vcs_cli_support/credentials.rs
1//! Credential provisioning for the CLI wrappers.
2//!
3//! Remote operations (a forge API call, a `git`/`jj` fetch or push against an
4//! authenticated remote) need a secret the toolkit deliberately does **not**
5//! store. By default every backend authenticates through its CLI's *own* ambient
6//! credential system (`gh`/`glab` logins, git credential helpers, the SSH agent)
7//! — the toolkit holds nothing. This module adds an **opt-in** seam for callers
8//! that want to supply a secret *per operation* instead: a CI job minting a
9//! short-lived token, an agent acting for different accounts, a vault-backed
10//! rotation. You implement (or pick a built-in) [`CredentialProvider`]; the
11//! backend resolves it just-in-time and injects the secret through the relevant
12//! CLI's *native* non-interactive mechanism — never persisting it.
13//!
14//! How the secret reaches each CLI (chosen so the value never lands in `argv`,
15//! which is broadly observable; only an env-var *name* or a token value in the
16//! process environment is used):
17//!
18//! - **GitHub** (`gh`) → `GH_TOKEN` environment variable.
19//! - **GitLab** (`glab`) → `GITLAB_TOKEN` environment variable.
20//! - **git** (`fetch`/`push`/`clone`) → an inline `credential.helper` that emits
21//! the secret read from an environment variable *by name* (see
22//! [`git_credential_helper`]); the secret value is never an argument.
23//! - **Gitea** (`tea`) and **Jujutsu** (`jj`) — no per-operation injection: `tea`
24//! authenticates only from its stored logins, and `jj`'s in-process git backend
25//! offers no per-invocation credential override. Both stay on ambient auth.
26//!
27//! Secrets are wrapped in [`Secret`], which redacts itself in `Debug`/`Display`
28//! so a stray log line can't leak a token. (It does **not** securely zero memory
29//! on drop — that is out of scope; rely on OS-level protections for that.)
30
31use std::fmt;
32
33use async_trait::async_trait;
34use processkit::Result;
35
36/// A secret value — an API token, a password — that **redacts itself** whenever
37/// it is formatted, so it can't leak into a log line or an error message. Read
38/// the underlying value only at the point of use, via [`expose`](Secret::expose).
39///
40/// Redaction is the achievable guarantee here; this type does **not** securely
41/// scrub its memory on drop.
42///
43/// Deliberately **not** `PartialEq`/`Eq`: comparing secrets with `String`'s
44/// short-circuiting `==` is timing-variable and turns the type into an equality
45/// oracle. Compare the [`expose`](Secret::expose)d value explicitly if you must.
46#[derive(Clone)]
47pub struct Secret(String);
48
49impl Secret {
50 /// Wrap a secret value.
51 #[must_use]
52 pub fn new(value: impl Into<String>) -> Self {
53 Self(value.into())
54 }
55
56 /// Borrow the underlying secret. Call this only where the value is actually
57 /// needed (e.g. setting an environment variable on a command); don't store
58 /// or log the result.
59 #[must_use]
60 pub fn expose(&self) -> &str {
61 &self.0
62 }
63}
64
65impl fmt::Debug for Secret {
66 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
67 f.write_str("Secret(\"***\")")
68 }
69}
70
71impl fmt::Display for Secret {
72 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
73 f.write_str("***")
74 }
75}
76
77impl From<String> for Secret {
78 fn from(value: String) -> Self {
79 Self(value)
80 }
81}
82
83impl From<&str> for Secret {
84 fn from(value: &str) -> Self {
85 Self(value.to_string())
86 }
87}
88
89/// A resolved credential: a [`Secret`] plus an optional username. For a forge
90/// token only the secret is used; for git HTTPS the username pairs with the
91/// secret as the password (a personal-access token).
92///
93/// Not `PartialEq`/`Eq` (it holds a [`Secret`], which intentionally is neither).
94#[derive(Clone, Debug)]
95pub struct Credential {
96 username: Option<String>,
97 secret: Secret,
98}
99
100impl Credential {
101 /// A bare token/secret with no username (the forge case, and git HTTPS where
102 /// any username is accepted). For git HTTPS a default username
103 /// (`x-access-token`, which GitHub/GitLab personal-access tokens accept) is
104 /// supplied automatically; use [`userpass`](Credential::userpass) if your host
105 /// needs a specific one. Forge token-env injection ignores the username.
106 #[must_use]
107 pub fn token(secret: impl Into<Secret>) -> Self {
108 Self {
109 username: None,
110 secret: secret.into(),
111 }
112 }
113
114 /// A username paired with a secret (git HTTPS user/password, where the
115 /// password is typically a personal-access token). The username is used only
116 /// for **git HTTPS**; forge token-env injection (`GH_TOKEN`/`GITLAB_TOKEN`)
117 /// uses only the secret and ignores the username.
118 #[must_use]
119 pub fn userpass(username: impl Into<String>, secret: impl Into<Secret>) -> Self {
120 Self {
121 username: Some(username.into()),
122 secret: secret.into(),
123 }
124 }
125
126 /// The username, if one was supplied.
127 #[must_use]
128 pub fn username(&self) -> Option<&str> {
129 self.username.as_deref()
130 }
131
132 /// The secret (token/password).
133 #[must_use]
134 pub fn secret(&self) -> &Secret {
135 &self.secret
136 }
137}
138
139/// Which backend/tool is asking for a credential — lets a provider return
140/// different secrets per service. `#[non_exhaustive]`: new backends may be added.
141#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
142#[non_exhaustive]
143pub enum CredentialService {
144 /// A `git` remote operation (fetch/push/clone over HTTPS).
145 Git,
146 /// A GitHub (`gh`) API operation.
147 GitHub,
148 /// A GitLab (`glab`) API operation.
149 GitLab,
150 /// A Gitea (`tea`) API operation. Reserved: `tea` has no per-operation token
151 /// mechanism today, so no backend currently emits this — it exists so a
152 /// provider can be written against it once `tea` gains support.
153 Gitea,
154}
155
156/// The context of a credential request: which service, and the remote host if
157/// the backend knows it (forge calls often defer host resolution to the CLI, so
158/// `host` is frequently `None`). `#[non_exhaustive]`: more context may be added.
159#[derive(Clone, Copy, Debug)]
160#[non_exhaustive]
161pub struct CredentialRequest<'a> {
162 /// The backend/tool making the request.
163 pub service: CredentialService,
164 /// The remote host (e.g. `github.com`), if known.
165 pub host: Option<&'a str>,
166}
167
168impl<'a> CredentialRequest<'a> {
169 /// A request for `service` with no known host.
170 #[must_use]
171 pub fn new(service: CredentialService) -> Self {
172 Self {
173 service,
174 host: None,
175 }
176 }
177
178 /// Attach a known remote host.
179 #[must_use]
180 pub fn with_host(mut self, host: &'a str) -> Self {
181 self.host = Some(host);
182 self
183 }
184}
185
186/// Supplies a [`Credential`] for a [`CredentialRequest`], just-in-time. Returning
187/// `Ok(None)` means "I have nothing for this request" — the backend then falls
188/// back to its ambient CLI auth, exactly as if no provider were configured.
189///
190/// Implement this for a vault/keychain lookup, per-account routing, or token
191/// rotation; for simple cases use [`StaticCredential`], [`EnvToken`], or
192/// [`provider_fn`]. The trait is async and dyn-compatible, so a backend can hold
193/// an `Arc<dyn CredentialProvider>`.
194#[async_trait]
195pub trait CredentialProvider: Send + Sync {
196 /// Resolve the credential for `request`, or `Ok(None)` to defer to ambient
197 /// auth. An `Err` aborts the operation (e.g. the vault was unreachable).
198 ///
199 /// A returned credential whose secret is **empty** is treated as `None`
200 /// (ambient) by the clients — an empty token can't authenticate, and injecting
201 /// one would override the ambient login with nothing rather than defer to it.
202 async fn credential(&self, request: &CredentialRequest<'_>) -> Result<Option<Credential>>;
203}
204
205/// A provider that always yields the same [`Credential`] for every request — the
206/// common "use this one token" case.
207#[derive(Clone, Debug)]
208pub struct StaticCredential(Credential);
209
210impl StaticCredential {
211 /// Always supply `credential`.
212 #[must_use]
213 pub fn new(credential: Credential) -> Self {
214 Self(credential)
215 }
216
217 /// Always supply a bare token.
