t / t5550-http-fetch-dumb.shon commit Merge branch 'jk/archive-zip-userdiff-config' (0f650e1)
   1#!/bin/sh
   2
   3test_description='test dumb fetching over http via static file'
   4. ./test-lib.sh
   5. "$TEST_DIRECTORY"/lib-httpd.sh
   6start_httpd
   7
   8test_expect_success 'setup repository' '
   9        git config push.default matching &&
  10        echo content1 >file &&
  11        git add file &&
  12        git commit -m one &&
  13        echo content2 >file &&
  14        git add file &&
  15        git commit -m two
  16'
  17
  18test_expect_success 'create http-accessible bare repository with loose objects' '
  19        cp -R .git "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
  20        (cd "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
  21         git config core.bare true &&
  22         mkdir -p hooks &&
  23         echo "exec git update-server-info" >hooks/post-update &&
  24         chmod +x hooks/post-update &&
  25         hooks/post-update
  26        ) &&
  27        git remote add public "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
  28        git push public master:master
  29'
  30
  31test_expect_success 'clone http repository' '
  32        git clone $HTTPD_URL/dumb/repo.git clone-tmpl &&
  33        cp -R clone-tmpl clone &&
  34        test_cmp file clone/file
  35'
  36
  37test_expect_success 'create password-protected repository' '
  38        mkdir -p "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/" &&
  39        cp -Rf "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" \
  40               "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/repo.git"
  41'
  42
  43setup_askpass_helper
  44
  45test_expect_success 'cloning password-protected repository can fail' '
  46        set_askpass wrong &&
  47        test_must_fail git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-fail &&
  48        expect_askpass both wrong
  49'
  50
  51test_expect_success 'http auth can use user/pass in URL' '
  52        set_askpass wrong &&
  53        git clone "$HTTPD_URL_USER_PASS/auth/dumb/repo.git" clone-auth-none &&
  54        expect_askpass none
  55'
  56
  57test_expect_success 'http auth can use just user in URL' '
  58        set_askpass wrong pass@host &&
  59        git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-pass &&
  60        expect_askpass pass user@host
  61'
  62
  63test_expect_success 'http auth can request both user and pass' '
  64        set_askpass user@host pass@host &&
  65        git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-both &&
  66        expect_askpass both user@host
  67'
  68
  69test_expect_success 'http auth respects credential helper config' '
  70        test_config_global credential.helper "!f() {
  71                cat >/dev/null
  72                echo username=user@host
  73                echo password=pass@host
  74        }; f" &&
  75        set_askpass wrong &&
  76        git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-helper &&
  77        expect_askpass none
  78'
  79
  80test_expect_success 'http auth can get username from config' '
  81        test_config_global "credential.$HTTPD_URL.username" user@host &&
  82        set_askpass wrong pass@host &&
  83        git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-user &&
  84        expect_askpass pass user@host
  85'
  86
  87test_expect_success 'configured username does not override URL' '
  88        test_config_global "credential.$HTTPD_URL.username" wrong &&
  89        set_askpass wrong pass@host &&
  90        git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-user2 &&
  91        expect_askpass pass user@host
  92'
  93
  94test_expect_success 'set up repo with http submodules' '
  95        git init super &&
  96        set_askpass user@host pass@host &&
  97        (
  98                cd super &&
  99                git submodule add "$HTTPD_URL/auth/dumb/repo.git" sub &&
 100                git commit -m "add submodule"
 101        )
 102'
 103
 104test_expect_success 'cmdline credential config passes to submodule via clone' '
 105        set_askpass wrong pass@host &&
 106        test_must_fail git clone --recursive super super-clone &&
 107        rm -rf super-clone &&
 108
 109        set_askpass wrong pass@host &&
