gitcreds icon indicating copy to clipboard operation
gitcreds copied to clipboard

Published 20 hours ago verified publisher icon r-lib

Ship our own credential helper on Linux

Open gaborcsardi opened this issue 1 year ago • 16 comments

This is tricky for many reasons:

  • should the credential helper call R? That is messy and not super reliable. Or should it be a standalone binary? That seems like a better option.
  • how should be actually store credentials. We need to look at what gh does Linux. It apparently installs its own handler and stores credentials internally: 
    root@99340efa4c28:~# cat .gitconfig
[credential "https://github.com"]
    helper =
    helper = !/usr/bin/gh auth git-credential
[credential "https://gist.github.com"]
    helper =
    helper = !/usr/bin/gh auth git-credential

gaborcsardi avatar Mar 25 '23 11:03 gaborcsardi

Well, gh does implement a very simple credential helper that just stores the tokens in the gh config files, in plain text:

root@99340efa4c28:~# cat .config/gh/hosts.yml
github.com:
    oauth_token: <token>
    user: gaborcsardi
    git_protocol: https

So this is not any better than the built in "store" credential helper that stores the tokens in ~/.git-credentials.

We could certainly have something like this in gitcreds, but it seems questionable to introduce yet another plain text file with credentials.... we could store it the same place as gh, though.

gaborcsardi avatar Mar 25 '23 14:03 gaborcsardi

Just expressing interest in this feature!

We have seen a number of folks struggle when transitioning from RStudio Desktop to Posit Workbench or RStudio Server as they are relying on guidance from Happy Git with R or the underlying gitcreds workflows.

jthomasmock avatar Sep 27 '23 15:09 jthomasmock

@jthomasmock As AFAIK there is no way to store credentials in Workbench currently (but FIXME), I think we cannot do better than the built-in 'store' credential helper, which just writes the credentials to plain text files.

But then maybe we could help the user set that up, with documentation and possibly a helper function?

gaborcsardi avatar Sep 27 '23 15:09 gaborcsardi

I honestly think that writing to the .Renviron file would be fine as that's generally what we would recommend anyway. On Linux, would it make sense to just stick with that?

https://happygitwithr.com/https-pat.html?q=renviron#pat-doesnt-persist-on-linux

IE have gitcreds::gitcreds_set() write out to .Renviron and then it could get pulled with gitcreds::gitcreds_get()? This could still be transparent through the messaging of gitcreds:

#> -> Your current credentials for 'https://github.com':
#> 
#>   protocol: https
#>   host    : github.com
#>   username: gaborcsardi
#>   password: <-- hidden -->
#> 
#> -> What would you like to do?
#> 
#> 1: Keep these credentials
#> 2: Replace these credentials
#> 3: See the password / token
#> 
#> Selection: 2
#> 
#> ? Enter new password or token: secret
#> -> Removing current credentials...
#> -> Adding new credentials to .Renviron...  <---- something like this.
#> -> Done.

jthomasmock avatar Sep 28 '23 01:09 jthomasmock

A proper credential helper has many advantages over storing credentials in .Renviron. Although gitcreds supports setting host-specific credentials (e.g. GitHub, GitLab, Azure, etc.) from env vars, it does not support other customization, e.g. repository-specific (URL-specific) credentials and other possible customizations. These only work with a proper git credential store.

The other main advantage is that if we use a credential helper, then command line git, (and every other tool that uses the credentials store, like the github cli, etc.) will be able to use that.

gaborcsardi avatar Sep 28 '23 07:09 gaborcsardi

I just tried calling

system("git config --global credential.helper store")

on colorado, and it seems to work well.

What's somewhat surprising to me is that different sessions share the same home directory, so you'll get one set of credentials across all sessions. I guess that is a feature.

So I think that we would need to update our advice in usethis and in gitcreds as well, probably, to say that people should set up the 'store' credential helper.

gaborcsardi avatar Sep 29 '23 18:09 gaborcsardi

Thanks for looking into this Gabor!

What's somewhat surprising to me is that different sessions share the same home directory, so you'll get one set of credentials across all sessions. I guess that is a feature

Yes, we persist information into the user's directory in NFS, so that users can safely resume or work on various projects over time.

If I recall correctly, @leesahanders and @rikagx were facing an issue with persisting the config, and after referencing this blogpost they ended up trying:

git config --global credential.helper 'store --file ~/.my-credentials'
# OR
git config --global credential.helper 'cache --timeout=10000000'

Lisa or Rika, was that able to persist the behavior for both the shell and RStudio?

jthomasmock avatar Oct 03 '23 15:10 jthomasmock

@jthomasmock Happy to confirm that using git config --global credential.helper 'store --file ~/.my-credentials' worked for me for persistence. This was especially useful for testing on a Sagemaker deployment where the home directories persist but any files saved onto the transient EC2 local drive would be lost once the session was spun down.

Unfortunately the downside to this method is that the file isn't saved with any encryption, which could be a problem for enterprise customers with security requirements. Would love thoughts for any other options that could be explored! The blog post mentioned by @jthomasmock suggested libsecret and gcm core, possibly worth considering recommending as part of the Workbench installation?

leesahanders avatar Oct 03 '23 16:10 leesahanders

Yeah, that blog post is geared towards a desktop Linux I think. The cache helper is not great for workbench because it stores the credentials "in" a background process, so if the session is paused then I think that process dies. Setting a longer timeout does not help with this.

So we are left with the store credential helper.

gaborcsardi avatar Oct 03 '23 16:10 gaborcsardi

So we are left with the store credential helper.

Which isn't WORSE than .Renviron but is better for both terminal and R/RStudio use.

jthomasmock avatar Oct 03 '23 17:10 jthomasmock

Why do you actually think it is worse than .Renviron? I would say that it is not more or less secure and it is much more flexible.

gaborcsardi avatar Oct 03 '23 17:10 gaborcsardi

Re libsecret, we cannot use that in workbench, in practice it requires a GUI, and it is very hard, possibly impossible to make it work at the command line.

gaborcsardi avatar Oct 03 '23 17:10 gaborcsardi

Why do you actually think it is worse than .Renviron? I would say that it is not more or less secure and it is much more flexible.

Apologies for the double negative.

I think that store is better, ie NOT any worse than .Renviron, both have some issues in being plain-text, but store is directly tied to git.

jthomasmock avatar Oct 03 '23 18:10 jthomasmock

Apologies for the double negative.

Apologies for not being able to read. 🙈

gaborcsardi avatar Oct 03 '23 18:10 gaborcsardi

Hello! Stumbled on this after starting with a fresh install of ubuntu. What about git-credential-libsecret e.g. https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e ?

sudo apt install make libsecret-1-0 libsecret-1-dev libglib2.0-dev
sudo make --directory=/usr/share/doc/git/contrib/credential/libsecret
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

tanho63 avatar Nov 30 '23 15:11 tanho63

@tanho63 libsecret only works on desktop Linux with a GUI, in practice, unfortunately.

gaborcsardi avatar Nov 30 '23 19:11 gaborcsardi

From r-hub/rhub#581

Due to this, if we register our own commands, something like pak::pak() seems to hang permanently.

eitsupi avatar May 14 '24 14:05 eitsupi