Merge pull request libgit2#5286 from libgit2/ethomson/gssapi

HTTP: Support Apache-based servers with Negotiate

Author: ethomson

azure-pipelines.yml

@@ -19,7 +19,8 @@ jobs:
       environmentVariables: |
        CC=gcc
        CMAKE_GENERATOR=Ninja
-       CMAKE_OPTIONS=-DUSE_HTTPS=OpenSSL -DREGEX_BACKEND=builtin -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on
+       CMAKE_OPTIONS=-DUSE_HTTPS=OpenSSL -DREGEX_BACKEND=builtin -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on -DUSE_GSSAPI=ON
+       GITTEST_NEGOTIATE_PASSWORD=$(GITTEST_NEGOTIATE_PASSWORD)
 
 - job: linux_amd64_xenial_gcc_mbedtls
   displayName: 'Linux (amd64; Xenial; GCC; mbedTLS)'
@@ -34,7 +35,8 @@ jobs:
       environmentVariables: |
        CC=gcc
        CMAKE_GENERATOR=Ninja
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on -DUSE_GSSAPI=ON
+       GITTEST_NEGOTIATE_PASSWORD=$(GITTEST_NEGOTIATE_PASSWORD)
 
 - job: linux_amd64_xenial_clang_openssl
   displayName: 'Linux (amd64; Xenial; Clang; OpenSSL)'
@@ -49,7 +51,8 @@ jobs:
       environmentVariables: |
        CC=clang
        CMAKE_GENERATOR=Ninja
-       CMAKE_OPTIONS=-DUSE_HTTPS=OpenSSL -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on
+       CMAKE_OPTIONS=-DUSE_HTTPS=OpenSSL -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on -DUSE_GSSAPI=ON
+       GITTEST_NEGOTIATE_PASSWORD=$(GITTEST_NEGOTIATE_PASSWORD)
 
 - job: linux_amd64_xenial_clang_mbedtls
   displayName: 'Linux (amd64; Xenial; Clang; mbedTLS)'
@@ -64,7 +67,8 @@ jobs:
       environmentVariables: |
        CC=clang
        CMAKE_GENERATOR=Ninja
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DVALGRIND=on -DUSE_GSSAPI=ON
+       GITTEST_NEGOTIATE_PASSWORD=$(GITTEST_NEGOTIATE_PASSWORD)
 
 - job: macos
   displayName: 'macOS'
@@ -81,6 +85,7 @@ jobs:
         CMAKE_GENERATOR: Ninja
         CMAKE_OPTIONS: -DREGEX_BACKEND=regcomp_l -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=leaks -DUSE_GSSAPI=ON
         SKIP_SSH_TESTS: true
+        GITTEST_NEGOTIATE_PASSWORD: $(GITTEST_NEGOTIATE_PASSWORD)
 
 - job: windows_vs_amd64
   displayName: 'Windows (amd64; Visual Studio)'
@@ -92,6 +97,7 @@ jobs:
         CMAKE_GENERATOR: Visual Studio 12 2013 Win64
         CMAKE_OPTIONS: -DMSVC_CRTDBG=ON -DDEPRECATE_HARD=ON
         SKIP_SSH_TESTS: true
+        SKIP_NEGOTIATE_TESTS: true
 
 - job: windows_vs_x86
   displayName: 'Windows (x86; Visual Studio)'
@@ -103,6 +109,7 @@ jobs:
         CMAKE_GENERATOR: Visual Studio 12 2013
         CMAKE_OPTIONS: -DMSVC_CRTDBG=ON -DDEPRECATE_HARD=ON -DUSE_SHA1=HTTPS
         SKIP_SSH_TESTS: true
+        SKIP_NEGOTIATE_TESTS: true
 
 - job: windows_mingw_amd64
   displayName: 'Windows (amd64; MinGW)'
@@ -120,6 +127,7 @@ jobs:
         CMAKE_GENERATOR: MinGW Makefiles
         CMAKE_OPTIONS: -DDEPRECATE_HARD=ON
         SKIP_SSH_TESTS: true
+        SKIP_NEGOTIATE_TESTS: true
 
 - job: windows_mingw_x86
   displayName: 'Windows (x86; MinGW)'
@@ -138,6 +146,7 @@ jobs:
         CMAKE_GENERATOR: MinGW Makefiles
         CMAKE_OPTIONS: -DDEPRECATE_HARD=ON
         SKIP_SSH_TESTS: true
+        SKIP_NEGOTIATE_TESTS: true
 
 - job: documentation
   displayName: 'Generate Documentation'

azure-pipelines/docker/xenial

@@ -1,16 +1,18 @@
 ARG BASE
 FROM $BASE AS apt
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         bzip2 \
         clang \
         cmake \
         curl \
         gcc \
         git \
         gosu \
+        krb5-user \
         libcurl4-gnutls-dev \
         libgcrypt20-dev \
+        libkrb5-dev \
         libpcre3-dev \
         libssl-dev \
         libz-dev \

azure-pipelines/test.sh

@@ -6,6 +6,11 @@ if [ -n "$SKIP_TESTS" ]; then
 	exit 0
 fi
 
+# Windows doesn't run the NTLM tests properly (yet)
+if [[ "$(uname -s)" == MINGW* ]]; then
+        SKIP_NTLM_TESTS=1
+fi
+
 SOURCE_DIR=${SOURCE_DIR:-$( cd "$( dirname "${BASH_SOURCE[0]}" )" && dirname $( pwd ) )}
 BUILD_DIR=$(pwd)
 TMPDIR=${TMPDIR:-/tmp}
@@ -89,6 +94,16 @@ if [ -z "$SKIP_PROXY_TESTS" ]; then
 	java -jar poxyproxy.jar --address 127.0.0.1 --port 8090 --credentials foo:bar --auth-type ntlm --quiet &
 fi
 
+if [ -z "$SKIP_NTLM_TESTS" ]; then
+	curl -L https://github.com/ethomson/poxygit/releases/download/v0.4.0/poxygit-0.4.0.jar >poxygit.jar
+
+	echo ""
+	echo "Starting HTTP server..."
+	NTLM_DIR=`mktemp -d ${TMPDIR}/ntlm.XXXXXXXX`
+	git init --bare "${NTLM_DIR}/test.git"
+	java -jar poxygit.jar --address 127.0.0.1 --port 9000 --credentials foo:baz --quiet "${NTLM_DIR}" &
+fi
+
 if [ -z "$SKIP_SSH_TESTS" ]; then
 	echo "Starting ssh daemon..."
 	HOME=`mktemp -d ${TMPDIR}/home.XXXXXXXX`
@@ -207,6 +222,65 @@ if [ -z "$SKIP_PROXY_TESTS" ]; then
 	unset GITTEST_REMOTE_PROXY_PASS
 fi
 
