From: Patrick Steinhardt <ps@pks.im>
To: "brian m. carlson" <sandals@crustytoothpaste.net>,
git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>,
Matthew John Cheetham <mjcheetham@outlook.com>,
M Hickford <mirth.hickford@gmail.com>
Subject: Re: [PATCH 05/13] credential: gate new fields on capability
Date: Tue, 2 Apr 2024 12:04:31 +0200 [thread overview]
Message-ID: <ZgvYLxfNwBcOB_s1@tanuki> (raw)
In-Reply-To: <ZgSQr7uQdIA8oVNn@tapette.crustytoothpaste.net>
[-- Attachment #1: Type: text/plain, Size: 6843 bytes --]
On Wed, Mar 27, 2024 at 09:33:35PM +0000, brian m. carlson wrote:
> On 2024-03-27 at 08:02:39, Patrick Steinhardt wrote:
> > On Sun, Mar 24, 2024 at 01:12:53AM +0000, brian m. carlson wrote:
> > > +static int credential_has_capability(const struct credential_capability *capa, int op_type)
> > > +{
> > > + /*
> > > + * We're checking here if each previous step indicated that we had the
> > > + * capability. If it did, then we want to pass it along; conversely, if
> > > + * it did not, we don't want to report that to our caller.
> > > + */
> > > + switch (op_type) {
> > > + case CREDENTIAL_OP_HELPER:
> > > + return capa->request_initial;
> > > + case CREDENTIAL_OP_RESPONSE:
> > > + return capa->request_initial && capa->request_helper;
> > > + default:
> > > + return 0;
> > > + }
> > > +}
> >
> > I think I'm missing the bigger picture here, so please bear with me.
> >
> > What you provide here is simply an `op_type` that indicates the phase we
> > are currently in and thus allows us to check whether all of the
> > preceding phases had the capability set. But to me it seems like a phase
> > and the actual capability should be different things. So why is it that
> > the capability seems to be a mere boolean value instead of something
> > like a bitfield indicating whether a specific capability is supported or
> > not? Or is all of this infra really only to support a single capability,
> > namely the credential capability?
> >
> > I'm mostly coming from the angle of how capabilities work with remote
> > helpers. When asked, the helper will announce a set of capabilities that
> > it supports, e.g. "capabilities stateless-connect". So from thereon the
> > client of the helper knows that it can assume "stateless-connect" to be
> > understood by the helper.
> >
> > I would have expected capabilities to work similarly for the credential
> > helper, where it announces "I know to handle pre-encoded credentials".
> > But given that I have basically no clue at all for how the credential
> > helper works there may very well be good reasons why things work so
> > differently here.
>
> Let me explain a little bit. There are two possible flows that we can
> have for a credential request:
>
> git-credential input -> credential.c -> helper -> credential.c -> git-credential output
>
> git-http-backend -> credential.c -> helper -> credential.c -> git-http-backend
>
> Let's look at the first one (which might, say, come from Git LFS or
> another external tool), but the second one works similarly. When we get
> a request from `git credential fill`, we need to know first whether the
> requester supports the capability. If we're using an external tool from
> last decade, it's not going to do so.
>
> If it _does_ support that, then we want to pass that along to the
> helper, but if it doesn't, we don't. That's because if the caller
> doesn't support `credential` and `authtype`, the helper might
> legitimately want to provide a username and password (or token) instead,
> knowing that that's more likely to work.
>
> Similarly, in the final response, we want to indicate to the external
> caller whether the capability was in fact supported. That's useful to
> know in case we want to pass the response back to `git credential
> store`, and it also discloses functionality about what the credential
> helper in use supports.
>
> We can't assume that the helper does or doesn't support the same
> capabilities as Git because it might come from outside Git (e.g., Git
> Credential Manager Core, or a site-specific credential helper) or it
> just might not be capable of storing or handling that kind of
> credential. By not making the assumption that the helper is implicitly
> capable, we allow users to continue to use very simple shell scripts as
> credential helpers.
The intent of this is quite clear to me, but thanks for re-explaining
the bigger picture :)
> As to why this functionality exists, it exists to support the two new
> capabilities in this series, `credential` and `state`. A pie in the sky
> goal for the future is to support additional request signing
> functionality, so it might learn things like method, URI, and TLS
> channel binding info, which would be an additional capability. (I might
> implement that, or I might not.) All of those are boolean: they either
> are supported, or not. If folks in the future want to expose
> non-boolean capabilities, I don't think that should be a problem.
I think you misunderstood my confusion. I didn't meant to say that there
should be non-boolean capabilities. I was rather missing the picture of
how exactly you can advertise multiple capabilities with the infra that
currently exists, and why the infra supports per-phase capabilities.
Basically, what I would have expected is a protocol where both Git and
the credential helper initially did a single "handshake" that also
announces capabilities. So something like:
HELPER: capability foobar
HELPER: capability barfoo
GIT: capability foobar
Git would only acknowledge capabilities that it both understands and
that have been announced by the helper. So at the end of this both have
agreed on a single capability "foobar".
This is roughly how the remote helper capability subsystem works. What
this patch is introducing seems quite a bit more complicated than that
though because we have "staged" capabilities. I assume there is good
reason for this complexity, but I didn't yet manage to figure out the
reasoning behind it.
To ask more specifically: why would one side ever announce a capability
in phase 1, but not in phase 2? Is the reason that capabilities are in
fact tied to credentials?
Patrick
> > > +/*
> > > + * These values define the kind of operation we're performing and the
> > > + * capabilities at each stage. The first is either an external request (via git
> > > + * credential fill) or an internal request (e.g., via the HTTP) code. The
> > > + * second is the call to the credential helper, and the third is the response
> > > + * we're providing.
