Skip to main content

grit_lib/
credentials.rs

1//! Credential layer — Git-compatible credential filling/approval/rejection for
2//! library embedders.
3//!
4//! This is the reusable core lifted from the CLI's `grit credential` command
5//! (`grit/src/commands/credential.rs`). It exposes:
6//!
7//! - [`Credential`] — a structured credential with the standard Git fields
8//!   ([`protocol`](Credential::protocol), [`host`](Credential::host),
9//!   [`path`](Credential::path), [`username`](Credential::username),
10//!   [`password`](Credential::password), [`url`](Credential::url)) plus
11//!   parsing/serialization in Git's `key=value\n…\n\n` credential wire format
12//!   ([`Credential::parse`] / [`Credential::serialize`]).
13//! - [`CredentialProvider`] — the pluggable seam an embedder implements (or
14//!   wraps) to supply credentials.
15//! - [`HelperCredentialProvider`] — the Git-compatible default that runs the
16//!   configured `credential.helper` / `credential.<url>.helper` programs
17//!   (shell `!cmd`, the built-in `store`/`cache` helpers, and external
18//!   `git-credential-*` binaries).
19//!
20//! ## Non-interactive by design
21//!
22//! Unlike the CLI, [`HelperCredentialProvider`] **never** prompts on a TTY or
23//! via askpass. When the configured helpers cannot supply a usable
24//! username/password, [`fill`](CredentialProvider::fill) returns a typed
25//! [`Error::Message`] (see [`NON_INTERACTIVE_MESSAGE`]) rather than blocking on
26//! `/dev/tty`. Interactive prompting is an explicitly opt-in concern an
27//! embedder can layer on top.
28
29use std::io::Write;
30use std::path::PathBuf;
31use std::process::{Command, Stdio};
32
33use crate::config::{parse_bool, ConfigSet};
34use crate::error::{Error, Result};
35
36/// Message returned (as [`Error::Message`]) when credentials are required but
37/// no configured helper could supply a complete username/password and
38/// interactive prompting is disallowed.
39pub const NON_INTERACTIVE_MESSAGE: &str = "credentials required but unavailable (non-interactive)";
40
41/// A structured Git credential.
42///
43/// Mirrors the fields Git's credential protocol exchanges. Round-trips through
44/// the `key=value\n…\n\n` wire format via [`Credential::parse`] and
45/// [`Credential::serialize`]. Any keys outside the named fields below
46/// (`capability[]`, `authtype`, `password_expiry_utc`, …) are preserved in
47/// [`extra`](Credential::extra) so they survive a parse/serialize round-trip
48/// and are forwarded to helpers unchanged.
49#[derive(Clone, Debug, Default, PartialEq, Eq)]
50pub struct Credential {
51    /// `protocol` field (e.g. `https`, `http`, `ssh`).
52    pub protocol: Option<String>,
53    /// `host` field, optionally including a `:port` suffix.
54    pub host: Option<String>,
55    /// `path` field (repository path on the host).
56    pub path: Option<String>,
57    /// `username` field.
58    pub username: Option<String>,
59    /// `password` field (the secret).
60    pub password: Option<String>,
61    /// `url` field — a full URL Git can decompose into the fields above.
62    pub url: Option<String>,
63    /// Any additional `key=value` pairs, in wire order. Multi-valued keys such
64    /// as `capability[]` may appear more than once.
65    pub extra: Vec<(String, String)>,
66}
67
68impl Credential {
69    /// Parse a credential from Git's `key=value\n…` wire format.
70    ///
71    /// Parsing stops at the first blank line (Git's record terminator) or at
72    /// EOF. Trailing `\r` is stripped from each line so the parser accepts both
73    /// LF and CRLF input. Lines without an `=` are ignored.
74    pub fn parse(input: &str) -> Self {
75        let mut cred = Credential::default();
76        for line in input.lines() {
77            let line = line.trim_end_matches('\r');
78            if line.is_empty() {
79                break;
80            }
81            let Some((key, value)) = line.split_once('=') else {
82                continue;
83            };
84            cred.set(key, value);
85        }
86        cred
87    }
88
89    /// Parse from raw bytes (lossy UTF-8); convenience for helper stdout.
90    pub fn parse_bytes(bytes: &[u8]) -> Self {
91        Self::parse(&String::from_utf8_lossy(bytes))
92    }
93
94    /// Serialize to Git's `key=value\n` wire format (no trailing blank line).
