On Sat, Mar 06, 2021 at 05:52:53PM -0500, John Szakmeister wrote: > We already looked for the PKI credentials in the credential store, but > failed to approve it on success. Meaning, the PKI certificate password > was never stored and git would request it on every connection to the > remote. Let's complete the chain by storing the certificate password on > success. > > Signed-off-by: John Szakmeister <john@xxxxxxxxxxxxxxx> > --- > > I'm not sure if certificate passwords were not stored for some reason, but > searching the archives I didn't see a mention of it. Hopefully this is > acceptable. I did try this in an environment where we have client SSL certs and > this made the user experience much better. I think it was just something that nobody ever cared about before. The cert password request got converted to credential_fill() as part of 148bb6a7b4 (http: use credential API to get passwords, 2011-12-10). That commit added approve/reject for http, because that's what I really cared about, but the intent was always to treat most password queries consistently. > diff --git a/http.c b/http.c > index f8ea28bb2e..440890695f 100644 > --- a/http.c > +++ b/http.c > @@ -1637,6 +1637,8 @@ static int handle_curl_result(struct slot_results *results) > credential_approve(&http_auth); > if (proxy_auth.password) > credential_approve(&proxy_auth); > + if (cert_auth.password) > + credential_approve(&cert_auth); So I think this is the right direction, but: - you'd need a credential_reject() somewhere, too. Otherwise a bad password will get stored and then reused over and over, with no opportunity to tell the helper to forget about it. - is this the best spot to check that our password was right? We only care about unlocking the local cert, which in theory is independent of what the server tells us. I suspect we can't really tell the difference, though (we hand the cert path and password off to curl, and then hopefully a request is successful). So this may be the best we can do for approval. But for rejection, I doubt that a 401 would be the right response. How does curl respond when the password is bad? Likewise, what happens if the password is bad but the server is willing to make the request anyway (does curl bail immediately, or might we get an HTTP 200 even with a bad cert password)? - I think proxy_cert_auth would probably want the same treatment. - The "if (cert_auth.password)" is redundant. credential_approve() will return silently if there is no password to approve. I know you're copying the pattern from directly above, but I think that one should be cleaned up, too. (I also was mildly surprised that this worked at all, since credential_approve() will bail if there is no username field. But the cert code fills in an empty username). Most of those are "nice to have" improvements over what you have here, but I think without a matching reject() this would be a regression. -Peff