q", valueString, u))...)
|
|
|
|
cmd.Stderr = &err
|
|
|
|
cmd.Stdout = &value
|
2018-07-13 23:47:13 +00:00
|
|
|
|
2018-07-16 22:07:27 +00:00
|
|
|
tracerx.Printf("creds: filling with GIT_ASKPASS: %s", strings.Join(cmd.Args, " "))
|
|
|
|
if err := cmd.Run(); err != nil {
|
2018-07-13 23:47:13 +00:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err.Len() > 0 {
|
|
|
|
return "", errors.New(err.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
return strings.TrimSpace(value.String()), nil
|
|
|
|
}
|
|
|
|
|
2017-08-10 22:49:46 +00:00
|
|
|
// Approve implements CredentialHelper.Approve, and returns nil. The ASKPASS
|
|
|
|
// credential helper does not implement credential approval.
|
|
|
|
func (a *AskPassCredentialHelper) Approve(_ Creds) error { return nil }
|
|
|
|
|
|
|
|
// Reject implements CredentialHelper.Reject, and returns nil. The ASKPASS
|
|
|
|
// credential helper does not implement credential rejection.
|
|
|
|
func (a *AskPassCredentialHelper) Reject(_ Creds) error { return nil }
|
|
|
|
|
2017-09-13 16:15:09 +00:00
|
|
|
// args returns the arguments given to the ASKPASS program, if a prompt was
|
|
|
|
// given.
|
2017-08-10 22:49:46 +00:00
|
|
|
|
|
|
|
// See: https://git-scm.com/docs/gitcredentials#_requesting_credentials for
|
|
|
|
// more.
|
2017-09-13 22:09:18 +00:00
|
|
|
func (a *AskPassCredentialHelper) args(prompt string) []string {
|
|
|
|
if len(prompt) == 0 {
|
2017-09-13 16:15:09 +00:00
|
|
|
return nil
|
2017-08-10 22:49:46 +00:00
|
|
|
}
|
2017-09-13 22:09:18 +00:00
|
|
|
return []string{prompt}
|
2017-08-10 22:49:46 +00:00
|
|
|
}
|
|
|
|
|
2017-01-06 21:38:57 +00:00
|
|
|
type commandCredentialHelper struct {
|
2016-12-19 21:38:06 +00:00
|
|
|
SkipPrompt bool
|
|
|
|
}
|
|
|
|
|
2017-01-06 21:38:57 +00:00
|
|
|
func (h *commandCredentialHelper) Fill(creds Creds) (Creds, error) {
|
2017-03-24 17:27:52 +00:00
|
|
|
tracerx.Printf("creds: git credential fill (%q, %q, %q)",
|
|
|
|
creds["protocol"], creds["host"], creds["path"])
|
2016-12-19 21:38:06 +00:00
|
|
|
return h.exec("fill", creds)
|
|
|
|
}
|
|
|
|
|
2017-01-06 21:38:57 +00:00
|
|
|
func (h *commandCredentialHelper) Reject(creds Creds) error {
|
2016-12-19 21:38:06 +00:00
|
|
|
_, err := h.exec("reject", creds)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-01-06 21:38:57 +00:00
|
|
|
func (h *commandCredentialHelper) Approve(creds Creds) error {
|
2017-10-26 22:09:37 +00:00
|
|
|
tracerx.Printf("creds: git credential approve (%q, %q, %q)",
|
|
|
|
creds["protocol"], creds["host"], creds["path"])
|
2016-12-19 21:38:06 +00:00
|
|
|
_, err := h.exec("approve", creds)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-01-06 21:38:57 +00:00
|
|
|
func (h *commandCredentialHelper) exec(subcommand string, input Creds) (Creds, error) {
|
2016-12-19 21:38:06 +00:00
|
|
|
output := new(bytes.Buffer)
|
|
|
|
cmd := exec.Command("git", "credential", subcommand)
|
2017-01-06 21:42:37 +00:00
|
|
|
cmd.Stdin = bufferCreds(input)
|
2016-12-19 21:38:06 +00:00
|
|
|
cmd.Stdout = output
|
|
|
|
/*
|
2018-09-18 19:14:24 +00:00
|
|
|
There is a reason we don't read from stderr here:
|
2016-12-19 21:38:06 +00:00
|
|
|
Git's credential cache daemon helper does not close its stderr, so if this
|
|
|
|
process is the process that fires up the daemon, it will wait forever
|
|
|
|
(until the daemon exits, really) trying to read from stderr.
