Add support for GitHub enterprise-managed user accounts #1190
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mjcheetham
added
enhancement
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
mjcheetham
force-pushed
the
github-emu
branch
3 times, most recently
from
696c36a
to
90ff39d
Compare
mjcheetham
force-pushed
the
github-emu
branch
7 times, most recently
from
75bdc87
to
bab4d3d
Compare
mjcheetham
force-pushed
the
github-emu
branch
2 times, most recently
from
29eaa0c
to
eee841a
Compare
ldennington
approved these changes
Jun 16, 2023
Add parsing of GitHub.com's WWW-Authenticate header, with the upcoming enterprise_hint and domain_hint properties that can be used to indicate when a resource (repository) requires a specific EMU account.
If we have been given a domain_hint in the WWW-Authenticate headers we should use that value to filter any existing accounts we have stored. The header format is: WWW-Authenticate: Basic realm="GitHub" [enterprise_hint="X"] [domain_hint="Y"] ..where X is the enterprise slug/name, and Y is the enterprise 'shortcode'. The shortcode is the suffix applied to GitHub.com accounts that are EMUs (Enterprise Managed Users). That is to say they are backed by an external IdP (Identity Provider). If we have not been given any WWW-Authenticate header (such as with older versions of Git), do not do any filtering. Likewise, if the remote is not GitHub.com (the only place EMUs mingle with other account types) then do no filtering.
ldennington
approved these changes
Jun 23, 2023
Merged
mjcheetham
added a commit
that referenced
this pull request
Jun 26, 2023
**Changes:** - Use in-proc methods for getting OS version number (#1240, #1264) - Update System.CommandLine (#1265) - Suppress GUI from command-line argument (#1267) - Add github (login|logout|list) commands (#1267) - cURL Cookie file support (#1251) - Update target framework on Mac/Linux to .NET 7 (#1274, #1282) - Replace JSON.NET with System.Text.Json (#1274) - Preserve exact redirect URI formatting in OAuth requests (#1281) - Use IP localhost redirect for GitHub (#1286) - Use WWW-Authenticate headers from Git for Azure Repos authority (#1288) - Better GitHub Enterprise Managed User (EMU) account support (#1190)
tsvietOK
reviewed
Sep 26, 2023
| { | ||
| if (!IsGitHubDotCom(remoteUri)) | ||
| { | ||
| _context.Trace.WriteLine("No account filtering outside of GitHub.com."); |
There was a problem hiding this comment.
Should everything below be skipped if remoteUri is not a github.com by returning a false? Like, in case there is a link to the GHES.
|
Sorry to bump an old topic, but I'm curious if there's been any plans for Github.com to support the enterprise/domain hints that have been implemented here? |
Hello! 👋 When you say "plans for Github.com to support the .. hints" I'm not sure what you mean? GitHub.com will return Do you mean hints for non-EMU/public repos? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for GitHub enterprise-manage users (EMU) to the GitHub host provider.
Accounts in an 'EMU' enterprise/business are siloed from the regular, public GitHub.com accounts. EMU accounts are identified by the
_shortcodesuffix, where theshortcodeis a moniker for the enterprise/business, for examplealice_contoso.When asked to recall credentials for the GitHub.com host we now attempt to filter stored accounts by the
shortcode, given information provided inWWW-Authenticateheaders from upcoming versions of Git that support these headers (as of gitgitgadget/git@92c56da).The format of the header is:
..where
Xis the shortcode, andYis the enterprise name.If multiple accounts are available for the given 'domain' then we present an account selection prompt. Users can avoid this prompt in the case of multiple user accounts by specifying the desired account in the remote URL (e.g.
https://alice@github.com/mona/testto always use thealiceaccount).Note that GitHub.com does not yet return such
WWW-Authenticateheaders, except alwaysBasic realm="GitHub", so this may be subject to fixes later. In the case ofrealm="GitHub", i.e., public accounts, there is no change.Testing
To test the new behaviour before GitHub.com returns such headers, it's possible to fake the server response using
mitmproxyand the following script:Replace
orgNwith the org names that are backed by an EMU Enterprise, and filldomainNfor the shortcode, andenterpriseNfor the enterprise slug/name.Configure Git to use the proxy and run
mitmproxywith the--scriptsargument:Now all Git interactions that touch
orgNwill include thedomain_hintandenterprise_hints as defined.I use these two helpful aliases to quickly add and remove the local proxy from Git's config: