From 0521710a8b9321751ca8768c3f7ea8895901e5c3 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 13 Dec 2011 15:17:04 -0500 Subject: [PATCH 1/2] t5540: test DAV push with authentication We don't currently test this case at all, and instead just test the DAV mechanism over an unauthenticated push. That isn't very realistic, as most people will want to authenticate pushes. Two of the tests expect_failure as they reveal bugs: 1. Pushing without a username in the URL fails to ask for credentials when we get an HTTP 401. This has always been the case, but it would be nice if it worked like smart-http. 2. Pushing with a username fails to ask for the password since 986bbc0 (http: don't always prompt for password, 2011-11-04). This is a severe regression in v1.7.8, as authenticated push-over-DAV is now totally unusable unless you have credentials in your .netrc. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/lib-httpd/apache.conf | 3 +++ t/t5540-http-push.sh | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf index 0a4cdfa93..3c12b05d6 100644 --- a/t/lib-httpd/apache.conf +++ b/t/lib-httpd/apache.conf @@ -92,6 +92,9 @@ SSLEngine On Dav on + + Dav on + diff --git a/t/t5540-http-push.sh b/t/t5540-http-push.sh index 64767d870..330022779 100755 --- a/t/t5540-http-push.sh +++ b/t/t5540-http-push.sh @@ -40,6 +40,22 @@ test_expect_success 'setup remote repository' ' mv test_repo.git "$HTTPD_DOCUMENT_ROOT_PATH" ' +test_expect_success 'create password-protected repository' ' + mkdir -p "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb" && + cp -Rf "$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \ + "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/test_repo.git" +' + +test_expect_success 'setup askpass helper' ' + cat >askpass <<-\EOF && + #!/bin/sh + echo user@host + EOF + chmod +x askpass && + GIT_ASKPASS="$PWD/askpass" && + export GIT_ASKPASS +' + test_expect_success 'clone remote repository' ' cd "$ROOT_PATH" && git clone $HTTPD_URL/dumb/test_repo.git test_repo_clone @@ -144,6 +160,24 @@ test_expect_success 'PUT and MOVE sends object to URLs with SHA-1 hash suffix' ' test_http_push_nonff "$HTTPD_DOCUMENT_ROOT_PATH"/test_repo.git \ "$ROOT_PATH"/test_repo_clone master +test_expect_failure 'push to password-protected repository (user in URL)' ' + test_commit pw-user && + git push "$HTTPD_URL_USER/auth/dumb/test_repo.git" HEAD && + git rev-parse --verify HEAD >expect && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/test_repo.git" \ + rev-parse --verify HEAD >actual && + test_cmp expect actual +' + +test_expect_failure 'push to password-protected repository (no user in URL)' ' + test_commit pw-nouser && + git push "$HTTPD_URL/auth/dumb/test_repo.git" HEAD && + git rev-parse --verify HEAD >expect && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/test_repo.git" \ + rev-parse --verify HEAD >actual && + test_cmp expect actual +' + stop_httpd test_done From a4ddbc33d7906f0e10c68c140a9a1003d9715a77 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 13 Dec 2011 19:11:56 -0500 Subject: [PATCH 2/2] http-push: enable "proactive auth" Before commit 986bbc08, git was proactive about asking for http passwords. It assumed that if you had a username in your URL, you would also want a password, and asked for it before making any http requests. However, this could interfere with the use of .netrc (see 986bbc08 for details). And it was also unnecessary, since the http fetching code had learned to recognize an HTTP 401 and prompt the user then. Furthermore, the proactive prompt could interfere with the usage of .netrc (see 986bbc08 for details). Unfortunately, the http push-over-DAV code never learned to recognize HTTP 401, and so was broken by this change. This patch does a quick fix of re-enabling the "proactive auth" strategy only for http-push, leaving the dumb http fetch and smart-http as-is. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- http-fetch.c | 2 +- http-push.c | 2 +- http.c | 8 +++++++- http.h | 3 ++- remote-curl.c | 2 +- t/t5540-http-push.sh | 2 +- 6 files changed, 13 insertions(+), 6 deletions(-) diff --git a/http-fetch.c b/http-fetch.c index 69299b7bd..94d47cbb2 100644 --- a/http-fetch.c +++ b/http-fetch.c @@ -67,7 +67,7 @@ int main(int argc, const char **argv) git_config(git_default_config, NULL); - http_init(NULL, url); + http_init(NULL, url, 0); walker = get_http_walker(url); walker->get_tree = get_tree; walker->get_history = get_history; diff --git a/http-push.c b/http-push.c index edd553b7f..cdfdd4f79 100644 --- a/http-push.c +++ b/http-push.c @@ -1820,7 +1820,7 @@ int main(int argc, char **argv) memset(remote_dir_exists, -1, 256); - http_init(NULL, repo->url); + http_init(NULL, repo->url, 1); #ifdef USE_CURL_MULTI is_running_queue = 0; diff --git a/http.c b/http.c index e6c75976e..7e454f778 100644 --- a/http.c +++ b/http.c @@ -43,6 +43,7 @@ static int curl_ftp_no_epsv; static const char *curl_http_proxy; static const char *curl_cookie_file; static char *user_name, *user_pass, *description; +static int http_proactive_auth; static const char *user_agent; #if LIBCURL_VERSION_NUM >= 0x071700 @@ -279,6 +280,9 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); #endif + if (http_proactive_auth) + init_curl_http_auth(result); + if (ssl_cert != NULL) curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert); if (has_cert_password()) @@ -367,7 +371,7 @@ static void set_from_env(const char **var, const char *envname) *var = val; } -void http_init(struct remote *remote, const char *url) +void http_init(struct remote *remote, const char *url, int proactive_auth) { char *low_speed_limit; char *low_speed_time; @@ -378,6 +382,8 @@ void http_init(struct remote *remote, const char *url) curl_global_init(CURL_GLOBAL_ALL); + http_proactive_auth = proactive_auth; + if (remote && remote->http_proxy) curl_http_proxy = xstrdup(remote->http_proxy); diff --git a/http.h b/http.h index 3c332a98e..51f6ba73b 100644 --- a/http.h +++ b/http.h @@ -86,7 +86,8 @@ extern void add_fill_function(void *data, int (*fill)(void *)); extern void step_active_slots(void); #endif -extern void http_init(struct remote *remote, const char *url); +extern void http_init(struct remote *remote, const char *url, + int proactive_auth); extern void http_cleanup(void); extern int data_received; diff --git a/remote-curl.c b/remote-curl.c index 0e720ee8b..0757b19a8 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -859,7 +859,7 @@ int main(int argc, const char **argv) url = strbuf_detach(&buf, NULL); - http_init(remote, url); + http_init(remote, url, 0); do { if (strbuf_getline(&buf, stdin, '\n') == EOF) { diff --git a/t/t5540-http-push.sh b/t/t5540-http-push.sh index 330022779..1eea64765 100755 --- a/t/t5540-http-push.sh +++ b/t/t5540-http-push.sh @@ -160,7 +160,7 @@ test_expect_success 'PUT and MOVE sends object to URLs with SHA-1 hash suffix' ' test_http_push_nonff "$HTTPD_DOCUMENT_ROOT_PATH"/test_repo.git \ "$ROOT_PATH"/test_repo_clone master -test_expect_failure 'push to password-protected repository (user in URL)' ' +test_expect_success 'push to password-protected repository (user in URL)' ' test_commit pw-user && git push "$HTTPD_URL_USER/auth/dumb/test_repo.git" HEAD && git rev-parse --verify HEAD >expect &&