|
|
|
|
|
2018-09-18 19:14:24 +00:00
|
|
|
Instead, we simply pass it through to our stderr.
|
|
|
|
|
2016-12-19 21:38:06 +00:00
|
|
|
See https://github.com/git-lfs/git-lfs/issues/117 for more details.
|
|
|
|
*/
|
2018-09-18 19:14:24 +00:00
|
|
|
cmd.Stderr = os.Stderr
|
2016-12-19 21:38:06 +00:00
|
|
|
|
|
|
|
err := cmd.Start()
|
|
|
|
if err == nil {
|
|
|
|
err = cmd.Wait()
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := err.(*exec.ExitError); ok {
|
|
|
|
if h.SkipPrompt {
|
|
|
|
return nil, fmt.Errorf("Change the GIT_TERMINAL_PROMPT env var to be prompted to enter your credentials for %s://%s.",
|
|
|
|
input["protocol"], input["host"])
|
|
|
|
}
|
|
|
|
|
|
|
|
// 'git credential' exits with 128 if the helper doesn't fill the username
|
|
|
|
// and password values.
|
|
|
|
if subcommand == "fill" && err.Error() == "exit status 128" {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("'git credential %s' error: %s\n", subcommand, err.Error())
|
|
|
|
}
|
|
|
|
|
|
|
|
creds := make(Creds)
|
|
|
|
for _, line := range strings.Split(output.String(), "\n") {
|
|
|
|
pieces := strings.SplitN(line, "=", 2)
|
|
|
|
if len(pieces) < 2 || len(pieces[1]) < 1 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
creds[pieces[0]] = pieces[1]
|
|
|
|
}
|
|
|
|
|
|
|
|
return creds, nil
|
|
|
|
}
|
2017-10-26 22:09:37 +00:00
|
|
|
|
2017-10-27 00:34:33 +00:00
|
|
|
type credentialCacher struct {
|
2017-10-27 00:17:45 +00:00
|
|
|
creds map[string]Creds
|
|
|
|
mu sync.Mutex
|
|
|
|
}
|
|
|
|
|
2018-09-19 15:03:12 +00:00
|
|
|
func NewCredentialCacher() *credentialCacher {
|
2017-10-27 00:34:33 +00:00
|
|
|
return &credentialCacher{creds: make(map[string]Creds)}
|
|
|
|
}
|
|
|
|
|
|
|
|
func credCacheKey(creds Creds) string {
|
|
|
|
parts := []string{
|
|
|
|
creds["protocol"],
|
|
|
|
creds["host"],
|
|
|
|
creds["path"],
|
|
|
|
}
|
|
|
|
return strings.Join(parts, "//")
|
2017-10-27 00:17:45 +00:00
|
|
|
}
|
|
|
|
|
2017-10-27 15:39:04 +00:00
|
|
|
func (c *credentialCacher) Fill(what Creds) (Creds, error) {
|
2017-10-27 00:17:45 +00:00
|
|
|
key := credCacheKey(what)
|
|
|
|
c.mu.Lock()
|
|
|
|
cached, ok := c.creds[key]
|
|
|
|
c.mu.Unlock()
|
|
|
|
|
|
|
|
if ok {
|
2017-10-27 00:36:08 +00:00
|
|
|
tracerx.Printf("creds: git credential cache (%q, %q, %q)",
|
|
|
|
what["protocol"], what["host"], what["path"])
|
2017-10-27 00:17:45 +00:00
|
|
|
return cached, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, credHelperNoOp
|
|
|
|
}
|
|
|
|
|
2017-10-27 15:39:04 +00:00
|
|
|
func (c *credentialCacher) Approve(what Creds) error {
|
