Add separate flags for requesting and checking mutual auth status.

Update some debug/exception messages

Author: stoty

httpclient5/src/main/java/org/apache/hc/client5/http/auth/gss/GssConfig.java

@@ -49,31 +49,34 @@ public class GssConfig implements Cloneable {
 
     public static final GssConfig DEFAULT = new Builder().build();
     public static final GssConfig LEGACY =
-            new Builder().setIgnoreMissingToken(true).setRequestMutualAuth(false).build();
+            new Builder().setIgnoreMissingToken(true).setRequireMutualAuth(false).build();
 
     private final boolean addPort;
     private final boolean useCanonicalHostname;
     private final boolean requestMutualAuth;
+    private final boolean requireMutualAuth;
     private final boolean requestDelegCreds;
     private final boolean ignoreMissingToken;
 
     /**
      * Intended for CDI compatibility
     */
     protected GssConfig() {
-        this(false, false, true, false, false);
+        this(false, false, true, true, false, false);
     }
 
     GssConfig(
             final boolean addPort,
             final boolean useCanonicalHostname,
             final boolean requestMutualAuth,
+            final boolean requireMutualAuth,
             final boolean requestDelegCreds,
             final boolean ignoreMissingToken) {
         super();
         this.addPort = addPort;
         this.useCanonicalHostname = useCanonicalHostname;
         this.requestMutualAuth = requestMutualAuth;
+        this.requireMutualAuth = requireMutualAuth;
         this.requestDelegCreds = requestDelegCreds;
         this.ignoreMissingToken = ignoreMissingToken;
     }
@@ -94,6 +97,10 @@ public boolean isRequestMutualAuth() {
         return requestMutualAuth;
     }
 
+    public boolean isRequireMutualAuth() {
+        return requireMutualAuth;
+    }
+
     public boolean isIgnoreMissingToken() {
         return ignoreMissingToken;
     }
@@ -111,6 +118,7 @@ public String toString() {
         builder.append(", useCanonicalHostname=").append(useCanonicalHostname);
         builder.append(", requestDelegCreds=").append(requestDelegCreds);
         builder.append(", requestMutualAuth=").append(requestMutualAuth);
+        builder.append(", requireMutualAuth=").append(requireMutualAuth);
         builder.append(", ignoreMissingToken=").append(ignoreMissingToken);
         builder.append("]");
         return builder.toString();
@@ -125,6 +133,7 @@ public static GssConfig.Builder copy(final GssConfig config) {
                 .setAddPort(config.isAddPort())
                 .setUseCanonicalHostname(config.isUseCanonicalHostname())
                 .setRequestDelegCreds(config.isRequestDelegCreds())
+                .setRequireMutualAuth(config.isRequireMutualAuth())
                 .setRequestMutualAuth(config.isRequestMutualAuth())
                 .setIgnoreMissingToken(config.isIgnoreMissingToken());
     }
@@ -134,6 +143,7 @@ public static class Builder {
         private boolean addPort = false;
         private boolean useCanonicalHostname = false;
         private boolean requestMutualAuth = true;
+        private boolean requireMutualAuth = true;
         private boolean requestDelegCreds = false;
         private boolean ignoreMissingToken = false;
 
@@ -157,6 +167,11 @@ public Builder setRequestMutualAuth(final boolean requestMutualAuth) {
             return this;
         }
 
+        public Builder setRequireMutualAuth(final boolean requireMutualAuth) {
+            this.requireMutualAuth = requireMutualAuth;
+            return this;
+        }
+
         public Builder setRequestDelegCreds(final boolean requuestDelegCreds) {
             this.requestDelegCreds = requuestDelegCreds;
             return this;
@@ -168,13 +183,17 @@ public Builder setIgnoreMissingToken(final boolean ignoreMissingToken) {
         }
 
         public GssConfig build() {
-            if (requestMutualAuth && ignoreMissingToken) {
-                throw new IllegalArgumentException("If requestMutualAuth is set then ignoreMissingToken must not be set");
+            if (requireMutualAuth && ignoreMissingToken) {
+                throw new IllegalArgumentException("If requireMutualAuth is set then ignoreMissingToken must not be set");
+            }
+            if (requireMutualAuth && !requestMutualAuth) {
+                throw new IllegalArgumentException("If requireMutualAuth is set then requestMutualAuth must also be set");
             }
             return new GssConfig(
                     addPort,
                     useCanonicalHostname,
                     requestMutualAuth,
+                    requireMutualAuth,
                     requestDelegCreds,
                     ignoreMissingToken
                     );