95    ///
96    /// Fields are emitted in Git's canonical order
97    /// (protocol, host, path, username, password, url) followed by any
98    /// [`extra`](Credential::extra) entries in their stored order.
99    pub fn serialize(&self) -> String {
100        let mut out = String::new();
101        for (key, value) in self.iter_pairs() {
102            out.push_str(&key);
103            out.push('=');
104            out.push_str(&value);
105            out.push('\n');
106        }
107        out
108    }
109
110    /// Set a field by its Git key name. Unknown keys land in
111    /// [`extra`](Credential::extra). Multi-valued keys (those ending in `[]`)
112    /// always append; named keys overwrite.
113    fn set(&mut self, key: &str, value: &str) {
114        match key {
115            "protocol" => self.protocol = Some(value.to_string()),
116            "host" => self.host = Some(value.to_string()),
117            "path" => self.path = Some(value.to_string()),
118            "username" => self.username = Some(value.to_string()),
119            "password" => self.password = Some(value.to_string()),
120            "url" => self.url = Some(value.to_string()),
121            _ => {
122                if key.ends_with("[]") {
123                    self.extra.push((key.to_string(), value.to_string()));
124                } else if let Some(slot) = self
125                    .extra
126                    .iter_mut()
127                    .find(|(k, _)| k == key)
128                    .map(|(_, v)| v)
129                {
130                    *slot = value.to_string();
131                } else {
132                    self.extra.push((key.to_string(), value.to_string()));
133                }
134            }
135        }
136    }
137
138    /// Look up an `extra` key (first match).
139    fn extra_get(&self, key: &str) -> Option<&str> {
140        self.extra
141            .iter()
142            .find(|(k, _)| k == key)
143            .map(|(_, v)| v.as_str())
144    }
145
146    /// Iterate the credential's key/value pairs in Git's canonical wire order.
147    fn iter_pairs(&self) -> Vec<(String, String)> {
148        let mut pairs = Vec::new();
149        if let Some(v) = &self.protocol {
150            pairs.push(("protocol".to_string(), v.clone()));
151        }
152        if let Some(v) = &self.host {
153            pairs.push(("host".to_string(), v.clone()));
154        }
155        if let Some(v) = &self.path {
156            pairs.push(("path".to_string(), v.clone()));
157        }
158        if let Some(v) = &self.username {
159            pairs.push(("username".to_string(), v.clone()));
160        }
161        if let Some(v) = &self.password {
162            pairs.push(("password".to_string(), v.clone()));
163        }
164        if let Some(v) = &self.url {
165            pairs.push(("url".to_string(), v.clone()));
166        }
167        for (k, v) in &self.extra {
168            pairs.push((k.clone(), v.clone()));
169        }
170        pairs
171    }
172
173    /// True when the credential carries a usable username **and** password.
174    pub fn is_complete(&self) -> bool {
175        self.username.as_deref().is_some_and(|s| !s.is_empty())
176            && self.password.as_deref().is_some_and(|s| !s.is_empty())
177    }
178
179    /// The URL this credential authenticates against, for matching
180    /// `credential.<url>.helper` config entries. Prefers an explicit
181    /// [`url`](Credential::url); otherwise reconstructs it from
182    /// protocol/host/path (matching Git's `credential_apply_config`).
183    pub fn target_url(&self) -> Option<String> {
184        if let Some(u) = self.url.as_deref().filter(|u| !u.trim().is_empty()) {
185            return Some(u.to_string());
186        }
187        let protocol = self.protocol.as_deref()?;
188        let host = self.host.as_deref()?;
189        let mut url = format!("{protocol}://");
190        if let Some(username) = self.username.as_deref().filter(|u| !u.is_empty()) {
191            url.push_str(username);
192            url.push('@');
193        }
194        url.push_str(host);
195        if let Some(path) = self.path.as_deref().filter(|p| !p.is_empty()) {
196            if !path.starts_with('/') {
197                url.push('/');
198            }
199            url.push_str(path);
200        }
201        Some(url)
202    }
203
204    /// Merge a helper's `get` response into this credential: fill any missing
205    /// username/password (and other recognized fields) without clobbering
206    /// values we already hold. `quit` and `capability[]` are tracked in
207    /// `extra` for the caller to inspect.
208    fn merge_response(&mut self, response: &Credential) {
209        if self.username.is_none() {
210            self.username = response.username.clone();
211        }
212        if self.password.is_none() {
213            self.password = response.password.clone();
214        }
215        if self.protocol.is_none() {
216            self.protocol = response.protocol.clone();
217        }
218        if self.host.is_none() {
219            self.host = response.host.clone();
220        }
221        if self.path.is_none() {
222            self.path = response.path.clone();
223        }
224        for (k, v) in &response.extra {
225            // Preserve quit signalling for callers; other extras are advisory.
226            if k == "quit" {
227                self.set(k, v);
228            }
229        }
230    }
231
232    /// Did a helper signal `quit=1`/`quit=true` (stop querying further helpers)?
233    fn wants_quit(&self) -> bool {
234        matches!(self.extra_get("quit"), Some("1") | Some("true"))
235    }
236}
237
238/// The pluggable credential seam an embedder implements (or wraps).
239///
240/// All three methods take a (partial) [`Credential`] describing the target and
241/// return a result; transports call [`fill`](CredentialProvider::fill) before a
242/// request and [`approve`](CredentialProvider::approve) /
243/// [`reject`](CredentialProvider::reject) after, mirroring Git's
244/// `credential_fill` / `credential_approve` / `credential_reject`.
245pub trait CredentialProvider {
246    /// Fill in missing fields (typically username/password) for `input`,
247    /// returning a more-complete [`Credential`]. Implementations that cannot
248    /// supply a usable credential should return a typed [`Error`] rather than
249    /// block on interactive input.
250    fn fill(&self, input: &Credential) -> Result<Credential>;
251
252    /// Mark `cred` as known-good (helpers `store` it).
253    fn approve(&self, cred: &Credential) -> Result<()>;
254
255    /// Mark `cred` as known-bad (helpers `erase` it).
256    fn reject(&self, cred: &Credential) -> Result<()>;
257}
258
259/// Git-compatible [`CredentialProvider`] that runs the configured
260/// `credential.helper` programs.
261///
262/// Built from a [`ConfigSet`]; it resolves the helper list per the target URL
263/// (so `credential.<url>.helper` entries are honored) and invokes each helper
264/// with `get` (for [`fill`](CredentialProvider::fill)), `store` (for
265/// [`approve`](CredentialProvider::approve)), or `erase` (for
266/// [`reject`](CredentialProvider::reject)) exactly as Git does.
267///
268/// **Never prompts.** If no helper yields a complete credential,
269/// [`fill`](CredentialProvider::fill) returns [`Error::Message`] with
270/// [`NON_INTERACTIVE_MESSAGE`].
271pub struct HelperCredentialProvider {
272    config: ConfigSet,
273}
274
275impl HelperCredentialProvider {
276    /// Build a provider from a loaded [`ConfigSet`].
277    pub fn new(config: ConfigSet) -> Self {
278        Self { config }
279    }
280
281    /// The ordered helper list applicable to `target_url`.
282    fn helpers(&self, target_url: Option<&str>) -> Vec<String> {
283        credential_helpers(&self.config, target_url)
284    }
285}
286
287impl CredentialProvider for HelperCredentialProvider {
288    fn fill(&self, input: &Credential) -> Result<Credential> {
289        let mut filled = input.clone();
290        if filled.is_complete() {
291            return Ok(filled);
292        }
293        let target_url = filled.target_url();
294        for helper in self.helpers(target_url.as_deref()) {
295            let response = invoke_helper(&helper, "get", &filled)?;
296            if response.wants_quit() {
297                return Err(Error::Message(format!(
298                    "credential helper '{helper}' told us to quit"
299                )));
300            }
301            filled.merge_response(&response);
302            if filled.is_complete() {
303                return Ok(filled);
304            }
305        }
306        // No helper could complete the credential. The library default does NOT
307        // fall back to an interactive prompt; surface a typed error instead.
308        Err(Error::Message(NON_INTERACTIVE_MESSAGE.to_string()))
309    }
310
311    fn approve(&self, cred: &Credential) -> Result<()> {
312        let target_url = cred.target_url();
313        for helper in self.helpers(target_url.as_deref()) {
314            invoke_helper(&helper, "store", cred)?;
315        }
316        Ok(())
317    }
318
319    fn reject(&self, cred: &Credential) -> Result<()> {
320        let target_url = cred.target_url();
321        for helper in self.helpers(target_url.as_deref()) {
322            invoke_helper(&helper, "erase", cred)?;
323        }
324        Ok(())
325    }
326}
327
328/// Build the effective `credential.helper` list in Git order.