2017-10-27 00:17:45 +00:00
|
|
|
key := credCacheKey(what)
|
|
|
|
|
|
|
|
c.mu.Lock()
|
|
|
|
defer c.mu.Unlock()
|
|
|
|
|
|
|
|
if _, ok := c.creds[key]; ok {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
c.creds[key] = what
|
|
|
|
return credHelperNoOp
|
|
|
|
}
|
|
|
|
|
2017-10-27 15:39:04 +00:00
|
|
|
func (c *credentialCacher) Reject(what Creds) error {
|
2017-10-27 00:17:45 +00:00
|
|
|
key := credCacheKey(what)
|
|
|
|
c.mu.Lock()
|
|
|
|
delete(c.creds, key)
|
|
|
|
c.mu.Unlock()
|
|
|
|
return credHelperNoOp
|
|
|
|
}
|
|
|
|
|
2017-10-27 20:10:46 +00:00
|
|
|
// CredentialHelpers iterates through a slice of CredentialHelper objects
|
2017-10-27 00:34:33 +00:00
|
|
|
// CredentialHelpers is a []CredentialHelper that iterates through each
|
2017-10-27 20:10:46 +00:00
|
|
|
// credential helper to fill, reject, or approve credentials. Typically, the
|
|
|
|
// first success returns immediately. Errors are reported to tracerx, unless
|
|
|
|
// all credential helpers return errors. Any erroring credential helpers are
|
|
|
|
// skipped for future calls.
|
|
|
|
//
|
|
|
|
// A CredentialHelper can return a credHelperNoOp error, signaling that the
|
|
|
|
// CredentialHelpers should try the next one.
|
2017-10-27 00:34:33 +00:00
|
|
|
type CredentialHelpers struct {
|
2017-10-27 00:17:45 +00:00
|
|
|
helpers []CredentialHelper
|
|
|
|
skippedHelpers map[int]bool
|
|
|
|
mu sync.Mutex
|
|
|
|
}
|
|
|
|
|
2017-10-27 20:10:46 +00:00
|
|
|
// NewCredentialHelpers initializes a new CredentialHelpers from the given
|
|
|
|
// slice of CredentialHelper instances.
|
2017-10-27 00:17:45 +00:00
|
|
|
func NewCredentialHelpers(helpers []CredentialHelper) CredentialHelper {
|
2017-10-27 00:34:33 +00:00
|
|
|
return &CredentialHelpers{
|
2017-10-27 00:17:45 +00:00
|
|
|
helpers: helpers,
|
|
|
|
skippedHelpers: make(map[int]bool),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var credHelperNoOp = errors.New("no-op!")
|
|
|
|
|
|
|
|
// Fill implements CredentialHelper.Fill by asking each CredentialHelper in
|
|
|
|
// order to fill the credentials.
|
|
|
|
//
|
|
|
|
// If a fill was successful, it is returned immediately, and no other
|
|
|
|
// `CredentialHelper`s are consulted. If any CredentialHelper returns an error,
|
2017-10-27 20:10:46 +00:00
|
|
|
// it is reported to tracerx, and the next one is attempted. If they all error,
|
|
|
|
// then a collection of all the error messages is returned. Erroring credential
|
|
|
|
// helpers are added to the skip list, and never attempted again for the
|
|
|
|
// lifetime of the current Git LFS command.