218 #[must_use]
219 pub fn token(secret: impl Into<Secret>) -> Self {
220 Self(Credential::token(secret))
221 }
222}
223
224#[async_trait]
225impl CredentialProvider for StaticCredential {
226 async fn credential(&self, _request: &CredentialRequest<'_>) -> Result<Option<Credential>> {
227 Ok(Some(self.0.clone()))
228 }
229}
230
231/// A provider that reads a bare token from a named **environment variable**, at
232/// request time. If the variable is unset/empty it yields `None` (fall back to
233/// ambient auth) rather than erroring — handy for "use `$MY_TOKEN` if present".
234#[derive(Clone, Debug)]
235pub struct EnvToken {
236 var: String,
237 username: Option<String>,
238}
239
240impl EnvToken {
241 /// Read the token from environment variable `var`.
242 #[must_use]
243 pub fn new(var: impl Into<String>) -> Self {
244 Self {
245 var: var.into(),
246 username: None,
247 }
248 }
249
250 /// Pair the token with a username (for git HTTPS).
251 #[must_use]
252 pub fn with_username(mut self, username: impl Into<String>) -> Self {
253 self.username = Some(username.into());
254 self
255 }
256}
257
258#[async_trait]
259impl CredentialProvider for EnvToken {
260 async fn credential(&self, _request: &CredentialRequest<'_>) -> Result<Option<Credential>> {
261 match std::env::var(&self.var) {
262 // A set-but-blank (or whitespace-only) variable is treated as unset →
263 // `None` (defer to ambient auth), not an empty token that would override
264 // the ambient login with nothing.
265 Ok(value) if !value.trim().is_empty() => Ok(Some(match &self.username {
266 Some(user) => Credential::userpass(user.clone(), value),
267 None => Credential::token(value),
268 })),
269 _ => Ok(None),
270 }
271 }
272}
273
274/// Adapt a synchronous closure into a [`CredentialProvider`]. The closure runs at
275/// request time and returns the credential (or `None` to defer to ambient auth).
276/// For async sources (a network vault), implement [`CredentialProvider`] directly.
277#[must_use]
278pub fn provider_fn<F>(f: F) -> FnProvider<F>
279where
280 F: Fn(&CredentialRequest<'_>) -> Result<Option<Credential>> + Send + Sync,
281{
282 FnProvider(f)
283}
284
285/// A [`CredentialProvider`] backed by a synchronous closure (see [`provider_fn`]).
286pub struct FnProvider<F>(F);
287
288impl<F> fmt::Debug for FnProvider<F> {
289 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
290 f.debug_struct("FnProvider").finish_non_exhaustive()
291 }
292}
293
294#[async_trait]
295impl<F> CredentialProvider for FnProvider<F>
296where
297 F: Fn(&CredentialRequest<'_>) -> Result<Option<Credential>> + Send + Sync,
298{
299 async fn credential(&self, request: &CredentialRequest<'_>) -> Result<Option<Credential>> {
300 (self.0)(request)
301 }
302}
303
304/// The default username git uses when a [`Credential`] supplies none. GitHub (and
305/// GitLab) accept any username when the password is a personal-access token, so a
306/// fixed placeholder works; `git` still requires *a* username.
307const DEFAULT_GIT_USERNAME: &str = "x-access-token";
308
309/// Environment-variable name carrying the username for [`git_credential_helper`].
310const GIT_USERNAME_VAR: &str = "VCS_TOOLKIT_GIT_USERNAME";
311/// Environment-variable name carrying the secret for [`git_credential_helper`].
312const GIT_PASSWORD_VAR: &str = "VCS_TOOLKIT_GIT_PASSWORD";
313
314/// The pieces needed to authenticate a `git` HTTPS operation with a [`Credential`]
315/// **without putting the secret in `argv`**. See [`git_credential_helper`].
316///
317/// `#[non_exhaustive]`: only [`git_credential_helper`] constructs it, so new fields
318/// can be added without breaking callers (who read the fields, never build it).
319#[derive(Clone, Debug)]
320#[non_exhaustive]
321pub struct GitCredentialHelper {
322 /// `-c key=value` global options to place **before** the git subcommand. They
323 /// reference the secret only by environment-variable *name*, never by value.
