summaryrefslogtreecommitdiff
path: root/t/t0300-credentials.sh
diff options
context:
space:
mode:
Diffstat (limited to 't/t0300-credentials.sh')
-rwxr-xr-xt/t0300-credentials.sh422
1 files changed, 416 insertions, 6 deletions
diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
index 82eaaea0f4..3485c0534e 100755
--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
@@ -22,6 +22,11 @@ test_expect_success 'setup helper scripts' '
exit 0
EOF
+ write_script git-credential-quit <<-\EOF &&
+ . ./dump
+ echo quit=1
+ EOF
+
write_script git-credential-verbatim <<-\EOF &&
user=$1; shift
pass=$1; shift
@@ -35,43 +40,71 @@ test_expect_success 'setup helper scripts' '
test_expect_success 'credential_fill invokes helper' '
check fill "verbatim foo bar" <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=foo
password=bar
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
EOF
'
test_expect_success 'credential_fill invokes multiple helpers' '
check fill useless "verbatim foo bar" <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=foo
password=bar
--
useless: get
+ useless: protocol=http
+ useless: host=example.com
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
EOF
'
test_expect_success 'credential_fill stops when we get a full response' '
check fill "verbatim one two" "verbatim three four" <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=one
password=two
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
EOF
'
test_expect_success 'credential_fill continues through partial response' '
check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=two
password=three
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: username=one
EOF
'
@@ -97,14 +130,20 @@ test_expect_success 'credential_fill passes along metadata' '
test_expect_success 'credential_approve calls all helpers' '
check approve useless "verbatim one two" <<-\EOF
+ protocol=http
+ host=example.com
username=foo
password=bar
--
--
useless: store
+ useless: protocol=http
+ useless: host=example.com
useless: username=foo
useless: password=bar
verbatim: store
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: username=foo
verbatim: password=bar
EOF
@@ -112,6 +151,8 @@ test_expect_success 'credential_approve calls all helpers' '
test_expect_success 'do not bother storing password-less credential' '
check approve useless <<-\EOF
+ protocol=http
+ host=example.com
username=foo
--
--
@@ -121,14 +162,20 @@ test_expect_success 'do not bother storing password-less credential' '
test_expect_success 'credential_reject calls all helpers' '
check reject useless "verbatim one two" <<-\EOF
+ protocol=http
+ host=example.com
username=foo
password=bar
--
--
useless: erase
+ useless: protocol=http
+ useless: host=example.com
useless: username=foo
useless: password=bar
verbatim: erase
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: username=foo
verbatim: password=bar
EOF
@@ -136,33 +183,49 @@ test_expect_success 'credential_reject calls all helpers' '
test_expect_success 'usernames can be preserved' '
check fill "verbatim \"\" three" <<-\EOF
+ protocol=http
+ host=example.com
username=one
--
+ protocol=http
+ host=example.com
username=one
password=three
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: username=one
EOF
'
test_expect_success 'usernames can be overridden' '
check fill "verbatim two three" <<-\EOF
+ protocol=http
+ host=example.com
username=one
--
+ protocol=http
+ host=example.com
username=two
password=three
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
verbatim: username=one
EOF
'
test_expect_success 'do not bother completing already-full credential' '
check fill "verbatim three four" <<-\EOF
+ protocol=http
+ host=example.com
username=one
password=two
--
+ protocol=http
+ host=example.com
username=one
password=two
--
@@ -174,24 +237,58 @@ test_expect_success 'do not bother completing already-full credential' '
# askpass helper is run, we know the internal getpass is working.
test_expect_success 'empty helper list falls back to internal getpass' '
check fill <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=askpass-username
password=askpass-password
--
- askpass: Username:
- askpass: Password:
+ askpass: Username for '\''http://example.com'\'':
+ askpass: Password for '\''http://askpass-username@example.com'\'':
EOF
'
test_expect_success 'internal getpass does not ask for known username' '
check fill <<-\EOF
+ protocol=http
+ host=example.com
username=foo
--
+ protocol=http
+ host=example.com
username=foo
password=askpass-password
--
- askpass: Password:
+ askpass: Password for '\''http://foo@example.com'\'':
+ EOF
+'
+
+test_expect_success 'git-credential respects core.askPass' '
+ write_script alternate-askpass <<-\EOF &&
+ echo >&2 "alternate askpass invoked"
+ echo alternate-value
EOF
+ test_config core.askpass "$PWD/alternate-askpass" &&
+ (
+ # unset GIT_ASKPASS set by lib-credential.sh which would
+ # override our config, but do so in a subshell so that we do
+ # not interfere with other tests
+ sane_unset GIT_ASKPASS &&
+ check fill <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=alternate-value
+ password=alternate-value
+ --
+ alternate askpass invoked
+ alternate askpass invoked
+ EOF
+ )
'
HELPER="!f() {
@@ -202,7 +299,11 @@ HELPER="!f() {
test_expect_success 'respect configured credentials' '
test_config credential.helper "$HELPER" &&
check fill <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=foo
password=bar
--
@@ -240,6 +341,102 @@ test_expect_success 'do not match configured credential' '
EOF
'
+test_expect_success 'match multiple configured helpers' '
+ test_config credential.helper "verbatim \"\" \"\"" &&
+ test_config credential.https://example.com.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ path=repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'match multiple configured helpers with URLs' '
+ test_config credential.https://example.com/repo.git.helper "verbatim \"\" \"\"" &&
+ test_config credential.https://example.com.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ path=repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'match percent-encoded values' '
+ test_config credential.https://example.com/%2566.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://example.com/%2566.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'match percent-encoded UTF-8 values in path' '
