rewrite GSS established logic, and add new option for compatibility for non-compliant servers

Author: stoty

httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/async/HttpAsyncClientCompatibilityTest.java

@@ -87,7 +87,7 @@ public HttpAsyncClientCompatibilityTest(
                 secretPath = "/private_spnego/big-secret.txt";
                 this.clientResource.configure(builder -> builder
                     .setTargetAuthenticationStrategy(new SpnegoAuthenticationStrategy())
-                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getSpnegoSchemeRegistry()));
+                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getDefaultSpnegoSchemeRegistry()));
             }
         }
         if (proxy != null) {
@@ -100,7 +100,7 @@ public HttpAsyncClientCompatibilityTest(
                     // but that's not a problem as SPNEGO cannot be proxied anyway.
                     this.clientResource.configure(builder ->
                     builder.setProxyAuthenticationStrategy(new SpnegoAuthenticationStrategy())
-                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getSpnegoSchemeRegistryNoMutual()));
+                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getLegacySpnegoSchemeRegistry()));
                 }
             }
         }

httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/spnego/SpnegoTestUtil.java

@@ -46,10 +46,8 @@
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 
-import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.auth.AuthSchemeFactory;
 import org.apache.hc.client5.http.auth.StandardAuthScheme;
-import org.apache.hc.client5.http.auth.gss.GssConfig;
 import org.apache.hc.client5.http.auth.gss.GssCredentials;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory;
@@ -65,11 +63,6 @@
 
 public class SpnegoTestUtil {
 
-    static private final GssConfig NO_MUTUAL_KERBEROS_CONFIG =
-            GssConfig.custom().setRequestMutualAuth(false).build();
-    static private final SpnegoSchemeFactory NO_MUTUAL_SCHEME_FACTORY =
-            new SpnegoSchemeFactory(NO_MUTUAL_KERBEROS_CONFIG, SystemDefaultDnsResolver.INSTANCE);
-
     public static GssCredentials createCredentials(final Subject subject) {
         return SecurityUtils.callAs(subject, new Callable<GssCredentials>() {
             @Override
@@ -89,7 +82,7 @@ public static Path createKeytabDir() {
         }
     }
 
-    public static Registry<AuthSchemeFactory> getSpnegoSchemeRegistry() {
+    public static Registry<AuthSchemeFactory> getDefaultSpnegoSchemeRegistry() {
         return RegistryBuilder.<AuthSchemeFactory>create()
                 .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)
                 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
@@ -100,12 +93,12 @@ public static Registry<AuthSchemeFactory> getSpnegoSchemeRegistry() {
     }
 
     //Squid does not support mutual auth
-    public static Registry<AuthSchemeFactory> getSpnegoSchemeRegistryNoMutual() {
+    public static Registry<AuthSchemeFactory> getLegacySpnegoSchemeRegistry() {
         return RegistryBuilder.<AuthSchemeFactory>create()
                 .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)
                 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
                 .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
-                .register(StandardAuthScheme.SPNEGO, NO_MUTUAL_SCHEME_FACTORY)
+                .register(StandardAuthScheme.SPNEGO, SpnegoSchemeFactory.LEGACY)
                 // register other schemes as needed
                 .build();
     }

httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/sync/HttpClientCompatibilityTest.java

@@ -72,7 +72,7 @@ public HttpClientCompatibilityTest(final HttpHost target, final Credentials targ
                 secretPath = "/private_spnego/big-secret.txt";
                 this.clientResource.configure(builder -> builder
                     .setTargetAuthenticationStrategy(new SpnegoAuthenticationStrategy())
-                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getSpnegoSchemeRegistry()));
+                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getDefaultSpnegoSchemeRegistry()));
             }
         }
         if (proxy != null) {
@@ -85,7 +85,7 @@ public HttpClientCompatibilityTest(final HttpHost target, final Credentials targ
                     // but that's not a problem as SPNEGO cannot be proxied anyway.
                     this.clientResource.configure(builder ->
                     builder.setProxyAuthenticationStrategy(new SpnegoAuthenticationStrategy())
-                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getSpnegoSchemeRegistryNoMutual()));
+                    .setDefaultAuthSchemeRegistry(SpnegoTestUtil.getLegacySpnegoSchemeRegistry()));
                 }
             }
         }

httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSpnegoScheme.java

@@ -420,7 +420,7 @@ void testMutualFailureNoToken() throws Exception {
             Assertions.assertTrue(e.getCause() instanceof AuthenticationException);
         }
 
-        Mockito.verify(mockAuthScheme.context, Mockito.atLeastOnce()).isEstablished();
+        Mockito.verify(mockAuthScheme.context, Mockito.never()).isEstablished();
         Mockito.verify(mockAuthScheme.context, Mockito.never()).getMutualAuthState();
     }
 

httpclient5/src/main/java/org/apache/hc/client5/http/auth/gss/GssConfig.java

@@ -48,29 +48,34 @@ public class GssConfig implements Cloneable {
 
 
     public static final GssConfig DEFAULT = new Builder().build();
+    public static final GssConfig LEGACY =
+            new Builder().setIgnoreMissingToken(true).setRequestMutualAuth(false).build();
 
     private final boolean addPort;
     private final boolean useCanonicalHostname;
     private final boolean requestMutualAuth;
     private final boolean requestDelegCreds;
+    private final boolean ignoreMissingToken;
 
     /**
      * Intended for CDI compatibility
     */
     protected GssConfig() {
-        this(false, false, true, false);
+        this(false, false, true, false, false);
     }
 
     GssConfig(
             final boolean addPort,
             final boolean useCanonicalHostname,
             final boolean requestMutualAuth,
-            final boolean requestDelegCreds) {
+            final boolean requestDelegCreds,
+            final boolean ignoreMissingToken) {
         super();
         this.addPort = addPort;
         this.useCanonicalHostname = useCanonicalHostname;
         this.requestMutualAuth = requestMutualAuth;
         this.requestDelegCreds = requestDelegCreds;
+        this.ignoreMissingToken = ignoreMissingToken;
     }
 
     public boolean isAddPort() {
@@ -89,6 +94,10 @@ public boolean isRequestMutualAuth() {
         return requestMutualAuth;
     }
 
+    public boolean isIgnoreMissingToken() {
+        return ignoreMissingToken;
+    }
+
     @Override
     protected GssConfig clone() throws CloneNotSupportedException {
         return (GssConfig) super.clone();
@@ -102,6 +111,7 @@ public String toString() {
         builder.append(", useCanonicalHostname=").append(useCanonicalHostname);
         builder.append(", requestDelegCreds=").append(requestDelegCreds);
         builder.append(", requestMutualAuth=").append(requestMutualAuth);
+        builder.append(", ignoreMissingToken=").append(ignoreMissingToken);
         builder.append("]");
         return builder.toString();
     }
@@ -115,7 +125,8 @@ public static GssConfig.Builder copy(final GssConfig config) {
                 .setAddPort(config.isAddPort())
                 .setUseCanonicalHostname(config.isUseCanonicalHostname())
                 .setRequestDelegCreds(config.isRequestDelegCreds())
-                .setRequestMutualAuth(config.isRequestMutualAuth());
+                .setRequestMutualAuth(config.isRequestMutualAuth())
+                .setIgnoreMissingToken(config.isIgnoreMissingToken());
     }
 
     public static class Builder {
@@ -124,6 +135,8 @@ public static class Builder {
         private boolean useCanonicalHostname = false;
         private boolean requestMutualAuth = true;
         private boolean requestDelegCreds = false;
+        private boolean ignoreMissingToken = false;
+
 
         Builder() {
             super();
@@ -149,12 +162,21 @@ public Builder setRequestDelegCreds(final boolean requuestDelegCreds) {
             return this;
         }
 
+        public Builder setIgnoreMissingToken(final boolean ignoreMissingToken) {
+            this.ignoreMissingToken = ignoreMissingToken;
+            return this;
+        }
+
         public GssConfig build() {
+            if (requestMutualAuth && ignoreMissingToken) {
+                throw new IllegalArgumentException("If requestMutualAuth is set then ignoreMissingToken must not be set");
+            }
             return new GssConfig(
                     addPort,
                     useCanonicalHostname,
                     requestMutualAuth,
-                    requestDelegCreds
+                    requestDelegCreds,
+                    ignoreMissingToken
                     );
         }
 

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java

@@ -121,8 +121,7 @@ public boolean isChallenged(
     }
 
     /**
-     * Determines whether the given response represents an authentication challenge, without
-     * changing the {@link AuthExchange} state.
+     * Determines whether the response is 401/407 response depending to the challengeType
      *
      * @param challengeType the challenge type (target or proxy).
      * @param response the response message head.

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/gss/GssSchemeBase.java

@@ -77,7 +77,6 @@ enum State {
     }
 
     private static final Logger LOG = LoggerFactory.getLogger(GssSchemeBase.class);
-    private static final String NO_TOKEN = "";
     private static final String KERBEROS_SCHEME = "HTTP";
 
     // The GSS spec does not specify how long the conversation can be. This should be plenty.
@@ -86,6 +85,7 @@ enum State {
     private final GssConfig config;
     private final DnsResolver dnsResolver;
     private final boolean mutualAuth;
+    private final boolean ignoreMissingToken;
     private int challengesLeft = MAX_GSS_CHALLENGES;
 
     /** Authentication process state */
@@ -100,6 +100,7 @@ enum State {
         this.config = config != null ? config : GssConfig.DEFAULT;
         this.dnsResolver = dnsResolver != null ? dnsResolver : SystemDefaultDnsResolver.INSTANCE;
         this.mutualAuth = config.isRequestMutualAuth();
+        this.ignoreMissingToken = config.isIgnoreMissingToken();
         this.state = State.UNINITIATED;
     }
 
@@ -167,10 +168,10 @@ public void processChallenge(
             LOG.debug("{} GSS init {}", exchangeId, gssHostname);
         }
         try {
-            setGssCredential(HttpClientContext.cast(context).getCredentialsProvider(), host, context);
-            queuedToken = generateToken(challengeToken, KERBEROS_SCHEME, gssHostname);
             switch (state) {
             case UNINITIATED:
+                setGssCredential(HttpClientContext.cast(context).getCredentialsProvider(), host, context);
+                queuedToken = generateToken(challengeToken, KERBEROS_SCHEME, gssHostname);
                 if (challengeToken != null) {
                     if (LOG.isDebugEnabled()) {
                         final HttpClientContext clientContext = HttpClientContext.cast(context);
@@ -183,35 +184,54 @@ public void processChallenge(
                 state = State.TOKEN_READY;
                 break;
             case TOKEN_SENT:
-                if (challenged) {
-                    state = State.TOKEN_READY;
-                } else if (mutualAuth) {
-                    // We should have received a valid mutualAuth token
-                    if (!gssContext.isEstablished()) {
+                if (challengeToken == null) {
+                    if (!challenged && ignoreMissingToken) {
+                        // Got a 200 without a challenge. Old non RFC compliant server.
                         if (LOG.isDebugEnabled()) {
-                            final HttpClientContext clientContext =
-                                    HttpClientContext.cast(context);
+                            final HttpClientContext clientContext = HttpClientContext.cast(context);
                             final String exchangeId = clientContext.getExchangeId();
-                            LOG.debug("{} GSSContext is not established ", exchangeId);
+                            LOG.debug("{} GSS Context is not established, but continuing because GssConfig.ignoreMissingToken is true.", exchangeId);
                         }
-                        state = State.FAILED;
-                        // TODO should we have specific exception(s) for these ?
-                        throw new AuthenticationException(
-                                "requireMutualAuth is set but GSSContext is not established");
-                    } else if (!gssContext.getMutualAuthState()) {
+                        state = State.SUCCEEDED;
+                        break;
+                    } else {
                         if (LOG.isDebugEnabled()) {
-                            final HttpClientContext clientContext =
-                                    HttpClientContext.cast(context);
+                            final HttpClientContext clientContext = HttpClientContext.cast(context);
                             final String exchangeId = clientContext.getExchangeId();
-                            LOG.debug("{} requireMutualAuth is set but GSSAUthContext does not have"
-                                    + " mutualAuthState set", exchangeId);
+                            LOG.debug("{} Did not receive required challenge and GssConfig.ignoreMissingToken is false.",
+                                exchangeId);
                         }
                         state = State.FAILED;
                         throw new AuthenticationException(
-                                "requireMutualAuth is set but GSSContext mutualAuthState is not set");
-                    } else {
-                        state = State.SUCCEEDED;
+                                "Did not receive required challenge and GssConfig.ignoreMissingToken is false.");
+                    }
+                }
+                queuedToken = generateToken(challengeToken, KERBEROS_SCHEME, gssHostname);
+                if (challenged) {
+                    state = State.TOKEN_READY;
+                } else if (!gssContext.isEstablished()) {
+                    if (LOG.isDebugEnabled()) {
+                        final HttpClientContext clientContext = HttpClientContext.cast(context);
+                        final String exchangeId = clientContext.getExchangeId();
+                        LOG.debug("{} GSSContext is not established ", exchangeId);
+                    }
+                    state = State.FAILED;
+                    // TODO should we have specific exception(s) for these ?
+                    throw new AuthenticationException(
+                            "requireMutualAuth is set but GSSContext is not established");
+                } else if (mutualAuth && !gssContext.getMutualAuthState()) {
+                    if (LOG.isDebugEnabled()) {
+                        final HttpClientContext clientContext = HttpClientContext.cast(context);
+                        final String exchangeId = clientContext.getExchangeId();
+                        LOG.debug("{} requireMutualAuth is set but GSSAUthContext does not have"
+                                + " mutualAuthState set",
+                            exchangeId);
                     }
+                    state = State.FAILED;
+                    throw new AuthenticationException(
+                            "requireMutualAuth is set but GSSContext mutualAuthState is not set");
+                } else {
+                    state = State.SUCCEEDED;
                 }
                 break;
             default:
@@ -289,7 +309,7 @@ public boolean isChallengeComplete() {
 
     @Override
     public boolean isChallengeExpected() {
-        return state == State.TOKEN_SENT && mutualAuth;
+        return state == State.TOKEN_SENT;
     }
 
     @Override
@@ -301,7 +321,6 @@ public boolean isResponseReady(
         Args.notNull(host, "Auth host");
         Args.notNull(credentialsProvider, "CredentialsProvider");
 
-        setGssCredential(credentialsProvider, host, context);
         return true;
     }
 

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/gss/SpnegoSchemeFactory.java

@@ -56,6 +56,9 @@ public class SpnegoSchemeFactory implements AuthSchemeFactory {
     public static final SpnegoSchemeFactory DEFAULT = new SpnegoSchemeFactory(org.apache.hc.client5.http.auth.gss.GssConfig.DEFAULT,
             SystemDefaultDnsResolver.INSTANCE);
 
+    public static final SpnegoSchemeFactory LEGACY = new SpnegoSchemeFactory(org.apache.hc.client5.http.auth.gss.GssConfig.LEGACY,
+        SystemDefaultDnsResolver.INSTANCE);
+
     private final org.apache.hc.client5.http.auth.gss.GssConfig config;
     private final DnsResolver dnsResolver;