Merge branch 'jk/http-auth' into maint

Reduce authentication round-trip over HTTP when the server supports
just a single authentication method.

* jk/http-auth:
  http: add an "auto" mode for http.emptyauth
  http: restrict auth methods to what the server advertises
This commit is contained in:
Junio C Hamano 2017-03-16 13:56:41 -07:00
commit d880bfd947

50
http.c
View File

@ -109,7 +109,7 @@ static int curl_save_cookies;
struct credential http_auth = CREDENTIAL_INIT;
static int http_proactive_auth;
static const char *user_agent;
static int curl_empty_auth;
static int curl_empty_auth = -1;
enum http_follow_config http_follow_config = HTTP_FOLLOW_INITIAL;
@ -125,6 +125,14 @@ static struct credential cert_auth = CREDENTIAL_INIT;
static int ssl_cert_password_required;
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
static unsigned long http_auth_methods = CURLAUTH_ANY;
static int http_auth_methods_restricted;
/* Modes for which empty_auth cannot actually help us. */
static unsigned long empty_auth_useless =
CURLAUTH_BASIC
#ifdef CURLAUTH_DIGEST_IE
| CURLAUTH_DIGEST_IE
#endif
| CURLAUTH_DIGEST;
#endif
static struct curl_slist *pragma_header;
@ -333,7 +341,10 @@ static int http_options(const char *var, const char *value, void *cb)
return git_config_string(&user_agent, var, value);
if (!strcmp("http.emptyauth", var)) {
curl_empty_auth = git_config_bool(var, value);
if (value && !strcmp("auto", value))
curl_empty_auth = -1;
else
curl_empty_auth = git_config_bool(var, value);
return 0;
}
@ -382,10 +393,37 @@ static int http_options(const char *var, const char *value, void *cb)
return git_default_config(var, value, cb);
}
static int curl_empty_auth_enabled(void)
{
if (curl_empty_auth >= 0)
return curl_empty_auth;
#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY
/*
* Our libcurl is too old to do AUTH_ANY in the first place;
* just default to turning the feature off.
*/
#else
/*
* In the automatic case, kick in the empty-auth
* hack as long as we would potentially try some
* method more exotic than "Basic" or "Digest".
*
* But only do this when this is our second or
* subsequent request, as by then we know what
* methods are available.
*/
if (http_auth_methods_restricted &&
(http_auth_methods & ~empty_auth_useless))
return 1;
#endif
return 0;
}
static void init_curl_http_auth(CURL *result)
{
if (!http_auth.username || !*http_auth.username) {
if (curl_empty_auth)
if (curl_empty_auth_enabled())
curl_easy_setopt(result, CURLOPT_USERPWD, ":");
return;
}
@ -1079,7 +1117,7 @@ struct active_request_slot *get_active_slot(void)
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
#endif
if (http_auth.password || curl_empty_auth)
if (http_auth.password || curl_empty_auth_enabled())
init_curl_http_auth(slot->curl);
return slot;
@ -1347,6 +1385,10 @@ static int handle_curl_result(struct slot_results *results)
} else {
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
if (results->auth_avail) {
http_auth_methods &= results->auth_avail;
http_auth_methods_restricted = 1;
}
#endif
return HTTP_REAUTH;
}