| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We did not properly support default credentials for proxies, only for
destination servers. Refactor the credential handling to support sending
either username/password _or_ default credentials to either the proxy or
the destination server.
This actually shares the authentication logic between proxy servers and
destination servers. Due to copy/pasta drift over time, they had
diverged. Now they share a common logic which is: first, use
credentials specified in the URL (if there were any), treating empty
username and password (ie, "http://:@foo.com/") as default credentials,
for compatibility with git. Next, call the credential callbacks.
Finally, fallback to WinHTTP compatibility layers using built-in
authentication like we always have.
Allowing default credentials for proxies requires moving the security
level downgrade into the credential setting routines themselves.
We will update our security level to "high" by default which means that
we will never send default credentials without prompting. (A lower
setting, like the WinHTTP default of "medium" would allow WinHTTP to
handle credentials for us, despite what a user may have requested with
their structures.) Now we start with "high" and downgrade to "low" only
after a user has explicitly requested default credentials.
|
| |
|
|
|
| |
There's no reason a git repository couldn't be at the root of a server,
and URLs should have an implicit path of '/' when one is not specified.
|
| |
|
|
|
|
|
|
| |
GitHub recently changed their behavior from returning 401s for private
or nonexistent repositories on a clone to returning 404s. For our tests
that require an auth failure (and 401), move to GitLab to request a
missing repository. This lets us continue to test our auth failure
case, at least until they decide to mimic that decision.
|
| |
|
|
|
|
| |
Since libssh2 doesn't read host configuration from the config file,
this callback can be used to hand over URL resolving to the client
without touching the SSH implementation itself.
|
| |
|
|
|
| |
Update internal usage of `git_transfer_progress` to
`git_indexer_progreses`.
|
| |
|
|
|
| |
Move to the `git_error` name in the internal API for error-related
functions.
|
| |
|
|
| |
Update internal usage to use the `git_reference` names for constants.
|
| |
|
|
| |
detected
|
| |
|
|
|
|
|
|
|
|
| |
For testing, we may wish to use a man-in-the-middle proxy that can
inspect the CONNECT traffic to our test endpoints. For this, we will
need to accept the proxy's certificate, which will not be valid for the
true endpoint.
Add a new environment variable, GITTEST_REMOTE_SSL_NOVERIFY to disable
https certificate validation for the tests.
|
| |
|
|
| |
Rename credential callback to proxy_cred_cb to match new cert callback.
|
| |
|
|
|
|
|
| |
Give the proxy tests a proxy certificate callback, and allow self-signed
certificates when the `GITTEST_REMOTE_PROXY_SELFSIGNED` environment
variable is set (to anything). In that case, simply compare the hostname
from the callback to the hostname that we connected to.
|
| |
|
|
|
|
|
| |
As we want to support HTTPS proxies, support an optional
`GITTEST_REMOTE_PROXY_SCHEME` environment variable for tests that will
allow for HTTPS support. (When unset, the tests default to HTTP
proxies.)
|
| |
|
|
|
|
|
| |
Change the `GITTEST_REMOTE_PROXY_URL` environment variable to be
`GITTEST_REMOTE_PROXY_HOST`, since it is a host:port combination, not an
actual URL. (We cannot use a URL here since we may want to include the
username:password combination in the constructed URL.)
|
| |
|
|
|
| |
Before resetting the url and username, ensure that we free them in case
they were set by environment variables.
|
| |
|
|
| |
Don't just free the spec vector, also free the specs themselves.
|
| |
|
|
|
| |
Don't just free the push status structure, actually free the strings that were
strdup'd into the struct as well.
|
| | |
|
| |\
| |
| | |
online::clone: validate user:pass in HTTP_PROXY
|
| | |
| |
| |
| |
| | |
Validate using the http://user:pass@host/ format in HTTP_PROXY and
HTTPS_PROXY environment variables.
|
| | |
| |
| |
| |
| | |
Update the settings to use a specific read-only token for accessing our
test repositories in Bitbucket.
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
At present, we have three online tests against bitbucket: one which
specifies the credentials in the payload, one which specifies the
correct credentials in the URL and a final one that specifies the
incorrect credentials in the URL. Bitbucket has begun responding to the
latter test with a 403, which causes us to fail.
