New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove unnecessary 'git credential approve' calls #2690
Comments
I was able to replicate this with a bit of extra tracing. This patch was applied to the current diff --git a/lfsapi/creds.go b/lfsapi/creds.go
index 187043b1..c6839e83 100644
--- a/lfsapi/creds.go
+++ b/lfsapi/creds.go
@@ -307,6 +307,8 @@ func (c *credentialCacher) Reject(creds Creds) error {
}
func (c *credentialCacher) Approve(creds Creds) error {
+ tracerx.Printf("creds: git credential cache approve (%q, %q, %q)",
+ creds["protocol"], creds["host"], creds["path"])
err := c.helper.Approve(creds)
if err == nil {
c.cmu.Lock()
@@ -332,6 +334,8 @@ func (h *commandCredentialHelper) Reject(creds Creds) error {
}
func (h *commandCredentialHelper) Approve(creds Creds) error {
+ tracerx.Printf("creds: git credential helper approve (%q, %q, %q)",
+ creds["protocol"], creds["host"], creds["path"])
_, err := h.exec("approve", creds)
return err
} Git Credential BehaviorFirst, it seems that Git itself always calls $ GIT_TRACE=1 git clone https://my-git-server/technoweenie/lfs-pull-bug
12:22:49.972579 git.c:340 trace: built-in: git 'clone' 'https://my-git-server/technoweenie/lfs-pull-bug'
Cloning into 'lfs-pull-bug'...
12:22:49.982650 run-command.c:626 trace: run_command: 'git-remote-https' 'origin' 'https://my-git-server/technoweenie/lfs-pull-bug'
12:22:50.234679 run-command.c:626 trace: run_command: 'git credential-osxkeychain get'
12:22:50.241247 git.c:572 trace: exec: 'git-credential-osxkeychain' 'get'
12:22:50.241650 run-command.c:626 trace: run_command: 'git-credential-osxkeychain' 'get'
12:22:50.325235 run-command.c:626 trace: run_command: 'git credential-osxkeychain store'
12:22:50.331867 git.c:572 trace: exec: 'git-credential-osxkeychain' 'store'
12:22:50.332400 run-command.c:626 trace: run_command: 'git-credential-osxkeychain' 'store' For comparison, here's what the trace output looks like if the credential helper doesn't have creds for that host: 12:09:16.617330 run-command.c:626 trace: run_command: 'git credential-osxkeychain get'
12:09:16.622668 git.c:572 trace: exec: 'git-credential-osxkeychain' 'get'
12:09:16.623104 run-command.c:626 trace: run_command: 'git-credential-osxkeychain' 'get'
Username for 'https://my-git-server': technoweenie
Password for 'https://technoweenie@my-git-server':
12:09:36.632585 run-command.c:626 trace: run_command: 'git credential-osxkeychain store'
12:09:36.638982 git.c:572 trace: exec: 'git-credential-osxkeychain' 'store'
12:09:36.639469 run-command.c:626 trace: run_command: 'git-credential-osxkeychain' 'store' It appears Git always calls LFS BehaviorOn the first LFS Batch request, LFS attempts an unauthenticated request (for public repositories). If it gets a 401, it retries with creds. Note that this doesn't prompt me again since it's using the same creds properties as the 12:22:50.968958 trace git-lfs: HTTP: 401
12:22:50.969068 trace git-lfs: HTTP: {"message":"Must authenticate to access this API.","documentation_url":"https://help.github.com/enterprise"}
12:22:50.969179 trace git-lfs: setting repository access to basic
12:22:50.969191 trace git-lfs: exec: git 'config' '--replace-all' 'lfs.https://my-git-server/technoweenie/lfs-pull-bug.git/info/lfs.access' 'basic'
12:22:50.974888 trace git-lfs: api: http response indicates "basic" authentication. Resubmitting...
12:22:50.974947 trace git-lfs: creds: git credential fill ("https", "my-git-server", "technoweenie/lfs-pull-bug")
12:22:51.005809 trace git-lfs: Filled credentials for https://my-git-server/technoweenie/lfs-pull-bug
12:22:51.005899 trace git-lfs: HTTP: POST https://my-git-server/technoweenie/lfs-pull-bug.git/info/lfs/objects/batch
12:22:51.102669 trace git-lfs: HTTP: 200
12:22:51.102702 trace git-lfs: creds: git credential cache approve ("https", "my-git-server", "")
12:22:51.102709 trace git-lfs: creds: git credential helper approve ("https", "my-git-server", "") The next Batch request looks similar, but it doesn't bother with the unauthenticated request attempt. This matches Git's behavior above. I think the reason is the request was successful, but Git and LFS can't tell if the credential helper had to prompt the user (meaning an 12:22:52.404363 trace git-lfs: creds: git credential cache ("https", "my-git-server", "technoweenie/lfs-pull-bug")
12:22:52.404369 trace git-lfs: Filled credentials for https://my-git-server/technoweenie/lfs-pull-bug
12:22:52.404404 trace git-lfs: HTTP: POST https://my-git-server/technoweenie/lfs-pull-bug.git/info/lfs/objects/batch
12:22:52.404462 trace git-lfs: Read filter-process request.
12:22:52.528844 trace git-lfs: HTTP: 200
12:22:52.528878 trace git-lfs: creds: git credential cache approve ("https", "my-git-server", "")
12:22:52.528888 trace git-lfs: creds: git credential helper approve ("https", "my-git-server", "") GitHub's LFS implementation doesn't require the credential helper, since the LFS Batch API returns the necessary
TODO
|
/cc #2328 (comment)
The text was updated successfully, but these errors were encountered: