git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: Simon.Richter@hogyros.de
To: git@vger.kernel.org
Cc: Simon Richter <Simon.Richter@hogyros.de>
Subject: [PATCH 0/3] Allow configuration of HTTP authentication method
Date: Fri, 13 May 2022 09:04:13 +0200	[thread overview]
Message-ID: <20220513070416.37235-1-Simon.Richter@hogyros.de> (raw)

From: Simon Richter <Simon.Richter@hogyros.de>

Hi,

this adds a configuration option to set the authentication method curl uses
when authenticating to a server.

The method is always configured, not just when a username is set, to allow
failing early if the server does not support the selected method;
otherwise, this mechanism is orthogonal to the proxy authentication method
handling, and I've liberally copied code from there.

This introduces http.authmethod and remote.<name>.authmethod configuration
options and an environment variable GIT_HTTP_AUTHMETHOD, with ascending
precedence.

There are three patches in this series, one that just renames a constant
list of options as it is used outside the proxy configuration scope now,
one that contains the main patch, and one I'm unsure about (hence no
Signed-Off-By yet) that allows empty user names during authentication.

The latter avoids surprises when people half-follow Microsoft's
documentation, which suggests that users configure a custom header
containing a hand-crafted Basic authentication string with an empty user
name. This is not strictly required by the "DevOps" server, any string will
do here, but simply pressing return on the username prompt will otherwise
fail to present the credentials at all, and give an error message
indicating that the given token is invalid.

I haven't investigated fully whether this is of any use outside the
interactive case, so the third patch is more of a request for comments.

With these changes, I can successfully authenticate to MS DevOps server
over HTTP using a Personal Access Token, without using the custom header
workaround[1], which allows me to use git-lfs (which in turn doesn't work
over ssh) from Jenkins with a limited token that is stored in the Jenkins
credential store, solving a problem for approximately tens of users[2].

   Simon

[1] https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#use-a-pat

[2] https://stackoverflow.com/q/64800010

Simon Richter (3):
  Rename proxy_authmethods -> authmethods
  Add config option/env var to limit HTTP auth methods
  Allow empty user name in HTTP authentication

 Documentation/config/http.txt   | 19 ++++++++++++++
 Documentation/config/remote.txt |  4 +++
 http.c                          | 45 ++++++++++++++++++++++++++++-----
 remote.c                        |  4 +++
 remote.h                        |  3 +++
 5 files changed, 68 insertions(+), 7 deletions(-)

-- 
2.30.2


             reply	other threads:[~2022-05-13  7:13 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-13  7:04 Simon.Richter [this message]
2022-05-13  7:04 ` [PATCH 1/3] Rename proxy_authmethods -> authmethods Simon.Richter
2022-05-13 19:50   ` Junio C Hamano
2022-05-13  7:04 ` [PATCH 2/3] Add config option/env var to limit HTTP auth methods Simon.Richter
2022-05-13 20:26   ` Junio C Hamano
2022-05-13  7:04 ` [RFC PATCH 3/3] Allow empty user name in HTTP authentication Simon.Richter
2022-05-13 23:51   ` brian m. carlson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220513070416.37235-1-Simon.Richter@hogyros.de \
    --to=simon.richter@hogyros.de \
    --cc=git@vger.kernel.org \
    --subject='Re: [PATCH 0/3] Allow configuration of HTTP authentication method' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).