[thirdparty/git.git] / builtin / credential-cache--daemon.c

#include "builtin.h"
#include "alloc.h"
#include "gettext.h"
#include "parse-options.h"

#ifndef NO_UNIX_SOCKETS

#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c)
{
	struct credential_cache_entry *e;

	e = lookup_credential(c);
	if (e)
		e->expiration = 0;
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
			if (e->item.password_expiry_utc != TIME_MAX)
				fprintf(out, "password_expiry_utc=%"PRItime"\n",
					e->item.password_expiry_utc);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
	int fd;

	fd = unix_stream_listen(socket_path, &opts);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}

#else

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	const char * const usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		"",
		"credential-cache--daemon is disabled in this build of Git",
		NULL
	};
	struct option options[] = { OPT_END() };

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	die(_("credential-cache--daemon unavailable; no unix socket support"));
}

#endif /* NO_UNIX_SOCKET */
Commit	Line	Data
b5dd96b7	1	#include "builtin.h"
36bf1958	2	#include "alloc.h"
f394e093	3	#include "gettext.h"
b5dd96b7 JK	4	#include "parse-options.h"
	5
	6	#ifndef NO_UNIX_SOCKETS
	7
b2141fc1	8	#include "config.h"
9e903316	9	#include "tempfile.h"
e2770979 JK	10	#include "credential.h"
e2770979 JK	11	#include "unix-socket.h"
e2770979	12
e2770979 JK	13	struct credential_cache_entry {
e2770979 JK	14	struct credential item;
dddbad72	15	timestamp_t expiration;
e2770979 JK	16	};
	17	static struct credential_cache_entry *entries;
	18	static int entries_nr;
	19	static int entries_alloc;
	20
	21	static void cache_credential(struct credential *c, int timeout)
	22	{
	23	struct credential_cache_entry *e;
	24
	25	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	26	e = &entries[entries_nr++];
	27
	28	/* take ownership of pointers */
	29	memcpy(&e->item, c, sizeof(*c));
	30	memset(c, 0, sizeof(*c));
	31	e->expiration = time(NULL) + timeout;
	32	}
	33
	34	static struct credential_cache_entry lookup_credential(const struct credential c)
	35	{
	36	int i;
	37	for (i = 0; i < entries_nr; i++) {
	38	struct credential *e = &entries[i].item;
	39	if (credential_match(c, e))
	40	return &entries[i];
	41	}
	42	return NULL;
	43	}
	44
	45	static void remove_credential(const struct credential *c)
	46	{
	47	struct credential_cache_entry *e;
	48
	49	e = lookup_credential(c);
	50	if (e)
	51	e->expiration = 0;
	52	}
	53
dddbad72	54	static timestamp_t check_expirations(void)
e2770979	55	{
dddbad72	56	static timestamp_t wait_for_entry_until;
e2770979	57	int i = 0;
dddbad72 JS	58	timestamp_t now = time(NULL);
dddbad72 JS	59	timestamp_t next = TIME_MAX;
e2770979 JK	60
	61	/*
	62	* Initially give the client 30 seconds to actually contact us
	63	* and store a credential before we decide there's no point in
	64	* keeping the daemon around.
	65	*/
	66	if (!wait_for_entry_until)
	67	wait_for_entry_until = now + 30;
	68
	69	while (i < entries_nr) {
	70	if (entries[i].expiration <= now) {
	71	entries_nr--;
	72	credential_clear(&entries[i].item);
	73	if (i != entries_nr)
	74	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	75	/*
	76	* Stick around 30 seconds in case a new credential
	77	* shows up (e.g., because we just removed a failed
	78	* one, and we will soon get the correct one).
	79	*/
	80	wait_for_entry_until = now + 30;
	81	}
	82	else {
	83	if (entries[i].expiration < next)
	84	next = entries[i].expiration;
	85	i++;
	86	}
	87	}
	88
	89	if (!entries_nr) {
	90	if (wait_for_entry_until <= now)
