From 669c3d754c407d4e6cfc09edceddbccd045f9b72 Mon Sep 17 00:00:00 2001
From: Aaron Jenkins
Date: Wed, 14 Feb 2018 13:58:59 -0800
Subject: [PATCH 1/5] Set ExpiresIn field to lfs.defaulttokenttl if it is not present and the configuration option has been set
---
 lfsapi/lfsapi.go | 2 +-
 lfsapi/ssh.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lfsapi/lfsapi.go b/lfsapi/lfsapi.go
index db20dab8..7184d594 100644
--- a/lfsapi/lfsapi.go
+++ b/lfsapi/lfsapi.go
@@ -72,7 +72,7 @@ func NewClient(ctx Context) (*Client, error) {
 }
 cacheCreds := gitEnv.Bool("lfs.cachecredentials", true)
- var sshResolver SSHResolver = &sshAuthClient{os: osEnv}
+ var sshResolver SSHResolver = &sshAuthClient{os: osEnv, git: gitEnv}
 if cacheCreds {
 sshResolver = withSSHCache(sshResolver)
 }
diff --git a/lfsapi/ssh.go b/lfsapi/ssh.go
index f2dac898..01978e4e 100644
--- a/lfsapi/ssh.go
+++ b/lfsapi/ssh.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ "os"
 "os/exec"
 "path/filepath"
 "regexp"
@@ -71,6 +72,7 @@ func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
 type sshAuthClient struct {
 os config.Environment
+ git config.Environment
 }
 func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, error) {
@@ -100,6 +102,12 @@ func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, err
 res.Message = strings.TrimSpace(errbuf.String())
 } else {
 err = json.Unmarshal(outbuf.Bytes(), &res)
+ if res.ExpiresIn <= 0 {
+ ttl := c.git.Int("lfs.defaulttokenttl", 0)
+ if ttl > 0 {
+ res.ExpiresIn = ttl
+ }
+ }
 res.createdAt = now
 }
From 3cc85ab56c0209dcf0547ce66e1a23613ea52406 Mon Sep 17 00:00:00 2001
From: Aaron Jenkins
Date: Wed, 14 Feb 2018 14:23:46 -0800
Subject: [PATCH 2/5] Update config documentation with new option
---
 docs/man/git-lfs-config.5.ronn | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docs/man/git-lfs-config.5.ronn b/docs/man/git-lfs-config.5.ronn
index 32b3b289..ad7a2746 100644
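Review bot: In the Resolve hunk of lfsapi/ssh.go (patch 1/5), the result of `json.Unmarshal` is stored in `err` but not checked before `res.ExpiresIn` is read, so the `lfs.defaulttokenttl` default is also applied to a response that failed to decode. Guarding the new branch with the error, `if err == nil && res.ExpiresIn <= 0 {`, keeps a malformed git-lfs-authenticate reply from being given a configured lifetime. The rewritten condition in patch 4/5 has the same gap and would read `if err == nil && res.ExpiresIn == nil && res.ExpiresAt == nil {`. Resolve's body starts and ends outside the hunk, so how `err` is finally returned is not visible here.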
--- a/docs/man/git-lfs-config.5.ronn
+++ b/docs/man/git-lfs-config.5.ronn
@@ -303,6 +303,14 @@ be scoped inside the configuration for a remote. The default is `true`; you can disable this behaviour and have all files writeable by setting either variable to 0, 'no' or 'false'.
+* `lfs.defaulttokenttl`
+
+ This setting sets a default token TTL when git-lfs-authenticate does not
+ include the TTL in the JSON response but still enforces it.
+
+ Note that this is only necessary for larger repositories hosted on LFS
+ servers that don't include the TTL.
+
 ## LFSCONFIG
 The .lfsconfig file in a repository is read and interpreted in the same format
From df8436ffefed2264b6da7ccaeb19590fdab19255 Mon Sep 17 00:00:00 2001
From: Aaron Jenkins
Date: Wed, 14 Feb 2018 14:26:47 -0800
Subject: [PATCH 3/5] Remove unused import
---
 lfsapi/ssh.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lfsapi/ssh.go b/lfsapi/ssh.go
index 01978e4e..76ead38d 100644
--- a/lfsapi/ssh.go
+++ b/lfsapi/ssh.go
@@ -4,7 +4,6 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
- "os"
 "os/exec"
 "path/filepath"
 "regexp"
@@ -71,7 +70,7 @@ func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
 }
 type sshAuthClient struct {
- os config.Environment
+ os config.Environment
 git config.Environment
 }
From 85184a365dc486f686468608a0e4b2dcb5ecedf3 Mon Sep 17 00:00:00 2001
From: Aaron Jenkins
Date: Thu, 15 Feb 2018 13:25:55 -0800
Subject: [PATCH 4/5] Change the expiry fields in sshAuthResponse to pointers so it can be determined if they are set by git-lfs-authenticate's response.
---
 lfsapi/ssh.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/lfsapi/ssh.go b/lfsapi/ssh.go
index 76ead38d..71043be2 100644
--- a/lfsapi/ssh.go
+++ b/lfsapi/ssh.go
@@ -59,14 +59,22 @@ type sshAuthResponse struct {
 Message string `json:"-"`
 Href string `json:"href"`
 Header map[string]string `json:"header"`
- ExpiresAt time.Time `json:"expires_at"`
- ExpiresIn int `json:"expires_in"`
+ ExpiresAt *time.Time `json:"expires_at"`
+ ExpiresIn *int `json:"expires_in"`
 createdAt time.Time
 }
 func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
- return tools.IsExpiredAtOrIn(r.createdAt, d, r.ExpiresAt, time.Duration(r.ExpiresIn)*time.Second)
+ expiresAt := time.Now()
+ if r.ExpiresAt != nil {
+ expiresAt = *r.ExpiresAt
+ }
+ expiresIn := 0
+ if r.ExpiresIn != nil {
+ expiresIn = *r.ExpiresIn
+ }
+ return tools.IsExpiredAtOrIn(r.createdAt, d, expiresAt, time.Duration(expiresIn)*time.Second)
 }
 type sshAuthClient struct {
@@ -101,11 +109,12 @@ func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, err
 res.Message = strings.TrimSpace(errbuf.String())
 } else {
 err = json.Unmarshal(outbuf.Bytes(), &res)
- if res.ExpiresIn <= 0 {
+ if res.ExpiresIn == nil && res.ExpiresAt == nil {
 ttl := c.git.Int("lfs.defaulttokenttl", 0)
- if ttl > 0 {
- res.ExpiresIn = ttl
+ if ttl < 0 {
+ ttl = 0
 }
+ res.ExpiresIn = &ttl
 }
 res.createdAt = now
 }
From 40dce490b83355c0cc6f0719a856bd58dcc67a7a Mon Sep 17 00:00:00 2001
From: Aaron Jenkins
Date: Thu, 15 Feb 2018 14:03:15 -0800
Subject: [PATCH 5/5] Change the default value of ExpiresAt to zero time instead of time.Now()
---
 lfsapi/ssh.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lfsapi/ssh.go b/lfsapi/ssh.go
index 71043be2..2659d1e4 100644
--- a/lfsapi/ssh.go
+++ b/lfsapi/ssh.go
@@ -66,7 +66,7 @@ type sshAuthResponse struct {
 }
 func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
- expiresAt := time.Now()
+ expiresAt := time.Time{}
 if r.ExpiresAt != nil {
 expiresAt = *r.ExpiresAt
 }
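Review bot: In the Resolve hunk of patch 4/5, `ttl` from `lfs.defaulttokenttl` is clamped only from below (`if ttl < 0`), so any larger value is accepted and later multiplied in IsExpiredWithin as `time.Duration(expiresIn)*time.Second`, which wraps once the value exceeds roughly 9.2e9 seconds on a 64-bit `int`. The man-page text in patch 2/5 says the server still enforces its own TTL, so a configured value above the server's real lifetime would presumably make the client treat an already-expired token as fresh. I would cap the value against a package constant (the name is only a suggestion), `if ttl < 0 || ttl > maxDefaultTokenTTL { ttl = 0 }`, and add the comment `// lfs.defaulttokenttl is in seconds; it must not exceed the lifetime the server enforces.` The unit is inferred from the `time.Second` multiplication. Resolve's body starts and ends outside the hunk.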
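Review bot: IsExpiredWithin in the patch 5/5 hunk has no comment saying what a nil `ExpiresAt` or `ExpiresIn` means, and the new `time.Time{}` fallback is only correct if `tools.IsExpiredAtOrIn` treats a zero time as "no absolute expiry", which is not visible on this page. A doc comment would make that dependency explicit: `// IsExpiredWithin passes the zero time or a zero duration for a field the server did not send; tools.IsExpiredAtOrIn is expected to ignore zero values.` As a style point, `var expiresAt time.Time` is the usual Go spelling of the zero value. The function body ends outside the hunk.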