ethomson
Member

Don't try to select the "best" scheme that the server offers us without taking into account the credentials that the user has selected. Otherwise, the "best" scheme may not support the given credentials.

E.g., many servers use both Negotiate and NTLM as a fallback. Negotiate only works with default credentials, while our NTLM implementation only works with username/password credentials. As a result, our caller has given us a particular kind of credentials and we must match those credentials to the schemes offered.

Instead of using the "best" overall scheme, use the "best" scheme (ordered first) that our credentials support.

Fixes #5178
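The selection rule described in this pull request, as an added example that is not libgit2's code or part of the original post: the "before" picker takes the first offered scheme in preference order, the "after" picker also requires that the scheme accept the caller's credential type. All identifiers, the preference table, the credential type assigned to Basic, and the sample challenges are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for this example; not libgit2's identifiers. */
enum { CRED_USERPASS = 1 << 0, CRED_DEFAULT = 1 << 1 };
struct scheme { const char *name; unsigned credtypes; };

/* Client preference order, most preferred first. The Negotiate and NTLM
 * entries follow the description above; the Basic entry is an assumption. */
static const struct scheme schemes[] = {
	{ "Negotiate", CRED_DEFAULT },
	{ "NTLM",      CRED_USERPASS },
	{ "Basic",     CRED_USERPASS },
};
#define NSCHEMES (sizeof(schemes) / sizeof(schemes[0]))

/* Is `name` among the challenge values ("NTLM", "Basic realm=...")? */
static int offered(const char *const *ch, size_t n, const char *name)
{
	size_t i, len = strlen(name);
	for (i = 0; i < n; i++)
		if (strncasecmp(ch[i], name, len) == 0 &&
		    (ch[i][len] == '\0' || ch[i][len] == ' '))
			return 1;
	return 0;
}

/* First offered scheme whose accepted credential types intersect `mask`. */
static const char *pick(const char *const *ch, size_t n, unsigned mask)
{
	size_t i;
	for (i = 0; i < NSCHEMES; i++)
		if ((schemes[i].credtypes & mask) && offered(ch, n, schemes[i].name))
			return schemes[i].name;
	return NULL; /* nothing usable: the caller has to report an auth error */
}

/* Before: "best" overall, ignoring what the caller can supply. */
const char *select_best_overall(const char *const *ch, size_t n) { return pick(ch, n, ~0u); }
/* After: best scheme that the given credential type supports. */
const char *select_for_credentials(const char *const *ch, size_t n, unsigned cred) { return pick(ch, n, cred); }

int main(void)
{
	const char *offer[] = { "Negotiate", "NTLM" }; /* constructed challenges */
	printf("before: %s\n", select_best_overall(offer, 2));
	printf("after:  %s\n", select_for_credentials(offer, 2, CRED_USERPASS));
	return 0;
}
```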

ethomson and others added 2 commits August 21, 2019 16:45
The dummy negotiation scheme is used for known authentication strategies
that do not wish to act.  For example, when a server requests the
"Negotiate" scheme but libgit2 is not built with Negotiate support, and
will use the "dummy" strategy which will simply not act.

Instead of setting `out` to NULL and returning a successful code, return
`GIT_PASSTHROUGH` to indicate that it did not act and catch that error
code.

When a server responds with multiple scheme support - for example,
Negotiate and NTLM are commonly used together - we need to ensure that
we choose a scheme that supports the credentials.
@ethomson
Member Author

Thanks @ianhattendorf for the patch, I made sure to list you as the author on the commit.

@ethomson
Member Author

Also, @ianhattendorf, can you double-check this? You mentioned in #5178 that you were seeing some test failures. If you're still seeing them with this branch, can you give me more details?

Member

@pks-t pks-t left a comment


Looks sensible to me, but I'm not too knowledgeable when it comes to cred schemes. So waiting for @ianhattendorf's feedback.

@ianhattendorf
Contributor

Thanks for looking into this. I'm getting sporadic failures on all 5 proxy tests. Sometimes tests 1 2 4 fail, other times 2 3 5, etc. Out of ~20 runs, all 5 passed successfully twice. @ethomson I'll see what I can do about getting you access to our test proxy server if that would help.

```
./libgit2_clar -vv -sonline::clone::proxy
ninja: no work to do.
Loaded 378 suites:
Started (test status codes: OK='.' FAILURE='F' SKIPPED='S')

online::cloneFFF..

  1) Failure:
online::clone::proxy_credentials_request [../tests/online/clone.c:785]
  Function call failed: (git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options))
  error -1 - too many redirects or authentication replays

  2) Failure:
online::clone::proxy_credentials_in_url [../tests/online/clone.c:806]
  Function call failed: (git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options))
  error -1 - proxy authentication required but no callback set

  3) Failure:
online::clone::proxy_credentials_in_environment [../tests/online/clone.c:833]
  Function call failed: (git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options))
  error -1 - proxy authentication required but no callback set
```

```
./libgit2_clar -vv -sonline::clone::proxy
ninja: no work to do.
Loaded 378 suites:
Started (test status codes: OK='.' FAILURE='F' SKIPPED='S')

online::clone.F.F.

  1) Failure:
online::clone::proxy_credentials_in_url [../tests/online/clone.c:807]
  Function call failed: (git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options))
  error -1 - proxy authentication required but no callback set

  2) Failure:
online::clone::proxy_auto_not_detected [../tests/online/clone.c:843]
  Function call failed: (git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options))
  error -1 - proxy authentication required but no callback set
```

@ethomson
Member Author

ethomson commented Sep 9, 2019

I'm going to go ahead and merge this since it's strictly an improvement. I'd be curious to follow up on your proxy problems, but at the moment, I can't recreate them.

Successfully merging this pull request may close these issues.

Assertion failure when remote proxy supports both SPNEGO/Negotiate and NTLM