auth

AddCredentials function #

AddCredentials populates the request header with the user's credentials as specified by the GOAUTH environment variable. It returns whether any matching credentials were found. req must use HTTPS or this function will panic. res is used for the custom GOAUTH command's stdin.

func AddCredentials(client *http.Client, req *http.Request, res *http.Response, url string) bool

approveOrRejectCredential function #

approveOrRejectCredential approves or rejects the provided credential using 'git credential approve/reject'.

func approveOrRejectCredential(credentialOutput []byte, approve bool)

buildCommand function #

func buildCommand(command string) (*exec.Cmd, error)

isCTL function #

isCTL reports whether b is a control byte, according to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 CTL =

func isCTL(b byte) bool

isLWS function #

isLWS reports whether b is linear white space, according to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 LWS = [CRLF] 1*( SP | HT )

func isLWS(b byte) bool

loadCredential function #

loadCredential retrieves cached credentials for the given url and adds them to the request headers.

func loadCredential(req *http.Request, url string) bool

mapHeadersToPrefixes function #

mapHeadersToPrefixes returns a mapping of prefix → http.Header without the leading "https://".

func mapHeadersToPrefixes(prefixes []string, header http.Header) map[string]http.Header

netrcPath function #

func netrcPath() (string, error)

parseGitAuth function #

parseGitAuth parses the output of 'git credential fill', extracting the URL prefix, user, and password. Any of these values may be empty if parsing fails.

func parseGitAuth(data []byte) (parsedPrefix string, username string, password string)

parseNetrc function #

func parseNetrc(data string) []netrcLine

parseUserAuth function #

parseUserAuth parses the output from a GOAUTH command and returns a mapping of prefix → http.Header without the leading "https://" or an error if the data does not follow the expected format. Returns an nil error and an empty map if the data is empty. See the expected format in 'go help goauth'.

func parseUserAuth(data string) (map[string]http.Header, error)

runAuthCommand function #

runAuthCommand executes a user provided GOAUTH command, parses its output, and returns a mapping of prefix → http.Header. It uses the client to verify the credential and passes the status to the command's stdin. res is used for the GOAUTH command's stdin.

func runAuthCommand(command string, url string, res *http.Response) (map[string]http.Header, error)

runGitAuth function #

runGitAuth retrieves credentials for the given url using 'git credential fill', validates them with a HEAD request (using the provided client) and updates the credential helper's cache. It returns the matching credential prefix, the http.Header with the Basic Authentication header set, or an error. The caller must not mutate the header.

func runGitAuth(client *http.Client, dir string, url string) (string, http.Header, error)

runGoAuth function #

runGoAuth executes authentication commands specified by the GOAUTH environment variable handling 'off', 'netrc', and 'git' methods specially, and storing retrieved credentials for future access.

func runGoAuth(client *http.Client, res *http.Response, url string)

storeCredential function #

storeCredential caches or removes credentials (represented by HTTP headers) associated with given URL prefixes.

func storeCredential(prefix string, header http.Header)

updateGitCredentialHelper function #

updateGitCredentialHelper validates the given credentials by sending a HEAD request and updates the git credential helper's cache accordingly. It retries the request up to maxTries times.

func updateGitCredentialHelper(client *http.Client, req *http.Request, credentialOutput []byte)

validHeaderFieldName function #

validHeaderFieldName reports whether v is a valid HTTP/1.x header name. HTTP/2 imposes the additional restriction that uppercase ASCII letters are not allowed. RFC 7230 says: header-field = field-name ":" OWS field-value OWS field-name = token token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

func validHeaderFieldName(v string) bool

validHeaderFieldValue function #

validHeaderFieldValue reports whether v is a valid "field-value" according to http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 : message-header = field-name ":" [ field-value ] field-value = *( field-content | LWS ) field-content = http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 : TEXT = LWS = [CRLF] 1*( SP | HT ) CTL = RFC 7230 says: field-value = *( field-content / obs-fold ) obj-fold = N/A to http2, and deprecated field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] field-vchar = VCHAR / obs-text obs-text = %x80-FF VCHAR = "any visible [USASCII] character" http2 further says: "Similarly, HTTP/2 allows header field values that are not valid. While most of the values that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by an attacker if they are translated verbatim. Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the field-content ABNF rule in Section 3.2 of [RFC7230]." This function does not (yet?) properly handle the rejection of strings that begin or end with SP or HTAB.

func validHeaderFieldValue(v string) bool

writeResponseToStdin function #

writeResponseToStdin writes the HTTP response to the command's stdin.

func writeResponseToStdin(cmd *exec.Cmd, res *http.Response) error