	91	return 0;
	92	next = wait_for_entry_until;
	93	}
	94
	95	return next - now;
	96	}
	97
	98	static int read_request(FILE fh, struct credential c,
3b335762 NTND	99	struct strbuf action, int timeout)
3b335762 NTND	100	{
e2770979 JK	101	static struct strbuf item = STRBUF_INIT;
	102	const char *p;
	103
8f309aeb	104	strbuf_getline_lf(&item, fh);
cf4fff57	105	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	106	return error("client sent bogus action line: %s", item.buf);
	107	strbuf_addstr(action, p);
	108
8f309aeb	109	strbuf_getline_lf(&item, fh);
cf4fff57	110	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	111	return error("client sent bogus timeout line: %s", item.buf);
	112	*timeout = atoi(p);
	113
	114	if (credential_read(c, fh) < 0)
	115	return -1;
	116	return 0;
	117	}
	118
	119	static void serve_one_client(FILE in, FILE out)
	120	{
	121	struct credential c = CREDENTIAL_INIT;
	122	struct strbuf action = STRBUF_INIT;
	123	int timeout = -1;
	124
	125	if (read_request(in, &c, &action, &timeout) < 0)
	126	/* ignore error */ ;
	127	else if (!strcmp(action.buf, "get")) {
	128	struct credential_cache_entry *e = lookup_credential(&c);
	129	if (e) {
	130	fprintf(out, "username=%s\n", e->item.username);
	131	fprintf(out, "password=%s\n", e->item.password);
d208bfdf H	132	if (e->item.password_expiry_utc != TIME_MAX)
	133	fprintf(out, "password_expiry_utc=%"PRItime"\n",
	134	e->item.password_expiry_utc);
e2770979 JK	135	}
e2770979 JK	136	}
7d5e9c98 JK	137	else if (!strcmp(action.buf, "exit")) {
	138	/*
	139	* It's important that we clean up our socket first, and then
	140	* signal the client only once we have finished the cleanup.
	141	* Calling exit() directly does this, because we clean up in
	142	* our atexit() handler, and then signal the client when our
	143	* process actually ends, which closes the socket and gives
	144	* them EOF.
	145	*/
e2770979	146	exit(0);
7d5e9c98	147	}
e2770979 JK	148	else if (!strcmp(action.buf, "erase"))
	149	remove_credential(&c);
	150	else if (!strcmp(action.buf, "store")) {
	151	if (timeout < 0)
	152	warning("cache client didn't specify a timeout");
	153	else if (!c.username \|\| !c.password)
	154	warning("cache client gave us a partial credential");
	155	else {
	156	remove_credential(&c);
	157	cache_credential(&c, timeout);
	158	}
	159	}
	160	else
	161	warning("cache client sent unknown action: %s", action.buf);
	162
	163	credential_clear(&c);
	164	strbuf_release(&action);
	165	}
	166
	167	static int serve_cache_loop(int fd)
	168	{
	169	struct pollfd pfd;
dddbad72	170	timestamp_t wakeup;
e2770979 JK	171
	172	wakeup = check_expirations();
	173	if (!wakeup)
	174	return 0;
	175
	176	pfd.fd = fd;
	177	pfd.events = POLLIN;
	178	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	179	if (errno != EINTR)
	180	die_errno("poll failed");
	181	return 1;
	182	}
	183
	184	if (pfd.revents & POLLIN) {
	185	int client, client2;
	186	FILE in, out;
	187
	188	client = accept(fd, NULL, NULL);
	189	if (client < 0) {
26604f9f	190	warning_errno("accept failed");
e2770979 JK	191	return 1;
	192	}
	193	client2 = dup(client);
	194	if (client2 < 0) {
26604f9f	195	warning_errno("dup failed");
e2770979 JK	196	close(client);
	197	return 1;
	198	}
	199
	200	in = xfdopen(client, "r");
	201	out = xfdopen(client2, "w");
	202	serve_one_client(in, out);
	203	fclose(in);
	204	fclose(out);
	205	}
	206	return 1;
	207	}
	208
f5e3c0b9	209	static void serve_cache(const char *socket_path, int debug)
e2770979	210	{
55144ccb	211	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
e2770979 JK	212	int fd;
e2770979 JK	213
