[thirdparty/git.git] / builtin / credential-cache--daemon.c

#include "builtin.h"
#include "alloc.h"
#include "parse-options.h"

#ifndef NO_UNIX_SOCKETS

#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c)
{
	struct credential_cache_entry *e;

	e = lookup_credential(c);
	if (e)
		e->expiration = 0;
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
	int fd;

	fd = unix_stream_listen(socket_path, &opts);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}

#else

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	const char * const usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		"",
		"credential-cache--daemon is disabled in this build of Git",
		NULL
	};
	struct option options[] = { OPT_END() };

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	die(_("credential-cache--daemon unavailable; no unix socket support"));
}

#endif /* NO_UNIX_SOCKET */
Commit	Line	Data
b5dd96b7	1	#include "builtin.h"
36bf1958	2	#include "alloc.h"
b5dd96b7 JK	3	#include "parse-options.h"
	4
	5	#ifndef NO_UNIX_SOCKETS
	6
b2141fc1	7	#include "config.h"
9e903316	8	#include "tempfile.h"
e2770979 JK	9	#include "credential.h"
e2770979 JK	10	#include "unix-socket.h"
e2770979	11
e2770979 JK	12	struct credential_cache_entry {
e2770979 JK	13	struct credential item;
dddbad72	14	timestamp_t expiration;
e2770979 JK	15	};
	16	static struct credential_cache_entry *entries;
	17	static int entries_nr;
	18	static int entries_alloc;
	19
	20	static void cache_credential(struct credential *c, int timeout)
	21	{
	22	struct credential_cache_entry *e;
	23
	24	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	25	e = &entries[entries_nr++];
	26
	27	/* take ownership of pointers */
	28	memcpy(&e->item, c, sizeof(*c));
	29	memset(c, 0, sizeof(*c));
	30	e->expiration = time(NULL) + timeout;
	31	}
	32
	33	static struct credential_cache_entry lookup_credential(const struct credential c)
	34	{
	35	int i;
	36	for (i = 0; i < entries_nr; i++) {
	37	struct credential *e = &entries[i].item;
	38	if (credential_match(c, e))
	39	return &entries[i];
	40	}
	41	return NULL;
	42	}
	43
	44	static void remove_credential(const struct credential *c)
	45	{
	46	struct credential_cache_entry *e;
	47
	48	e = lookup_credential(c);
	49	if (e)
	50	e->expiration = 0;
	51	}
	52
dddbad72	53	static timestamp_t check_expirations(void)
e2770979	54	{
dddbad72	55	static timestamp_t wait_for_entry_until;
e2770979	56	int i = 0;
dddbad72 JS	57	timestamp_t now = time(NULL);
dddbad72 JS	58	timestamp_t next = TIME_MAX;
e2770979 JK	59
	60	/*
	61	* Initially give the client 30 seconds to actually contact us
	62	* and store a credential before we decide there's no point in
	63	* keeping the daemon around.
	64	*/
	65	if (!wait_for_entry_until)
	66	wait_for_entry_until = now + 30;
	67
	68	while (i < entries_nr) {
	69	if (entries[i].expiration <= now) {
	70	entries_nr--;
	71	credential_clear(&entries[i].item);
	72	if (i != entries_nr)
	73	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	74	/*
	75	* Stick around 30 seconds in case a new credential
	76	* shows up (e.g., because we just removed a failed
	77	* one, and we will soon get the correct one).
	78	*/
	79	wait_for_entry_until = now + 30;
	80	}
	81	else {
	82	if (entries[i].expiration < next)
	83	next = entries[i].expiration;
	84	i++;
	85	}
	86	}
	87
	88	if (!entries_nr) {
	89	if (wait_for_entry_until <= now)
	90	return 0;
	91	next = wait_for_entry_until;
	92	}
	93
	94	return next - now;
	95	}
	96
