maven-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ol...@apache.org
Subject [05/15] maven-aether git commit: Bug 445283 - HTTP transporter can mistake server authentication for proxy authentication
Date Sun, 01 May 2016 10:57:03 GMT
Bug 445283 - HTTP transporter can mistake server authentication for proxy authentication

Stored server and proxy credentials in separate providers and used new DemuxCredentialsProvider
to delegate to one of those providers depending on host in auth request


Project: http://git-wip-us.apache.org/repos/asf/maven-aether/repo
Commit: http://git-wip-us.apache.org/repos/asf/maven-aether/commit/535df408
Tree: http://git-wip-us.apache.org/repos/asf/maven-aether/tree/535df408
Diff: http://git-wip-us.apache.org/repos/asf/maven-aether/diff/535df408

Branch: refs/heads/1.0.x
Commit: 535df4084a29e9aa91a7d0bbeac5a5e6e7948454
Parents: e114670
Author: Benjamin Bentmann <bentmann@sonatype.com>
Authored: Tue Nov 11 15:00:35 2014 +0100
Committer: Benjamin Bentmann <bentmann@sonatype.com>
Committed: Tue Nov 11 15:00:35 2014 +0100

----------------------------------------------------------------------
 .../http/DemuxCredentialsProvider.java          | 67 ++++++++++++++++++++
 .../aether/transport/http/HttpTransporter.java  | 28 +++++---
 .../transport/http/HttpTransporterTest.java     | 42 +++++++++++-
 3 files changed, 126 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/maven-aether/blob/535df408/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/DemuxCredentialsProvider.java
----------------------------------------------------------------------
diff --git a/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/DemuxCredentialsProvider.java
b/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/DemuxCredentialsProvider.java
new file mode 100644
index 0000000..4b89639
--- /dev/null
+++ b/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/DemuxCredentialsProvider.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sonatype, Inc.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *    Sonatype, Inc. - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.aether.transport.http;
+
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.Credentials;
+import org.apache.http.client.CredentialsProvider;
+
+/**
+ * Credentials provider that helps to isolate server from proxy credentials. Apache HttpClient
uses a single provider
+ * for both server and proxy auth, using the auth scope (host, port, etc.) to select the
proper credentials. With regard
+ * to redirects, we use an auth scope for server credentials that's not specific enough to
not be mistaken for proxy
+ * auth. This provider helps to maintain the proper isolation.
+ */
+final class DemuxCredentialsProvider
+    implements CredentialsProvider
+{
+
+    private final CredentialsProvider serverCredentialsProvider;
+
+    private final CredentialsProvider proxyCredentialsProvider;
+
+    private final HttpHost proxy;
+
+    public DemuxCredentialsProvider( CredentialsProvider serverCredentialsProvider,
+                                     CredentialsProvider proxyCredentialsProvider, HttpHost
proxy )
+    {
+        this.serverCredentialsProvider = serverCredentialsProvider;
+        this.proxyCredentialsProvider = proxyCredentialsProvider;
+        this.proxy = proxy;
+    }
+
+    private CredentialsProvider getDelegate( AuthScope authScope )
+    {
+        if ( proxy.getPort() == authScope.getPort() && proxy.getHostName().equalsIgnoreCase(
authScope.getHost() ) )
+        {
+            return proxyCredentialsProvider;
+        }
+        return serverCredentialsProvider;
+    }
+
+    public Credentials getCredentials( AuthScope authScope )
+    {
+        return getDelegate( authScope ).getCredentials( authScope );
+    }
+
+    public void setCredentials( AuthScope authScope, Credentials credentials )
+    {
+        getDelegate( authScope ).setCredentials( authScope, credentials );
+    }
+
+    public void clear()
+    {
+        serverCredentialsProvider.clear();
+        proxyCredentialsProvider.clear();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/maven-aether/blob/535df408/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/HttpTransporter.java
----------------------------------------------------------------------
diff --git a/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/HttpTransporter.java
b/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/HttpTransporter.java
index 1eda25e..001d760 100644
--- a/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/HttpTransporter.java
+++ b/aether-transport-http/src/main/java/org/eclipse/aether/transport/http/HttpTransporter.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2013 Sonatype, Inc.
+ * Copyright (c) 2013, 2014 Sonatype, Inc.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -32,6 +32,7 @@ import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.params.AuthParams;
+import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.HttpResponseException;
 import org.apache.http.client.methods.HttpGet;
@@ -134,13 +135,7 @@ final class HttpTransporter
 
         configureClient( client.getParams(), session, repository, proxy );
 
