NTLM Auth attempt 2 #820
Merged
added 30 commits
August 26, 2015 17:51
* Switched the NTLM toggle to use the same url access pattern as private batch auth
* Updated the NTLM session to pull the credentials from the cred helper
…WillHipschman-ntlm
Both of these 'res' vars come from functions that call decodeApiResponse(). It already closes the response, releasing the http connection back to the pool.
Trying to remove the
This looks good to me. Thanks for the changes 👍
NTLM: cloneable body
chrisd8088 added a commit to manturovDan/git-lfs that referenced this pull request Apr 2, 2026
In prior commits in this PR we revised the DoWithAuth() method of the Client structure in our "lfsapi" package so that it should no longer enter an infinite loop if a Git LFS API implementation repeatedly responds to requests with a 401 Unauthorized status code. The method now returns an error with the message "too many authentication attempts" after a maximum of three requests receive 401 status code responses.

Previously, the DoWithAuth() method called itself recursively in order to retry requests for which it received a response with a 401 Unauthorized status code. We have now changed the method to iterate through a loop in which it calls the doWithAuth() method each time to perform a request, and then repeats the loop if a response with a 401 status code is received, but only if the maximum number of allowed requests has not been reached.

At the end of this loop, we output a trace log message which states that the response to a Git LFS API request indicates that authentication is required, and that the client will resubmit the request with the requested authentication scheme.

The text of this message was first introduced when we added NTLM support in commit d5622de of PR git-lfs#820. Then in commit db755d7 of PR git-lfs#1839 we added the DoWithAuth() method as part of a general refactoring and the creation of the "lfsapi" package. This initial version of the method called itself recursively, as described above, and would output the trace log message just before doing so. (Note that we subsequently removed the original function which also output the trace log message in PR git-lfs#1846, and we later removed support for NTLM in PR git-lfs#4384.)

In a previous commit in this PR we revised the DoWithAuth() method to iterate through a loop instead of recursing, and so we now output the trace log message at the end of the loop. However, as pointed out by larsxschneider in PR review, this means we output the message even when we have already performed the maximum allowed number of requests for authentication and will exit the loop rather than make another request.

We therefore update the DoWithAuth() method so that it only outputs the trace log message stating that an API request will be resubmitted if fewer than the maximum number of allowed requests have been made.

Unfortunately this change means we have to explicitly track the number of iterations in a local variable, which we had hoped to avoid, per this conversation: git-lfs#6018 (comment)

This is a minor inconvenience, though, and as an added benefit, allows us to also avoid retrieving the access mode for the next request from our cache unless we actually intend to make another request for authentication.

We also take the opportunity to expand the code comment which precedes our new conditional block so that the comment explains that we expect responses with 401 status codes when we are performing a multi-stage authentication sequence, and so this condition is not necessarily an indication of an anomalous situation.
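The bounded retry behaviour this commit message describes, as an added Go example that is not code from the git-lfs repository: a loop that stops after three 401 responses and records a trace only when another request will actually follow. The `scripted` transport, the `runScript` helper, the URL and the trace counter are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

const maxAuthAttempts = 3 // limit stated in the commit message

var errTooManyAuth = errors.New("too many authentication attempts")

// scripted is a constructed offline transport that replays canned status codes.
type scripted struct {
	codes []int
	sent  int
}

func (s *scripted) RoundTrip(r *http.Request) (*http.Response, error) {
	code := s.codes[len(s.codes)-1] // past the script's end, repeat the last code
	if s.sent < len(s.codes) {
		code = s.codes[s.sent]
	}
	s.sent++
	return &http.Response{StatusCode: code, Body: http.NoBody, Request: r}, nil
}

// runScript (hypothetical) returns requests sent, trace lines emitted, and the error.
func runScript(codes ...int) (requests, traces int, err error) {
	t := &scripted{codes: codes}
	c := &http.Client{Transport: t}
	for attempt := 1; ; attempt++ {
		res, err := c.Get("https://lfs.example.invalid/objects/batch")
		if err != nil {
			return t.sent, traces, err
		}
		res.Body.Close() // release the connection before any retry
		if res.StatusCode != http.StatusUnauthorized {
			return t.sent, traces, nil
		}
		// A 401 is expected mid-handshake in multi-stage auth; only the cap is fatal.
		if attempt >= maxAuthAttempts {
			return t.sent, traces, errTooManyAuth
		}
		traces++ // stands in for the "request will be resubmitted" trace line
	}
}

func main() { fmt.Println(runScript(401)) }
```

A server that always answers 401 costs the client exactly three requests and two trace lines, so the final failure is not logged as a pending retry.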
This makes some changes to #714:
- !Config.NtlmAccess() checks to lower level helper functions, so that every caller of these functions doesn't have to also check for ntlm access.
- toggleAuthType() so every caller doesn't have to define one.
- isNtlmRequest(). Trying to remove as much ntlm special casing as possible.
- ConcurrentTransfers() to 1 if ntlm authentication is used, so users aren't required to set this value themselves.
- ioutil.NopCloser() is pretty cool, for example).

@WillHipschman: Normally I'd just leave feedback for you to fix. But I didn't because the diff on #714 includes some changes in master that were made after the PR was opened. It made it really difficult to review. Seems like a GitHub PR issue, and nothing to do with your actual work.
There is still an ioutil.ReadAll() when cloning an http request, though. If NTLM auth is used for any file requests (as opposed to just LFS API requests), it should definitely buffer to a file instead. Maybe buffer up to 1MB in memory, and put the overflow in a temp file.
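One way to implement the buffering suggested above, as an added Go example that is not code from this pull request: the request body is read once, at most `limit` bytes stay in memory, the rest goes to a temp file, and each authentication round trip gets a fresh reader over the whole body. The names `spoolBody`, `discard` and `replayTwice` and the `lfs-body-*` file prefix are hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
)

// spoolBody (hypothetical) keeps up to limit bytes in RAM; tmp is nil if no spill.
func spoolBody(r io.Reader, limit int64) (open func() io.Reader, tmp *os.File, err error) {
	mem, err := io.ReadAll(io.LimitReader(r, limit))
	if err != nil {
		return nil, nil, err
	}
	if int64(len(mem)) < limit { // body ended within the limit: no disk use
		return func() io.Reader { return bytes.NewReader(mem) }, nil, nil
	}
	if tmp, err = os.CreateTemp("", "lfs-body-*"); err != nil { // mode 0600
		return nil, nil, err
	}
	n, err := io.Copy(tmp, r) // the overflow streams to disk, not into RAM
	if err != nil {
		discard(tmp)
		return nil, nil, err
	}
	return func() io.Reader { // fresh reader per replay (one per auth round trip)
		return io.MultiReader(bytes.NewReader(mem), io.NewSectionReader(tmp, 0, n))
	}, tmp, nil
}

// discard closes and deletes the overflow file so body data does not linger.
func discard(f *os.File) error {
	f.Close()
	return os.Remove(f.Name())
}

// replayTwice spools a constructed body, reads it back twice, then cleans up.
func replayTwice(size int, limit int64) (same, spilled, cleaned bool) {
	src := bytes.Repeat([]byte{'A'}, size)
	open, tmp, err := spoolBody(bytes.NewReader(src), limit)
	if err != nil {
		return false, false, false
	}
	a, _ := io.ReadAll(open())
	b, _ := io.ReadAll(open())
	return bytes.Equal(a, src) && bytes.Equal(b, src), tmp != nil, tmp == nil || discard(tmp) == nil
}

func main() { fmt.Println(replayTwice(3<<20, 1<<20)) }
```

Memory use is bounded by `limit` regardless of upload size, and the caller is responsible for calling `discard` on a non-nil `tmp` once the request has completed.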