 110        git -c "credential.$HTTPD_URL.username=user@host" \
 111                clone --recursive super super-clone &&
 112        expect_askpass pass user@host
 113'
 114
 115test_expect_success 'cmdline credential config passes submodule via fetch' '
 116        set_askpass wrong pass@host &&
 117        test_must_fail git -C super-clone fetch --recurse-submodules &&
 118
 119        set_askpass wrong pass@host &&
 120        git -C super-clone \
 121            -c "credential.$HTTPD_URL.username=user@host" \
 122            fetch --recurse-submodules &&
 123        expect_askpass pass user@host
 124'
 125
 126test_expect_success 'cmdline credential config passes submodule update' '
 127        # advance the submodule HEAD so that a fetch is required
 128        git commit --allow-empty -m foo &&
 129        git push "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/repo.git" HEAD &&
 130        sha1=$(git rev-parse HEAD) &&
 131        git -C super-clone update-index --cacheinfo 160000,$sha1,sub &&
 132
 133        set_askpass wrong pass@host &&
 134        test_must_fail git -C super-clone submodule update &&
 135
 136        set_askpass wrong pass@host &&
 137        git -C super-clone \
 138            -c "credential.$HTTPD_URL.username=user@host" \
 139            submodule update &&
 140        expect_askpass pass user@host
 141'
 142
 143test_expect_success 'fetch changes via http' '
 144        echo content >>file &&
 145        git commit -a -m two &&
 146        git push public &&
 147        (cd clone && git pull) &&
 148        test_cmp file clone/file
 149'
 150
 151test_expect_success 'fetch changes via manual http-fetch' '
 152        cp -R clone-tmpl clone2 &&
 153
 154        HEAD=$(git rev-parse --verify HEAD) &&
 155        (cd clone2 &&
 156         git http-fetch -a -w heads/master-new $HEAD $(git config remote.origin.url) &&
 157         git checkout master-new &&
 158         test $HEAD = $(git rev-parse --verify HEAD)) &&
 159        test_cmp file clone2/file
 160'
 161
 162test_expect_success 'http remote detects correct HEAD' '
 163        git push public master:other &&
 164        (cd clone &&
 165         git remote set-head origin -d &&
 166         git remote set-head origin -a &&
 167         git symbolic-ref refs/remotes/origin/HEAD > output &&
 168         echo refs/remotes/origin/master > expect &&
 169         test_cmp expect output
 170        )
 171'
 172
 173test_expect_success 'fetch packed objects' '
 174        cp -R "$HTTPD_DOCUMENT_ROOT_PATH"/repo.git "$HTTPD_DOCUMENT_ROOT_PATH"/repo_pack.git &&
 175        (cd "$HTTPD_DOCUMENT_ROOT_PATH"/repo_pack.git &&
 176         git --bare repack -a -d
 177        ) &&
 178        git clone $HTTPD_URL/dumb/repo_pack.git
 179'
 180
 181test_expect_success 'fetch notices corrupt pack' '
 182        cp -R "$HTTPD_DOCUMENT_ROOT_PATH"/repo_pack.git "$HTTPD_DOCUMENT_ROOT_PATH"/repo_bad1.git &&
 183        (cd "$HTTPD_DOCUMENT_ROOT_PATH"/repo_bad1.git &&
 184         p=$(ls objects/pack/pack-*.pack) &&
 185         chmod u+w $p &&
 186         printf %0256d 0 | dd of=$p bs=256 count=1 seek=1 conv=notrunc
 187        ) &&
 188        mkdir repo_bad1.git &&
 189        (cd repo_bad1.git &&
 190         git --bare init &&
 191         test_must_fail git --bare fetch $HTTPD_URL/dumb/repo_bad1.git &&
 192         test 0 = $(ls objects/pack/pack-*.pack | wc -l)
 193        )
 194'
 195
 196test_expect_success 'fetch notices corrupt idx' '
 197        cp -R "$HTTPD_DOCUMENT_ROOT_PATH"/repo_pack.git "$HTTPD_DOCUMENT_ROOT_PATH"/repo_bad2.git &&
 198        (cd "$HTTPD_DOCUMENT_ROOT_PATH"/repo_bad2.git &&
 199         p=$(ls objects/pack/pack-*.idx) &&
 200         chmod u+w $p &&
 201         printf %0256d 0 | dd of=$p bs=256 count=1 seek=1 conv=notrunc
 202        ) &&
 203        mkdir repo_bad2.git &&
 204        (cd repo_bad2.git &&
 205         git --bare init &&
 206         test_must_fail git --bare fetch $HTTPD_URL/dumb/repo_bad2.git &&
 207         test 0 = $(ls objects/pack | wc -l)
 208        )
 209'
 210
 211test_expect_success 'fetch can handle previously-fetched .idx files' '
 212        git checkout --orphan branch1 &&
 213        echo base >file &&
 214        git add file &&
 215        git commit -m base &&
 216        git --bare init "$HTTPD_DOCUMENT_ROOT_PATH"/repo_packed_branches.git &&
