NTLM Auth attempt 2 #820

Merged
technoweenie merged 55 commits into master from WillHipschman-ntlm Nov 16, 2015

@technoweenie

Contributor

This makes some changes to #714:

  • Moved some !Config.NtlmAccess() checks to lower level helper functions, so that every caller of these functions doesn't have to also check for ntlm access.
  • Use a standard tracer message for toggleAuthType() so every caller doesn't have to define one.
  • Removed some ntlm specific helpers like isNtlmRequest(). Trying to remove as much ntlm special casing as possible.
  • Remove some spots where http response bodies are closed multiple times.
  • Automatically set ConcurrentTransfers() to 1 if ntlm authentication is used, so users aren't required to set this value themselves.
  • Removed some redundant internal helper functions in favor of the stdlib (ioutil.NopCloser() is pretty cool, for example).

@WillHipschman: Normally I'd just leave feedback for you to fix. But I didn't because the diff on #714 includes some changes in master that were made after the PR was opened. It made it really difficult to review. Seems like a GitHub PR issue, and nothing to do with your actual work.

There is still an ioutil.ReadAll() when cloning an http request, though. If NTLM auth is used for any file requests (as opposed to just LFS API requests), it should definitely buffer to a file instead. Maybe buffer up to 1MB in memory, and put the overflow in a temp file.
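
The buffering approach suggested in the comment above (hold up to 1 MB in memory, spill the overflow to a temp file) can be written as follows, so that a request body stays replayable without an unbounded `ReadAll`. This is an added example, not code from this PR or from Git LFS; `spool` and `open` are hypothetical names and the 3 MiB body is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
)

// spool (hypothetical helper, not Git LFS code) reads src once: at most limit bytes stay in memory, overflow goes to a temp file.
func spool(src io.Reader, limit int64) ([]byte, string, error) {
	var buf bytes.Buffer
	if _, err := io.CopyN(&buf, src, limit); err == io.EOF {
		return buf.Bytes(), "", nil // whole body fit in memory, no file needed
	} else if err != nil {
		return nil, "", err
	}
	tmp, err := os.CreateTemp("", "body-overflow-*") // created with mode 0600
	if err != nil {
		return nil, "", err
	}
	defer tmp.Close()
	if _, err := io.Copy(tmp, src); err != nil {
		os.Remove(tmp.Name())
		return nil, "", err
	}
	return buf.Bytes(), tmp.Name(), nil
}

// open returns a fresh reader over the full body for each (re)send.
func open(mem []byte, path string) (io.ReadCloser, error) {
	if path == "" {
		return io.NopCloser(bytes.NewReader(mem)), nil
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	return struct {
		io.Reader
		io.Closer
	}{io.MultiReader(bytes.NewReader(mem), f), f}, nil
}

func main() {
	mem, path, err := spool(bytes.NewReader(make([]byte, 3<<20)), 1<<20) // constructed 3 MiB body
	defer os.Remove(path)
	fmt.Println(len(mem), path != "", err)
}
```

The caller owns the temp file and removes it once the last retry has completed.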

This was referenced Nov 6, 2015
@technoweenie

Contributor Author

Trying to remove the ioutil.ReadAll() call was more difficult than I thought. It's in #821 by itself.

@WillHipschman


This looks good to me. Thanks for the changes 👍

technoweenie added a commit that referenced this pull request Nov 16, 2015
technoweenie merged commit cf92541 into master Nov 16, 2015
technoweenie deleted the WillHipschman-ntlm branch November 16, 2015 18:50
technoweenie mentioned this pull request Nov 16, 2015
chrisd8088 added a commit to manturovDan/git-lfs that referenced this pull request Apr 2, 2026

In prior commits in this PR we revised the DoWithAuth() method of the
Client structure in our "lfsapi" package so that it should no longer
enter an infinite loop if a Git LFS API implementation repeatedly
responds to requests with a 401 Unauthorized status code.  The method
now returns an error with the message "too many authentication attempts"
after a maximum of three requests receive 401 status code responses.

Previously, the DoWithAuth() method called itself recursively in order to
retry requests for which it received a response with a 401 Unauthorized
status code.  We have now changed the method to iterate through a loop
in which it calls the doWithAuth() method each time to perform a request,
and then repeats the loop if a response with a 401 status code is
received, but only if the maximum number of allowed requests has not
been reached.

At the end of this loop, we output a trace log message which states that
the response to a Git LFS API request indicates that authentication is
required, and that the client will resubmit the request with the
requested authentication scheme.

The text of this message was first introduced when we added NTLM support
in commit d5622de of PR git-lfs#820.  Then in
commit db755d7 of PR git-lfs#1839 we added
the DoWithAuth() method as part of a general refactoring and the
creation of the "lfsapi" package.  This initial version of the method
called itself recursively, as described above, and would output the
trace log message just before doing so.

(Note that we subsequently removed the original function which also
output the trace log message in PR git-lfs#1846, and we later removed support
for NTLM in PR git-lfs#4384.)

In a previous commit in this PR we revised the DoWithAuth() method to
iterate through a loop instead of recursing, and so we now output the
trace log message at the end of the loop.

However, as pointed out by larsxschneider in PR review, this means we
output the message even when we have already performed the maximum
allowed number of requests for authentication and will exit the loop
rather than make another request.

We therefore update the DoWithAuth() method so that it only outputs
the trace log message stating that an API request will be resubmitted
if fewer than the maximum number of allowed requests have been made.

Unfortunately this change means we have to explicitly track the
number of iterations in a local variable, which we had hoped to avoid,
per this conversation:

  git-lfs#6018 (comment)

This is a minor inconvenience, though, and as an added benefit, allows
us to also avoid retrieving the access mode for the next request from
our cache unless we actually intend to make another request for
authentication.

We also take the opportunity to expand the code comment which precedes
our new conditional block so that the comment explains that we expect
responses with 401 status codes when we are performing a multi-stage
authentication sequence, and so this condition is not necessarily an
indication of an anomalous situation.
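
The bounded retry loop that the commit message above describes, as an added example that is not the lfsapi code: at most three requests, and the "resubmitting" trace line is emitted only when another request will follow. `doWithAuthBounded`, `denyFirst` and the URL are hypothetical, and the transport is a constructed stub so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

const maxAuthAttempts = 3 // limit stated in the commit message
var errTooManyAttempts = errors.New("too many authentication attempts")

// denyFirst is a constructed offline transport: 401 for the first n requests, then 200.
type denyFirst struct{ n, seen int }

func (d *denyFirst) RoundTrip(r *http.Request) (*http.Response, error) {
	d.seen++
	code := http.StatusOK
	if d.seen <= d.n {
		code = http.StatusUnauthorized
	}
	return &http.Response{StatusCode: code, Body: http.NoBody, Request: r}, nil
}

// doWithAuthBounded (hypothetical) returns the last status code, the number
// of requests sent, and the trace lines it emitted.
func doWithAuthBounded(c *http.Client, url string) (int, int, []string, error) {
	var trace []string
	for sent := 1; ; sent++ {
		res, err := c.Get(url)
		if err != nil {
			return 0, sent, trace, err
		}
		res.Body.Close()
		if res.StatusCode != http.StatusUnauthorized {
			return res.StatusCode, sent, trace, nil
		}
		// A 401 is normal in multi-stage auth; it is an error only once the budget is spent.
		if sent >= maxAuthAttempts {
			return res.StatusCode, sent, trace, errTooManyAttempts
		}
		// Trace (and any lookup of the next access mode) only when a request will follow.
		trace = append(trace, fmt.Sprintf("request %d got 401, resubmitting with requested auth scheme", sent))
	}
}

func main() {
	c := &http.Client{Transport: &denyFirst{n: 100}} // server never accepts
	fmt.Println(doWithAuthBounded(c, "https://lfs.example.invalid/objects/batch"))
}
```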