Re: [PATCH] send-email: implement SMTP bearer authentication

public inbox for git@vger.kernel.org 
 help / color / mirror / Atom feed

From: Shengyu Qu <wiagn233@outlook•com>
To: Julian Swagemakers <julian@swagemakers•org>, git@vger•kernel.org
Cc: wiagn233@outlook•com
Subject: Re: [PATCH] send-email: implement SMTP bearer authentication
Date: Sat, 12 Oct 2024 01:48:18 +0800	[thread overview]
Message-ID: <TYCPR01MB843751F88AF98DFDB606B0BE98792@TYCPR01MB8437.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <20240225103413.9845-1-julian@swagemakers.org>

Hello,

Sorry to bother but what had happened to this patch? It is more useful now
since outlook also switched to oauth2 only mode.

Best regards,
Shengyu


在 2024/2/25 18:34, Julian Swagemakers 写道:
> Manually send SMTP AUTH command for auth type OAUTHBEARER and XOAUTH2.
> This is necessary since they are currently not supported by the Perls
> Authen::SASL module.
>
> The bearer token needs to be passed in as the password. This can be done
> with git-credential-oauth[0] after minor modifications[1]. Which will
> allow using git send-email with Gmail and oauth2 authentication:
>
> ```
> [credential]
> 	helper = cache --timeout 7200	# two hours
> 	helper = oauth
> [sendemail]
>      smtpEncryption = tls
>      smtpServer = smtp.gmail.com
>      smtpUser = example@gmail•com
>      smtpServerPort = 587
>      smtpauth = OAUTHBEARER
> ```
>
> As well as Office 365 accounts:
>
> ```
> [credential]
> 	helper = cache --timeout 7200	# two hours
> 	helper = oauth
> [sendemail]
>      smtpEncryption = tls
>      smtpServer = smtp.office365.com
>      smtpUser = example@example•com
>      smtpServerPort = 587
>      smtpauth = XOAUTH2
> ```
>
> [0] https://github.com/hickford/git-credential-oauth
> [1] https://github.com/hickford/git-credential-oauth/issues/48
>
> Signed-off-by: Julian Swagemakers <julian@swagemakers•org>
> ---
>   git-send-email.perl | 65 +++++++++++++++++++++++++++++++++++++++++++--
>   1 file changed, 63 insertions(+), 2 deletions(-)
>
> diff --git a/git-send-email.perl b/git-send-email.perl
> index 821b2b3a13..72d378f6fd 100755
> --- a/git-send-email.perl
> +++ b/git-send-email.perl
> @@ -1359,6 +1359,63 @@ sub smtp_host_string {
>   	}
>   }
>   
> +sub generate_oauthbearer_string {
> +	# This will generate the oauthbearer string used for authentication.
> +	#
> +	# "n,a=" {User} ",^Ahost=" {Host} "^Aport=" {Port} "^Aauth=Bearer " {Access Token} "^A^A
> +	#
> +	# The first part `n,a=" {User} ",` is the gs2 header described in RFC5801.
> +	# * gs2-cb-flag `n` -> client does not support CB
> +	# * gs2-authzid `a=" {User} "`
> +	#
> +	# The second part are key value pairs containing host, port and auth as
> +	# described in RFC7628.
> +	#
> +	# https://datatracker.ietf.org/doc/html/rfc5801
> +	# https://datatracker.ietf.org/doc/html/rfc7628
> +	my $username = shift;
> +	my $token = shift;
> +	return "n,a=$username,\001port=$smtp_server_port\001auth=Bearer $token\001\001";
> +}
> +
> +sub generate_xoauth2_string {
> +	# "user=" {User} "^Aauth=Bearer " {Access Token} "^A^A"
> +	# https://developers.google.com/gmail/imap/xoauth2-protocol#initial_client_response
> +	my $username = shift;
> +	my $token = shift;
> +	return "user=$username\001auth=Bearer $token\001\001";
> +}
> +
> +sub smtp_bearer_auth {
> +	my $username = shift;
> +	my $token = shift;
> +	my $auth_string;
> +	if ($smtp_encryption ne "tls") {
> +		# As described in RFC7628 TLS is required and will be will
> +		# be enforced at this point.
> +		#
> +		# https://datatracker.ietf.org/doc/html/rfc7628#section-3
> +		die __("For $smtp_auth TLS is required.")
> +	}
> +	if ($smtp_auth eq "OAUTHBEARER") {
> +		$auth_string = generate_oauthbearer_string($username, $token);
> +	} elsif ($smtp_auth eq "XOAUTH2") {
> +		$auth_string = generate_xoauth2_string($username, $token);
> +	}
> +	my $encoded_auth_string = MIME::Base64::encode($auth_string, "");
> +	$smtp->command("AUTH $smtp_auth $encoded_auth_string\r\n");
> +	use Net::Cmd qw(CMD_OK);
> +	if ($smtp->response() == CMD_OK){
> +		return 1;
> +	} else {
> +		# Send dummy request on authentication failure according to rfc7628.
> +		# https://datatracker.ietf.org/doc/html/rfc7628#section-3.2.3
> +		$smtp->command(MIME::Base64::encode("\001"));
> +		$smtp->response();
> +		return 0;
> +	}
> +}
> +
>   # Returns 1 if authentication succeeded or was not necessary
>   # (smtp_user was not specified), and 0 otherwise.
>   
> @@ -1392,8 +1449,12 @@ sub smtp_auth_maybe {
>   		'password' => $smtp_authpass
>   	}, sub {
>   		my $cred = shift;
> -
> -		if ($smtp_auth) {
> +		if ($smtp_auth eq "OAUTHBEARER" or $smtp_auth eq "XOAUTH2") {
> +			# Since Authen:SASL does not support XOAUTH2 nor OAUTHBEARER we will
> +			# manuall authenticate for tese types. The password field should
> +			# contain the auth token at this point.
> +			return smtp_bearer_auth($cred->{'username'}, $cred->{'password'});
> +		} elsif ($smtp_auth) {
>   			my $sasl = Authen::SASL->new(
>   				mechanism => $smtp_auth,
>   				callback => {

next prev parent reply	other threads:[~2024-10-11 17:48 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-25 10:34 [PATCH] send-email: implement SMTP bearer authentication Julian Swagemakers
2024-02-28 17:53 ` M Hickford
2024-10-11 17:48 ` Shengyu Qu [this message]
2024-10-11 18:05   ` Junio C Hamano
2024-10-11 18:24     ` Shengyu Qu
     [not found]       ` < <TYCPR01MB8437CDD2208EA6555117E72C98792@TYCPR01MB8437.jpnprd01.prod.outlook.com>
2024-10-12 18:43         ` Julian Swagemakers
2025-01-25 19:01 ` [PATCH v2] " Julian Swagemakers
  -- strict thread matches above, loose matches on Subject: below --
2025-01-07 19:49 [PATCH] " M Hickford
2025-01-11 19:06 ` Julian Swagemakers
2025-01-11 21:19   ` M Hickford
2025-01-11 21:27 M Hickford

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=TYCPR01MB843751F88AF98DFDB606B0BE98792@TYCPR01MB8437.jpnprd01.prod.outlook.com \
    --to=wiagn233@outlook$(echo .)com \
    --cc=git@vger$(echo .)kernel.org \
    --cc=julian@swagemakers$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox