From 0ea47f9d3307bdb1cd9364acd3e4a463b244bba2 Mon Sep 17 00:00:00 2001
From: Junio C Hamano
Date: Mon, 15 Sep 2014 14:59:00 -0700
Subject: signed push: teach smart-HTTP to pass "git push --signed" around

The "--signed" option received by "git push" is first passed to the transport layer, which the native transport directly uses to notice that a push certificate needs to be sent. When the transport-helper is involved, however, the option needs to be told to the helper with set_helper_option(), and the helper needs to take necessary action. For the smart-HTTP helper, the "necessary action" involves spawning the "git send-pack" subprocess with the "--signed" option.

Once the above all gets wired in, the smart-HTTP transport now can use the push certificate mechanism to authenticate its pushes.

Add a test that is modeled after tests for the native transport in t5534-push-signed.sh to t5541-http-push-smart.sh. Update the test Apache configuration to pass GNUPGHOME environment variable through. As PassEnv would trigger warnings for an environment variable that is not set, export it from test-lib.sh set to a harmless value when GnuPG is not being used in the tests.

Note that the added test is deliberately loose and does not check the nonce in this step. This is because the stateless RPC mode is inevitably flaky and a nonce that comes back in the actual push processing is one issued by a different process; if the two interactions with the server crossed a second boundary, the nonces will not match and such a check will fail. A later patch in the series will work around this shortcoming.

Signed-off-by: Junio C Hamano
--- t/t5541-http-push-smart.sh | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 't/t5541-http-push-smart.sh') diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index 73af16f481..24926a4a42 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh
@@ -12,6 +12,7 @@ if test -n "$NO_CURL"; then fi ROOT_PATH="$PWD" +. "$TEST_DIRECTORY"/lib-gpg.sh . "$TEST_DIRECTORY"/lib-httpd.sh . "$TEST_DIRECTORY"/lib-terminal.sh start_httpd @@ -323,5 +324,40 @@ test_expect_success 'push into half-auth-complete requires password' ' test_cmp expect actual ' +test_expect_success GPG 'push with post-receive to inspect certificate' ' + ( + cd "$HTTPD_DOCUMENT_ROOT_PATH"/test_repo.git && + mkdir -p hooks && + write_script hooks/post-receive <<-\EOF && + # discard the update list + cat >/dev/null + # record the push certificate + if test -n "${GIT_PUSH_CERT-}" + then + git cat-file blob $GIT_PUSH_CERT >../push-cert + fi && + cat >../push-cert-status < + KEY=13B6F51ECDDE430D + STATUS=G + EOF + ) >expect && + test_cmp expect "$HTTPD_DOCUMENT_ROOT_PATH/push-cert-status" +' + stop_httpd test_done -- cgit v1.2.1 From 5732373daacf9486a0db9741cf0de4e7a41b08b3 Mon Sep 17 00:00:00 2001 
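Review bot: the first hunk (@@ -12,6 +12,7) sources `lib-gpg.sh` unconditionally ahead of `lib-httpd.sh` and `start_httpd`, yet this file-limited view shows none of the Apache `PassEnv GNUPGHOME` or `test-lib.sh` export changes the commit message says this depends on; please confirm they land in the same commit, because the post-receive hook added further down runs inside httpd and can only report `STATUS=G` if the server-side gpg can reach the test keyring. Gating the new test on the `GPG` prerequisite (as the second hunk does with `test_expect_success GPG`) is the right way to keep builds without gpg skipping cleanly, and a one-line comment next to the new `.` line saying why lib-gpg.sh must precede start_httpd would save the next reader a trip to the commit message.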
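Review bot: in the second hunk (@@ -323,5 +324,40), the post-receive hook passes `$GIT_PUSH_CERT` to `git cat-file blob` unquoted while the guard right above it spells the same variable as `"${GIT_PUSH_CERT-}"`; quote it for consistency, i.e. `git cat-file blob "$GIT_PUSH_CERT" >../push-cert`. The expected output also hard-codes `KEY=13B6F51ECDDE430D` and `STATUS=G`, which silently couples this test to the key shipped with lib-gpg.sh; a comment to that effect would help whoever rotates the fixture key later. Note as well that the hook writes `push-cert` and `push-cert-status` one level above the bare repository, i.e. into `$HTTPD_DOCUMENT_ROOT_PATH`, and the trailing `test_cmp` reads them from exactly that path; the coupling works, but it is worth stating in a comment so that a later change to the document root layout does not leave the hook writing somewhere the assertion never looks. The commit message's decision not to assert on the nonce here is sound given the stateless-RPC timing described, provided the follow-up that adds the slop window actually lands.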
From: Junio C Hamano
Date: Fri, 5 Sep 2014 10:46:04 -0700
Subject: signed push: allow stale nonce in stateless mode

When operating with the stateless RPC mode, we will receive a nonce issued by another instance of us that advertised our capability and refs some time ago. Update the logic to check received nonce to detect this case, compute how much time has passed since the nonce was issued and report the status with a new environment variable GIT_PUSH_CERT_NONCE_SLOP to the hooks. GIT_PUSH_CERT_NONCE_STATUS will report "SLOP" in such a case. The hooks are free to decide how large a slop it is willing to accept.

Strictly speaking, the "nonce" is not really a "nonce" anymore in the stateless RPC mode, as it will happily take any "nonce" issued by it (which is protected by HMAC and its secret key) as long as it is fresh enough. The degree of this security degradation, relative to the native protocol, is about the same as the "we make sure that the 'git push' decided to update our refs with new objects based on the freshest observation of our refs by making sure the values they claim the original value of the refs they ask us to update exactly match the current state" security is loosened to accommodate the stateless RPC mode in the existing code without this series, so there is no need for those who are already using smart HTTP to push to their repositories to be alarmed any more than they already are.

In addition, the server operator can set receive.certnonceslop configuration variable to specify how stale a nonce can be (in seconds). When this variable is set, and if the nonce received in the certificate that passes the HMAC check was less than that many seconds old, hooks are given "OK" in GIT_PUSH_CERT_NONCE_STATUS (instead of "SLOP") and the received nonce value is given in GIT_PUSH_CERT_NONCE, which makes it easier for a simple-minded hook to check if the certificate we received is recent enough.
Signed-off-by: Junio C Hamano --- t/t5541-http-push-smart.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 't/t5541-http-push-smart.sh') diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index 24926a4a42..ffb3af4498 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh @@ -340,21 +340,26 @@ test_expect_success GPG 'push with post-receive to inspect certificate' ' SIGNER=${GIT_PUSH_CERT_SIGNER-nobody} KEY=${GIT_PUSH_CERT_KEY-nokey} STATUS=${GIT_PUSH_CERT_STATUS-nostatus} + NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus} + NONCE=${GIT_PUSH_CERT_NONCE-nononce} E_O_F EOF - git config receive.certnonceseed sekrit + git config receive.certnonceseed sekrit && + git config receive.certnonceslop 30 ) && cd "$ROOT_PATH/test_repo_clone" && test_commit cert-test && git push --signed "$HTTPD_URL/smart/test_repo.git" && ( cd "$HTTPD_DOCUMENT_ROOT_PATH" && - cat <<-\EOF + cat <<-\EOF && SIGNER=C O Mitter KEY=13B6F51ECDDE430D STATUS=G + NONCE_STATUS=OK EOF + sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" push-cert ) >expect && test_cmp expect "$HTTPD_DOCUMENT_ROOT_PATH/push-cert-status" ' -- cgit v1.2.1
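Review bot: `git config receive.certnonceslop 30` makes the expected `NONCE_STATUS=OK` depend on the two stateless-RPC round trips (the ref advertisement that issued the nonce and the push that returns it) completing within 30 seconds of each other; on a heavily loaded CI box that can still come back as `SLOP` and fail `test_cmp` for reasons unrelated to the code under test, so either widen the window or add a comment stating that 30 s is an assumed upper bound for the two requests. Adding `&&` to the existing `git config receive.certnonceseed sekrit` line is correct now that another command follows it in the subshell, and chaining `cat <<-\EOF &&` into `sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" push-cert` keeps the expect file build fail-fast. That sed makes the NONCE expectation self-referential (it reads the nonce back out of the certificate the hook itself saved), which is the right check for "GIT_PUSH_CERT_NONCE carries the received nonce"; it would still be worth asserting that exactly one `nonce` header was found, for example by checking `expect` has the expected line count, since an empty sed result would only surface as a confusing diff against `NONCE=nononce`.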