be like git and ask for credentials if 404

Please describe the problem.

This is a continuation to the prior report/discussion to facilitate access to private repositories on public hosting portals.

If we place more odd/custom behavior of gitlab etc installations which forward to login screen (thus no 401 or 404 response) upon attempt to access something which might be within private rep, aside, the situation with github and gogs (github clone) which powers gin (which I had mentioned in that prior discussion)) is different: they return 404 response. And I think (didn't check git code, but just based on its behavior) git is then asking for credentials as the "next way to try". I think git-annex should do the same -- if 404 received, ask git credential to fill for that domain (as it would do now in case of 401).

What steps will reproduce the problem?

Try to clone and get data from a private repository on https://gin.g-node.org/ (repo could be created, or let me know and I would create one, but you would still need to register there). I am not yet 100% certain that upon authentication you would be able to fetch that /config (haven't tried). Satellite issue/discussion I just initiated on gin is here

What version of git-annex are you using? On what operating system?

8.20201127+git54-ga1b227171-1~ndall+1

edit 1: although probably a deeper look into how/why git decides to ask for credentials for private repos might be due. May be similar check should be done by git-annex first, since otherwise there might be no way to tell apart from a "proper" 404 for inability to get /config from github

notabug --Joey

RSS Atom

comment 1

The git source code does not appear to behave like that, see http.c normalize_curl_result, which reauths on 401, but not on 404. If you think git behaves like this, you need to show an example where it clearly accesses an url that is 404 and goes on to authenticate.

Seems to me that these hosting sites may simply not be exposing foo.git/config to http. Git does not request that file over http. Such a hosting site would probably also not expose foo.git/annex/ over http, so git-annex would not be able to use it anyway. To support git-annex, it would need to expose both, and then git-annex's handling of 401 should work fine for authentication.

Comment by joey — Thu Jan 21 16:57:06 2021

Remove comment

comment 2

a quick one: https://gin.g-node.org/ does expose foo.git/annex/ -- that is what gin has extended original borg with. Example repo to try on https://gin.g-node.org/ljchang/Sherlock . The problem/difficulty is only in access to "private" repositories -- access to config and annexed files is working fine through http

Comment by yarikoptic — Thu Jan 21 18:36:50 2021

Remove comment

comment 3

It still seems easy to demonstrate that git does not ask for creds on 404:

joey@darkstar:~> git clone http://google.com/this-url-does-not-exist
Cloning into 'this-url-does-not-exist'...
fatal: repository 'http://google.com/this-url-does-not-exist/' not found

So I need you to show me what makes you think that git does such a strange thing, before I can take seriously a request to replicate that behavior in git-annex. Because the only possible reason I would implement such an insane thing is if git has lost its collective mind and so I needed to follow into the abyss.

If the actual issue is that gogs has implemented support for git-annex, but that it sends 404 when git-annex requests config from a private repo, rather than 401, it seems to me the place to fix that is in gogs.

Comment by joey — Thu Jan 21 19:20:00 2021

Remove comment

comment 4

yeap, it is not about 404 ...

with gogs/gin situation is obscure but "easyish" - 401 is returned upon access to /info/refs but not above:

$> wget -S "https://gin.g-node.org/SakshamSharda/ophys_testing1.git/info/refs"
--2021-01-21 20:37:22--  https://gin.g-node.org/SakshamSharda/ophys_testing1.git/info/refs
Resolving gin.g-node.org (gin.g-node.org)... 141.84.41.219
Connecting to gin.g-node.org (gin.g-node.org)|141.84.41.219|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 401 Unauthorized
  Date: Fri, 22 Jan 2021 01:37:23 GMT
  Server: Apache/2.4.38 (Debian)
  content-type: text/plain
  www-authenticate: Basic realm="."
  content-length: 0
  set-cookie: lang=en-US; Path=/; Max-Age=2147483647
  set-cookie: gnode_gin=823b677f19feb8ef; Path=/; HttpOnly
  set-cookie: _csrf=GrekbiqDJleLLNcVyax5z77buGY6MTYxMTI3OTQ0MzYwMTMyMzE4NQ; Path=/; Expires=Sat, 23 Jan 2021 01:37:23 GMT
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive

Username/Password Authentication Failed.
1 51975 ->6 [2].....................................:Thu 21 Jan 2021 08:37:23 PM EST:.
(git)lena:~/proj/misc/git[master]git
$> wget -S "https://gin.g-node.org/SakshamSharda/ophys_testing1.git/info"     
--2021-01-21 20:37:52--  https://gin.g-node.org/SakshamSharda/ophys_testing1.git/info
Resolving gin.g-node.org (gin.g-node.org)... 141.84.41.219
Connecting to gin.g-node.org (gin.g-node.org)|141.84.41.219|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Date: Fri, 22 Jan 2021 01:37:53 GMT
  Server: Apache/2.4.38 (Debian)
  content-type: text/html; charset=UTF-8
  set-cookie: lang=en-US; Path=/; Max-Age=2147483647
  set-cookie: gnode_gin=26d42c5108c8715d; Path=/; HttpOnly
  set-cookie: _csrf=SAKUL4rdspufTb_lxEWIijnzYBU6MTYxMTI3OTQ3Mjk5MDczODgzMA; Path=/; Expires=Sat, 23 Jan 2021 01:37:52 GMT
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
2021-01-21 20:37:53 ERROR 404: Not Found.

github is ... trickier, or to say -- my C/gdb/whatever foo is not good enough, since

it is still 404 with simple wget but git remote-https seems to get 401:

