remote-curl: rewrite base url from info/refs redirects

For efficiency and security reasons, an earlier commit in
this series taught http_get_* to re-write the base url based
on redirections we saw while making a specific request.

This commit wires that option into the info/refs request,
meaning that a redirect from

    http://example.com/foo.git/info/refs

to

    https://example.com/bar.git/info/refs

will behave as if "https://example.com/bar.git" had been
provided to git in the first place.

The tests bear some explanation. We introduce two new
hierearchies into the httpd test config:

  1. Requests to /smart-redir-limited will work only for the
     initial info/refs request, but not any subsequent
     requests. As a result, we can confirm whether the
     client is re-rooting its requests after the initial
     contact, since otherwise it will fail (it will ask for
     "repo.git/git-upload-pack", which is not redirected).

  2. Requests to smart-redir-auth will redirect, and require
     auth after the redirection. Since we are using the
     redirected base for further requests, we also update
     the credential struct, in order not to mislead the user
     (or credential helpers) about which credential is
     needed. We can therefore check the GIT_ASKPASS prompts
     to make sure we are prompting for the new location.
     Because we have neither multiple servers nor https
     support in our test setup, we can only redirect between
     paths, meaning we need to turn on
     credential.useHttpPath to see the difference.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>

diff --git a/remote-curl.c b/remote-curl.c
index 345fea8898805e090df599cfebe6995461ba3147..ef1684b9df3ee5cff0d63ab5f7ed51e7f351a686 100644 (file)
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -188,6 +188,7 @@ static struct discovery* discover_refs(const char *service, int for_push)
        struct strbuf type = STRBUF_INIT;
        struct strbuf buffer = STRBUF_INIT;
        struct strbuf refs_url = STRBUF_INIT;
+       struct strbuf effective_url = STRBUF_INIT;
        struct discovery *last = last_discovery;
        int http_ret, maybe_smart = 0;
        struct http_get_options options;
@@ -209,6 +210,8 @@ static struct discovery* discover_refs(const char *service, int for_push)
 
        memset(&options, 0, sizeof(options));
        options.content_type = &type;
+       options.effective_url = &effective_url;
+       options.base_url = &url;
        options.no_cache = 1;
        options.keep_error = 1;
 
@@ -268,6 +271,7 @@ static struct discovery* discover_refs(const char *service, int for_push)
        strbuf_release(&refs_url);
        strbuf_release(&exp);
        strbuf_release(&type);
+       strbuf_release(&effective_url);
        strbuf_release(&buffer);
        last_discovery = last;
        return last;

diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 895b9258b07ca65b78ac376023e203f482d8ac16..7059cc6c21518ec43df28770ffc18d5e0ac1a660 100644 (file)
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -187,7 +187,8 @@ set_askpass() {
 }
 
 expect_askpass() {
-       dest=$HTTPD_DEST
+       dest=$HTTPD_DEST${3+/$3}
+
        {
                case "$1" in
                none)

diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index dd17e3a09d728a08c8038c5ce8187ea63112cdf3..4a261f13f533daaa3d687d2bb88481b560432378 100644 (file)
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -102,6 +102,8 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
 RewriteEngine on
 RewriteRule ^/smart-redir-perm/(.*)$ /smart/$1 [R=301]
 RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
+RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
+RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
 
 <IfDefine SSL>
 LoadModule ssl_module modules/mod_ssl.so

diff --git a/t/t5551-http-fetch.sh b/t/t5551-http-fetch.sh
index 55a866af803452e164e2c11c421b1e63f62d2e1e..1b71bb515646e47181da33f83f97f04b6e0e8617 100755 (executable)
--- a/t/t5551-http-fetch.sh
+++ b/t/t5551-http-fetch.sh
@@ -113,6 +113,10 @@ test_expect_success 'follow redirects (302)' '
        git clone $HTTPD_URL/smart-redir-temp/repo.git --quiet repo-t
 '
 
+test_expect_success 'redirects re-root further requests' '
+       git clone $HTTPD_URL/smart-redir-limited/repo.git repo-redir-limited
+'
+
 test_expect_success 'clone from password-protected repository' '
        echo two >expect &&
        set_askpass user@host &&
@@ -146,6 +150,13 @@ test_expect_success 'no-op half-auth fetch does not require a password' '
        expect_askpass none
 '
 
+test_expect_success 'redirects send auth to new location' '
+       set_askpass user@host &&
+       git -c credential.useHttpPath=true \
+         clone $HTTPD_URL/smart-redir-auth/repo.git repo-redir-auth &&
+       expect_askpass both user@host auth/smart/repo.git
+'
+
 test_expect_success 'disable dumb http on server' '
        git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" \
                config http.getanyfile false