The documentation for `git config annex.web-options` says that I should be able to use it to set up HTTP credentials in a ~/.netrc file, but it doesn't work.
I have been given some repos that are password-protected; I want to be able to download them non-interactively in a CI system. I won't sit there typing in the password 500 times for 500 files, and ideally I don't want to even type it once.
`git` reads `~/.netrc` if it exists, and does so consistently enough that http://droneci.com/ has built that in as the default way it passes CI credentials to workers. It would be really great if `git-annex` did the same, and did it instead of spawning `curl`. When using an ssh remote, git and git-annex already share the same ssh credentials; it would be awesome if the same could be transparently true for http remotes as well :)
### What steps will reproduce the problem?
1. Set up an HTTP server following https://git-annex.branchable.com/tips/setup_a_public_repository_on_a_web_site/, but password-protect it.
I set up my server on Arch, but I tested the client from both Arch and Ubuntu. Here's the server set up; it should adapt to Debian or Fedora easily enough:
1. `sudo pacman -S --noconfirm apache`
2. `echo 'Include conf/extra/git-annex.conf' | sudo tee -a /etc/httpd/conf/httpd.conf`
3. `sha256sum large.bin` should succeed, and match the value shown in the symlink in `ls -l large.bin`
6. Password protect the repo
While still in `/srv/http/annex`:
1. ```
cat <<EOF | tee .htaccess
AuthType Basic
AuthName gitannex
AuthUserFile /srv/http/annex/.htpasswd
Require valid-user
EOF
```
2. `htpasswd -bc .htpasswd user4 password`
2. Download the password-protected repo
0. If the test server is on the same machine: `git config --global annex.security.allowed-ip-addresses all`
1. Download the repo without any password helper: 🫤🫤🫤
1. `git clone http://localhost/.git annex-test; cd annex-test`; this will prompt for the password set above, e.g.
```
$ git clone http://localhost/.git annex-test
Cloning into 'annex-test'...
Username for 'http://localhost': user4
Password for 'http://user4@localhost':
```
2. `git annex get`; this will prompt for the password **twice**: once for the implicit `git annex init` (that needs to read the remote `.git/config`) and once for downloading large.bin.
Running `pstree` while the prompts are waiting, or using `git config annex.debug true`, reveals that the prompts are coming from [`git credential fill`](https://git-scm.com/docs/git-credential).
8. Drop the annoying redundant password prompts using [git-credential-store(1)](https://git-scm.com/docs/git-credential-store): ✔️✔️✔️
1. `cd $(mktemp -d)`
2. `git config --global credential.helper store`
3. `git clone http://localhost/.git annex-test; cd annex-test`; this will prompt for the password
4. `git annex get`; but this will not prompt for any passwords
This works. So that's awesome, I can use `credential.helper store` to make my passworded downloads non-interactive by filling in `~/.git-credentials`, which, for the record, has one credential per line in this format:
```
$ cat ~/.git-credentials
http://user4:password@localhost
```
or if a non-standard port is involved:
```
$ cat ~/.git-credentials
http://user4:password@localhost%3a8080
```
5. (Undo: `git config --global --unset credential.helper` to avoid contaminating the next test)
9. Attempt to drop the redundant password prompts using `annex.web-options`: ❌❌❌
5. `git clone http://localhost/.git annex-test; cd annex-test`; this will **not** prompt for a password because `git` picks up `~/.netrc` automatically.
6. `git annex get`; this **will** prompt for passwords, n+1 times in fact for n=the number of annexed files
I don't understand why this isn't working. The docs say
> Setting this option makes git-annex use curl, but only when annex.security.allowed-ip-addresses is configured in a specific way.
and I set `allowed-ip-addresses` in the specific way, so why is this no bueno?
From these, I understand I need to `git config --global annex.security.allowed-ip-addresses all`, which I did, but otherwise my best guess is that `web-options` only works when [using the web as a _special remote_](https://git-annex.branchable.com/tips/using_the_web_as_a_special_remote/) with `addurl`. But here I'm using the web as a _regular remote_, something which [git-annex has support for](https://git-annex.branchable.com/tips/setup_a_public_repository_on_a_web_site/). But seemingly this corner case isn't working.
I can work around it by rewriting the contents of `~/.netrc` into `~/.git-credentials` and setting `git config --global credential.helper store`, but I don't want to duplicate the credentials every time I'm in this situation.
### What version of git-annex are you using? On what operating system?
git-annex 10.20220504-g4e4c44ed8 on ArchLinux, and git-annex 8.20210223 on Ubuntu 22.04.
### Please provide any additional information below.
[[!format sh """
[kousu@nigiri tmp.ztnHTYA3ZC]$ cd $(mktemp -d)
[kousu@nigiri tmp.H5EkrNMUPc]$ git config --global annex.security.allowed-ip-addresses all
"""]]
### Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)
Sure! Lots! We use it to share a large open access dataset at https://github.com/spine-generic, and [I'm working on](https://github.com/neuropoly/gitea/pull/1) helping other researchers share their datasets on their own infrastructure using git-annex + gitea.
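
The report traces the prompts to `git credential fill` and works around them by copying `~/.netrc` into `~/.git-credentials`. As an added example (not part of the original report and not git-annex or git code), a credential helper can answer those requests straight from the netrc file, so the password lives in one place. The function names, the port-stripping fallback and the permission check are choices made for this example.

```python
#!/usr/bin/env python3
"""git credential helper that answers `get` requests from a netrc file."""
import netrc
import os
import sys


def parse_request(text):
    """Parse the key=value lines git writes to a helper's stdin."""
    fields = {}
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the request
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def answer(text, netrc_path):
    """Return the helper's stdout for a `get` request, or "" for no match."""
    req = parse_request(text)
    if req.get("protocol") not in ("http", "https"):
        return ""
    host = req.get("host", "")
    try:
        if os.stat(netrc_path).st_mode & 0o077:
            return ""  # refuse a netrc that group or others can read
        hosts = netrc.netrc(netrc_path).hosts
    except (OSError, netrc.NetrcParseError):
        return ""
    # git sends the host as "localhost:8080"; netrc entries carry no port.
    entry = hosts.get(host) or hosts.get(host.rsplit(":", 1)[0])
    if entry is None:
        return ""
    login, _account, password = entry
    # Stay silent if git already has a different username or no password exists.
    if not password or req.get("username") not in (None, login):
        return ""
    return f"username={login}\npassword={password}\n"


if __name__ == "__main__":
    # git runs a helper as: <helper> get|store|erase; only `get` is answered.
    if sys.argv[1:2] == ["get"]:
        sys.stdout.write(answer(sys.stdin.read(), os.path.expanduser("~/.netrc")))
```

Saved as an executable file and set with `git config --global credential.helper /absolute/path/to/it`, it takes the place of `credential.helper store` in the steps above. It returns the same password for `http` and `https` requests to a host, so over plain `http` the credential still crosses the network unencrypted.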