search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
repository: avoid leaking `fsmonitor` data
[git.git] / credential.c
blobf32011343f9400a80cb9999fe75e0eeefde48146
1 #include "cache.h"
2 #include "config.h"
3 #include "credential.h"
4 #include "string-list.h"
5 #include "run-command.h"
6 #include "url.h"
7 #include "prompt.h"
8 #include "sigchain.h"
9 #include "urlmatch.h"
10 #include "git-compat-util.h"
11
12 void credential_init(struct credential *c)
13 {
14 struct credential blank = CREDENTIAL_INIT;
15 memcpy(c, &blank, sizeof(*c));
16 }
17
18 void credential_clear(struct credential *c)
19 {
20 free(c->protocol);
21 free(c->host);
22 free(c->path);
23 free(c->username);
24 free(c->password);
25 string_list_clear(&c->helpers, 0);
26
27 credential_init(c);
28 }
29
30 int credential_match(const struct credential *want,
31 const struct credential *have)
32 {
33 #define CHECK(x) (!want->x || (have->x && !strcmp(want->x, have->x)))
34 return CHECK(protocol) &&
35 CHECK(host) &&
36 CHECK(path) &&
37 CHECK(username);
38 #undef CHECK
39 }
40
41
42 static int credential_from_potentially_partial_url(struct credential *c,
43 const char *url);
44
45 static int credential_config_callback(const char *var, const char *value,
46 void *data)
47 {
48 struct credential *c = data;
49 const char *key;
50
51 if (!skip_prefix(var, "credential.", &key))
52 return 0;
53
54 if (!value)
55 return config_error_nonbool(var);
56
57 if (!strcmp(key, "helper")) {
58 if (*value)
59 string_list_append(&c->helpers, value);
60 else
61 string_list_clear(&c->helpers, 0);
62 } else if (!strcmp(key, "username")) {
63 if (!c->username_from_proto) {
64 free(c->username);
65 c->username = xstrdup(value);
66 }
67 }
68 else if (!strcmp(key, "usehttppath"))
69 c->use_http_path = git_config_bool(var, value);
70
71 return 0;
72 }
73
74 static int proto_is_http(const char *s)
75 {
76 if (!s)
77 return 0;
78 return !strcmp(s, "https") || !strcmp(s, "http");
79 }
80
81 static void credential_describe(struct credential *c, struct strbuf *out);
82 static void credential_format(struct credential *c, struct strbuf *out);
83
84 static int select_all(const struct urlmatch_item *a,
85 const struct urlmatch_item *b)
86 {
87 return 0;
88 }
89
90 static int match_partial_url(const char *url, void *cb)
91 {
92 struct credential *c = cb;
93 struct credential want = CREDENTIAL_INIT;
94 int matches = 0;
95
96 if (credential_from_potentially_partial_url(&want, url) < 0)
97 warning(_("skipping credential lookup for key: credential.%s"),
98 url);
99 else
100 matches = credential_match(&want, c);
101 credential_clear(&want);
102
103 return matches;
104 }
105
106 static void credential_apply_config(struct credential *c)
107 {
108 char *normalized_url;
109 struct urlmatch_config config = URLMATCH_CONFIG_INIT;
110 struct strbuf url = STRBUF_INIT;
111
112 if (!c->host)
113 die(_("refusing to work with credential missing host field"));
114 if (!c->protocol)
115 die(_("refusing to work with credential missing protocol field"));
116
117 if (c->configured)
118 return;
119
120 config.section = "credential";
121 config.key = NULL;
122 config.collect_fn = credential_config_callback;
123 config.cascade_fn = NULL;
124 config.select_fn = select_all;
125 config.fallback_match_fn = match_partial_url;
126 config.cb = c;
127
128 credential_format(c, &url);
129 normalized_url = url_normalize(url.buf, &config.url);