324 pub config_args: Vec<String>,
325 /// Environment variables (name → value) to set on the command. This is where
326 /// the actual secret lives — in the child's environment, not its arguments.
327 pub env: Vec<(String, Secret)>,
328}
329
330/// Build a git `credential.helper` invocation that supplies `cred` over HTTPS
331/// while keeping the secret out of `argv` (which is broadly observable). The
332/// returned [`config_args`](GitCredentialHelper::config_args) install an inline
333/// helper that prints the credential read from two environment variables; the
334/// secret value appears only in [`env`](GitCredentialHelper::env), i.e. the child
335/// process environment. A leading empty `credential.helper=` first clears any
336/// inherited helper so only ours runs.
337///
338/// The helper is a tiny POSIX-shell snippet: git runs `credential.helper` values
339/// that begin with `!` via the shell it ships with (so this works on Windows too,
340/// where Git for Windows bundles its own `sh` — it never goes through `cmd.exe`).
341/// It applies to **HTTPS remotes only**: git invokes a credential helper just for
342/// HTTP(S) user/password auth, so an SSH remote ignores it and falls through to
343/// the SSH agent. It is opt-in — built only when a [`CredentialProvider`] yields a
344/// credential — so the default path is unchanged. The helper answers only git's
345/// `get` action (never `store`/`erase`), so the secret is never written to a
346/// credential cache or config; it lives only in the child's environment.
347///
348/// The username/secret must not contain a newline: git's credential protocol is
349/// line-based, so an embedded `\n` is read as the end of the value (git truncates
350/// there). Real tokens and usernames never contain one.
351#[must_use]
352pub fn git_credential_helper(cred: &Credential) -> GitCredentialHelper {
353 let username = cred.username().unwrap_or(DEFAULT_GIT_USERNAME).to_string();
354 // Reference the values by env-var NAME inside the snippet, so `argv` never
355 // carries the secret. Respond only to git's `get` action; ignore store/erase.
356 // Guard on the password var being non-empty (`test -n`): if `config_args` is
357 // applied without `env` (the two fields must travel together), the helper emits
358 // nothing and git falls through to ambient auth — never an empty credential that
359 // would override the ambient login with nothing and fail.
360 let helper = format!(
361 "!f() {{ test \"$1\" = get && test -n \"${GIT_PASSWORD_VAR}\" && \
362 printf 'username=%s\\npassword=%s\\n' \
363 \"${GIT_USERNAME_VAR}\" \"${GIT_PASSWORD_VAR}\"; }}; f"
364 );
365 GitCredentialHelper {
366 config_args: vec![
367 "-c".to_string(),
368 "credential.helper=".to_string(),
369 "-c".to_string(),
370 format!("credential.helper={helper}"),
371 ],
372 env: vec![
373 (GIT_USERNAME_VAR.to_string(), Secret::new(username)),
374 (GIT_PASSWORD_VAR.to_string(), cred.secret().clone()),
375 ],
376 }
377}
378
379#[cfg(test)]
380mod tests {
381 use super::*;
382
383 #[test]
384 fn secret_redacts_in_debug_and_display() {
385 let s = Secret::new("hunter2");
386 assert_eq!(format!("{s:?}"), "Secret(\"***\")");
387 assert_eq!(format!("{s}"), "***");
388 // The value is only reachable through `expose`.
389 assert_eq!(s.expose(), "hunter2");
390 // A Credential's Debug must not leak the secret either.
391 let c = Credential::userpass("alice", "hunter2");
392 let dbg = format!("{c:?}");
393 assert!(!dbg.contains("hunter2"), "secret leaked in Debug: {dbg}");
394 assert!(dbg.contains("alice"), "username should be visible: {dbg}");
395 }
396
397 #[tokio::test]
398 async fn static_and_env_and_fn_providers() {
399 let req = CredentialRequest::new(CredentialService::GitHub);
400
401 let s = StaticCredential::token("tok");
402 assert_eq!(
403 s.credential(&req).await.unwrap().unwrap().secret().expose(),
404 "tok"
405 );
406
407 // EnvToken: absent → None; present → the token.
408 let env = EnvToken::new("VCS_TOOLKIT_TEST_TOKEN_UNSET_XYZ");
409 assert!(env.credential(&req).await.unwrap().is_none());
410
411 // provider_fn routes on the request.