329///
330/// Git walks every `credential.helper` and `credential.<URL>.helper` config
331/// entry in load order. URL-scoped entries only apply when the subsection
332/// pattern matches `target_url` (per Git's URL-match rules). For every
333/// applicable entry, a non-empty value is appended to the helper list and an
334/// empty value resets it (Git's `string_list_clear` semantics in
335/// `credential_apply_config_cb`).
336///
337/// `target_url` is the URL we're authenticating against (e.g.
338/// `https://github.com/owner/repo.git`). When `None`, only unscoped
339/// `credential.helper` entries contribute.
340fn credential_helpers(config: &ConfigSet, target_url: Option<&str>) -> Vec<String> {
341    let mut out = Vec::new();
342    for entry in config.entries() {
343        let key = &entry.key;
344        if key.contains('\n') || key.to_ascii_lowercase().contains("%0a") {
345            continue;
346        }
347        let Some(first_dot) = key.find('.') else {
348            continue;
349        };
350        let Some(last_dot) = key.rfind('.') else {
351            continue;
352        };
353        let section = &key[..first_dot];
354        let variable = &key[last_dot + 1..];
355        if !section.eq_ignore_ascii_case("credential") || !variable.eq_ignore_ascii_case("helper") {
356            continue;
357        }
358        if first_dot != last_dot {
359            let subsection = &key[first_dot + 1..last_dot];
360            if percent_decode_lossy(subsection).contains('\n') {
361                continue;
362            }
363            let Some(target) = target_url else {
364                continue;
365            };
366            if !credential_url_matches(subsection, target) {
367                continue;
368            }
369        }
370        let value = entry.value.as_deref().unwrap_or("");
371        if value.trim().is_empty() {
372            out.clear();
373        } else {
374            out.push(value.to_string());
375        }
376    }
377    out
378}
379
380fn credential_url_matches(pattern: &str, target: &str) -> bool {
381    let pattern = percent_decode_lossy(pattern);
382    if pattern.contains('\n') {
383        return false;
384    }
385    let pattern = pattern.trim_end_matches('/');
386    let pattern_no_user = strip_url_userinfo(pattern);
387    let pattern_after_user = pattern.rsplit_once('@').map(|(_, host)| host);
388    let target = target.trim_end_matches('/');
389    let target_no_user = strip_url_userinfo(target);
390    let target_no_scheme = strip_url_scheme(target);
391    let target_no_scheme_no_user = strip_url_scheme(&target_no_user);
392    let target_path = target_path_component(target);
393
394    let matches = |pattern: &str| {
395        if pattern.starts_with('/') {
396            return credential_prefix_matches(pattern, target_path);
397        }
398        if pattern.ends_with("://") {
399            return target.starts_with(pattern) || target_no_user.starts_with(pattern);
400        }
401        if pattern.contains('*') {
402            return credential_wildcard_matches(pattern, target)
403                || credential_wildcard_matches(pattern, &target_no_user)
404                || credential_wildcard_matches(pattern, target_no_scheme)
405                || credential_wildcard_matches(pattern, target_no_scheme_no_user);
406        }
407        credential_prefix_matches(pattern, target)
408            || credential_prefix_matches(pattern, &target_no_user)
409            || credential_prefix_matches(pattern, target_no_scheme)
410            || credential_prefix_matches(pattern, target_no_scheme_no_user)
411    };
412    matches(pattern)
413        || (pattern_no_user != pattern && matches(&pattern_no_user))
414        || pattern_after_user.is_some_and(matches)
415}
416
417fn credential_prefix_matches(pattern: &str, candidate: &str) -> bool {
418    candidate
419        .strip_prefix(pattern)
420        .is_some_and(|rest| rest.is_empty() || rest.starts_with('/') || pattern.ends_with("://"))
421}
422
423fn credential_wildcard_matches(pattern: &str, candidate: &str) -> bool {
424    let Some((prefix, suffix)) = pattern.split_once('*') else {
425        return false;
426    };
427    let Some(rest) = candidate.strip_prefix(prefix) else {
428        return false;
429    };
430    rest.find(suffix).is_some_and(|idx| {
431        let after = &rest[idx + suffix.len()..];
432        after.is_empty() || after.starts_with('/')
433    })
434}
435
436fn strip_url_scheme(url: &str) -> &str {
437    url.split_once("://").map_or(url, |(_, rest)| rest)
438}
439
440fn strip_url_userinfo(url: &str) -> String {
441    let Some((scheme, rest)) = url.split_once("://") else {
442        return url
443            .rsplit_once('@')
444            .map_or(url, |(_, host)| host)
445            .to_string();
446    };
447    rest.rsplit_once('@')
448        .map_or_else(|| url.to_string(), |(_, host)| format!("{scheme}://{host}"))
449}
450
451fn target_path_component(url: &str) -> &str {
452    let rest = strip_url_scheme(url);
453    let idx = rest
454        .char_indices()
455        .find_map(|(idx, ch)| matches!(ch, '/' | '?' | '#').then_some(idx))
456        .unwrap_or(rest.len());
457    &rest[idx..]
