git/Documentation/gitcredentials.txt
M Hickford d208bfdfef credential: new attribute password_expiry_utc
Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.

When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.

The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.

This is a particular issue when a storage helper and a
credential-generating helper are configured together:

	[credential]
		helper = storage  # eg. cache or osxkeychain
		helper = generate  # eg. oauth

`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).

Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.

In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.

Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.

Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16

Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Reviewed-by: Calvin Wan <calvinwan@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-02-22 15:18:58 -08:00

303 lines
11 KiB
Plaintext

gitcredentials(7)
=================
NAME
----
gitcredentials - Providing usernames and passwords to Git
SYNOPSIS
--------
------------------
git config credential.https://example.com.username myusername
git config credential.helper "$helper $options"
------------------
DESCRIPTION
-----------
Git will sometimes need credentials from the user in order to perform
operations; for example, it may need to ask for a username and password
in order to access a remote repository over HTTP. Some remotes accept
a personal access token or OAuth access token as a password. This
manual describes the mechanisms Git uses to request these credentials,
as well as some features to avoid inputting these credentials repeatedly.
REQUESTING CREDENTIALS
----------------------
Without any credential helpers defined, Git will try the following
strategies to ask the user for usernames and passwords:
1. If the `GIT_ASKPASS` environment variable is set, the program
specified by the variable is invoked. A suitable prompt is provided
to the program on the command line, and the user's input is read
from its standard output.
2. Otherwise, if the `core.askPass` configuration variable is set, its
value is used as above.
3. Otherwise, if the `SSH_ASKPASS` environment variable is set, its
value is used as above.
4. Otherwise, the user is prompted on the terminal.
AVOIDING REPETITION
-------------------
It can be cumbersome to input the same credentials over and over. Git
provides two methods to reduce this annoyance:
1. Static configuration of usernames for a given authentication context.
2. Credential helpers to cache or store passwords, or to interact with
a system password wallet or keychain.
The first is simple and appropriate if you do not have secure storage available
for a password. It is generally configured by adding this to your config:
---------------------------------------
[credential "https://example.com"]
username = me
---------------------------------------
Credential helpers, on the other hand, are external programs from which Git can
request both usernames and passwords; they typically interface with secure
storage provided by the OS or other programs. Alternatively, a
credential-generating helper might generate credentials for certain servers via
some API.
To use a helper, you must first select one to use. Git currently
includes the following helpers:
cache::
Cache credentials in memory for a short period of time. See
linkgit:git-credential-cache[1] for details.
store::
Store credentials indefinitely on disk. See
linkgit:git-credential-store[1] for details.
You may also have third-party helpers installed; search for
`credential-*` in the output of `git help -a`, and consult the
documentation of individual helpers. Once you have selected a helper,
you can tell Git to use it by putting its name into the
credential.helper variable.
1. Find a helper.
+
-------------------------------------------
$ git help -a | grep credential-
credential-foo
-------------------------------------------
2. Read its description.
+
-------------------------------------------
$ git help credential-foo
-------------------------------------------
3. Tell Git to use it.
+
-------------------------------------------
$ git config --global credential.helper foo
-------------------------------------------
CREDENTIAL CONTEXTS
-------------------
Git considers each credential to have a context defined by a URL. This context
is used to look up context-specific configuration, and is passed to any
helpers, which may use it as an index into secure storage.
For instance, imagine we are accessing `https://example.com/foo.git`. When Git
looks into a config file to see if a section matches this context, it will
consider the two a match if the context is a more-specific subset of the
pattern in the config file. For example, if you have this in your config file:
--------------------------------------
[credential "https://example.com"]
username = foo
--------------------------------------
then we will match: both protocols are the same, both hosts are the same, and
the "pattern" URL does not care about the path component at all. However, this
context would not match:
--------------------------------------
[credential "https://kernel.org"]
username = foo
--------------------------------------
because the hostnames differ. Nor would it match `foo.example.com`; Git
compares hostnames exactly, without considering whether two hosts are part of
the same domain. Likewise, a config entry for `http://example.com` would not
match: Git compares the protocols exactly. However, you may use wildcards in
the domain name and other pattern matching techniques as with the `http.<URL>.*`
options.
If the "pattern" URL does include a path component, then this too must match
exactly: the context `https://example.com/bar/baz.git` will match a config
entry for `https://example.com/bar/baz.git` (in addition to matching the config
