summaryrefslogtreecommitdiffstats
path: root/t/t0300-credentials.sh
diff options
context:
space:
mode:
Diffstat (limited to 't/t0300-credentials.sh')
-rwxr-xr-xt/t0300-credentials.sh833
1 files changed, 833 insertions, 0 deletions
diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
new file mode 100755
index 0000000..400f6bd
--- /dev/null
+++ b/t/t0300-credentials.sh
@@ -0,0 +1,833 @@
+#!/bin/sh
+
+test_description='basic credential helper tests'
+. ./test-lib.sh
+. "$TEST_DIRECTORY"/lib-credential.sh
+
+test_expect_success 'setup helper scripts' '
+ cat >dump <<-\EOF &&
+ whoami=$(echo $0 | sed s/.*git-credential-//)
+ echo >&2 "$whoami: $*"
+ OIFS=$IFS
+ IFS==
+ while read key value; do
+ echo >&2 "$whoami: $key=$value"
+ eval "$key=$value"
+ done
+ IFS=$OIFS
+ EOF
+
+ write_script git-credential-useless <<-\EOF &&
+ . ./dump
+ exit 0
+ EOF
+
+ write_script git-credential-quit <<-\EOF &&
+ . ./dump
+ echo quit=1
+ EOF
+
+ write_script git-credential-verbatim <<-\EOF &&
+ user=$1; shift
+ pass=$1; shift
+ . ./dump
+ test -z "$user" || echo username=$user
+ test -z "$pass" || echo password=$pass
+ EOF
+
+ write_script git-credential-verbatim-with-expiry <<-\EOF &&
+ user=$1; shift
+ pass=$1; shift
+ pexpiry=$1; shift
+ . ./dump
+ test -z "$user" || echo username=$user
+ test -z "$pass" || echo password=$pass
+ test -z "$pexpiry" || echo password_expiry_utc=$pexpiry
+ EOF
+
+ PATH="$PWD:$PATH"
+'
+
+test_expect_success 'credential_fill invokes helper' '
+ check fill "verbatim foo bar" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'credential_fill invokes multiple helpers' '
+ check fill useless "verbatim foo bar" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ --
+ useless: get
+ useless: protocol=http
+ useless: host=example.com
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'credential_fill stops when we get a full response' '
+ check fill "verbatim one two" "verbatim three four" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=one
+ password=two
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'credential_fill continues through partial response' '
+ check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=two
+ password=three
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=one
+ EOF
+'
+
+test_expect_success 'credential_fill populates password_expiry_utc' '
+ check fill "verbatim-with-expiry one two 9999999999" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=one
+ password=two
+ password_expiry_utc=9999999999
+ --
+ verbatim-with-expiry: get
+ verbatim-with-expiry: protocol=http
+ verbatim-with-expiry: host=example.com
+ EOF
+'
+
+test_expect_success 'credential_fill ignores expired password' '
+ check fill "verbatim-with-expiry one two 5" "verbatim three four" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=three
+ password=four
+ --
+ verbatim-with-expiry: get
+ verbatim-with-expiry: protocol=http
+ verbatim-with-expiry: host=example.com
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=one
+ EOF
+'
+
+test_expect_success 'credential_fill passes along metadata' '
+ check fill "verbatim one two" <<-\EOF
+ protocol=ftp
+ host=example.com
+ path=foo.git
+ --
+ protocol=ftp
+ host=example.com
+ path=foo.git
+ username=one
+ password=two
+ --
+ verbatim: get
+ verbatim: protocol=ftp
+ verbatim: host=example.com
+ verbatim: path=foo.git
+ EOF
+'
+
+test_expect_success 'credential_approve calls all helpers' '
+ check approve useless "verbatim one two" <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ --
+ --
+ useless: store
+ useless: protocol=http
+ useless: host=example.com
+ useless: username=foo
+ useless: password=bar
+ verbatim: store
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=foo
+ verbatim: password=bar
+ EOF
+'
+
+test_expect_success 'credential_approve stores password expiry' '
+ check approve useless <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ password_expiry_utc=9999999999
+ --
+ --
+ useless: store
+ useless: protocol=http
+ useless: host=example.com
+ useless: username=foo
+ useless: password=bar
+ useless: password_expiry_utc=9999999999