130
131 git_config(urlmatch_config_entry, &config);
132 string_list_clear(&config.vars, 1);
133 free(normalized_url);
134 urlmatch_config_release(&config);
135 strbuf_release(&url);
136
137 c->configured = 1;
138
139 if (!c->use_http_path && proto_is_http(c->protocol)) {
140 FREE_AND_NULL(c->path);
141 }
142 }
143
144 static void credential_describe(struct credential *c, struct strbuf *out)
145 {
146 if (!c->protocol)
147 return;
148 strbuf_addf(out, "%s://", c->protocol);
149 if (c->username && *c->username)
150 strbuf_addf(out, "%s@", c->username);
151 if (c->host)
152 strbuf_addstr(out, c->host);
153 if (c->path)
154 strbuf_addf(out, "/%s", c->path);
155 }
156
157 static void credential_format(struct credential *c, struct strbuf *out)
158 {
159 if (!c->protocol)
160 return;
161 strbuf_addf(out, "%s://", c->protocol);
162 if (c->username && *c->username) {
163 strbuf_add_percentencode(out, c->username, STRBUF_ENCODE_SLASH);
164 strbuf_addch(out, '@');
165 }
166 if (c->host)
167 strbuf_addstr(out, c->host);
168 if (c->path) {
169 strbuf_addch(out, '/');
170 strbuf_add_percentencode(out, c->path, 0);
171 }
172 }
173
174 static char *credential_ask_one(const char *what, struct credential *c,
175 int flags)
176 {
177 struct strbuf desc = STRBUF_INIT;
178 struct strbuf prompt = STRBUF_INIT;
179 char *r;
180
181 credential_describe(c, &desc);
182 if (desc.len)
183 strbuf_addf(&prompt, "%s for '%s': ", what, desc.buf);
184 else
185 strbuf_addf(&prompt, "%s: ", what);
186
187 r = git_prompt(prompt.buf, flags);
188
189 strbuf_release(&desc);
190 strbuf_release(&prompt);
191 return xstrdup(r);
192 }
193
194 static void credential_getpass(struct credential *c)
195 {
196 if (!c->username)
197 c->username = credential_ask_one("Username", c,
198 PROMPT_ASKPASS|PROMPT_ECHO);
199 if (!c->password)
200 c->password = credential_ask_one("Password", c,
201 PROMPT_ASKPASS);
202 }
203
204 int credential_read(struct credential *c, FILE *fp)
205 {
206 struct strbuf line = STRBUF_INIT;
207
208 while (strbuf_getline(&line, fp) != EOF) {
209 char *key = line.buf;
210 char *value = strchr(key, '=');
211
212 if (!line.len)
213 break;
214
215 if (!value) {
216 warning("invalid credential line: %s", key);
217 strbuf_release(&line);
218 return -1;
219 }
220 *value++ = '\0';
221
222 if (!strcmp(key, "username")) {
223 free(c->username);
224 c->username = xstrdup(value);
225 c->username_from_proto = 1;
226 } else if (!strcmp(key, "password")) {
227 free(c->password);
228 c->password = xstrdup(value);
229 } else if (!strcmp(key, "protocol")) {
230 free(c->protocol);
231 c->protocol = xstrdup(value);
232 } else if (!strcmp(key, "host")) {
233 free(c->host);
234 c->host = xstrdup(value);
235 } else if (!strcmp(key, "path")) {
236 free(c->path);
237 c->path = xstrdup(value);
238 } else if (!strcmp(key, "password_expiry_utc")) {
239 errno = 0;
240 c->password_expiry_utc = parse_timestamp(value, NULL, 10);
241 if (c->password_expiry_utc == 0 || errno == ERANGE)
242 c->password_expiry_utc = TIME_MAX;
243 } else if (!strcmp(key, "url")) {
244 credential_from_url(c, value);
245 } else if (!strcmp(key, "quit")) {
246 c->quit = !!git_config_bool("quit", value);
247 }
248 /*
249 * Ignore other lines; we don't know what they mean, but
250 * this future-proofs us when later versions of git do
251 * learn new lines, and the helpers are updated to match.
