[thirdparty/git.git] / builtin / credential-cache--daemon.c

#include "builtin.h"
#include "abspath.h"
#include "alloc.h"
#include "gettext.h"
#include "parse-options.h"

#ifndef NO_UNIX_SOCKETS

#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c)
{
	struct credential_cache_entry *e;

	e = lookup_credential(c);
	if (e)
		e->expiration = 0;
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
			if (e->item.password_expiry_utc != TIME_MAX)
				fprintf(out, "password_expiry_utc=%"PRItime"\n",
					e->item.password_expiry_utc);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
	int fd;

	fd = unix_stream_listen(socket_path, &opts);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}

#else

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	const char * const usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		"",
		"credential-cache--daemon is disabled in this build of Git",
		NULL
	};
	struct option options[] = { OPT_END() };

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	die(_("credential-cache--daemon unavailable; no unix socket support"));
}

#endif /* NO_UNIX_SOCKET */
Commit	Line	Data
b5dd96b7	1	#include "builtin.h"
0b027f6c	2	#include "abspath.h"
36bf1958	3	#include "alloc.h"
f394e093	4	#include "gettext.h"
b5dd96b7 JK	5	#include "parse-options.h"
	6
	7	#ifndef NO_UNIX_SOCKETS
	8
b2141fc1	9	#include "config.h"
9e903316	10	#include "tempfile.h"
e2770979 JK	11	#include "credential.h"
e2770979 JK	12	#include "unix-socket.h"
e2770979	13
e2770979 JK	14	struct credential_cache_entry {
e2770979 JK	15	struct credential item;
dddbad72	16	timestamp_t expiration;
e2770979 JK	17	};
	18	static struct credential_cache_entry *entries;
	19	static int entries_nr;
	20	static int entries_alloc;
	21
	22	static void cache_credential(struct credential *c, int timeout)
	23	{
	24	struct credential_cache_entry *e;
	25
	26	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	27	e = &entries[entries_nr++];
	28
	29	/* take ownership of pointers */
	30	memcpy(&e->item, c, sizeof(*c));
	31	memset(c, 0, sizeof(*c));
	32	e->expiration = time(NULL) + timeout;
	33	}
	34
	35	static struct credential_cache_entry lookup_credential(const struct credential c)
	36	{
	37	int i;
	38	for (i = 0; i < entries_nr; i++) {
	39	struct credential *e = &entries[i].item;
	40	if (credential_match(c, e))
	41	return &entries[i];
	42	}
	43	return NULL;
	44	}
	45
	46	static void remove_credential(const struct credential *c)
	47	{
	48	struct credential_cache_entry *e;
	49
	50	e = lookup_credential(c);
	51	if (e)
	52	e->expiration = 0;
	53	}
	54
dddbad72	55	static timestamp_t check_expirations(void)
e2770979	56	{
dddbad72	57	static timestamp_t wait_for_entry_until;
e2770979	58	int i = 0;
dddbad72 JS	59	timestamp_t now = time(NULL);
dddbad72 JS	60	timestamp_t next = TIME_MAX;
e2770979 JK	61
	62	/*
	63	* Initially give the client 30 seconds to actually contact us
	64	* and store a credential before we decide there's no point in
	65	* keeping the daemon around.
	66	*/
	67	if (!wait_for_entry_until)
	68	wait_for_entry_until = now + 30;
	69
	70	while (i < entries_nr) {
	71	if (entries[i].expiration <= now) {
	72	entries_nr--;
	73	credential_clear(&entries[i].item);
	74	if (i != entries_nr)
	75	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	76	/*
	77	* Stick around 30 seconds in case a new credential
	78	* shows up (e.g., because we just removed a failed
	79	* one, and we will soon get the correct one).
	80	*/
	81	wait_for_entry_until = now + 30;
	82	}
	83	else {
	84	if (entries[i].expiration < next)
	85	next = entries[i].expiration;
	86	i++;
	87	}
	88	}
	89
	90	if (!entries_nr) {