+ EOF
+'
+
+test_expect_success 'credential_approve stores oauth refresh token' '
+ check approve useless <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ oauth_refresh_token=xyzzy
+ --
+ --
+ useless: store
+ useless: protocol=http
+ useless: host=example.com
+ useless: username=foo
+ useless: password=bar
+ useless: oauth_refresh_token=xyzzy
+ EOF
+'
+
+test_expect_success 'do not bother storing password-less credential' '
+ check approve useless <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ --
+ --
+ EOF
+'
+
+test_expect_success 'credential_approve does not store expired password' '
+ check approve useless <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ password_expiry_utc=5
+ --
+ --
+ EOF
+'
+
+test_expect_success 'credential_reject calls all helpers' '
+ check reject useless "verbatim one two" <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ --
+ --
+ useless: erase
+ useless: protocol=http
+ useless: host=example.com
+ useless: username=foo
+ useless: password=bar
+ verbatim: erase
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=foo
+ verbatim: password=bar
+ EOF
+'
+
+test_expect_success 'credential_reject erases credential regardless of expiry' '
+ check reject useless <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ password_expiry_utc=5
+ --
+ --
+ useless: erase
+ useless: protocol=http
+ useless: host=example.com
+ useless: username=foo
+ useless: password=bar
+ useless: password_expiry_utc=5
+ EOF
+'
+
+test_expect_success 'usernames can be preserved' '
+ check fill "verbatim \"\" three" <<-\EOF
+ protocol=http
+ host=example.com
+ username=one
+ --
+ protocol=http
+ host=example.com
+ username=one
+ password=three
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=one
+ EOF
+'
+
+test_expect_success 'usernames can be overridden' '
+ check fill "verbatim two three" <<-\EOF
+ protocol=http
+ host=example.com
+ username=one
+ --
+ protocol=http
+ host=example.com
+ username=two
+ password=three
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ verbatim: username=one
+ EOF
+'
+
+test_expect_success 'do not bother completing already-full credential' '
+ check fill "verbatim three four" <<-\EOF
+ protocol=http
+ host=example.com
+ username=one
+ password=two
+ --
+ protocol=http
+ host=example.com
+ username=one
+ password=two
+ --
+ EOF
+'
+
+# We can't test the basic terminal password prompt here because
+# getpass() tries too hard to find the real terminal. But if our
+# askpass helper is run, we know the internal getpass is working.
+test_expect_success 'empty helper list falls back to internal getpass' '
+ check fill <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=askpass-username
+ password=askpass-password
+ --
+ askpass: Username for '\''http://example.com'\'':
+ askpass: Password for '\''http://askpass-username@example.com'\'':
+ EOF
+'
+
+test_expect_success 'internal getpass does not ask for known username' '
+ check fill <<-\EOF
+ protocol=http
+ host=example.com
+ username=foo
+ --
+ protocol=http
+ host=example.com
+ username=foo
+ password=askpass-password
+ --
+ askpass: Password for '\''http://foo@example.com'\'':
+ EOF
+'
+
+test_expect_success 'git-credential respects core.askPass' '
+ write_script alternate-askpass <<-\EOF &&
+ echo >&2 "alternate askpass invoked"
+ echo alternate-value
+ EOF
+ test_config core.askpass "$PWD/alternate-askpass" &&
+ (
+ # unset GIT_ASKPASS set by lib-credential.sh which would
+ # override our config, but do so in a subshell so that we do
+ # not interfere with other tests
+ sane_unset GIT_ASKPASS &&
+ check fill <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=alternate-value
+ password=alternate-value
+ --
+ alternate askpass invoked
+ alternate askpass invoked
+ EOF
+ )
+'
+
+HELPER="!f() {
+ cat >/dev/null
+ echo username=foo
+ echo password=bar
+ }; f"
+test_expect_success 'respect configured credentials' '
+ test_config credential.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'match configured credential' '