252 */
253 }
254
255 strbuf_release(&line);
256 return 0;
257 }
258
259 static void credential_write_item(FILE *fp, const char *key, const char *value,
260 int required)
261 {
262 if (!value && required)
263 BUG("credential value for %s is missing", key);
264 if (!value)
265 return;
266 if (strchr(value, '\n'))
267 die("credential value for %s contains newline", key);
268 fprintf(fp, "%s=%s\n", key, value);
269 }
270
271 void credential_write(const struct credential *c, FILE *fp)
272 {
273 credential_write_item(fp, "protocol", c->protocol, 1);
274 credential_write_item(fp, "host", c->host, 1);
275 credential_write_item(fp, "path", c->path, 0);
276 credential_write_item(fp, "username", c->username, 0);
277 credential_write_item(fp, "password", c->password, 0);
278 if (c->password_expiry_utc != TIME_MAX) {
279 char *s = xstrfmt("%"PRItime, c->password_expiry_utc);
280 credential_write_item(fp, "password_expiry_utc", s, 0);
281 free(s);
282 }
283 }
284
285 static int run_credential_helper(struct credential *c,
286 const char *cmd,
287 int want_output)
288 {
289 struct child_process helper = CHILD_PROCESS_INIT;
290 FILE *fp;
291
292 strvec_push(&helper.args, cmd);
293 helper.use_shell = 1;
294 helper.in = -1;
295 if (want_output)
296 helper.out = -1;
297 else
298 helper.no_stdout = 1;
299
300 if (start_command(&helper) < 0)
301 return -1;
302
303 fp = xfdopen(helper.in, "w");
304 sigchain_push(SIGPIPE, SIG_IGN);
305 credential_write(c, fp);
306 fclose(fp);
307 sigchain_pop(SIGPIPE);
308
309 if (want_output) {
310 int r;
311 fp = xfdopen(helper.out, "r");
312 r = credential_read(c, fp);
313 fclose(fp);
314 if (r < 0) {
315 finish_command(&helper);
316 return -1;
317 }
318 }
319
320 if (finish_command(&helper))
321 return -1;
322 return 0;
323 }
324
325 static int credential_do(struct credential *c, const char *helper,
326 const char *operation)
327 {
328 struct strbuf cmd = STRBUF_INIT;
329 int r;
330
331 if (helper[0] == '!')
332 strbuf_addstr(&cmd, helper + 1);
333 else if (is_absolute_path(helper))
334 strbuf_addstr(&cmd, helper);
335 else
336 strbuf_addf(&cmd, "git credential-%s", helper);
337
338 strbuf_addf(&cmd, " %s", operation);
339 r = run_credential_helper(c, cmd.buf, !strcmp(operation, "get"));
340
341 strbuf_release(&cmd);
342 return r;
343 }
344
345 void credential_fill(struct credential *c)
346 {
347 int i;
348
349 if (c->username && c->password)
350 return;
351
352 credential_apply_config(c);
353
354 for (i = 0; i < c->helpers.nr; i++) {
355 credential_do(c, c->helpers.items[i].string, "get");
356 if (c->password_expiry_utc < time(NULL)) {
357 /* Discard expired password */
358 FREE_AND_NULL(c->password);
359 /* Reset expiry to maintain consistency */
360 c->password_expiry_utc = TIME_MAX;
361 }
362 if (c->username && c->password)
363 return;
364 if (c->quit)
365 die("credential helper '%s' told us to quit",
366 c->helpers.items[i].string);
367 }
368
369 credential_getpass(c);
370 if (!c->username && !c->password)
371 die("unable to get password from user");
372 }
373
374 void credential_approve(struct credential *c)
375 {
376 int i;
377
378 if (c->approved)
379 return;
380 if (!c->username || !c->password || c->password_expiry_utc < time(NULL))
381 return;
382
383 credential_apply_config(c);
384
385 for (i = 0; i < c->helpers.nr; i++)
386 credential_do(c, c->helpers.items[i].string, "store");
387 c->approved = 1;
388 }
389
390 void credential_reject(struct credential *c)
391 {
392 int i;
393
394 credential_apply_config(c);
395
396 for (i = 0; i < c->helpers.nr; i++)
397 credential_do(c, c->helpers.items[i].string, "erase");
398
399 FREE_AND_NULL(c->username);
400 FREE_AND_NULL(c->password);
401 c->password_expiry_utc = TIME_MAX;
402 c->approved = 0;
403 }
404
405 static int check_url_component(const char *url, int quiet,
406 const char *name, const char *value)
407 {
408 if (!value)
409 return 0;
410 if (!strchr(value, '\n'))
411 return 0;
412
413 if (!quiet)
414 warning(_("url contains a newline in its %s component: %s"),
415 name, url);
416 return -1;
417 }
418
419 /*
420 * Potentially-partial URLs can, but do not have to, contain
421 *
422 * - a protocol (or scheme) of the form "<protocol>://"
423 *
424 * - a host name (the part after the protocol and before the first slash after
425 * that, if any)
426 *
427 * - a user name and potentially a password (as "<user>[:<password>]@" part of
428 * the host name)
429 *
430 * - a path (the part after the host name, if any, starting with the slash)
431 *
432 * Missing parts will be left unset in `struct credential`. Thus, `https://`
433 * will have only the `protocol` set, `example.com` only the host name, and
434 * `/git` only the path.
