是否可以使用非交互式的默认Windows凭据对远程Git存储库进行身份验证？

Posted 2021-03-31

我的远程Git存储库由内部TFS服务器托管。有两种方法可以访问其内容：

• 使用TFS Restful API - https://docs.microsoft.com/en-us/rest/api/vsts/git/items/get?view=vsts-rest-4.1
• 使用本机git客户端，例如git clone命令

要使用Restful API，可以使用powershell Invoke-RestMethod命令和-UseDefaultCredentials，它可以正常工作，没有问题。

但是，使用git clone，我不知道如何使用默认凭据。 manager credential helper不使用它们。首次使用时，它会要求提供凭据。

所以，我看到的选项是：

• 有一个替代的git客户端，可能具有有限的功能，但足以运行可以使用默认Windows凭据的克隆。
• 有一个可以使用默认Windows凭据的Windows凭据帮助程序。
• 有一个可以使用默认Windows凭据的Windows的askpass实现。

问题是我在网上找不到任何实现这些选项的东西。

编辑1

https://github.com/git-for-windows/git/wiki/FAQ#how-do-i-access-a-repository-hosted-on-a-microsoft-team-foundation-server-inside-a-windows-domain建议的方法似乎不起作用。请观察：

C:xyzDevOps> $GitApiUrl
http://tfsserver:8080/tfs/DefaultCollection/code/_apis/git/repositories/MyConfigData
C:xyzDevOps> $ProjectName
dev_smoketest56oc
C:xyzDevOps> Test-Path .params.json
False
C:xyzDevOps> Invoke-RestMethod -Uri "$GitApiUrl/items?path=$ProjectName.json&api-version=4.1" -UseDefaultCredentials -OutFile params.json
C:xyzDevOps> Test-Path .params.json
True

正如您所看到的，Restful API可以在不需要凭据的情况下工作。现在让我们尝试git clone：

C:xyzDevOps> $env:GIT_TRACE=1
C:xyzDevOps> git clone http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp a
09:13:21.405748 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
09:13:21.406249 git.c:415               trace: built-in: git clone http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp a
Cloning into 'a'...
09:13:21.430369 run-command.c:637       trace: run_command: git remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.459149 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.460654 git.c:654               trace: exec: git-remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.460654 run-command.c:637       trace: run_command: git-remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.481711 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.539575 run-command.c:637       trace: run_command: 'git credential-manager erase'
09:13:21.642660 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.644162 git.c:654               trace: exec: git-credential-manager erase
09:13:21.644162 run-command.c:637       trace: run_command: git-credential-manager erase
fatal: Authentication failed for 'http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp/'
C:xyzDevOps> $env:GIT_TRACE=0
C:xyzDevOps>

验证失败。

编辑2

在bash控制台上：

$ GIT_CURL_VERBOSE=1

$ curl -v --ntlm -u : http://tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp -o 1.html 2> out.txt

$ curl -v --ntlm -u : http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp -o 2.html 2> out2.txt

文件1.html和2.html似乎代表了浏览器中的存储库的网页，因此两个curl命令都是成功的。

输出文件out.txt和out2.txt非常相似，区别在于时间戳，guids和加密字符串。所以，这里是out.txt（我冒昧地删除空行并擦洗几个字符串）：

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.17.155...* TCP_NODELAY set* Connected to tfsserver (192.168.17.155) port 8080 (#0)* Server auth using NTLM with user ''> GET /tfs/DefaultCollection/code/_git/MyApp HTTP/1.1
> Host: tfsserver:8080
> Authorization: NTLM ***SCRUBBED***
> User-Agent: curl/7.60.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: NTLM ***SCRUBBED***
< Date: Thu, 15 Nov 2018 23:07:58 GMT
< Content-Length: 341
< 
* Ignoring the response-body{ [341 bytes data]
100   341  100   341    0     0    642      0 --:--:-- --:--:-- --:--:--   642* Connection #0 to host tfsserver left intact* Issue another request to this URL: 'http://tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp'* Found bundle for host tfsserver: 0x4116f20 [can pipeline]* Re-using existing connection! (#0) with host tfsserver* Connected to tfsserver (192.168.17.155) port 8080 (#0)* Server auth using NTLM with user ''> GET /tfs/DefaultCollection/code/_git/MyApp HTTP/1.1
> Host: tfsserver:8080
> Authorization: NTLM ***SCRUBBED***
> User-Agent: curl/7.60.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: e5b67424-832f-468b-8787-c7c05aef5396
< ActivityId: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-TFS-Session: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-VSS-E2EID: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-FRAME-OPTIONS: SAMEORIGIN
< X-VSS-UserData: 34be4ed8-c4fd-4e9f-bdae-d1843df36b0f:mkharitonov
< X-AspNetMvc-Version: 4.0
< X-AspNet-Version: 4.0.30319
< Set-Cookie: __RequestVerificationToken_L3Rmcw2=***SCRUBBED***; path=/; HttpOnly
< Set-Cookie: __RequestVerificationToken27563503a-8c73-4ee0-8930-e1f466b255f5=***SCRUBBED***; path=/; HttpOnly
< Persistent-Auth: true
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Thu, 15 Nov 2018 23:07:58 GMT
< Content-Length: 120608
< 
{ [183 bytes data]
100  117k  100  117k    0     0   167k      0 --:--:-- --:--:-- --:--:--  167k* Connection #0 to host tfsserver left intact

答案

我无法验证它到底，但可能你应该在config（命令http.emptyAuth）中将true设置为git config --global http.emptyAuth true。至少在设置它之后我的git 2.19.1.windows.1已经向服务器发送了一个Authorization: Negotiate ...标头，该服务器通告了这个协议。

底线：

git config --global http.emptyAuth true

是否LFS不在图片中。如果涉及LFS，则在:@前加上主机名，例如：

http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp