Search code examples
bashgitcredentials

GIT_ASKPASS with user and password

I am working in a Docker container with git --version 2.20.1, the base image is Debian 10. I would like to clone a git repository through HTTPS using GIT_ASKPASS or even better the configuration property core.askpass. Here is what I tried:

GIT_ASKPASS=$(mktemp) && chmod a+rx $GIT_ASKPASS && export GIT_ASKPASS
cat > $GIT_ASKPASS <<< '#!/bin/bash
    exec printf "$JENKINS_CREDENTIALS_USR\n$JENKINS_CREDENTIALS_PSW\n"
'

Originally I was running it in Jenkins, but I saw that I am able to reproduce the same issue in a simple docker container. $JENKINS_CREDENTIALS_USR and $JENKINS_CREDENTIALS_PSW are defined like this:

JENKINS_CREDENTIALS_USR=myuser
JENKINS_CREDENTIALS_PSW=mypass
export JENKINS_CREDENTIALS_USR
export JENKINS_CREDENTIALS_PSW

I have not any global configuration property set. ~/.git-credentials does not exist. The error is:

fatal: Authentication failed for 'https://myserver.com/git/project.git/'

It works by specifying the username in the HTTPS url, like this

git clone https://[email protected]/git/project.git .

and printing the password only in the script pointed by GIT_ASKPASS, so I am wondering why it does not work without the username in the url. The documentation clearly says that

If the GIT_ASKPASS environment variable is set, the program specified by the variable is invoked. A suitable prompt is provided to the program on the command line, and the user's input is read from its standard output.

Because when I try to clone, I am asked for both username and password, what is wrong with the original GIT_ASKPASS script?

Solution

  • I found the solution here. All credits go to @AlexeyPelykh, I just adapted his script.

    When trying to git clone, our shell script is called once for each prompted line, basically:

    $GIT_ASKPASS "Username for ..."
$GIT_ASKPASS "Password for ..."

    The problem in my original script is that it returns both the username and password independently from what I am asked for. That is also the reason why in the second case (with the username specified in the URL), it works, in fact I just need the password and it returns only that.

    This is how I changed my original script to make it work with GIT_ASKPASS:

    GIT_ASKPASS=$(mktemp) && chmod a+rx $GIT_ASKPASS && export GIT_ASKPASS
cat > $GIT_ASKPASS <<< '#!/bin/bash
case "$1" in
    Username*) exec echo "$JENKINS_CREDENTIALS_USR" ;;
    Password*) exec echo "$JENKINS_CREDENTIALS_PSW" ;;
esac
'

    In case you want to use the configuration variable core.askPass, replace the first two line with these ones:

    git_askPass_script=$(mktemp) && chmod a+rx $git_askPass_script
cat > $git_askPass_script <<< '#!/bin/bash

    And set the configuration variable with:

    git config --global core.askPass "$git_askPass_script"

    Or even better

    git -c core.askPass="$git_askPass_script" clone ...