Provide authentication error reporting to `cred_acquire_cb`

[wildart]

I'm trying to implement a credential caching mechanism in git_cred_acquire_cb function. However, SSH session authentication does not report any error for libssh2 calls that return LIBSSH2_ERROR_PASSWORD_EXPIRED or LIBSSH2_ERROR_AUTHENTICATION_FAILED error codes (see _git_ssh_authenticate_session). The only exception is the ssh-agent authentication that sets error when failed. Failure to report auth errors makes impossible to identify if cached credentials where correct or not.

[wildart]

Same thing happens with http transport - no auth error is reported.

[ethomson]

I'm not sure what you're asking for; do you want more information about the previous error in your git_cred_acquire_cb?

[wildart]

Yes, I want to know if provided credentials were accepted or not.

[ethomson]

If you're getting called a second time, then no, they were not.

In the HTTP case you call out, there's really not much more information that we could provide, is there?

[spraints]

I've seen some cases where credentials get requested more than once. I assume it's from a Connection: close, but I haven't investigated to see if that's what's actually leading to >1 request for creds. It would be super-useful if the credentials callback got a reason argument, or something, so that it could tell if this is the first request for creds of if creds from the last request were bad. Here's some code that we're using to avoid infinite loops from credentials (using rugged):

repository = Rugged::Repository.new(".")
remote = repository.remotes.create_anonymous("https://github.com/libgit2/libgit2")
puts remote.ls(:credentials => CredHelper.new(Rugged::Credentials::UserPassword.new(:username => "spraints", :password => "lol"))).to_a

class CredHelper
  def initialize(real_creds, ttl: 5)
    @real_creds = real_creds
    @ttl = ttl
  end

  def call(*args)
    raise "auth error" if @ttl < 1
    @ttl -= 1
    @realcreds.call(*args)
  end
end

Obviously, in this example the creds won't get used because libgit2/libgit2 is public. I initially had set ttl = 1, but that led to some spurious errors. ttl=5 seems to be working well. The ttl (which is really just a backstop) could go away if call said that it was calling because of an auth error or not.

[wildart]

You could count number of requests for creds for a one repository but if the same credentials are used for multiple repositories this strategy does not seem viable.

@ethomson Can error be set every time 401 code is returned? Same for SSH when LIBSSH2_ERROR_AUTHENTICATION_FAILED is reported?

[wildart]

Found a way to identify invalid credentials without error status.

[ethomson]

Neat - @wildart would you mind sharing your solution? I think that there's still an opportunity to make this easier for callers but I'm curious about what you did. Thanks!

[wildart]

It the same solution that @spraints suggested - count number of times when the credential callback is called. I found a way in my project to reset the call counter between fetch calls. I'm still using error class to determine if git_cred_ssh_key_from_agent credentials failed, and then fall back to git_cred_ssh_key_new.

[wildart]

I reopen this issue because the solution that I used for caching credentials is a half-measure after all.

Even though counting auth. fails is working, but only for one credential provider. I would like to switch to different credential provide if one that was called before fails. An example would be a use of sh-agent and manual ssh key credentials. If ssh-agent credential fail for some reason, it would be nice to fallback back manually provided credentials rather then terminate operation.