From: Quentin Bouget <ypsah@devyard.org>
To: git@vger.kernel.org
Cc: Quentin Bouget <ypsah@devyard.org>
Subject: [PATCH 1/2] http: only reject basic auth credentials once they have been tried
Date: Sun, 4 Feb 2024 19:54:26 +0100 [thread overview]
Message-ID: <20240204185427.39664-2-ypsah@devyard.org> (raw)
In-Reply-To: <20240204185427.39664-1-ypsah@devyard.org>
When CURLAUTH_GSSNEGOTIATE is enabled, it is currently assumed that
the provided username/password relate to a GSSAPI auth attempt.
In practice, forges such as gitlab can be deployed with HTTP basic auth
and GSSAPI auth both listening on the same port, meaning just because
the server supports GSSAPI and failed an authentication attempt using
the provided credentials, it does not mean the credentials are not valid
HTTP basic auth credentials.
This is documented as a long running bug here [1] and breaks token-based
authentication when the token is provided in the remote's URL itself.
This commit makes it so credentials are only dropped once they have been
tried both as GSSAPI credentials and HTTP basic auth credentials.
[1] https://gitlab.com/gitlab-org/gitlab/-/blob/b0e0d25646d1992fefda863febdcba8d4c7a1bbf/doc/integration/kerberos.md#L250
Signed-off-by: Quentin Bouget <ypsah@devyard.org>
---
http.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/http.c b/http.c
index e73b136e58..ccea19ac47 100644
--- a/http.c
+++ b/http.c
@@ -1758,10 +1758,7 @@ static int handle_curl_result(struct slot_results *results)
} else if (missing_target(results))
return HTTP_MISSING_TARGET;
else if (results->http_code == 401) {
- if (http_auth.username && http_auth.password) {
- credential_reject(&http_auth);
- return HTTP_NOAUTH;
- } else {
+ if ((http_auth_methods & CURLAUTH_GSSNEGOTIATE) == CURLAUTH_GSSNEGOTIATE) {
http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
if (results->auth_avail) {
http_auth_methods &= results->auth_avail;
@@ -1769,6 +1766,9 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ if (http_auth.username && http_auth.password)
+ credential_reject(&http_auth);
+ return HTTP_NOAUTH;
} else {
if (results->http_connectcode == 407)
credential_reject(&proxy_auth);
--
2.43.0
next prev parent reply other threads:[~2024-02-04 19:10 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-04 18:54 [PATCH 0/2] Fix gitlab's token-based authentication w/ kerberos Quentin Bouget
2024-02-04 18:54 ` Quentin Bouget [this message]
2024-02-04 22:47 ` [PATCH 1/2] http: only reject basic auth credentials once they have been tried Junio C Hamano
2024-02-05 3:03 ` Quentin Bouget
2024-02-05 5:47 ` Patrick Steinhardt
2024-02-04 18:54 ` [PATCH 2/2] http: prevent redirect from dropping credentials during reauth Quentin Bouget
2024-02-04 22:36 ` brian m. carlson
2024-02-05 3:01 ` Quentin Bouget
2024-02-05 22:18 ` brian m. carlson
2024-02-05 22:52 ` rsbecker
2024-02-04 22:51 ` Junio C Hamano
2024-02-05 3:06 ` Quentin Bouget
2024-02-04 23:01 ` rsbecker
2024-02-05 3:12 ` Quentin Bouget
2024-02-05 9:22 ` Robert Coup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240204185427.39664-2-ypsah@devyard.org \
--to=ypsah@devyard.org \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.