458}
459
460fn percent_decode_lossy(input: &str) -> String {
461    let mut out = Vec::with_capacity(input.len());
462    let bytes = input.as_bytes();
463    let mut idx = 0;
464    while idx < bytes.len() {
465        if bytes[idx] == b'%' && idx + 2 < bytes.len() {
466            if let (Some(hi), Some(lo)) = (hex_value(bytes[idx + 1]), hex_value(bytes[idx + 2])) {
467                out.push((hi << 4) | lo);
468                idx += 3;
469                continue;
470            }
471        }
472        out.push(bytes[idx]);
473        idx += 1;
474    }
475    String::from_utf8_lossy(&out).into_owned()
476}
477
478fn hex_value(byte: u8) -> Option<u8> {
479    match byte {
480        b'0'..=b'9' => Some(byte - b'0'),
481        b'a'..=b'f' => Some(byte - b'a' + 10),
482        b'A'..=b'F' => Some(byte - b'A' + 10),
483        _ => None,
484    }
485}
486
487/// Directories to search for `git-credential-*` the way Git does
488/// (exec-path before `PATH`). Git installs helpers under e.g.
489/// `/usr/libexec/git-core`, which is not on `PATH`.
490fn credential_helper_exec_path_candidates() -> Vec<PathBuf> {
491    let mut v = Vec::new();
492    if let Ok(ep) = std::env::var("GIT_EXEC_PATH") {
493        let p = PathBuf::from(ep.trim());
494        if p.is_dir() {
495            v.push(p);
496        }
497    }
498    for candidate in [
499        "/usr/libexec/git-core",
500        "/Library/Developer/CommandLineTools/usr/libexec/git-core",
501        "/opt/homebrew/opt/git/libexec/git-core",
502        "/opt/homebrew/libexec/git-core",
503        "/usr/lib/git-core",
504        "/usr/local/libexec/git-core",
505    ] {
506        let p = PathBuf::from(candidate);
507        if p.is_dir() {
508            v.push(p);
509        }
510    }
511    v
512}
513
514/// Resolve a helper program name to an executable path. A bare
515/// `git-credential-<name>` is looked up across Git's exec-path candidates
516/// before falling back to `PATH`.
517fn resolve_credential_helper_executable(helper_program: &str) -> PathBuf {
518    if helper_program.contains('/') {
519        return PathBuf::from(helper_program);
520    }
521    if let Some(suffix) = helper_program.strip_prefix("git-credential-") {
522        let exe_name = format!("git-credential-{suffix}");
523        for ep in credential_helper_exec_path_candidates() {
524            let candidate = ep.join(&exe_name);
525            if candidate.is_file() {
526                return candidate;
527            }
528        }
529    }
530    PathBuf::from(helper_program)
531}
532
533/// Invoke an external credential helper program.
534///
535/// The helper may be:
536/// - shell form: `!command ...` (executed by `sh -c`)
537/// - absolute/relative path containing `/`
538/// - bare helper name (expanded to `git-credential-<name>`)
539/// - already-expanded binary (`git-credential-...`)
540///
541/// The built-in `store`/`cache` helpers are re-dispatched through the current
542/// executable's `credential-store`/`credential-cache` subcommands, matching the
543/// CLI's behavior.
544///
545/// The helper is invoked with one action argument (`get`, `store`, `erase`)
546/// after any arguments from the configured helper string. Credential fields are
547/// written to stdin as `key=value` lines followed by a blank line; stdout is
548/// parsed back into a [`Credential`].