-        DeferredCredentialsProvider credsProvider = new DeferredCredentialsProvider();
-        addCredentials( credsProvider, server.getHostName(), AuthScope.ANY_PORT, repoAuthContext
);
-        if ( proxy != null )
-        {
-            addCredentials( credsProvider, proxy.getHostName(), proxy.getPort(), proxyAuthContext
);
-        }
-        client.setCredentialsProvider( credsProvider );
+        client.setCredentialsProvider( toCredentialsProvider( server, repoAuthContext, proxy,
proxyAuthContext ) );
 
         this.client = new DecompressingHttpClient( client );
     }
@@ -182,9 +177,21 @@ final class HttpTransporter
                                                                         ConfigurationProperties.USER_AGENT
) );
     }
 
-    private static void addCredentials( DeferredCredentialsProvider provider, String host,
int port,
-                                        AuthenticationContext ctx )
+    private static CredentialsProvider toCredentialsProvider( HttpHost server, AuthenticationContext
serverAuthCtx,
+                                                              HttpHost proxy, AuthenticationContext
proxyAuthCtx )
+    {
+        CredentialsProvider provider = toCredentialsProvider( server.getHostName(), AuthScope.ANY_PORT,
serverAuthCtx );
+        if ( proxy != null )
+        {
+            CredentialsProvider p = toCredentialsProvider( proxy.getHostName(), proxy.getPort(),
proxyAuthCtx );
+            provider = new DemuxCredentialsProvider( provider, p, proxy );
+        }
+        return provider;
+    }
+
+    private static CredentialsProvider toCredentialsProvider( String host, int port, AuthenticationContext
ctx )
     {
+        DeferredCredentialsProvider provider = new DeferredCredentialsProvider();
         if ( ctx != null )
         {
             AuthScope basicScope = new AuthScope( host, port );
@@ -193,6 +200,7 @@ final class HttpTransporter
             AuthScope ntlmScope = new AuthScope( host, port, AuthScope.ANY_REALM, "ntlm"
);
             provider.setCredentials( ntlmScope, new DeferredCredentialsProvider.NtlmFactory(
ctx ) );
         }
+        return provider;
     }
 
     LocalState getState()

http://git-wip-us.apache.org/repos/asf/maven-aether/blob/535df408/aether-transport-http/src/test/java/org/eclipse/aether/transport/http/HttpTransporterTest.java
----------------------------------------------------------------------
diff --git a/aether-transport-http/src/test/java/org/eclipse/aether/transport/http/HttpTransporterTest.java
b/aether-transport-http/src/test/java/org/eclipse/aether/transport/http/HttpTransporterTest.java
index 16fe0c4..1c85c38 100644
--- a/aether-transport-http/src/test/java/org/eclipse/aether/transport/http/HttpTransporterTest.java
+++ b/aether-transport-http/src/test/java/org/eclipse/aether/transport/http/HttpTransporterTest.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2013 Sonatype, Inc.
+ * Copyright (c) 2013, 2014 Sonatype, Inc.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -1042,6 +1042,46 @@ public class HttpTransporterTest
     }
 
     @Test
+    public void testServerAuthScope_NotUsedForProxy()
+        throws Exception
+    {
+        String username = "testuser", password = "testpass";
+        httpServer.setProxyAuthentication( username, password );
+        auth = new AuthenticationBuilder().addUsername( username ).addPassword( password
).build();
+        proxy = new Proxy( Proxy.TYPE_HTTP, httpServer.getHost(), httpServer.getHttpPort()
);
+        newTransporter( "http://" + httpServer.getHost() + ":12/" );
+        try
+        {
+            transporter.get( new GetTask( URI.create( "repo/file.txt" ) ) );
+            fail( "Server auth must not be used as proxy auth" );
+        }
+        catch ( HttpResponseException e )
+        {
+            assertEquals( 407, e.getStatusCode() );
+        }
+    }
+
+    @Test
+    public void testProxyAuthScope_NotUsedForServer()
+        throws Exception
+    {
+        String username = "testuser", password = "testpass";
+        httpServer.setAuthentication( username, password );
+        Authentication auth = new AuthenticationBuilder().addUsername( username ).addPassword(
password ).build();
+        proxy = new Proxy( Proxy.TYPE_HTTP, httpServer.getHost(), httpServer.getHttpPort(),
auth );
+        newTransporter( "http://" + httpServer.getHost() + ":12/" );
+        try
+        {
+            transporter.get( new GetTask( URI.create( "repo/file.txt" ) ) );
+            fail( "Proxy auth must not be used as server auth" );
+        }
+        catch ( HttpResponseException e )
+        {
+            assertEquals( 401, e.getStatusCode() );
+        }
+    }
+
+    @Test
     public void testAuthSchemeReuse()
         throws Exception
     {


Mime
View raw message