412 let p = provider_fn(|r: &CredentialRequest<'_>| {
413 Ok(match r.service {
414 CredentialService::GitHub => Some(Credential::token("gh")),
415 _ => None,
416 })
417 });
418 assert_eq!(
419 p.credential(&req).await.unwrap().unwrap().secret().expose(),
420 "gh"
421 );
422 let gl = CredentialRequest::new(CredentialService::GitLab);
423 assert!(p.credential(&gl).await.unwrap().is_none());
424 }
425
426 // EnvToken's present-variable path: a set variable yields the token (the most
427 // common "use $CI_TOKEN" provider); the username pairs through `with_username`.
428 #[tokio::test]
429 async fn env_token_reads_a_present_variable() {
430 let req = CredentialRequest::new(CredentialService::Git);
431 // A unique name so no other (parallel) test reads or writes it.
432 let var = "VCS_TOOLKIT_TEST_ENV_TOKEN_PRESENT_4f2a";
433 // SAFETY: edition-2024 requires `unsafe` for env mutation; the name is
434 // unique to this test, so there is no concurrent reader of it.
435 unsafe { std::env::set_var(var, "tok-from-env") };
436 let provider = EnvToken::new(var).with_username("alice");
437 let cred = provider
438 .credential(&req)
439 .await
440 .unwrap()
441 .expect("present variable yields a credential");
442 assert_eq!(cred.secret().expose(), "tok-from-env");
443 assert_eq!(cred.username(), Some("alice"));
444 // Once removed, it falls back to None (ambient).
445 unsafe { std::env::remove_var(var) };
446 assert!(provider.credential(&req).await.unwrap().is_none());
447 }
448
449 #[test]
450 fn git_credential_helper_keeps_secret_out_of_argv() {
451 let cred = Credential::userpass("alice", "s3cr3t");
452 let h = git_credential_helper(&cred);
453 // The secret value must NOT appear in any config arg (only the env-var name).
454 for a in &h.config_args {
455 assert!(!a.contains("s3cr3t"), "secret leaked into argv: {a}");
456 }
457 assert!(
458 h.config_args
459 .iter()
460 .any(|a| a.contains("VCS_TOOLKIT_GIT_PASSWORD"))
461 );
462 // A leading empty helper clears inherited helpers.
463 assert!(h.config_args.iter().any(|a| a == "credential.helper="));
464 // The secret + username live in the env, keyed by the helper's var names.
465 let pw = h
466 .env
467 .iter()
468 .find(|(k, _)| k == "VCS_TOOLKIT_GIT_PASSWORD")
469 .unwrap();
470 assert_eq!(pw.1.expose(), "s3cr3t");
471 let user = h
472 .env
473 .iter()
474 .find(|(k, _)| k == "VCS_TOOLKIT_GIT_USERNAME")
475 .unwrap();
476 assert_eq!(user.1.expose(), "alice");
477 }
478
479 #[test]
480 fn git_credential_helper_defaults_username() {
481 let h = git_credential_helper(&Credential::token("t"));
482 let user = h
483 .env
484 .iter()
485 .find(|(k, _)| k == "VCS_TOOLKIT_GIT_USERNAME")
486 .unwrap();
487 assert_eq!(user.1.expose(), DEFAULT_GIT_USERNAME);
488 }
489
490 #[test]
491 fn git_credential_helper_is_immune_to_shell_metacharacters() {
492 // A hostile username/secret must stay inert: they're carried as env
493 // VALUES, and the helper snippet references them only by env-var NAME
494 // (double-quoted), so the user-controlled bytes never enter the argv.
495 let cred = Credential::userpass("$(rm -rf /); x", "tok'; echo pwned");
496 let h = git_credential_helper(&cred);
497 for a in &h.config_args {
498 assert!(
499 !a.contains("rm -rf"),
500 "username metachars reached argv: {a}"
501 );
502 assert!(!a.contains("pwned"), "secret reached argv: {a}");
503 }
504 // They are preserved verbatim in the env, where the shell only ever
505 // expands them as a quoted variable value.
506 let user = h
507 .env
508 .iter()
509 .find(|(k, _)| k == "VCS_TOOLKIT_GIT_USERNAME")
510 .unwrap();
511 assert_eq!(user.1.expose(), "$(rm -rf /); x");
512 }
513}