435 *
436 * Note that an empty host name in an otherwise fully-qualified URL (e.g.
437 * `cert:///path/to/cert.pem`) will be treated as unset if we expect the URL to
438 * be potentially partial, and only then (otherwise, the empty string is used).
439 *
440 * The credential_from_url() function does not allow partial URLs.
441 */
442 static int credential_from_url_1(struct credential *c, const char *url,
443 int allow_partial_url, int quiet)
444 {
445 const char *at, *colon, *cp, *slash, *host, *proto_end;
446
447 credential_clear(c);
448
449 /*
450 * Match one of:
451 * (1) proto://<host>/...
452 * (2) proto://<user>@<host>/...
453 * (3) proto://<user>:<pass>@<host>/...
454 */
455 proto_end = strstr(url, "://");
456 if (!allow_partial_url && (!proto_end || proto_end == url)) {
457 if (!quiet)
458 warning(_("url has no scheme: %s"), url);
459 return -1;
460 }
461 cp = proto_end ? proto_end + 3 : url;
462 at = strchr(cp, '@');
463 colon = strchr(cp, ':');
464
465 /*
466 * A query or fragment marker before the slash ends the host portion.
467 * We'll just continue to call this "slash" for simplicity. Notably our
468 * "trim leading slashes" part won't skip over this part of the path,
469 * but that's what we'd want.
470 */
471 slash = cp + strcspn(cp, "/?#");
472
473 if (!at || slash <= at) {
474 /* Case (1) */
475 host = cp;
476 }
477 else if (!colon || at <= colon) {
478 /* Case (2) */
479 c->username = url_decode_mem(cp, at - cp);
480 if (c->username && *c->username)
481 c->username_from_proto = 1;
482 host = at + 1;
483 } else {
484 /* Case (3) */
485 c->username = url_decode_mem(cp, colon - cp);
486 if (c->username && *c->username)
487 c->username_from_proto = 1;
488 c->password = url_decode_mem(colon + 1, at - (colon + 1));
489 host = at + 1;
490 }
491
492 if (proto_end && proto_end - url > 0)
493 c->protocol = xmemdupz(url, proto_end - url);
494 if (!allow_partial_url || slash - host > 0)
495 c->host = url_decode_mem(host, slash - host);
496 /* Trim leading and trailing slashes from path */
497 while (*slash == '/')
498 slash++;
499 if (*slash) {
500 char *p;
501 c->path = url_decode(slash);
502 p = c->path + strlen(c->path) - 1;
503 while (p > c->path && *p == '/')
504 *p-- = '\0';
505 }
506
507 if (check_url_component(url, quiet, "username", c->username) < 0 ||
508 check_url_component(url, quiet, "password", c->password) < 0 ||
509 check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
510 check_url_component(url, quiet, "host", c->host) < 0 ||
511 check_url_component(url, quiet, "path", c->path) < 0)
512 return -1;
513
514 return 0;
515 }
516
517 static int credential_from_potentially_partial_url(struct credential *c,
518 const char *url)
519 {
520 return credential_from_url_1(c, url, 1, 0);
521 }
522
523 int credential_from_url_gently(struct credential *c, const char *url, int quiet)
524 {
525 return credential_from_url_1(c, url, 0, quiet);
526 }
527
528 void credential_from_url(struct credential *c, const char *url)
529 {
530 if (credential_from_url_gently(c, url, 0) < 0)
531 die(_("credential url cannot be parsed: %s"), url);
532 }
The Best VCS Around