|
2017-10-27 15:39:04 +00:00
|
|
|
func (s *CredentialHelpers) Fill(what Creds) (Creds, error) {
|
2017-10-27 00:17:45 +00:00
|
|
|
errs := make([]string, 0, len(s.helpers))
|
|
|
|
for i, h := range s.helpers {
|
|
|
|
if s.skipped(i) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
creds, err := h.Fill(what)
|
|
|
|
if err != nil {
|
|
|
|
if err != credHelperNoOp {
|
|
|
|
s.skip(i)
|
|
|
|
tracerx.Printf("credential fill error: %s", err)
|
|
|
|
errs = append(errs, err.Error())
|
|
|
|
}
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if creds != nil {
|
|
|
|
return creds, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(errs) > 0 {
|
|
|
|
return nil, errors.New("credential fill errors:\n" + strings.Join(errs, "\n"))
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Reject implements CredentialHelper.Reject and rejects the given Creds "what"
|
2017-10-27 20:10:46 +00:00
|
|
|
// with the first successful attempt.
|
2017-10-27 15:39:04 +00:00
|
|
|
func (s *CredentialHelpers) Reject(what Creds) error {
|
2017-10-27 00:17:45 +00:00
|
|
|
for i, h := range s.helpers {
|
|
|
|
if s.skipped(i) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := h.Reject(what); err != credHelperNoOp {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return errors.New("no valid credential helpers to reject")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Approve implements CredentialHelper.Approve and approves the given Creds
|
2017-10-27 20:10:46 +00:00
|
|
|
// "what" with the first successful CredentialHelper. If an error occurrs,
|
|
|
|
// it calls Reject() with the same Creds and returns the error immediately. This
|
|
|
|
// ensures a caching credential helper removes the cache, since the Erroring
|
|
|
|
// CredentialHelper never successfully saved it.
|
2017-10-27 15:39:04 +00:00
|
|
|
func (s *CredentialHelpers) Approve(what Creds) error {
|
2017-10-27 00:17:45 +00:00
|
|
|
skipped := make(map[int]bool)
|
|
|
|
for i, h := range s.helpers {
|
|
|
|
if s.skipped(i) {
|
|
|
|
skipped[i] = true
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := h.Approve(what); err != credHelperNoOp {
|
|
|
|
if err != nil && i > 0 { // clear any cached approvals
|
|
|
|
for j := 0; j < i; j++ {
|
|
|
|
if !skipped[j] {
|
|
|
|
s.helpers[j].Reject(what)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return errors.New("no valid credential helpers to approve")
|
|
|
|
}
|
|
|
|
|
2017-10-27 15:39:04 +00:00
|
|
|
func (s *CredentialHelpers) skip(i int) {
|
2017-10-27 00:17:45 +00:00
|
|
|
s.mu.Lock()
|
|
|
|
s.skippedHelpers[i] = true
|
|
|
|
s.mu.Unlock()
|
|
|
|
}
|
|
|
|
|
2017-10-27 15:39:04 +00:00
|
|
|
func (s *CredentialHelpers) skipped(i int) bool {
|
2017-10-27 00:17:45 +00:00
|
|
|
s.mu.Lock()
|
|
|
|
skipped := s.skippedHelpers[i]
|
|
|
|
s.mu.Unlock()
|
|
|
|
return skipped
|
|
|
|
}
|
|
|
|
|
2017-10-26 22:09:37 +00:00
|
|
|
type nullCredentialHelper struct{}
|
|
|
|
|
|
|
|
var (
|
|
|
|
nullCredError = errors.New("No credential helper configured")
|
2018-09-19 14:40:46 +00:00
|
|
|
NullCreds = &nullCredentialHelper{}
|
2017-10-26 22:09:37 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func (h *nullCredentialHelper) Fill(input Creds) (Creds, error) {
|
|
|
|
return nil, nullCredError
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *nullCredentialHelper) Approve(creds Creds) error {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *nullCredentialHelper) Reject(creds Creds) error {
|
|
|
|
return nil
|
|
|
|
}
|