+ test_config credential.https://example.com.useHttpPath true &&
+ test_config credential.https://example.com/perĂº.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://example.com/per%C3%BA.git
+ --
+ protocol=https
+ host=example.com
+ path=perĂº.git
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'match percent-encoded values in username' '
+ test_config credential.https://user%2fname@example.com/foo/bar.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://user%2fname@example.com/foo/bar.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'fetch with multiple path components' '
+ test_unconfig credential.helper &&
+ test_config credential.https://example.com/foo/repo.git.helper "verbatim foo bar" &&
+ check fill <<-\EOF
+ url=https://example.com/foo/repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
test_expect_success 'pull username from config' '
test_config credential.https://example.com.username foo &&
check fill <<-\EOF
@@ -255,6 +452,63 @@ test_expect_success 'pull username from config' '
EOF
'
+test_expect_success 'honors username from URL over helper (URL)' '
+ test_config credential.https://example.com.username bob &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ url=https://alice@example.com
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
+test_expect_success 'honors username from URL over helper (components)' '
+ test_config credential.https://example.com.username bob &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ username=alice
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
+test_expect_success 'last matching username wins' '
+ test_config credential.https://example.com/path.git.username bob &&
+ test_config credential.https://example.com.username alice &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ url=https://example.com/path.git
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
test_expect_success 'http paths can be part of context' '
check fill "verbatim foo bar" <<-\EOF &&
protocol=https
@@ -289,23 +543,179 @@ test_expect_success 'http paths can be part of context' '
EOF
'
+test_expect_success 'context uses urlmatch' '
+ test_config "credential.https://*.org.useHttpPath" true &&
+ check fill "verbatim foo bar" <<-\EOF
+ protocol=https
+ host=example.org
+ path=foo.git
+ --
+ protocol=https
+ host=example.org
+ path=foo.git
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.org
+ verbatim: path=foo.git
+ EOF
+'
+
test_expect_success 'helpers can abort the process' '
test_must_fail git \
- -c credential.helper="!f() { echo quit=1; }; f" \
+ -c credential.helper=quit \
-c credential.helper="verbatim foo bar" \
- credential fill >stdout &&
- test_must_be_empty stdout
+ credential fill >stdout 2>stderr <<-\EOF &&
+ protocol=http
+ host=example.com
+ EOF
+ test_must_be_empty stdout &&
+ cat >expect <<-\EOF &&
+ quit: get
+ quit: protocol=http
+ quit: host=example.com
+ fatal: credential helper '\''quit'\'' told us to quit
+ EOF
+ test_cmp expect stderr
'
test_expect_success 'empty helper spec resets helper list' '
test_config credential.helper "verbatim file file" &&
check fill "" "verbatim cmdline cmdline" <<-\EOF
+ protocol=http
+ host=example.com
--
+ protocol=http
+ host=example.com
username=cmdline
password=cmdline
--
verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'url parser rejects embedded newlines' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ url=https://one.example.com?%0ahost=two.example.com/
+ EOF
+ cat >expect <<-\EOF &&
+ warning: url contains a newline in its path component: https://one.example.com?%0ahost=two.example.com/
+ fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
+ EOF
+ test_cmp expect stderr
+'
+
+test_expect_success 'host-less URLs are parsed as empty host' '
+ check fill "verbatim foo bar" <<-\EOF
+ url=cert:///path/to/cert.pem
+ --
+ protocol=cert
+ host=
+ path=path/to/cert.pem
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=cert
+ verbatim: host=
+ verbatim: path=path/to/cert.pem
EOF
'
+test_expect_success 'credential system refuses to work with missing host' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ protocol=http
+ EOF
+ cat >expect <<-\EOF &&
+ fatal: refusing to work with credential missing host field
+ EOF
+ test_cmp expect stderr
+'
+
+test_expect_success 'credential system refuses to work with missing protocol' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ host=example.com
+ EOF
+ cat >expect <<-\EOF &&
+ fatal: refusing to work with credential missing protocol field
+ EOF
+ test_cmp expect stderr
+'
+
+# usage: check_host_and_path <url> <expected-host> <expected-path>
+check_host_and_path () {
+ # we always parse the path component, but we need this to make sure it
+ # is passed to the helper
+ test_config credential.useHTTPPath true &&
+ check fill "verbatim user pass" <<-EOF
+ url=$1
+ --
+ protocol=https
+ host=$2
+ path=$3
+ username=user
+ password=pass
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=$2
+ verbatim: path=$3
+ EOF
+}
+
+test_expect_success 'url parser handles bare query marker' '
+ check_host_and_path https://example.com?foo.git example.com ?foo.git
+'
+
+test_expect_success 'url parser handles bare fragment marker' '
+ check_host_and_path https://example.com#foo.git example.com "#foo.git"
+'
+
+test_expect_success 'url parser not confused by encoded markers' '
+ check_host_and_path https://example.com%23%3f%2f/foo.git \
+ "example.com#?/" foo.git
+'
+
+test_expect_success 'credential config with partial URLs' '
+ echo "echo password=yep" | write_script git-credential-yep &&
+ test_write_lines url=https://user@example.com/repo.git >stdin &&
+ for partial in \
+ example.com \
+ user@example.com \
+ https:// \
+ https://example.com \
+ https://example.com/ \
+ https://user@example.com \
+ https://user@example.com/ \
+ https://example.com/repo.git \
+ https://user@example.com/repo.git \
+ /repo.git
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ grep yep stdout ||
+ return 1
+ done &&
+
+ for partial in \
+ dont.use.this \
+ http:// \
+ /repo
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ ! grep yep stdout ||
+ return 1
+ done &&
+
+ git -c credential.$partial.helper=yep \
+ -c credential.with%0anewline.username=uh-oh \
+ credential fill <stdin >stdout 2>stderr &&
+ test_i18ngrep "skipping credential lookup for key" stderr
+'
+
test_done