Skip to content

http: fix emptyAuth=auto for Negotiate/SPNEGO #2087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mjcheetham wants to merge 3 commits into
base: master
Choose a base branch
from
+112 −4
Open

http: fix emptyAuth=auto for Negotiate/SPNEGO #2087

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
49488cc
http: extract http_reauth_prepare() from retry paths
mjcheetham Apr 13, 2026
f175294
http: attempt Negotiate auth in http.emptyAuth=auto mode
mjcheetham Apr 13, 2026
650acab
t5563: add tests for http.emptyAuth with Negotiate
mjcheetham Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion http.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -665,6 +665,11 @@ static void init_curl_http_auth(CURL *result)
}
Copy link
Copy Markdown

@gitgitgadget gitgitgadget Bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Junio C Hamano wrote on the Git mailing list (how to reply to this email):

"Matthew John Cheetham via GitGitGadget" <gitgitgadget@gmail.com>
writes:

> From: Matthew John Cheetham <mjcheetham@outlook.com>
>
> All three HTTP retry paths (http_request_recoverable, post_rpc,
> probe_rpc) call credential_fill() directly when handling
> HTTP_REAUTH. Extract this into a helper function so that a
> subsequent commit can add pre-fill logic (such as attempting
> empty-auth before prompting) in one place.
>
> No functional change.
>
> Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
> ---
>  http.c        | 7 ++++++-
>  http.h        | 6 ++++++
>  remote-curl.c | 4 ++--
>  3 files changed, 14 insertions(+), 3 deletions(-)

Neat.

>
> diff --git a/http.c b/http.c
> index d8d016891b..f208e0ad82 100644
> --- a/http.c
> +++ b/http.c
> @@ -665,6 +665,11 @@ static void init_curl_http_auth(CURL *result)
>  	}
>  }
>  
> +void http_reauth_prepare(int all_capabilities)
> +{
> +	credential_fill(the_repository, &http_auth, all_capabilities);
> +}
> +
>  /* *var must be free-able */
>  static void var_override(char **var, char *value)
>  {
> @@ -2398,7 +2403,7 @@ static int http_request_recoverable(const char *url,
>  				sleep(retry_delay);
>  			}
>  		} else if (ret == HTTP_REAUTH) {
> -			credential_fill(the_repository, &http_auth, 1);
> +			http_reauth_prepare(1);
>  		}
>  
>  		ret = http_request(url, result, target, options);
> diff --git a/http.h b/http.h
> index f9ee888c3e..729c51904d 100644
> --- a/http.h
> +++ b/http.h
> @@ -76,6 +76,12 @@ extern int http_is_verbose;
>  extern ssize_t http_post_buffer;
>  extern struct credential http_auth;
>  
> +/**
> + * Prepare for an HTTP re-authentication retry. This fills credentials
> + * via credential_fill() so the next request can include them.
> + */
> +void http_reauth_prepare(int all_capabilities);
> +
>  extern char curl_errorstr[CURL_ERROR_SIZE];
>  
>  enum http_follow_config {
> diff --git a/remote-curl.c b/remote-curl.c
> index aba60d5712..affdb880f7 100644
> --- a/remote-curl.c
> +++ b/remote-curl.c
> @@ -946,7 +946,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece
>  		do {
>  			err = probe_rpc(rpc, &results);
>  			if (err == HTTP_REAUTH)
> -				credential_fill(the_repository, &http_auth, 0);
> +				http_reauth_prepare(0);
>  		} while (err == HTTP_REAUTH);
>  		if (err != HTTP_OK)
>  			return -1;
> @@ -1068,7 +1068,7 @@ retry:
>  	rpc->any_written = 0;
>  	err = run_slot(slot, NULL);
>  	if (err == HTTP_REAUTH && !large_request) {
> -		credential_fill(the_repository, &http_auth, 0);
> +		http_reauth_prepare(0);
>  		curl_slist_free_all(headers);
>  		goto retry;
>  	}

}

void http_reauth_prepare(int all_capabilities)
{
credential_fill(the_repository, &http_auth, all_capabilities);
}

/* *var must be free-able */
static void var_override(char **var, char *value)
{
Expand Down Expand Up @@ -2398,7 +2403,7 @@ static int http_request_recoverable(const char *url,
sleep(retry_delay);
}
} else if (ret == HTTP_REAUTH) {
credential_fill(the_repository, &http_auth, 1);
http_reauth_prepare(1);
}

ret = http_request(url, result, target, options);
Expand Down
6 changes: 6 additions & 0 deletions http.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,12 @@ extern int http_is_verbose;
extern ssize_t http_post_buffer;
extern struct credential http_auth;

/**
* Prepare for an HTTP re-authentication retry. This fills credentials
* via credential_fill() so the next request can include them.
*/
void http_reauth_prepare(int all_capabilities);

extern char curl_errorstr[CURL_ERROR_SIZE];

enum http_follow_config {
Expand Down
4 changes: 2 additions & 2 deletions remote-curl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -946,7 +946,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece
do {
err = probe_rpc(rpc, &results);
if (err == HTTP_REAUTH)
credential_fill(the_repository, &http_auth, 0);
http_reauth_prepare(0);
} while (err == HTTP_REAUTH);
if (err != HTTP_OK)
return -1;
Expand Down Expand Up @@ -1068,7 +1068,7 @@ static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_rece
rpc->any_written = 0;
err = run_slot(slot, NULL);
if (err == HTTP_REAUTH && !large_request) {
credential_fill(the_repository, &http_auth, 0);
http_reauth_prepare(0);
curl_slist_free_all(headers);
goto retry;
}
Expand Down