[PATCH] http: store credential when PKI auth is used

[PATCH] http: store credential when PKI auth is used

[John Szakmeister]

We already looked for the PKI credentials in the credential store, but
failed to approve it on success.  Meaning, the PKI certificate password
was never stored and git would request it on every connection to the
remote.  Let's complete the chain by storing the certificate password on
success.

Signed-off-by: John Szakmeister <john@szakmeister.net>
---

I'm not sure if certificate passwords were not stored for some reason, but
searching the archives I didn't see a mention of it.  Hopefully this is
acceptable.  I did try this in an environment where we have client SSL certs and
this made the user experience much better.

 http.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/http.c b/http.c
index f8ea28bb2e..440890695f 100644
--- a/http.c
+++ b/http.c
@@ -1637,6 +1637,8 @@ static int handle_curl_result(struct slot_results *results)
 		credential_approve(&http_auth);
 		if (proxy_auth.password)
 			credential_approve(&proxy_auth);
+		if (cert_auth.password)
+			credential_approve(&cert_auth);
 		return HTTP_OK;
 	} else if (missing_target(results))
 		return HTTP_MISSING_TARGET;
-- 
2.30.1

Re: [PATCH] http: store credential when PKI auth is used

[Jeff King]

On Sat, Mar 06, 2021 at 05:52:53PM -0500, John Szakmeister wrote:

> We already looked for the PKI credentials in the credential store, but
> failed to approve it on success.  Meaning, the PKI certificate password
> was never stored and git would request it on every connection to the
> remote.  Let's complete the chain by storing the certificate password on
> success.
> 
> Signed-off-by: John Szakmeister <john@szakmeister.net>
> ---
> 
> I'm not sure if certificate passwords were not stored for some reason, but
> searching the archives I didn't see a mention of it.  Hopefully this is
> acceptable.  I did try this in an environment where we have client SSL certs and
> this made the user experience much better.

I think it was just something that nobody ever cared about before. The
cert password request got converted to credential_fill() as part of
148bb6a7b4 (http: use credential API to get passwords, 2011-12-10). That
commit added approve/reject for http, because that's what I really cared
about, but the intent was always to treat most password queries
consistently.

> diff --git a/http.c b/http.c
> index f8ea28bb2e..440890695f 100644
> --- a/http.c
> +++ b/http.c
> @@ -1637,6 +1637,8 @@ static int handle_curl_result(struct slot_results *results)
>  		credential_approve(&http_auth);
>  		if (proxy_auth.password)
>  			credential_approve(&proxy_auth);
> +		if (cert_auth.password)
> +			credential_approve(&cert_auth);

So I think this is the right direction, but:

  - you'd need a credential_reject() somewhere, too. Otherwise a bad
    password will get stored and then reused over and over, with no
    opportunity to tell the helper to forget about it.

  - is this the best spot to check that our password was right? We only
    care about unlocking the local cert, which in theory is independent
    of what the server tells us. I suspect we can't really tell the
    difference, though (we hand the cert path and password off to curl,
    and then hopefully a request is successful). So this may be the best
    we can do for approval. But for rejection, I doubt that a 401 would
    be the right response. How does curl respond when the password is
    bad? Likewise, what happens if the password is bad but the server is
    willing to make the request anyway (does curl bail immediately, or
    might we get an HTTP 200 even with a bad cert password)?

  - I think proxy_cert_auth would probably want the same treatment.

  - The "if (cert_auth.password)" is redundant. credential_approve()
    will return silently if there is no password to approve. I know
    you're copying the pattern from directly above, but I think that one
    should be cleaned up, too.

    (I also was mildly surprised that this worked at all, since
    credential_approve() will bail if there is no username field. But
    the cert code fills in an empty username).

Most of those are "nice to have" improvements over what you have here,
but I think without a matching reject() this would be a regression.

-Peff

Re: [PATCH] http: store credential when PKI auth is used

[John Szakmeister]

On Wed, Mar 10, 2021 at 3:01 PM Jeff King <peff@peff.net> wrote:
[snip]
> I think it was just something that nobody ever cared about before. The
> cert password request got converted to credential_fill() as part of
> 148bb6a7b4 (http: use credential API to get passwords, 2011-12-10). That
> commit added approve/reject for http, because that's what I really cared
> about, but the intent was always to treat most password queries
> consistently.

I figured it'd be something like that, but wanted to ask, just in case. :-)

> > diff --git a/http.c b/http.c
> > index f8ea28bb2e..440890695f 100644
> > --- a/http.c
> > +++ b/http.c
> > @@ -1637,6 +1637,8 @@ static int handle_curl_result(struct slot_results *results)
> >               credential_approve(&http_auth);
> >               if (proxy_auth.password)
> >                       credential_approve(&proxy_auth);
> > +             if (cert_auth.password)
> > +                     credential_approve(&cert_auth);
>
> So I think this is the right direction, but:
>
>   - you'd need a credential_reject() somewhere, too. Otherwise a bad
>     password will get stored and then reused over and over, with no
>     opportunity to tell the helper to forget about it.

Right, I totally forgot about that aspect of this.

>   - is this the best spot to check that our password was right? We only
>     care about unlocking the local cert, which in theory is independent
>     of what the server tells us. I suspect we can't really tell the
>     difference, though (we hand the cert path and password off to curl,
>     and then hopefully a request is successful). So this may be the best
>     we can do for approval. But for rejection, I doubt that a 401 would
>     be the right response. How does curl respond when the password is
>     bad? Likewise, what happens if the password is bad but the server is
>     willing to make the request anyway (does curl bail immediately, or
>     might we get an HTTP 200 even with a bad cert password)?

It turns out that it was the right spot.  Curl will report
CURLE_SSL_CERTPROBLEM when provided a bad password, so
I ended up checking for that and using it to reject the credential.  It's a
bit loose in that other problems with the client certificate could cause
the same error, but there's not a good way to know whether the issue
was password-related or not.  So the new patch set will just reject it,
even if the issue was ultimately some other problem with the cert.  It
seemed like the best response given the information we have.

>   - I think proxy_cert_auth would probably want the same treatment.

Oh, I think I misread this before making my fixes.  I think what you're
saying here is that proxy_cert_auth should be approved and rejected
in the same spots as the client cert auth?  I missed that but am happy
to add it, if that's what you meant.  The only trouble is that I don't have
a great way of checking that particular feature.

>   - The "if (cert_auth.password)" is redundant. credential_approve()
>     will return silently if there is no password to approve. I know
>     you're copying the pattern from directly above, but I think that one
>     should be cleaned up, too.

Done.

>     (I also was mildly surprised that this worked at all, since
>     credential_approve() will bail if there is no username field. But
>     the cert code fills in an empty username).
>
> Most of those are "nice to have" improvements over what you have here,
> but I think without a matching reject() this would be a regression.

No worries.  If we can figure out the details, I'm happy to add it.

-John

Re: [PATCH] http: store credential when PKI auth is used

[Jeff King]

On Thu, Mar 11, 2021 at 08:01:53PM -0500, John Szakmeister wrote:

> >   - I think proxy_cert_auth would probably want the same treatment.
> 
> Oh, I think I misread this before making my fixes.  I think what you're
> saying here is that proxy_cert_auth should be approved and rejected
> in the same spots as the client cert auth?  I missed that but am happy
> to add it, if that's what you meant.  The only trouble is that I don't have
> a great way of checking that particular feature.

Yep, that's what I meant. Looking at CURLE_SSL_* in curl.h, it looks
like there's no way to distinguish a proxy cert problem from a regular
cert problem. So probably we'd need to reject both when we see
CURLE_SSL_CERTPROBLEM. As long as somebody is not using both at once, it
would not matter at all. And even if they are, the worst case is having
to put in their password again.

That said, given that nobody has asked for it and you have no easy way
of testing it, I'm content to leave it be for now. Your patches
shouldn't make anything worse there, and it shouldn't be too hard to
find this discussion in the list archive later.

-Peff