	91	if (wait_for_entry_until <= now)
	92	return 0;
	93	next = wait_for_entry_until;
	94	}
	95
	96	return next - now;
	97	}
	98
	99	static int read_request(FILE fh, struct credential c,
3b335762 NTND	100	struct strbuf action, int timeout)
3b335762 NTND	101	{
e2770979 JK	102	static struct strbuf item = STRBUF_INIT;
	103	const char *p;
	104
8f309aeb	105	strbuf_getline_lf(&item, fh);
cf4fff57	106	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	107	return error("client sent bogus action line: %s", item.buf);
	108	strbuf_addstr(action, p);
	109
8f309aeb	110	strbuf_getline_lf(&item, fh);
cf4fff57	111	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	112	return error("client sent bogus timeout line: %s", item.buf);
	113	*timeout = atoi(p);
	114
	115	if (credential_read(c, fh) < 0)
	116	return -1;
	117	return 0;
	118	}
	119
	120	static void serve_one_client(FILE in, FILE out)
	121	{
	122	struct credential c = CREDENTIAL_INIT;
	123	struct strbuf action = STRBUF_INIT;
	124	int timeout = -1;
	125
	126	if (read_request(in, &c, &action, &timeout) < 0)
	127	/* ignore error */ ;
	128	else if (!strcmp(action.buf, "get")) {
	129	struct credential_cache_entry *e = lookup_credential(&c);
	130	if (e) {
	131	fprintf(out, "username=%s\n", e->item.username);
	132	fprintf(out, "password=%s\n", e->item.password);
d208bfdf H	133	if (e->item.password_expiry_utc != TIME_MAX)
	134	fprintf(out, "password_expiry_utc=%"PRItime"\n",
	135	e->item.password_expiry_utc);
e2770979 JK	136	}
e2770979 JK	137	}
7d5e9c98 JK	138	else if (!strcmp(action.buf, "exit")) {
	139	/*
	140	* It's important that we clean up our socket first, and then
	141	* signal the client only once we have finished the cleanup.
	142	* Calling exit() directly does this, because we clean up in
	143	* our atexit() handler, and then signal the client when our
	144	* process actually ends, which closes the socket and gives
	145	* them EOF.
	146	*/
e2770979	147	exit(0);
7d5e9c98	148	}
e2770979 JK	149	else if (!strcmp(action.buf, "erase"))
	150	remove_credential(&c);
	151	else if (!strcmp(action.buf, "store")) {
	152	if (timeout < 0)
	153	warning("cache client didn't specify a timeout");
	154	else if (!c.username \|\| !c.password)
	155	warning("cache client gave us a partial credential");
	156	else {
	157	remove_credential(&c);
	158	cache_credential(&c, timeout);
	159	}
	160	}
	161	else
	162	warning("cache client sent unknown action: %s", action.buf);
	163
	164	credential_clear(&c);
	165	strbuf_release(&action);
	166	}
	167
	168	static int serve_cache_loop(int fd)
	169	{
	170	struct pollfd pfd;
dddbad72	171	timestamp_t wakeup;
e2770979 JK	172
	173	wakeup = check_expirations();
	174	if (!wakeup)
	175	return 0;
	176
	177	pfd.fd = fd;
	178	pfd.events = POLLIN;
	179	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	180	if (errno != EINTR)
	181	die_errno("poll failed");
	182	return 1;
	183	}
	184
	185	if (pfd.revents & POLLIN) {
	186	int client, client2;
	187	FILE in, out;
	188
	189	client = accept(fd, NULL, NULL);
	190	if (client < 0) {
26604f9f	191	warning_errno("accept failed");
e2770979 JK	192	return 1;
	193	}
	194	client2 = dup(client);
	195	if (client2 < 0) {
26604f9f	196	warning_errno("dup failed");
e2770979 JK	197	close(client);
	198	return 1;
	199	}
	200
	201	in = xfdopen(client, "r");
	202	out = xfdopen(client2, "w");
	203	serve_one_client(in, out);
	204	fclose(in);
	205	fclose(out);
	206	}
	207	return 1;
	208	}
	209
f5e3c0b9	210	static void serve_cache(const char *socket_path, int debug)
e2770979	211	{
55144ccb	212	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
e2770979 JK	213	int fd;
e2770979 JK	214
