[git] Support authentication on the backend (from the frontend)

[akosyakov]

When I try to push changes to GitHub via the UI, I get prompted for my account credentials in a terminal running the backend.

[lmcbout]

I had the same issue . I adjusted my credential to match the upper / lower case of my credentials. It seems we need to match exactly now. @...

[kittaakos]

Worked correctly for me. Could you guys give a pointer what I should do to be able to reproduce this?

[akosyakov]

Did you log out first? https://stackoverflow.com/questions/28238037/git-log-out-user-from-command-line

[kittaakos]

No, but what would you expect? I mean, of course, a nice pop-up dialog should be raised just like in VSCode where the user can authenticate, but in our case the Git executable could be on another machine. I would say it is not a bug but a missing feature? What do you think, @akosyakov?

[kittaakos]

As a workaround: one can do that in a terminal.

[geropl]

Proposal: One unix-user per frontend user

This is an example that should show the basic ideas:

1. the local repository files have a group set that is shared by all users
2. Each user has her own credentials in ~/.git-credentials and user name/email in .git/config
3. Theia would need to be run with a user that is member of the same group
4. Everyone can work with the files and use git with her own preferences + credentials

Preconditions for that this work with Theia:

1. One unix user per frontend user (either created dynamically or statically beforehand)
2. A mapping between frontend user and unix user on the backend
3. Each call to git in the backend has to be done with the respective unix user
4. Each terminal should be opened with the unix backend user
5. chmod files before usage so it belongs to group (see example)

Example:

Terminal 1:
# Prepare users and common group for file access
$ sudo addgroup gitgroup
$ sudo adduser testu1
...answer prompts...
$ sudo adduser testu2
...answer prompts...
$ sudo addgroup testu1 gitgroup
$ sudo addgroup testu2 gitgroup
$ exit

Terminal 1:
$ su testu1
# Store (and read) credentials form per-user file ~/.git-credentials
$ git config --global credential.helper store
# Store user credentials
$ echo "https://<user>:<pw>@github.com/<testrepo>" > ~/.git-credentials
# Git config (--global ends up in ~/.gitconfig, so per-user)
git config --global user.email "..."
git config --global user.name "..."
# Initial clone
$ git clone https://@github.com/<testrepo>
# Set owner group to 'gitgroup' so all its members have access to it
$ sudo chown -R :gitgroup testrepo
# From now on, both users can use git on this repository as ever. Credentials are read from ~/.git-credentials if needed

Terminal 2:
$ su testu2
# Store (and read) credentials form per-user file ~/.git-credentials
$ git config --global credential.helper store
# Store user credentials.
$ echo "https://<user>:<pw>@github.com/<testrepo>" > ~/.git-credentials
# Git config (--global ends up in ~/.gitconfig, so per-user)
git config --global user.email "..."
git config --global user.name "..."
# From now on, both users can use git on this repository as ever. Credentials are read from ~/.git-credentials if needed

[kittaakos]

Alternatively, here is a complete guide to support multiple GitHub accounts with a single Theia backend. It was tested and verified on Windows. It requires having Git Bash installed on the Theia backend.

Discard the current state (if any)

Unsets the credential helper, so Git forgets about any previously authenticated users.

git config --global --unset credential.helper
git config --system --unset credential.helper

Verify, it is unset. The following command must not print anything to the terminal.

git config credential.helper

Unsets any configured username/email pairs.

git config --global --unset user.name
git config --global --unset user.email

Verify the username and the email. The following command must not print anything to the terminal.

git config user.name
git config user.email

Creating a new SSH key per user for GitHub

ssh-keygen -t rsa -b 4096 -C "first.user@domain.com"

Use Git Bash. When asking for the file name, pick one that uniquely identifies the user. Enter file in which to save the key; enter id_rsa_first-user. Note: On my VMWare Windows 10 image, the private/public key pairs were generated under ~/ instead of ~/.ssh.

When prompted for the passphrase, you are free to pick anything. If you specify the password, you have to give it each time when executing for instance git push from the terminal. This implies the following: you will not be able to push from the UI.

Add your SSH-key to the SSH agent. We are still in Git Bash. Make sure, the private key exists under the location we are adding to the SSH agent.

eval $(ssh-agent -s)
ssh-add ~/id_rsa_first-user

If you have given a passphrase, you will be asked for that.

Configuring the SSH key per user on GitHub

Copy the public key from the Git Bash.

clip < ~/id_rsa_first-user.pub

Go to GitHub, and add your SSH key: Profile > Settings > SSH and GPG keys > New SSH key. Pick a good name for the key and paste the public key to GitHub and save. We are done here. You might receive an email notification based on your GitHub notification settings.

Configure the backend to use the SSH keys

Create a file named config under ~/.ssh/. Add the following per user to the SSH configuration file.

# GitHub for user first-user
Host github-first-user
  HostName github.com
  User git
  IdentityFile ~/id_rsa_first-user

Clone with SSH key

Once the Theia backend is running, open a new workspace for the user. Clone the repository in the following way.

 git clone ssh://git@github-first-user/<userOrOrganizationName>/<repositoryName>.git

Or

 git clone ssh://git@github-first-user/<userOrOrganizationName>/<repositoryName>.git first-user

Configure user and email per repository

Navigate into the new local Git clone inside the Theia workspace and set the username and the email for Git.

git config --local user.name "First User"
git config --local user.email first.user@domain.com

If you have configured a passphrase for your SSH keys, you have to push from a Theia terminal with git push, you will be prompted for the password.

Adding multiple users

One has to repeat the steps from above per GitHub accounts.

[JonasHelming]

@tsmaeder Can we close this? If so, please do

[tsmaeder]

We can close this one: our own git Theia extension is deprecated for the VS Code built-in extension. The SCM api does not deal with authentication at all, so as long as we correctly handle secret storage and authentication sessions, we should have everything VS Code has.