55144ccb	214	fd = unix_stream_listen(socket_path, &opts);
e2770979 JK	215	if (fd < 0)
	216	die_errno("unable to bind to '%s'", socket_path);
	217
	218	printf("ok\n");
	219	fclose(stdout);
f5e3c0b9 JK	220	if (!debug) {
	221	if (!freopen("/dev/null", "w", stderr))
	222	die_errno("unable to point stderr to /dev/null");
	223	}
e2770979 JK	224
	225	while (serve_cache_loop(fd))
	226	; /* nothing */
	227
	228	close(fd);
e2770979 JK	229	}
e2770979 JK	230
af64f20b	231	static const char permissions_advice[] = N_(
e2770979 JK	232	"The permissions on your socket directory are too loose; other\n"
	233	"users may be able to read your cached credentials. Consider running:\n"
	234	"\n"
af64f20b	235	" chmod 0700 %s");
a6e5e286	236	static void init_socket_directory(const char *path)
e2770979 JK	237	{
	238	struct stat st;
	239	char *path_copy = xstrdup(path);
	240	char *dir = dirname(path_copy);
	241
	242	if (!stat(dir, &st)) {
	243	if (st.st_mode & 077)
af64f20b	244	die(_(permissions_advice), dir);
a6e5e286 JG	245	} else {
	246	/*
	247	* We must be sure to create the directory with the correct mode,
	248	* not just chmod it after the fact; otherwise, there is a race
	249	* condition in which somebody can chdir to it, sleep, then try to open
	250	* our protected socket.
	251	*/
	252	if (safe_create_leading_directories_const(dir) < 0)
	253	die_errno("unable to create directories for '%s'", dir);
	254	if (mkdir(dir, 0700) < 0)
	255	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	256	}
e2770979 JK	257
6e614490 JG	258	if (chdir(dir))
	259	/*
	260	* We don't actually care what our cwd is; we chdir here just to
	261	* be a friendly daemon and avoid tying up our original cwd.
	262	* If this fails, it's OK to just continue without that benefit.
	263	*/
	264	;
	265
e2770979 JK	266	free(path_copy);
	267	}
	268
b5dd96b7	269	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
e2770979	270	{
076aa2cb	271	struct tempfile *socket_file;
9e903316	272	const char *socket_path;
7f4d4746	273	int ignore_sighup = 0;
f5e3c0b9	274	static const char *usage[] = {
3e4ebe3a	275	"git credential-cache--daemon [--debug] <socket-path>",
f5e3c0b9 JK	276	NULL
	277	};
	278	int debug = 0;
	279	const struct option options[] = {
	280	OPT_BOOL(0, "debug", &debug,
	281	N_("print debugging messages to stderr")),
	282	OPT_END()
	283	};
	284
7f4d4746 NP	285	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	286
b5dd96b7	287	argc = parse_options(argc, argv, prefix, options, usage, 0);
f5e3c0b9	288	socket_path = argv[0];
e2770979 JK	289
e2770979 JK	290	if (!socket_path)
f5e3c0b9	291	usage_with_options(usage, options);
e2770979	292
bd93b8d9 JG	293	if (!is_absolute_path(socket_path))
	294	die("socket directory must be an absolute path");
	295
a6e5e286	296	init_socket_directory(socket_path);
076aa2cb	297	socket_file = register_tempfile(socket_path);
7f4d4746 NP	298
	299	if (ignore_sighup)
	300	signal(SIGHUP, SIG_IGN);
	301
f5e3c0b9	302	serve_cache(socket_path, debug);
9e903316	303	delete_tempfile(&socket_file);
18a3de42	304
e2770979 JK	305	return 0;
e2770979 JK	306	}
b5dd96b7 JK	307
	308	#else
	309
	310	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
	311	{
	312	const char * const usage[] = {
3e4ebe3a	313	"git credential-cache--daemon [--debug] <socket-path>",
b5dd96b7 JK	314	"",
	315	"credential-cache--daemon is disabled in this build of Git",
	316	NULL
	317	};
	318	struct option options[] = { OPT_END() };
	319
	320	argc = parse_options(argc, argv, prefix, options, usage, 0);
	321	die(_("credential-cache--daemon unavailable; no unix socket support"));
	322	}
	323
	324	#endif /* NO_UNIX_SOCKET */