[thirdparty/git.git] / builtin / credential-cache--daemon.c

#include "builtin.h"
#include "abspath.h"
#include "gettext.h"
#include "object-file.h"
#include "parse-options.h"

#ifndef NO_UNIX_SOCKETS

#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e, 0))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c, int match_password)
{
	struct credential_cache_entry *e;

	int i;
	for (i = 0; i < entries_nr; i++) {
		e = &entries[i];
		if (credential_match(c, &e->item, match_password))
			e->expiration = 0;
	}
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
			if (e->item.password_expiry_utc != TIME_MAX)
				fprintf(out, "password_expiry_utc=%"PRItime"\n",
					e->item.password_expiry_utc);
			if (e->item.oauth_refresh_token)
				fprintf(out, "oauth_refresh_token=%s\n",
					e->item.oauth_refresh_token);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c, 1);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c, 0);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
	int fd;

	fd = unix_stream_listen(socket_path, &opts);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}

#else

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	const char * const usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		"",
		"credential-cache--daemon is disabled in this build of Git",
		NULL
	};
	struct option options[] = { OPT_END() };

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	die(_("credential-cache--daemon unavailable; no unix socket support"));
}

#endif /* NO_UNIX_SOCKET */
Commit	Line	Data
b5dd96b7	1	#include "builtin.h"
0b027f6c	2	#include "abspath.h"
f394e093	3	#include "gettext.h"
87bed179	4	#include "object-file.h"
b5dd96b7 JK	5	#include "parse-options.h"
	6
	7	#ifndef NO_UNIX_SOCKETS
	8
b2141fc1	9	#include "config.h"
9e903316	10	#include "tempfile.h"
e2770979 JK	11	#include "credential.h"
e2770979 JK	12	#include "unix-socket.h"
e2770979	13
e2770979 JK	14	struct credential_cache_entry {
e2770979 JK	15	struct credential item;
dddbad72	16	timestamp_t expiration;
e2770979 JK	17	};
	18	static struct credential_cache_entry *entries;
	19	static int entries_nr;
	20	static int entries_alloc;
	21
	22	static void cache_credential(struct credential *c, int timeout)
	23	{
	24	struct credential_cache_entry *e;
	25
	26	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	27	e = &entries[entries_nr++];
	28
	29	/* take ownership of pointers */
	30	memcpy(&e->item, c, sizeof(*c));
	31	memset(c, 0, sizeof(*c));
	32	e->expiration = time(NULL) + timeout;
	33	}
	34
6c26da84	35	static struct credential_cache_entry lookup_credential(const struct credential c)
e2770979 JK	36	{
	37	int i;
	38	for (i = 0; i < entries_nr; i++) {
	39	struct credential *e = &entries[i].item;
6c26da84	40	if (credential_match(c, e, 0))
e2770979 JK	41	return &entries[i];
	42	}
	43	return NULL;
	44	}
	45
aeb21ce2	46	static void remove_credential(const struct credential *c, int match_password)
e2770979 JK	47	{
	48	struct credential_cache_entry *e;
	49
6c26da84 H	50	int i;
	51	for (i = 0; i < entries_nr; i++) {
	52	e = &entries[i];
	53	if (credential_match(c, &e->item, match_password))
	54	e->expiration = 0;
	55	}
e2770979 JK	56	}
e2770979 JK	57
dddbad72	58	static timestamp_t check_expirations(void)
e2770979	59	{
dddbad72	60	static timestamp_t wait_for_entry_until;
e2770979	61	int i = 0;
dddbad72 JS	62	timestamp_t now = time(NULL);
dddbad72 JS	63	timestamp_t next = TIME_MAX;
e2770979 JK	64
	65	/*
	66	* Initially give the client 30 seconds to actually contact us
	67	* and store a credential before we decide there's no point in
	68	* keeping the daemon around.
	69	*/
	70	if (!wait_for_entry_until)
	71	wait_for_entry_until = now + 30;
	72
	73	while (i < entries_nr) {
	74	if (entries[i].expiration <= now) {
	75	entries_nr--;
	76	credential_clear(&entries[i].item);
	77	if (i != entries_nr)
	78	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	79	/*