+ test_config credential.https://example.com.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ path=repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'do not match configured credential' '
+ test_config credential.https://foo.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=bar
+ --
+ protocol=https
+ host=bar
+ username=askpass-username
+ password=askpass-password
+ --
+ askpass: Username for '\''https://bar'\'':
+ askpass: Password for '\''https://askpass-username@bar'\'':
+ EOF
+'
+
+test_expect_success 'match multiple configured helpers' '
+ test_config credential.helper "verbatim \"\" \"\"" &&
+ test_config credential.https://example.com.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ path=repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'match multiple configured helpers with URLs' '
+ test_config credential.https://example.com/repo.git.helper "verbatim \"\" \"\"" &&
+ test_config credential.https://example.com.helper "$HELPER" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ path=repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'match percent-encoded values' '
+ test_config credential.https://example.com/%2566.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://example.com/%2566.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'match percent-encoded UTF-8 values in path' '
+ test_config credential.https://example.com.useHttpPath true &&
+ test_config credential.https://example.com/perĂº.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://example.com/per%C3%BA.git
+ --
+ protocol=https
+ host=example.com
+ path=perĂº.git
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'match percent-encoded values in username' '
+ test_config credential.https://user%2fname@example.com/foo/bar.git.helper "$HELPER" &&
+ check fill <<-\EOF
+ url=https://user%2fname@example.com/foo/bar.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ EOF
+'
+
+test_expect_success 'fetch with multiple path components' '
+ test_unconfig credential.helper &&
+ test_config credential.https://example.com/foo/repo.git.helper "verbatim foo bar" &&
+ check fill <<-\EOF
+ url=https://example.com/foo/repo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'pull username from config' '
+ test_config credential.https://example.com.username foo &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=askpass-password
+ --
+ askpass: Password for '\''https://foo@example.com'\'':
+ EOF
+'
+
+test_expect_success 'honors username from URL over helper (URL)' '
+ test_config credential.https://example.com.username bob &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ url=https://alice@example.com
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
+test_expect_success 'honors username from URL over helper (components)' '
+ test_config credential.https://example.com.username bob &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ protocol=https
+ host=example.com
+ username=alice
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
+test_expect_success 'last matching username wins' '
+ test_config credential.https://example.com/path.git.username bob &&
+ test_config credential.https://example.com.username alice &&
+ test_config credential.https://example.com.helper "verbatim \"\" bar" &&
+ check fill <<-\EOF
+ url=https://example.com/path.git
+ --
+ protocol=https
+ host=example.com
+ username=alice
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: username=alice
+ EOF
+'
+
+test_expect_success 'http paths can be part of context' '
+ check fill "verbatim foo bar" <<-\EOF &&
+ protocol=https
+ host=example.com
+ path=foo.git
+ --
+ protocol=https
+ host=example.com
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ EOF
+ test_config credential.https://example.com.useHttpPath true &&
+ check fill "verbatim foo bar" <<-\EOF
+ protocol=https
+ host=example.com
+ path=foo.git
+ --
+ protocol=https
+ host=example.com
+ path=foo.git
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.com
+ verbatim: path=foo.git
+ EOF
+'
+
+test_expect_success 'context uses urlmatch' '
+ test_config "credential.https://*.org.useHttpPath" true &&
+ check fill "verbatim foo bar" <<-\EOF
+ protocol=https
