git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
* [PATCH 0/1] credential: do not mask the username
@ 2019-04-29 22:06 Johannes Schindelin via GitGitGadget
  2019-04-29 22:06 ` [PATCH 1/1] " Jarosław Honkis via GitGitGadget
  0 siblings, 1 reply; 8+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2019-04-29 22:06 UTC (permalink / raw)
  To: git; +Cc: Junio C Hamano

This is yet another patch that finally makes it from Git for Windows into
core Git.

Jarosław Honkis (1):
  credential: do not mask the username

 credential.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


base-commit: 8104ec994ea3849a968b4667d072fedd1e688642
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-138%2Fdscho%2Funmask-credentials-username-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-138/dscho/unmask-credentials-username-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/138
-- 
gitgitgadget

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/1] credential: do not mask the username
  2019-04-29 22:06 [PATCH 0/1] credential: do not mask the username Johannes Schindelin via GitGitGadget
@ 2019-04-29 22:06 ` Jarosław Honkis via GitGitGadget
  2019-04-29 22:12   ` Eric Sunshine
  2019-04-29 23:40   ` Jeff King
  0 siblings, 2 replies; 8+ messages in thread
From: Jarosław Honkis via GitGitGadget @ 2019-04-29 22:06 UTC (permalink / raw)
  To: git; +Cc: Junio C Hamano, Jarosław Honkis

From: =?UTF-8?q?Jaros=C5=82aw=20Honkis?= <yaras6@gmail.com>

When a user is asked for credentials there is no need to mask the
username, so the PROMPT_ASKPASS flag on calling credential_ask_one for
login is unnecessary.

The `credential_ask_one()` function internally uses `git_prompt()` which
in case it is given the flag PROMPT_ASKPASS uses masked input method
instead of git_terminal_prompt, which does not mask user input.

This fixes https://github.com/git-for-windows/git/issue/675

Signed-off-by: Jarosław Honkis <yaras6@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 credential.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/credential.c b/credential.c
index 62be651b03..e9108a9e8a 100644
--- a/credential.c
+++ b/credential.c
@@ -136,7 +136,9 @@ static void credential_getpass(struct credential *c)
 {
 	if (!c->username)
 		c->username = credential_ask_one("Username", c,
-						 PROMPT_ASKPASS|PROMPT_ECHO);
+						 (getenv("GIT_ASKPASS") ?
+						  PROMPT_ASKPASS : 0) |
+						 PROMPT_ECHO);
 	if (!c->password)
 		c->password = credential_ask_one("Password", c,
 						 PROMPT_ASKPASS);
-- 
gitgitgadget

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-29 22:06 ` [PATCH 1/1] " Jarosław Honkis via GitGitGadget
@ 2019-04-29 22:12   ` Eric Sunshine
  2019-04-29 23:06     ` Johannes Schindelin
  2019-04-29 23:40   ` Jeff King
  1 sibling, 1 reply; 8+ messages in thread
From: Eric Sunshine @ 2019-04-29 22:12 UTC (permalink / raw)
  To: Jarosław Honkis via GitGitGadget
  Cc: Git List, Junio C Hamano, Jarosław Honkis

On Mon, Apr 29, 2019 at 6:06 PM Jarosław Honkis via GitGitGadget
<gitgitgadget@gmail.com> wrote:
> When a user is asked for credentials there is no need to mask the
> username, so the PROMPT_ASKPASS flag on calling credential_ask_one for
> login is unnecessary.
>
> The `credential_ask_one()` function internally uses `git_prompt()` which
> in case it is given the flag PROMPT_ASKPASS uses masked input method
> instead of git_terminal_prompt, which does not mask user input.
>
> This fixes https://github.com/git-for-windows/git/issue/675

This link is dead. Is there a more modern URL to which this can point?

> Signed-off-by: Jarosław Honkis <yaras6@gmail.com>
> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-29 22:12   ` Eric Sunshine
@ 2019-04-29 23:06     ` Johannes Schindelin
  0 siblings, 0 replies; 8+ messages in thread
From: Johannes Schindelin @ 2019-04-29 23:06 UTC (permalink / raw)
  To: Eric Sunshine
  Cc: Jarosław Honkis via GitGitGadget, Git List, Junio C Hamano,
	Jarosław Honkis

[-- Attachment #1: Type: text/plain, Size: 1014 bytes --]

Hi Eric,


On Mon, 29 Apr 2019, Eric Sunshine wrote:

> On Mon, Apr 29, 2019 at 6:06 PM Jarosław Honkis via GitGitGadget
> <gitgitgadget@gmail.com> wrote:
> > When a user is asked for credentials there is no need to mask the
> > username, so the PROMPT_ASKPASS flag on calling credential_ask_one for
> > login is unnecessary.
> >
> > The `credential_ask_one()` function internally uses `git_prompt()` which
> > in case it is given the flag PROMPT_ASKPASS uses masked input method
> > instead of git_terminal_prompt, which does not mask user input.
> >
> > This fixes https://github.com/git-for-windows/git/issue/675
>
> This link is dead. Is there a more modern URL to which this can point?

Oops. I should have looked more carefully, right? It is missing an "s" at
the end of "issues":

	https://github.com/git-for-windows/git/issues/675

Thanks,
Dscho

> > Signed-off-by: Jarosław Honkis <yaras6@gmail.com>
> > Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
>
>

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-29 22:06 ` [PATCH 1/1] " Jarosław Honkis via GitGitGadget
  2019-04-29 22:12   ` Eric Sunshine
@ 2019-04-29 23:40   ` Jeff King
  2019-04-30 22:07     ` Johannes Schindelin
  1 sibling, 1 reply; 8+ messages in thread
From: Jeff King @ 2019-04-29 23:40 UTC (permalink / raw)
  To: Jarosław Honkis via GitGitGadget
  Cc: Johannes Schindelin, git, Junio C Hamano, Jarosław Honkis

On Mon, Apr 29, 2019 at 03:06:11PM -0700, Jarosław Honkis via GitGitGadget wrote:

> From: =?UTF-8?q?Jaros=C5=82aw=20Honkis?= <yaras6@gmail.com>
> 
> When a user is asked for credentials there is no need to mask the
> username, so the PROMPT_ASKPASS flag on calling credential_ask_one for
> login is unnecessary.
> 
> The `credential_ask_one()` function internally uses `git_prompt()` which
> in case it is given the flag PROMPT_ASKPASS uses masked input method
> instead of git_terminal_prompt, which does not mask user input.

This description (and the patch) doesn't make sense to me. The
PROMPT_ASKPASS flag is just about whether we would trigger the askpass
tool (e.g., if the user does not have a terminal).

The PROMPT_ECHO flag is what you want to tell the underlying code that
the value can be shown to the user. And that's already set.

Now there is a slight issue, which is that the askpass tool has no way
for us to tell it to show the contents to the user.  There's no way
around that without disabling askpass entirely, which I guess is the
strategy this patch is trying to do. But in doing so it's going to break
anybody who _doesn't_ have a terminal, because now we have no way to
prompt there for their username!

So I think our options are:

  1. Leave it. If people don't want askpass to prompt them, they should
     not set up askpass.

  2. Use another tool besides askpass. I don't know of any askpass
     implementations that take something like our ECHO flag, but there
     are lots of other tools. I doubt there's any easy portable
     solution, though. And anyway, credential helpers are a much more
     advanced version of this anyway, so I'd probably steer people in
     that direction.

  3. If we really want to try to try to avoid using askpass for
     usernames we can, but I don't think the logic in this patch is
     right.

     If we want to avoid regressing existing cases, then we'd have to
     first check if there's a usable terminal. And only if _that_ fails,
     try askpass. And then give up if neither work. I.e., invert the
     order in git_prompt() when both ASKPASS and ECHO are set.

     I think I'd still favor option 1 over this, though. Configuring
     askpass has always overridden the terminal for usernames, and this
     would change that. I come back to: if you don't want to use
     askpass, then why are you configuring it?

>  		c->username = credential_ask_one("Username", c,
> -						 PROMPT_ASKPASS|PROMPT_ECHO);
> +						 (getenv("GIT_ASKPASS") ?
> +						  PROMPT_ASKPASS : 0) |
> +						 PROMPT_ECHO);

This logic is weird. It still uses askpass if GIT_ASKPASS isn't set. But
_doesn't_ if it's set elsewhere, e.g. in core.askPass. Which makes
little sense to me.

Maybe the intent was that the original user has SSH_ASKPASS set, and
that is kicking in (which would also explain why "if you don't like it,
don't configure it" didn't work). You can get around that by setting
GIT_ASKPASS (or core.askPass) to the empty string (I don't think that's
documented anywhere, and I don't recall it being intentional, but it
does look like that's how the code works).

