credential.h

#ifndef CREDENTIAL_H
#define CREDENTIAL_H

#include "string-list.h"

/**
 * The credentials API provides an abstracted way of gathering username and
 * password credentials from the user.
 *
 * Typical setup
 * -------------
 *
 * ------------
 * +-----------------------+
 * | Git code (C)          |--- to server requiring --->
 * |                       |        authentication
 * |.......................|
 * | C credential API      |--- prompt ---> User
 * +-----------------------+
 * 	^      |
 * 	| pipe |
 * 	|      v
 * +-----------------------+
 * | Git credential helper |
 * +-----------------------+
 * ------------
 *
 * The Git code (typically a remote-helper) will call the C API to obtain
 * credential data like a login/password pair (credential_fill). The
 * API will itself call a remote helper (e.g. "git credential-cache" or
 * "git credential-store") that may retrieve credential data from a
 * store. If the credential helper cannot find the information, the C API
 * will prompt the user. Then, the caller of the API takes care of
 * contacting the server, and does the actual authentication.
 *
 * C API
 * -----
 *
 * The credential C API is meant to be called by Git code which needs to
 * acquire or store a credential. It is centered around an object
 * representing a single credential and provides three basic operations:
 * fill (acquire credentials by calling helpers and/or prompting the user),
 * approve (mark a credential as successfully used so that it can be stored
 * for later use), and reject (mark a credential as unsuccessful so that it
 * can be erased from any persistent storage).
 *
 * Example
 * ~~~~~~~
 *
 * The example below shows how the functions of the credential API could be
 * used to login to a fictitious "foo" service on a remote host:
 *
 * -----------------------------------------------------------------------
 * int foo_login(struct foo_connection *f)
 * {
 * 	int status;
 * 	// Create a credential with some context; we don't yet know the
 * 	// username or password.
 *
 * struct credential c = CREDENTIAL_INIT;
 * c.protocol = xstrdup("foo");
 * c.host = xstrdup(f->hostname);
 *
 * // Fill in the username and password fields by contacting
 * // helpers and/or asking the user. The function will die if it
 * // fails.
 * credential_fill(&c);
 *
 * // Otherwise, we have a username and password. Try to use it.
 *
 * status = send_foo_login(f, c.username, c.password);
 * switch (status) {
 * case FOO_OK:
 * // It worked. Store the credential for later use.
 * credential_accept(&c);
 * break;
 * case FOO_BAD_LOGIN:
 * // Erase the credential from storage so we don't try it again.
 * credential_reject(&c);
 * break;
 * default:
 * // Some other error occurred. We don't know if the
 * // credential is good or bad, so report nothing to the
 * // credential subsystem.
 * }
 *
 * // Free any associated resources.
 * credential_clear(&c);
 *
 * return status;
 * }
 * -----------------------------------------------------------------------
 *
 * Credential Helpers
 * ------------------
 *
 * Credential helpers are programs executed by Git to fetch or save
 * credentials from and to long-term storage (where "long-term" is simply
 * longer than a single Git process; e.g., credentials may be stored
 * in-memory for a few minutes, or indefinitely on disk).
 *
 * Each helper is specified by a single string in the configuration
 * variable `credential.helper` (and others, see Documentation/git-config.txt).
 * The string is transformed by Git into a command to be executed using
 * these rules:
 *
 *   1. If the helper string begins with "!", it is considered a shell
 *      snippet, and everything after the "!" becomes the command.
 *
 *   2. Otherwise, if the helper string begins with an absolute path, the
 *      verbatim helper string becomes the command.
 *
 *   3. Otherwise, the string "git credential-" is prepended to the helper
 *      string, and the result becomes the command.
 *
 * The resulting command then has an "operation" argument appended to it
 * (see below for details), and the result is executed by the shell.
 *
 * Here are some example specifications:
 *
 * ----------------------------------------------------
 * # run "git credential-foo"
 * foo
 *
 * # same as above, but pass an argument to the helper
 * foo --bar=baz
 *
 * # the arguments are parsed by the shell, so use shell
 * # quoting if necessary
 * foo --bar="whitespace arg"
 *
 * # you can also use an absolute path, which will not use the git wrapper
 * /path/to/my/helper --with-arguments
 *
 * # or you can specify your own shell snippet
 * !f() { echo "password=`cat $HOME/.secret`"; }; f
 * ----------------------------------------------------
 *
 * Generally speaking, rule (3) above is the simplest for users to specify.