Break these three tests into separate tests so that we can skip the
latter until this is resolved on Bitbucket's end or until we can change
the test to a different provider.
|
| | |
|
| |
|
|
|
|
|
|
| |
Right now, we test our credential callback code twice, once via SSH on
localhost and once via a non-existent GitHub repository. While the first
URL makes sense to be configurable, it does not make sense to hard-code
the non-existing repository, which requires us to call tests multiple
times. Instead, we can just inline the URL into another set of tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We support two types of passing credentials to the proxy, either via the
URL or explicitly by specifying user and password. We test these types
by modifying the proxy URL and executing the tests twice, which is
in fact unnecessary and requires us to maintain the list of environment
variables and test executions across multiple CI infrastructures.
To fix the situation, we can just always pass the host, port, user and
password to the tests. The tests can then assemble the complete URL
either with or without included credentials, allowing us to test both
cases in-process.
|
| |\ |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
The repository URL is duplicated several times and can be de-duplicated
like this. Furthermore, exchange the static refspec variable with a
define to reduce BSS size.
|
| | |
| |
| |
| |
| |
| |
| | |
There are only few actions which actually make sense for a detached
remote, like e.g. `git_remote_ls`, `git_remote_prune`. For all the other
actions, we have to report an error when the remote has no repository
attached to it. This commit does so and implements some tests.
|
| |/
|
|
|
|
|
|
|
|
| |
All our tests running against a local SSH server usually read the
server's URL from environment variables. But online::clone::ssh_cert
test fails to do so and instead always connects to
"ssh://localhost/foo". This assumption breaks whenever the SSH server is
not running on the standard port, e.g. when it is running as a user.
Fix the issue by using the URL provided by the environment.
|
| | |
|
| |
|
|
|
| |
None of our crypto backends actually reject RC4 as a cipher so don't
test for it and instead keep it as something we'd like to do.
|
| |
|
|
|
| |
We must make sure that we're getting a certificate error from the
library so we know that we're testing the right thing.
|
| |
|
|
|
|
| |
Make sure that the callbacks do also get a 'valid' value of zero when
the certificate we're looking at is in valid and assert that within the
test.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to git-fetch(1), "[t]he colon can be omitted when <dst>
is empty." So according to git, the refspec "refs/heads/master"
is the same as the refspec "refs/heads/master:" when fetching
changes. When trying to fetch from a remote with a trailing
colon with libgit2, though, the fetch actually fails while it
works when the trailing colon is left out. So obviously, libgit2
does _not_ treat these two refspec formats the same for fetches.
The problem results from parsing refspecs, where the resulting
refspec has its destination set to an empty string in the case of
a trailing colon and to a `NULL` pointer in the case of no
trailing colon. When passing this to our DWIM machinery, the
empty string gets translated to "refs/heads/", which is simply
wrong.
Fix the problem by having the parsing machinery treat both cases
the same for fetch refspecs.
|
| | |
|
| |
|
|
|
|
| |
We leave this up to the scheme in the url field. The type should only
tell us about whether we want a proxy and whether we want to auto-detect
it.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This ensures that when using OpenSSL a safe default set of ciphers
is selected. This is done so that the client communicates securely
and we don't accidentally enable unsafe ciphers like RC4, or even
worse some old export ciphers.
Implements the first part of https://github.com/libgit2/libgit2/issues/3682
|
| |
|
|
|
| |
If none of GIT_OPENSSL, GIT_WINHTTP or GIT_SECURE_TRANSPORT
is defined we should also be able to build the unit test.
|
| |\
| |
| | |
Include custom HTTP headers
|
| | |
| |
| |
| | |
Also, *some* custom headers actually are valid.
|
| | | |
|
| | |
| |
| |
| |
| | |
These provide bad X.509 certificates, which we should refuse to connect
to by default.
|
| | | |
|
| |/
|
|
|
|
| |
These are small pieces of data, so there is no advantage to allocating
them separately. Include the two ids inline in the struct we use to
check that the expected and actual ids match.
|
| |
|
|
|
|
| |
Introduce `git__getenv` which is a UTF-8 aware `getenv` everywhere.
Make `cl_getenv` use this to keep consistent memory handling around
return values (free everywhere, as opposed to only some platforms).
|
| | |
|
