[PATCH v3] credential-cache: respect request capabilities

From: M Hickford <mirth.hickford@xxxxxxxxx>

Previously, credential-cache populated authtype regardless of request.

Signed-off-by: M Hickford <mirth.hickford@xxxxxxxxx>
---
    credential-cache: respect request capabilities

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1842%2Fhickford%2Fcache-capability-v3
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1842/hickford/cache-capability-v3
Pull-Request: https://github.com/gitgitgadget/git/pull/1842

Range-diff vs v2:

 1:  696780d4782 ! 1:  e9851c5c4ac credential-cache: respect request capabilities
     @@ Metadata
       ## Commit message ##
          credential-cache: respect request capabilities
      
     -    Previously, credential-cache responded with capability[]=authtype
     -    regardless of request.
     -
     -    The capabilities in a credential helper response should be a subset of
     -    the capabilities in the request.
     +    Previously, credential-cache populated authtype regardless of request.
      
          Signed-off-by: M Hickford <mirth.hickford@xxxxxxxxx>
      
       ## builtin/credential-cache--daemon.c ##
      @@ builtin/credential-cache--daemon.c: static void serve_one_client(FILE *in, FILE *out)
     - 	else if (!strcmp(action.buf, "get")) {
     - 		struct credential_cache_entry *e = lookup_credential(&c);
     - 		if (e) {
     --			e->item.capa_authtype.request_initial = 1;
     --			e->item.capa_authtype.request_helper = 1;
     --
     --			fprintf(out, "capability[]=authtype\n");
     -+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
     -+				fprintf(out, "capability[]=authtype\n");
     -+			}
     - 			if (e->item.username)
       				fprintf(out, "username=%s\n", e->item.username);
       			if (e->item.password)
       				fprintf(out, "password=%s\n", e->item.password);
     @@ t/lib-credential.sh: helper_test_authtype() {
       		EOF
       	'
       
     -+	test_expect_success "helper ($HELPER) get authtype only if request has authtype capability" '
     ++	test_expect_success "helper ($HELPER) gets authtype and credential only if request has authtype capability" '
      +		check fill $HELPER <<-\EOF
      +		protocol=https
      +		host=git.example.com
      +		--
     ++		capability[]=authtype
      +		protocol=https
      +		host=git.example.com
      +		username=askpass-username
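
Review bot: In the commit-message part of this range-diff, v3 drops the sentence "The capabilities in a credential helper response should be a subset of the capabilities in the request", which was the only stated rationale for the change; consider keeping it. The code part also shows that v2 gated the `capability[]=authtype` output line on the request, while the v3 hunk no longer touches that line, so the message should say whether and where that line is still handled.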


 builtin/credential-cache--daemon.c |  4 ++--
 t/lib-credential.sh                | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
index bc22f5c6d24..e707618e743 100644
--- a/builtin/credential-cache--daemon.c
+++ b/builtin/credential-cache--daemon.c
@@ -142,9 +142,9 @@ static void serve_one_client(FILE *in, FILE *out)
 				fprintf(out, "username=%s\n", e->item.username);
 			if (e->item.password)
 				fprintf(out, "password=%s\n", e->item.password);
-			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
 				fprintf(out, "authtype=%s\n", e->item.authtype);
-			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+			if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
 				fprintf(out, "credential=%s\n", e->item.credential);
 			if (e->item.password_expiry_utc != TIME_MAX)
 				fprintf(out, "password_expiry_utc=%"PRItime"\n",
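
Review bot: The two changed conditions guarding `authtype=` and `credential=` swap CREDENTIAL_OP_HELPER for CREDENTIAL_OP_RESPONSE without a comment, and the one-line commit message does not say what distinguishes the two operations or why the old check passed regardless of the request. A short comment above the first condition would help, since this check decides whether a cached credential is written out to a client that did not announce the capability. The identical `credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)` call is also evaluated twice on adjacent lines; computing it once into a local variable would keep the two fields gated consistently.
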
diff --git a/t/lib-credential.sh b/t/lib-credential.sh
index 58b9c740605..8da0afe9395 100644
--- a/t/lib-credential.sh
+++ b/t/lib-credential.sh
@@ -566,6 +566,22 @@ helper_test_authtype() {
 		EOF
 	'
 
+	test_expect_success "helper ($HELPER) gets authtype and credential only if request has authtype capability" '
+		check fill $HELPER <<-\EOF
+		protocol=https
+		host=git.example.com
+		--
+		capability[]=authtype
+		protocol=https
+		host=git.example.com
+		username=askpass-username
+		password=askpass-password
+		--
+		askpass: Username for '\''https://git.example.com'\'':
+		askpass: Password for '\''https://askpass-username@xxxxxxxxxxxxxxx'\'':
+		EOF
+	'
+
 	test_expect_success "helper ($HELPER) stores authtype and credential with username" '
 		check approve $HELPER <<-\EOF
 		capability[]=authtype
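
Review bot: The added test sends a fill request without `capability[]=authtype` and expects the askpass fallback, but nothing inside the test stores an authtype credential first, so as written it would also pass against an empty cache. Either approve a credential with `capability[]=authtype` inside this test, or add a comment naming the earlier test that leaves the entry in place. The title says "gets authtype and credential only if request has authtype capability" while only the negative case is asserted here; a title that says the helper does not return an authtype credential without the capability would match what is checked.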

base-commit: 92999a42db1c5f43f330e4f2bca4026b5b81576f
-- 
gitgitgadget