+ host=example.org
+ path=foo.git
+ --
+ protocol=https
+ host=example.org
+ path=foo.git
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=example.org
+ verbatim: path=foo.git
+ EOF
+'
+
+test_expect_success 'helpers can abort the process' '
+ test_must_fail git \
+ -c credential.helper=quit \
+ -c credential.helper="verbatim foo bar" \
+ credential fill >stdout 2>stderr <<-\EOF &&
+ protocol=http
+ host=example.com
+ EOF
+ test_must_be_empty stdout &&
+ cat >expect <<-\EOF &&
+ quit: get
+ quit: protocol=http
+ quit: host=example.com
+ fatal: credential helper '\''quit'\'' told us to quit
+ EOF
+ test_cmp expect stderr
+'
+
+test_expect_success 'empty helper spec resets helper list' '
+ test_config credential.helper "verbatim file file" &&
+ check fill "" "verbatim cmdline cmdline" <<-\EOF
+ protocol=http
+ host=example.com
+ --
+ protocol=http
+ host=example.com
+ username=cmdline
+ password=cmdline
+ --
+ verbatim: get
+ verbatim: protocol=http
+ verbatim: host=example.com
+ EOF
+'
+
+test_expect_success 'url parser rejects embedded newlines' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ url=https://one.example.com?%0ahost=two.example.com/
+ EOF
+ cat >expect <<-\EOF &&
+ warning: url contains a newline in its path component: https://one.example.com?%0ahost=two.example.com/
+ fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
+ EOF
+ test_cmp expect stderr
+'
+
+test_expect_success 'host-less URLs are parsed as empty host' '
+ check fill "verbatim foo bar" <<-\EOF
+ url=cert:///path/to/cert.pem
+ --
+ protocol=cert
+ host=
+ path=path/to/cert.pem
+ username=foo
+ password=bar
+ --
+ verbatim: get
+ verbatim: protocol=cert
+ verbatim: host=
+ verbatim: path=path/to/cert.pem
+ EOF
+'
+
+test_expect_success 'credential system refuses to work with missing host' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ protocol=http
+ EOF
+ cat >expect <<-\EOF &&
+ fatal: refusing to work with credential missing host field
+ EOF
+ test_cmp expect stderr
+'
+
+test_expect_success 'credential system refuses to work with missing protocol' '
+ test_must_fail git credential fill 2>stderr <<-\EOF &&
+ host=example.com
+ EOF
+ cat >expect <<-\EOF &&
+ fatal: refusing to work with credential missing protocol field
+ EOF
+ test_cmp expect stderr
+'
+
+# usage: check_host_and_path <url> <expected-host> <expected-path>
+check_host_and_path () {
+ # we always parse the path component, but we need this to make sure it
+ # is passed to the helper
+ test_config credential.useHTTPPath true &&
+ check fill "verbatim user pass" <<-EOF
+ url=$1
+ --
+ protocol=https
+ host=$2
+ path=$3
+ username=user
+ password=pass
+ --
+ verbatim: get
+ verbatim: protocol=https
+ verbatim: host=$2
+ verbatim: path=$3
+ EOF
+}
+
+test_expect_success 'url parser handles bare query marker' '
+ check_host_and_path https://example.com?foo.git example.com ?foo.git
+'
+
+test_expect_success 'url parser handles bare fragment marker' '
+ check_host_and_path https://example.com#foo.git example.com "#foo.git"
+'
+
+test_expect_success 'url parser not confused by encoded markers' '
+ check_host_and_path https://example.com%23%3f%2f/foo.git \
+ "example.com#?/" foo.git
+'
+
+test_expect_success 'credential config with partial URLs' '
+ echo "echo password=yep" | write_script git-credential-yep &&
+ test_write_lines url=https://user@example.com/repo.git >stdin &&
+ for partial in \
+ example.com \
+ user@example.com \
+ https:// \
+ https://example.com \
+ https://example.com/ \
+ https://user@example.com \
+ https://user@example.com/ \
+ https://example.com/repo.git \
+ https://user@example.com/repo.git \
+ /repo.git
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ grep yep stdout ||
+ return 1
+ done &&
+
+ for partial in \
+ dont.use.this \
+ http:// \
+ /repo
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ ! grep yep stdout ||
+ return 1
+ done &&
+
+ git -c credential.$partial.helper=yep \
+ -c credential.with%0anewline.username=uh-oh \
+ credential fill <stdin 2>stderr &&
+ test_grep "skipping credential lookup for key" stderr
+'
+
+test_done