Web browser and PAT support for GitLab

Git-Credential-Manager.sln

@@ -59,6 +59,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitHub.UI.Windows", "src\wi
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Atlassian.Bitbucket.UI.Windows", "src\windows\Atlassian.Bitbucket.UI.Windows\Atlassian.Bitbucket.UI.Windows.csproj", "{3F015046-DAF2-4D2A-96EC-F9782F169E45}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitLab", "src\shared\GitLab\GitLab.csproj", "{570897DC-A85C-4598-B793-9A00CF710119}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitLab.Tests", "src\shared\GitLab.Tests\GitLab.Tests.csproj", "{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -397,6 +401,38 @@ Global
 		{3F015046-DAF2-4D2A-96EC-F9782F169E45}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3F015046-DAF2-4D2A-96EC-F9782F169E45}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3F015046-DAF2-4D2A-96EC-F9782F169E45}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.MacDebug|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.MacRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.MacRelease|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.Release|Any CPU.Build.0 = Release|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.WindowsRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.WindowsRelease|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.LinuxDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.LinuxDebug|Any CPU.Build.0 = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.LinuxRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{570897DC-A85C-4598-B793-9A00CF710119}.LinuxRelease|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.MacDebug|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.MacRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.MacRelease|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.WindowsRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.WindowsRelease|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.LinuxDebug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.LinuxDebug|Any CPU.Build.0 = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.LinuxRelease|Any CPU.ActiveCfg = Debug|Any CPU
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393}.LinuxRelease|Any CPU.Build.0 = Debug|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -429,6 +465,8 @@ Global
 		{714ACBE7-0C69-4D8A-9224-22792CAA8264} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{0A86ED89-1FC5-42AA-925C-4578FA30607A} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{3F015046-DAF2-4D2A-96EC-F9782F169E45} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
+		{570897DC-A85C-4598-B793-9A00CF710119} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
+		{1AF9F7C5-FA2E-48F1-B216-4D5E9A27F393} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {0EF9FC65-E6BA-45D4-A455-262A9EA4366B}

README.md

@@ -25,6 +25,7 @@ Secure platform credential storage|&#10003;<br/>[(see more)](docs/credstores.md)
 Multi-factor authentication support for Azure DevOps|&#10003;|&#10003;|&#10003;
 Two-factor authentication support for GitHub|&#10003;|&#10003;|&#10003;
 Two-factor authentication support for Bitbucket|&#10003;|&#10003;|&#10003;
+Two-factor authentication support for GitLab|&#10003;|&#10003;|&#10003;
 Windows Integrated Authentication (NTLM/Kerberos) support|&#10003;|_N/A_|_N/A_
 Basic HTTP authentication support|&#10003;|&#10003;|&#10003;
 Proxy support|&#10003;|&#10003;|&#10003;

docs/configuration.md

@@ -64,6 +64,7 @@ ID|Provider
 `azure-repos`|Azure Repos
 `github`|GitHub
 `bitbucket`|Bitbucket
+`gitlab`|GitLab<br/>_(supports OAuth in browser, personal access token and Basic Authentication)_
 `generic`|Generic (any other provider not listed above)
 
 Automatic provider selection is based on the remote URL.
@@ -94,6 +95,7 @@ Authority|Provider(s)
 `msa`, `microsoft`, `microsoftaccount`,<br/>`aad`, `azure`, `azuredirectory`,</br>`live`, `liveconnect`, `liveid`|Azure Repos<br/>_(supports Microsoft Authentication)_
 `github`|GitHub<br/>_(supports GitHub Authentication)_
 `bitbucket`|Bitbucket.org<br/>_(supports Basic Authentication and OAuth)_<br/>Bitbucket Server<br/>_(supports Basic Authentication)_
+`gitlab`|GitLab<br/>_(supports OAuth in browser, personal access token and Basic Authentication)_
 `basic`, `integrated`, `windows`, `kerberos`, `ntlm`,<br/>`tfs`, `sso`|Generic<br/>_(supports Basic and Windows Integrated Authentication)_
 
