
Commit 945b5c5

committed
credential-cache: respect request capabilities
Previously, credential-cache responded with capability[]=authtype regardless of request. The capabilities in a credential helper response should be a subset of the capabilities in the request.
1 parent 92999a4 commit 945b5c5


3 files changed

+21
-6
lines changed


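--- a/builtin/credential-cache--daemon.c
+++ b/builtin/credential-cache--daemon.c
@@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out)
 else if (!strcmp(action.buf, "get")) {
 struct credential_cache_entry *e = lookup_credential(&c);
 if (e) {
-e->item.capa_authtype.request_initial = 1;
-e->item.capa_authtype.request_helper = 1;
-
-fprintf(out, "capability[]=authtype\n");
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) {
+fprintf(out, "capability[]=authtype\n");
+}
 if (e->item.username)
 fprintf(out, "username=%s\n", e->item.username);
 if (e->item.password)
 fprintf(out, "password=%s\n", e->item.password);
-if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
 fprintf(out, "authtype=%s\n", e->item.authtype);
-if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
 fprintf(out, "credential=%s\n", e->item.credential);
 if (e->item.password_expiry_utc != TIME_MAX)
 fprintf(out, "password_expiry_utc=%"PRItime"\n",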
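Review bot: The capability test `credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)` is now written three times in the `get` branch, once for the `capability[]=authtype` line and once each for `authtype=` and `credential=`; because the `credential=` line carries secret material, a later edit that touches only one of the three would let the announcement and the fields drift apart without any compile error. Evaluating it once at the top of the `if (e)` block, `int send_authtype = credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE);`, and testing `send_authtype` in the three places keeps them in step. A short comment there, such as `/* only answer with authtype fields if the requester announced the capability */`, would also record why the request `c` is consulted rather than the cached entry `e`. The body of serve_one_client starts before and continues after this hunk.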

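--- a/t/lib-credential.sh
+++ b/t/lib-credential.sh
@@ -566,6 +566,21 @@ helper_test_authtype() {
 EOF
 '
 
+test_expect_success "helper ($HELPER) does not get authtype and credential without authtype capability" '
+check fill $HELPER <<-\EOF
+protocol=https
+host=git.example.com
+--
+protocol=https
+host=git.example.com
+username=askpass-username
+password=askpass-password
+--
+askpass: Username for '\''https://git.example.com'\'':
+askpass: Password for '\''https://[email protected]'\'':
+EOF
+'
+
 test_expect_success "helper ($HELPER) stores authtype and credential with username" '
 check approve $HELPER <<-\EOF
 capability[]=authtype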
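Review bot: The new test has no comment saying which stored entry it exercises, and from the hunk alone it appears to depend on an authtype credential left in the helper by an earlier test in helper_test_authtype; if nothing were stored, the fill would fall through to askpass anyway and the test would pass without ever checking the capability gate. A comment above it, for example `# relies on the authtype credential stored by the preceding test; a fill without capability[]=authtype must not return it`, would make that dependency explicit. helper_test_authtype starts and ends outside this hunk, so the earlier store is presumed rather than visible here.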

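--- a/t/t0303-credential-external.sh
+++ b/t/t0303-credential-external.sh
@@ -63,6 +63,7 @@ helper_test_clean "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test_password_expiry_utc "$GIT_TEST_CREDENTIAL_HELPER"
 helper_test_oauth_refresh_token "$GIT_TEST_CREDENTIAL_HELPER"
+helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER"
 
 if test -z "$GIT_TEST_CREDENTIAL_HELPER_TIMEOUT"; then
 say "# skipping timeout tests (GIT_TEST_CREDENTIAL_HELPER_TIMEOUT not set)"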
