mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

credential: add support for multistage credential rounds

Browse Source 
Over HTTP, NTLM and Kerberos require two rounds of authentication on the
client side.  It's possible that there are custom authentication schemes
that also implement this same approach.  Since these are tricky schemes
to implement and the HTTP library in use may not always handle them
gracefully on all systems, it would be helpful to allow the credential
helper to implement them instead for increased portability and
robustness.

To allow this to happen, add a boolean flag, continue, that indicates
that instead of failing when we get a 401, we should retry another round
of authentication.  However, this necessitates some changes in our
current credential code so that we can make this work.

Keep the state[] headers between iterations, but only use them to send
to the helper and only consider the new ones we read from the credential
helper to be valid on subsequent iterations.  That avoids us passing
stale data when we finally approve or reject the credential.  Similarly,
clear the multistage and wwwauth[] values appropriately so that we
don't pass stale data or think we're trying a multiround response when
we're not.  Remove the credential values so that we can actually fill a
second time with new responses.

Limit the number of iterations of reauthentication we do to 3.  This
means that if there's a problem, we'll terminate with an error message
instead of retrying indefinitely and not informing the user (and
possibly conducting a DoS on the server).

In our tests, handle creating multiple response output files from our
helper so we can verify that each of the messages sent is correct.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
brian m. carlson
2024-04-17 00:02:37 +00:00
committed by Junio C Hamano
parent 37417b7717
commit ac4c7cbfaa
6 changed files with 185 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Documentation/git-credential.txt
View File

@ -222,6 +222,19 @@ provided on input.
This value should not be sent unless the appropriate capability (see below) is
provided on input.
`continue`::
This is a boolean value, which, if enabled, indicates that this
authentication is a non-final part of a multistage authentication step. This
is common in protocols such as NTLM and Kerberos, where two rounds of client
authentication are required, and setting this flag allows the credential
helper to implement the multistage authentication step. This flag should
only be sent if a further stage is required; that is, if another round of
authentication is expected.
+
This value should not be sent unless the appropriate capability (see below) is
provided on input. This attribute is 'one-way' from a credential helper to
pass information to Git (or other programs invoking `git credential`).
`wwwauth[]`::
When an HTTP response is received by Git that includes one or more