From: Jeff King <peff@peff.net>
To: Masaya Suzuki <masayasuzuki@google.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] credential: add nocache option to the credentials API
Date: Tue, 9 Jul 2019 07:56:20 -0500 [thread overview]
Message-ID: <20190709125620.GA18175@sigill.intra.peff.net> (raw)
In-Reply-To: <20190707055132.103736-1-masayasuzuki@google.com>
On Sat, Jul 06, 2019 at 10:51:32PM -0700, Masaya Suzuki wrote:
> The credentials API calls credentials helpers in order. If a
> username/password pair is returned the helpers and if it's used for
> authentication successfully, it's announced to the helpers and they can
> store it for later use.
>
> Some credentials are valid only for the limited time and should not be
> cached. In this case, because the credential is announced to all helpers
> and they can independently decide whether they will cache it or not,
> those short-lived credentials can be cached.
>
> This change adds an option that a credential helper can specify that the
> credential returned by the helper should not be cached. If this is
> specified, even after the credential is used successfully, it won't be
> announced to other helpers for store.
I think this makes sense to do, though note that there's an old
discussion which covers some alternatives:
https://public-inbox.org/git/20120407033417.GA13914@sigill.intra.peff.net/
In that patch, I essentially proposed making all gathered credentials as
nocache. That's a more secure default (though in some cases less
convenient).
It did break a case Shawn had of caching the result of another helper. I
showed some options there for providing a mechanism to chain helpers
together explicitly.
We also discussed helpers passing out an explicit ttl. That's a more
general case of your nocache flag (i.e., ttl=0 covers that case, but we
could additionally pass "ttl" to the cache helper to let it be smarter).
Given the age of that discussion and the fact that nobody has really
complained much in the interim, I'm OK to go with your much simpler
approach. But I think it's worth at least thinking for a few minutes on
whether there's anything to pull from that discussion. :)
(As a side note, I've had all those patches on my "to revisit and send
upstream" queue for 7 years; if we take yours, maybe I can finally let
them go. ;) ).
> Documentation/technical/api-credentials.txt | 4 +++-
> credential.c | 4 +++-
> credential.h | 3 ++-
> t/t0300-credentials.sh | 9 +++++++++
> 4 files changed, 17 insertions(+), 3 deletions(-)
The patch itself looks good; two minor comments:
> @@ -296,7 +298,7 @@ void credential_approve(struct credential *c)
> {
> int i;
>
> - if (c->approved)
> + if (c->approved || c->no_cache)
> return;
> if (!c->username || !c->password)
> return;
Here we're disallowing a "nocache" credential from being passed to _any_
helper, whether it's caching or not. It could be storing permanently,
though perhaps that's semantic nitpicking (if it's not to be cached, it
probably shouldn't be stored permanently either). Other helpers could in
theory be doing something else with the data, though in practice I doubt
here are any uses beyond debugging.
I dunno. I started writing that paragraph to suggest calling it
"nostore" or something, but I think that is really no better than
"nocache".
If we did have a ttl, I'd expect to see a check for "ttl=0" here, but
then otherwise pass the ttl along to the helper (and a matching change
in credential-cache to use the minimum of the credential-specific ttl or
the global-configured one).
> diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
> index 82eaaea0f4..ad06f6fe11 100755
> --- a/t/t0300-credentials.sh
> +++ b/t/t0300-credentials.sh
> @@ -118,6 +118,15 @@ test_expect_success 'do not bother storing password-less credential' '
> EOF
> '
>
> +test_expect_success 'credential_approve does not call helpers for nocache' '
> + check approve useless <<-\EOF
> + username=foo
> + password=bar
> + nocache=1
> + --
> + --
> + EOF
> +'
At first I thought this test was doing nothing, since we don't generally
expect a helper to produce output for an "approve" request (and there
are cases in lib-credential.sh that rely on that). But the "useless"
helper is intentionally chatty, so it produces output for all requests,
and this would fail without your patch. Good.
The cases in lib-credential also omit the "--" for empty sections, but I
see the similar "do not bother..." test above includes them. It
shouldn't matter either way.
So I think this looks good.
-Peff
next prev parent reply other threads:[~2019-07-09 12:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-07 5:51 [PATCH] credential: add nocache option to the credentials API Masaya Suzuki
2019-07-09 12:56 ` Jeff King [this message]
2019-07-22 17:30 ` Masaya Suzuki
2019-07-22 21:00 ` Jeff King
2019-08-26 16:27 ` Junio C Hamano
2019-09-15 21:50 ` Masaya Suzuki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190709125620.GA18175@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=masayasuzuki@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).