 217        git push "$HTTPD_DOCUMENT_ROOT_PATH"/repo_packed_branches.git branch1 &&
 218        git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH"/repo_packed_branches.git repack -d &&
 219        git checkout -b branch2 branch1 &&
 220        echo b2 >>file &&
 221        git commit -a -m b2 &&
 222        git push "$HTTPD_DOCUMENT_ROOT_PATH"/repo_packed_branches.git branch2 &&
 223        git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH"/repo_packed_branches.git repack -d &&
 224        git --bare init clone_packed_branches.git &&
 225        git --git-dir=clone_packed_branches.git fetch "$HTTPD_URL"/dumb/repo_packed_branches.git branch1:branch1 &&
 226        git --git-dir=clone_packed_branches.git fetch "$HTTPD_URL"/dumb/repo_packed_branches.git branch2:branch2
 227'
 228
 229test_expect_success 'did not use upload-pack service' '
 230        test_might_fail grep '/git-upload-pack' <"$HTTPD_ROOT_PATH"/access.log >act &&
 231        : >exp &&
 232        test_cmp exp act
 233'
 234
 235test_expect_success 'git client shows text/plain errors' '
 236        test_must_fail git clone "$HTTPD_URL/error/text" 2>stderr &&
 237        grep "this is the error message" stderr
 238'
 239
 240test_expect_success 'git client does not show html errors' '
 241        test_must_fail git clone "$HTTPD_URL/error/html" 2>stderr &&
 242        ! grep "this is the error message" stderr
 243'
 244
 245test_expect_success 'git client shows text/plain with a charset' '
 246        test_must_fail git clone "$HTTPD_URL/error/charset" 2>stderr &&
 247        grep "this is the error message" stderr
 248'
 249
 250test_expect_success 'http error messages are reencoded' '
 251        test_must_fail git clone "$HTTPD_URL/error/utf16" 2>stderr &&
 252        grep "this is the error message" stderr
 253'
 254
 255test_expect_success 'reencoding is robust to whitespace oddities' '
 256        test_must_fail git clone "$HTTPD_URL/error/odd-spacing" 2>stderr &&
 257        grep "this is the error message" stderr
 258'
 259
 260check_language () {
 261        case "$2" in
 262        '')
 263                >expect
 264                ;;
 265        ?*)
 266                echo "=> Send header: Accept-Language: $1" >expect
 267                ;;
 268        esac &&
 269        GIT_TRACE_CURL=true \
 270        LANGUAGE=$2 \
 271        git ls-remote "$HTTPD_URL/dumb/repo.git" >output 2>&1 &&
 272        tr -d '\015' <output |
 273        sort -u |
 274        sed -ne '/^=> Send header: Accept-Language:/ p' >actual &&
 275        test_cmp expect actual
 276}
 277
 278test_expect_success 'git client sends Accept-Language based on LANGUAGE' '
 279        check_language "ko-KR, *;q=0.9" ko_KR.UTF-8'
 280
 281test_expect_success 'git client sends Accept-Language correctly with unordinary LANGUAGE' '
 282        check_language "ko-KR, *;q=0.9" "ko_KR:" &&
 283        check_language "ko-KR, en-US;q=0.9, *;q=0.8" "ko_KR::en_US" &&
 284        check_language "ko-KR, *;q=0.9" ":::ko_KR" &&
 285        check_language "ko-KR, en-US;q=0.9, *;q=0.8" "ko_KR!!:en_US" &&
 286        check_language "ko-KR, ja-JP;q=0.9, *;q=0.8" "ko_KR en_US:ja_JP"'
 287
 288test_expect_success 'git client sends Accept-Language with many preferred languages' '
 289        check_language "ko-KR, en-US;q=0.9, fr-CA;q=0.8, de;q=0.7, sr;q=0.6, \
 290ja;q=0.5, zh;q=0.4, sv;q=0.3, pt;q=0.2, *;q=0.1" \
 291                ko_KR.EUC-KR:en_US.UTF-8:fr_CA:de.UTF-8@euro:sr@latin:ja:zh:sv:pt &&
 292        check_language "ko-KR, en-US;q=0.99, fr-CA;q=0.98, de;q=0.97, sr;q=0.96, \
 293ja;q=0.95, zh;q=0.94, sv;q=0.93, pt;q=0.92, nb;q=0.91, *;q=0.90" \
 294                ko_KR.EUC-KR:en_US.UTF-8:fr_CA:de.UTF-8@euro:sr@latin:ja:zh:sv:pt:nb
 295'
 296
 297test_expect_success 'git client does not send an empty Accept-Language' '
 298        GIT_TRACE_CURL=true LANGUAGE= git ls-remote "$HTTPD_URL/dumb/repo.git" 2>stderr &&
 299        ! grep "^=> Send header: Accept-Language:" stderr
 300'
 301
 302test_expect_success 'remote-http complains cleanly about malformed urls' '
 303        # do not actually issue "list" or other commands, as we do not
 304        # want to rely on what curl would actually do with such a broken
 305        # URL. This is just about making sure we do not segfault during
 306        # initialization.
