From patchwork Fri May 1 07:33:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff King X-Patchwork-Id: 11522231 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3BAFB1392 for ; Fri, 1 May 2020 07:33:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 24AA6214D8 for ; Fri, 1 May 2020 07:33:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728357AbgEAHdM (ORCPT ); Fri, 1 May 2020 03:33:12 -0400 Received: from cloud.peff.net ([104.130.231.41]:33418 "HELO cloud.peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726452AbgEAHdM (ORCPT ); Fri, 1 May 2020 03:33:12 -0400 Received: (qmail 2460 invoked by uid 109); 1 May 2020 07:33:11 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with SMTP; Fri, 01 May 2020 07:33:11 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 16007 invoked by uid 111); 1 May 2020 07:33:11 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Fri, 01 May 2020 03:33:11 -0400 Authentication-Results: peff.net; auth=none Date: Fri, 1 May 2020 03:33:11 -0400 From: Jeff King To: Junio C Hamano Cc: douglas.fuller@gmail.com, git@vger.kernel.org Subject: [PATCH v2 2/2] gitcredentials(7): make shell-snippet example more realistic Message-ID: <20200501073311.GB27675@coredump.intra.peff.net> References: <20200501073222.GB27392@coredump.intra.peff.net> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200501073222.GB27392@coredump.intra.peff.net> Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org There's an example of using your own bit of shell to act as a credential helper, but it's not very realistic: - It's stupid to hand out your secret password to _every_ host. In the real world you'd use the config-matcher to limit it to a particular host. - We never provided a username. We can easily do that in another config option (you can do it in the helper, too, but this is much more readable). - We were sending the secret even for store/erase operations. This is OK because Git would just ignore it, but a real system would probably be unlocking a password store, which you wouldn't want to do more than necessary. Signed-off-by: Jeff King --- Documentation/gitcredentials.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Documentation/gitcredentials.txt b/Documentation/gitcredentials.txt index 8127dfcd2f..0d0f7149bd 100644 --- a/Documentation/gitcredentials.txt +++ b/Documentation/gitcredentials.txt @@ -233,8 +233,9 @@ Here are some example specifications: helper = "/path/to/my/helper --with-arguments" # or you can specify your own shell snippet -[credential] - helper = "!f() { echo \"password=$(cat $HOME/.secret)\"; }; f" +[credential "https://example.com"] + username = your_user + helper = "!f() { test \"$1\" = get && echo \"password=$(cat $HOME/.secret)\"; }; f" ---------------------------------------------------- Generally speaking, rule (3) above is the simplest for users to specify.