gitauth.go

     1  // Copyright 2019 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // gitauth uses 'git credential' to implement the GOAUTH protocol.
     6  //
     7  // See https://git-scm.com/docs/gitcredentials or run 'man gitcredentials' for
     8  // information on how to configure 'git credential'.
     9  package auth
    10  
    11  import (
    12  	"bytes"
    13  	"cmd/go/internal/base"
    14  	"cmd/go/internal/cfg"
    15  	"cmd/go/internal/web/intercept"
    16  	"fmt"
    17  	"log"
    18  	"net/http"
    19  	"net/url"
    20  	"os/exec"
    21  	"strings"
    22  )
    23  
    24  const maxTries = 3
    25  
    26  // runGitAuth retrieves credentials for the given prefix using
    27  // 'git credential fill', validates them with a HEAD request
    28  // (using the provided client) and updates the credential helper's cache.
    29  // It returns the matching credential prefix, the http.Header with the
    30  // Basic Authentication header set, or an error.
    31  // The caller must not mutate the header.
    32  func runGitAuth(client *http.Client, dir, prefix string) (string, http.Header, error) {
    33  	if prefix == "" {
    34  		// No explicit prefix was passed, but 'git credential'
    35  		// provides no way to enumerate existing credentials.
    36  		// Wait for a request for a specific prefix.
    37  		return "", nil, fmt.Errorf("no explicit prefix was passed")
    38  	}
    39  	if dir == "" {
    40  		// Prevent config-injection attacks by requiring an explicit working directory.
    41  		// See https://golang.org/issue/29230 for details.
    42  		panic("'git' invoked in an arbitrary directory") // this should be caught earlier.
    43  	}
    44  	cmd := exec.Command("git", "credential", "fill")
    45  	cmd.Dir = dir
    46  	cmd.Stdin = strings.NewReader(fmt.Sprintf("url=%s\n", prefix))
    47  	out, err := cmd.CombinedOutput()
    48  	if err != nil {
    49  		return "", nil, fmt.Errorf("'git credential fill' failed (url=%s): %w\n%s", prefix, err, out)
    50  	}
    51  	parsedPrefix, username, password := parseGitAuth(out)
    52  	if parsedPrefix == "" {
    53  		return "", nil, fmt.Errorf("'git credential fill' failed for url=%s, could not parse url\n", prefix)
    54  	}
    55  	// Check that the URL Git gave us is a prefix of the one we requested.
    56  	if !strings.HasPrefix(prefix, parsedPrefix) {
    57  		return "", nil, fmt.Errorf("requested a credential for %s, but 'git credential fill' provided one for %s\n", prefix, parsedPrefix)
    58  	}
    59  	req, err := http.NewRequest("HEAD", parsedPrefix, nil)
    60  	if err != nil {
    61  		return "", nil, fmt.Errorf("internal error constructing HTTP HEAD request: %v\n", err)
    62  	}
    63  	req.SetBasicAuth(username, password)
    64  	// Asynchronously validate the provided credentials using a HEAD request,
    65  	// allowing the git credential helper to update its cache without blocking.
    66  	// This avoids repeatedly prompting the user for valid credentials.
    67  	// This is a best-effort update; the primary validation will still occur
    68  	// with the caller's client.
    69  	// The request is intercepted for testing purposes to simulate interactions
    70  	// with the credential helper.
    71  	intercept.Request(req)
    72  	go updateCredentialHelper(client, req, out)
    73  
    74  	// Return the parsed prefix and headers, even if credential validation fails.
    75  	// The caller is responsible for the primary validation.
    76  	return parsedPrefix, req.Header, nil
    77  }
    78  
    79  // parseGitAuth parses the output of 'git credential fill', extracting
    80  // the URL prefix, user, and password.
    81  // Any of these values may be empty if parsing fails.
    82  func parseGitAuth(data []byte) (parsedPrefix, username, password string) {
    83  	prefix := new(url.URL)
    84  	for _, line := range strings.Split(string(data), "\n") {
    85  		key, value, ok := strings.Cut(strings.TrimSpace(line), "=")
    86  		if !ok {
    87  			continue
    88  		}
    89  		switch key {
    90  		case "protocol":
    91  			prefix.Scheme = value
    92  		case "host":
    93  			prefix.Host = value
    94  		case "path":
    95  			prefix.Path = value
    96  		case "username":
    97  			username = value
    98  		case "password":
    99  			password = value
   100  		case "url":
   101  			// Write to a local variable instead of updating prefix directly:
   102  			// if the url field is malformed, we don't want to invalidate
   103  			// information parsed from the protocol, host, and path fields.
   104  			u, err := url.ParseRequestURI(value)
   105  			if err != nil {
   106  				if cfg.BuildX {
   107  					log.Printf("malformed URL from 'git credential fill' (%v): %q\n", err, value)
   108  					// Proceed anyway: we might be able to parse the prefix from other fields of the response.
   109  				}
   110  				continue
   111  			}
   112  			prefix = u
   113  		}
   114  	}
   115  	return prefix.String(), username, password
   116  }
   117  
   118  // updateCredentialHelper validates the given credentials by sending a HEAD request
   119  // and updates the git credential helper's cache accordingly. It retries the
   120  // request up to maxTries times.
   121  func updateCredentialHelper(client *http.Client, req *http.Request, credentialOutput []byte) {
   122  	for range maxTries {
   123  		release, err := base.AcquireNet()
   124  		if err != nil {
   125  			return
   126  		}
   127  		res, err := client.Do(req)
   128  		if err != nil {
   129  			release()
   130  			continue
   131  		}
   132  		res.Body.Close()
   133  		release()
   134  		if res.StatusCode == http.StatusOK || res.StatusCode == http.StatusUnauthorized {
   135  			approveOrRejectCredential(credentialOutput, res.StatusCode == http.StatusOK)
   136  			break
   137  		}
   138  	}
   139  }
   140  
   141  // approveOrRejectCredential approves or rejects the provided credential using
   142  // 'git credential approve/reject'.
   143  func approveOrRejectCredential(credentialOutput []byte, approve bool) {
   144  	action := "reject"
   145  	if approve {
   146  		action = "approve"
   147  	}
   148  	cmd := exec.Command("git", "credential", action)
   149  	cmd.Stdin = bytes.NewReader(credentialOutput)
   150  	cmd.Run() // ignore error
   151  }
   152
View as plain text