-Peff

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-29 23:40   ` Jeff King
@ 2019-04-30 22:07     ` Johannes Schindelin
  2019-04-30 22:21       ` Jeff King
  0 siblings, 1 reply; 8+ messages in thread
From: Johannes Schindelin @ 2019-04-30 22:07 UTC (permalink / raw)
  To: Jeff King
  Cc: Jarosław Honkis via GitGitGadget, git, Junio C Hamano,
	Jarosław Honkis

[-- Attachment #1: Type: text/plain, Size: 5212 bytes --]

Hi Peff,

On Mon, 29 Apr 2019, Jeff King wrote:

> On Mon, Apr 29, 2019 at 03:06:11PM -0700, Jarosław Honkis via GitGitGadget wrote:
>
> > From: =?UTF-8?q?Jaros=C5=82aw=20Honkis?= <yaras6@gmail.com>
> >
> > When a user is asked for credentials there is no need to mask the
> > username, so the PROMPT_ASKPASS flag on calling credential_ask_one for
> > login is unnecessary.
> >
> > The `credential_ask_one()` function internally uses `git_prompt()` which
> > in case it is given the flag PROMPT_ASKPASS uses masked input method
> > instead of git_terminal_prompt, which does not mask user input.
>
> This description (and the patch) doesn't make sense to me. The
> PROMPT_ASKPASS flag is just about whether we would trigger the askpass
> tool (e.g., if the user does not have a terminal).

Thanks for calling this out. It is a bit of a problem and you're right, I
should improve the commit message.

> The PROMPT_ECHO flag is what you want to tell the underlying code that
> the value can be shown to the user. And that's already set.
>
> Now there is a slight issue, which is that the askpass tool has no way
> for us to tell it to show the contents to the user.  There's no way
> around that without disabling askpass entirely, which I guess is the
> strategy this patch is trying to do.

Precisely.

> But in doing so it's going to break anybody who _doesn't_ have a
> terminal, because now we have no way to prompt there for their username!
>
> So I think our options are:
>
>   1. Leave it. If people don't want askpass to prompt them, they should
>      not set up askpass.
>
>   2. Use another tool besides askpass. I don't know of any askpass
>      implementations that take something like our ECHO flag, but there
>      are lots of other tools. I doubt there's any easy portable
>      solution, though. And anyway, credential helpers are a much more
>      advanced version of this anyway, so I'd probably steer people in
>      that direction.
>
>   3. If we really want to try to try to avoid using askpass for
>      usernames we can, but I don't think the logic in this patch is
>      right.
>
>      If we want to avoid regressing existing cases, then we'd have to
>      first check if there's a usable terminal. And only if _that_ fails,
>      try askpass. And then give up if neither work. I.e., invert the
>      order in git_prompt() when both ASKPASS and ECHO are set.
>
>      I think I'd still favor option 1 over this, though. Configuring
>      askpass has always overridden the terminal for usernames, and this
>      would change that. I come back to: if you don't want to use
>      askpass, then why are you configuring it?

How about inventing a new convention: we could set `GIT_ASKPASS_FLAGS`
as an environment variable that contains whitespace-delimited flags, in
the current instance just "echo"?

We could then teach `git-gui--askpass` to heed that.

Mind you, these days, this patch is a lot less necessary because Git for
Windows (which is *the* platform where you'd expect no terminal to be
available when fetching/pushing, right?) defaults to using the Git
Credential Manager [*1*].

> >  		c->username = credential_ask_one("Username", c,
> > -						 PROMPT_ASKPASS|PROMPT_ECHO);
> > +						 (getenv("GIT_ASKPASS") ?
> > +						  PROMPT_ASKPASS : 0) |
> > +						 PROMPT_ECHO);
>
> This logic is weird. It still uses askpass if GIT_ASKPASS isn't set. But
> _doesn't_ if it's set elsewhere, e.g. in core.askPass. Which makes
> little sense to me.

True. I guess this is my fault, as that patch is so old that core.askPass
might not have existed when it was written.

> Maybe the intent was that the original user has SSH_ASKPASS set, and
> that is kicking in (which would also explain why "if you don't like it,
> don't configure it" didn't work). You can get around that by setting
> GIT_ASKPASS (or core.askPass) to the empty string (I don't think that's
> documented anywhere, and I don't recall it being intentional, but it
> does look like that's how the code works).

I agree with your concerns.

What do you think about the `GIT_ASKPASS_FLAGS` thing? It is not perfect,
but it could be used at least in conjunction with `git-gui--askpass` (or
with other helpers that would make use of this side channel to receive
more information about the way they should present the question to the
user)?

Alternatively, I could simply drop that patch from Git for Windows, as it
really only concerns users who override the default, opting out of using
Git Credential Manager.

