From 9197941029f0fc215b71efb4a2ff0e602c34fd3c Mon Sep 17 00:00:00 2001 From: M Hickford Date: Thu, 19 Dec 2024 22:19:02 +0000 Subject: [PATCH] credential-cache: respect request capabilities Previously, credential-cache responded with capability[]=authtype regardless of request. The capabilities in a credential helper response should be a subset of the capabilities in the request. Signed-off-by: M Hickford --- builtin/credential-cache--daemon.c | 11 +++++------ t/lib-credential.sh | 15 +++++++++++++++ t/t0303-credential-external.sh | 1 + 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c index bc22f5c6d2413d..692216cf83ccb1 100644 --- a/builtin/credential-cache--daemon.c +++ b/builtin/credential-cache--daemon.c @@ -134,17 +134,16 @@ static void serve_one_client(FILE *in, FILE *out) else if (!strcmp(action.buf, "get")) { struct credential_cache_entry *e = lookup_credential(&c); if (e) { - e->item.capa_authtype.request_initial = 1; - e->item.capa_authtype.request_helper = 1; - - fprintf(out, "capability[]=authtype\n"); + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE)) { + fprintf(out, "capability[]=authtype\n"); + } if (e->item.username) fprintf(out, "username=%s\n", e->item.username); if (e->item.password) fprintf(out, "password=%s\n", e->item.password); - if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype) + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype) fprintf(out, "authtype=%s\n", e->item.authtype); - if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential) + if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential) fprintf(out, "credential=%s\n", e->item.credential); if (e->item.password_expiry_utc != TIME_MAX) fprintf(out, "password_expiry_utc=%"PRItime"\n", diff --git a/t/lib-credential.sh b/t/lib-credential.sh index 58b9c740605890..fe170b513fd842 100644 --- a/t/lib-credential.sh +++ b/t/lib-credential.sh @@ -566,6 +566,21 @@ helper_test_authtype() { EOF ' + test_expect_success "helper ($HELPER) does not get authtype and credential without authtype capability" ' + check fill $HELPER <<-\EOF + protocol=https + host=git.example.com + -- + protocol=https + host=git.example.com + username=askpass-username + password=askpass-password + -- + askpass: Username for '\''https://git.example.com'\'': + askpass: Password for '\''https://askpass-username@git.example.com'\'': + EOF + ' + test_expect_success "helper ($HELPER) stores authtype and credential with username" ' check approve $HELPER <<-\EOF capability[]=authtype diff --git a/t/t0303-credential-external.sh b/t/t0303-credential-external.sh index 8aadbe86c45856..437eae5002a08a 100755 --- a/t/t0303-credential-external.sh +++ b/t/t0303-credential-external.sh @@ -63,6 +63,7 @@ helper_test_clean "$GIT_TEST_CREDENTIAL_HELPER" helper_test "$GIT_TEST_CREDENTIAL_HELPER" helper_test_password_expiry_utc "$GIT_TEST_CREDENTIAL_HELPER" helper_test_oauth_refresh_token "$GIT_TEST_CREDENTIAL_HELPER" +helper_test_authtype "$GIT_TEST_CREDENTIAL_HELPER" if test -z "$GIT_TEST_CREDENTIAL_HELPER_TIMEOUT"; then say "# skipping timeout tests (GIT_TEST_CREDENTIAL_HELPER_TIMEOUT not set)"