-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve git http authentication via repository configuration #5581
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abn
force-pushed
the
fix-git-auth
branch
2 times, most recently
from
May 9, 2022 20:30
d0433e2
to
c9debec
Compare
abn
changed the title
replace Factory.create_config() w/ Config.create()
improve git http authentication via repository configuration
May 9, 2022
neersighted
requested changes
May 10, 2022
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only had time to glance at one thing for now.
Closed
abn
force-pushed
the
fix-git-auth
branch
2 times, most recently
from
May 10, 2022 17:34
110458a
to
78c597d
Compare
Prior to this change when `Config` was initialised for non-command use, user `config.toml` and `auth.toml` files were not loaded. This caused unintended side effects when configuration look up were performed from the `Authenticator` and other parts of the code.
Since git repository authentication is a special case of repository configuration, the existing assumptions around path matching do not apply. In order to prevent unexpected behaviour due to similar path matching, git authentication will use exact url matching.
This change ensures that http-basic auth credentials are only passed to dulwich when the remote url uses http/https schemes. In addition to the above, it is now ensured that username/password parameters are not passed through to dulwich unless both username and password are configured explicitly. This is to ensure that dulwich does not bail out if it detects a username in the url (eg: `ssh://git@github.com`).
neersighted
reviewed
May 10, 2022
neersighted
approved these changes
May 10, 2022
2 tasks
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
replace Factory.create_config() w/ Config.create()
Prior to this change when
Config
was initialised for non-command use, userconfig.toml
andauth.toml
files were not loaded. This caused unintended side effects when configuration look up were performed from theAuthenticator
and other parts of the code.ensure git repository authn uses exact urls
Since git repository authentication is a special case of repository configuration, the existing assumptions around path matching do not apply. In order to prevent unexpected behaviour due to similar path matching, git authentication will use exact url matching.
git: ignore http auth for ssh url
This change ensures that http-basic auth credentials are only passed to dulwich when the remote url uses http/https schemes.
In addition to the above, it is now ensured that username/password parameters are not passed through to dulwich unless both username and password are configured explicitly. This is to ensure that dulwich does not bail out if it detects a username in the url (eg:
ssh://git@github.com
).Relates-to: #5567 (this feature relies on config being available)