Ciao,
Dscho

Footnote *1*: The Git Credential Manager for Windows
(https://github.com/Microsoft/Git-Credential-Manager-for-Windows/) is a C#
project that requires .NET Framework, which older Windows versions might
not have, but I think most of Git for Windows' users do. In the interest
of keeping users' privacy intact, we have no way of knowing, of course.

The Git Credential Manager is preferable over the `git-gui--askpass`
method in more ways than just unmasking the username: it also supports
Two-Factor-Authorization, most notably with GitHub, Azure Repos and
BitBucket.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-30 22:07     ` Johannes Schindelin
@ 2019-04-30 22:21       ` Jeff King
  2019-05-03  9:09         ` Johannes Schindelin
  0 siblings, 1 reply; 8+ messages in thread
From: Jeff King @ 2019-04-30 22:21 UTC (permalink / raw)
  To: Johannes Schindelin
  Cc: Jarosław Honkis via GitGitGadget, git, Junio C Hamano,
	Jarosław Honkis

On Tue, Apr 30, 2019 at 06:07:15PM -0400, Johannes Schindelin wrote:

> >   2. Use another tool besides askpass. I don't know of any askpass
> >      implementations that take something like our ECHO flag, but there
> >      are lots of other tools. I doubt there's any easy portable
> >      solution, though. And anyway, credential helpers are a much more
> >      advanced version of this anyway, so I'd probably steer people in
> >      that direction.
> [...]
> 
> How about inventing a new convention: we could set `GIT_ASKPASS_FLAGS`
> as an environment variable that contains whitespace-delimited flags, in
> the current instance just "echo"?
> 
> We could then teach `git-gui--askpass` to heed that.

Yeah, I almost suggested something like that for my (2) above, but I
couldn't actually find an askpass implementation that supported this
(though there are lots of general dialog tools that do).

But today I learned about git-gui--askpass. :)

So yeah, I think that is a solution in the right direction, but it may
not be helping that many people if it is specific to git-gui--askpass.

> Mind you, these days, this patch is a lot less necessary because Git for
> Windows (which is *the* platform where you'd expect no terminal to be
> available when fetching/pushing, right?) defaults to using the Git
> Credential Manager [*1*].

The no-terminal thing isn't specific to Windows. You can imagine
somebody triggering "git fetch" from any GUI on Linux that no longer has
a controlling terminal (because the GUI was spawned by a desktop manager
or some such).

But I definitely agree that credential helpers are the right way to do
fancier prompting. AFAIK your GCM is the only one which actually does
prompting (most of the rest are just key-store interfaces), but it's
definitely inbounds and was part of the original intent. For usernames,
I personally just stick mine in credential.$URL.username config, since
they're obviously not a secret. But then my habits may not match most
users. :)

> What do you think about the `GIT_ASKPASS_FLAGS` thing? It is not perfect,
> but it could be used at least in conjunction with `git-gui--askpass` (or
> with other helpers that would make use of this side channel to receive
> more information about the way they should present the question to the
> user)?

It seems perfectly reasonable to me, but if it were me, I think this:

> Alternatively, I could simply drop that patch from Git for Windows, as it
> really only concerns users who override the default, opting out of using
> Git Credential Manager.

would be the path I would take.

-Peff

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/1] credential: do not mask the username
  2019-04-30 22:21       ` Jeff King
@ 2019-05-03  9:09         ` Johannes Schindelin
  0 siblings, 0 replies; 8+ messages in thread
From: Johannes Schindelin @ 2019-05-03  9:09 UTC (permalink / raw)
  To: Jeff King
  Cc: Jarosław Honkis via GitGitGadget, git, Junio C Hamano,
	Jarosław Honkis

Hi Peff,

On Tue, 30 Apr 2019, Jeff King wrote:

> On Tue, Apr 30, 2019 at 06:07:15PM -0400, Johannes Schindelin wrote:
>
> > Alternatively, I could simply drop that patch from Git for Windows, as
> > it really only concerns users who override the default, opting out of
> > using Git Credential Manager.
>
> would be the path I would take.

Okay, let's drop it, then.

Thanks,
Dscho

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2019-05-03  9:09 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-29 22:06 [PATCH 0/1] credential: do not mask the username Johannes Schindelin via GitGitGadget
2019-04-29 22:06 ` [PATCH 1/1] " Jarosław Honkis via GitGitGadget
2019-04-29 22:12   ` Eric Sunshine
2019-04-29 23:06     ` Johannes Schindelin
2019-04-29 23:40   ` Jeff King
2019-04-30 22:07     ` Johannes Schindelin
2019-04-30 22:21       ` Jeff King
2019-05-03  9:09         ` Johannes Schindelin

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).