tq: use correct access

For tq requests, use the URL being transferred to for the access mode instead of the LFS API endpoint. Since these endpoints are different, this will ensure credentials aren't passed along needlessly if, for example, the API endpoint requires authentication and the endpoint being transferred to does not.
2018-09-27 16:52:38 -07:00 · 2018-09-27 16:52:38 -07:00 · 3f61ea62f4
commit 3f61ea62f4
parent 95fa7fb5da
5 changed files with 26 additions and 5 deletions
--- a/t/cmd/lfstest-gitserver.go
+++ b/t/cmd/lfstest-gitserver.go
@ -1257,6 +1257,11 @@ func missingRequiredCreds(w http.ResponseWriter, r *http.Request, repo string) b
 	}

 	auth := r.Header.Get("Authorization")
+	if len(auth) == 0 {
+		writeLFSError(w, 401, "Error: Authorization Required")
+		return true
+	}
+
 	user, pass, err := extractAuth(auth)
 	if err != nil {
 		writeLFSError(w, 403, err.Error())
--- a/t/t-credentials.sh
+++ b/t/t-credentials.sh
@ -346,7 +346,10 @@ begin_test "credentials from lfs.url"
  gitserverhost=$(echo "$GITSERVER" | cut -d'/' -f3)
  git config lfs.url http://requirecreds:pass@$gitserverhost/$reponame.git/info/lfs
  git lfs env
-  git lfs push origin master 2>&1 | tee push.log
+  GIT_TRACE=1 git lfs push origin master 2>&1 | tee push.log
+  # A 401 indicates URL access mode for the /storage endpoint
+  # was used instead of for the lfsapi endpoint
+  grep "HTTP: 401" push.log
  grep "Uploading LFS objects:   0% (0/1), 0 B" push.log

  echo "bad fetch"
@ -387,7 +390,10 @@ begin_test "credentials from remote.origin.url"
  gitserverhost=$(echo "$GITSERVER" | cut -d'/' -f3)
  git config remote.origin.url http://requirecreds:pass@$gitserverhost/$reponame.git
  git lfs env
-  git lfs push origin master 2>&1 | tee push.log
+  GIT_TRACE=1 git lfs push origin master 2>&1 | tee push.log
+  # A 401 indicates URL access mode for the /storage endpoint
+  # was used instead of for the lfsapi endpoint
+  grep "HTTP: 401" push.log
  grep "Uploading LFS objects: 100% (1/1), 7 B" push.log

  echo "bad fetch"
--- a/tq/adapterbase.go
+++ b/tq/adapterbase.go
@ -214,7 +214,8 @@ func (a *adapterBase) doHTTP(t *Transfer, req *http.Request) (*http.Response, er
 	if t.Authenticated {
 		return a.apiClient.Do(req)
 	}
-	return a.apiClient.DoAPIRequestWithAuth(a.remote, req)
+	endpoint := endpointURL(req.URL.String(), t.Oid)
+	return a.apiClient.DoWithAuth(a.remote, a.apiClient.Endpoints.AccessFor(endpoint), req, false)
 }

 func advanceCallbackProgress(cb ProgressCallback, t *Transfer, numBytes int64) {
@ -234,3 +235,7 @@ func advanceCallbackProgress(cb ProgressCallback, t *Transfer, numBytes int64) {
 		}
 	}
 }
+
+func endpointURL(rawurl, oid string) string {
+	return strings.Split(rawurl, oid)[0]
+}
--- a/tq/verify.go
+++ b/tq/verify.go
@ -51,7 +51,7 @@ func verifyUpload(c *lfsapi.Client, remote string, t *Transfer) error {
 		if t.Authenticated {
 			res, err = c.Do(req)
 		} else {
-			res, err = c.DoAPIRequestWithAuth(remote, req)
+			res, err = c.DoWithAuth(remote, c.Endpoints.AccessFor(action.Href), req, true)
 		}

 		if err != nil {
--- a/tq/verify_test.go
+++ b/tq/verify_test.go
@ -45,8 +45,13 @@ func TestVerifySuccess(t *testing.T) {
 	}))
 	defer srv.Close()

+	// Set auth on the server URL but not on the /verify endpoint. Since auth
+	// will cause the request to fail, this will test that the correct access
+	// mode is being passed to `DoWithAuth()`
 	c, err := lfsapi.NewClient(lfshttp.NewContext(nil, nil, map[string]string{
-		"lfs.transfer.maxverifies": "1",
+		"lfs.transfer.maxverifies":          "1",
+		"lfs." + srv.URL + ".access":        "Basic",
+		"lfs." + srv.URL + "/verify.access": "None",
 	}))
 	require.Nil(t, err)
 	tr := &Transfer{