Repo commands assume non-enterprise auth and fail trying to auth against github.com

[natdempk]

Describe the bug

I've configured enterprise GitHub auth, but when I run a command like gh repo clone "ndempkowski/python-stuff" which refers to an enterprise repository, it seems like the cli assumes that I want to resolve against github.com. This leads to an error instead of my repo being cloned.

Steps to reproduce the behavior

1. Authorize as an enterprise user with token auth (I think this also affects web-based login)
2. Try to clone an enterprise repo using the OWNER/REPO format
3. Get an error about authentication.

Example:

~/Repos [1] $ gh --version
gh version 1.0.0 (2020-09-16)
https://github.com/cli/cli/releases/tag/v1.0.0
~/Repos $ gh repo clone "ndempkowski/python-stuff"
non-200 OK status code: 401 Unauthorized body: "{\"message\":\"This endpoint requires you to be authenticated.\",\"documentation_url\":\"https://docs.github.com/v3/#authentication\"}"

Yet my auth status is shown as correctly configured:

~/Repos [1] $ gh auth status
git.hubteam.com
  ✓ Logged in to git.xxxxxxx.com as ndempkowski (~/.config/gh/hosts.yml)
  ✓ Git operations for git.xxxxxxx.com configured to use ssh protocol.

Expected vs actual behavior

I expect to be able to clone a repo using the OWNER/REPO format instead of seeing an error.

Logs

See above

[vilmibm]

that should work; sorry about that.

• It looks like it from the auth status output but I'm guessing git.hubteam.com is the only host you've told gh about?
• Is it possible that the repo you are trying to clone is in an organization with extra permissions required?
• What happens if you run gh repo clone with the full URL of the repository as an argument?

[mislav]

@natdempk For now, commands require you to explicitly set a hostname if it's not github.com:

gh repo clone example.com/owner/repo

If that proves to be tedious, you can set the GH_HOST environment variable with the name of your host:

# ~/.bash_profile
export GH_HOST=example.com

Be warned though, if you then want to clone owner/repo from github.com, you'll have to type gh repo clone github.com/owner/repo.

Is the current design and workaround acceptable for you, or did you expect the command to work differently? Sorry for the confusion.

[natdempk]

Ah cool, thanks for the context and workaround. To answer some of the above questions:

It looks like it from the auth status output but I'm guessing git.hubteam.com is the only host you've told gh about?

Correct.

Is it possible that the repo you are trying to clone is in an organization with extra permissions required?

No, it is just from my personal user.

What happens if you run gh repo clone with the full URL of the repository as an argument?

So, this actually seems like it may have uncovered another bug, though this might also be intended behavior. 😅 I noticed that it sort of works, but in this case I am asked for a username + password for the clone instead of using my configuration to clone via ssh if the clone is prepended with https://. You could argue this is intended because of the protocol, but it was unexpected to me when I configured ssh auth. eg:

~/Repos [1] $ gh repo clone https://git.hubteam.com/ndempkowski/python-stuff
Cloning into 'python-stuff'...
Username for 'https://git.hubteam.com': ndempkowski

But without the protocol works fine:

~/Repos [128] $ gh repo clone git.hubteam.com/ndempkowski/python-stuff
Cloning into 'python-stuff'...

Given that by default I'm going to copy-paste a URL with a protocol, it seems a bit counter-intuitive to have to strip it off. 🤷‍♂️

---

Is the current design and workaround acceptable for you, or did you expect the command to work differently? Sorry for the confusion.

Yeah as an enterprise user I would have expected this to work a bit differently. I think if a user has only configured one of the two authentication sources, that should be used as a default everywhere.

If both are configured maybe it is reasonable to default to GitHub.com, the last used one, or add a setting for a default auth preference.

[wimglenn]

Likely same bug as this - I configured token auth for github enterprise. gh issue list , gh repo view correctly use GHE.
gh gist list does not show my GHE gists, it shows some other public gists from github.com (and not even my own ones, which is strange? is it possible that my enterprise token might collide with someone elses token on github.com?)

Setting the GH_HOST var made gh gist list and gh gist create work as expected, i.e. listing my own gists from enterprise and creating gist on enterprise.

[mislav]

gh gist list does not show my GHE gists, it shows some other public gists from github.com (and not even my own ones, which is strange? is it possible that my enterprise token might collide with someone elses token on github.com?)

@wimglenn No, we never send a token for one host to another host. The thing is, gh probably doesn't have your authentication token for github.com, so it sent an anonymous API request to /gist, which (confusingly) returns a sample of public gists from random users.

This will be fixed after the switch to GraphQL #1712

[wimglenn]

Thanks for the explanation. I am reassured that my GHE token was not being sent to github.com.

[mislav]

I noticed that it sort of works, but in this case I am asked for a username + password for the clone instead of using my configuration to clone via ssh if the clone is prepended with https://. You could argue this is intended because of the protocol, but it was unexpected to me when I configured ssh auth.

@natdempk I see; really interesting point! When you paste a full URL to a repository, we assume that we should use the clone protocol from the URL, rather than respecting your default, but I can see how that was surprising to you. We will reconsider this default.

[darthwalsh]

Ideally, it would be great if I could set up different gh default hosts per directory prefix, like I can set up different git default user and email using includeIf:

In ~/.gitconfig, add:

[includeIf "gitdir:~/toplevelFolder1/"]
    path = ~/topLevelFolder1/.gitconfig_include

https://stackoverflow.com/a/48088291/771768

[mzzmjd]

I got a similar error when I started using the gh CLI to access a GitHub Enterprise Server (GHES). Turned out that the clone command was using a credential manager on my machine, but the credentials were out of date (and not using a token). Updated the credential manager with the token then the clones worked fine.

[vilmibm]

I like the idea of adding a per-directory "default hostname".

[jherland]

I still wonder - when I have a single GHE entry, and no github.com entry in my hosts.yml - why should gh gist (and other commands) still default to contacting gihub.com?

It seems having GH_HOST auto-detect/default when there is only one host configured should resolve this issue in most cases?

[mislav]

@jherland You are right. We are leaning to the solution you propose: to default to your non-github.com host if only one host was configured.

However, if you configure one Enterprise host, and then additionally authenticate to github.com as well, we will start defaulting to github.com again. This was our original reasoning to always default to github.com—to follow the principle of least surprise—but our users seem to predominately want to default to whichever one host they authenticated to.

[jherland]

Yes, I agree that if you have more than one host configured, then you cannot expect the Enterprise host to be used by default. I'd maybe argue that you should be prompted for which to use (or you should be able to explicitly choose a default), but this (to me) is much less important than using the configured host when there is only one.

[matschaffer-roblox]

I was hoping there might be a way to set a default in hosts.yml, but just confirming that export GH_HOST=example.com does the trick and with https://direnv.net/ it's easy enough to set that per-directory.

[matschaffer-roblox]

After doing the above for about a month, I still get the impression the public/enterprise combined workflow could be cleaner. So I opened #6688 as a feature proposal.