t5550: add netrc tests for http 401/403

git allows using .netrc file to supply credentials for HTTP auth.
Three test cases are added in this patch to provide missing coverage
when cloning over HTTP using .netrc file:

  - First test case checks that the git clone is successful when credentials
    are provided via .netrc file
  - Second test case checks that the git clone fails when the .netrc file
    provides invalid credentials. The HTTP server is expected to return
    401 Unauthorized in such a case. The test checks that the user is
    provided with a prompt for username/password on 401 to provide
    the valid ones.
  - Third test case checks that the git clone fails when the .netrc file
    provides credentials that are valid but do not have permission for
    this user. For example one may have multiple tokens in GitHub
    and uses the one which was not authorized for cloning this repo.
    In such a case the HTTP server returns 403 Forbidden.
    For this test, the apache.conf is modified to return a 403
    on finding a forbidden-user. No prompt for username/password is
    expected after the 403 (unlike 401). This is because prompting may wipe
    out existing credentials or conflict with custom credential helpers.

Signed-off-by: Ashlesh Gawande <git@ashlesh.me>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5091db949b7f998be8ef1dde7fd0efe37bbe032f..5f42c311c2f2f5d13301c69af86bf60285303c9e 100644 (file)
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -319,13 +319,22 @@ setup_askpass_helper() {
        '
 }
 
-set_askpass() {
+set_askpass () {
        >"$TRASH_DIRECTORY/askpass-query" &&
        echo "$1" >"$TRASH_DIRECTORY/askpass-user" &&
        echo "$2" >"$TRASH_DIRECTORY/askpass-pass"
 }
 
-expect_askpass() {
+set_netrc () {
+       # $HOME=$TRASH_DIRECTORY
+       echo "machine $1 login $2 password $3" >"$TRASH_DIRECTORY/.netrc"
+}
+
+clear_netrc () {
+       rm -f "$TRASH_DIRECTORY/.netrc"
+}
+
+expect_askpass () {
        dest=$HTTPD_DEST${3+/$3}
 
        {

diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index e631ab0eb5ef051a199a93dcc52fcf603420dc21..6b8c50a51a3b72748110218459fa8dafd31798b5 100644 (file)
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -238,6 +238,10 @@ SSLEngine On
        AuthName "git-auth"
        AuthUserFile passwd
        Require valid-user
+
+       # return 403 for authenticated user: forbidden-user@host
+       RewriteCond "%{REMOTE_USER}" "^forbidden-user@host"
+       RewriteRule ^ - [F]
 </Location>
 
 <LocationMatch "^/auth-push/.*/git-receive-pack$">

diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd
index d9c122f34828919da09284529b9e5a70b4ffeec1..3bab7b64236b11d675466b84d78e573f4c195654 100644 (file)
--- a/t/lib-httpd/passwd
+++ b/t/lib-httpd/passwd
@@ -1 +1,2 @@
 user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
+forbidden-user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1

diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh
index ed0ad66fade32b182ab219a12b6918e90ce7f472..9530f01b9e3d13bbe26f9d9d5e5b77e10ab2e7bf 100755 (executable)
--- a/t/t5550-http-fetch-dumb.sh
+++ b/t/t5550-http-fetch-dumb.sh
@@ -102,6 +102,31 @@ test_expect_success 'cloning password-protected repository can fail' '
        expect_askpass both wrong
 '
 
+test_expect_success 'using credentials from netrc to clone successfully' '
+       test_when_finished clear_netrc &&
+       set_askpass wrong &&
+       set_netrc 127.0.0.1 user@host pass@host &&
+       git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc &&
+       expect_askpass none
+'
+
+test_expect_success 'netrc unauthorized credentials (prompt after 401)' '
+       test_when_finished clear_netrc &&
+       set_askpass wrong &&
+       set_netrc 127.0.0.1 user@host pass@wrong &&
+       test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-401 &&
+       expect_askpass both wrong
+'
+
+test_expect_success 'netrc authorized but forbidden credentials (fail on 403)' '
+       test_when_finished clear_netrc &&
+       set_askpass wrong &&
+       set_netrc 127.0.0.1 forbidden-user@host pass@host &&
+       test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-403 2>err &&
+       expect_askpass none &&
+       grep "The requested URL returned error: 403" err
+'
+
 test_expect_success 'http auth can use user/pass in URL' '
        set_askpass wrong &&
        git clone "$HTTPD_URL_USER_PASS/auth/dumb/repo.git" clone-auth-none &&