549fn invoke_helper(helper: &str, action: &str, creds: &Credential) -> Result<Credential> {
550    let helper_words = shell_words::split(helper)
551        .map_err(|e| Error::Message(format!("invalid credential.helper '{helper}': {e}")))?;
552    let (first_word, extra_args) = match helper_words.split_first() {
553        Some((first, rest)) => (first.as_str(), rest),
554        None => ("", &[][..]),
555    };
556
557    let mut child = if let Some(shell_cmd) = helper.strip_prefix('!') {
558        Command::new("sh")
559            .arg("-c")
560            .arg(format!("{shell_cmd} {action}"))
561            .stdin(Stdio::piped())
562            .stdout(Stdio::piped())
563            .stderr(Stdio::inherit())
564            .spawn()
565            .map_err(|e| {
566                Error::Message(format!(
567                    "failed to run credential helper shell '{helper}': {e}"
568                ))
569            })?
570    } else if matches!(
571        first_word,
572        "store" | "cache" | "git-credential-store" | "git-credential-cache"
573    ) {
574        let subcmd = if first_word.ends_with("store") {
575            "credential-store"
576        } else {
577            "credential-cache"
578        };
579        let exe = std::env::current_exe()
580            .map_err(|e| Error::Message(format!("resolve current executable: {e}")))?;
581        let mut cmd = Command::new(exe);
582        cmd.arg(subcmd);
583        for arg in extra_args {
584            cmd.arg(arg);
585        }
586        cmd.arg(action);
587        cmd.stdin(Stdio::piped())
588            .stdout(Stdio::piped())
589            .stderr(Stdio::inherit())
590            .spawn()
591            .map_err(|e| {
592                Error::Message(format!(
593                    "failed to run built-in credential helper '{subcmd}': {e}"
594                ))
595            })?
596    } else {
597        let helper_program =
598            if first_word.contains('/') || first_word.starts_with("git-credential-") {
599                // Already a path or fully-qualified helper binary; use verbatim.
600                first_word.to_string()
601            } else {
602                // Bare helper name (e.g. `osxkeychain`) -> `git-credential-osxkeychain`.
603                format!("git-credential-{first_word}")
604            };
605        let resolved = resolve_credential_helper_executable(&helper_program);
606        let mut cmd = Command::new(&resolved);
607        for arg in extra_args {
608            cmd.arg(arg);
609        }
610        cmd.arg(action);
611        cmd.stdin(Stdio::piped())
612            .stdout(Stdio::piped())
613            .stderr(Stdio::inherit())
614            .spawn()
615            .map_err(|e| {
616                Error::Message(format!(
617                    "failed to run credential helper '{helper_program}': {e}"
618                ))
619            })?
620    };
621
622    {
623        let stdin = child
624            .stdin
625            .as_mut()
626            .ok_or_else(|| Error::Message("credential helper missing stdin".to_string()))?;
627        stdin.write_all(creds.serialize().as_bytes())?;
628        // Git terminates the credential record with a blank line.
629        stdin.write_all(b"\n")?;
630    }
631
632    let output = child
633        .wait_with_output()
634        .map_err(|e| Error::Message(format!("credential helper '{helper}' failed: {e}")))?;
635    if !output.status.success() {
636        return Err(Error::Message(format!(
637            "credential helper '{helper}' exited with status {}",
638            output.status
639        )));
640    }
641
642    Ok(Credential::parse_bytes(&output.stdout))
643}
644
645/// Whether `credential.useHttpPath` (optionally URL-scoped) is enabled.
646///
647/// Exposed so embedders can decide whether to include the `path` field when
648/// constructing a [`Credential`] for an HTTP(S) target, matching Git.
649pub fn use_http_path(config: &ConfigSet, target_url: Option<&str>) -> bool {
650    credential_config_value(config, target_url, "useHttpPath")
651        .as_deref()
652        .map(|value| parse_bool(value).unwrap_or(false))
653        .unwrap_or(false)
654}
655
656fn credential_config_value(
657    config: &ConfigSet,
658    target_url: Option<&str>,
659    variable_name: &str,
660) -> Option<String> {
661    let mut out = None;
662    for entry in config.entries() {
663        let key = &entry.key;
664        if key.contains('\n') || key.to_ascii_lowercase().contains("%0a") {
665            continue;
666        }
667        let Some(first_dot) = key.find('.') else {
668            continue;
669        };
670        let Some(last_dot) = key.rfind('.') else {
671            continue;
672        };
673        let section = &key[..first_dot];
674        let variable = &key[last_dot + 1..];
675        if !section.eq_ignore_ascii_case("credential")
676            || !variable.eq_ignore_ascii_case(variable_name)
677        {
678            continue;
679        }
680        if first_dot != last_dot {
681            let subsection = &key[first_dot + 1..last_dot];
682            if percent_decode_lossy(subsection).contains('\n') {
683                continue;
684            }
685            let Some(target) = target_url else {
686                continue;
687            };
688            if !credential_url_matches(subsection, target) {
689                continue;
690            }
691        }
692        out = entry.value.clone();
693    }
694    out
695}
696
697/// Windows Credential Manager backing store for the built-in `manager`
698/// credential helper (`gs manager`).
