[thirdparty/git.git] / builtin / credential-cache--daemon.c

#include "builtin.h"
#include "alloc.h"
#include "parse-options.h"

#ifndef NO_UNIX_SOCKETS

#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c)
{
	struct credential_cache_entry *e;

	e = lookup_credential(c);
	if (e)
		e->expiration = 0;
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
			if (e->item.password_expiry_utc != TIME_MAX)
				fprintf(out, "password_expiry_utc=%"PRItime"\n",
					e->item.password_expiry_utc);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
	int fd;

	fd = unix_stream_listen(socket_path, &opts);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}

#else

int cmd_credential_cache_daemon(int argc, const char **argv, const char *prefix)
{
	const char * const usage[] = {
		"git credential-cache--daemon [--debug] <socket-path>",
		"",
		"credential-cache--daemon is disabled in this build of Git",
		NULL
	};
	struct option options[] = { OPT_END() };

	argc = parse_options(argc, argv, prefix, options, usage, 0);
	die(_("credential-cache--daemon unavailable; no unix socket support"));
}

#endif /* NO_UNIX_SOCKET */
Commit	Line	Data
b5dd96b7	1	#include "builtin.h"
36bf1958	2	#include "alloc.h"
b5dd96b7 JK	3	#include "parse-options.h"
	4
	5	#ifndef NO_UNIX_SOCKETS
	6
b2141fc1	7	#include "config.h"
9e903316	8	#include "tempfile.h"
e2770979 JK	9	#include "credential.h"
e2770979 JK	10	#include "unix-socket.h"
e2770979	11
e2770979 JK	12	struct credential_cache_entry {
e2770979 JK	13	struct credential item;
dddbad72	14	timestamp_t expiration;
e2770979 JK	15	};
	16	static struct credential_cache_entry *entries;
	17	static int entries_nr;
	18	static int entries_alloc;
	19
	20	static void cache_credential(struct credential *c, int timeout)
	21	{
	22	struct credential_cache_entry *e;
	23
	24	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	25	e = &entries[entries_nr++];
	26
	27	/* take ownership of pointers */
	28	memcpy(&e->item, c, sizeof(*c));
	29	memset(c, 0, sizeof(*c));
	30	e->expiration = time(NULL) + timeout;
	31	}
	32
	33	static struct credential_cache_entry lookup_credential(const struct credential c)
	34	{
	35	int i;
	36	for (i = 0; i < entries_nr; i++) {
	37	struct credential *e = &entries[i].item;
	38	if (credential_match(c, e))
	39	return &entries[i];
	40	}
	41	return NULL;
	42	}
	43
	44	static void remove_credential(const struct credential *c)
	45	{
	46	struct credential_cache_entry *e;
	47
	48	e = lookup_credential(c);
	49	if (e)
	50	e->expiration = 0;
	51	}
	52
dddbad72	53	static timestamp_t check_expirations(void)
e2770979	54	{
dddbad72	55	static timestamp_t wait_for_entry_until;
e2770979	56	int i = 0;
dddbad72 JS	57	timestamp_t now = time(NULL);
dddbad72 JS	58	timestamp_t next = TIME_MAX;
e2770979 JK	59
	60	/*
	61	* Initially give the client 30 seconds to actually contact us
	62	* and store a credential before we decide there's no point in
	63	* keeping the daemon around.
	64	*/
	65	if (!wait_for_entry_until)
	66	wait_for_entry_until = now + 30;
	67
	68	while (i < entries_nr) {
	69	if (entries[i].expiration <= now) {
	70	entries_nr--;
	71	credential_clear(&entries[i].item);
	72	if (i != entries_nr)
	73	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	74	/*
	75	* Stick around 30 seconds in case a new credential
	76	* shows up (e.g., because we just removed a failed
	77	* one, and we will soon get the correct one).
	78	*/
	79	wait_for_entry_until = now + 30;
	80	}
	81	else {
	82	if (entries[i].expiration < next)
	83	next = entries[i].expiration;
	84	i++;
	85	}
	86	}
	87
	88	if (!entries_nr) {
	89	if (wait_for_entry_until <= now)
