Merge pull request #65 from entireio/soph/issue-63-deferred-credential-helper

auth: defer credential helper until 401, match git's behaviour

Author: Soph

cmd/git-sync/main_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -14,6 +15,7 @@ import (
 	"testing"
 	"time"
 
+	"entire.io/entire/git-sync/internal/auth"
 	"entire.io/entire/git-sync/internal/syncertest"
 	"entire.io/entire/git-sync/unstable"
 	billy "github.com/go-git/go-billy/v6"
@@ -29,6 +31,27 @@ import (
 	"github.com/go-git/go-git/v6/storage/memory"
 )
 
+// TestMain isolates the package's tests from the developer's local
+// credential helper. EnsureAuthForService probes /git-receive-pack with a
+// flush-packet POST unconditionally (required to discover cross-host
+// auth challenges and auth-on-POST-only gates), so without stubbing the
+// helper, `git credential fill` could find stored credentials for
+// 127.0.0.1 (e.g. cached from an earlier test run) and attach them,
+// changing the wire shape of the push the test under inspection.
+//
+// The probe itself still happens — receive-pack POST counts include it —
+// but the stub guarantees no credentials are attached and the probe
+// returns without further side effects on the helper.
+//
+// Tests that need to exercise helper behaviour explicitly should
+// restore auth.GitCredentialCommand in their own setup.
+func TestMain(m *testing.M) {
+	auth.GitCredentialCommand = func(_ context.Context, _ auth.CredentialOp, _ string) ([]byte, error) {
+		return nil, errors.New("no helper configured (test default)")
+	}
+	os.Exit(m.Run())
+}
+
 const testBranch = "master"
 const modeReplicate = "replicate"
 
@@ -241,8 +264,11 @@ func TestRun_Replicate_SubcommandExecutesAgainstEmptyTarget(t *testing.T) {
 		t.Fatalf("expected relayReason=empty-target-managed-refs, got %#v", result["relayReason"])
 	}
 
-	if got := targetServer.Count("git-receive-pack"); got != 1 {
-		t.Fatalf("expected one receive-pack POST, got %d", got)
+	// Two receive-pack POSTs: the auth-probe (a flush-packet POST that
+	// EnsureAuthForService always sends to detect auth-on-POST-only gates and
+	// cross-host challenges) plus the real push.
+	if got := targetServer.Count("git-receive-pack"); got != 2 {
+		t.Fatalf("expected two receive-pack POSTs (auth-probe + real push), got %d", got)
 	}
 	sourceHead, err := sourceRepo.Reference(plumbing.NewBranchReferenceName(testBranch), true)
 	if err != nil {

internal/auth/auth.go

@@ -29,25 +29,20 @@ type Endpoint struct {
 }
 
 // Resolve resolves the auth method for the given endpoint configuration.
-// Order: explicit flags → Entire DB token → git credential helper → anonymous.
+// Order: explicit flags → Entire DB token → anonymous (with the git credential
+// helper deferred until the server returns 401, matching git's own behaviour).
 func Resolve(raw Endpoint, ep *url.URL) (Method, error) {
 	if auth := explicitAuth(raw); auth != nil {
 		return auth, nil
 	}
-	if ep == nil {
-		return nil, nil //nolint:nilnil // nil signals no auth method found at this stage
-	}
-	if ep.Scheme != "http" && ep.Scheme != "https" {
+	if !isHTTPEndpoint(ep) {
 		return nil, nil //nolint:nilnil // nil signals no auth method found at this stage
 	}
 	if username, password, ok, err := LookupEntireDBCredential(raw, ep); err != nil {
 		return nil, err // issue #7: surface refresh failure explicitly
 	} else if ok {
 		return &transporthttp.BasicAuth{Username: username, Password: password}, nil
 	}
-	if username, password, ok := lookupGitCredential(ep); ok {
-		return &transporthttp.BasicAuth{Username: username, Password: password}, nil
-	}
 	return nil, nil //nolint:nilnil // nil signals no auth method found at this stage
 }
 
@@ -65,39 +60,119 @@ func explicitAuth(raw Endpoint) Method {
 	return nil
 }
 
-// GitCredentialFillCommand is replaceable for testing.
-var GitCredentialFillCommand = func(ctx context.Context, input string) ([]byte, error) {
-	cmd := exec.CommandContext(ctx, "git", "credential", "fill")
+// CredentialOp identifies a `git credential` subcommand.
+type CredentialOp string
+
+const (
+	CredentialOpFill    CredentialOp = "fill"
+	CredentialOpApprove CredentialOp = "approve"
+	CredentialOpReject  CredentialOp = "reject"
+)
+
+// newGitCredentialCmd builds the `git credential <op>` invocation. Extracted
+// so tests can inspect the command's environment without exec'ing git.
+//
+// We inherit the parent environment unchanged — in particular, we do NOT
+// force GIT_TERMINAL_PROMPT=0. The original #63 symptom (interactive prompt
+// on a public-and-anonymous repo) is already prevented by Resolve no longer
+// invoking the helper proactively: with no 401 there's no Lookup, no
+// `git credential fill`, and so no prompt. Once the server actually
+// challenges with a 401, prompting is the right behaviour when there's a
+// terminal and a helper that has no entry for the host yet — same as
+// vanilla `git push`. Non-interactive callers (CI, daemons, the syncer
+// background loop) set GIT_TERMINAL_PROMPT=0 in their own environment the
+// same way they would for plain git, and we pass that through.
+func newGitCredentialCmd(ctx context.Context, op CredentialOp, input string) *exec.Cmd {
+	cmd := exec.CommandContext(ctx, "git", "credential", string(op))
 	cmd.Stdin = strings.NewReader(input)
-	return cmd.Output()
+	return cmd
+}
+
+// GitCredentialCommand invokes `git credential <op>` with the given input
+// (git-credential text format). Replaceable for testing.
+var GitCredentialCommand = func(ctx context.Context, op CredentialOp, input string) ([]byte, error) {
+	return newGitCredentialCmd(ctx, op, input).Output()
 }
 
