mirrors
/
jgit
espelhamento de https://github.com/eclipse/jgit.git
Observar 1
Favorito 0
Fork 0
Código Issues 0 Versões 204 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
6501 Commits
49 Branches
Tag: 6c14d273fa
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 6c14d273fa
${ noResults }
jgit/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/proxy/HttpClientConnector.java

HttpClientConnector.java 12KB
Original Anotar Histórico

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403 
  1. /*

  2.  * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch>

  3.  * and other copyright owners as documented in the project's IP log.

  4.  *

  5.  * This program and the accompanying materials are made available

  6.  * under the terms of the Eclipse Distribution License v1.0 which

  7.  * accompanies this distribution, is reproduced below, and is

  8.  * available at http://www.eclipse.org/org/documents/edl-v10.php

  9.  *

  10.  * All rights reserved.

  11.  *

  12.  * Redistribution and use in source and binary forms, with or

  13.  * without modification, are permitted provided that the following

  14.  * conditions are met:

  15.  *

  16.  * - Redistributions of source code must retain the above copyright

  17.  *   notice, this list of conditions and the following disclaimer.

  18.  *

  19.  * - Redistributions in binary form must reproduce the above

  20.  *   copyright notice, this list of conditions and the following

  21.  *   disclaimer in the documentation and/or other materials provided

  22.  *   with the distribution.

  23.  *

  24.  * - Neither the name of the Eclipse Foundation, Inc. nor the

  25.  *   names of its contributors may be used to endorse or promote

  26.  *   products derived from this software without specific prior

  27.  *   written permission.

  28.  *

  29.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND

  30.  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,

  31.  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

  32.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  33.  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR

  34.  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  35.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  36.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  37.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

  38.  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  39.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  40.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF

  41.  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  42.  */

  43. package org.eclipse.jgit.internal.transport.sshd.proxy;

  44. 

  45. import static java.text.MessageFormat.format;

  46. 

  47. import java.io.IOException;

  48. import java.net.HttpURLConnection;

  49. import java.net.InetSocketAddress;

  50. import java.nio.charset.StandardCharsets;

  51. import java.util.ArrayList;

  52. import java.util.Arrays;

  53. import java.util.Iterator;

  54. import java.util.List;

  55. 

  56. import org.apache.sshd.client.session.ClientSession;

  57. import org.apache.sshd.common.io.IoSession;

  58. import org.apache.sshd.common.util.Readable;

  59. import org.apache.sshd.common.util.buffer.Buffer;

  60. import org.apache.sshd.common.util.buffer.ByteArrayBuffer;

  61. import org.eclipse.jgit.annotations.NonNull;

  62. import org.eclipse.jgit.internal.transport.sshd.GssApiMechanisms;

  63. import org.eclipse.jgit.internal.transport.sshd.SshdText;

  64. import org.eclipse.jgit.internal.transport.sshd.auth.AuthenticationHandler;

  65. import org.eclipse.jgit.internal.transport.sshd.auth.BasicAuthentication;

  66. import org.eclipse.jgit.internal.transport.sshd.auth.GssApiAuthentication;

  67. import org.eclipse.jgit.util.Base64;

  68. import org.ietf.jgss.GSSContext;

  69. 

  70. /**

  71.  * Simple HTTP proxy connector using Basic Authentication.

  72.  */

  73. public class HttpClientConnector extends AbstractClientProxyConnector {

  74. 

  75. 	private static final String HTTP_HEADER_PROXY_AUTHENTICATION = "Proxy-Authentication:"; //$NON-NLS-1$

  76. 

  77. 	private static final String HTTP_HEADER_PROXY_AUTHORIZATION = "Proxy-Authorization:"; //$NON-NLS-1$

  78. 

  79. 	private HttpAuthenticationHandler basic;

  80. 

  81. 	private HttpAuthenticationHandler negotiate;

  82. 

  83. 	private List<HttpAuthenticationHandler> availableAuthentications;

  84. 

  85. 	private Iterator<HttpAuthenticationHandler> clientAuthentications;

  86. 

  87. 	private HttpAuthenticationHandler authenticator;

  88. 

  89. 	private boolean ongoing;

  90. 

  91. 	/**

  92. 	 * Creates a new {@link HttpClientConnector}. The connector supports

  93. 	 * anonymous proxy connections as well as Basic and Negotiate

  94. 	 * authentication.

