Merge pull request #1452 from github/allow-skippable-auth

add object Authenticated property
git-lfs · Aug 16, 2016 · fb63bc4 · fb63bc4
2 parents 2ccfb7d + c24e0c5
commit fb63bc4
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 12 deletions.
diff --git a/api/object.go b/api/object.go
@@ -19,11 +19,12 @@ func (e *ObjectError) Error() string {
 }
 
 type ObjectResource struct {
-	Oid     string                   `json:"oid,omitempty"`
-	Size    int64                    `json:"size"`
-	Actions map[string]*LinkRelation `json:"actions,omitempty"`
-	Links   map[string]*LinkRelation `json:"_links,omitempty"`
-	Error   *ObjectError             `json:"error,omitempty"`
+	Oid           string                   `json:"oid,omitempty"`
+	Size          int64                    `json:"size"`
+	Authenticated bool                     `json:"authenticated,omitempty"`
+	Actions       map[string]*LinkRelation `json:"actions,omitempty"`
+	Links         map[string]*LinkRelation `json:"_links,omitempty"`
+	Error         *ObjectError             `json:"error,omitempty"`
 }
 
 // TODO LEGACY API: remove when legacy API removed
@@ -73,6 +74,10 @@ func (o *ObjectResource) IsExpired(now time.Time) bool {
 	return false
 }
 
+func (o *ObjectResource) NeedsAuth() bool {
+	return !o.Authenticated
+}
+
 type LinkRelation struct {
 	Href      string            `json:"href"`
 	Header    map[string]string `json:"header,omitempty"`

diff --git a/docs/api/v1.3/http-v1.3-batch-request-schema.json b/docs/api/v1.3/http-v1.3-batch-request-schema.json
@@ -22,7 +22,10 @@
           },
           "size": {
             "type": "number"
-          }
+          },
+          "authenticated": {
+            "type": "boolean"
+          },
         },
         "required": ["oid", "size"],
         "additionalProperties": false

diff --git a/docs/api/v1.3/http-v1.3-batch-response-schema.json b/docs/api/v1.3/http-v1.3-batch-response-schema.json
@@ -39,6 +39,9 @@
             "type": "number",
             "minimum": 0
           },
+          "authenticated": {
+            "type": "boolean"
+          },
           "actions": {
             "type": "object",
             "properties": {

diff --git a/test/cmd/lfstest-gitserver.go b/test/cmd/lfstest-gitserver.go
@@ -50,6 +50,7 @@ var (
 		"status-storage-403", "status-storage-404", "status-storage-410", "status-storage-422", "status-storage-500",
 		"status-legacy-404", "status-legacy-410", "status-legacy-422", "status-legacy-403", "status-legacy-500",
 		"status-batch-resume-206", "batch-resume-fail-fallback", "return-expired-action", "return-invalid-size",
+		"object-authenticated",
 	}
 )
 
@@ -126,10 +127,11 @@ func writeTestStateFile(contents []byte, envVar, defaultFilename string) string
 }
 
 type lfsObject struct {
-	Oid     string             `json:"oid,omitempty"`
-	Size    int64              `json:"size,omitempty"`
-	Actions map[string]lfsLink `json:"actions,omitempty"`
-	Err     *lfsError          `json:"error,omitempty"`
+	Oid           string             `json:"oid,omitempty"`
+	Size          int64              `json:"size,omitempty"`
+	Authenticated bool               `json:"authenticated,omitempty"`
+	Actions       map[string]lfsLink `json:"actions,omitempty"`
+	Err           *lfsError          `json:"error,omitempty"`
 }
 
 type lfsLink struct {
@@ -366,6 +368,10 @@ func lfsBatchHandler(w http.ResponseWriter, r *http.Request, id, repo string) {
 
 		handler := oidHandlers[obj.Oid]
 
+		if handler == "object-authenticated" {
+			o.Authenticated = true
+		}
+
 		switch handler {
 		case "status-batch-403":
 			o.Err = &lfsError{Code: 403, Message: "welp"}
@@ -484,6 +490,12 @@ func storageHandler(w http.ResponseWriter, r *http.Request) {
 		case "status-storage-500":
 			w.WriteHeader(500)
 			return
+		case "object-authenticated":
+			if len(r.Header.Get("Authorization")) > 0 {
+				w.WriteHeader(400)
+				w.Write([]byte("Should not send authentication"))
+			}
+			return
 		}
 
 		if testingChunkedTransferEncoding(r) {

diff --git a/test/test-object-authenticated.sh b/test/test-object-authenticated.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+. "test/testlib.sh"
+
+# these tests rely on GIT_TERMINAL_PROMPT to test properly
+ensure_git_version_isnt $VERSION_LOWER "2.3.0"
+
+# if there is a system cred helper we can't run this test
+# can't disable without changing state outside test & probably don't have permission
+# this is common on OS X with certain versions of Git installed, default cred helper
+if [[ -n "$(git config --system credential.helper)" ]]; then
+  echo "skip: $0 (system cred helper we can't disable)"
+  exit
+fi
+
+begin_test "download authenticated object"
+(
+  set -e
+  reponame="$(basename "$0" ".sh")"
+  setup_remote_repo "$reponame"
+  clone_repo "$reponame" without-creds
+
+  git lfs track "*.dat"
+  printf "object-authenticated" > hi.dat
+  git add hi.dat
+  git add .gitattributes
+  git commit -m "initial commit"
+
+  GIT_CURL_VERBOSE=1 GIT_TERMINAL_PROMPT=0 git lfs push origin master
+)
+end_test
diff --git a/transfer/basic_download.go b/transfer/basic_download.go
@@ -110,7 +110,7 @@ func (a *basicDownloadAdapter) download(t *Transfer, cb TransferProgressCallback
 		req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", fromByte, t.Object.Size-1))
 	}
 
-	res, err := httputil.DoHttpRequest(config.Config, req, true)
+	res, err := httputil.DoHttpRequest(config.Config, req, t.Object.NeedsAuth())
 	if err != nil {
 		// Special-case status code 416 () - fall back
 		if fromByte > 0 && dlFile != nil && res.StatusCode == 416 {

diff --git a/transfer/basic_upload.go b/transfer/basic_upload.go
@@ -97,7 +97,7 @@ func (a *basicUploadAdapter) DoTransfer(ctx interface{}, t *Transfer, cb Transfe
 
 	req.Body = ioutil.NopCloser(reader)
 
-	res, err := httputil.DoHttpRequest(config.Config, req, true)
+	res, err := httputil.DoHttpRequest(config.Config, req, t.Object.NeedsAuth())
 	if err != nil {
 		return errutil.NewRetriableError(err)
 	}