-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for GitHub enterprise-managed user accounts #1190
Conversation
696c36a
to
90ff39d
Compare
75bdc87
to
bab4d3d
Compare
29eaa0c
to
eee841a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! So excited this is finally happening! Just had a couple minor questions.
Add parsing of GitHub.com's WWW-Authenticate header, with the upcoming enterprise_hint and domain_hint properties that can be used to indicate when a resource (repository) requires a specific EMU account.
If we have been given a domain_hint in the WWW-Authenticate headers we should use that value to filter any existing accounts we have stored. The header format is: WWW-Authenticate: Basic realm="GitHub" [enterprise_hint="X"] [domain_hint="Y"] ..where X is the enterprise slug/name, and Y is the enterprise 'shortcode'. The shortcode is the suffix applied to GitHub.com accounts that are EMUs (Enterprise Managed Users). That is to say they are backed by an external IdP (Identity Provider). If we have not been given any WWW-Authenticate header (such as with older versions of Git), do not do any filtering. Likewise, if the remote is not GitHub.com (the only place EMUs mingle with other account types) then do no filtering.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Went through all the changes + re-did the testing workflows and all looks good! 🎉
**Changes:** - Use in-proc methods for getting OS version number (#1240, #1264) - Update System.CommandLine (#1265) - Suppress GUI from command-line argument (#1267) - Add github (login|logout|list) commands (#1267) - cURL Cookie file support (#1251) - Update target framework on Mac/Linux to .NET 7 (#1274, #1282) - Replace JSON.NET with System.Text.Json (#1274) - Preserve exact redirect URI formatting in OAuth requests (#1281) - Use IP localhost redirect for GitHub (#1286) - Use WWW-Authenticate headers from Git for Azure Repos authority (#1288) - Better GitHub Enterprise Managed User (EMU) account support (#1190)
{ | ||
if (!IsGitHubDotCom(remoteUri)) | ||
{ | ||
_context.Trace.WriteLine("No account filtering outside of GitHub.com."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should everything below be skipped if remoteUri is not a github.com by returning a false? Like, in case there is a link to the GHES.
Sorry to bump an old topic, but I'm curious if there's been any plans for Github.com to support the enterprise/domain hints that have been implemented here? |
Hello! 👋 When you say "plans for Github.com to support the .. hints" I'm not sure what you mean? GitHub.com will return Do you mean hints for non-EMU/public repos? |
Add support for GitHub enterprise-manage users (EMU) to the GitHub host provider.
Accounts in an 'EMU' enterprise/business are siloed from the regular, public GitHub.com accounts. EMU accounts are identified by the
_shortcode
suffix, where theshortcode
is a moniker for the enterprise/business, for examplealice_contoso
.When asked to recall credentials for the GitHub.com host we now attempt to filter stored accounts by the
shortcode
, given information provided inWWW-Authenticate
headers from upcoming versions of Git that support these headers (as of gitgitgadget/git@92c56da).The format of the header is:
..where
X
is the shortcode, andY
is the enterprise name.If multiple accounts are available for the given 'domain' then we present an account selection prompt. Users can avoid this prompt in the case of multiple user accounts by specifying the desired account in the remote URL (e.g.
https://alice@github.com/mona/test
to always use thealice
account).Note that GitHub.com does not yet return such
WWW-Authenticate
headers, except alwaysBasic realm="GitHub"
, so this may be subject to fixes later. In the case ofrealm="GitHub"
, i.e., public accounts, there is no change.Testing
To test the new behaviour before GitHub.com returns such headers, it's possible to fake the server response using
mitmproxy
and the following script:Replace
orgN
with the org names that are backed by an EMU Enterprise, and filldomainN
for the shortcode, andenterpriseN
for the enterprise slug/name.Configure Git to use the proxy and run
mitmproxy
with the--scripts
argument:Now all Git interactions that touch
orgN
will include thedomain_hint
andenterprise_hint
s as defined.I use these two helpful aliases to quickly add and remove the local proxy from Git's config: