How to use credentials from git-credential helper

Question

How to use credentials from git-credential helper

jeroen opened this issue 7 years ago · 4 comments

Is it possible to make libgit2 authenticate using credentials that the user has previously stored via the command line git? Specifically Git for Windows defaults to storing credentials in Git Credential Manager for Windows which speaks the credential helper protocol.

I think this involves shelling out to git credential fill but maybe there is more to it. Is there an example that implements something like this? A git_cred_ helper function would also be very useful.

@dscho

Answer 1 · 2018-10-31T13:44:20.000Z

As you've noted, this isn't something that we have built-in support for - we don't exec programs directly for a plurality of reasons. But indeed, it should be relatively straightforward to call out to the git credential fill command from a credential callback.

We do have an example of credential callbacks but we don't have an example for one that exec's something.

Answer 2 · 2018-10-31T16:34:54.000Z

So for future reference, to get credentials from e.g. github.com the callback needs to invoke a shell command equivalent to this:

printf "protocol=https\nhost=github.com\n" | git credential fill

If credential for the given host is stored, those are returned, and otherwise the user is prompted for a username/password. The output is then printed to stdout like this:

protocol=https
host=github.com
username=jerry
password=2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

Which you can then feed back to git_cred_userpass_plaintext_new in the callback.

Answer 3 · 2019-01-03T16:09:09.000Z

I already wrote a (GPLed) framework executing external commands from libgit2 (for filters and ssh; cf. https://gitlab.com/tortoisegit/tortoisegit/tree/master/src/libgit2). I haven't found the time for extending it for the credential API, yet, but I'm open for contributions.

Answer 4 · 2024-10-16T08:29:21.000Z

So for future reference, to get credentials from e.g. github.com the callback needs to invoke a shell command equivalent to this:
printf "protocol=https\nhost=github.com\n" | git credential fill
If credential for the given host is stored, those are returned, and otherwise the user is prompted for a username/password. The output is then printed to stdout like this:
protocol=https
host=github.com
username=jerry
password=2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
Which you can then feed back to git_cred_userpass_plaintext_new in the callback.

To adapt this to a windows C/C++ environment, I needed to use _popen("git credential fill < temp_file.txt", "r"), which opens a pipe to read the stdout output of git credential fill. The temp_file.txt was previously populated with

protocol=https
host=github.com

The reason I used a file instead of piping it in on the command line is passing input and reading output on the same pipe is not possible. The output string was constructed by reading from the pipe using fgets. Don't forget _pclose() as well.