	90	return 0;
	91	next = wait_for_entry_until;
	92	}
	93
	94	return next - now;
	95	}
	96
	97	static int read_request(FILE fh, struct credential c,
3b335762 NTND	98	struct strbuf action, int timeout)
3b335762 NTND	99	{
e2770979 JK	100	static struct strbuf item = STRBUF_INIT;
	101	const char *p;
	102
8f309aeb	103	strbuf_getline_lf(&item, fh);
cf4fff57	104	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	105	return error("client sent bogus action line: %s", item.buf);
	106	strbuf_addstr(action, p);
	107
8f309aeb	108	strbuf_getline_lf(&item, fh);
cf4fff57	109	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	110	return error("client sent bogus timeout line: %s", item.buf);
	111	*timeout = atoi(p);
	112
	113	if (credential_read(c, fh) < 0)
	114	return -1;
	115	return 0;
	116	}
	117
	118	static void serve_one_client(FILE in, FILE out)
	119	{
	120	struct credential c = CREDENTIAL_INIT;
	121	struct strbuf action = STRBUF_INIT;
	122	int timeout = -1;
	123
	124	if (read_request(in, &c, &action, &timeout) < 0)
	125	/* ignore error */ ;
	126	else if (!strcmp(action.buf, "get")) {
	127	struct credential_cache_entry *e = lookup_credential(&c);
	128	if (e) {
	129	fprintf(out, "username=%s\n", e->item.username);
	130	fprintf(out, "password=%s\n", e->item.password);
d208bfdf H	131	if (e->item.password_expiry_utc != TIME_MAX)
	132	fprintf(out, "password_expiry_utc=%"PRItime"\n",
	133	e->item.password_expiry_utc);
e2770979 JK	134	}
e2770979 JK	135	}
7d5e9c98 JK	136	else if (!strcmp(action.buf, "exit")) {
	137	/*
	138	* It's important that we clean up our socket first, and then
	139	* signal the client only once we have finished the cleanup.
	140	* Calling exit() directly does this, because we clean up in
	141	* our atexit() handler, and then signal the client when our
	142	* process actually ends, which closes the socket and gives
	143	* them EOF.
	144	*/
e2770979	145	exit(0);
7d5e9c98	146	}
e2770979 JK	147	else if (!strcmp(action.buf, "erase"))
	148	remove_credential(&c);
	149	else if (!strcmp(action.buf, "store")) {
	150	if (timeout < 0)
	151	warning("cache client didn't specify a timeout");
	152	else if (!c.username \|\| !c.password)
	153	warning("cache client gave us a partial credential");
	154	else {
	155	remove_credential(&c);
	156	cache_credential(&c, timeout);
	157	}
	158	}
	159	else
	160	warning("cache client sent unknown action: %s", action.buf);
	161
	162	credential_clear(&c);
	163	strbuf_release(&action);
	164	}
	165
	166	static int serve_cache_loop(int fd)
	167	{
	168	struct pollfd pfd;
dddbad72	169	timestamp_t wakeup;
e2770979 JK	170
	171	wakeup = check_expirations();
	172	if (!wakeup)
	173	return 0;
	174
	175	pfd.fd = fd;
	176	pfd.events = POLLIN;
	177	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	178	if (errno != EINTR)
	179	die_errno("poll failed");
	180	return 1;
	181	}
	182
	183	if (pfd.revents & POLLIN) {
	184	int client, client2;
	185	FILE in, out;
	186
	187	client = accept(fd, NULL, NULL);
	188	if (client < 0) {
26604f9f	189	warning_errno("accept failed");
e2770979 JK	190	return 1;
	191	}
	192	client2 = dup(client);
	193	if (client2 < 0) {
26604f9f	194	warning_errno("dup failed");
e2770979 JK	195	close(client);
	196	return 1;
	197	}
	198
	199	in = xfdopen(client, "r");
	200	out = xfdopen(client2, "w");
	201	serve_one_client(in, out);
	202	fclose(in);
	203	fclose(out);
	204	}
	205	return 1;
	206	}
	207
f5e3c0b9	208	static void serve_cache(const char *socket_path, int debug)
e2770979	209	{
55144ccb	210	struct unix_stream_listen_opts opts = UNIX_STREAM_LISTEN_OPTS_INIT;
e2770979 JK	211	int fd;
e2770979 JK	212