 #### Example
@@ -250,6 +252,31 @@ git config --global credential.gitHubAuthModes "oauth,basic"
 
 ---
 
+### credential.gitLabAuthModes
+
+Override the available authentication modes presented during GitLab authentication.
+If this option is not set, then the available authentication modes will be automatically detected.
+
+**Note:** This setting supports multiple values separated by commas.
+
+Value|Authentication Mode
+-|-
+_(unset)_|Automatically detect modes
+`browser`|OAuth authentication via a web browser _(requires a GUI)_
+`basic`|Basic authentication using username and password
+`pat`|Personal Access Token (pat)-based authentication
+
+#### Example
+
+```shell
+git config --global credential.gitLabAuthModes "browser"
+```
+
+**Also see: [GCM_GITLAB_AUTHMODES](environment.md#GCM_GITLAB_AUTHMODES)**
+
+---
+
+
 ### credential.namespace
 
 Use a custom namespace prefix for credentials read and written in the OS credential store.

docs/environment.md

@@ -169,6 +169,7 @@ ID|Provider
 `auto` _(default)_|_\[automatic\]_ ([learn more](autodetect.md))
 `azure-repos`|Azure Repos
 `github`|GitHub
+`gitlab`|GitLab<br/>_(supports OAuth in browser, personal access token and Basic Authentication)_
 `generic`|Generic (any other provider not listed above)
 
 Automatic provider selection is based on the remote URL.
@@ -206,6 +207,7 @@ Authority|Provider(s)
 `auto` _(default)_|_\[automatic\]_
 `msa`, `microsoft`, `microsoftaccount`,<br/>`aad`, `azure`, `azuredirectory`,</br>`live`, `liveconnect`, `liveid`|Azure Repos<br/>_(supports Microsoft Authentication)_
 `github`|GitHub<br/>_(supports GitHub Authentication)_
+`gitlab`|GitLab<br/>_(supports OAuth in browser, personal access token and Basic Authentication)_
 `basic`, `integrated`, `windows`, `kerberos`, `ntlm`,<br/>`tfs`, `sso`|Generic<br/>_(supports Basic and Windows Integrated Authentication)_
 
 #### Example
@@ -409,6 +411,36 @@ export GCM_GITHUB_AUTHMODES="oauth,basic"
 
 ---
 
+### GCM_GITLAB_AUTHMODES
+
+Override the available authentication modes presented during GitLab authentication.
+If this option is not set, then the available authentication modes will be automatically detected.
+
+**Note:** This setting supports multiple values separated by commas.
+
+Value|Authentication Mode
+-|-
+_(unset)_|Automatically detect modes
+`browser`|OAuth authentication via a web browser _(requires a GUI)_
+`basic`|Basic authentication using username and password
+`pat`|Personal Access Token (pat)-based authentication
+
+##### Windows
+
+```batch
+SET GCM_GITLAB_AUTHMODES="browser"
+```
+
+##### macOS/Linux
+
+```bash
+export GCM_GITLAB_AUTHMODES="browser"
+```
+
+**Also see: [credential.gitLabAuthModes](configuration.md#credentialgitLabAuthModes)**
+
+---
+
 ### GCM_NAMESPACE
 
 Use a custom namespace prefix for credentials read and written in the OS credential store.

