diff options
author | brian m. carlson <sandals@crustytoothpaste.net> | 2024-04-17 00:02:37 +0000 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2024-04-16 22:39:08 -0700 |
commit | ac4c7cbfaa1871e8865d5fa5b8142a70da37cce4 (patch) | |
tree | 8e5b267bc7d0199482a49a60dcf644dc804dea27 /Documentation/git-credential.txt | |
parent | 37417b771707786756e94a589441e6510e9f57e4 (diff) | |
download | git-ac4c7cbfaa1871e8865d5fa5b8142a70da37cce4.tar.gz |
credential: add support for multistage credential rounds
Over HTTP, NTLM and Kerberos require two rounds of authentication on the
client side. It's possible that there are custom authentication schemes
that also implement this same approach. Since these are tricky schemes
to implement and the HTTP library in use may not always handle them
gracefully on all systems, it would be helpful to allow the credential
helper to implement them instead for increased portability and
robustness.
To allow this to happen, add a boolean flag, continue, that indicates
that instead of failing when we get a 401, we should retry another round
of authentication. However, this necessitates some changes in our
current credential code so that we can make this work.
Keep the state[] headers between iterations, but only use them to send
to the helper and only consider the new ones we read from the credential
helper to be valid on subsequent iterations. That avoids us passing
stale data when we finally approve or reject the credential. Similarly,
clear the multistage and wwwauth[] values appropriately so that we
don't pass stale data or think we're trying a multiround response when
we're not. Remove the credential values so that we can actually fill a
second time with new responses.
Limit the number of iterations of reauthentication we do to 3. This
means that if there's a problem, we'll terminate with an error message
instead of retrying indefinitely and not informing the user (and
possibly conducting a DoS on the server).
In our tests, handle creating multiple response output files from our
helper so we can verify that each of the messages sent is correct.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/git-credential.txt')
-rw-r--r-- | Documentation/git-credential.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/Documentation/git-credential.txt b/Documentation/git-credential.txt index 4bbf2db9ca..3d3accc273 100644 --- a/Documentation/git-credential.txt +++ b/Documentation/git-credential.txt @@ -222,6 +222,19 @@ provided on input. This value should not be sent unless the appropriate capability (see below) is provided on input. +`continue`:: + This is a boolean value, which, if enabled, indicates that this + authentication is a non-final part of a multistage authentication step. This + is common in protocols such as NTLM and Kerberos, where two rounds of client + authentication are required, and setting this flag allows the credential + helper to implement the multistage authentication step. This flag should + only be sent if a further stage is required; that is, if another round of + authentication is expected. ++ +This value should not be sent unless the appropriate capability (see below) is +provided on input. This attribute is 'one-way' from a credential helper to +pass information to Git (or other programs invoking `git credential`). + `wwwauth[]`:: When an HTTP response is received by Git that includes one or more |