  95. 	 *

  96. 	 * @param proxyAddress

  97. 	 *            of the proxy server we're connecting to

  98. 	 * @param remoteAddress

  99. 	 *            of the target server to connect to

  100. 	 */

  101. 	public HttpClientConnector(@NonNull InetSocketAddress proxyAddress,

  102. 			@NonNull InetSocketAddress remoteAddress) {

  103. 		this(proxyAddress, remoteAddress, null, null);

  104. 	}

  105. 

  106. 	/**

  107. 	 * Creates a new {@link HttpClientConnector}. The connector supports

  108. 	 * anonymous proxy connections as well as Basic and Negotiate

  109. 	 * authentication. If a user name and password are given, the connector

  110. 	 * tries pre-emptive Basic authentication.

  111. 	 *

  112. 	 * @param proxyAddress

  113. 	 *            of the proxy server we're connecting to

  114. 	 * @param remoteAddress

  115. 	 *            of the target server to connect to

  116. 	 * @param proxyUser

  117. 	 *            to authenticate at the proxy with

  118. 	 * @param proxyPassword

  119. 	 *            to authenticate at the proxy with

  120. 	 */

  121. 	public HttpClientConnector(@NonNull InetSocketAddress proxyAddress,

  122. 			@NonNull InetSocketAddress remoteAddress, String proxyUser,

  123. 			char[] proxyPassword) {

  124. 		super(proxyAddress, remoteAddress, proxyUser, proxyPassword);

  125. 		basic = new HttpBasicAuthentication();

  126. 		negotiate = new NegotiateAuthentication();

  127. 		availableAuthentications = new ArrayList<>(2);

  128. 		availableAuthentications.add(negotiate);

  129. 		availableAuthentications.add(basic);

  130. 		clientAuthentications = availableAuthentications.iterator();

  131. 	}

  132. 

  133. 	private void close() {

  134. 		HttpAuthenticationHandler current = authenticator;

  135. 		authenticator = null;

  136. 		if (current != null) {

  137. 			current.close();

  138. 		}

  139. 	}

  140. 

  141. 	@Override

  142. 	public void sendClientProxyMetadata(ClientSession sshSession)

  143. 			throws Exception {

  144. 		init(sshSession);

  145. 		IoSession session = sshSession.getIoSession();

  146. 		session.addCloseFutureListener(f -> close());

  147. 		StringBuilder msg = connect();

  148. 		if (proxyUser != null && !proxyUser.isEmpty()

  149. 				|| proxyPassword != null && proxyPassword.length > 0) {

  150. 			authenticator = basic;

  151. 			basic.setParams(null);

  152. 			basic.start();

  153. 			msg = authenticate(msg, basic.getToken());

  154. 			clearPassword();

  155. 			proxyUser = null;

  156. 		}

  157. 		ongoing = true;

  158. 		try {

  159. 			send(msg, session);

  160. 		} catch (Exception e) {

  161. 			ongoing = false;

  162. 			throw e;

  163. 		}

  164. 	}

  165. 

  166. 	private void send(StringBuilder msg, IoSession session) throws Exception {

  167. 		byte[] data = eol(msg).toString().getBytes(StandardCharsets.US_ASCII);

  168. 		Buffer buffer = new ByteArrayBuffer(data.length, false);

  169. 		buffer.putRawBytes(data);

  170. 		session.writePacket(buffer).verify(getTimeout());

  171. 	}

  172. 

  173. 	private StringBuilder connect() {

  174. 		StringBuilder msg = new StringBuilder();

  175. 		// Persistent connections are the default in HTTP 1.1 (see RFC 2616),

  176. 		// but let's be explicit.

  177. 		return msg.append(format(

  178. 				"CONNECT {0}:{1} HTTP/1.1\r\nProxy-Connection: keep-alive\r\nConnection: keep-alive\r\nHost: {0}:{1}\r\n", //$NON-NLS-1$

  179. 				remoteAddress.getHostString(),

  180. 				Integer.toString(remoteAddress.getPort())));

  181. 	}

  182. 

  183. 	private StringBuilder authenticate(StringBuilder msg, String token) {

  184. 		msg.append(HTTP_HEADER_PROXY_AUTHORIZATION).append(' ').append(token);

  185. 		return eol(msg);

  186. 	}

  187. 

  188. 	private StringBuilder eol(StringBuilder msg) {

  189. 		return msg.append('\r').append('\n');

  190. 	}

  191. 

  192. 	@Override

  193. 	public void messageReceived(IoSession session, Readable buffer)

  194. 			throws Exception {

  195. 		try {

  196. 			int length = buffer.available();

  197. 			byte[] data = new byte[length];

  198. 			buffer.getRawBytes(data, 0, length);

  199. 			String[] reply = new String(data, StandardCharsets.US_ASCII)

  200. 					.split("\r\n"); //$NON-NLS-1$

  201. 			handleMessage(session, Arrays.asList(reply));

  202. 		} catch (Exception e) {

  203. 			if (authenticator != null) {

  204. 				authenticator.close();

  205. 				authenticator = null;

  206. 			}

  207. 			ongoing = false;

  208. 			try {

  209. 				setDone(false);

  210. 			} catch (Exception inner) {

  211. 				e.addSuppressed(inner);

  212. 			}

  213. 			throw e;

  214. 		}

  215. 	}

  216. 

  217. 	private void handleMessage(IoSession session, List<String> reply)

  218. 			throws Exception {

  219. 		if (reply.isEmpty() || reply.get(0).isEmpty()) {

  220. 			throw new IOException(

  221. 					format(SshdText.get().proxyHttpUnexpectedReply,

  222. 							proxyAddress, "<empty>")); //$NON-NLS-1$

  223. 		}

  224. 		try {

  225. 			StatusLine status = HttpParser.parseStatusLine(reply.get(0));

  226. 			if (!ongoing) {

  227. 				throw new IOException(format(

  228. 						SshdText.get().proxyHttpUnexpectedReply, proxyAddress,

  229. 						Integer.toString(status.getResultCode()),

  230. 						status.getReason()));

  231. 			}

  232. 			switch (status.getResultCode()) {

  233. 			case HttpURLConnection.HTTP_OK:

  234. 				if (authenticator != null) {

  235. 					authenticator.close();

  236. 				}

  237. 				authenticator = null;

  238. 				ongoing = false;

  239. 				setDone(true);

  240. 				break;

  241. 			case HttpURLConnection.HTTP_PROXY_AUTH:

  242. 				List<AuthenticationChallenge> challenges = HttpParser

  243. 						.getAuthenticationHeaders(reply,

  244. 								HTTP_HEADER_PROXY_AUTHENTICATION);

  245. 				authenticator = selectProtocol(challenges, authenticator);

  246. 				if (authenticator == null) {

  247. 					throw new IOException(

  248. 							format(SshdText.get().proxyCannotAuthenticate,

  249. 									proxyAddress));

  250. 				}

  251. 				String token = authenticator.getToken();

  252. 				if (token == null) {

  253. 					throw new IOException(

  254. 							format(SshdText.get().proxyCannotAuthenticate,

  255. 									proxyAddress));

  256. 				}

  257. 				send(authenticate(connect(), token), session);

  258. 				break;

  259. 			default:

  260. 				throw new IOException(format(SshdText.get().proxyHttpFailure,

  261. 						proxyAddress, Integer.toString(status.getResultCode()),

  262. 						status.getReason()));

  263. 			}

  264. 		} catch (HttpParser.ParseException e) {

  265. 			throw new IOException(

  266. 					format(SshdText.get().proxyHttpUnexpectedReply,

  267. 					proxyAddress, reply.get(0)));

  268. 		}

  269. 	}

  270. 

  271. 	private HttpAuthenticationHandler selectProtocol(

  272. 			List<AuthenticationChallenge> challenges,

  273. 			HttpAuthenticationHandler current) throws Exception {

  274. 		if (current != null && !current.isDone()) {

  275. 			AuthenticationChallenge challenge = getByName(challenges,

  276. 					current.getName());

  277. 			if (challenge != null) {

  278. 				current.setParams(challenge);

  279. 				current.process();

  280. 				return current;

  281. 			}

  282. 		}

  283. 		if (current != null) {

  284. 			current.close();

  285. 		}

  286. 		while (clientAuthentications.hasNext()) {

  287. 			HttpAuthenticationHandler next = clientAuthentications.next();

  288. 			if (!next.isDone()) {

  289. 				AuthenticationChallenge challenge = getByName(challenges,

  290. 						next.getName());

  291. 				if (challenge != null) {

  292. 					next.setParams(challenge);

  293. 					next.start();

  294. 					return next;

  295. 				}

  296. 			}

  297. 		}

  298. 		return null;

  299. 	}

  300. 

