mirror of
https://gitea.com/gitea/tea.git
synced 2026-06-05 18:58:43 +02:00
Tyler
6dd33b5f4f
Closes #1013. ## Background While trying to use `tea` from a non-interactive context I hit a friction point: after `tea login add` succeeded, plain `git push` over HTTPS still prompted for credentials. I filed #1013 as a feature request to add credential helper integration — then found, on reading the source, that the integration **already exists**: - `tea login add` accepts `--helper` (alias `-j`), which calls `task.SetupHelper` to register a credential helper in `~/.gitconfig`. - `tea login helper get` correctly implements git's credential protocol, reading the request from stdin and returning `protocol`/`host`/`username`/`password` lines. - `tea login helper setup` does the same for every configured login. I verified end-to-end that this works as advertised: after `tea login helper setup`, an HTTPS `git push` against a configured Gitea host authenticates silently using the stored token, no prompts, with `GIT_TERMINAL_PROMPT=0` set as a safety check. So the feature is fine. The problem is that nobody can find it: | Surface | Before | Issue | |---|---|---| | Flag name on `tea login add` | `--helper` (alias `-j`) | Generic; nothing tying it to git or credentials | | Flag usage text | `"Add helper"` | Says nothing | | `tea login helper` command | `Hidden: true` | Not in `tea login --help` | | `tea login helper` usage | `"Git helper"` | Says nothing | | `tea login helper` description | `"Git helper"` | Same string again | | `store/erase` subcommand description | `"Command drops"` | Sentence fragment, no meaning | | `setup` subcommand description | `"Setup helper to tea authenticate"` | Awkward, doesn't explain what it touches | | `get` subcommand description | `"Get token to auth"` | Doesn't mention git, stdin, or the credential protocol | | Mention in `tea login add --help` | None | Feature is invisible | ## What this patch does Purely cosmetic / documentation changes — **no behavior changes**: 1. Renames `--helper` to `--git-credentials`, keeping `--helper` and `-j` as aliases so existing scripts and muscle memory keep working. 2. Removes `Hidden: true` from `tea login helper` so it appears in `tea login --help`. 3. Rewrites every placeholder `Usage` and `Description` string in the helper command tree to describe what the thing actually does. 4. Expands the top-level `Description` of `tea login add` to mention the option and explain what it does. 5. Prints a one-line hint after a successful non-helper login: `Tip: pass --git-credentials (or run 'tea login helper setup') to authenticate 'git push' and 'git clone' over HTTPS with this token.` The credential helper protocol implementation, `SetupHelper`'s gitconfig writes, and the `get`/`store`/`setup` action functions are all unchanged. ## Help output after the patch ``` $ tea login --help COMMANDS: ... helper, git-credential Act as a git credential helper for stored Gitea logins ... $ tea login helper --help NAME: tea logins helper - Act as a git credential helper for stored Gitea logins DESCRIPTION: Speaks git's credential helper protocol so that HTTPS push and clone operations against your configured Gitea instances authenticate silently using the tokens tea already stores. Typical use is automatic: 'tea login add --git-credentials' (or 'tea login helper setup' for existing logins) registers '!tea login helper' as a credential helper in ~/.gitconfig. Git then invokes the 'get' subcommand when it needs credentials for a configured host. COMMANDS: store, erase No-op (git credential protocol store/erase) setup Register tea as a git credential helper for every configured login get Return the stored token for a URL (git credential protocol) ``` ## Open questions for the reviewer A few choices in here that are subjective — happy to change any of them: - **Flag name**: `--git-credentials` was the first clear name I tried. `--credential-helper` and `--git-helper` are also reasonable. Or keep `--helper` as canonical and just fix its usage text. - **Canonical subcommand name**: I kept `helper` as canonical with `git-credential` as alias, matching what was already there. Could flip this — `gh` uses `gh auth git-credential` as canonical with no `helper` form. - **Should `--git-credentials` default to true?** Most users probably want it on; the current opt-in design surprises them. But flipping the default is a behavior change so I left it alone here. - **Should the hint be silenced by an env var or a config flag?** I left it always-on for the people who need to see it; can gate it if it bothers automation users. - **Teardown on `tea login delete`** would parallel the setup behavior, but is genuinely a separate change. Not in this PR. --- This patch was authored interactively with an AI assistant, driven and reviewed by a human (Tyler / @dinsmoor) every step. *pull request created by Tyler's lovingly wrangled demon machine <3* --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://gitea.com/gitea/tea/pulls/1014 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Tyler <tyler@dinsmoor.us> Co-committed-by: Tyler <tyler@dinsmoor.us>
156 lines
4.4 KiB
Go
156 lines
4.4 KiB
Go
// Copyright 2020 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package login
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"fmt"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/urfave/cli/v3"
|
|
|
|
"gitea.dev/tea/modules/config"
|
|
"gitea.dev/tea/modules/task"
|
|
)
|
|
|
|
// CmdLoginHelper represents to login a gitea helper.