docs/gitlab.md

@@ -0,0 +1,44 @@
+# GitLab support
+
+Git Credential Manager supports [gitlab.com](https://gitlab.com) out the box.
+
+## Using on a another instance
+
+To use on another instance, eg. `https://gitlab.example.com` requires setup and configuration:
+
+1. [Create an OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html). This can be at the user, group or instance level. Specify a name and use a redirect URI of `http://127.0.0.1/`. _Unselect_ the 'Confidential' option, and ensure the 'Expire access tokens' option is selected. Set the scope to 'write_repository'.
+2. Copy the application ID and configure `git config --global credential.https://gitlab.example.com.GitLabDevClientId <APPLICATION_ID>`
+3. Copy the application secret and configure `git config --global credential.https://gitlab.example.com.GitLabDevClientSecret <APPLICATION_SECRET>`
+4. Configure authentication modes to include 'browser' `git config --global credential.https://gitlab.example.com.gitLabAuthModes browser`
+5. For good measure, configure `git config --global credential.https://gitlab.example.com.provider gitlab`
+6. Verify the config is as expected `git config --global --get-urlmatch credential https://gitlab.example.com`
+
+### Clearing config
+
+```
+    git config --global --unset-all credential.https://gitlab.example.com.GitLabDevClientId
+    git config --global --unset-all credential.https://gitlab.example.com.GitLabDevClientSecret
+    git config --global --unset-all credential.https://gitlab.example.com.provider
+```
+
+## Preferences
+
+```
+Select an authentication method for 'https://gitlab.com/':
+  1. Web browser (default)
+  2. Personal access token
+  3. Username/password
+option (enter for default): 
+```
+
+If you have a preferred authentication mode, you can specify [credential.gitLabAuthModes](configuration.md#credential.gitLabAuthModes):
+
+    `git config --global credential.gitlabauthmodes browser`
+
+## Caveats
+
+Improved support requires changes in GitLab. Please vote for these issues if they affect you:
+
+1. No support for OAuth device authorization (necessary for machines without web browser) https://gitlab.com/gitlab-org/gitlab/-/issues/332682
+2. Only domains with prefix `gitlab.` are recognised as GitLab remotes https://gitlab.com/gitlab-org/gitlab/-/issues/349464
+3. Username/password authentication is suggested even if disabled on server https://gitlab.com/gitlab-org/gitlab/-/issues/349463

src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj

@@ -17,6 +17,7 @@
   <ItemGroup>
     <ProjectReference Include="..\Atlassian.Bitbucket\Atlassian.Bitbucket.csproj" />
     <ProjectReference Include="..\GitHub\GitHub.csproj" />
+    <ProjectReference Include="..\GitLab\GitLab.csproj" />
     <ProjectReference Include="..\Microsoft.AzureRepos\Microsoft.AzureRepos.csproj" />
     <ProjectReference Include="..\Core\Core.csproj" />
   </ItemGroup>

src/shared/Git-Credential-Manager/Program.cs

@@ -1,6 +1,7 @@
 using System;
 using Atlassian.Bitbucket;
 using GitHub;
+using GitLab;
 using Microsoft.AzureRepos;
 using GitCredentialManager.Authentication;
 
@@ -35,6 +36,7 @@ public static void Main(string[] args)
                 app.RegisterProvider(new AzureReposHostProvider(context), HostProviderPriority.Normal);
                 app.RegisterProvider(new BitbucketHostProvider(context),  HostProviderPriority.Normal);
                 app.RegisterProvider(new GitHubHostProvider(context),     HostProviderPriority.Normal);
+                app.RegisterProvider(new GitLabHostProvider(context),     HostProviderPriority.Normal);
                 app.RegisterProvider(new GenericHostProvider(context),    HostProviderPriority.Low);
 
                 int exitCode = app.RunAsync(args)

src/shared/GitLab.Tests/GitLab.Tests.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+    <LangVersion>latest</LangVersion>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="3.1.0">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.7.0" />
+    <PackageReference Include="ReportGenerator" Version="4.8.13" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.3.1" />
+    <DotNetCliToolReference Include="dotnet-xunit" Version="2.3.1" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\GitLab\GitLab.csproj" />
+    <ProjectReference Include="..\TestInfrastructure\TestInfrastructure.csproj" />
+  </ItemGroup>
+
+</Project>

