Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[JENKINS-35959] Don't prompt interactively for credentials
Use git 2.3+ GIT_TERMINAL_PROMPT=0 to prevent git auth prompt.
Older git versions may continue to prompt for interactive credentials,
since they don't recognize the GIT_TERMINAL_PROMPT variable.

Command line git prompts for authentication if connected to a terminal.
Jenkins agents running as a service are not connected to a terminal.
Jenkins agents running from a desktop (Windows or interactive docker)
may run a git process which prompts for authentication.  This setting
should reduce the ways that a newer command line git installation can
block.  Support for GIT_TERMINAL_PROMPT was first added in git 2.3.

Don't prompt from Git Credentials Manager (Windows).

Refer to
https://github.com/Microsoft/Git-Credential-Manager-for-Windows/blob/105a222711afd00166182b0d95776572a40f57af/Cli-Shared/Program.cs#L62

User can return to old behavior with the CliGitAPIImpl property
org.jenkinsci.plugins.gitclient.CliGitAPIImpl.promptForAuthentication=true
  • Loading branch information
MarkEWaite committed Oct 14, 2017
1 parent c20862d commit 8988615
Showing 1 changed file with 34 additions and 0 deletions.
34 changes: 34 additions & 0 deletions src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
Expand Up @@ -86,6 +86,33 @@ public class CliGitAPIImpl extends LegacyCompatibleGitAPIImpl {
*/
public static final boolean USE_SETSID = Boolean.valueOf(System.getProperty(CliGitAPIImpl.class.getName() + ".useSETSID", "false"));

/**
* Set promptForAuthentication=true if you must allow command line git
* versions 2.3 and later to prompt the user for authentication.
*
* Command line git prompting for authentication should be rare, since
* Jenkins credentials should be managed through the credentials plugin.
*
* Command line git 2.3 and later read the environment variable
* GIT_TERMINAL_PROMPT. If it has the value 0, then git will not prompt the
* user for authentication, even if a terminal is available (as when running
* a Jenkins agent from the Windows desktop, or when running it
* interactively from the command line, or from a Docker image). If a
* terminal is not available (most services on Windows and Linux), then
* command line git will not prompt for authentication, whether or not
* GIT_TERMINAL_PROMPT is set.
*
* GCM_INTERACTIVE=never is the environment variable which should
* cause the git credential manager for windows to never prompt
* for credentials.
*
* Credential prompting could happen on multiple platforms, but is
* more common on Windows computers because many Windows agents
* run from the desktop environment. Agents running on the
* desktop are much less common in the Unix environments.
*/
private static final boolean PROMPT_FOR_AUTHENTICATION = Boolean.valueOf(System.getProperty(CliGitAPIImpl.class.getName() + ".promptForAuthentication", "false"));

/**
* CALL_SETSID decides if command line git can use the setsid program
* during ssh based authentication to detach git from its controlling
Expand Down Expand Up @@ -1581,6 +1608,13 @@ private String launchCommandWithCredentials(ArgumentListBuilder args, File workD
File pass = null;
File askpass = null;
EnvVars env = environment;
if (!PROMPT_FOR_AUTHENTICATION && isAtLeastVersion(2, 3, 0, 0)) {
env = new EnvVars(env);
env.put("GIT_TERMINAL_PROMPT", "0"); // Don't prompt for auth from command line git
if (isWindows()) {
env.put("GCM_INTERACTIVE", "never"); // Don't prompt for auth from git credentials manager for windows
}
}
try {
if (credentials instanceof SSHUserPrivateKey) {
SSHUserPrivateKey sshUser = (SSHUserPrivateKey) credentials;
Expand Down

0 comments on commit 8988615

Please sign in to comment.