HttpClientConnector.java

  1. /*
  2.  * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch> and others
  3.  *
  4.  * This program and the accompanying materials are made available under the
  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at
  6.  * https://www.eclipse.org/org/documents/edl-v10.php.
  7.  *
  8.  * SPDX-License-Identifier: BSD-3-Clause
  9.  */
  10. package org.eclipse.jgit.internal.transport.sshd.proxy;

  12. import static java.nio.charset.StandardCharsets.US_ASCII;
  13. import static java.nio.charset.StandardCharsets.UTF_8;
  14. import static java.text.MessageFormat.format;

  16. import java.io.IOException;
  17. import java.net.HttpURLConnection;
  18. import java.net.InetSocketAddress;
  19. import java.util.ArrayList;
  20. import java.util.Arrays;
  21. import java.util.Iterator;
  22. import java.util.List;

  24. import org.apache.sshd.client.session.ClientSession;
  25. import org.apache.sshd.common.io.IoSession;
  26. import org.apache.sshd.common.util.Readable;
  27. import org.apache.sshd.common.util.buffer.Buffer;
  28. import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
  29. import org.eclipse.jgit.annotations.NonNull;
  30. import org.eclipse.jgit.internal.transport.sshd.GssApiMechanisms;
  31. import org.eclipse.jgit.internal.transport.sshd.SshdText;
  32. import org.eclipse.jgit.internal.transport.sshd.auth.AuthenticationHandler;
  33. import org.eclipse.jgit.internal.transport.sshd.auth.BasicAuthentication;
  34. import org.eclipse.jgit.internal.transport.sshd.auth.GssApiAuthentication;
  35. import org.eclipse.jgit.util.Base64;
  36. import org.ietf.jgss.GSSContext;

  38. /**
  39.  * Simple HTTP proxy connector using Basic Authentication.
  40.  */
  41. public class HttpClientConnector extends AbstractClientProxyConnector {

  43.     private static final String HTTP_HEADER_PROXY_AUTHENTICATION = "Proxy-Authentication:"; //$NON-NLS-1$

  45.     private static final String HTTP_HEADER_PROXY_AUTHORIZATION = "Proxy-Authorization:"; //$NON-NLS-1$

  47.     private HttpAuthenticationHandler basic;

  49.     private HttpAuthenticationHandler negotiate;

  51.     private List<HttpAuthenticationHandler> availableAuthentications;

  53.     private Iterator<HttpAuthenticationHandler> clientAuthentications;

  55.     private HttpAuthenticationHandler authenticator;

  57.     private boolean ongoing;

  59.     /**
  60.      * Creates a new {@link HttpClientConnector}. The connector supports
  61.      * anonymous proxy connections as well as Basic and Negotiate
  62.      * authentication.
  63.      *
  64.      * @param proxyAddress
  65.      *            of the proxy server we're connecting to
  66.      * @param remoteAddress
  67.      *            of the target server to connect to
  68.      */
  69.     public HttpClientConnector(@NonNull InetSocketAddress proxyAddress,
  70.             @NonNull InetSocketAddress remoteAddress) {
  71.         this(proxyAddress, remoteAddress, null, null);
  72.     }

  74.     /**
  75.      * Creates a new {@link HttpClientConnector}. The connector supports
  76.      * anonymous proxy connections as well as Basic and Negotiate
  77.      * authentication. If a user name and password are given, the connector
  78.      * tries pre-emptive Basic authentication.
  79.      *
  80.      * @param proxyAddress
  81.      *            of the proxy server we're connecting to
  82.      * @param remoteAddress
  83.      *            of the target server to connect to
  84.      * @param proxyUser
  85.      *            to authenticate at the proxy with
  86.      * @param proxyPassword
  87.      *            to authenticate at the proxy with
  88.      */
  89.     public HttpClientConnector(@NonNull InetSocketAddress proxyAddress,
  90.             @NonNull InetSocketAddress remoteAddress, String proxyUser,
  91.             char[] proxyPassword) {
  92.         super(proxyAddress, remoteAddress, proxyUser, proxyPassword);
  93.         basic = new HttpBasicAuthentication();
  94.         negotiate = new NegotiateAuthentication();
  95.         availableAuthentications = new ArrayList<>(2);
  96.         availableAuthentications.add(negotiate);
  97.         availableAuthentications.add(basic);
  98.         clientAuthentications = availableAuthentications.iterator();
  99.     }

  101.     private void close() {
  102.         HttpAuthenticationHandler current = authenticator;
  103.         authenticator = null;
  104.         if (current != null) {
  105.             current.close();
  106.         }
  107.     }

  109.     @Override
  110.     public void sendClientProxyMetadata(ClientSession sshSession)
  111.             throws Exception {
  112.         init(sshSession);
  113.         IoSession session = sshSession.getIoSession();
  114.         session.addCloseFutureListener(f -> close());
  115.         StringBuilder msg = connect();
  116.         if ((proxyUser != null && !proxyUser.isEmpty())
  117.                 || (proxyPassword != null && proxyPassword.length > 0)) {
  118.             authenticator = basic;
  119.             basic.setParams(null);
  120.             basic.start();
  121.             msg = authenticate(msg, basic.getToken());
  122.             clearPassword();
  123.             proxyUser = null;
  124.         }
  125.         ongoing = true;
  126.         try {
  127.             send(msg, session);
  128.         } catch (Exception e) {
  129.             ongoing = false;
  130.             throw e;
  131.         }
  132.     }

  134.     private void send(StringBuilder msg, IoSession session) throws Exception {
  135.         byte[] data = eol(msg).toString().getBytes(US_ASCII);
  136.         Buffer buffer = new ByteArrayBuffer(data.length, false);
  137.         buffer.putRawBytes(data);
  138.         session.writeBuffer(buffer).verify(getTimeout());
  139.     }

  141.     private StringBuilder connect() {
  142.         StringBuilder msg = new StringBuilder();
  143.         // Persistent connections are the default in HTTP 1.1 (see RFC 2616),
  144.         // but let's be explicit.
  145.         return msg.append(format(
  146.                 "CONNECT {0}:{1} HTTP/1.1\r\nProxy-Connection: keep-alive\r\nConnection: keep-alive\r\nHost: {0}:{1}\r\n", //$NON-NLS-1$
  147.                 remoteAddress.getHostString(),
  148.                 Integer.toString(remoteAddress.getPort())));
  149.     }

  151.     private StringBuilder authenticate(StringBuilder msg, String token) {
  152.         msg.append(HTTP_HEADER_PROXY_AUTHORIZATION).append(' ').append(token);
  153.         return eol(msg);
  154.     }

  156.     private StringBuilder eol(StringBuilder msg) {
  157.         return msg.append('\r').append('\n');
  158.     }

  160.     @Override
  161.     public void messageReceived(IoSession session, Readable buffer)
  162.             throws Exception {
  163.         try {
  164.             int length = buffer.available();
  165.             byte[] data = new byte[length];
  166.             buffer.getRawBytes(data, 0, length);
  167.             String[] reply = new String(data, US_ASCII)
  168.                     .split("\r\n"); //$NON-NLS-1$
  169.             handleMessage(session, Arrays.asList(reply));
  170.         } catch (Exception e) {
  171.             if (authenticator != null) {
  172.                 authenticator.close();
  173.                 authenticator = null;
  174.             }
  175.             ongoing = false;
  176.             try {
  177.                 setDone(false);
  178.             } catch (Exception inner) {
  179.                 e.addSuppressed(inner);
  180.             }
  181.             throw e;
  182.         }
  183.     }

  185.     private void handleMessage(IoSession session, List<String> reply)
  186.             throws Exception {
  187.         if (reply.isEmpty() || reply.get(0).isEmpty()) {
  188.             throw new IOException(
  189.                     format(SshdText.get().proxyHttpUnexpectedReply,
  190.                             proxyAddress, "<empty>")); //$NON-NLS-1$
  191.         }
  192.         try {
  193.             StatusLine status = HttpParser.parseStatusLine(reply.get(0));
  194.             if (!ongoing) {
  195.                 throw new IOException(format(
  196.                         SshdText.get().proxyHttpUnexpectedReply, proxyAddress,
  197.                         Integer.toString(status.getResultCode()),
  198.                         status.getReason()));
  199.             }
  200.             switch (status.getResultCode()) {
  201.             case HttpURLConnection.HTTP_OK:
  202.                 if (authenticator != null) {
  203.                     authenticator.close();
  204.                 }
  205.                 authenticator = null;
  206.                 ongoing = false;
  207.                 setDone(true);
  208.                 break;
  209.             case HttpURLConnection.HTTP_PROXY_AUTH:
  210.                 List<AuthenticationChallenge> challenges = HttpParser
  211.                         .getAuthenticationHeaders(reply,
  212.                                 HTTP_HEADER_PROXY_AUTHENTICATION);
  213.                 authenticator = selectProtocol(challenges, authenticator);
  214.                 if (authenticator == null) {
  215.                     throw new IOException(
  216.                             format(SshdText.get().proxyCannotAuthenticate,
  217.                                     proxyAddress));
  218.                 }
  219.                 String token = authenticator.getToken();
  220.                 if (token == null) {
  221.                     throw new IOException(
  222.                             format(SshdText.get().proxyCannotAuthenticate,
  223.                                     proxyAddress));
  224.                 }
  225.                 send(authenticate(connect(), token), session);
  226.                 break;
  227.             default:
  228.                 throw new IOException(format(SshdText.get().proxyHttpFailure,
  229.                         proxyAddress, Integer.toString(status.getResultCode()),
  230.                         status.getReason()));
  231.             }
  232.         } catch (HttpParser.ParseException e) {
  233.             throw new IOException(
  234.                     format(SshdText.get().proxyHttpUnexpectedReply,
  235.                             proxyAddress, reply.get(0)),
  236.                     e);
  237.         }
  238.     }