entry for `https://example.com`) but will not match a config entry for
`https://example.com/bar`.
CONFIGURATION OPTIONS
---------------------
Options for a credential context can be configured either in
`credential.*` (which applies to all credentials), or
`credential.<URL>.*`, where <URL> matches the context as described
above.
The following options are available in either location:
helper::
The name of an external credential helper, and any associated options.
If the helper name is not an absolute path, then the string `git
credential-` is prepended. The resulting string is executed by the
shell (so, for example, setting this to `foo --option=bar` will execute
`git credential-foo --option=bar` via the shell. See the manual of
specific helpers for examples of their use.
+
If there are multiple instances of the `credential.helper` configuration
variable, each helper will be tried in turn, and may provide a username,
password, or nothing. Once Git has acquired both a username and a
non-expired password, no more helpers will be tried.
+
If `credential.helper` is configured to the empty string, this resets
the helper list to empty (so you may override a helper set by a
lower-priority config file by configuring the empty-string helper,
followed by whatever set of helpers you would like).
username::
A default username, if one is not provided in the URL.
useHttpPath::
By default, Git does not consider the "path" component of an http URL
to be worth matching via external helpers. This means that a credential
stored for `https://example.com/foo.git` will also be used for
`https://example.com/bar.git`. If you do want to distinguish these
cases, set this option to `true`.
CUSTOM HELPERS
--------------
You can write your own custom helpers to interface with any system in
which you keep credentials.
Credential helpers are programs executed by Git to fetch or save
credentials from and to long-term storage (where "long-term" is simply
longer than a single Git process; e.g., credentials may be stored
in-memory for a few minutes, or indefinitely on disk).
Each helper is specified by a single string in the configuration
variable `credential.helper` (and others, see linkgit:git-config[1]).
The string is transformed by Git into a command to be executed using
these rules:
1. If the helper string begins with "!", it is considered a shell
snippet, and everything after the "!" becomes the command.
2. Otherwise, if the helper string begins with an absolute path, the
verbatim helper string becomes the command.
3. Otherwise, the string "git credential-" is prepended to the helper
string, and the result becomes the command.
The resulting command then has an "operation" argument appended to it
(see below for details), and the result is executed by the shell.
Here are some example specifications:
----------------------------------------------------
# run "git credential-foo"
[credential]
helper = foo
# same as above, but pass an argument to the helper
[credential]
helper = "foo --bar=baz"
# the arguments are parsed by the shell, so use shell
# quoting if necessary
[credential]
helper = "foo --bar='whitespace arg'"
# you can also use an absolute path, which will not use the git wrapper
[credential]
helper = "/path/to/my/helper --with-arguments"
# or you can specify your own shell snippet
[credential "https://example.com"]
username = your_user
helper = "!f() { test \"$1\" = get && echo \"password=$(cat $HOME/.secret)\"; }; f"
----------------------------------------------------
Generally speaking, rule (3) above is the simplest for users to specify.
Authors of credential helpers should make an effort to assist their
users by naming their program "git-credential-$NAME", and putting it in
the `$PATH` or `$GIT_EXEC_PATH` during installation, which will allow a
user to enable it with `git config credential.helper $NAME`.
When a helper is executed, it will have one "operation" argument
appended to its command line, which is one of:
`get`::
Return a matching credential, if any exists.
`store`::
Store the credential, if applicable to the helper.
`erase`::
Remove a matching credential, if any, from the helper's storage.
The details of the credential will be provided on the helper's stdin
stream. The exact format is the same as the input/output format of the
`git credential` plumbing command (see the section `INPUT/OUTPUT
FORMAT` in linkgit:git-credential[1] for a detailed specification).
For a `get` operation, the helper should produce a list of attributes on
stdout in the same format (see linkgit:git-credential[1] for common
attributes). A helper is free to produce a subset, or even no values at
all if it has nothing useful to provide. Any provided attributes will
overwrite those already known about by Git's credential subsystem.
Unrecognised attributes are silently discarded.
While it is possible to override all attributes, well behaving helpers
should refrain from doing so for any attribute other than username and
password.
If a helper outputs a `quit` attribute with a value of `true` or `1`,
no further helpers will be consulted, nor will the user be prompted
(if no credential has been provided, the operation will then fail).
Similarly, no more helpers will be consulted once both username and
password had been provided.
For a `store` or `erase` operation, the helper's output is ignored.
If a helper fails to perform the requested operation or needs to notify
the user of a potential issue, it may write to stderr.
If it does not support the requested operation (e.g., a read-only store
or generator), it should silently ignore the request.
If a helper receives any other operation, it should silently ignore the
request. This leaves room for future operations to be added (older
helpers will just ignore the new requests).
GIT
---
Part of the linkgit:git[1] suite