[thirdparty/git.git] / credential-cache--daemon.c

#include "cache.h"
#include "config.h"
#include "tempfile.h"
#include "credential.h"
#include "unix-socket.h"
#include "parse-options.h"

struct credential_cache_entry {
	struct credential item;
	timestamp_t expiration;
};
static struct credential_cache_entry *entries;
static int entries_nr;
static int entries_alloc;

static void cache_credential(struct credential *c, int timeout)
{
	struct credential_cache_entry *e;

	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	e = &entries[entries_nr++];

	/* take ownership of pointers */
	memcpy(&e->item, c, sizeof(*c));
	memset(c, 0, sizeof(*c));
	e->expiration = time(NULL) + timeout;
}

static struct credential_cache_entry *lookup_credential(const struct credential *c)
{
	int i;
	for (i = 0; i < entries_nr; i++) {
		struct credential *e = &entries[i].item;
		if (credential_match(c, e))
			return &entries[i];
	}
	return NULL;
}

static void remove_credential(const struct credential *c)
{
	struct credential_cache_entry *e;

	e = lookup_credential(c);
	if (e)
		e->expiration = 0;
}

static timestamp_t check_expirations(void)
{
	static timestamp_t wait_for_entry_until;
	int i = 0;
	timestamp_t now = time(NULL);
	timestamp_t next = TIME_MAX;

	/*
	 * Initially give the client 30 seconds to actually contact us
	 * and store a credential before we decide there's no point in
	 * keeping the daemon around.
	 */
	if (!wait_for_entry_until)
		wait_for_entry_until = now + 30;

	while (i < entries_nr) {
		if (entries[i].expiration <= now) {
			entries_nr--;
			credential_clear(&entries[i].item);
			if (i != entries_nr)
				memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
			/*
			 * Stick around 30 seconds in case a new credential
			 * shows up (e.g., because we just removed a failed
			 * one, and we will soon get the correct one).
			 */
			wait_for_entry_until = now + 30;
		}
		else {
			if (entries[i].expiration < next)
				next = entries[i].expiration;
			i++;
		}
	}

	if (!entries_nr) {
		if (wait_for_entry_until <= now)
			return 0;
		next = wait_for_entry_until;
	}

	return next - now;
}

static int read_request(FILE *fh, struct credential *c,
			struct strbuf *action, int *timeout)
{
	static struct strbuf item = STRBUF_INIT;
	const char *p;

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "action=", &p))
		return error("client sent bogus action line: %s", item.buf);
	strbuf_addstr(action, p);

	strbuf_getline_lf(&item, fh);
	if (!skip_prefix(item.buf, "timeout=", &p))
		return error("client sent bogus timeout line: %s", item.buf);
	*timeout = atoi(p);

	if (credential_read(c, fh) < 0)
		return -1;
	return 0;
}

static void serve_one_client(FILE *in, FILE *out)
{
	struct credential c = CREDENTIAL_INIT;
	struct strbuf action = STRBUF_INIT;
	int timeout = -1;

	if (read_request(in, &c, &action, &timeout) < 0)
		/* ignore error */ ;
	else if (!strcmp(action.buf, "get")) {
		struct credential_cache_entry *e = lookup_credential(&c);
		if (e) {
			fprintf(out, "username=%s\n", e->item.username);
			fprintf(out, "password=%s\n", e->item.password);
		}
	}
	else if (!strcmp(action.buf, "exit")) {
		/*
		 * It's important that we clean up our socket first, and then
		 * signal the client only once we have finished the cleanup.
		 * Calling exit() directly does this, because we clean up in
		 * our atexit() handler, and then signal the client when our
		 * process actually ends, which closes the socket and gives
		 * them EOF.
		 */
		exit(0);
	}
	else if (!strcmp(action.buf, "erase"))
		remove_credential(&c);
	else if (!strcmp(action.buf, "store")) {
		if (timeout < 0)
			warning("cache client didn't specify a timeout");
		else if (!c.username || !c.password)
			warning("cache client gave us a partial credential");
		else {
			remove_credential(&c);
			cache_credential(&c, timeout);
		}
	}
	else
		warning("cache client sent unknown action: %s", action.buf);

	credential_clear(&c);
	strbuf_release(&action);
}

static int serve_cache_loop(int fd)
{
	struct pollfd pfd;
	timestamp_t wakeup;

	wakeup = check_expirations();
	if (!wakeup)
		return 0;

	pfd.fd = fd;
	pfd.events = POLLIN;
	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
		if (errno != EINTR)
			die_errno("poll failed");
		return 1;
	}

	if (pfd.revents & POLLIN) {
		int client, client2;
		FILE *in, *out;

