From: M Hickford <mirth.hickford@xxxxxxxxx> Previously, credential-cache responded with capability[]=authtype regardless of request. The capabilities in a credential helper response should be a subset of the capabilities in the request. Signed-off-by: M Hickford <mirth.hickford@xxxxxxxxx> --- credential-cache: respect request capabilities Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1842%2Fhickford%2Fcache-capability-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1842/hickford/cache-capability-v1 Pull-Request: https://github.com/gitgitgadget/git/pull/1842 builtin/credential-cache--daemon.c | 11 +++++------ t/lib-credential.sh | 15 +++++++++++++++ t/t0303-credential-external.sh | 1 + 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c index bc22f5c6d24..692216cf83c 100644 --- a/builtin/credential-cache--daemon.c +++ b/builtin/credential-cache--daemon.c @@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out) else if (!strcmp(action.buf, "get")) { struct credential_cache_entry *e = lookup_credential(&c); if (e) { - e->item.capa_authtype.request_initial = 1; - e->item.capa_authtype.request_helper = 1; - - fprintf(out, "capability[]=authtype\n"); + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) { + fprintf(out, "capability[]=authtype\n"); + } if (e->item.username) fprintf(out, "username=%s\n", e->item.username); if (e->item.password) fprintf(out, "password=%s\n", e->item.password); - if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype) + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype) fprintf(out, "authtype=%s\n", e->item.authtype); - if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential) + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential) fprintf(out, "credential=%s\n", e->item.credential); if (e->item.password_expiry_utc != TIME_MAX) fprintf(out, "password_expiry_utc=%"PRItime"\n", diff --git a/t/lib-credential.sh b/t/lib-credential.sh index 58b9c740605..fe170b513fd 100644 --- a/t/lib-credential.sh +++ b/t/lib-credential.sh @@ -566,6 +566,21 @@ helper_test_authtype() { EOF ' + test_expect_success "helper ($HELPER) does not get authtype and credential without authtype capability" ' + check fill $HELPER <<-\EOF + protocol=https + host=git.example.com + -- + protocol=https + host=git.example.com + username=askpass-username + password=askpass-password + -- + askpass: Username for '\''https://git.example.com'\'': + askpass: Password for '\''https://askpass-username@xxxxxxxxxxxxxxx'\'': + EOF + ' + test_expect_success "helper ($HELPER) stores authtype and credential with username" ' check approve $HELPER <<-\EOF capability[]=authtype diff --git a/t/t0303-credential-external.sh b/t/t0303-credential-external.sh index 8aadbe86c45..437eae5002a 100755 --- a/t/t0303-credential-external.sh +++ b/t/t0303-credential-external.sh @@ -63,6 +63,7 @@ helper_test_clean "$GIT_TEST_CREDENTIAL_HELPER" helper_test "$GIT_TEST_CREDENTIAL_HELPER" helper_test_password_expiry_utc "$GIT_TEST_CREDENTIAL_HELPER" helper_test_oauth_refresh_token "$GIT_TEST_CREDENTIAL_HELPER" +helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER" if test -z "$GIT_TEST_CREDENTIAL_HELPER_TIMEOUT"; then say "# skipping timeout tests (GIT_TEST_CREDENTIAL_HELPER_TIMEOUT not set)" base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f -- gitgitgadget