From e32fe8a1b347224f89e1ab4dbe9e5e84a0c45297 Mon Sep 17 00:00:00 2001 From: "Bryan C. Mills" Date: Fri, 8 Feb 2019 15:31:29 -0500 Subject: [PATCH] cmd/auth/gitauth: add a reference GOAUTH implementation using 'git credential fill' Updates golang/go#26232 Change-Id: Ic22722756df1e66551222a8834a152519cb39e24 Reviewed-on: https://go-review.googlesource.com/c/tools/+/161667 Run-TryBot: Bryan C. Mills TryBot-Result: Gobot Gobot Reviewed-by: Jay Conrod --- cmd/auth/gitauth/gitauth.go | 149 ++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 cmd/auth/gitauth/gitauth.go diff --git a/cmd/auth/gitauth/gitauth.go b/cmd/auth/gitauth/gitauth.go new file mode 100644 index 0000000000..b481fe6b99 --- /dev/null +++ b/cmd/auth/gitauth/gitauth.go @@ -0,0 +1,149 @@ +// Copyright 2019 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// gitauth uses 'git credential' to implement the GOAUTH protocol described in +// https://golang.org/issue/26232. It expects an absolute path to the working +// directory for the 'git' command as the first command-line argument. +// +// Example GOAUTH usage: +// export GOAUTH="gitauth $HOME" +// +// See https://git-scm.com/docs/gitcredentials or run 'man gitcredentials' for +// information on how to configure 'git credential'. +package main + +import ( + "bytes" + "fmt" + "log" + "net/http" + "net/url" + "os" + "os/exec" + "path/filepath" + "strings" +) + +func main() { + if len(os.Args) < 2 || !filepath.IsAbs(os.Args[1]) { + fmt.Fprintf(os.Stderr, "usage: %s WORKDIR [URL]", os.Args[0]) + os.Exit(2) + } + + log.SetPrefix("gitauth: ") + + if len(os.Args) != 3 { + // No explicit URL was passed on the command line, but 'git credential' + // provides no way to enumerate existing credentials. + // Wait for a request for a specific URL. + return + } + + u, err := url.ParseRequestURI(os.Args[2]) + if err != nil { + log.Fatalf("invalid request URI (%v): %q\n", err, os.Args[1]) + } + + var ( + prefix *url.URL + lastHeader http.Header + lastStatus = http.StatusUnauthorized + ) + for lastStatus == http.StatusUnauthorized { + cmd := exec.Command("git", "credential", "fill") + + // We don't want to execute a 'git' command in an arbitrary directory, since + // that opens up a number of config-injection attacks (for example, + // https://golang.org/issue/29230). Instead, we have the user configure a + // directory explicitly on the command line. + cmd.Dir = os.Args[1] + + cmd.Stdin = strings.NewReader(fmt.Sprintf("url=%s\n", u)) + cmd.Stderr = os.Stderr + out, err := cmd.Output() + if err != nil { + log.Fatalf("'git credential fill' failed: %v\n", err) + } + + prefix = new(url.URL) + var username, password string + lines := strings.Split(string(out), "\n") + for _, line := range lines { + frags := strings.SplitN(line, "=", 2) + if len(frags) != 2 { + continue // Ignore unrecognized response lines. + } + switch strings.TrimSpace(frags[0]) { + case "protocol": + prefix.Scheme = frags[1] + case "host": + prefix.Host = frags[1] + case "path": + prefix.Path = frags[1] + case "username": + username = frags[1] + case "password": + password = frags[1] + case "url": + // Write to a local variable instead of updating prefix directly: + // if the url field is malformed, we don't want to invalidate + // information parsed from the protocol, host, and path fields. + u, err := url.ParseRequestURI(frags[1]) + if err == nil { + prefix = u + } else { + log.Printf("malformed URL from 'git credential fill' (%v): %q\n", err, frags[1]) + // Proceed anyway: we might be able to parse the prefix from other fields of the response. + } + } + } + + // Double-check that the URL Git gave us is a prefix of the one we requested. + if !strings.HasPrefix(u.String(), prefix.String()) { + log.Fatalf("requested a credential for %q, but 'git credential fill' provided one for %q\n", u, prefix) + } + + // Send a HEAD request to try to detect whether the credential is valid. + // If the user just typed in a correct password and has caching enabled, + // we don't want to nag them for it again the next time they run a 'go' command. + req, err := http.NewRequest("HEAD", u.String(), nil) + if err != nil { + log.Fatalf("internal error constructing HTTP HEAD request: %v\n", err) + } + req.SetBasicAuth(username, password) + lastHeader = req.Header + resp, err := http.DefaultClient.Do(req) + if err != nil { + log.Printf("HTTPS HEAD request failed to connect: %v\n", err) + // Couldn't verify the credential, but we have no evidence that it is invalid either. + // Proceed, but don't update git's credential cache. + break + } + lastStatus = resp.StatusCode + + if resp.StatusCode != http.StatusOK { + log.Printf("%s: %v %s\n", u, resp.StatusCode, http.StatusText(resp.StatusCode)) + } + + if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusUnauthorized { + // We learned something about the credential: it either worked or it was invalid. + // Approve or reject the credential (on a best-effort basis) + // so that the git credential helper can update its cache as appropriate. + action := "approve" + if resp.StatusCode != http.StatusOK { + action = "reject" + } + cmd = exec.Command("git", "credential", action) + cmd.Stderr = os.Stderr + cmd.Stdout = os.Stderr + cmd.Stdin = bytes.NewReader(out) + _ = cmd.Run() + } + } + + // Write out the credential in the format expected by the 'go' command. + fmt.Printf("%s\n\n", prefix) + lastHeader.Write(os.Stdout) + fmt.Println() +}