public inbox for git@vger.kernel.org 
From: Ashlesh Gawande <git@ashlesh•me>
To: git@vger•kernel.org
Cc: sandals@crustytoothpaste•net, gitster@pobox•com
Subject: Re: [PATCH v3] t5550: add netrc tests for http 401/403
Date: Sat, 31 Jan 2026 18:03:30 +0530
Message-ID: <49baf22b-ce7c-464c-8f6b-65ca7ed1e9f2@ashlesh.me>
In-Reply-To: <20260107074724.13165-1-git@ashlesh.me>

Any other comments or suggestions on this patch that I can address?
(re-sending because the mailing list rejected my previous email for not 
being plain text).

Thanks
Ashlesh

On 1/7/26 13:17, Ashlesh Gawande wrote:
> git allows using .netrc file to supply credentials for HTTP auth.
> Three test cases are added in this patch to provide missing coverage
> when cloning over HTTP using .netrc file:
>
>    - First test case checks that the git clone is successful when credentials
>      are provided via .netrc file
>    - Second test case checks that the git clone fails when the .netrc file
>      provides invalid credentials. The HTTP server is expected to return
>      401 Unauthorized in such a case. The test checks that the user is
>      provided with a prompt for username/password on 401 to provide
>      the valid ones.
>    - Third test case checks that the git clone fails when the .netrc file
>      provides credentials that are valid but do not have permission for
>      this user. For example one may have multiple tokens in GitHub
>      and uses the one which was not authorized for cloning this repo.
>      In such a case the HTTP server returns 403 Forbidden.
>      For this test, the apache.conf is modified to return a 403
>      on finding a forbidden-user. No prompt for username/password is
>      expected after the 403 (unlike 401). This is because prompting may wipe
>      out existing credentials or conflict with custom credential helpers.
>
> Signed-off-by: Ashlesh Gawande <git@ashlesh•me>
> ---
> Range-diff against v2:
> 1:  0b68f1d1af ! 1:  25ef751f28 t5550: add netrc tests for http 401/403
>      @@ Metadata
>        ## Commit message ##
>           t5550: add netrc tests for http 401/403
>       
>      +    git allows using .netrc file to supply credentials for HTTP auth.
>      +    Three test cases are added in this patch to provide missing coverage
>      +    when cloning over HTTP using .netrc file:
>      +
>      +      - First test case checks that the git clone is successful when credentials
>      +        are provided via .netrc file
>      +      - Second test case checks that the git clone fails when the .netrc file
>      +        provides invalid credentials. The HTTP server is expected to return
>      +        401 Unauthorized in such a case. The test checks that the user is
>      +        provided with a prompt for username/password on 401 to provide
>      +        the valid ones.
>      +      - Third test case checks that the git clone fails when the .netrc file
>      +        provides credentials that are valid but do not have permission for
>      +        this user. For example one may have multiple tokens in GitHub
>      +        and uses the one which was not authorized for cloning this repo.
>      +        In such a case the HTTP server returns 403 Forbidden.
>      +        For this test, the apache.conf is modified to return a 403
>      +        on finding a forbidden-user. No prompt for username/password is
>      +        expected after the 403 (unlike 401). This is because prompting may wipe
>      +        out existing credentials or conflict with custom credential helpers.
>      +
>           Signed-off-by: Ashlesh Gawande <git@ashlesh•me>
>       
>        ## t/lib-httpd.sh ##
>
>   t/lib-httpd.sh             | 13 +++++++++++--
>   t/lib-httpd/apache.conf    |  4 ++++
>   t/lib-httpd/passwd         |  1 +
>   t/t5550-http-fetch-dumb.sh | 25 +++++++++++++++++++++++++
>   4 files changed, 41 insertions(+), 2 deletions(-)
>
> diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
> index 5091db949b..5f42c311c2 100644
> --- a/t/lib-httpd.sh
> +++ b/t/lib-httpd.sh
> @@ -319,13 +319,22 @@ setup_askpass_helper() {
>   	'
>   }
>   
> -set_askpass() {
> +set_askpass () {
>   	>"$TRASH_DIRECTORY/askpass-query" &&
>   	echo "$1" >"$TRASH_DIRECTORY/askpass-user" &&
>   	echo "$2" >"$TRASH_DIRECTORY/askpass-pass"
>   }
>   
> -expect_askpass() {
> +set_netrc () {
> +	# $HOME=$TRASH_DIRECTORY
> +	echo "machine $1 login $2 password $3" >"$TRASH_DIRECTORY/.netrc"
> +}
> +
> +clear_netrc () {
> +	rm -f "$TRASH_DIRECTORY/.netrc"
> +}
> +
> +expect_askpass () {
>   	dest=$HTTPD_DEST${3+/$3}
>   
>   	{
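
Review bot: set_netrc writes to "$TRASH_DIRECTORY/.netrc" and justifies that only with the comment `# $HOME=$TRASH_DIRECTORY`, which reads like an assignment rather than a statement of the assumption being relied on. Writing to "$HOME/.netrc" (and removing the same path in clear_netrc) would state the dependency directly; otherwise the comment could say in words that HOME is the trash directory in the test environment. The single echo also truncates any existing .netrc and places the three arguments on one line as given, so a login or password containing whitespace would produce an entry that does not parse as intended; a short comment that callers must pass whitespace-free values would be enough.
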
> diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
> index e631ab0eb5..6b8c50a51a 100644
> --- a/t/lib-httpd/apache.conf
> +++ b/t/lib-httpd/apache.conf
> @@ -238,6 +238,10 @@ SSLEngine On
>   	AuthName "git-auth"
>   	AuthUserFile passwd
>   	Require valid-user
> +
> +	# return 403 for authenticated user: forbidden-user@host
> +	RewriteCond "%{REMOTE_USER}" "^forbidden-user@host"
> +	RewriteRule ^ - [F]
>   </Location>
>   
>   <LocationMatch "^/auth-push/.*/git-receive-pack$">
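
Review bot: the RewriteCond pattern "^forbidden-user@host" is anchored only at the start, so any authenticated name that merely begins with that string is rejected as well. Anchoring the end, as in `RewriteCond "%{REMOTE_USER}" "^forbidden-user@host$"`, keeps the 403 limited to the one test account. The hunk also does not show whether the rewrite engine is enabled for this <Location>; if that comes from a setting elsewhere in apache.conf, a comment next to the rule saying so would help the next reader.
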
> diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd
> index d9c122f348..3bab7b6423 100644
> --- a/t/lib-httpd/passwd
> +++ b/t/lib-httpd/passwd
> @@ -1 +1,2 @@
>   user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
> +forbidden-user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
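
Review bot: the forbidden-user@host entry reuses the exact salt and hash of user@host, so the two accounts share one password, and the 403 test depends on that when it passes pass@host for the new user. Nothing in the patch says this is deliberate; a sentence in the commit message would stop someone from later regenerating one of the hashes and breaking the test in a way that is hard to trace.
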
> diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh
> index ed0ad66fad..9530f01b9e 100755
> --- a/t/t5550-http-fetch-dumb.sh
> +++ b/t/t5550-http-fetch-dumb.sh
> @@ -102,6 +102,31 @@ test_expect_success 'cloning password-protected repository can fail' '
>   	expect_askpass both wrong
>   '
>   
> +test_expect_success 'using credentials from netrc to clone successfully' '
> +	test_when_finished clear_netrc &&
> +	set_askpass wrong &&
> +	set_netrc 127.0.0.1 user@host pass@host &&
> +	git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc &&
> +	expect_askpass none
> +'
> +
> +test_expect_success 'netrc unauthorized credentials (prompt after 401)' '
> +	test_when_finished clear_netrc &&
> +	set_askpass wrong &&
> +	set_netrc 127.0.0.1 user@host pass@wrong &&
> +	test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-401 &&
> +	expect_askpass both wrong
> +'
> +
> +test_expect_success 'netrc authorized but forbidden credentials (fail on 403)' '
> +	test_when_finished clear_netrc &&
> +	set_askpass wrong &&
> +	set_netrc 127.0.0.1 forbidden-user@host pass@host &&
> +	test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-403 2>err &&
> +	expect_askpass none &&
> +	grep "The requested URL returned error: 403" err
> +'
> +
>   test_expect_success 'http auth can use user/pass in URL' '
>   	set_askpass wrong &&
>   	git clone "$HTTPD_URL_USER_PASS/auth/dumb/repo.git" clone-auth-none &&
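
Review bot: the 401 test ends with `expect_askpass both wrong`, the same assertion used by the existing 'cloning password-protected repository can fail' test just above it, so it would still pass if the .netrc entry were never read; it shows that a prompt happened, not that the .netrc credentials were sent and rejected first. Capturing stderr or a curl trace in that test and checking for the 401 would tie the prompt to the rejected .netrc login. In the 403 test, the bare `grep "The requested URL returned error: 403" err` could be test_grep, so that a failure prints the contents of err.
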

Thread overview: 14+ messages
2026-01-06  9:34 [PATCH] t5550: add netrc tests for http 401/403 Ashlesh Gawande
2026-01-06 10:20 ` Junio C Hamano
2026-01-06 11:47   ` Ashlesh Gawande
2026-01-06 11:40 ` [PATCH v2] " Ashlesh Gawande
2026-01-07  0:32   ` Junio C Hamano
2026-01-07  7:47   ` [PATCH v3] " Ashlesh Gawande
2026-01-31 12:33     ` Ashlesh Gawande [this message]
2026-02-06  5:05     ` Junio C Hamano
2026-02-06  9:38       ` Jeff King
2026-02-06 15:25         ` Ashlesh Gawande
2026-02-06 15:53           ` Ashlesh Gawande
2026-02-06 20:44             ` Jeff King
2026-02-06 17:39         ` Junio C Hamano
2026-02-06 20:53           ` Jeff King