55144ccb	213	fd = unix_stream_listen(socket_path, &opts);
e2770979 JK	214	if (fd < 0)
	215	die_errno("unable to bind to '%s'", socket_path);
	216
	217	printf("ok\n");
	218	fclose(stdout);
f5e3c0b9 JK	219	if (!debug) {
	220	if (!freopen("/dev/null", "w", stderr))
	221	die_errno("unable to point stderr to /dev/null");
	222	}
e2770979 JK	223
	224	while (serve_cache_loop(fd))
	225	; /* nothing */
	226
	227	close(fd);
e2770979 JK	228	}
e2770979 JK	229
af64f20b	230	static const char permissions_advice[] = N_(
e2770979 JK	231	"The permissions on your socket directory are too loose; other\n"
	232	"users may be able to read your cached credentials. Consider running:\n"
	233	"\n"
af64f20b	234	" chmod 0700 %s");
a6e5e286	235	static void init_socket_directory(const char *path)
e2770979 JK	236	{
	237	struct stat st;
	238	char *path_copy = xstrdup(path);
	239	char *dir = dirname(path_copy);
	240
	241	if (!stat(dir, &st)) {
	242	if (st.st_mode & 077)
af64f20b	243	die(_(permissions_advice), dir);
a6e5e286 JG	244	} else {
	245	/*
	246	* We must be sure to create the directory with the correct mode,
	247	* not just chmod it after the fact; otherwise, there is a race
	248	* condition in which somebody can chdir to it, sleep, then try to open
	249	* our protected socket.
	250	*/
	251	if (safe_create_leading_directories_const(dir) < 0)
	252	die_errno("unable to create directories for '%s'", dir);
	253	if (mkdir(dir, 0700) < 0)
	254	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	255	}
e2770979 JK	256
6e614490 JG	257	if (chdir(dir))
	258	/*
	259	* We don't actually care what our cwd is; we chdir here just to
	260	* be a friendly daemon and avoid tying up our original cwd.
	261	* If this fails, it's OK to just continue without that benefit.
	262	*/
	263	;
	264
e2770979 JK	265	free(path_copy);
	266	}
	267
b5dd96b7	268	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
e2770979	269	{
076aa2cb	270	struct tempfile *socket_file;
9e903316	271	const char *socket_path;
7f4d4746	272	int ignore_sighup = 0;
f5e3c0b9	273	static const char *usage[] = {
3e4ebe3a	274	"git credential-cache--daemon [--debug] <socket-path>",
f5e3c0b9 JK	275	NULL
	276	};
	277	int debug = 0;
	278	const struct option options[] = {
	279	OPT_BOOL(0, "debug", &debug,
	280	N_("print debugging messages to stderr")),
	281	OPT_END()
	282	};
	283
7f4d4746 NP	284	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	285
b5dd96b7	286	argc = parse_options(argc, argv, prefix, options, usage, 0);
f5e3c0b9	287	socket_path = argv[0];
e2770979 JK	288
e2770979 JK	289	if (!socket_path)
f5e3c0b9	290	usage_with_options(usage, options);
e2770979	291
bd93b8d9 JG	292	if (!is_absolute_path(socket_path))
	293	die("socket directory must be an absolute path");
	294
a6e5e286	295	init_socket_directory(socket_path);
076aa2cb	296	socket_file = register_tempfile(socket_path);
7f4d4746 NP	297
	298	if (ignore_sighup)
	299	signal(SIGHUP, SIG_IGN);
	300
f5e3c0b9	301	serve_cache(socket_path, debug);
9e903316	302	delete_tempfile(&socket_file);
18a3de42	303
e2770979 JK	304	return 0;
e2770979 JK	305	}
b5dd96b7 JK	306
	307	#else
	308
	309	int cmd_credential_cache_daemon(int argc, const char *argv, const char prefix)
	310	{
	311	const char * const usage[] = {
3e4ebe3a	312	"git credential-cache--daemon [--debug] <socket-path>",
b5dd96b7 JK	313	"",
	314	"credential-cache--daemon is disabled in this build of Git",
	315	NULL
	316	};
	317	struct option options[] = { OPT_END() };
	318
	319	argc = parse_options(argc, argv, prefix, options, usage, 0);
	320	die(_("credential-cache--daemon unavailable; no unix socket support"));
	321	}
	322
	323	#endif /* NO_UNIX_SOCKET */