-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Expand file tree
/
Copy pathAuthenticatorUtils.java
More file actions
233 lines (207 loc) · 9.77 KB
/
AuthenticatorUtils.java
File metadata and controls
233 lines (207 loc) · 9.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
/*
* Copyright (c) 2010-2013 Sonatype, Inc. All rights reserved.
*
* This program is licensed to you under the Apache License Version 2.0,
* and you may not use this file except in compliance with the Apache License Version 2.0.
* You may obtain a copy of the Apache License Version 2.0 at http://www.apache.org/licenses/LICENSE-2.0.
*
* Unless required by applicable law or agreed to in writing, software distributed under the Apache License Version 2.0 is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Apache License Version 2.0 for the specific language governing permissions and limitations there under.
*/
package org.asynchttpclient.util;
import org.asynchttpclient.Realm;
import org.asynchttpclient.Request;
import org.asynchttpclient.ntlm.NtlmEngine;
import org.asynchttpclient.proxy.ProxyServer;
import org.asynchttpclient.spnego.SpnegoEngine;
import org.asynchttpclient.spnego.SpnegoEngineException;
import org.asynchttpclient.uri.Uri;
import org.jetbrains.annotations.Nullable;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import static io.netty.handler.codec.http.HttpHeaderNames.PROXY_AUTHORIZATION;
import static java.nio.charset.StandardCharsets.ISO_8859_1;
import static org.asynchttpclient.Dsl.realm;
import static org.asynchttpclient.util.MiscUtils.isNonEmpty;
public final class AuthenticatorUtils {
public static final String NEGOTIATE = "Negotiate";
private AuthenticatorUtils() {
// Prevent outside initialization
}
public static @Nullable String getHeaderWithPrefix(@Nullable List<String> authenticateHeaders, String prefix) {
if (authenticateHeaders != null) {
for (String authenticateHeader : authenticateHeaders) {
if (authenticateHeader.regionMatches(true, 0, prefix, 0, prefix.length())) {
return authenticateHeader;
}
}
}
return null;
}
private static @Nullable String computeBasicAuthentication(@Nullable Realm realm) {
return realm != null ? computeBasicAuthentication(realm.getPrincipal(), realm.getPassword(), realm.getCharset()) : null;
}
private static String computeBasicAuthentication(@Nullable String principal, @Nullable String password, Charset charset) {
String s = principal + ':' + password;
return "Basic " + Base64.getEncoder().encodeToString(s.getBytes(charset));
}
public static String computeRealmURI(Uri uri, boolean useAbsoluteURI, boolean omitQuery) {
if (useAbsoluteURI) {
return omitQuery && isNonEmpty(uri.getQuery()) ? uri.withNewQuery(null).toUrl() : uri.toUrl();
} else {
String path = uri.getNonEmptyPath();
return omitQuery || !isNonEmpty(uri.getQuery()) ? path : path + '?' + uri.getQuery();
}
}
private static String computeDigestAuthentication(Realm realm, Uri uri) {
String realmUri = computeRealmURI(uri, realm.isUseAbsoluteURI(), realm.isOmitQuery());
StringBuilder builder = new StringBuilder().append("Digest ");
append(builder, "username", realm.getPrincipal(), true);
append(builder, "realm", realm.getRealmName(), true);
append(builder, "nonce", realm.getNonce(), true);
append(builder, "uri", realmUri, true);
if (isNonEmpty(realm.getAlgorithm())) {
append(builder, "algorithm", realm.getAlgorithm(), false);
}
append(builder, "response", realm.getResponse(), true);
if (realm.getOpaque() != null) {
append(builder, "opaque", realm.getOpaque(), true);
}
if (realm.getQop() != null) {
append(builder, "qop", realm.getQop(), false);
append(builder, "nc", realm.getNc(), false);
append(builder, "cnonce", realm.getCnonce(), true);
}
// RFC7616: userhash parameter (optional, not implemented yet)