	80	* Stick around 30 seconds in case a new credential
	81	* shows up (e.g., because we just removed a failed
	82	* one, and we will soon get the correct one).
	83	*/
	84	wait_for_entry_until = now + 30;
	85	}
	86	else {
	87	if (entries[i].expiration < next)
	88	next = entries[i].expiration;
	89	i++;
	90	}
	91	}
	92
	93	if (!entries_nr) {
	94	if (wait_for_entry_until <= now)
	95	return 0;
	96	next = wait_for_entry_until;
	97	}
	98
	99	return next - now;
	100	}
	101
	102	static int read_request(FILE fh, struct credential c,
3b335762 NTND	103	struct strbuf action, int timeout)
3b335762 NTND	104	{
e2770979 JK	105	static struct strbuf item = STRBUF_INIT;
	106	const char *p;
	107
8f309aeb	108	strbuf_getline_lf(&item, fh);
cf4fff57	109	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	110	return error("client sent bogus action line: %s", item.buf);
	111	strbuf_addstr(action, p);
	112
8f309aeb	113	strbuf_getline_lf(&item, fh);
cf4fff57	114	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	115	return error("client sent bogus timeout line: %s", item.buf);
	116	*timeout = atoi(p);
	117
	118	if (credential_read(c, fh) < 0)
	119	return -1;
	120	return 0;
	121	}
	122
	123	static void serve_one_client(FILE in, FILE out)
	124	{
	125	struct credential c = CREDENTIAL_INIT;
	126	struct strbuf action = STRBUF_INIT;
	127	int timeout = -1;
	128
	129	if (read_request(in, &c, &action, &timeout) < 0)
	130	/* ignore error */ ;
	131	else if (!strcmp(action.buf, "get")) {
6c26da84	132	struct credential_cache_entry *e = lookup_credential(&c);
e2770979 JK	133	if (e) {
	134	fprintf(out, "username=%s\n", e->item.username);
	135	fprintf(out, "password=%s\n", e->item.password);
d208bfdf H	136	if (e->item.password_expiry_utc != TIME_MAX)
	137	fprintf(out, "password_expiry_utc=%"PRItime"\n",
	138	e->item.password_expiry_utc);
a5c76569 H	139	if (e->item.oauth_refresh_token)
	140	fprintf(out, "oauth_refresh_token=%s\n",
	141	e->item.oauth_refresh_token);
e2770979 JK	142	}
e2770979 JK	143	}
7d5e9c98 JK	144	else if (!strcmp(action.buf, "exit")) {
	145	/*
	146	* It's important that we clean up our socket first, and then
	147	* signal the client only once we have finished the cleanup.
	148	* Calling exit() directly does this, because we clean up in
	149	* our atexit() handler, and then signal the client when our
	150	* process actually ends, which closes the socket and gives
	151	* them EOF.
	152	*/
e2770979	153	exit(0);
7d5e9c98	154	}
e2770979	155	else if (!strcmp(action.buf, "erase"))
aeb21ce2	156	remove_credential(&c, 1);
e2770979 JK	157	else if (!strcmp(action.buf, "store")) {
	158	if (timeout < 0)
	159	warning("cache client didn't specify a timeout");
	160	else if (!c.username \|\| !c.password)
	161	warning("cache client gave us a partial credential");
	162	else {
aeb21ce2	163	remove_credential(&c, 0);
e2770979 JK	164	cache_credential(&c, timeout);
	165	}
	166	}
	167	else
	168	warning("cache client sent unknown action: %s", action.buf);
	169
	170	credential_clear(&c);
	171	strbuf_release(&action);
	172	}
	173
	174	static int serve_cache_loop(int fd)
	175	{
	176	struct pollfd pfd;
dddbad72	177	timestamp_t wakeup;
e2770979 JK	178
	179	wakeup = check_expirations();
	180	if (!wakeup)
	181	return 0;
	182
	183	pfd.fd = fd;
	184	pfd.events = POLLIN;
	185	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	186	if (errno != EINTR)
	187	die_errno("poll failed");
	188	return 1;
	189	}
	190
	191	if (pfd.revents & POLLIN) {
	192	int client, client2;
	193	FILE in, out;
	194
	195	client = accept(fd, NULL, NULL);
	196	if (client < 0) {
26604f9f	197	warning_errno("accept failed");
e2770979 JK	198	return 1;
	199	}
	200	client2 = dup(client);
	201	if (client2 < 0) {
26604f9f	202	warning_errno("dup failed");
e2770979 JK	203	close(client);
	204	return 1;
	205	}
	206
	207	in = xfdopen(client, "r");
	208	out = xfdopen(client2, "w");
	209	serve_one_client(in, out);