55144ccb	215	fd = unix_stream_listen(socket_path, &opts);
e2770979 JK	216	if (fd < 0)
	217	die_errno("unable to bind to '%s'", socket_path);
	218
	219	printf("ok\n");
	220	fclose(stdout);
f5e3c0b9 JK	221	if (!debug) {
	222	if (!freopen("/dev/null", "w", stderr))
	223	die_errno("unable to point stderr to /dev/null");
	224	}
e2770979 JK	225
	226	while (serve_cache_loop(fd))
	227	; /* nothing */
	228
	229	close(fd);
e2770979 JK	230	}
e2770979 JK	231
af64f20b	232	static const char permissions_advice[] = N_(
e2770979 JK	233	"The permissions on your socket directory are too loose; other\n"
	234	"users may be able to read your cached credentials. Consider running:\n"
	235	"\n"
af64f20b	236	" chmod 0700 %s");
a6e5e286	237	static void init_socket_directory(const char *path)
e2770979 JK	238	{
	239	struct stat st;
	240	char *path_copy = xstrdup(path);
	241	char *dir = dirname(path_copy);
	242
	243	if (!stat(dir, &st)) {
	244	if (st.st_mode & 077)
af64f20b	245	die(_(permissions_advice), dir);
a6e5e286 JG	246	} else {
	247	/*
	248	* We must be sure to create the directory with the correct mode,
	249	* not just chmod it after the fact; otherwise, there is a race
	250	* condition in which somebody can chdir to it, sleep, then try to open
	251	* our protected socket.
	252	*/
	253	if (safe_create_leading_directories_const(dir) < 0)
	254	die_errno("unable to create directories for '%s'", dir);
	255	if (mkdir(dir, 0700) < 0)
	256	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	257	}
e2770979 JK	258
6e614490 JG	259	if (chdir(dir))
	260	/*
	261	* We don't actually care what our cwd is; we chdir here just to
	262	* be a friendly daemon and avoid tying up our original cwd.
	263	* If this fails, it's OK to just continue without that benefit.
	264	*/
	265	;
	266
e2770979 JK	267	free(path_copy);
	268	}
	269
b5dd96b7	270	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
e2770979	271	{
076aa2cb	272	struct tempfile *socket_file;
9e903316	273	const char *socket_path;
7f4d4746	274	int ignore_sighup = 0;
f5e3c0b9	275	static const char *usage[] = {
3e4ebe3a	276	"git credential-cache--daemon [--debug] <socket-path>",
f5e3c0b9 JK	277	NULL
	278	};
	279	int debug = 0;
	280	const struct option options[] = {
	281	OPT_BOOL(0, "debug", &debug,
	282	N_("print debugging messages to stderr")),
	283	OPT_END()
	284	};
	285
7f4d4746 NP	286	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	287
b5dd96b7	288	argc = parse_options(argc, argv, prefix, options, usage, 0);
f5e3c0b9	289	socket_path = argv[0];
e2770979 JK	290
e2770979 JK	291	if (!socket_path)
f5e3c0b9	292	usage_with_options(usage, options);
e2770979	293
bd93b8d9 JG	294	if (!is_absolute_path(socket_path))
	295	die("socket directory must be an absolute path");
	296
a6e5e286	297	init_socket_directory(socket_path);
076aa2cb	298	socket_file = register_tempfile(socket_path);
7f4d4746 NP	299
	300	if (ignore_sighup)
	301	signal(SIGHUP, SIG_IGN);
	302
f5e3c0b9	303	serve_cache(socket_path, debug);
9e903316	304	delete_tempfile(&socket_file);
18a3de42	305
e2770979 JK	306	return 0;
e2770979 JK	307	}
b5dd96b7 JK	308
	309	#else
	310
	311	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
	312	{
	313	const char * const usage[] = {
3e4ebe3a	314	"git credential-cache--daemon [--debug] <socket-path>",
b5dd96b7 JK	315	"",
	316	"credential-cache--daemon is disabled in this build of Git",
	317	NULL
	318	};
	319	struct option options[] = { OPT_END() };
	320
	321	argc = parse_options(argc, argv, prefix, options, usage, 0);
	322	die(_("credential-cache--daemon unavailable; no unix socket support"));
	323	}
	324
	325	#endif /* NO_UNIX_SOCKET */