go-gerrit

Simpler fix for credentials with characters such as '/'.

Open dmitshur opened this issue 6 years ago • 2 comments

Thanks for describing the problem in great detail in PR #39 @opalmer.

I suspect there may be a much simpler fix, which I'd like to discuss. Consider this comment:

https://github.com/andygrunwald/go-gerrit/blob/70bbb05ea8c6502189a73862f956dac687b91075/gerrit.go#L101-L104

If I'm not mistaken, that URL gets parsed correctly by url.Parse. It's just that the URL itself is not correctly escaped, so it doesn't produce the results you want.

Let's use the url.URL.String method to construct a URL with "http" schema, "admin" username, "ZOSOKjgV/kgEkN0bzPJp+oGeJLqpXykqWFJpon/Ckg" password, and "localhost:38607" host:

u := &url.URL{
	Scheme: "http",
	User:   url.UserPassword("admin", "ZOSOKjgV/kgEkN0bzPJp+oGeJLqpXykqWFJpon/Ckg"),
	Host:   "localhost:38607",
}
fmt.Println(u.String())

// Output: http://admin:ZOSOKjgV%2FkgEkN0bzPJp+oGeJLqpXykqWFJpon%2FCkg@localhost:38607

(See on playground: https://play.golang.org/p/M3cq7xWI2eE.)

Note that the / character in the password gets escaped to %2F.

When we parse that URL with url.Parse, it produces the expected results:

u, err := url.Parse("http://admin:ZOSOKjgV%2FkgEkN0bzPJp+oGeJLqpXykqWFJpon%2FCkg@localhost:38607")
if err != nil {
	log.Fatalln(err)
}
fmt.Println(u.Scheme)
fmt.Println(u.User.Username())
fmt.Println(u.User.Password())
fmt.Println(u.Host)

// Output:
// http
// admin
// ZOSOKjgV/kgEkN0bzPJp+oGeJLqpXykqWFJpon/Ckg true
// localhost:38607

(See on playground: https://play.golang.org/p/01GMpYMMzsw.)

Notably, the original "ZOSOKjgV/kgEkN0bzPJp+oGeJLqpXykqWFJpon/Ckg" password is preserved.

So, I believe as long as the URL is correctly escaped, the logic added in #39 isn't needed and can be reverted. That would simplify the code. What do you think @opalmer?

dmitshur, May 07 '18 15:05

Really good catch. At first glance, I am with @shurcooL here. His reasoning seems to be valid. Let's wait for @opalmer's opinion.

andygrunwald, May 09 '18 00:05

Agreed with @andygrunwald, nice catch! I'm all for simplifying the code and would support a PR to fix this too.

Last I remember there are some specific tests that will need to be updated or removed to reflect the change you're making. You probably should also consider adding some tests specifically to make sure that http basic auth works properly with your change.

opalmer, May 09 '18 12:05
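The kind of check discussed in this thread, as an added example that is not part of the issue or of go-gerrit's code: it builds the credential URL through url.URL, confirms the password survives url.Parse, and captures the Basic auth credentials net/http derives from the userinfo without touching the network. The helper names (credentialURL, parsedPassword, basicAuthSent, captureTransport) are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// credentialURL builds the URL through url.URL so that reserved characters
// in the password (such as '/') are percent-encoded in the userinfo part.
func credentialURL(scheme, host, user, pass string) string {
	u := url.URL{Scheme: scheme, Host: host, User: url.UserPassword(user, pass)}
	return u.String()
}

// parsedPassword returns the password url.Parse recovers from raw.
func parsedPassword(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	pass, _ := u.User.Password() // safe on a nil *Userinfo
	return pass, nil
}

// captureTransport records the outgoing request instead of using the network.
type captureTransport struct{ req *http.Request }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.req = r
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Header: http.Header{}, Request: r}, nil
}

// basicAuthSent reports the Basic auth credentials that net/http derives from
// the userinfo in rawURL, i.e. what a server would decode from the header.
func basicAuthSent(rawURL string) (user, pass string, err error) {
	t := &captureTransport{}
	resp, err := (&http.Client{Transport: t}).Get(rawURL)
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	user, pass, _ = t.req.BasicAuth()
	return user, pass, nil
}

func main() {
	pass := "ZOSOKjgV/kgEkN0bzPJp+oGeJLqpXykqWFJpon/Ckg" // password quoted in the issue
	raw := credentialURL("http", "localhost:38607", "admin", pass)
	fmt.Println(raw)
	fmt.Println(basicAuthSent(raw))
	fmt.Println(parsedPassword("http://admin:" + pass + "@localhost:38607")) // unescaped form
}
```

A URL assembled by plain string concatenation either fails to parse or yields a different password, which is the case a regression test should pin down.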