credential-cache: respect request capabilities
Previously, credential-cache responded with capability[]=authtype
regardless of request.

The capabilities in a credential helper response should be a subset of
the capabilities in the request.
hickford committed Dec 19, 2024
1 parent 92999a4 commit 945b5c5
Showing 3 changed files with 21 additions and 6 deletions.
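--- a/builtin/credential-cache--daemon.c
+++ b/builtin/credential-cache--daemon.c
@@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
 else if (!strcmp(action.buf, "get")) {
 struct credential_cache_entry *e = lookup_credential(&c);
 if (e) {
-e->item.capa_authtype.request_initial = 1;
-e->item.capa_authtype.request_helper = 1;
-
-fprintf(out, "capability[]=authtype\n");
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
+fprintf(out, "capability[]=authtype\n");
+}
 if (e->item.username)
 fprintf(out, "username=%s\n", e->item.username);
 if (e->item.password)
 fprintf(out, "password=%s\n", e->item.password);
-if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
 fprintf(out, "authtype=%s\n", e->item.authtype);
-if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
 fprintf(out, "credential=%s\n", e->item.credential);
 if (e->item.password_expiry_utc != TIME_MAX)
 fprintf(out, "password_expiry_utc=%"PRItime"\n",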
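Review bot: The capability gate `credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)` is now evaluated in three separate places (the `capability[]=authtype` line, `authtype=` and `credential=`), so a field added later could miss it and hand the cached secret to a client that never advertised the capability. Evaluating it once, e.g. `int send_authtype = credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE);`, and testing `send_authtype` at all three sites keeps the decision in one spot, and a short comment such as `/* only echo authtype fields the request asked for */` would explain why the RESPONSE op is checked rather than HELPER. The braces around the single `fprintf` also differ from the unbraced `if`s that follow. `password_expiry_utc` is still written unconditionally, so an entry holding only `authtype`/`credential` presumably produces a reply with an expiry and no secret when the capability is absent; serve_one_client continues outside the hunk, so that case is worth confirming there.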
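--- a/t/lib-credential.sh
+++ b/t/lib-credential.sh
@@ -566,6 +566,21 @@ helper_test_authtype() {
 EOF
 '
 
+test_expect_success "helper ($HELPER) does not get authtype and credential without authtype capability" '
+check fill $HELPER <<-\EOF
+protocol=https
+host=git.example.com
+--
+protocol=https
+host=git.example.com
+username=askpass-username
+password=askpass-password
+--
+askpass: Username for '\''https://git.example.com'\'':
+askpass: Password for '\''https://[email protected]'\'':
+EOF
+'
+
 test_expect_success "helper ($HELPER) stores authtype and credential with username" '
 check approve $HELPER <<-\EOF
 capability[]=authtype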
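Review bot: The new test stores nothing itself, so it presumably depends on an authtype entry for git.example.com approved by an earlier test in helper_test_authtype, which lies outside the hunk. If that entry is absent, the helper returns nothing and the askpass fallback produces the same expected output, so the test would pass without exercising the capability check at all. A comment such as `# relies on the authtype credential stored earlier for git.example.com` would make the ordering dependency explicit. The expected output also only covers an entry that has no username or password of its own; whether a mixed entry is covered elsewhere cannot be seen from here.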
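--- a/t/t0303-credential-external.sh
+++ b/t/t0303-credential-external.sh
@@ -63,6 +63,7 @@ helper_test_clean "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test_password_expiry_utc "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test_oauth_refresh_token "$GIT_TEST_CREDENTIAL_HELPER"
+helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER"
 
 if test -z "$GIT_TEST_CREDENTIAL_HELPER_TIMEOUT"; then
 say "# skipping timeout tests (GIT_TEST_CREDENTIAL_HELPER_TIMEOUT not set)"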