|
|
var CmdLoginHelper = cli.Command{
|
|
Name: "helper",
|
|
Aliases: []string{"git-credential"},
|
|
Usage: "Act as a git credential helper for stored Gitea logins",
|
|
Description: `Speaks git's credential helper protocol so that HTTPS push and clone
|
|
operations against your configured Gitea instances authenticate silently
|
|
using the tokens tea already stores.
|
|
|
|
Typical use is automatic: 'tea login add --git-credentials' (or 'tea login
|
|
helper setup' for existing logins) registers '!tea login helper' as a
|
|
credential helper in ~/.gitconfig. Git then invokes the 'get' subcommand
|
|
when it needs credentials for a configured host.`,
|
|
Commands: []*cli.Command{
|
|
{
|
|
Name: "store",
|
|
Aliases: []string{"erase"},
|
|
Usage: "No-op (git credential protocol store/erase)",
|
|
Description: "No-op invoked by git on credential store/erase; tea persists credentials only in its own config",
|
|
Action: func(requestCtx context.Context, _ *cli.Command) error {
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
Name: "setup",
|
|
Usage: "Register tea as a git credential helper for every configured login",
|
|
Description: "Register tea as a git credential helper in ~/.gitconfig for every configured login",
|
|
Action: func(requestCtx context.Context, _ *cli.Command) error {
|
|
logins, err := config.GetLogins()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, login := range logins {
|
|
added, err := task.SetupHelper(login)
|
|
if err != nil {
|
|
return err
|
|
} else if added {
|
|
fmt.Printf("Added \"%s\"\n", login.Name)
|
|
} else {
|
|
fmt.Printf("\"%s\" has already been added!\n", login.Name)
|
|
}
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
Name: "get",
|
|
Usage: "Return the stored token for a URL (git credential protocol)",
|
|
Description: "Return the stored token for a given URL in git's credential helper protocol (called by git, reads request from stdin)",
|
|
Flags: []cli.Flag{
|
|
&cli.StringFlag{
|
|
Name: "login",
|
|
Aliases: []string{"l"},
|
|
Usage: "Use a specific login",
|
|
},
|
|
},
|
|
Action: func(requestCtx context.Context, cmd *cli.Command) error {
|
|
wants := map[string]string{}
|
|
s := bufio.NewScanner(os.Stdin)
|
|
for s.Scan() {
|
|
line := s.Text()
|
|
if line == "" {
|
|
break
|
|
}
|
|
parts := strings.SplitN(line, "=", 2)
|
|
if len(parts) < 2 {
|
|
continue
|
|
}
|
|
key, value := parts[0], parts[1]
|
|
if key == "url" {
|
|
u, err := url.Parse(value)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
wants["protocol"] = u.Scheme
|
|
wants["host"] = u.Host
|
|
wants["path"] = u.Path
|
|
wants["username"] = u.User.Username()
|
|
wants["password"], _ = u.User.Password()
|
|
} else {
|
|
wants[key] = value
|
|
}
|
|
}
|
|
|
|
if len(wants["host"]) == 0 {
|
|
return fmt.Errorf("hostname is required")
|
|
} else if len(wants["protocol"]) == 0 {
|
|
wants["protocol"] = "http"
|
|
}
|
|
|
|
// Use --login flag if provided, otherwise fall back to host lookup
|
|
var userConfig *config.Login
|
|
if loginName := cmd.String("login"); loginName != "" {
|
|
var lookupErr error
|
|
userConfig, lookupErr = config.GetLoginByName(loginName)
|
|
if lookupErr != nil {
|
|
return lookupErr
|
|
}
|
|
if userConfig == nil {
|
|
return fmt.Errorf("login '%s' not found", loginName)
|
|
}
|
|
} else {
|
|
var lookupErr error
|
|
userConfig, lookupErr = config.GetLoginByHost(wants["host"])
|
|
if lookupErr != nil {
|
|
return lookupErr
|
|
}
|
|
if userConfig == nil {
|
|
return fmt.Errorf("no login found for host '%s'", wants["host"])
|
|
}
|
|
}
|
|
|
|
if len(userConfig.GetAccessToken()) == 0 {
|
|
return fmt.Errorf("user not set")
|
|
}
|
|
|
|
host, err := url.Parse(userConfig.URL)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Refresh token if expired or near expiry (updates userConfig in place)
|
|
if err = userConfig.RefreshOAuthTokenIfNeeded(); err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = fmt.Fprintf(os.Stdout, "protocol=%s\nhost=%s\nusername=%s\npassword=%s\n", host.Scheme, host.Host, userConfig.User, userConfig.GetAccessToken())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
},
|
|
},
|
|
},
|
|
}
|