From: M Hickford <mirth.hickford@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: "M Hickford via GitGitGadget" <gitgitgadget@gmail.com>,
git@vger.kernel.org, "Johannes Sixt [ ]" <j6t@kdbg.org>,
"Harshil Jani [ ]" <harshiljani2002@gmail.com>,
"Jakub Bereżański" <kuba@berezanscy.pl>,
"Karsten Blees" <blees@dcon.de>,
"Erik Faye-Lund" <kusmabite@gmail.com>,
"Javier Roucher Iglesias"
<Javier.Roucher-Iglesias@ensimag.imag.fr>,
"M Hickford" <mirth.hickford@gmail.com>
Subject: Re: [PATCH] credential/wincred: store password_expiry_utc
Date: Thu, 30 Mar 2023 06:50:30 +0100 [thread overview]
Message-ID: <CAGJzqs=D8hmcxJKGCcz-NqEQ+QDYgi_aO02fj59kQoHZgiW3OQ@mail.gmail.com> (raw)
In-Reply-To: <35e1ebe6-e15b-1712-f030-70ab708740db@gmx.de>
On Tue, 28 Mar 2023 at 13:14, Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote:
> And the reason is...
>
> > @@ -195,6 +197,15 @@ static void get_credential(void)
> > write_item("password",
> > (LPCWSTR)creds[i]->CredentialBlob,
> > creds[i]->CredentialBlobSize / sizeof(WCHAR));
> > + attr = creds[i]->Attributes;
> > + for (int j = 0; j < creds[i]->AttributeCount; j++) {
> > + if (wcscmp(attr->Keyword, L"git_password_expiry_utc")) {
>
> ^^^^^^
>
> ... here. Note how the return value of `wcscmp()` needs to be non-zero to
> enter the conditional block? But `wcscmp()` returns 0 if there are no
> differences between the two provided strings.
>
> That's not the only bug, though. While the loop iterates over all of the
> attributes, the `attr` variable is unchanged, and always points to the
> first attribute. You have to access it as `creds[i]->Attributes[j]`,
> though, see e.g.
> https://github.com/sandboxie-plus/Sandboxie/blob/f2a357f9222b81e7bdc994e5d9824790a1b5d826/Sandboxie/core/dll/cred.c#L324
>
> So with this patch on top of your patch, it works for me:
>
Thanks Johannes for the review and the fix. I'll include it in any patch v2.
>
> But I have to wonder: why even bother with `git-wincred`? This credential
> helper is so ridiculously limited in its capabilities, it does not even
> support any host that is remotely close to safe (no 2FA, no OAuth, just
> passwords). So I would be just as happy if I weren't asked to spend my
> time to review changes to a credential helper I'd much rather see retired
> than actively worked on.
git-credential-wincred has the same capabilities as popular helpers
git-credential-cache, git-credential-store, git-credential-osxkeychain
and git-credential-libsecret. Any of which can store OAuth credentials
generated by a helper such as git-credential-oauth [1]. This is
compatible with 2FA (any 2FA happens in browser). Example config:
[credential]
helper = wincred
helper = oauth
This patch to store password_expiry_utc is necessary to avoid Git
trying to use OAuth credentials beyond expiry. See
https://github.com/git/git/commit/d208bfdfef97a1e8fb746763b5057e0ad91e283b
for background (I'll add to commit message v2).
What about Git Credential Manager? GCM has a similar need to store
password expiry, see comment
https://github.com/git-ecosystem/git-credential-manager/discussions/1169#discussioncomment-5472096.
I think OAuth is important enough to fix this issue in both
git-credential-wincred and GCM. Some users might prefer the above
setup over GCM to avoid .NET dependency or if they really like
git-credential-oauth.
Note that OAuth expiry issues don't occur authenticating to GitHub
because GitHub doesn't populate OAuth expiry.
[1] https://github.com/hickford/git-credential-oauth
next prev parent reply other threads:[~2023-03-30 5:51 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-25 7:39 [PATCH] credential/wincred: store password_expiry_utc M Hickford via GitGitGadget
2023-03-28 12:14 ` Johannes Schindelin
2023-03-30 5:50 ` M Hickford [this message]
2023-05-01 22:25 ` Junio C Hamano
2023-05-02 9:38 ` M Hickford
2023-05-02 17:43 ` Johannes Sixt
2023-05-02 18:16 ` Felipe Contreras
2023-03-30 18:17 ` [PATCH v2] " M Hickford via GitGitGadget
2023-03-30 19:19 ` Junio C Hamano
2023-04-03 7:00 ` M Hickford
2023-04-03 7:47 ` [PATCH v3] " M Hickford via GitGitGadget
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGJzqs=D8hmcxJKGCcz-NqEQ+QDYgi_aO02fj59kQoHZgiW3OQ@mail.gmail.com' \
--to=mirth.hickford@gmail.com \
--cc=Javier.Roucher-Iglesias@ensimag.imag.fr \
--cc=Johannes.Schindelin@gmx.de \
--cc=blees@dcon.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=harshiljani2002@gmail.com \
--cc=j6t@kdbg.org \
--cc=kuba@berezanscy.pl \
--cc=kusmabite@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).