Merge pull request #2867 from NoEffex/master

Support default TTL for authentication tokens acquired via SSH
2018-06-28 12:53:28 -05:00 · 2018-06-28 12:53:28 -05:00 · 2d37e5811b
commit 2d37e5811b
parent df881bf23a 40dce490b8
3 changed files with 29 additions and 5 deletions
--- a/docs/man/git-lfs-config.5.ronn
+++ b/docs/man/git-lfs-config.5.ronn
@ -303,6 +303,14 @@ be scoped inside the configuration for a remote.
  The default is `true`; you can disable this behaviour and have all files
  writeable by setting either variable to 0, 'no' or 'false'.

+* `lfs.defaulttokenttl`
+
+  This setting sets a default token TTL when git-lfs-authenticate does not
+  include the TTL in the JSON response but still enforces it.
+
+  Note that this is only necessary for larger repositories hosted on LFS
+  servers that don't include the TTL.
+
 ## LFSCONFIG

 The .lfsconfig file in a repository is read and interpreted in the same format
--- a/lfsapi/lfsapi.go
+++ b/lfsapi/lfsapi.go
@ -72,7 +72,7 @@ func NewClient(ctx Context) (*Client, error) {
 	}

 	cacheCreds := gitEnv.Bool("lfs.cachecredentials", true)
-	var sshResolver SSHResolver = &sshAuthClient{os: osEnv}
+	var sshResolver SSHResolver = &sshAuthClient{os: osEnv, git: gitEnv}
 	if cacheCreds {
 		sshResolver = withSSHCache(sshResolver)
 	}
--- a/lfsapi/ssh.go
+++ b/lfsapi/ssh.go
@ -59,18 +59,27 @@ type sshAuthResponse struct {
 	Message   string            `json:"-"`
 	Href      string            `json:"href"`
 	Header    map[string]string `json:"header"`
-	ExpiresAt time.Time         `json:"expires_at"`
-	ExpiresIn int               `json:"expires_in"`
+	ExpiresAt *time.Time        `json:"expires_at"`
+	ExpiresIn *int              `json:"expires_in"`

 	createdAt time.Time
 }

 func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
-	return tools.IsExpiredAtOrIn(r.createdAt, d, r.ExpiresAt, time.Duration(r.ExpiresIn)*time.Second)
+	expiresAt := time.Time{}
+	if r.ExpiresAt != nil {
+		expiresAt = *r.ExpiresAt
+	}
+	expiresIn := 0
+	if r.ExpiresIn != nil {
+		expiresIn = *r.ExpiresIn
+	}
+	return tools.IsExpiredAtOrIn(r.createdAt, d, expiresAt, time.Duration(expiresIn)*time.Second)
 }

 type sshAuthClient struct {
-	os config.Environment
+	os  config.Environment
+	git config.Environment
 }

 func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, error) {
@ -100,6 +109,13 @@ func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, err
 		res.Message = strings.TrimSpace(errbuf.String())
 	} else {
 		err = json.Unmarshal(outbuf.Bytes(), &res)
+		if res.ExpiresIn == nil && res.ExpiresAt == nil {
+			ttl := c.git.Int("lfs.defaulttokenttl", 0)
+			if ttl < 0 {
+				ttl = 0
+			}
+			res.ExpiresIn = &ttl
+		}
 		res.createdAt = now
 	}