 * Authors of credential helpers should make an effort to assist their
 * users by naming their program "git-credential-$NAME", and putting it in
 * the $PATH or $GIT_EXEC_PATH during installation, which will allow a user
 * to enable it with `git config credential.helper $NAME`.
 *
 * When a helper is executed, it will have one "operation" argument
 * appended to its command line, which is one of:
 *
 * `get`::
 *
 * 	Return a matching credential, if any exists.
 *
 * `store`::
 *
 * 	Store the credential, if applicable to the helper.
 *
 * `erase`::
 *
 * 	Remove a matching credential, if any, from the helper's storage.
 *
 * The details of the credential will be provided on the helper's stdin
 * stream. The exact format is the same as the input/output format of the
 * `git credential` plumbing command (see the section `INPUT/OUTPUT
 * FORMAT` in Documentation/git-credential.txt for a detailed specification).
 *
 * For a `get` operation, the helper should produce a list of attributes
 * on stdout in the same format. A helper is free to produce a subset, or
 * even no values at all if it has nothing useful to provide. Any provided
 * attributes will overwrite those already known about by Git.  If a helper
 * outputs a `quit` attribute with a value of `true` or `1`, no further
 * helpers will be consulted, nor will the user be prompted (if no
 * credential has been provided, the operation will then fail).
 *
 * For a `store` or `erase` operation, the helper's output is ignored.
 * If it fails to perform the requested operation, it may complain to
 * stderr to inform the user. If it does not support the requested
 * operation (e.g., a read-only store), it should silently ignore the
 * request.
 *
 * If a helper receives any other operation, it should silently ignore the
 * request. This leaves room for future operations to be added (older
 * helpers will just ignore the new requests).
 *
 */


/**
 * This struct represents a single username/password combination
 * along with any associated context. All string fields should be
 * heap-allocated (or NULL if they are not known or not applicable).
 * The meaning of the individual context fields is the same as
 * their counterparts in the helper protocol.
 *
 * This struct should always be initialized with `CREDENTIAL_INIT` or
 * `credential_init`.
 */
struct credential {

	/**
	 * A `string_list` of helpers. Each string specifies an external
	 * helper which will be run, in order, to either acquire or store
	 * credentials. This list is filled-in by the API functions
	 * according to the corresponding configuration variables before
	 * consulting helpers, so there usually is no need for a caller to
	 * modify the helpers field at all.
	 */
	struct string_list helpers;

	unsigned approved:1,
		 configured:1,
		 quit:1,
		 use_http_path:1;

	char *username;
	char *password;
	char *protocol;
	char *host;
	char *path;
};

#define CREDENTIAL_INIT { STRING_LIST_INIT_DUP }

/* Initialize a credential structure, setting all fields to empty. */
void credential_init(struct credential *);

/**
 * Free any resources associated with the credential structure, returning
 * it to a pristine initialized state.
 */
void credential_clear(struct credential *);

/**
 * Instruct the credential subsystem to fill the username and
 * password fields of the passed credential struct by first
 * consulting helpers, then asking the user. After this function
 * returns, the username and password fields of the credential are
 * guaranteed to be non-NULL. If an error occurs, the function will
 * die().
 */
void credential_fill(struct credential *);

/**
 * Inform the credential subsystem that the provided credentials
 * were successfully used for authentication.  This will cause the
 * credential subsystem to notify any helpers of the approval, so
 * that they may store the result to be used again.  Any errors
 * from helpers are ignored.
 */
void credential_approve(struct credential *);

/**
 * Inform the credential subsystem that the provided credentials
 * have been rejected. This will cause the credential subsystem to
 * notify any helpers of the rejection (which allows them, for
 * example, to purge the invalid credentials from storage). It
 * will also free() the username and password fields of the
 * credential and set them to NULL (readying the credential for
 * another call to `credential_fill`). Any errors from helpers are
 * ignored.
 */
void credential_reject(struct credential *);

int credential_read(struct credential *, FILE *);
void credential_write(const struct credential *, FILE *);

/* Parse a URL into broken-down credential fields. */
void credential_from_url(struct credential *, const char *url);

int credential_match(const struct credential *have,
		     const struct credential *want);

#endif /* CREDENTIAL_H */