From: Matthew John Cheetham <mjcheetham@xxxxxxxxxxx> Introduce a new credential field `authtype` that can be used by credential helpers to indicate the type of the credential or authentication mechanism to use for a request. Modify http.c to now specify the correct authentication scheme or credential type when authenticating the curl handle. If the new `authtype` field in the credential structure is `NULL` or "Basic" then use the existing username/password options. If the field is "Bearer" then use the OAuth bearer token curl option. Otherwise, the `authtype` field is the authentication scheme and the `password` field is the raw, unencoded value. Signed-off-by: Matthew John Cheetham <mjcheetham@xxxxxxxxxxx> --- Documentation/git-credential.txt | 12 ++++++++++++ credential.c | 5 +++++ credential.h | 1 + git-curl-compat.h | 10 ++++++++++ http.c | 24 +++++++++++++++++++++--- 5 files changed, 49 insertions(+), 3 deletions(-) diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index 791a57dddfb..9069bfb2d50 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -175,6 +175,18 @@ username in the example above) will be left unset. attribute 'wwwauth[]', where the order of the attributes is the same as they appear in the HTTP response. +`authtype`:: + + Indicates the type of authentication scheme that should be used by Git. + Credential helpers may reply to a request from Git with this attribute, + such that subsequent authenticated requests include the correct + `Authorization` header. + If this attribute is not present, the default value is "Basic". + Known values include "Basic", "Digest", and "Bearer". + If an unknown value is provided, this is taken as the authentication + scheme for the `Authorization` header, and the `password` field is + used as the raw unencoded authorization parameters of the same header. + GIT --- Part of the linkgit:git[1] suite diff --git a/credential.c b/credential.c index 8a3ad6c0ae2..a556f9f375a 100644 --- a/credential.c +++ b/credential.c @@ -21,6 +21,7 @@ void credential_clear(struct credential *c) free(c->path); free(c->username); free(c->password); + free(c->authtype); string_list_clear(&c->helpers, 0); strvec_clear(&c->wwwauth_headers); @@ -235,6 +236,9 @@ int credential_read(struct credential *c, FILE *fp) } else if (!strcmp(key, "path")) { free(c->path); c->path = xstrdup(value); + } else if (!strcmp(key, "authtype")) { + free(c->authtype); + c->authtype = xstrdup(value); } else if (!strcmp(key, "url")) { credential_from_url(c, value); } else if (!strcmp(key, "quit")) { @@ -281,6 +285,7 @@ void credential_write(const struct credential *c, FILE *fp) credential_write_item(fp, "path", c->path, 0); credential_write_item(fp, "username", c->username, 0); credential_write_item(fp, "password", c->password, 0); + credential_write_item(fp, "authtype", c->authtype, 0); credential_write_strvec(fp, "wwwauth", &c->wwwauth_headers); } diff --git a/credential.h b/credential.h index 6f2e5bc610b..8d580b054d0 100644 --- a/credential.h +++ b/credential.h @@ -140,6 +140,7 @@ struct credential { char *protocol; char *host; char *path; + char *authtype; }; #define CREDENTIAL_INIT { \ diff --git a/git-curl-compat.h b/git-curl-compat.h index 56a83b6bbd8..839049f6dfe 100644 --- a/git-curl-compat.h +++ b/git-curl-compat.h @@ -126,4 +126,14 @@ #define GIT_CURL_HAVE_CURLSSLSET_NO_BACKENDS #endif +/** + * CURLAUTH_BEARER was added in 7.61.0, released in July 2018. + * However, only 7.69.0 fixes a bug where Bearer headers were not + * actually sent with reused connections on subsequent transfers + * (curl/curl@dea17b519dc1). + */ +#if LIBCURL_VERSION_NUM >= 0x074500 +#define GIT_CURL_HAVE_CURLAUTH_BEARER +#endif + #endif diff --git a/http.c b/http.c index 17b47195d22..ac620bcbf0c 100644 --- a/http.c +++ b/http.c @@ -517,7 +517,8 @@ static int curl_empty_auth_enabled(void) static void init_curl_http_auth(struct active_request_slot *slot) { - if (!http_auth.username || !*http_auth.username) { + if (!http_auth.authtype && + (!http_auth.username || !*http_auth.username)) { if (curl_empty_auth_enabled()) curl_easy_setopt(slot->curl, CURLOPT_USERPWD, ":"); return; @@ -525,8 +526,25 @@ static void init_curl_http_auth(struct active_request_slot *slot) credential_fill(&http_auth); - curl_easy_setopt(slot->curl, CURLOPT_USERNAME, http_auth.username); - curl_easy_setopt(slot->curl, CURLOPT_PASSWORD, http_auth.password); + if (!http_auth.authtype || !strcasecmp(http_auth.authtype, "basic") + || !strcasecmp(http_auth.authtype, "digest")) { + curl_easy_setopt(slot->curl, CURLOPT_USERNAME, + http_auth.username); + curl_easy_setopt(slot->curl, CURLOPT_PASSWORD, + http_auth.password); +#ifdef GIT_CURL_HAVE_CURLAUTH_BEARER + } else if (!strcasecmp(http_auth.authtype, "bearer")) { + curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, CURLAUTH_BEARER); + curl_easy_setopt(slot->curl, CURLOPT_XOAUTH2_BEARER, + http_auth.password); +#endif + } else { + struct strbuf auth = STRBUF_INIT; + strbuf_addf(&auth, "Authorization: %s %s", + http_auth.authtype, http_auth.password); + slot->headers = curl_slist_append(slot->headers, auth.buf); + strbuf_release(&auth); + } } /* *var must be free-able */ -- gitgitgadget