+if [ -z "$SKIP_NTLM_TESTS" ]; then
+	echo ""
+	echo "Running NTLM tests (IIS emulation)"
+	echo ""
+
+	export GITTEST_REMOTE_URL="http://localhost:9000/ntlm/test.git"
+	export GITTEST_REMOTE_USER="foo"
+	export GITTEST_REMOTE_PASS="baz"
+	run_test auth_clone_and_push
+	unset GITTEST_REMOTE_URL
+	unset GITTEST_REMOTE_USER
+	unset GITTEST_REMOTE_PASS
+
+	echo ""
+	echo "Running NTLM tests (Apache emulation)"
+	echo ""
+
+	export GITTEST_REMOTE_URL="http://localhost:9000/broken-ntlm/test.git"
+	export GITTEST_REMOTE_USER="foo"
+	export GITTEST_REMOTE_PASS="baz"
+	run_test auth_clone_and_push
+	unset GITTEST_REMOTE_URL
+	unset GITTEST_REMOTE_USER
+	unset GITTEST_REMOTE_PASS
+fi
+
+if [ -z "$SKIP_NEGOTIATE_TESTS" -a -n "$GITTEST_NEGOTIATE_PASSWORD" ]; then
+	echo ""
+	echo "Running SPNEGO tests"
+	echo ""
+
+	if [ "$(uname -s)" = "Darwin" ]; then
+		KINIT_FLAGS="--password-file=STDIN"
+	fi
+
+	echo $GITTEST_NEGOTIATE_PASSWORD | kinit $KINIT_FLAGS test@LIBGIT2.ORG
+	klist -5f
+
+	export GITTEST_REMOTE_URL="https://test.libgit2.org/kerberos/empty.git"
+	export GITTEST_REMOTE_DEFAULT="true"
+	run_test auth_clone
+	unset GITTEST_REMOTE_URL
+	unset GITTEST_REMOTE_DEFAULT
+
+	echo ""
+	echo "Running SPNEGO tests (expect/continue)"
+	echo ""
+
+	export GITTEST_REMOTE_URL="https://test.libgit2.org/kerberos/empty.git"
+	export GITTEST_REMOTE_DEFAULT="true"
+	export GITTEST_REMOTE_EXPECTCONTINUE="true"
+	run_test auth_clone
+	unset GITTEST_REMOTE_URL
+	unset GITTEST_REMOTE_DEFAULT
+	unset GITTEST_REMOTE_EXPECTCONTINUE
+
+	kdestroy -A
+fi
+
 if [ -z "$SKIP_SSH_TESTS" ]; then
 	echo ""
 	echo "Running ssh tests"

cmake/Modules/SelectGSSAPI.cmake

@@ -49,5 +49,5 @@ IF(GSS_BACKEND)
 	ENDIF()
 ELSE()
 	SET(GIT_GSSAPI 0)
-	ADD_FEATURE_INFO(SPNEGO NO "")
+	ADD_FEATURE_INFO(SPNEGO NO "SPNEGO authentication support")
 ENDIF()

include/git2/common.h

@@ -203,7 +203,8 @@ typedef enum {
 	GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY,
 	GIT_OPT_GET_PACK_MAX_OBJECTS,
 	GIT_OPT_SET_PACK_MAX_OBJECTS,
-	GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS
+	GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS,
+	GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE
 } git_libgit2_opt_t;
 
 /**
@@ -397,6 +398,11 @@ typedef enum {
  *		> This will cause .keep file existence checks to be skipped when
  *		> accessing packfiles, which can help performance with remote filesystems.
  *
+ *	 opts(GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE, int enabled)
+ *		> When connecting to a server using NTLM or Negotiate
+ *		> authentication, use expect/continue when POSTing data.
+ *		> This option is not available on Windows.
+ *
  * @param option Option key
  * @param ... value to set the option
  * @return 0 on success, <0 on failure

include/git2/errors.h

@@ -106,7 +106,8 @@ typedef enum {
 	GIT_ERROR_FILESYSTEM,
 	GIT_ERROR_PATCH,
 	GIT_ERROR_WORKTREE,
-	GIT_ERROR_SHA1
+	GIT_ERROR_SHA1,
+	GIT_ERROR_HTTP
 } git_error_t;
 
 /**

src/buffer.c

@@ -567,6 +567,11 @@ void git_buf_copy_cstr(char *data, size_t datasize, const git_buf *buf)
 	data[copylen] = '\0';
 }
 
+void git_buf_consume_bytes(git_buf *buf, size_t len)
+{
+	git_buf_consume(buf, buf->ptr + len);
+}
+
 void git_buf_consume(git_buf *buf, const char *end)
 {
 	if (end > buf->ptr && end <= buf->ptr + buf->size) {

src/buffer.h

@@ -113,6 +113,7 @@ int git_buf_puts(git_buf *buf, const char *string);
 int git_buf_printf(git_buf *buf, const char *format, ...) GIT_FORMAT_PRINTF(2, 3);
 int git_buf_vprintf(git_buf *buf, const char *format, va_list ap);
 void git_buf_clear(git_buf *buf);
+void git_buf_consume_bytes(git_buf *buf, size_t len);
 void git_buf_consume(git_buf *buf, const char *end);
 void git_buf_truncate(git_buf *buf, size_t len);
 void git_buf_shorten(git_buf *buf, size_t amount);