699///
700/// Git for Windows bundles Git Credential Manager (the `manager` helper), but it
701/// is only present when Git for Windows is installed. These functions let `gs`
702/// store and retrieve secrets directly from the Windows Credential Manager
703/// without that dependency. They are only compiled on Windows; the `gs manager`
704/// command errors elsewhere.
705///
706/// Secrets are stored as `CRED_TYPE_GENERIC` entries keyed by a target name of
707/// the form `git:<protocol>://<host>`, matching Git's own `wincred` helper so
708/// the entries are recognizable in the Credential Manager UI.
709#[cfg(windows)]
710pub mod windows_store {
711    use std::ffi::OsStr;
712    use std::os::windows::ffi::OsStrExt;
713
714    use windows_sys::Win32::Foundation::{GetLastError, ERROR_NOT_FOUND};
715    use windows_sys::Win32::Security::Credentials::{
716        CredDeleteW, CredFree, CredReadW, CredWriteW, CREDENTIALW, CRED_PERSIST_LOCAL_MACHINE,
717        CRED_TYPE_GENERIC,
718    };
719
720    use super::Credential;
721    use crate::error::{Error, Result};
722
723    /// The Credential Manager target name a credential is stored under.
724    fn target_name(cred: &Credential) -> Result<String> {
725        let protocol = cred
726            .protocol
727            .as_deref()
728            .filter(|p| !p.is_empty())
729            .ok_or_else(|| Error::Message("credential is missing its protocol".to_owned()))?;
730        let host = cred
731            .host
732            .as_deref()
733            .filter(|h| !h.is_empty())
734            .ok_or_else(|| Error::Message("credential is missing its host".to_owned()))?;
735        Ok(format!("git:{protocol}://{host}"))
736    }
737
738    /// Encode a string as a NUL-terminated UTF-16 buffer for the wide Win32 API.
739    fn wide(s: &str) -> Vec<u16> {
740        OsStr::new(s)
741            .encode_wide()
742            .chain(std::iter::once(0))
743            .collect()
744    }
745
746    /// Read a NUL-terminated wide string from a (possibly null) pointer.
747    ///
748    /// # Safety
749    /// `ptr` must be null or point to a NUL-terminated UTF-16 string owned by a
750    /// live `CREDENTIALW` returned by `CredReadW`.
751    unsafe fn wstr_to_string(ptr: *const u16) -> String {
752        if ptr.is_null() {
753            return String::new();
754        }
755        let mut len = 0usize;
756        while *ptr.add(len) != 0 {
757            len += 1;
758        }
759        String::from_utf16_lossy(std::slice::from_raw_parts(ptr, len))
760    }
761
762    /// Look up the stored username/password for `cred`'s host, if any.
763    pub fn get(cred: &Credential) -> Result<Option<Credential>> {
764        let target = wide(&target_name(cred)?);
765        let mut pcred: *mut CREDENTIALW = std::ptr::null_mut();
766        // SAFETY: `target` is a valid NUL-terminated wide string and `pcred` is a
767        // valid out-pointer; on success Windows allocates the credential for us.
768        let ok = unsafe { CredReadW(target.as_ptr(), CRED_TYPE_GENERIC, 0, &mut pcred) };
769        if ok == 0 {
770            // SAFETY: `GetLastError` is always safe to call after a failed Win32 call.
771            let err = unsafe { GetLastError() };
772            if err == ERROR_NOT_FOUND {
773                return Ok(None);
774            }
775            return Err(Error::Message(format!(
776                "reading from the Windows Credential Manager failed (error {err})"
777            )));
778        }
779
780        // SAFETY: `CredReadW` succeeded, so `pcred` points to a live credential we own
781        // until `CredFree`. We copy out the fields before freeing it.
