"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:
> If we're in auto mode and we got a username and password, set the
> authentication scheme to Basic. libcurl will not send authentication
> proactively unless there's a single choice of allowed authentication,
> and we know in this case we didn't get an authtype entry telling us what
> scheme to use, or we would have taken a different codepath and written
> the header ourselves. In any event, of the other schemes that libcurl
> supports, Digest and NTLM require a nonce or challenge, which means that
> they cannot work with proactive auth, and GSSAPI does not use a username
> and password at all, so Basic is the only logical choice among the
> built-in options.
Nice explanation.
> +http.proactiveAuth::
> + Attempt authentication without first making an unauthenticated attempt and
> + receiving a 401 response. This can be used to ensure that all requests are
> + authenticated. If `http.emptyAuth` is set to true, this value has no effect.
> ++
> +If the credential helper used specifies an authentication scheme (i.e., via the
> +`authtype` field), that value will be used; if a username and password is
> +provided without a scheme, then Basic authentication is used. The value of the
> +option determines the scheme requested from the helper. Possible values are:
> ++
> +--
> +* `basic` - Request Basic authentication from the helper.
> +* `auto` - Allow the helper to pick an appropriate scheme.
> +* `none` - Disable proactive authentication.
> +--
> ++
> +Note that TLS should always be used with this configuration, since otherwise it
> +is easy to accidentally expose plaintext credentials if Basic authentication
> +is selected.
OK.
> @@ -539,6 +552,18 @@ static int http_options(const char *var, const char *value,
> return 0;
> }
>
> + if (!strcmp("http.proactiveauth", var)) {
If we choose to make
[http] proactiveauth ; nothing else on the line
an error, we could do
if (!value)
return config_error_nonbool(var);
and lose all the "we have to make sure value is not NULL before
feeding it to strcmp()" checks below.
Or
if (!value) {
warning(_("http.proactiveauth set to true???"));
return 0;
}
if we wanted to be more lenient (which is more in line with how we
treat unknown string value below).
> + if (value && !strcmp(value, "auto"))
> + http_proactive_auth = PROACTIVE_AUTH_AUTO;
> + else if (value && !strcmp(value, "basic"))
> + http_proactive_auth = PROACTIVE_AUTH_BASIC;
> + else if (value && !strcmp(value, "none"))
> + http_proactive_auth = PROACTIVE_AUTH_NONE;
> + else
> + warning(_("Unknown value for http.proactiveauth"));
> + return 0;
> + }
> +
Other than that I saw nothing puzzling or curious. Looking very
good.
Thanks. Will queue.
