Re: [PATCH v2 1/1] http: allow authenticating proactively

public inbox for git@vger.kernel.org 
 help / color / mirror / Atom feed

From: Junio C Hamano <gitster@pobox•com>
To: "brian m. carlson" <sandals@crustytoothpaste•net>
Cc: <git@vger•kernel.org>
Subject: Re: [PATCH v2 1/1] http: allow authenticating proactively
Date: Wed, 03 Jul 2024 22:49:56 -0700	[thread overview]
Message-ID: <xmqqo77d7lkr.fsf@gitster.g> (raw)
In-Reply-To: <20240704001748.746429-2-sandals@crustytoothpaste.net> (brian m. carlson's message of "Thu, 4 Jul 2024 00:17:48 +0000")

"brian m. carlson" <sandals@crustytoothpaste•net> writes:

> If we're in auto mode and we got a username and password, set the
> authentication scheme to Basic.  libcurl will not send authentication
> proactively unless there's a single choice of allowed authentication,
> and we know in this case we didn't get an authtype entry telling us what
> scheme to use, or we would have taken a different codepath and written
> the header ourselves.  In any event, of the other schemes that libcurl
> supports, Digest and NTLM require a nonce or challenge, which means that
> they cannot work with proactive auth, and GSSAPI does not use a username
> and password at all, so Basic is the only logical choice among the
> built-in options.

Nice explanation.

> +http.proactiveAuth::
> +	Attempt authentication without first making an unauthenticated attempt and
> +	receiving a 401 response. This can be used to ensure that all requests are
> +	authenticated. If `http.emptyAuth` is set to true, this value has no effect.
> ++
> +If the credential helper used specifies an authentication scheme (i.e., via the
> +`authtype` field), that value will be used; if a username and password is
> +provided without a scheme, then Basic authentication is used.  The value of the
> +option determines the scheme requested from the helper. Possible values are:
> ++
> +--
> +* `basic` - Request Basic authentication from the helper.
> +* `auto` - Allow the helper to pick an appropriate scheme.
> +* `none` - Disable proactive authentication.
> +--
> ++
> +Note that TLS should always be used with this configuration, since otherwise it
> +is easy to accidentally expose plaintext credentials if Basic authentication
> +is selected.

OK.

> @@ -539,6 +552,18 @@ static int http_options(const char *var, const char *value,
>  		return 0;
>  	}
>  
> +	if (!strcmp("http.proactiveauth", var)) {

If we choose to make

	[http] proactiveauth ; nothing else on the line

an error, we could do

		if (!value)
                	return config_error_nonbool(var);

and lose all the "we have to make sure value is not NULL before
feeding it to strcmp()" checks below.

Or 

		if (!value) {
			warning(_("http.proactiveauth set to true???"));
                        return 0;
		}

if we wanted to be more lenient (which is more in line with how we
treat unknown string value below).

> +		if (value && !strcmp(value, "auto"))
> +			http_proactive_auth = PROACTIVE_AUTH_AUTO;
> +		else if (value && !strcmp(value, "basic"))
> +			http_proactive_auth = PROACTIVE_AUTH_BASIC;
> +		else if (value && !strcmp(value, "none"))
> +			http_proactive_auth = PROACTIVE_AUTH_NONE;
> +		else
> +			warning(_("Unknown value for http.proactiveauth"));
> +		return 0;
> +	}
> +

Other than that I saw nothing puzzling or curious.  Looking very
good.

Thanks.  Will queue.

next prev parent reply	other threads:[~2024-07-04  5:49 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-28  0:27 [PATCH 0/1] Proactive authentication over HTTP brian m. carlson
2024-06-28  0:27 ` [PATCH 1/1] http: allow authenticating proactively brian m. carlson
2024-06-28 18:16   ` Junio C Hamano
2024-06-28 22:00     ` brian m. carlson
2024-06-28 22:18       ` Junio C Hamano
2024-06-29  0:23         ` brian m. carlson
2024-07-01 15:26           ` Junio C Hamano
2024-07-04  0:17 ` [PATCH v2 0/1] Proactive authentication over HTTP brian m. carlson
2024-07-04  0:17   ` [PATCH v2 1/1] http: allow authenticating proactively brian m. carlson
2024-07-04  5:49     ` Junio C Hamano [this message]
2024-07-10  0:01   ` [PATCH v3 0/1] Proactive authentication over HTTP brian m. carlson
2024-07-10  0:01     ` [PATCH v3 1/1] http: allow authenticating proactively brian m. carlson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=xmqqo77d7lkr.fsf@gitster.g \
    --to=gitster@pobox$(echo .)com \
    --cc=git@vger$(echo .)kernel.org \
    --cc=sandals@crustytoothpaste$(echo .)net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox