2023-02-27 17:20:18 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
test_description='test http auth header and credential helper interop'
|
|
|
|
|
|
|
|
. ./test-lib.sh
|
|
|
|
. "$TEST_DIRECTORY"/lib-httpd.sh
|
|
|
|
|
t/lib-httpd: make CGIPassAuth support conditional
Commit 988aad99b4 (t5563: add tests for basic and anoymous HTTP access,
2023-02-27) added tests that require Apache to support the CGIPassAuth
directive, which was added in Apache 2.4.13. This is fairly old (~8
years), but recent enough that we still encounter it in the wild (e.g.,
RHEL/CentOS 7, which is not EOL until June 2024).
We can live with skipping the new tests on such a platform. But
unfortunately, since the directive is used unconditionally in our
apache.conf, it means the web server fails to start entirely, and we
cannot run other HTTP tests at all (e.g., the basic ones in t5551).
We can fix that by making the config conditional, and only triggering it
for t5563. That solves the problem for t5551 (which then ignores the
directive entirely). For t5563, we'd see apache complain in start_httpd;
with the default setting of GIT_TEST_HTTPD, we'd then skip the whole
script.
But that leaves one small problem: people may set GIT_TEST_HTTPD=1
explicitly, which instructs the tests to fail (rather than skip) when we
can't start the webserver (to avoid accidentally missing some tests).
This could be worked around by having the user manually set
GIT_SKIP_TESTS on a platform with an older Apache. But we can be a bit
friendlier by doing the version check ourselves and setting an
appropriate prereq. We'll use the (lack of) prereq to then skip the rest
of t5563. In theory we could use the prereq to skip individual tests, but
in practice this whole script depends on it.
Reported-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-05-18 19:21:02 +00:00
|
|
|
enable_cgipassauth
|
|
|
|
if ! test_have_prereq CGIPASSAUTH
|
|
|
|
then
|
|
|
|
skip_all="no CGIPassAuth support"
|
|
|
|
test_done
|
|
|
|
fi
|
2023-02-27 17:20:18 +00:00
|
|
|
start_httpd
|
|
|
|
|
|
|
|
test_expect_success 'setup_credential_helper' '
|
|
|
|
mkdir "$TRASH_DIRECTORY/bin" &&
|
|
|
|
PATH=$PATH:"$TRASH_DIRECTORY/bin" &&
|
|
|
|
export PATH &&
|
|
|
|
|
|
|
|
CREDENTIAL_HELPER="$TRASH_DIRECTORY/bin/git-credential-test-helper" &&
|
|
|
|
write_script "$CREDENTIAL_HELPER" <<-\EOF
|
|
|
|
cmd=$1
|
|
|
|
teefile=$cmd-query.cred
|
|
|
|
catfile=$cmd-reply.cred
|
|
|
|
sed -n -e "/^$/q" -e "p" >>$teefile
|
|
|
|
if test "$cmd" = "get"
|
|
|
|
then
|
|
|
|
cat $catfile
|
|
|
|
fi
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
set_credential_reply () {
|
|
|
|
cat >"$TRASH_DIRECTORY/$1-reply.cred"
|
|
|
|
}
|
|
|
|
|
|
|
|
expect_credential_query () {
|
|
|
|
cat >"$TRASH_DIRECTORY/$1-expect.cred" &&
|
|
|
|
test_cmp "$TRASH_DIRECTORY/$1-expect.cred" \
|
|
|
|
"$TRASH_DIRECTORY/$1-query.cred"
|
|
|
|
}
|
|
|
|
|
|
|
|
per_test_cleanup () {
|
|
|
|
rm -f *.cred &&
|
|
|
|
rm -f "$HTTPD_ROOT_PATH"/custom-auth.valid \
|
|
|
|
"$HTTPD_ROOT_PATH"/custom-auth.challenge
|
|
|
|
}
|
|
|
|
|
|
|
|
test_expect_success 'setup repository' '
|
|
|
|
test_commit foo &&
|
|
|
|
git init --bare "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
|
|
|
|
git push --mirror "$HTTPD_DOCUMENT_ROOT_PATH/repo.git"
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:18 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
2023-02-27 17:20:20 +00:00
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
test_expect_success 'access using basic auth via authtype' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Basic
|
|
|
|
credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
GIT_CURL_VERBOSE=1 git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Basic
|
|
|
|
credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
2023-02-27 17:20:20 +00:00
|
|
|
test_expect_success 'access using basic auth invalid credentials' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=baduser
|
|
|
|
password=wrong-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query erase <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=baduser
|
|
|
|
password=wrong-passwd
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth with extra challenges' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: FooBar param1="value1" param2="value2"
|
|
|
|
WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth mixed-case wwwauth header name' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
www-authenticate: foobar param1="value1" param2="value2"
|
|
|
|
WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0
|
|
|
|
WwW-aUtHeNtIcAtE: baSiC realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=foobar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=BEARER authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=baSiC realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth with wwwauth header continuations' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Note that leading and trailing whitespace is important to correctly
|
|
|
|
# simulate a continuation/folded header.
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: FooBar param1="value1"
|
|
|
|
param2="value2"
|
|
|
|
WWW-Authenticate: Bearer authorize_uri="id.example.com"
|
|
|
|
p=1
|
|
|
|
q=0
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth with wwwauth header empty continuations' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
|
|
|
|
|
|
|
|
# Note that leading and trailing whitespace is important to correctly
|
|
|
|
# simulate a continuation/folded header.
|
2023-03-31 06:52:05 +00:00
|
|
|
printf "WWW-Authenticate: FooBar param1=\"value1\"\r\n" >"$CHALLENGE" &&
|
|
|
|
printf " \r\n" >>"$CHALLENGE" &&
|
|
|
|
printf " param2=\"value2\"\r\n" >>"$CHALLENGE" &&
|
|
|
|
printf "WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" &&
|
|
|
|
printf " p=1\r\n" >>"$CHALLENGE" &&
|
|
|
|
printf " \r\n" >>"$CHALLENGE" &&
|
|
|
|
printf " q=0\r\n" >>"$CHALLENGE" &&
|
|
|
|
printf "WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" &&
|
2023-02-27 17:20:20 +00:00
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using basic auth with wwwauth header mixed line-endings' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(alice:secret-passwd)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
|
|
|
|
|
|
|
|
# Note that leading and trailing whitespace is important to correctly
|
|
|
|
# simulate a continuation/folded header.
|
2023-03-31 06:52:05 +00:00
|
|
|
printf "WWW-Authenticate: FooBar param1=\"value1\"\r\n" >"$CHALLENGE" &&
|
|
|
|
printf " \r\n" >>"$CHALLENGE" &&
|
|
|
|
printf "\tparam2=\"value2\"\r\n" >>"$CHALLENGE" &&
|
|
|
|
printf "WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" &&
|
2023-02-27 17:20:20 +00:00
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
2023-02-27 17:20:20 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
2023-02-27 17:20:18 +00:00
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
username=alice
|
|
|
|
password=secret-passwd
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
test_expect_success 'access using bearer auth' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Bearer
|
|
|
|
credential=YS1naXQtdG9rZW4=
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(a-git-token)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Bearer YS1naXQtdG9rZW4=
|
|
|
|
EOF
|
|
|
|
|
|
|
|
CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: FooBar param1="value1" param2="value2"
|
|
|
|
WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query store <<-EOF
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Bearer
|
|
|
|
credential=YS1naXQtdG9rZW4=
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'access using bearer auth with invalid credentials' '
|
|
|
|
test_when_finished "per_test_cleanup" &&
|
|
|
|
|
|
|
|
set_credential_reply get <<-EOF &&
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Bearer
|
|
|
|
credential=incorrect-token
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Basic base64(a-git-token)
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
|
|
|
|
Bearer YS1naXQtdG9rZW4=
|
|
|
|
EOF
|
|
|
|
|
|
|
|
CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
|
|
|
|
|
|
|
|
cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
|
|
|
|
WWW-Authenticate: FooBar param1="value1" param2="value2"
|
|
|
|
WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
WWW-Authenticate: Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
test_config_global credential.helper test-helper &&
|
|
|
|
test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
|
|
|
|
|
|
|
|
expect_credential_query get <<-EOF &&
|
|
|
|
capability[]=authtype
|
2024-04-17 00:02:34 +00:00
|
|
|
capability[]=state
|
http: add support for authtype and credential
Now that we have the credential helper code set up to handle arbitrary
authentications schemes, let's add support for this in the HTTP code,
where we really want to use it. If we're using this new functionality,
don't set a username and password, and instead set a header wherever
we'd normally do so, including for proxy authentication.
Since we can now handle this case, ask the credential helper to enable
the appropriate capabilities.
Finally, if we're using the authtype value, set "Expect: 100-continue".
Any type of authentication that requires multiple rounds (such as NTLM
or Kerberos) requires a 100 Continue (if we're larger than
http.postBuffer) because otherwise we send the pack data before we're
authenticated, the push gets a 401 response, and we can't rewind the
stream. We don't know for certain what other custom schemes might
require this, the HTTP/1.1 standard has required handling this since
1999, the broken HTTP server for which we disabled this (Google's) is
now fixed and has been for some time, and libcurl has a 1-second
fallback in case the HTTP server is still broken. In addition, it is
not unreasonable to require compliance with a 25-year old standard to
use new Git features. For all of these reasons, do so here.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-04-17 00:02:32 +00:00
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
|
|
|
|
expect_credential_query erase <<-EOF
|
|
|
|
capability[]=authtype
|
|
|
|
authtype=Bearer
|
|
|
|
credential=incorrect-token
|
|
|
|
protocol=http
|
|
|
|
host=$HTTPD_DEST
|
|
|
|
wwwauth[]=FooBar param1="value1" param2="value2"
|
|
|
|
wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
|
|
|
|
wwwauth[]=Basic realm="example.com"
|
|
|
|
EOF
|
|
|
|
'
|
|
|
|
|
2023-02-27 17:20:18 +00:00
|
|
|
test_done
|