		client = accept(fd, NULL, NULL);
		if (client < 0) {
			warning_errno("accept failed");
			return 1;
		}
		client2 = dup(client);
		if (client2 < 0) {
			warning_errno("dup failed");
			close(client);
			return 1;
		}

		in = xfdopen(client, "r");
		out = xfdopen(client2, "w");
		serve_one_client(in, out);
		fclose(in);
		fclose(out);
	}
	return 1;
}

static void serve_cache(const char *socket_path, int debug)
{
	int fd;

	fd = unix_stream_listen(socket_path);
	if (fd < 0)
		die_errno("unable to bind to '%s'", socket_path);

	printf("ok\n");
	fclose(stdout);
	if (!debug) {
		if (!freopen("/dev/null", "w", stderr))
			die_errno("unable to point stderr to /dev/null");
	}

	while (serve_cache_loop(fd))
		; /* nothing */

	close(fd);
}

static const char permissions_advice[] = N_(
"The permissions on your socket directory are too loose; other\n"
"users may be able to read your cached credentials. Consider running:\n"
"\n"
"	chmod 0700 %s");
static void init_socket_directory(const char *path)
{
	struct stat st;
	char *path_copy = xstrdup(path);
	char *dir = dirname(path_copy);

	if (!stat(dir, &st)) {
		if (st.st_mode & 077)
			die(_(permissions_advice), dir);
	} else {
		/*
		 * We must be sure to create the directory with the correct mode,
		 * not just chmod it after the fact; otherwise, there is a race
		 * condition in which somebody can chdir to it, sleep, then try to open
		 * our protected socket.
		 */
		if (safe_create_leading_directories_const(dir) < 0)
			die_errno("unable to create directories for '%s'", dir);
		if (mkdir(dir, 0700) < 0)
			die_errno("unable to mkdir '%s'", dir);
	}

	if (chdir(dir))
		/*
		 * We don't actually care what our cwd is; we chdir here just to
		 * be a friendly daemon and avoid tying up our original cwd.
		 * If this fails, it's OK to just continue without that benefit.
		 */
		;

	free(path_copy);
}

int cmd_main(int argc, const char **argv)
{
	struct tempfile *socket_file;
	const char *socket_path;
	int ignore_sighup = 0;
	static const char *usage[] = {
		"git-credential-cache--daemon [opts] <socket_path>",
		NULL
	};
	int debug = 0;
	const struct option options[] = {
		OPT_BOOL(0, "debug", &debug,
			 N_("print debugging messages to stderr")),
		OPT_END()
	};

	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);

	argc = parse_options(argc, argv, NULL, options, usage, 0);
	socket_path = argv[0];

	if (!socket_path)
		usage_with_options(usage, options);

	if (!is_absolute_path(socket_path))
		die("socket directory must be an absolute path");

	init_socket_directory(socket_path);
	socket_file = register_tempfile(socket_path);

	if (ignore_sighup)
		signal(SIGHUP, SIG_IGN);

	serve_cache(socket_path, debug);
	delete_tempfile(&socket_file);

