Re: [PATCH v3] t5550: add netrc tests for http 401/403
From: Ashlesh Gawande <hidden>
Date: 2026-01-31 12:39:08
Any other comments or suggestions on this patch that I can address? (re-sending because the mailing list rejected my previous email for not being plain text). Thanks Ashlesh On 1/7/26 13:17, Ashlesh Gawande wrote:
quoted hunk ↗ jump to hunk
git allows using .netrc file to supply credentials for HTTP auth. Three test cases are added in this patch to provide missing coverage when cloning over HTTP using .netrc file: - First test case checks that the git clone is successful when credentials are provided via .netrc file - Second test case checks that the git clone fails when the .netrc file provides invalid credentials. The HTTP server is expected to return 401 Unauthorized in such a case. The test checks that the user is provided with a prompt for username/password on 401 to provide the valid ones. - Third test case checks that the git clone fails when the .netrc file provides credentials that are valid but do not have permission for this user. For example one may have multiple tokens in GitHub and uses the one which was not authorized for cloning this repo. In such a case the HTTP server returns 403 Forbidden. For this test, the apache.conf is modified to return a 403 on finding a forbidden-user. No prompt for username/password is expected after the 403 (unlike 401). This is because prompting may wipe out existing credentials or conflict with custom credential helpers. Signed-off-by: Ashlesh Gawande <redacted> --- Range-diff against v2: 1: 0b68f1d1af ! 1: 25ef751f28 t5550: add netrc tests for http 401/403 @@ Metadata ## Commit message ## t5550: add netrc tests for http 401/403 + git allows using .netrc file to supply credentials for HTTP auth. + Three test cases are added in this patch to provide missing coverage + when cloning over HTTP using .netrc file: + + - First test case checks that the git clone is successful when credentials + are provided via .netrc file + - Second test case checks that the git clone fails when the .netrc file + provides invalid credentials. The HTTP server is expected to return + 401 Unauthorized in such a case. The test checks that the user is + provided with a prompt for username/password on 401 to provide + the valid ones. + - Third test case checks that the git clone fails when the .netrc file + provides credentials that are valid but do not have permission for + this user. For example one may have multiple tokens in GitHub + and uses the one which was not authorized for cloning this repo. + In such a case the HTTP server returns 403 Forbidden. + For this test, the apache.conf is modified to return a 403 + on finding a forbidden-user. No prompt for username/password is + expected after the 403 (unlike 401). This is because prompting may wipe + out existing credentials or conflict with custom credential helpers. + Signed-off-by: Ashlesh Gawande [off-list ref] ## t/lib-httpd.sh ## t/lib-httpd.sh | 13 +++++++++++-- t/lib-httpd/apache.conf | 4 ++++ t/lib-httpd/passwd | 1 + t/t5550-http-fetch-dumb.sh | 25 +++++++++++++++++++++++++ 4 files changed, 41 insertions(+), 2 deletions(-)diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index 5091db949b..5f42c311c2 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh@@ -319,13 +319,22 @@ setup_askpass_helper() { ' } -set_askpass() { +set_askpass () { >"$TRASH_DIRECTORY/askpass-query" && echo "$1" >"$TRASH_DIRECTORY/askpass-user" && echo "$2" >"$TRASH_DIRECTORY/askpass-pass" } -expect_askpass() { +set_netrc () { + # $HOME=$TRASH_DIRECTORY + echo "machine $1 login $2 password $3" >"$TRASH_DIRECTORY/.netrc" +} + +clear_netrc () { + rm -f "$TRASH_DIRECTORY/.netrc" +} + +expect_askpass () { dest=$HTTPD_DEST${3+/$3} {diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf index e631ab0eb5..6b8c50a51a 100644 --- a/t/lib-httpd/apache.conf +++ b/t/lib-httpd/apache.conf@@ -238,6 +238,10 @@ SSLEngine On AuthName "git-auth" AuthUserFile passwd Require valid-user + + # return 403 for authenticated user: forbidden-user@host + RewriteCond "%{REMOTE_USER}" "^forbidden-user@host" + RewriteRule ^ - [F] </Location> <LocationMatch "^/auth-push/.*/git-receive-pack$">diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd index d9c122f348..3bab7b6423 100644 --- a/t/lib-httpd/passwd +++ b/t/lib-httpd/passwd@@ -1 +1,2 @@ user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1 +forbidden-user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh index ed0ad66fad..9530f01b9e 100755 --- a/t/t5550-http-fetch-dumb.sh +++ b/t/t5550-http-fetch-dumb.sh@@ -102,6 +102,31 @@ test_expect_success 'cloning password-protected repository can fail' ' expect_askpass both wrong ' +test_expect_success 'using credentials from netrc to clone successfully' ' + test_when_finished clear_netrc && + set_askpass wrong && + set_netrc 127.0.0.1 user@host pass@host && + git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc && + expect_askpass none +' + +test_expect_success 'netrc unauthorized credentials (prompt after 401)' ' + test_when_finished clear_netrc && + set_askpass wrong && + set_netrc 127.0.0.1 user@host pass@wrong && + test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-401 && + expect_askpass both wrong +' + +test_expect_success 'netrc authorized but forbidden credentials (fail on 403)' ' + test_when_finished clear_netrc && + set_askpass wrong && + set_netrc 127.0.0.1 forbidden-user@host pass@host && + test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-netrc-403 2>err && + expect_askpass none && + grep "The requested URL returned error: 403" err +' + test_expect_success 'http auth can use user/pass in URL' ' set_askpass wrong && git clone "$HTTPD_URL_USER_PASS/auth/dumb/repo.git" clone-auth-none &&