	210	fclose(in);
	211	fclose(out);
	212	}
	213	return 1;
	214	}
	215
f5e3c0b9	216	static void serve_cache(const char *socket_path, int debug)
e2770979	217	{
55144ccb	218	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
e2770979 JK	219	int fd;
e2770979 JK	220
55144ccb	221	fd = unix_stream_listen(socket_path, &opts);
e2770979 JK	222	if (fd < 0)
	223	die_errno("unable to bind to '%s'", socket_path);
	224
	225	printf("ok\n");
	226	fclose(stdout);
f5e3c0b9 JK	227	if (!debug) {
	228	if (!freopen("/dev/null", "w", stderr))
	229	die_errno("unable to point stderr to /dev/null");
	230	}
e2770979 JK	231
	232	while (serve_cache_loop(fd))
	233	; /* nothing */
	234
	235	close(fd);
e2770979 JK	236	}
e2770979 JK	237
af64f20b	238	static const char permissions_advice[] = N_(
e2770979 JK	239	"The permissions on your socket directory are too loose; other\n"
	240	"users may be able to read your cached credentials. Consider running:\n"
	241	"\n"
af64f20b	242	" chmod 0700 %s");
a6e5e286	243	static void init_socket_directory(const char *path)
e2770979 JK	244	{
	245	struct stat st;
	246	char *path_copy = xstrdup(path);
	247	char *dir = dirname(path_copy);
	248
	249	if (!stat(dir, &st)) {
	250	if (st.st_mode & 077)
af64f20b	251	die(_(permissions_advice), dir);
a6e5e286 JG	252	} else {
	253	/*
	254	* We must be sure to create the directory with the correct mode,
	255	* not just chmod it after the fact; otherwise, there is a race
	256	* condition in which somebody can chdir to it, sleep, then try to open
	257	* our protected socket.
	258	*/
	259	if (safe_create_leading_directories_const(dir) < 0)
	260	die_errno("unable to create directories for '%s'", dir);
	261	if (mkdir(dir, 0700) < 0)
	262	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	263	}
e2770979 JK	264
6e614490 JG	265	if (chdir(dir))
	266	/*
	267	* We don't actually care what our cwd is; we chdir here just to
	268	* be a friendly daemon and avoid tying up our original cwd.
	269	* If this fails, it's OK to just continue without that benefit.
	270	*/
	271	;
	272
e2770979 JK	273	free(path_copy);
	274	}
	275
b5dd96b7	276	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
e2770979	277	{
076aa2cb	278	struct tempfile *socket_file;
9e903316	279	const char *socket_path;
7f4d4746	280	int ignore_sighup = 0;
f5e3c0b9	281	static const char *usage[] = {
3e4ebe3a	282	"git credential-cache--daemon [--debug] <socket-path>",
f5e3c0b9 JK	283	NULL
	284	};
	285	int debug = 0;
	286	const struct option options[] = {
	287	OPT_BOOL(0, "debug", &debug,
	288	N_("print debugging messages to stderr")),
	289	OPT_END()
	290	};
	291
7f4d4746 NP	292	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	293
b5dd96b7	294	argc = parse_options(argc, argv, prefix, options, usage, 0);
f5e3c0b9	295	socket_path = argv[0];
e2770979 JK	296
e2770979 JK	297	if (!socket_path)
f5e3c0b9	298	usage_with_options(usage, options);
e2770979	299
bd93b8d9 JG	300	if (!is_absolute_path(socket_path))
	301	die("socket directory must be an absolute path");
	302
a6e5e286	303	init_socket_directory(socket_path);
076aa2cb	304	socket_file = register_tempfile(socket_path);
7f4d4746 NP	305
	306	if (ignore_sighup)
	307	signal(SIGHUP, SIG_IGN);
	308
f5e3c0b9	309	serve_cache(socket_path, debug);
9e903316	310	delete_tempfile(&socket_file);
18a3de42	311
e2770979 JK	312	return 0;
e2770979 JK	313	}
b5dd96b7 JK	314
	315	#else
	316
	317	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
	318	{
	319	const char * const usage[] = {
3e4ebe3a	320	"git credential-cache--daemon [--debug] <socket-path>",
b5dd96b7 JK	321	"",
	322	"credential-cache--daemon is disabled in this build of Git",
	323	NULL
	324	};
	325	struct option options[] = { OPT_END() };
	326
	327	argc = parse_options(argc, argv, prefix, options, usage, 0);
	328	die(_("credential-cache--daemon unavailable; no unix socket support"));
	329	}
	330
	331	#endif /* NO_UNIX_SOCKET */