	return 0;
}
Commit	Line	Data
e2770979	1	#include "cache.h"
b2141fc1	2	#include "config.h"
9e903316	3	#include "tempfile.h"
e2770979 JK	4	#include "credential.h"
e2770979 JK	5	#include "unix-socket.h"
f5e3c0b9	6	#include "parse-options.h"
e2770979	7
e2770979 JK	8	struct credential_cache_entry {
e2770979 JK	9	struct credential item;
dddbad72	10	timestamp_t expiration;
e2770979 JK	11	};
	12	static struct credential_cache_entry *entries;
	13	static int entries_nr;
	14	static int entries_alloc;
	15
	16	static void cache_credential(struct credential *c, int timeout)
	17	{
	18	struct credential_cache_entry *e;
	19
	20	ALLOC_GROW(entries, entries_nr + 1, entries_alloc);
	21	e = &entries[entries_nr++];
	22
	23	/* take ownership of pointers */
	24	memcpy(&e->item, c, sizeof(*c));
	25	memset(c, 0, sizeof(*c));
	26	e->expiration = time(NULL) + timeout;
	27	}
	28
	29	static struct credential_cache_entry lookup_credential(const struct credential c)
	30	{
	31	int i;
	32	for (i = 0; i < entries_nr; i++) {
	33	struct credential *e = &entries[i].item;
	34	if (credential_match(c, e))
	35	return &entries[i];
	36	}
	37	return NULL;
	38	}
	39
	40	static void remove_credential(const struct credential *c)
	41	{
	42	struct credential_cache_entry *e;
	43
	44	e = lookup_credential(c);
	45	if (e)
	46	e->expiration = 0;
	47	}
	48
dddbad72	49	static timestamp_t check_expirations(void)
e2770979	50	{
dddbad72	51	static timestamp_t wait_for_entry_until;
e2770979	52	int i = 0;
dddbad72 JS	53	timestamp_t now = time(NULL);
dddbad72 JS	54	timestamp_t next = TIME_MAX;
e2770979 JK	55
	56	/*
	57	* Initially give the client 30 seconds to actually contact us
	58	* and store a credential before we decide there's no point in
	59	* keeping the daemon around.
	60	*/
	61	if (!wait_for_entry_until)
	62	wait_for_entry_until = now + 30;
	63
	64	while (i < entries_nr) {
	65	if (entries[i].expiration <= now) {
	66	entries_nr--;
	67	credential_clear(&entries[i].item);
	68	if (i != entries_nr)
	69	memcpy(&entries[i], &entries[entries_nr], sizeof(*entries));
	70	/*
	71	* Stick around 30 seconds in case a new credential
	72	* shows up (e.g., because we just removed a failed
	73	* one, and we will soon get the correct one).
	74	*/
	75	wait_for_entry_until = now + 30;
	76	}
	77	else {
	78	if (entries[i].expiration < next)
	79	next = entries[i].expiration;
	80	i++;
	81	}
	82	}
	83
	84	if (!entries_nr) {
	85	if (wait_for_entry_until <= now)
	86	return 0;
	87	next = wait_for_entry_until;
	88	}
	89
	90	return next - now;
	91	}
	92
	93	static int read_request(FILE fh, struct credential c,
3b335762 NTND	94	struct strbuf action, int timeout)
3b335762 NTND	95	{
e2770979 JK	96	static struct strbuf item = STRBUF_INIT;
	97	const char *p;
	98
8f309aeb	99	strbuf_getline_lf(&item, fh);
cf4fff57	100	if (!skip_prefix(item.buf, "action=", &p))
e2770979 JK	101	return error("client sent bogus action line: %s", item.buf);
	102	strbuf_addstr(action, p);
	103
8f309aeb	104	strbuf_getline_lf(&item, fh);
cf4fff57	105	if (!skip_prefix(item.buf, "timeout=", &p))
e2770979 JK	106	return error("client sent bogus timeout line: %s", item.buf);
	107	*timeout = atoi(p);
	108
	109	if (credential_read(c, fh) < 0)
	110	return -1;
	111	return 0;
	112	}
	113
	114	static void serve_one_client(FILE in, FILE out)
	115	{
	116	struct credential c = CREDENTIAL_INIT;
	117	struct strbuf action = STRBUF_INIT;
	118	int timeout = -1;
	119
	120	if (read_request(in, &c, &action, &timeout) < 0)
	121	/* ignore error */ ;
	122	else if (!strcmp(action.buf, "get")) {
	123	struct credential_cache_entry *e = lookup_credential(&c);
	124	if (e) {
	125	fprintf(out, "username=%s\n", e->item.username);
	126	fprintf(out, "password=%s\n", e->item.password);
	127	}
	128	}
7d5e9c98 JK	129	else if (!strcmp(action.buf, "exit")) {
	130	/*
	131	* It's important that we clean up our socket first, and then
	132	* signal the client only once we have finished the cleanup.
	133	* Calling exit() directly does this, because we clean up in
	134	* our atexit() handler, and then signal the client when our
	135	* process actually ends, which closes the socket and gives
	136	* them EOF.
	137	*/
e2770979	138	exit(0);
7d5e9c98	139	}
e2770979 JK	140	else if (!strcmp(action.buf, "erase"))
	141	remove_credential(&c);
	142	else if (!strcmp(action.buf, "store")) {
	143	if (timeout < 0)
	144	warning("cache client didn't specify a timeout");