-func lookupGitCredential(ep *url.URL) (string, string, bool) {
-	input := credentialFillInput(ep)
+// GitCredentialHelper bridges Git's credential helper protocol to HTTP auth.
+// Best-effort: a missing or misbehaving helper denies credentials rather
+// than failing the surrounding sync.
+type GitCredentialHelper struct{}
+
+// Lookup queries the git credential helper for credentials for ep. Returns
+// ok=false if no credentials are available so the caller can surface a
+// clean 401. A non-nil error means the lookup itself couldn't complete
+// (e.g. the context was cancelled) and the caller should surface that
+// rather than fall back to the original 401.
+//
+// Lookup may block on user interaction when the helper falls through to a
+// terminal prompt (vanilla `git credential fill` behaviour). Callers that
+// must not block should set GIT_TERMINAL_PROMPT=0 in the process
+// environment; the credential subprocess inherits it. See
+// newGitCredentialCmd for the rationale on not forcing that ourselves.
+func (GitCredentialHelper) Lookup(ctx context.Context, ep *url.URL) (username, password string, ok bool, err error) {
+	if !isHTTPEndpoint(ep) {
+		return "", "", false, nil
+	}
+	input := credentialInput(ep, "", "")
 	if input == "" {
-		return "", "", false
+		return "", "", false, nil
 	}
-	output, err := GitCredentialFillCommand(context.Background(), input)
-	if err != nil {
-		return "", "", false
+	output, helperErr := GitCredentialCommand(ctx, CredentialOpFill, input)
+	if helperErr != nil {
+		// A cancelled or timed-out context kills the `git credential fill`
+		// subprocess; surface that as the real cause instead of masking it
+		// as "no credentials available", which would report the original
+		// HTTP 401 rather than context.Canceled/DeadlineExceeded.
+		if ctxErr := ctx.Err(); ctxErr != nil {
+			return "", "", false, fmt.Errorf("git credential fill: %w", ctxErr)
+		}
+		return "", "", false, nil
 	}
 	values := parseCredentialOutput(output)
-	password := values["password"]
+	password = values["password"]
 	if password == "" {
-		return "", "", false
+		return "", "", false, nil
 	}
-	username := values["username"]
+	username = values["username"]
 	if username == "" {
 		if ep.User != nil && ep.User.Username() != "" {
 			username = ep.User.Username()
 		} else {
 			username = defaultGitUsername
 		}
 	}
-	return username, password, true
+	return username, password, true, nil
 }
 
-func credentialFillInput(ep *url.URL) string {
+// Approve tells the helper the credentials worked.
+func (h GitCredentialHelper) Approve(ctx context.Context, ep *url.URL, username, password string) {
+	h.signal(ctx, CredentialOpApprove, ep, username, password)
+}
+
+// Reject tells the helper the credentials failed.
+func (h GitCredentialHelper) Reject(ctx context.Context, ep *url.URL, username, password string) {
+	h.signal(ctx, CredentialOpReject, ep, username, password)
+}
+
+func (GitCredentialHelper) signal(ctx context.Context, op CredentialOp, ep *url.URL, username, password string) {
+	input := credentialInput(ep, username, password)
+	if input == "" {
+		return
+	}
+	_, _ = GitCredentialCommand(ctx, op, input) //nolint:errcheck // advisory signal; helper failures swallowed
+}
+
+func isHTTPEndpoint(ep *url.URL) bool {
+	return ep != nil && (ep.Scheme == "http" || ep.Scheme == "https")
+}
+
+// credentialInput builds a git-credential format request body for the given
+// endpoint. When username/password are set, they are appended (for use with
+// `git credential approve`/`reject`). When both are empty, the result is a
+// query body suitable for `git credential fill`. Explicit username overrides
+// any user embedded in the endpoint URL.
+func credentialInput(ep *url.URL, username, password string) string {
 	if ep == nil || ep.Hostname() == "" {
 		return ""
 	}
@@ -106,8 +181,15 @@ func credentialFillInput(ep *url.URL) string {
 	if path := strings.TrimPrefix(ep.Path, "/"); path != "" {
 		fmt.Fprintf(&b, "path=%s\n", path)
 	}
-	if ep.User != nil && ep.User.Username() != "" {
-		fmt.Fprintf(&b, "username=%s\n", ep.User.Username())
+	user := username
+	if user == "" && ep.User != nil {
+		user = ep.User.Username()
+	}
+	if user != "" {
+		fmt.Fprintf(&b, "username=%s\n", user)
+	}
+	if password != "" {
+		fmt.Fprintf(&b, "password=%s\n", password)
 	}
 	b.WriteString("\n")
 	return b.String()