782        let (username, password) = unsafe {
783            let c = &*pcred;
784            let username = wstr_to_string(c.UserName);
785            let password = if c.CredentialBlob.is_null() || c.CredentialBlobSize == 0 {
786                String::new()
787            } else {
788                let bytes =
789                    std::slice::from_raw_parts(c.CredentialBlob, c.CredentialBlobSize as usize);
790                String::from_utf8_lossy(bytes).into_owned()
791            };
792            (username, password)
793        };
794        // SAFETY: `pcred` came from `CredReadW` and has not been freed yet.
795        unsafe { CredFree(pcred as *const core::ffi::c_void) };
796
797        let mut out = Credential::default();
798        if !username.is_empty() {
799            out.username = Some(username);
800        }
801        if !password.is_empty() {
802            out.password = Some(password);
803        }
804        Ok(Some(out))
805    }
806
807    /// Store `cred`'s password (and username) for its host. A credential with no
808    /// password is a no-op.
809    pub fn store(cred: &Credential) -> Result<()> {
810        let password = match cred.password.as_deref() {
811            Some(p) if !p.is_empty() => p,
812            _ => return Ok(()),
813        };
814        let mut target = wide(&target_name(cred)?);
815        let mut username = wide(cred.username.as_deref().unwrap_or(""));
816        let blob = password.as_bytes();
817
818        // SAFETY: zeroing is valid for this plain-old-data struct; we populate the
819        // fields the API reads below.
820        let mut credential: CREDENTIALW = unsafe { std::mem::zeroed() };
821        credential.Type = CRED_TYPE_GENERIC;
822        credential.TargetName = target.as_mut_ptr();
823        credential.CredentialBlobSize = blob.len() as u32;
824        credential.CredentialBlob = blob.as_ptr() as *mut u8;
825        credential.Persist = CRED_PERSIST_LOCAL_MACHINE;
826        credential.UserName = username.as_mut_ptr();
827
828        // SAFETY: every pointer field references a buffer that outlives the call.
829        let ok = unsafe { CredWriteW(&credential as *const CREDENTIALW, 0) };
830        if ok == 0 {
831            // SAFETY: always safe after a failed Win32 call.
832            let err = unsafe { GetLastError() };
833            return Err(Error::Message(format!(
834                "writing to the Windows Credential Manager failed (error {err})"
835            )));
836        }
837        Ok(())
838    }
839
840    /// Delete the stored credential for `cred`'s host. Succeeds if none exists.
841    pub fn erase(cred: &Credential) -> Result<()> {
842        let target = wide(&target_name(cred)?);
843        // SAFETY: `target` is a valid NUL-terminated wide string.
844        let ok = unsafe { CredDeleteW(target.as_ptr(), CRED_TYPE_GENERIC, 0) };
845        if ok == 0 {
846            // SAFETY: always safe after a failed Win32 call.
847            let err = unsafe { GetLastError() };
848            if err != ERROR_NOT_FOUND {
849                return Err(Error::Message(format!(
850                    "deleting from the Windows Credential Manager failed (error {err})"
851                )));
852            }
853        }
854        Ok(())
855    }
856}
857
858#[cfg(test)]
859mod tests {
860    use super::*;
861
862    #[test]
863    fn parse_round_trips_named_fields() {
864        let input =
865            "protocol=https\nhost=example.com\nusername=alice\npassword=secret\n\nignored=x\n";
866        let cred = Credential::parse(input);
867        assert_eq!(cred.protocol.as_deref(), Some("https"));
868        assert_eq!(cred.host.as_deref(), Some("example.com"));
869        assert_eq!(cred.username.as_deref(), Some("alice"));
870        assert_eq!(cred.password.as_deref(), Some("secret"));
871        // Parsing stops at the blank line.
872        assert!(cred.extra.is_empty());
873    }
874
875    #[test]
876    fn serialize_uses_canonical_order() {
877        let cred = Credential {
878            protocol: Some("https".into()),
879            host: Some("h".into()),
880            username: Some("u".into()),
881            password: Some("p".into()),
882            ..Default::default()
883        };
884        assert_eq!(
885            cred.serialize(),
886            "protocol=https\nhost=h\nusername=u\npassword=p\n"
887        );
888    }
889
890    #[test]
891    fn target_url_reconstructed_from_fields() {
892        let cred = Credential {
893            protocol: Some("https".into()),
894            host: Some("github.com".into()),
895            path: Some("o/r.git".into()),
896            ..Default::default()
897        };
898        assert_eq!(
899            cred.target_url().as_deref(),
900            Some("https://github.com/o/r.git")
901        );
902    }
903}