	97	static int read_request(FILE fh, struct credential c,
3b335762 NTND	98	struct strbuf action, int timeout)
3b335762 NTND	99	{
e2770979 JK	100	static struct strbuf item = STRBUF_INIT;
	101	const char *p;
	102
8f309aeb	103	strbuf_getline_lf(&item, fh);
cf4fff57	104	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	105	return error("client sent bogus action line: %s", item.buf);
	106	strbuf_addstr(action, p);
	107
8f309aeb	108	strbuf_getline_lf(&item, fh);
cf4fff57	109	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	110	return error("client sent bogus timeout line: %s", item.buf);
	111	*timeout = atoi(p);
	112
	113	if (credential_read(c, fh) < 0)
	114	return -1;
	115	return 0;
	116	}
	117
	118	static void serve_one_client(FILE in, FILE out)
	119	{
	120	struct credential c = CREDENTIAL_INIT;
	121	struct strbuf action = STRBUF_INIT;
	122	int timeout = -1;
	123
	124	if (read_request(in, &c, &action, &timeout) < 0)
	125	/* ignore error */ ;
	126	else if (!strcmp(action.buf, "get")) {
	127	struct credential_cache_entry *e = lookup_credential(&c);
	128	if (e) {
	129	fprintf(out, "username=%s\n", e->item.username);
	130	fprintf(out, "password=%s\n", e->item.password);
	131	}
	132	}
7d5e9c98 JK	133	else if (!strcmp(action.buf, "exit")) {
	134	/*
	135	* It's important that we clean up our socket first, and then
	136	* signal the client only once we have finished the cleanup.
	137	* Calling exit() directly does this, because we clean up in
	138	* our atexit() handler, and then signal the client when our
	139	* process actually ends, which closes the socket and gives
	140	* them EOF.
	141	*/
e2770979	142	exit(0);
7d5e9c98	143	}
e2770979 JK	144	else if (!strcmp(action.buf, "erase"))
	145	remove_credential(&c);
	146	else if (!strcmp(action.buf, "store")) {
	147	if (timeout < 0)
	148	warning("cache client didn't specify a timeout");
	149	else if (!c.username \|\| !c.password)
	150	warning("cache client gave us a partial credential");
	151	else {
	152	remove_credential(&c);
	153	cache_credential(&c, timeout);
	154	}
	155	}
	156	else
	157	warning("cache client sent unknown action: %s", action.buf);
	158
	159	credential_clear(&c);
	160	strbuf_release(&action);
	161	}
	162
	163	static int serve_cache_loop(int fd)
	164	{
	165	struct pollfd pfd;
dddbad72	166	timestamp_t wakeup;
e2770979 JK	167
	168	wakeup = check_expirations();
	169	if (!wakeup)
	170	return 0;
	171
	172	pfd.fd = fd;
	173	pfd.events = POLLIN;
	174	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	175	if (errno != EINTR)
	176	die_errno("poll failed");
	177	return 1;
	178	}
	179
	180	if (pfd.revents & POLLIN) {
	181	int client, client2;
	182	FILE in, out;
	183
	184	client = accept(fd, NULL, NULL);
	185	if (client < 0) {
26604f9f	186	warning_errno("accept failed");
e2770979 JK	187	return 1;
	188	}
	189	client2 = dup(client);
	190	if (client2 < 0) {
26604f9f	191	warning_errno("dup failed");
e2770979 JK	192	close(client);
	193	return 1;
	194	}
	195
	196	in = xfdopen(client, "r");
	197	out = xfdopen(client2, "w");
	198	serve_one_client(in, out);
	199	fclose(in);
	200	fclose(out);
	201	}
	202	return 1;
	203	}
	204
f5e3c0b9	205	static void serve_cache(const char *socket_path, int debug)
e2770979	206	{
55144ccb	207	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
e2770979 JK	208	int fd;
e2770979 JK	209
55144ccb	210	fd = unix_stream_listen(socket_path, &opts);
e2770979 JK	211	if (fd < 0)
	212	die_errno("unable to bind to '%s'", socket_path);
	213
