From db575d9d116b9b2bb106a1bc39775e6274f2c908 Mon Sep 17 00:00:00 2001
From: M Hickford
Date: Thu, 9 Jan 2025 20:54:29 +0000
Subject: [PATCH] credential-cache: respect authtype capability
Previously, credential-cache populated authtype regardless whether "get" request had authtype capability. As documented in git-credential.txt, authtype "should not be sent unless the appropriate capability ... is provided". Add test. Without this change, the test failed because "credential fill" printed an incomplete credential with only protocol and host attributes (the unexpected authtype attribute was discarded by credential.c).
Signed-off-by: M Hickford
---
 builtin/credential-cache--daemon.c | 4 ++--
 t/lib-credential.sh | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
index bc22f5c6d2413d..e707618e743942 100644
--- a/builtin/credential-cache--daemon.c
+++ b/builtin/credential-cache--daemon.c
@@ -142,9 +142,9 @@ static void serve_one_client(FILE *in, FILE *out)
 fprintf(out, "username=%s\n", e->item.username);
 if (e->item.password)
 fprintf(out, "password=%s\n", e->item.password);
- if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.authtype)
+ if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.authtype)
 fprintf(out, "authtype=%s\n", e->item.authtype);
- if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_HELPER) && e->item.credential)
+ if (credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE) && e->item.credential)
 fprintf(out, "credential=%s\n", e->item.credential);
 if (e->item.password_expiry_utc != TIME_MAX)
 fprintf(out, "password_expiry_utc=%"PRItime"\n",
diff --git a/t/lib-credential.sh b/t/lib-credential.sh
index 58b9c740605890..cc6bf9aa5f3717 100644
--- a/t/lib-credential.sh
+++ b/t/lib-credential.sh
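Review bot: The two rewritten conditions in serve_one_client give no hint why `CREDENTIAL_OP_RESPONSE` is the right op type here, and the commit message shows that the earlier `CREDENTIAL_OP_HELPER` value let `authtype` and `credential` (a secret) be written to requests that had not announced the capability. A comment above the first check would keep the choice from being reverted, for example `/* send authtype/credential only if the "get" request carried capability[]=authtype */`. Evaluating the check once into a local, `int send_authtype = credential_has_capability(&c.capa_authtype, CREDENTIAL_OP_RESPONSE);`, would also keep the two gates from drifting apart. The function starts and ends outside the hunk, so whether anything else written in this response (such as a capability line before these attributes) is gated the same way cannot be confirmed from here.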
@@ -566,6 +566,21 @@ helper_test_authtype() {
 EOF
 '
 
+ test_expect_success "helper ($HELPER) gets authtype and credential only if request has authtype capability" '
+ check fill $HELPER <<-\EOF
+ protocol=https
+ host=git.example.com
+ --
+ protocol=https
+ host=git.example.com
+ username=askpass-username
+ password=askpass-password
+ --
+ askpass: Username for '\''https://git.example.com'\'':
+ askpass: Password for '\''https://askpass-username@git.example.com'\'':
+ EOF
+ '
+
 test_expect_success "helper ($HELPER) stores authtype and credential with username" '
 check approve $HELPER <<-\EOF
 capability[]=authtype
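Review bot: The added test would pass vacuously if the helper holds nothing for https://git.example.com, because a helper with no entry also falls through to the askpass prompts and produces exactly this expected output. It presumably relies on an earlier test in helper_test_authtype having approved an authtype credential for that host, but that setup is outside the hunk and the test body does not mention it. A comment as the first line of the test body would record the dependency, for example `# relies on the authtype credential approved for git.example.com by the preceding tests`, so that reordering or removing the setup is noticed. helper_test_authtype starts and ends outside the hunk.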