Do authentication re-tries on HTTP POST

There is at least one git server out there (GOGS) that does
not require authentication on the initial GET for
info/refs?service=git-receive-pack but that _does_ require
authentication for the subsequent POST to actually do the push.

This occurs on GOGS with public repositories; for private
repositories it wants authentication up front.

Handle this behavior by adding 401 handling to our POST request.
Note that this is suboptimal; we'll re-send the push data at
least twice if an authentication failure on POST occurs. It
would be much better if the server required authentication
up-front in the GET request.

Added authentication unit tests (using BASIC auth) to the
SmartClientSmartServerTest:

- clone with authentication
- clone with authentication but lacking CredentialsProvider
- clone with authentication and wrong password
- clone with authentication after redirect
- clone with authentication only on POST, but not on GET

Also tested manually in the wild using repositories at try.gogs.io.
That server offers only BASIC auth, so the other paths
(DIGEST, NEGOTIATE, fall back from DIGEST to BASIC) are untested
and I have no way to test them.

* public repository: GET unauthenticated, POST authenticated
  Also tested after clearing the credentials and then entering a
  wrong password: correctly asks three times during the HTTP
  POST for user name and password, then gives up.
* private repository: authentication already on GET; then gets
  applied correctly initially to the POST request, which succeeds.

Also fix the authentication to use the credentials for the redirected
URI if redirects had occurred. We must not present the credentials
for the original URI in that case. Consider a malicious redirect A->B:
this would allow server B to harvest the user credentials for server
A. The unit test for authentication after a redirect also tests for
this.

Bug: 513043
Change-Id: I97ee5058569efa1545a6c6f6edfd2b357c40592a
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>

3 files changed, 124 insertions, 24 deletions

diff --git a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
index bf2a4a2e0f..c532b328db 100644
--- a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
+++ b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
@@ -365,7 +365,7 @@ invalidPathContainsSeparator=Invalid path (contains separator ''{0}''): {1}
 invalidPathPeriodAtEndWindows=Invalid path (period at end is ignored by Windows): {0}
 invalidPathSpaceAtEndWindows=Invalid path (space at end is ignored by Windows): {0}
 invalidPathReservedOnWindows=Invalid path (''{0}'' is reserved on Windows): {1}
-invalidRedirectLocation=Redirect or URI ''{0}'': invalid redirect location {1} -> {2}
+invalidRedirectLocation=Invalid redirect location {1} -> {2}
 invalidReflogRevision=Invalid reflog revision: {0}
 invalidRefName=Invalid ref name: {0}
 invalidReftableBlock=Invalid reftable block
@@ -587,7 +587,7 @@ secondsAgo={0} seconds ago
 selectingCommits=Selecting commits
 sequenceTooLargeForDiffAlgorithm=Sequence too large for difference algorithm.
 serviceNotEnabledNoName=Service not enabled
-serviceNotPermitted={0} not permitted
+serviceNotPermitted={1} not permitted on ''{0}''
 sha1CollisionDetected1=SHA-1 collision detected on {0}
 shallowCommitsAlreadyInitialized=Shallow commits have already been initialized
 shallowPacksRequireDepthWalk=Shallow packs require a DepthWalk
@@ -636,6 +636,7 @@ timeIsUncertain=Time is uncertain
 timerAlreadyTerminated=Timer already terminated
 tooManyCommands=Too many commands
 tooManyIncludeRecursions=Too many recursions; circular includes in config file(s)?
+tooManyRedirects=Too many redirects; stopped after {0} redirects at ''{1}''
 topologicalSortRequired=Topological sort required.
 transactionAborted=transaction aborted
 transportExceptionBadRef=Empty ref: {0}: {1}
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
index 07666eb934..5acf058764 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
@@ -696,6 +696,7 @@ public class JGitText extends TranslationBundle {
 	/***/ public String timerAlreadyTerminated;
 	/***/ public String tooManyCommands;
 	/***/ public String tooManyIncludeRecursions;
+	/***/ public String tooManyRedirects;
 	/***/ public String topologicalSortRequired;
 	/***/ public String transportExceptionBadRef;
 	/***/ public String transportExceptionEmptyRef;
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
index 327dc39c7f..1647200e65 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
@@ -323,6 +323,13 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 		}
 	}
 
+	/**
+	 * The current URI we're talking to. The inherited (final) field
+	 * {@link #uri} stores the original URI; {@code currentUri} may be different
+	 * after redirects.
+	 */
+	private URIish currentUri;
+
 	private URL baseUrl;
 
 	private URL objectsUrl;
@@ -360,6 +367,7 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 	 */
 	protected void setURI(final URIish uri) throws NotSupportedException {
 		try {
+			currentUri = uri;
 			baseUrl = toURL(uri);
 			objectsUrl = new URL(baseUrl, "objects/"); //$NON-NLS-1$
 		} catch (MalformedURLException e) {
@@ -584,9 +592,10 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 						throw new TransportException(uri,
 								JGitText.get().noCredentialsProvider);
 					if (authAttempts > 1)
-						credentialsProvider.reset(uri);
+						credentialsProvider.reset(currentUri);
 					if (3 < authAttempts
-							|| !authMethod.authorize(uri, credentialsProvider)) {
+							|| !authMethod.authorize(currentUri,
+									credentialsProvider)) {
 						throw new TransportException(uri,
 								JGitText.get().notAuthorized);
 					}
@@ -1096,8 +1105,17 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 				buf = out;
 			}
 
