git-lfs/httputil/ntlm.go

package httputil

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"os"
	"strings"
	"sync/atomic"

	"github.com/ThomsonReutersEikon/go-ntlm/ntlm"
	"github.com/github/git-lfs/auth"
	"github.com/github/git-lfs/config"
)

func ntlmClientSession(c *config.Configuration, creds auth.Creds) (ntlm.ClientSession, error) {
	if c.NtlmSession != nil {
		return c.NtlmSession, nil
	}
	splits := strings.Split(creds["username"], "\\")

	if len(splits) != 2 {
		errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")
		return nil, errors.New(errorMessage)
	}

	session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)

	if err != nil {
		return nil, err
	}

	session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))
	c.NtlmSession = session
	return session, nil
}

func doNTLMRequest(request *http.Request, retry bool) (*http.Response, error) {
	handReq, err := cloneRequest(request)
	if err != nil {
		return nil, err
	}

	res, err := NewHttpClient(config.Config, handReq.Host).Do(handReq)
	if err != nil && res == nil {
		return nil, err
	}

	//If the status is 401 then we need to re-authenticate, otherwise it was successful
	if res.StatusCode == 401 {

		creds, err := auth.GetCreds(request)
		if err != nil {
			return nil, err
		}

		negotiateReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		challengeMessage, err := negotiate(negotiateReq, ntlmNegotiateMessage)
		if err != nil {
			return nil, err
		}

		challengeReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		res, err := challenge(challengeReq, challengeMessage, creds)
		if err != nil {
			return nil, err
		}

		//If the status is 401 then we need to re-authenticate
		if res.StatusCode == 401 && retry == true {
			return doNTLMRequest(challengeReq, false)
		}

		auth.SaveCredentials(creds, res)

		return res, nil
	}
	return res, nil
}

func negotiate(request *http.Request, message string) ([]byte, error) {
	request.Header.Add("Authorization", message)
	res, err := NewHttpClient(config.Config, request.Host).Do(request)

	if res == nil && err != nil {
		return nil, err
	}

	io.Copy(ioutil.Discard, res.Body)
	res.Body.Close()

	ret, err := parseChallengeResponse(res)
	if err != nil {
		return nil, err
	}

	return ret, nil
}

func challenge(request *http.Request, challengeBytes []byte, creds auth.Creds) (*http.Response, error) {
	challenge, err := ntlm.ParseChallengeMessage(challengeBytes)
	if err != nil {
		return nil, err
	}

	session, err := ntlmClientSession(config.Config, creds)
	if err != nil {
		return nil, err
	}

	session.ProcessChallengeMessage(challenge)
	authenticate, err := session.GenerateAuthenticateMessage()
	if err != nil {
		return nil, err
	}

	authMsg := base64.StdEncoding.EncodeToString(authenticate.Bytes())
	request.Header.Add("Authorization", "NTLM "+authMsg)
	return NewHttpClient(config.Config, request.Host).Do(request)
}

func parseChallengeResponse(response *http.Response) ([]byte, error) {
	header := response.Header.Get("Www-Authenticate")
	if len(header) < 6 {
		return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)
	}

	//parse out the "NTLM " at the beginning of the response
	challenge := header[5:]
	val, err := base64.StdEncoding.DecodeString(challenge)

	if err != nil {
		return nil, err
	}
	return []byte(val), nil
}

func cloneRequest(request *http.Request) (*http.Request, error) {
	cloneReqBody, err := cloneRequestBody(request)
	if err != nil {
		return nil, err
	}

	clonedReq, err := http.NewRequest(request.Method, request.URL.String(), cloneReqBody)
	if err != nil {
		return nil, err
	}

	for k, _ := range request.Header {
		clonedReq.Header.Add(k, request.Header.Get(k))
	}

	clonedReq.TransferEncoding = request.TransferEncoding
	clonedReq.ContentLength = request.ContentLength

	return clonedReq, nil
}

func cloneRequestBody(req *http.Request) (io.ReadCloser, error) {
	if req.Body == nil {
		return nil, nil
	}

	var cb *cloneableBody
	var err error
	isCloneableBody := true

	// check to see if the request body is already a cloneableBody
	body := req.Body
	if existingCb, ok := body.(*cloneableBody); ok {
		isCloneableBody = false
		cb, err = existingCb.CloneBody()
	} else {
		cb, err = newCloneableBody(req.Body, 0)
	}

	if err != nil {
		return nil, err
	}

	if isCloneableBody {
		cb2, err := cb.CloneBody()
		if err != nil {
			return nil, err
		}

		req.Body = cb2
	}

	return cb, nil
}

type cloneableBody struct {
	bytes  []byte    // in-memory buffer of body
	file   *os.File  // file buffer of in-memory overflow
	reader io.Reader // internal reader for Read()
	closed bool      // tracks whether body is closed
	dup    *dupTracker
}

func newCloneableBody(r io.Reader, limit int64) (*cloneableBody, error) {
	if limit < 1 {
		limit = 1048576 // default
	}

	b := &cloneableBody{}
	buf := &bytes.Buffer{}
	w, err := io.CopyN(buf, r, limit)
	if err != nil && err != io.EOF {
		return nil, err
	}

	b.bytes = buf.Bytes()
	byReader := bytes.NewBuffer(b.bytes)

	if w >= limit {
		tmp, err := ioutil.TempFile("", "git-lfs-clone-reader")
		if err != nil {
			return nil, err
		}

		_, err = io.Copy(tmp, r)
		tmp.Close()
		if err != nil {
			os.RemoveAll(tmp.Name())
			return nil, err
		}

		f, err := os.Open(tmp.Name())
		if err != nil {
			os.RemoveAll(tmp.Name())
			return nil, err
		}

		dups := int32(0)
		b.dup = &dupTracker{name: f.Name(), dups: &dups}
		b.file = f
		b.reader = io.MultiReader(byReader, b.file)
	} else {
		// no file, so set the reader to just the in-memory buffer
		b.reader = byReader
	}

	return b, nil
}

func (b *cloneableBody) Read(p []byte) (int, error) {
	if b.closed {
		return 0, io.EOF
	}
	return b.reader.Read(p)
}

func (b *cloneableBody) Close() error {
	if !b.closed {
		b.closed = true
		if b.file == nil {
			return nil
		}

		b.file.Close()
		b.dup.Rm()
	}
	return nil
}

func (b *cloneableBody) CloneBody() (*cloneableBody, error) {
	if b.closed {
		return &cloneableBody{closed: true}, nil
	}

	b2 := &cloneableBody{bytes: b.bytes}

	if b.file == nil {
		b2.reader = bytes.NewBuffer(b.bytes)
	} else {
		f, err := os.Open(b.file.Name())
		if err != nil {
			return nil, err
		}
		b2.file = f
		b2.reader = io.MultiReader(bytes.NewBuffer(b.bytes), b2.file)
		b2.dup = b.dup
		b.dup.Add()
	}

	return b2, nil
}

type dupTracker struct {
	name string
	dups *int32
}

func (t *dupTracker) Add() {
	atomic.AddInt32(t.dups, 1)
}

func (t *dupTracker) Rm() {
	newval := atomic.AddInt32(t.dups, -1)
	if newval < 0 {
		os.RemoveAll(t.name)
	}
}

const ntlmNegotiateMessage = "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`package httputil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
			`import (`
			`"bytes"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"encoding/base64"`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`"errors"`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`"fmt"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"io"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`"io/ioutil"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"net/http"`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`"os"`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`"strings"`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`"sync/atomic"`
use a standard tracer msg when toggling the auth type 2015-11-06 17:53:56 +00:00
lint: lint all files 2016-05-24 15:30:06 +00:00			`"github.com/ThomsonReutersEikon/go-ntlm/ntlm"`
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`"github.com/github/git-lfs/auth"`
Major refactor to pull things into config, httputil, tools Mainly required to avoid cyclical dependencies when separating other things 2016-05-13 16:38:06 +00:00			`"github.com/github/git-lfs/config"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`)`

Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`func ntlmClientSession(c *config.Configuration, creds auth.Creds) (ntlm.ClientSession, error) {`
Major refactor to pull things into config, httputil, tools Mainly required to avoid cyclical dependencies when separating other things 2016-05-13 16:38:06 +00:00			`if c.NtlmSession != nil {`
			`return c.NtlmSession, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`splits := strings.Split(creds["username"], "\\")`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if len(splits) != 2 {`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")`
			`return nil, errors.New(errorMessage)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix NTLM Domain Handling Logic 2015-10-05 19:55:24 +00:00			`session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))`
Major refactor to pull things into config, httputil, tools Mainly required to avoid cyclical dependencies when separating other things 2016-05-13 16:38:06 +00:00			`c.NtlmSession = session`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return session, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`func doNTLMRequest(request http.Request, retry bool) (http.Response, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`handReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`res, err := NewHttpClient(config.Config, handReq.Host).Do(handReq)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil && res == nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`//If the status is 401 then we need to re-authenticate, otherwise it was successful`
			`if res.StatusCode == 401 {`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`creds, err := auth.GetCreds(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`negotiateReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
a const works just fine here for now 2015-11-06 18:24:17 +00:00			`challengeMessage, err := negotiate(negotiateReq, ntlmNegotiateMessage)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`challengeReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`res, err := challenge(challengeReq, challengeMessage, creds)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If the status is 401 then we need to re-authenticate`
			`if res.StatusCode == 401 && retry == true {`
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`return doNTLMRequest(challengeReq, false)`
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`auth.SaveCredentials(creds, res)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func negotiate(request *http.Request, message string) ([]byte, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`request.Header.Add("Authorization", message)`
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`res, err := NewHttpClient(config.Config, request.Host).Do(request)`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00
Formatting 2015-10-16 15:41:28 +00:00			`if res == nil && err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
			`}`

no need to defer here 2015-11-06 18:20:46 +00:00			`io.Copy(ioutil.Discard, res.Body)`
			`res.Body.Close()`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
no need to defer here 2015-11-06 18:20:46 +00:00			`ret, err := parseChallengeResponse(res)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Formatting 2015-10-16 15:41:28 +00:00			`return ret, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`func challenge(request http.Request, challengeBytes []byte, creds auth.Creds) (http.Response, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`challenge, err := ntlm.ParseChallengeMessage(challengeBytes)`
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Major refactor to pull things into config, httputil, tools Mainly required to avoid cyclical dependencies when separating other things 2016-05-13 16:38:06 +00:00			`session, err := ntlmClientSession(config.Config, creds)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`if err != nil {`
			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`session.ProcessChallengeMessage(challenge)`
			`authenticate, err := session.GenerateAuthenticateMessage()`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
remove some unnecessary helper funcs 2015-11-06 18:20:27 +00:00			`authMsg := base64.StdEncoding.EncodeToString(authenticate.Bytes())`
			`request.Header.Add("Authorization", "NTLM "+authMsg)`
Refactored many api functions to httputil/api package from lfs Also moved ntlm to httputil since too http-specific to be contained in auth 2016-05-16 16:57:37 +00:00			`return NewHttpClient(config.Config, request.Host).Do(request)`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func parseChallengeResponse(response *http.Response) ([]byte, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`header := response.Header.Get("Www-Authenticate")`
protect against potential go panic 2015-11-06 18:20:35 +00:00			`if len(header) < 6 {`
			`return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`//parse out the "NTLM " at the beginning of the response`
			`challenge := header[5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
			`return []byte(val), nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`func cloneRequest(request http.Request) (http.Request, error) {`
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`cloneReqBody, err := cloneRequestBody(request)`
			`if err != nil {`
			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`clonedReq, err := http.NewRequest(request.Method, request.URL.String(), cloneReqBody)`
			`if err != nil {`
			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`for k, _ := range request.Header {`
			`clonedReq.Header.Add(k, request.Header.Get(k))`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
clone the transfer encoding property 2015-11-06 19:31:16 +00:00			`clonedReq.TransferEncoding = request.TransferEncoding`
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`clonedReq.ContentLength = request.ContentLength`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`return clonedReq, nil`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`func cloneRequestBody(req *http.Request) (io.ReadCloser, error) {`
			`if req.Body == nil {`
			`return nil, nil`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`var cb *cloneableBody`
			`var err error`
better var names 2015-11-16 18:46:28 +00:00			`isCloneableBody := true`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00
			`// check to see if the request body is already a cloneableBody`
			`body := req.Body`
			`if existingCb, ok := body.(*cloneableBody); ok {`
better var names 2015-11-16 18:46:28 +00:00			`isCloneableBody = false`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`cb, err = existingCb.CloneBody()`
			`} else {`
			`cb, err = newCloneableBody(req.Body, 0)`
			`}`

extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`if err != nil {`
			`return nil, err`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
better var names 2015-11-16 18:46:28 +00:00			`if isCloneableBody {`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`cb2, err := cb.CloneBody()`
			`if err != nil {`
			`return nil, err`
			`}`

