r-lib / credentials

Tools for Managing SSH and Git Credentials

Home Page: https://docs.ropensci.org/credentials

License: Other

R 99.47% Shell 0.53%
git password r rstats ssh

Contributors: jennybc, jeroen, maelle
credentials's Issues

pkgdown site

Can credentials get the same pkgdown setup as gert? I'd like to start linking to it from usethis.

`id_rsa` permissions

I was just trying out credentials::ssh_setup_github() and everything seems to work until I try to clone (this is in a clean container with no .ssh folder) where I get the following:

~$ git clone [email protected]:rundel/test-private.git
Cloning into 'test-private'...
Warning: Permanently added the RSA host key for IP address '140.82.112.4' to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/guest/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/guest/.ssh/id_rsa": bad permissions
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The ssh keys are generated with -rw-r--r-- default permissions on this system.

~$ ls -la .ssh
total 20
drwxr-xr-x 2 guest users 4096 Jul 23 18:25 .
drwxrwxr-x 8 guest users 4096 Jul 23 18:29 ..
-rw-r--r-- 1 guest users 1744 Jul 23 18:26 id_rsa
-rw-r--r-- 1 guest users  381 Jul 23 18:23 id_rsa.pub
-rw-r--r-- 1 guest users 2210 Jul 23 18:29 known_hosts

Would it be possible to have the creation process remove the group and other permissions automatically?
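A way to check for and correct the condition reported above, as an added example that is not part of the original issue or of the credentials package. The function names are hypothetical. It flags private keys in a directory that carry any group or other permission bit, which is the condition OpenSSH rejects with "bad permissions", and with --fix resets them to 0600.

```shell
#!/bin/sh
# Added example (not from the credentials package): audit a directory for
# private key files whose mode grants any access to group or other.

# is_private_key FILE
# True if the first line looks like a PEM or OpenSSH private key header.
is_private_key() {
    head -n 1 -- "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# too_open FILE
# True if any group/other bit is set. Characters 5-10 of the ls mode string
# are the group and other triplets; a protected key shows "------" there.
too_open() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# audit_ssh_keys DIR [--fix]
# Prints each private key in DIR that is too open. Without --fix, returns 1
# if any were found. With --fix, sets them to 0600 and returns 0.
# Public keys and known_hosts are left alone: they are not secret.
audit_ssh_keys() {
    dir=$1
    fix=${2:-}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # regular files only
        [ -L "$f" ] && continue          # do not follow symlinks
        is_private_key "$f" || continue
        if too_open "$f"; then
            if [ "$fix" = "--fix" ]; then
                chmod 600 -- "$f" && echo "fixed: $f"
            else
                echo "too open: $f"
                found=1
            fi
        fi
    done
    return $found
}

# Usage: audit_ssh_keys "$HOME/.ssh"        (report only)
#        audit_ssh_keys "$HOME/.ssh" --fix  (report and chmod 600)
```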

Verbosity

More re: me trying to control verbosity of credentials and gert in usethis's usage.

credentials itself is also emitting messages and also the kind that look like errors (the "Looking up https credentials ..." here). Maybe credentials could use the same inform() approach as gert?

[screenshot]

Add warning for macOS xcrun errors?

I don't know how it got past the defenses, but somehow loading this package on macOS that did not have developer tools set up ended up causing an error (carpentries/sandpaper-docs#33 (comment)). I confirmed that the user was using version 1.3.0:

xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
Error: .onLoad failed in loadNamespace() for 'credentials', details:
  call: NULL
  error: Failed to call 'git help -a'
> packageVersion(“credentials”)
[1] ‘1.3.0’
> R.version
               _
platform       x86_64-apple-darwin17.0
arch           x86_64
os             darwin17.0
system         x86_64, darwin17.0
status
major          4
minor          0.2
year           2020
month          06
day            22
svn rev        78730
language       R
version.string R version 4.0.2 (2020-06-22)
nickname       Taking Off Again

From what I can tell, the reason it got to this error message is that Sys.which('git') will return /usr/bin/git, so the has_git_cmd() works, but it will error when calling credential_helper_list():

helper <- credential_helper_list()[1]

But since this is in a tryCatch block, I have no clue why exactly it would result in an error, but it is indeed being caught by loadNamespace() and treated as an error.

prefer or accept token keyed by username

I'm running into a problem where credentials::set_github_pat(verbose = FALSE) (I think) won't find the correct entry in my (macOS) keychain, and therefore will always ask me interactively, even though there is a PAT in the keychain.

Here's how to reproduce this (executable reprex is a bit difficult b/c of interactive nature):

  1. set a PAT on GitHub (for example via usethis::create_github_token)
  2. ingest the token to the git credentials manager via gitcreds::gitcreds_set() (choose update; I already had info in there probably because of gh cli usage?)
  3. retrieve the token from the GCM (macOS keychain) and store it as an env var via credentials::set_github_pat()

This did not retrieve the token from the GCM, but instead asked for another one:

If prompted for GitHub credentials, enter your PAT in the password field
Password for 'https://[email protected]': 

─ Session info ───────────────────────────────────────────────────────────────
 setting  value                       
 version  R version 4.1.0 (2021-05-18)
 os       macOS Big Sur 11.4          
 system   x86_64, darwin17.0          
 ui       X11                         
 language en_US.UTF-8 git             
 collate  en_US.UTF-8                 
 ctype    en_US.UTF-8                 
 tz       Europe/Berlin               
 date     2021-06-17                  

─ Packages ───────────────────────────────────────────────────────────────────
 package     * version date       lib source        
 askpass       1.1     2019-01-13 [1] CRAN (R 4.1.0)
 cli           2.5.0   2021-04-26 [1] CRAN (R 4.1.0)
 credentials   1.3.0   2020-07-21 [1] CRAN (R 4.1.0)
 openssl       1.4.4   2021-04-30 [1] CRAN (R 4.1.0)
 sessioninfo   1.1.1   2018-11-05 [1] CRAN (R 4.1.0)
 sys           3.4     2020-07-23 [1] CRAN (R 4.1.0)
 withr         2.4.2   2021-04-18 [1] CRAN (R 4.1.0)

[1] /Library/Frameworks/R.framework/Versions/4.1/Resources/library

Problems with RStudio Connect installation - could we modify the `.onLoad` to fail less severely?

Currently we have an issue where rsconnect/packrat are somehow insisting on publishing credentials as a dependency of one of our applications.

The problem with this is that credentials won't install in the restricted (sandboxed) security space where we're running our RStudio Connect installation.

Example part of our application publish logs:

2021/04/20 09:14:27.234881673 Error: Command failed (1)
2021/04/20 09:14:27.234904603 
2021/04/20 09:14:27.234976523 Failed to run system command:
2021/04/20 09:14:27.234980743 
2021/04/20 09:14:27.235009739 	'/opt/R/4.0.2/lib/R/bin/R' --vanilla CMD INSTALL --preclean '/opt/rstudio-connect/mnt/tmp/Rtmp5fBl45/credentials' --library='/opt/rstudio-connect/mnt/app/packrat/lib/x86_64-pc-linux-gnu/4.0.2' --install-tests --no-docs --no-multiarch --no-demo 
2021/04/20 09:14:27.235035739 
2021/04/20 09:14:27.235066940 The command failed with output:
2021/04/20 09:14:27.235070376 * installing *source* package ‘credentials’ ...
2021/04/20 09:14:27.235098316 ** package ‘credentials’ successfully unpacked and MD5 sums checked
2021/04/20 09:14:27.235102006 ** using staged installation
2021/04/20 09:14:27.235128333 ** R
2021/04/20 09:14:27.235132053 ** inst
2021/04/20 09:14:27.235158977 ** byte-compile and prepare package for lazy loading
2021/04/20 09:14:27.235162227 ** help
2021/04/20 09:14:27.235188930 *** installing help indices
2021/04/20 09:14:27.235192000 ** building package indices
2021/04/20 09:14:27.235218800 ** installing vignettes
2021/04/20 09:14:27.235221890 ** testing if installed package can be loaded from temporary location
2021/04/20 09:14:27.235271267 error: could not lock config file /home/rstudio-connect/.gitconfig: Permission denied
2021/04/20 09:14:27.235275537 Error: package or namespace load failed for ‘credentials’:
2021/04/20 09:14:27.235303420  .onLoad failed in loadNamespace() for 'credentials', details:
2021/04/20 09:14:27.235306587   call: NULL
2021/04/20 09:14:27.235333547   error: Failed to call 'git config --global credential.helper cache'
2021/04/20 09:14:27.235336587 Error: loading failed
2021/04/20 09:14:27.235363554 Execution halted
2021/04/20 09:14:27.235366444 ERROR: loading failed
2021/04/20 09:14:27.235393507 * removing ‘/opt/rstudio-connect/mnt/app/packrat/lib/x86_64-pc-linux-gnu/4.0.2/credentials’

I'm not entirely sure still of quite how/why credentials is being pulled into one of our applications which is being deployed into our RStudio Connect server... and I am digging into that - see some notes on rstudio/rsconnect#505

However, I was also wondering if credentials would be interested in a PR which would allow credentials to fail with warnings rather than errors in onLoad

.onLoad <- function(libname, pkgname){
?

load failure when git stub found on macOS

Currently, renv is failing R CMD check on CRAN's r-oldrel-macos machine:

https://www.r-project.org/nosvn/R.check/r-oldrel-macos-x86_64/renv-00check.html

  > renv:::renv_tests_init()
  xcodebuild: error: SDK "/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk" cannot be located.
  git: error: unable to find utility "git", not a developer tool or in PATH
  xcodebuild: error: SDK "/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk" cannot be located.
  git: error: unable to find utility "git", not a developer tool or in PATH
  Error: (converted from warning) .onLoad failed in loadNamespace() for 'credentials', details:
    call: NULL
    error: Failed to call 'git help -a'
  Execution halted

It looks like the credentials package is trying to use git on startup, and that is failing?

I suspect that this needs to be fixed on the CRAN side (why aren't command line tools installed on that machine?) but figured it would be worth filing here for posterity since the issue may affect users who haven't installed command line tools on their machine.

error: unused arguments

It looks like the error message I'm receiving is different than previous posts. Please see the line regarding "unused arguments".

$ R CMD INSTALL credentials_1.3.0.tar.gz
* installing to library ‘R/x86_64-pc-linux-gnu-library/3.5’
* installing *source* package ‘credentials’ ...
** package ‘credentials’ successfully unpacked and MD5 sums checked
** R
** inst
** byte-compile and prepare package for lazy loading
** help
*** installing help indices
** building package indices
** installing vignettes
** testing if installed package can be loaded
Error: package or namespace load failed for ‘credentials’:
 .onLoad failed in loadNamespace() for 'credentials', details:
  call: sys::exec_wait(git, command, std_out = outcon, std_err = verbose,
  error: unused arguments (std_in = input, timeout = timeout)
Error: loading failed
Execution halted
ERROR: loading failed
* removing ‘R/x86_64-pc-linux-gnu-library/3.5/credentials’

Here is the output from sessionInfo()

R version 3.5.3 (2019-03-11)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Red Hat Enterprise Linux Server 7.9 (Maipo)

Matrix products: default
BLAS: /opt/R/R-3.5.3/lib64/R/lib/libRblas.so
LAPACK: /opt/R/R-3.5.3/lib64/R/lib/libRlapack.so

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C               LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8     LC_MONETARY=en_US.UTF-8   
 [6] LC_MESSAGES=en_US.UTF-8    LC_PAPER=en_US.UTF-8       LC_NAME=C                  LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

loaded via a namespace (and not attached):
[1] compiler_3.5.3 tools_3.5.3    renv_0.14.0

Move `master` branch to `main`

The master branch of this repository will soon be renamed to main, as part of a coordinated change across several GitHub organizations (including, but not limited to: tidyverse, r-lib, tidymodels, and sol-eng). We anticipate this will happen by the end of September 2021.

That will be preceded by a release of the usethis package, which will gain some functionality around detecting and adapting to a renamed default branch. There will also be a blog post at the time of this master --> main change.

The purpose of this issue is to:

  • Help us firm up the list of targeted repositories
  • Make sure all maintainers are aware of what's coming
  • Give us an issue to close when the job is done
  • Give us a place to put advice for collaborators re: how to adapt

message id: euphoric_snowdog

Allow GITHUB_TOKEN as well as GITHUB_PAT

Some but not all R packages which use git credentials are hard-coded to expect tokens to be stored as GITHUB_PAT only. The official GitHub cli now only accepts tokens stored as GITHUB_TOKEN. GitHub should be granted the authority here to specify token nomenclature, so it would be good if GITHUB_TOKEN worked in all credentials processes.

`ssh_keygen()` needs to add requirements to RSA keys

Currently, ssh_keygen() creates an RSA key with SHA-1, which is not allowed now. See this GitHub blog.

This might cause an error in usethis::use_github_release() (r-lib/usethis#1634).

Error in libgit2::git_remote_fetch : 
  ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

fatal: credential-cache unavailable; no unix socket support

I am seeing the following error message when setting my credentials for a private GitLab instance from my company Windows laptop:

credentials::git_credential_ask("https://gitlab.private.com")
#> fatal: credential-cache unavailable; no unix socket support
#> $protocol
#> [1] "https"

#> $host
#> [1] "gitlab.private.com"

#> $username
#> [1] "My.Username"

#> $password
#> [1] "XXXXXXXXXXXXXXXXXX"

#> attr(,"class")
#> [1] "git_credential"

I get that fatal error message but it does retrieve the correct credentials.

My credential helper is store (credential-manager), not cache:

credentials::credential_helper_get()
#> [1] "manager"

Any idea why it complains about the credential-cache when my credential helper is the Windows Credential Manager?

Note that I originally found this issue when trying to use gert. Any operation that requires authentication showed the same fatal error message about the credential-cache and failed to retrieve my credentials, thus prompting me to enter my credentials every time.

I do not see this behaviour in my company Mac laptop and everything works fine there.

Set GitHub PAT permanently on AWS-Lightsail

I am using credentials::set_github_pat() on AWS-Lightsail (Ubuntu, personal User) and it works basically fine.

However, when I restart the instance, RStudio asks me again for PW/User.

Also if I run credentials::set_github_pat() after restart, I am getting asked for the PAT again.

Is there a way around this and set the PAT permanently? What could be the issue?

Edit: Also writing credentials::set_github_pat() into .Renviron as recommended in this blogpost https://ropensci.org/blog/2020/07/07/github-pat/ doesn't solve this and instead leads to the following error msg. in RStudioServer after a reboot.

[image]

Abstract the diagnostics printed in onAttach() into an exported function

usethis has a git_sitrep() function that reveals a lot about a user's Git setup, for diagnostic and troubleshooting purposes. In the past, this revealed info re: the git2r outlook.

Since usethis is shifting away from git2r in favour of gert + credentials, I want to reveal similar info. gert::libgit2_config() covers gert pretty well.

I'd like to include similar info from credentials.

Can we take the smarts in .onAttach() and move them into an actual exported function that other packages can call?

https://github.com/r-lib/credentials/blob/master/R/onattach.R

I'd love to get my hands on some of this info programmatically:

> library(credentials)
Found git version 2.24.3 (Apple Git-128)
Supported HTTPS credential helpers: cache, store
Found OpenSSH_8.1p1, LibreSSL 2.7.3
Default SSH key: /Users/jenny/.ssh/id_rsa

credential_approve timeouts with latest git

With recent git versions on Linux and Windows we see a timeout (maybe due to user prompt)

> ### Name: credential_api
> ### Title: Retrieve and store git HTTPS credentials
> ### Aliases: credential_api credential_fill credential_approve
> ###   credential_reject
> 
> ### ** Examples
> 
> ## No test: 
> # Insert example cred
> example <- list(protocol = "https", host = "example.org",
+   username = "test", password = "secret")
> credential_approve(example)
Error: Error: Program 'git' terminated (timeout reached: 10.00sec)

Package cannot be installed when installing as another user on linux

I'm trying to install this package on a system for another user:
echo 'install.packages("credentials")' | sudo -u some_other_user R --no-save

This causes the following error to occur:

warning: unable to access '/home/jeff/.config/git/config': Permission denied
error: could not lock config file /home/jeff/.gitconfig: Permission denied
Error: package or namespace load failed for ‘credentials’:
 .onLoad failed in loadNamespace() for 'credentials', details:
  call: NULL
  error: Failed to call 'git config --global credential.helper cache'
Error: loading failed
Execution halted
ERROR: loading failed

I see that the error is occurring here where we set the global user git config to cache credentials: https://github.com/r-lib/credentials/blob/master/R/onattach.R#L22.

I can see it being useful to have this behaviour for the common user but I don't think it's necessarily desirable all the time. Could a flag be added to disable this behaviour?

terminal prompts disabled

Trying to update GITHUB_PAT using credentials 1.3.2, but I am getting curious behaviour.

> library(credentials)
Found git version 2.24.0
Supported HTTPS credential helpers: cache, store
Found OpenSSH_8.6p1, LibreSSL 3.3.6
Default SSH key: /Users/{user}/.ssh/id_rsa
> git_credential_ask()
$protocol
[1] "https"

$host
[1] "github.com"

$username
[1] "..."

$password
[1] "ghp_......."

attr(,"class")
[1] "git_credential"
> git_credential_update()
error: cannot run rpostback-askpass: No such file or directory
fatal: could not read Username for 'https://github.com': terminal prompts disabled
Error: Failed to call 'git credential fill'
> git_credential_ask()
error: cannot run rpostback-askpass: No such file or directory
fatal: could not read Username for 'https://github.com': terminal prompts disabled
Error: Failed to call 'git credential fill'
> set_github_pat()
If prompted for GitHub credentials, enter your PAT in the password field
/Users/{user}/Library/R/x86_64/4.2/library/credentials/ask_token.sh: line 3: exec: rpostback-askpass: not found
error: unable to read askpass response from '/Users/{user}/Library/R/x86_64/4.2/library/credentials/ask_token.sh'
fatal: could not read Password for 'https://[email protected]': terminal prompts disabled
Error: Failed to call 'git credential fill'

The first time git_credential_ask() asks for my local user password to unlock osxkeychain, and produces the expected result.

I tried the first two solutions in https://stackoverflow.com/questions/32232655/go-get-results-in-terminal-prompts-disabled-error-for-github-private-repo, but no luck. Happens on two different macs, both running OSX 12.6.

Appreciate any ideas that could help.