	145	else if (!c.username \|\| !c.password)
	146	warning("cache client gave us a partial credential");
	147	else {
	148	remove_credential(&c);
	149	cache_credential(&c, timeout);
	150	}
	151	}
	152	else
	153	warning("cache client sent unknown action: %s", action.buf);
	154
	155	credential_clear(&c);
	156	strbuf_release(&action);
	157	}
	158
	159	static int serve_cache_loop(int fd)
	160	{
	161	struct pollfd pfd;
dddbad72	162	timestamp_t wakeup;
e2770979 JK	163
	164	wakeup = check_expirations();
	165	if (!wakeup)
	166	return 0;
	167
	168	pfd.fd = fd;
	169	pfd.events = POLLIN;
	170	if (poll(&pfd, 1, 1000 * wakeup) < 0) {
	171	if (errno != EINTR)
	172	die_errno("poll failed");
	173	return 1;
	174	}
	175
	176	if (pfd.revents & POLLIN) {
	177	int client, client2;
	178	FILE in, out;
	179
	180	client = accept(fd, NULL, NULL);
	181	if (client < 0) {
26604f9f	182	warning_errno("accept failed");
e2770979 JK	183	return 1;
	184	}
	185	client2 = dup(client);
	186	if (client2 < 0) {
26604f9f	187	warning_errno("dup failed");
e2770979 JK	188	close(client);
	189	return 1;
	190	}
	191
	192	in = xfdopen(client, "r");
	193	out = xfdopen(client2, "w");
	194	serve_one_client(in, out);
	195	fclose(in);
	196	fclose(out);
	197	}
	198	return 1;
	199	}
	200
f5e3c0b9	201	static void serve_cache(const char *socket_path, int debug)
e2770979 JK	202	{
	203	int fd;
	204
	205	fd = unix_stream_listen(socket_path);
	206	if (fd < 0)
	207	die_errno("unable to bind to '%s'", socket_path);
	208
	209	printf("ok\n");
	210	fclose(stdout);
f5e3c0b9 JK	211	if (!debug) {
	212	if (!freopen("/dev/null", "w", stderr))
	213	die_errno("unable to point stderr to /dev/null");
	214	}
e2770979 JK	215
	216	while (serve_cache_loop(fd))
	217	; /* nothing */
	218
	219	close(fd);
e2770979 JK	220	}
e2770979 JK	221
af64f20b	222	static const char permissions_advice[] = N_(
e2770979 JK	223	"The permissions on your socket directory are too loose; other\n"
	224	"users may be able to read your cached credentials. Consider running:\n"
	225	"\n"
af64f20b	226	" chmod 0700 %s");
a6e5e286	227	static void init_socket_directory(const char *path)
e2770979 JK	228	{
	229	struct stat st;
	230	char *path_copy = xstrdup(path);
	231	char *dir = dirname(path_copy);
	232
	233	if (!stat(dir, &st)) {
	234	if (st.st_mode & 077)
af64f20b	235	die(_(permissions_advice), dir);
a6e5e286 JG	236	} else {
	237	/*
	238	* We must be sure to create the directory with the correct mode,
	239	* not just chmod it after the fact; otherwise, there is a race
	240	* condition in which somebody can chdir to it, sleep, then try to open
	241	* our protected socket.
	242	*/
	243	if (safe_create_leading_directories_const(dir) < 0)
	244	die_errno("unable to create directories for '%s'", dir);
	245	if (mkdir(dir, 0700) < 0)
	246	die_errno("unable to mkdir '%s'", dir);
e2770979 JK	247	}
e2770979 JK	248
6e614490 JG	249	if (chdir(dir))
	250	/*
	251	* We don't actually care what our cwd is; we chdir here just to
	252	* be a friendly daemon and avoid tying up our original cwd.
	253	* If this fails, it's OK to just continue without that benefit.
	254	*/
	255	;
	256
e2770979 JK	257	free(path_copy);
	258	}
	259
3f2e2297	260	int cmd_main(int argc, const char **argv)
e2770979	261	{
076aa2cb	262	struct tempfile *socket_file;
9e903316	263	const char *socket_path;
7f4d4746	264	int ignore_sighup = 0;
f5e3c0b9 JK	265	static const char *usage[] = {
	266	"git-credential-cache--daemon [opts] <socket_path>",
	267	NULL
	268	};
	269	int debug = 0;
	270	const struct option options[] = {
	271	OPT_BOOL(0, "debug", &debug,
	272	N_("print debugging messages to stderr")),
	273	OPT_END()
	274	};
	275
7f4d4746 NP	276	git_config_get_bool("credentialcache.ignoresighup", &ignore_sighup);
7f4d4746 NP	277
f5e3c0b9 JK	278	argc = parse_options(argc, argv, NULL, options, usage, 0);
f5e3c0b9 JK	279	socket_path = argv[0];
e2770979 JK	280
e2770979 JK	281	if (!socket_path)
f5e3c0b9	282	usage_with_options(usage, options);
e2770979	283
bd93b8d9 JG	284	if (!is_absolute_path(socket_path))
	285	die("socket directory must be an absolute path");
	286
a6e5e286	287	init_socket_directory(socket_path);
076aa2cb	288	socket_file = register_tempfile(socket_path);
7f4d4746 NP	289
	290	if (ignore_sighup)
	291	signal(SIGHUP, SIG_IGN);
	292
f5e3c0b9	293	serve_cache(socket_path, debug);
9e903316	294	delete_tempfile(&socket_file);
18a3de42	295
e2770979 JK	296	return 0;
e2770979 JK	297	}