+			HttpAuthMethod authenticator = null;
+			Collection<Type> ignoreTypes = EnumSet.noneOf(Type.class);
+			// Counts number of repeated authentication attempts using the same
+			// authentication scheme
+			int authAttempts = 1;
 			int redirects = 0;
 			for (;;) {
+				// The very first time we will try with the authentication
+				// method used on the initial GET request. This is a hint only;
+				// it may fail. If so, we'll then re-try with proper 401
+				// handling, going through the available authentication schemes.
 				openStream();
 				if (buf != out) {
 					conn.setRequestProperty(HDR_CONTENT_ENCODING, ENCODING_GZIP);
@@ -1107,31 +1125,111 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 					buf.writeTo(httpOut, null);
 				}
 
-				if (http.followRedirects == HttpRedirectMode.TRUE) {
-					final int status = HttpSupport.response(conn);
-					switch (status) {
-					case HttpConnection.HTTP_MOVED_PERM:
-					case HttpConnection.HTTP_MOVED_TEMP:
-					case HttpConnection.HTTP_11_MOVED_TEMP:
-						// SEE_OTHER after a POST doesn't make sense for a git
-						// server, so we don't handle it here and thus we'll
-						// report an error in openResponse() later on.
-						URIish newUri = redirect(
-								conn.getHeaderField(HDR_LOCATION),
-								'/' + serviceName, redirects++);
-						try {
-							baseUrl = toURL(newUri);
-						} catch (MalformedURLException e) {
-							throw new TransportException(MessageFormat.format(
-									JGitText.get().invalidRedirectLocation,
-									uri, baseUrl, newUri), e);
+				final int status = HttpSupport.response(conn);
+				switch (status) {
+				case HttpConnection.HTTP_OK:
+					// We're done.
+					return;
+
+				case HttpConnection.HTTP_NOT_FOUND:
+					throw new NoRemoteRepositoryException(uri, MessageFormat
+							.format(JGitText.get().uriNotFound, conn.getURL()));
+
+				case HttpConnection.HTTP_FORBIDDEN:
+					throw new TransportException(uri,
+							MessageFormat.format(
+									JGitText.get().serviceNotPermitted,
+									baseUrl, serviceName));
+
+				case HttpConnection.HTTP_MOVED_PERM:
+				case HttpConnection.HTTP_MOVED_TEMP:
+				case HttpConnection.HTTP_11_MOVED_TEMP:
+					// SEE_OTHER after a POST doesn't make sense for a git
+					// server, so we don't handle it here and thus we'll
+					// report an error in openResponse() later on.
+					if (http.followRedirects != HttpRedirectMode.TRUE) {
+						// Let openResponse() issue an error
+						return;
+					}
+					currentUri = redirect(
+							conn.getHeaderField(HDR_LOCATION),
+							'/' + serviceName, redirects++);
+					try {
+						baseUrl = toURL(currentUri);
+					} catch (MalformedURLException e) {
+						throw new TransportException(uri, MessageFormat.format(
+								JGitText.get().invalidRedirectLocation,
+								baseUrl, currentUri), e);
+					}
+					continue;
+
+				case HttpConnection.HTTP_UNAUTHORIZED:
+					HttpAuthMethod nextMethod = HttpAuthMethod
+							.scanResponse(conn, ignoreTypes);
+					switch (nextMethod.getType()) {
+					case NONE:
+						throw new TransportException(uri,
+								MessageFormat.format(
+										JGitText.get().authenticationNotSupported,
+										conn.getURL()));
+					case NEGOTIATE:
+						// RFC 4559 states "When using the SPNEGO [...] with
+						// [...] POST, the authentication should be complete
+						// [...] before sending the user data." So in theory
+						// the initial GET should have been authenticated
+						// already. (Unless there was a redirect?)
+						//
+						// We try this only once:
+						ignoreTypes.add(HttpAuthMethod.Type.NEGOTIATE);
+						if (authenticator != null) {
+							ignoreTypes.add(authenticator.getType());
 						}
-						continue;
+						authAttempts = 1;
+						// We only do the Kerberos part of SPNEGO, which
+						// requires only one attempt. We do *not* to the
+						// NTLM part of SPNEGO; it's a multi-round
+						// negotiation and among other problems it would
+						// be unclear when to stop if no HTTP_OK is
+						// forthcoming. In theory a malicious server
+						// could keep sending requests for another NTLM
+						// round, keeping a client stuck here.
+						break;
 					default:
+						// DIGEST or BASIC. Let's be sure we ignore NEGOTIATE;
+						// if it was available, we have tried it before.
+						ignoreTypes.add(HttpAuthMethod.Type.NEGOTIATE);
+						if (authenticator == null || authenticator
+								.getType() != nextMethod.getType()) {
+							if (authenticator != null) {
+								ignoreTypes.add(authenticator.getType());
+							}
+							authAttempts = 1;
+						}
 						break;
 					}
+					authMethod = nextMethod;
+					authenticator = nextMethod;
+					CredentialsProvider credentialsProvider = getCredentialsProvider();
+					if (credentialsProvider == null) {
+						throw new TransportException(uri,
+								JGitText.get().noCredentialsProvider);
+					}
+					if (authAttempts > 1) {
+						credentialsProvider.reset(currentUri);
+					}
+					if (3 < authAttempts || !authMethod.authorize(currentUri,
+							credentialsProvider)) {
+						throw new TransportException(uri,
+								JGitText.get().notAuthorized);
+					}
+					authAttempts++;
+					continue;
+
+				default:
+					// Just return here; openResponse() will report an appropriate
+					// error.
+					return;
 				}
-				break;
 			}
 		}