	214	printf("ok\n");
	215	fclose(stdout);
f5e3c0b9 JK	216	if (!debug) {
	217	if (!freopen("/dev/null", "w", stderr))
	218	die_errno("unable to point stderr to /dev/null");
	219	}
e2770979 JK	220
	221	while (serve_cache_loop(fd))
	222	; /* nothing */
	223
	224	close(fd);
e2770979 JK	225	}
e2770979 JK	226
af64f20b	227	static const char permissions_advice[] = N_(
e2770979 JK	228	"The permissions on your socket directory are too loose; other\n"
	229	"users may be able to read your cached credentials. Consider running:\n"
	230	"\n"
af64f20b	231	" chmod 0700 %s");
a6e5e286	232	static void init_socket_directory(const char *path)
e2770979 JK	233	{
	234	struct stat st;
	235	char *path_copy = xstrdup(path);
	236	char *dir = dirname(path_copy);
	237
	238	if (!stat(dir, &st)) {
	239	if (st.st_mode & 077)
af64f20b	240	die(_(permissions_advice), dir);
a6e5e286 JG	241	} else {
	242	/*
	243	* We must be sure to create the directory with the correct mode,
	244	* not just chmod it after the fact; otherwise, there is a race
	245	* condition in which somebody can chdir to it, sleep, then try to open
	246	* our protected socket.
	247	*/
	248	if (safe_create_leading_directories_const(dir) < 0)
	249	die_errno("unable to create directories for '%s'", dir);
	250	if (mkdir(dir, 0700) < 0)
	251	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	252	}
e2770979 JK	253
6e614490 JG	254	if (chdir(dir))
	255	/*
	256	* We don't actually care what our cwd is; we chdir here just to
	257	* be a friendly daemon and avoid tying up our original cwd.
	258	* If this fails, it's OK to just continue without that benefit.
	259	*/
	260	;
	261
e2770979 JK	262	free(path_copy);
	263	}
	264
b5dd96b7	265	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
e2770979	266	{
076aa2cb	267	struct tempfile *socket_file;
9e903316	268	const char *socket_path;
7f4d4746	269	int ignore_sighup = 0;
f5e3c0b9	270	static const char *usage[] = {
3e4ebe3a	271	"git credential-cache--daemon [--debug] <socket-path>",
f5e3c0b9 JK	272	NULL
	273	};
	274	int debug = 0;
	275	const struct option options[] = {
	276	OPT_BOOL(0, "debug", &debug,
	277	N_("print debugging messages to stderr")),
	278	OPT_END()
	279	};
	280
7f4d4746 NP	281	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	282
b5dd96b7	283	argc = parse_options(argc, argv, prefix, options, usage, 0);
f5e3c0b9	284	socket_path = argv[0];
e2770979 JK	285
e2770979 JK	286	if (!socket_path)
f5e3c0b9	287	usage_with_options(usage, options);
e2770979	288
bd93b8d9 JG	289	if (!is_absolute_path(socket_path))
	290	die("socket directory must be an absolute path");
	291
a6e5e286	292	init_socket_directory(socket_path);
076aa2cb	293	socket_file = register_tempfile(socket_path);
7f4d4746 NP	294
	295	if (ignore_sighup)
	296	signal(SIGHUP, SIG_IGN);
	297
f5e3c0b9	298	serve_cache(socket_path, debug);
9e903316	299	delete_tempfile(&socket_file);
18a3de42	300
e2770979 JK	301	return 0;
e2770979 JK	302	}
b5dd96b7 JK	303
	304	#else
	305
	306	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
	307	{
	308	const char * const usage[] = {
3e4ebe3a	309	"git credential-cache--daemon [--debug] <socket-path>",
b5dd96b7 JK	310	"",
	311	"credential-cache--daemon is disabled in this build of Git",
	312	NULL
	313	};
	314	struct option options[] = { OPT_END() };
	315
	316	argc = parse_options(argc, argv, prefix, options, usage, 0);
	317	die(_("credential-cache--daemon unavailable; no unix socket support"));
	318	}
	319
	320	#endif /* NO_UNIX_SOCKET */