> > > + *
> > > + * At each stage, we will emit the capability only if the previous stage
> > > + * supported it.
> > > + */
> > > +#define CREDENTIAL_OP_INITIAL 1
> > > +#define CREDENTIAL_OP_HELPER 2
> > > +#define CREDENTIAL_OP_RESPONSE 3
> >
> > Is there any specific reason why you're using defines instead of an enum
> > here? I think the latter would be more self-explanatory when you see
> > that functions take `enum credential_op` as input instead of an `int`.
>
> I think an enum would be a nice improvement. I'll include that in a
> reroll.
> --
> brian m. carlson (they/them or he/him)
> Toronto, Ontario, CA
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-04-02 10:04 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-24 1:12 [PATCH 00/13] Support for arbitrary schemes in credentials brian m. carlson
2024-03-24 1:12 ` [PATCH 01/13] credential: add an authtype field brian m. carlson
2024-03-24 1:12 ` [PATCH 02/13] remote-curl: reset headers on new request brian m. carlson
2024-03-24 1:12 ` [PATCH 03/13] http: use new headers for each object request brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-24 1:12 ` [PATCH 04/13] credential: add a field for pre-encoded credentials brian m. carlson
2024-03-24 1:12 ` [PATCH 05/13] credential: gate new fields on capability brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-27 21:33 ` brian m. carlson
2024-04-02 10:04 ` Patrick Steinhardt [this message]
2024-04-04 0:39 ` brian m. carlson
2024-04-04 4:07 ` Patrick Steinhardt
2024-03-28 10:20 ` Jeff King
2024-03-28 16:13 ` Junio C Hamano
2024-03-28 16:29 ` Jeff King
2024-03-28 17:25 ` Junio C Hamano
2024-03-28 21:18 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 06/13] docs: indicate new credential protocol fields brian m. carlson
2024-03-25 23:16 ` M Hickford
2024-03-25 23:37 ` brian m. carlson
2024-03-30 13:00 ` M Hickford
2024-03-31 21:43 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 07/13] http: add support for authtype and credential brian m. carlson
2024-03-24 1:12 ` [PATCH 08/13] credential: add an argument to keep state brian m. carlson
2024-04-01 21:05 ` mirth hickford
2024-04-01 22:14 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 09/13] credential: enable state capability brian m. carlson
2024-03-24 1:12 ` [PATCH 10/13] docs: set a limit on credential line length brian m. carlson
2024-03-24 1:12 ` [PATCH 11/13] t5563: refactor for multi-stage authentication brian m. carlson
2024-03-24 1:13 ` [PATCH 12/13] strvec: implement swapping two strvecs brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-27 21:22 ` Junio C Hamano
2024-03-27 21:34 ` brian m. carlson
2024-03-24 1:13 ` [PATCH 13/13] credential: add support for multistage credential rounds brian m. carlson
2024-03-28 8:00 ` M Hickford
2024-03-28 21:53 ` brian m. carlson
2024-04-01 20:51 ` M Hickford
2024-03-24 2:24 ` [PATCH 00/13] Support for arbitrary schemes in credentials Junio C Hamano
2024-03-24 15:21 ` brian m. carlson
2024-03-24 16:13 ` Junio C Hamano
2024-03-30 8:00 ` M Hickford
2024-03-30 8:16 ` M Hickford
2024-04-02 22:26 ` Calvin Wan
2024-04-04 1:01 ` brian m. carlson
2024-04-08 18:42 ` Jackson Toeniskoetter
2024-04-11 7:00 ` M Hickford
2024-04-12 0:09 ` brian m. carlson
2024-04-11 7:00 ` M Hickford
2024-04-12 0:13 ` brian m. carlson
2024-04-17 0:02 ` [PATCH v2 00/16] " brian m. carlson
2024-04-17 0:02 ` [PATCH v2 01/16] credential: add an authtype field brian m. carlson
2024-04-17 0:02 ` [PATCH v2 02/16] remote-curl: reset headers on new request brian m. carlson
2024-04-17 0:02 ` [PATCH v2 03/16] http: use new headers for each object request brian m. carlson
2024-04-17 0:02 ` [PATCH v2 04/16] credential: add a field for pre-encoded credentials brian m. carlson
2024-04-17 0:02 ` [PATCH v2 05/16] credential: gate new fields on capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 06/16] credential: add a field called "ephemeral" brian m. carlson
2024-04-17 0:02 ` [PATCH v2 07/16] docs: indicate new credential protocol fields brian m. carlson
2024-04-17 0:02 ` [PATCH v2 08/16] http: add support for authtype and credential brian m. carlson
2024-04-17 0:02 ` [PATCH v2 09/16] credential: add an argument to keep state brian m. carlson
2024-04-17 0:02 ` [PATCH v2 10/16] credential: enable state capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 11/16] docs: set a limit on credential line length brian m. carlson
2024-04-17 0:02 ` [PATCH v2 12/16] t5563: refactor for multi-stage authentication brian m. carlson
2024-04-17 0:02 ` [PATCH v2 13/16] credential: add support for multistage credential rounds brian m. carlson
2024-04-17 0:02 ` [PATCH v2 14/16] t: add credential tests for authtype brian m. carlson
2024-04-17 0:02 ` [PATCH v2 15/16] credential-cache: implement authtype capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 16/16] credential: add method for querying capabilities brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZgvYLxfNwBcOB_s1@tanuki \
--to=ps@pks.im \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mirth.hickford@gmail.com \
--cc=mjcheetham@outlook.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).