			`req.Body = cb2`
			`}`

			`return cb, nil`
			`}`

			`type cloneableBody struct {`
better var names 2015-11-16 18:46:28 +00:00			`bytes []byte // in-memory buffer of body`
			`file *os.File // file buffer of in-memory overflow`
			`reader io.Reader // internal reader for Read()`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`closed bool // tracks whether body is closed`
			`dup *dupTracker`
			`}`

			`func newCloneableBody(r io.Reader, limit int64) (*cloneableBody, error) {`
			`if limit < 1 {`
			`limit = 1048576 // default`
			`}`

			`b := &cloneableBody{}`
			`buf := &bytes.Buffer{}`
			`w, err := io.CopyN(buf, r, limit)`
			`if err != nil && err != io.EOF {`
			`return nil, err`
			`}`

better var names 2015-11-16 18:46:28 +00:00			`b.bytes = buf.Bytes()`
			`byReader := bytes.NewBuffer(b.bytes)`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00
			`if w >= limit {`
			`tmp, err := ioutil.TempFile("", "git-lfs-clone-reader")`
			`if err != nil {`
			`return nil, err`
			`}`

			`_, err = io.Copy(tmp, r)`
			`tmp.Close()`
			`if err != nil {`
			`os.RemoveAll(tmp.Name())`
			`return nil, err`
			`}`

			`f, err := os.Open(tmp.Name())`
			`if err != nil {`
			`os.RemoveAll(tmp.Name())`
			`return nil, err`
			`}`

			`dups := int32(0)`
			`b.dup = &dupTracker{name: f.Name(), dups: &dups}`
better var names 2015-11-16 18:46:28 +00:00			`b.file = f`
			`b.reader = io.MultiReader(byReader, b.file)`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`} else {`
			`// no file, so set the reader to just the in-memory buffer`
better var names 2015-11-16 18:46:28 +00:00			`b.reader = byReader`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`}`

			`return b, nil`
			`}`

			`func (b *cloneableBody) Read(p []byte) (int, error) {`
			`if b.closed {`
			`return 0, io.EOF`
			`}`
better var names 2015-11-16 18:46:28 +00:00			`return b.reader.Read(p)`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`}`

			`func (b *cloneableBody) Close() error {`
			`if !b.closed {`
			`b.closed = true`
better var names 2015-11-16 18:46:28 +00:00			`if b.file == nil {`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`return nil`
			`}`

better var names 2015-11-16 18:46:28 +00:00			`b.file.Close()`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`b.dup.Rm()`
			`}`
			`return nil`
			`}`

			`func (b cloneableBody) CloneBody() (cloneableBody, error) {`
			`if b.closed {`
			`return &cloneableBody{closed: true}, nil`
			`}`

better var names 2015-11-16 18:46:28 +00:00			`b2 := &cloneableBody{bytes: b.bytes}`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00
better var names 2015-11-16 18:46:28 +00:00			`if b.file == nil {`
			`b2.reader = bytes.NewBuffer(b.bytes)`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`} else {`
better var names 2015-11-16 18:46:28 +00:00			`f, err := os.Open(b.file.Name())`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`if err != nil {`
			`return nil, err`
			`}`
better var names 2015-11-16 18:46:28 +00:00			`b2.file = f`
			`b2.reader = io.MultiReader(bytes.NewBuffer(b.bytes), b2.file)`
only buffer up to 1MB in memory when copying http request bodies 2015-11-06 20:47:45 +00:00			`b2.dup = b.dup`
			`b.dup.Add()`
			`}`

			`return b2, nil`
			`}`

			`type dupTracker struct {`
			`name string`
			`dups *int32`
			`}`

			`func (t *dupTracker) Add() {`
			`atomic.AddInt32(t.dups, 1)`
			`}`

			`func (t *dupTracker) Rm() {`
			`newval := atomic.AddInt32(t.dups, -1)`
			`if newval < 0 {`
			`os.RemoveAll(t.name)`
			`}`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`

a const works just fine here for now 2015-11-06 18:24:17 +00:00			`const ntlmNegotiateMessage = "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"`