src/shared/GitLab.Tests/GitLabAuthenticationTests.cs

@@ -0,0 +1,100 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Threading.Tasks;
+using GitCredentialManager.Tests.Objects;
+using Moq;
+using Moq.Protected;
+using Xunit;
+
+namespace GitLab.Tests
+{
+    public class GitLabAuthenticationTests
+    {
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_AuthenticationModesNone_ThrowsException()
+        {
+            var context = new TestCommandContext();
+            var auth = new GitLabAuthentication(context);
+            Assert.Throws<ArgumentException>("modes",
+                () => auth.GetAuthentication(null, null, AuthenticationModes.None)
+            );
+        }
+
+        [Theory]
+        [InlineData(AuthenticationModes.Browser)]
+        public void GitLabAuthentication_GetAuthenticationAsync_SingleChoice_TerminalAndInteractionNotRequired(GitLab.AuthenticationModes modes)
+        {
+            var context = new TestCommandContext();
+            context.Settings.IsTerminalPromptsEnabled = false;
+            context.Settings.IsInteractionAllowed = false;
+            context.SessionManager.IsDesktopSession = true; // necessary for browser
+            var auth = new GitLabAuthentication(context);
+            var result = auth.GetAuthentication(null, null, modes);
+            Assert.Equal(modes, result.AuthenticationMode);
+        }
+
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_TerminalPromptsDisabled_Throws()
+        {
+            var context = new TestCommandContext();
+            context.Settings.IsTerminalPromptsEnabled = false;
+            var auth = new GitLabAuthentication(context);
+            var exception = Assert.Throws<InvalidOperationException>(
+                () => auth.GetAuthentication(null, null, AuthenticationModes.All)
+            );
+            Assert.Equal("Cannot prompt because terminal prompts have been disabled.", exception.Message);
+        }
+
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_Terminal()
+        {
+            var context = new TestCommandContext();
+            var auth = new GitLabAuthentication(context);
+            context.SessionManager.IsDesktopSession = true;
+            context.Terminal.Prompts["option (enter for default)"] = "";
+            var result = auth.GetAuthentication(null, null, AuthenticationModes.All);
+            Assert.Equal(AuthenticationModes.Browser, result.AuthenticationMode);
+        }
+
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_ChoosePat()
+        {
+            var context = new TestCommandContext();
+            var auth = new GitLabAuthentication(context);
+            context.Terminal.Prompts["option (enter for default)"] = "";
+            context.Terminal.Prompts["Username"] = "username";
+            context.Terminal.SecretPrompts["Personal access token"] = "token";
+            var result = auth.GetAuthentication(null, null, AuthenticationModes.All);
+            Assert.Equal(AuthenticationModes.Pat, result.AuthenticationMode);
+            Assert.Equal("username", result.Credential.Account);
+            Assert.Equal("token", result.Credential.Password);
+        }
+
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_ChooseBasic()
+        {
+            var context = new TestCommandContext();
+            var auth = new GitLabAuthentication(context);
+            context.Terminal.Prompts["option (enter for default)"] = "2";
+            context.Terminal.Prompts["Username"] = "username";
+            context.Terminal.SecretPrompts["Password"] = "password";
+            var result = auth.GetAuthentication(null, null, AuthenticationModes.All);
+            Assert.Equal(AuthenticationModes.Basic, result.AuthenticationMode);
+            Assert.Equal("username", result.Credential.Account);
+            Assert.Equal("password", result.Credential.Password);
+        }
+
+        [Fact]
+        public void GitLabAuthentication_GetAuthenticationAsync_AuthenticationModesAll_RequiresInteraction()
+        {
+            var context = new TestCommandContext();
+            context.Settings.IsInteractionAllowed = false;
+            var auth = new GitLabAuthentication(context);
+            var exception = Assert.Throws<InvalidOperationException>(
+                () => auth.GetAuthentication(new Uri("https://GitLab.com"), null, AuthenticationModes.All)
+            );
+            Assert.Equal("Cannot prompt because user interactivity has been disabled.", exception.Message);
+        }
+    }
+}

src/shared/GitLab.Tests/GitLabHostProviderTests.cs

@@ -0,0 +1,32 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using GitCredentialManager;
+using GitCredentialManager.Authentication.OAuth;
+using GitCredentialManager.Tests.Objects;
+using Moq;
+using Xunit;
+
+namespace GitLab.Tests
+{
+    public class GitLabHostProviderTests
+    {
+        [Theory]
+        [InlineData("https", "gitlab.com", true)]
+        [InlineData("http", "gitlab.com", true)]
+        [InlineData("https", "gitlab.example.com", true)]
+        [InlineData("https", "github.com", false)]
+        [InlineData("https", "github.example.com", false)]
+        public void GitLabHostProvider_IsSupported(string protocol, string host, bool expected)
+        {
+            var input = new InputArguments(new Dictionary<string, string>
+            {
+                ["protocol"] = protocol,
+                ["host"] = host,
+            });
+
+            var provider = new GitLabHostProvider(new TestCommandContext());
+            Assert.Equal(expected, provider.IsSupported(input));
+        }
+    }
+}