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/gss/GssSchemeBase.java

@@ -84,7 +84,7 @@ enum State {
     private static final int MAX_GSS_CHALLENGES = 3;
     private final GssConfig config;
     private final DnsResolver dnsResolver;
-    private final boolean mutualAuth;
+    private final boolean requireMutualAuth;
     private final boolean ignoreMissingToken;
     private int challengesLeft = MAX_GSS_CHALLENGES;
 
@@ -99,7 +99,7 @@ enum State {
         super();
         this.config = config != null ? config : GssConfig.DEFAULT;
         this.dnsResolver = dnsResolver != null ? dnsResolver : SystemDefaultDnsResolver.INSTANCE;
-        this.mutualAuth = config.isRequestMutualAuth();
+        this.requireMutualAuth = config.isRequireMutualAuth();
         this.ignoreMissingToken = config.isIgnoreMissingToken();
         this.state = State.UNINITIATED;
     }
@@ -186,7 +186,7 @@ public void processChallenge(
             case TOKEN_SENT:
                 if (challengeToken == null) {
                     if (!challenged && ignoreMissingToken) {
-                        // Got a 200 without a challenge. Old non RFC compliant server.
+                        // Got a Non 401/407 code without a challenge. Old non RFC compliant server.
                         if (LOG.isDebugEnabled()) {
                             final HttpClientContext clientContext = HttpClientContext.cast(context);
                             final String exchangeId = clientContext.getExchangeId();
@@ -213,23 +213,32 @@ public void processChallenge(
                     if (LOG.isDebugEnabled()) {
                         final HttpClientContext clientContext = HttpClientContext.cast(context);
                         final String exchangeId = clientContext.getExchangeId();
-                        LOG.debug("{} GSSContext is not established ", exchangeId);
+                        LOG.debug("{} GSSContext is not established.", exchangeId);
                     }
                     state = State.FAILED;
                     // TODO should we have specific exception(s) for these ?
                     throw new AuthenticationException(
-                            "requireMutualAuth is set but GSSContext is not established");
-                } else if (mutualAuth && !gssContext.getMutualAuthState()) {
-                    if (LOG.isDebugEnabled()) {
-                        final HttpClientContext clientContext = HttpClientContext.cast(context);
-                        final String exchangeId = clientContext.getExchangeId();
-                        LOG.debug("{} requireMutualAuth is set but GSSAUthContext does not have"
-                                + " mutualAuthState set",
-                            exchangeId);
+                            "GSSContext is not established.");
+                } else if (!gssContext.getMutualAuthState()) {
+                    if (requireMutualAuth) {
+                        if (LOG.isDebugEnabled()) {
+                            final HttpClientContext clientContext = HttpClientContext.cast(context);
+                            final String exchangeId = clientContext.getExchangeId();
+                            LOG.debug("{} requireMutualAuth is true but GSSContext mutualAuthState is false",
+                                exchangeId);
+                        }
+                        state = State.FAILED;
+                        throw new AuthenticationException(
+                                "requireMutualAuth is true but GSSContext mutualAuthState is false");
+                    } else {
+                        if (LOG.isDebugEnabled()) {
+                            final HttpClientContext clientContext = HttpClientContext.cast(context);
+                            final String exchangeId = clientContext.getExchangeId();
+                            LOG.debug("{} GSSContext MutualAuthState is false, but continuing because GssConfig.requireMutualAuth is false.",
+                                exchangeId);
+                        }
+                        state = State.FAILED;
                     }
-                    state = State.FAILED;
-                    throw new AuthenticationException(
-                            "requireMutualAuth is set but GSSContext mutualAuthState is not set");
                 } else {
                     state = State.SUCCEEDED;
                 }
@@ -289,7 +298,7 @@ protected GSSContext createGSSContext(
             final GSSCredential gssCredential) throws GSSException {
         final GSSContext gssContext = manager.createContext(peerName.canonicalize(oid), oid, gssCredential,
                 GSSContext.DEFAULT_LIFETIME);
-        gssContext.requestMutualAuth(mutualAuth);
+        gssContext.requestMutualAuth(config.isRequestMutualAuth());
         gssContext.requestCredDeleg(config.isRequestDelegCreds());
         return gssContext;
     }