Commit 1392418e by Philip Kelley

Seamless support for NTLM/Kerberos auth on Windows

parent dd5e74e5
......@@ -185,7 +185,8 @@ GIT_EXTERN(int) git_cred_default_new(git_cred **out);
* remote url, or NULL if not included.
* - allowed_types: A bitmask stating which cred types are OK to return.
* - payload: The payload provided when specifying this callback.
* - returns 0 for success or non-zero to indicate an error
* - returns 0 for success, < 0 to indicate an error, > 0 to indicate
* no credential was acquired
*/
typedef int (*git_cred_acquire_cb)(
git_cred **cred,
......
......@@ -21,6 +21,10 @@
#include <strsafe.h>
/* For IInternetSecurityManager zone check */
#include <objbase.h>
#include <urlmon.h>
/* For UuidCreate */
#pragma comment(lib, "rpcrt4")
......@@ -141,12 +145,12 @@ on_error:
static int apply_default_credentials(HINTERNET request)
{
/* If we are explicitly asked to deliver default credentials, turn set
* the security level to low which will guarantee they are delivered.
* The default is "medium" which applies to the intranet and sounds
* like it would correspond to Internet Explorer security zones, but
* in fact does not.
*/
/* Either the caller explicitly requested that default credentials be passed,
* or our fallback credential callback was invoked and checked that the target
* URI was in the appropriate Internet Explorer security zone. By setting this
* flag, we guarantee that the credentials are delivered by WinHTTP. The default
* is "medium" which applies to the intranet and sounds like it would correspond
* to Internet Explorer security zones, but in fact does not. */
DWORD data = WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW;
if (!WinHttpSetOption(request, WINHTTP_OPTION_AUTOLOGON_POLICY, &data, sizeof(DWORD)))
......@@ -155,6 +159,71 @@ static int apply_default_credentials(HINTERNET request)
return 0;
}
static int fallback_cred_acquire_cb(
git_cred **cred,
const char *url,
const char *username_from_url,
unsigned int allowed_types,
void *payload)
{
int error = 1;
/* If the target URI supports integrated Windows authentication
* as an authentication mechanism */
if (GIT_CREDTYPE_DEFAULT & allowed_types) {
LPWSTR wide_url;
DWORD wide_len;
/* Convert URL to wide characters */
wide_len = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, url, -1, NULL, 0);
if (!wide_len) {
giterr_set(GITERR_OS, "Failed to measure string for wide conversion");
return -1;
}
wide_url = git__malloc(wide_len * sizeof(WCHAR));
GITERR_CHECK_ALLOC(wide_url);
if (!MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, url, -1, wide_url, wide_len)) {
giterr_set(GITERR_OS, "Failed to convert string to wide form");
git__free(wide_url);
return -1;
}
if (SUCCEEDED(CoInitializeEx(NULL, COINIT_MULTITHREADED))) {
IInternetSecurityManager* pISM;
/* And if the target URI is in the My Computer, Intranet, or Trusted zones */
if (SUCCEEDED(CoCreateInstance(&CLSID_InternetSecurityManager, NULL,
CLSCTX_ALL, &IID_IInternetSecurityManager, (void **)&pISM))) {
DWORD dwZone;
if (SUCCEEDED(pISM->lpVtbl->MapUrlToZone(pISM, wide_url, &dwZone, 0)) &&
(URLZONE_LOCAL_MACHINE == dwZone ||
URLZONE_INTRANET == dwZone ||
URLZONE_TRUSTED == dwZone)) {
git_cred *existing = *cred;
if (existing)
existing->free(existing);
/* Then use default Windows credentials to authenticate this request */
error = git_cred_default_new(cred);
}
pISM->lpVtbl->Release(pISM);
}
CoUninitialize();
}
git__free(wide_url);
}
return error;
}
static int winhttp_stream_connect(winhttp_stream *s)
{
winhttp_subtransport *t = OWNING_SUBTRANSPORT(s);
......@@ -657,8 +726,7 @@ replay:
}
/* Handle authentication failures */
if (HTTP_STATUS_DENIED == status_code &&
get_verb == s->verb && t->owner->cred_acquire_cb) {
if (HTTP_STATUS_DENIED == status_code && get_verb == s->verb) {
int allowed_types;
if (parse_unauthorized_response(s->request, &allowed_types, &t->auth_mechanism) < 0)
......@@ -666,13 +734,27 @@ replay:
if (allowed_types &&
(!t->cred || 0 == (t->cred->credtype & allowed_types))) {
int cred_error = 1;
int error = t->owner->cred_acquire_cb(
&t->cred, t->owner->url, t->connection_data.user,
allowed_types, t->owner->cred_acquire_payload);
if (error < 0)
return error;
/* Start with the user-supplied credential callback, if present */
if (t->owner->cred_acquire_cb) {
cred_error = t->owner->cred_acquire_cb(&t->cred, t->owner->url,
t->connection_data.user, allowed_types, t->owner->cred_acquire_payload);
if (cred_error < 0)
return cred_error;
}
/* Invoke the fallback credentials acquisition callback if necessary */
if (cred_error > 0) {
cred_error = fallback_cred_acquire_cb(&t->cred, t->owner->url,
t->connection_data.user, allowed_types, NULL);
if (cred_error < 0)
return cred_error;
}
if (!cred_error) {
assert(t->cred);
WinHttpCloseHandle(s->request);
......@@ -683,6 +765,7 @@ replay:
goto replay;
}
}
}
if (HTTP_STATUS_OK != status_code) {
giterr_set(GITERR_NET, "Request failed with status code: %d", status_code);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment