GIT_ASKPASS with more than echo

Question

I am playing around with different variations on GIT_ASKPASS and I wanted to make a POC that it is literally possible to pull password from external "storage". To prove a point, I though it will be quite simple to just call an API and return password from response. Problem is that git hangs on a script I provided and I have no idea why.

Some info:

• script was chmod +x-ed
• command inside of $(...) is working correctly
• I read response here git, oauth2 token and GIT_ASKPASS but all it told me is that we are doing same thing
• my git is git version 2.26.2

Here's the script:

#!/usr/bin/env bash

password="$(http https://postman-echo.com/get password=="trust-me" | jq '.args | .password' | tr -d '"')"
exec echo "${password}"

and here's the log:

GIT_TRACE=1 GIT_ASKPASS=./git_ask_pass_url git clone "https://askpass-git-2@github.com/kornicameister/askpass-git-test.git" /tmp/ddddd
23:43:22.266086 git.c:439               trace: built-in: git clone https://da-user@github.com/kornicameister/askpass-git-test.git /tmp/ddddd
Cloning into '/tmp/ddddd'...
23:43:22.270259 run-command.c:663       trace: run_command: git-remote-https origin https://askpass-git-2@github.com/kornicameister/askpass-git-test.git
23:43:23.054837 run-command.c:663       trace: run_command: 'git credential-cache --timeout=28800 get'
23:43:23.057470 git.c:703               trace: exec: git-credential-cache --timeout=28800 get
23:43:23.057506 run-command.c:663       trace: run_command: git-credential-cache --timeout=28800 get
23:43:23.059112 run-command.c:663       trace: run_command: ./git_ask_pass_url 'Password for '\''https://askpass-git-2@github.com'\'': '

---

Update:

Alright, I changed the script to be:

#!/usr/bin/env bash

test "${GIT_TRACE}" -eq 1 && set -x
curl "https://postman-echo.com/get?password=${GIT_PASSWORD}" | jq -r '.args | .password'

and with that setup we have:

GIT_PASSWORD="foo-course" GIT_TRACE=1 GIT_ASKPASS=./git_ask_pass_url git clone "https://foo-1@github.com/kornicameister/foo-test.git" /tmp/b              20:57:03
20:57:04.473789 git.c:439               trace: built-in: git clone https://foo-1@github.com/kornicameister/foo-test.git /tmp/b
Cloning into '/tmp/b'...
20:57:04.478021 run-command.c:663       trace: run_command: git-remote-https origin https://foo-1@github.com/kornicameister/foo-test.git
20:57:05.258448 run-command.c:663       trace: run_command: 'git credential-cache --timeout=28800 get'
20:57:05.262080 git.c:703               trace: exec: git-credential-cache --timeout=28800 get
20:57:05.262126 run-command.c:663       trace: run_command: git-credential-cache --timeout=28800 get
20:57:05.264706 run-command.c:663       trace: run_command: ./git_ask_pass_url 'Password for '\''https://foo-1@github.com'\'': '
++ curl 'https://postman-echo.com/get?password=foo-course'
++ jq -r '.args | .password'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   238  100   238    0     0    409      0 --:--:-- --:--:-- --:--:--   409
+ password=foo-course
+ exec echo foo-course
20:57:06.387701 run-command.c:663       trace: run_command: 'git credential-cache --timeout=28800 store'
20:57:06.391164 git.c:703               trace: exec: git-credential-cache --timeout=28800 store
20:57:06.391214 run-command.c:663       trace: run_command: git-credential-cache --timeout=28800 store
20:57:07.176076 run-command.c:663       trace: run_command: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 24977 on kornicameister' --check-self-contained-and-connected
20:57:07.177517 git.c:439               trace: built-in: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 24977 on kornicameister' --check-self-contained-and-connected
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 10 (delta 2), reused 10 (delta 2), pack-reused 0
Receiving objects: 100% (10/10), done.
Resolving deltas: 100% (2/2), done.
20:57:07.202708 run-command.c:663       trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
20:57:07.204214 git.c:439               trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
20:57:07.206501 run-command.c:663       trace: run_command: /tmp/b/.git/hooks/post-checkout 0000000000000000000000000000000000000000 581d755bfb10e1beee93fc190cd99428f9f1595c 1

so it really sounds as if problem was with using http instead of plain curl.

Answer 1

Ok, you can use curl as posted in update above, but I have to give some honor back to http. If you wish to use it in GIT_ASKPASS it is quite important to do it like so:

http -I "https://postman-echo.com/get" password=="${GIT_PASSWORD}" | jq -r '.args | .password'

Note -I flags. It prevents from reading from stdin. GIT_ASKPASS actually receives some string on stdin and hence it was stuck in original attempt.

So yeah, I guess a conclusion is that sometimes simplest tool do work and more advanced causes unexpected issues.