builder.setLength(builder.length() - 2); // remove tailing ", "
return new String(StringUtils.charSequence2Bytes(builder, ISO_8859_1), StandardCharsets.UTF_8);
}
private static void append(StringBuilder builder, String name, @Nullable String value, boolean quoted) {
builder.append(name).append('=');
if (quoted) {
builder.append('"').append(value).append('"');
} else {
builder.append(value);
}
builder.append(", ");
}
public static @Nullable String perConnectionProxyAuthorizationHeader(Request request, @Nullable Realm proxyRealm) {
String proxyAuthorization = null;
if (proxyRealm != null && proxyRealm.isUsePreemptiveAuth()) {
switch (proxyRealm.getScheme()) {
case NTLM:
case KERBEROS:
case SPNEGO:
List<String> auth = request.getHeaders().getAll(PROXY_AUTHORIZATION);
if (getHeaderWithPrefix(auth, "NTLM") == null) {
String msg = NtlmEngine.INSTANCE.generateType1Msg();
proxyAuthorization = "NTLM " + msg;
}
break;
default:
}
}
return proxyAuthorization;
}
public static @Nullable String perRequestProxyAuthorizationHeader(Request request, @Nullable Realm proxyRealm) {
String proxyAuthorization = null;
if (proxyRealm != null && proxyRealm.isUsePreemptiveAuth()) {
switch (proxyRealm.getScheme()) {
case BASIC:
proxyAuthorization = computeBasicAuthentication(proxyRealm);
break;
case DIGEST:
if (isNonEmpty(proxyRealm.getNonce())) {
// update realm with request information
final Uri uri = request.getUri();
proxyRealm = realm(proxyRealm)
.setUri(uri)
.setMethodName(request.getMethod())
.build();
proxyAuthorization = computeDigestAuthentication(proxyRealm, uri);
}
break;
case NTLM:
case KERBEROS:
case SPNEGO:
// NTLM, KERBEROS and SPNEGO are only set on the first request with a connection,
// see perConnectionProxyAuthorizationHeader
break;
default:
throw new IllegalStateException("Invalid Authentication scheme " + proxyRealm.getScheme());
}
}
return proxyAuthorization;
}
public static @Nullable String perConnectionAuthorizationHeader(Request request, @Nullable ProxyServer proxyServer,
@Nullable Realm realm) {
String authorizationHeader = null;
if (realm != null && realm.isUsePreemptiveAuth()) {
switch (realm.getScheme()) {
case NTLM:
String msg = NtlmEngine.INSTANCE.generateType1Msg();
authorizationHeader = "NTLM " + msg;
break;
case KERBEROS:
case SPNEGO:
String host;
if (proxyServer != null) {
host = proxyServer.getHost();
} else if (request.getVirtualHost() != null) {
host = request.getVirtualHost();
} else {
host = request.getUri().getHost();
}
try {
authorizationHeader = NEGOTIATE + ' ' + SpnegoEngine.instance(
realm.getPrincipal(),
realm.getPassword(),
realm.getServicePrincipalName(),
realm.getRealmName(),
realm.isUseCanonicalHostname(),
realm.getCustomLoginConfig(),
realm.getLoginContextName()).generateToken(host);
} catch (SpnegoEngineException e) {
throw new RuntimeException(e);
}
break;
default:
break;
}
}
return authorizationHeader;
}
public static @Nullable String perRequestAuthorizationHeader(Request request, @Nullable Realm realm) {
String authorizationHeader = null;
if (realm != null && realm.isUsePreemptiveAuth()) {
switch (realm.getScheme()) {
case BASIC:
authorizationHeader = computeBasicAuthentication(realm);
break;
case DIGEST:
if (isNonEmpty(realm.getNonce())) {
// update realm with request information
final Uri uri = request.getUri();
realm = realm(realm)
.setUri(uri)
.setMethodName(request.getMethod())
.build();
authorizationHeader = computeDigestAuthentication(realm, uri);
}
break;
case NTLM:
case KERBEROS:
case SPNEGO:
// NTLM, KERBEROS and SPNEGO are only set on the first request with a connection,
// see perConnectionAuthorizationHeader
break;
default:
throw new IllegalStateException("Invalid Authentication " + realm);
}
}
return authorizationHeader;
}
}