 307        test_must_fail git remote-http http::/example.com/repo.git
 308'
 309
 310test_expect_success 'redirects can be forbidden/allowed' '
 311        test_must_fail git -c http.followRedirects=false \
 312                clone $HTTPD_URL/dumb-redir/repo.git dumb-redir &&
 313        git -c http.followRedirects=true \
 314                clone $HTTPD_URL/dumb-redir/repo.git dumb-redir 2>stderr
 315'
 316
 317test_expect_success 'redirects are reported to stderr' '
 318        # just look for a snippet of the redirected-to URL
 319        test_i18ngrep /dumb/ stderr
 320'
 321
 322test_expect_success 'non-initial redirects can be forbidden' '
 323        test_must_fail git -c http.followRedirects=initial \
 324                clone $HTTPD_URL/redir-objects/repo.git redir-objects &&
 325        git -c http.followRedirects=true \
 326                clone $HTTPD_URL/redir-objects/repo.git redir-objects
 327'
 328
 329test_expect_success 'http.followRedirects defaults to "initial"' '
 330        test_must_fail git clone $HTTPD_URL/redir-objects/repo.git default
 331'
 332
 333# The goal is for a clone of the "evil" repository, which has no objects
 334# itself, to cause the client to fetch objects from the "victim" repository.
 335test_expect_success 'set up evil alternates scheme' '
 336        victim=$HTTPD_DOCUMENT_ROOT_PATH/victim.git &&
 337        git init --bare "$victim" &&
 338        git -C "$victim" --work-tree=. commit --allow-empty -m secret &&
 339        git -C "$victim" repack -ad &&
 340        git -C "$victim" update-server-info &&
 341        sha1=$(git -C "$victim" rev-parse HEAD) &&
 342
 343        evil=$HTTPD_DOCUMENT_ROOT_PATH/evil.git &&
 344        git init --bare "$evil" &&
 345        # do this by hand to avoid object existence check
 346        printf "%s\\t%s\\n" $sha1 refs/heads/master >"$evil/info/refs"
 347'
 348
 349# Here we'll just redirect via HTTP. In a real-world attack these would be on
 350# different servers, but we should reject it either way.
 351test_expect_success 'http-alternates is a non-initial redirect' '
 352        echo "$HTTPD_URL/dumb/victim.git/objects" \
 353                >"$evil/objects/info/http-alternates" &&
 354        test_must_fail git -c http.followRedirects=initial \
 355                clone $HTTPD_URL/dumb/evil.git evil-initial &&
 356        git -c http.followRedirects=true \
 357                clone $HTTPD_URL/dumb/evil.git evil-initial
 358'
 359
 360# Curl supports a lot of protocols that we'd prefer not to allow
 361# http-alternates to use, but it's hard to test whether curl has
 362# accessed, say, the SMTP protocol, because we are not running an SMTP server.
 363# But we can check that it does not allow access to file://, which would
 364# otherwise allow this clone to complete.
 365test_expect_success 'http-alternates cannot point at funny protocols' '
 366        echo "file://$victim/objects" >"$evil/objects/info/http-alternates" &&
 367        test_must_fail git -c http.followRedirects=true \
 368                clone "$HTTPD_URL/dumb/evil.git" evil-file
 369'
 370
 371test_expect_success 'http-alternates triggers not-from-user protocol check' '
 372        echo "$HTTPD_URL/dumb/victim.git/objects" \
 373                >"$evil/objects/info/http-alternates" &&
 374        test_config_global http.followRedirects true &&
 375        test_must_fail git -c protocol.http.allow=user \
 376                clone $HTTPD_URL/dumb/evil.git evil-user &&
 377        git -c protocol.http.allow=always \
 378                clone $HTTPD_URL/dumb/evil.git evil-user
 379'
 380
 381stop_httpd
 382test_done