  301. 	private AuthenticationChallenge getByName(

  302. 			List<AuthenticationChallenge> challenges,

  303. 			String name) {

  304. 		return challenges.stream()

  305. 				.filter(c -> c.getMechanism().equalsIgnoreCase(name))

  306. 				.findFirst().orElse(null);

  307. 	}

  308. 

  309. 	private interface HttpAuthenticationHandler

  310. 			extends AuthenticationHandler<AuthenticationChallenge, String> {

  311. 

  312. 		public String getName();

  313. 	}

  314. 

  315. 	/**

  316. 	 * @see <a href="https://tools.ietf.org/html/rfc7617">RFC 7617</a>

  317. 	 */

  318. 	private class HttpBasicAuthentication

  319. 			extends BasicAuthentication<AuthenticationChallenge, String>

  320. 			implements HttpAuthenticationHandler {

  321. 

  322. 		private boolean asked;

  323. 

  324. 		public HttpBasicAuthentication() {

  325. 			super(proxyAddress, proxyUser, proxyPassword);

  326. 		}

  327. 

  328. 		@Override

  329. 		public String getName() {

  330. 			return "Basic"; //$NON-NLS-1$

  331. 		}

  332. 

  333. 		@Override

  334. 		protected void askCredentials() {

  335. 			// We ask only once.

  336. 			if (asked) {

  337. 				throw new IllegalStateException(

  338. 						"Basic auth: already asked user for password"); //$NON-NLS-1$

  339. 			}

  340. 			asked = true;

  341. 			super.askCredentials();

  342. 			done = true;

  343. 		}

  344. 

  345. 		@Override

  346. 		public String getToken() throws Exception {

  347. 			if (user.indexOf(':') >= 0) {

  348. 				throw new IOException(format(

  349. 						SshdText.get().proxyHttpInvalidUserName, proxy, user));

  350. 			}

  351. 			byte[] rawUser = user.getBytes(StandardCharsets.UTF_8);

  352. 			byte[] toEncode = new byte[rawUser.length + 1 + password.length];

  353. 			System.arraycopy(rawUser, 0, toEncode, 0, rawUser.length);

  354. 			toEncode[rawUser.length] = ':';

  355. 			System.arraycopy(password, 0, toEncode, rawUser.length + 1,

  356. 					password.length);

  357. 			Arrays.fill(password, (byte) 0);

  358. 			String result = Base64.encodeBytes(toEncode);

  359. 			Arrays.fill(toEncode, (byte) 0);

  360. 			return getName() + ' ' + result;

  361. 		}

  362. 

  363. 	}

  364. 

  365. 	/**

  366. 	 * @see <a href="https://tools.ietf.org/html/rfc4559">RFC 4559</a>

  367. 	 */

  368. 	private class NegotiateAuthentication

  369. 			extends GssApiAuthentication<AuthenticationChallenge, String>

  370. 			implements HttpAuthenticationHandler {

  371. 

  372. 		public NegotiateAuthentication() {

  373. 			super(proxyAddress);

  374. 		}

  375. 

  376. 		@Override

  377. 		public String getName() {

  378. 			return "Negotiate"; //$NON-NLS-1$

  379. 		}

  380. 

  381. 		@Override

  382. 		public String getToken() throws Exception {

  383. 			return getName() + ' ' + Base64.encodeBytes(token);

  384. 		}

  385. 

  386. 		@Override

  387. 		protected GSSContext createContext() throws Exception {

  388. 			return GssApiMechanisms.createContext(GssApiMechanisms.SPNEGO,

  389. 					GssApiMechanisms.getCanonicalName(proxyAddress));

  390. 		}

  391. 

  392. 		@Override

  393. 		protected byte[] extractToken(AuthenticationChallenge input)

  394. 				throws Exception {

  395. 			String received = input.getToken();

  396. 			if (received == null) {

  397. 				return new byte[0];

  398. 			}

  399. 			return Base64.decode(received);

  400. 		}

  401. 

  402. 	}

  403. }