(gdb) p results
$15 = {curl_result = CURLE_HTTP_RETURNED_ERROR, http_code = 401, auth_avail = 1, http_connectcode = 0}
(gdb) p rl
No symbol "rl" in current context.
(gdb) p url
$16 = 0x5555557a4450 "https://github.com/yarikoptic/abcd-testds2/info/refs?service=git-upload-pack"
(gdb) bt
#0  http_request (url=0x5555557a4450 "https://github.com/yarikoptic/abcd-testds2/info/refs?service=git-upload-pack", 
    result=<optimized out>, target=<optimized out>, options=0x7fffffffd920) at http.c:1981
#1  0x00005555555665bf in http_request_reauth (
    url=0x5555557a4450 "https://github.com/yarikoptic/abcd-testds2/info/refs?service=git-upload-pack", result=0x7fffffffd880, 
    target=0, options=0x7fffffffd920) at http.c:2040
#2  0x000055555555f7f3 in discover_refs (service=<optimized out>, service@entry=0x5555556b622c "git-upload-pack", 
    for_push=for_push@entry=0) at remote-curl.c:493
#3  0x000055555556137e in get_refs (for_push=<optimized out>) at remote-curl.c:548
#4  cmd_main (argc=argc@entry=3, argv=argv@entry=0x7fffffffdcd8) at remote-curl.c:1523
#5  0x000055555555ee94 in main (argc=3, argv=0x7fffffffdcd8) at common-main.c:52

$> wget --header "Git-Protocol: version=2" --header "Pragma: no-cache" -S 'https://github.com/yarikoptic/abcd-testds2/info/refs?service=git-upload-pack' 
--2021-01-21 20:41:21--  https://github.com/yarikoptic/abcd-testds2/info/refs?service=git-upload-pack
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Server: GitHub.com
  Date: Fri, 22 Jan 2021 01:41:21 GMT
  Content-Type: text/plain; charset=utf-8
  Status: 404 Not Found
  Vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
  Cache-Control: no-cache
  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  X-Frame-Options: deny
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
  Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
  Content-Security-Policy: default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline'
  Set-Cookie: _gh_sess=UoF3mYOvfYf5mFbK1tr7aWOuYpQbNoJVhajA5nr2ANUvg%2FekQjtgh0h3xLva0EcwHnLNNsl7VMEdVLXNGi9Yn4AbjrBxX0sdo51DL1XQYR%2Bm3ZeS71I7keexEnrZspp%2FQxaT7cJpceXr7ZrKg2HwJu8dMo%2Bcz13Vr%2F9p7MtZ6cIjUMMF3ql8GX%2BYO949RdgS31KNBb1Ln917v7GlLaZhbejgGAYJOFI2YMuWhs3WkZxOZCMy1JnW%2Bbp3OcdyffBt0ToaKaLcUx1mt6kzzOb4Ow%3D%3D--FD5dTEIs8HUBjIdH--P%2B86pTRJ%2FwWUndICVXAaNA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
  Set-Cookie: _octo=GH1.1.1513753117.1611279681; Path=/; Domain=github.com; Expires=Sat, 22 Jan 2022 01:41:21 GMT; Secure; SameSite=Lax
  Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sat, 22 Jan 2022 01:41:21 GMT; HttpOnly; Secure; SameSite=Lax
  Content-Length: 9
  X-GitHub-Request-Id: 8F40:2881:CD3AD3:1222997:600A2D41
2021-01-21 20:41:21 ERROR 404: Not Found.

but overall the point is that git does seems to get 401 with auth availability (although I failed to dig out how exactly it gets it). So I will leave it to the experts to figure out how

Comment by yarikoptic — Fri Jan 22 01:47:46 2021

Remove comment

comment 5

These possibilities seem about equally likely to me:

gogs has not implemented authed access to the files git-annex needs for private repositories
gogs has a bug where it returns 404 rather than 401 when not authed, but serves the files up when authed.

So why try to work around it in git-annex when it's a coin flip whether git-annex can at all, when in either case there's clearly a bug in gogs, and is specifically in code in gogs that is intended to support git-annex?

github has a bad habit of using user-agent to make urls do different things when git accesses them than when other http clients do. That is the case in your example; use wget -U git/1 and it will 401. But I don't see how that's relevant, since git-annex does not talk to github except for a) via git and b) via its git-lfs implementation (which supports http basic auth although I can't remember if I tested it against github's server or only other servers like gitlab).

If github's lfs endpoint did do user-agent sniffing, IMHO that would violate their spec, but also yeah, I'd probably put in some appropiately snarky fake user-agent in git-annex there. But not in general, and none of this says git-annex should be treating 404 like 401.

Comment by joey — Fri Jan 22 18:36:50 2021

Remove comment

comment 6

THANK YOU Joey. That is indeed quite odd ("security through obscurity") behavior from github (note: github returns 401 even if that repo does not exist, so it is at least consistent in not revealing presence/absence of private repos at a url). Feel welcome to close this issue since I guess nothing should indeed be done on git-annex side, and ideally gin portal just returns 401 in such cases

Comment by yarikoptic — Mon Jan 25 15:18:39 2021

Remove comment

comment 7

github's rationalle for the sniffing, such as it is, is that an url to a git repository lets you view it in the web ui, and the same url can be cloned by git.

Agreed, I'll close this in git-annex, and they can fix it in gin.

Comment by joey — Thu Jan 28 16:37:59 2021

Remove comment

Add a comment