  240.     private HttpAuthenticationHandler selectProtocol(
  241.             List<AuthenticationChallenge> challenges,
  242.             HttpAuthenticationHandler current) throws Exception {
  243.         if (current != null && !current.isDone()) {
  244.             AuthenticationChallenge challenge = getByName(challenges,
  245.                     current.getName());
  246.             if (challenge != null) {
  247.                 current.setParams(challenge);
  248.                 current.process();
  249.                 return current;
  250.             }
  251.         }
  252.         if (current != null) {
  253.             current.close();
  254.         }
  255.         while (clientAuthentications.hasNext()) {
  256.             HttpAuthenticationHandler next = clientAuthentications.next();
  257.             if (!next.isDone()) {
  258.                 AuthenticationChallenge challenge = getByName(challenges,
  259.                         next.getName());
  260.                 if (challenge != null) {
  261.                     next.setParams(challenge);
  262.                     next.start();
  263.                     return next;
  264.                 }
  265.             }
  266.         }
  267.         return null;
  268.     }

  270.     private AuthenticationChallenge getByName(
  271.             List<AuthenticationChallenge> challenges,
  272.             String name) {
  273.         return challenges.stream()
  274.                 .filter(c -> c.getMechanism().equalsIgnoreCase(name))
  275.                 .findFirst().orElse(null);
  276.     }

  278.     private interface HttpAuthenticationHandler
  279.             extends AuthenticationHandler<AuthenticationChallenge, String> {

  281.         public String getName();
  282.     }

  284.     /**
  285.      * @see <a href="https://tools.ietf.org/html/rfc7617">RFC 7617</a>
  286.      */
  287.     private class HttpBasicAuthentication
  288.             extends BasicAuthentication<AuthenticationChallenge, String>
  289.             implements HttpAuthenticationHandler {

  291.         private boolean asked;

  293.         public HttpBasicAuthentication() {
  294.             super(proxyAddress, proxyUser, proxyPassword);
  295.         }

  297.         @Override
  298.         public String getName() {
  299.             return "Basic"; //$NON-NLS-1$
  300.         }

  302.         @Override
  303.         protected void askCredentials() {
  304.             // We ask only once.
  305.             if (asked) {
  306.                 throw new IllegalStateException(
  307.                         "Basic auth: already asked user for password"); //$NON-NLS-1$
  308.             }
  309.             asked = true;
  310.             super.askCredentials();
  311.             done = true;
  312.         }

  314.         @Override
  315.         public String getToken() throws Exception {
  316.             if (user.indexOf(':') >= 0) {
  317.                 throw new IOException(format(
  318.                         SshdText.get().proxyHttpInvalidUserName, proxy, user));
  319.             }
  320.             byte[] rawUser = user.getBytes(UTF_8);
  321.             byte[] toEncode = new byte[rawUser.length + 1 + password.length];
  322.             System.arraycopy(rawUser, 0, toEncode, 0, rawUser.length);
  323.             toEncode[rawUser.length] = ':';
  324.             System.arraycopy(password, 0, toEncode, rawUser.length + 1,
  325.                     password.length);
  326.             Arrays.fill(password, (byte) 0);
  327.             String result = Base64.encodeBytes(toEncode);
  328.             Arrays.fill(toEncode, (byte) 0);
  329.             return getName() + ' ' + result;
  330.         }

  332.     }

  334.     /**
  335.      * @see <a href="https://tools.ietf.org/html/rfc4559">RFC 4559</a>
  336.      */
  337.     private class NegotiateAuthentication
  338.             extends GssApiAuthentication<AuthenticationChallenge, String>
  339.             implements HttpAuthenticationHandler {

  341.         public NegotiateAuthentication() {
  342.             super(proxyAddress);
  343.         }

  345.         @Override
  346.         public String getName() {
  347.             return "Negotiate"; //$NON-NLS-1$
  348.         }

  350.         @Override
  351.         public String getToken() throws Exception {
  352.             return getName() + ' ' + Base64.encodeBytes(token);
  353.         }

  355.         @Override
  356.         protected GSSContext createContext() throws Exception {
  357.             return GssApiMechanisms.createContext(GssApiMechanisms.SPNEGO,
  358.                     GssApiMechanisms.getCanonicalName(proxyAddress));
  359.         }

  361.         @Override
  362.         protected byte[] extractToken(AuthenticationChallenge input)
  363.                 throws Exception {
  364.             String received = input.getToken();
  365.             if (received == null) {
  366.                 return new byte[0];
  367.             }
  368.             return Base64.decode(received);
  369.         }

  371.     }
  372. }
Created with JaCoCo 0.8.7.202105040129