Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement experimental NTLM proxy auth support #1926

Draft
wants to merge 3 commits into
base: develop
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions changelog/@unreleased/pr-1926.v2.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
type: improvement
improvement:
description: Implement experimental NTLM proxy auth support
links:
- https://github.com/palantir/dialogue/pull/1926
Original file line number Diff line number Diff line change
Expand Up @@ -69,11 +69,12 @@
import org.apache.hc.client5.http.auth.ChallengeType;
import org.apache.hc.client5.http.auth.Credentials;
import org.apache.hc.client5.http.auth.CredentialsProvider;
import org.apache.hc.client5.http.auth.NTCredentials;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.DefaultAuthenticationStrategy;
import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
import org.apache.hc.client5.http.impl.auth.NTLMSchemeFactory;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.client5.http.impl.classic.HttpClients;
Expand Down Expand Up @@ -567,6 +568,7 @@ public Socket createSocket(HttpContext _context) {
.setProxyAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
.setDefaultAuthSchemeRegistry(RegistryBuilder.<AuthSchemeFactory>create()
.register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
.register(StandardAuthScheme.NTLM, NTLMSchemeFactory.INSTANCE)
.build()));

CloseableHttpClient apacheClient = builder.build();
Expand Down Expand Up @@ -715,8 +717,8 @@ private static final class SingleCredentialsProvider implements CredentialsProvi
private final Credentials credentials;

SingleCredentialsProvider(BasicCredentials basicCredentials) {
credentials = new UsernamePasswordCredentials(
basicCredentials.username(), basicCredentials.password().toCharArray());
credentials = new NTCredentials(
basicCredentials.username(), basicCredentials.password().toCharArray(), null, null);
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ public void testDirectVersusProxyReadTimeout() throws Exception {
}

@Test
public void testAuthenticatedProxy() throws Exception {
public void testBasicAuthenticatedProxy() throws Exception {
AtomicInteger requestIndex = new AtomicInteger();
proxyHandler = exchange -> {
HeaderMap requestHeaders = exchange.getRequestHeaders();
Expand Down Expand Up @@ -192,6 +192,49 @@ public void testAuthenticatedProxy() throws Exception {
}
}

@Test
public void testNtlmAuthenticatedProxy() throws Exception {
// Partial test which primarily validates that we've enabled httpclient ntlm support. This does not
// test the full challenge flow.
AtomicInteger requestIndex = new AtomicInteger();
proxyHandler = exchange -> {
HeaderMap requestHeaders = exchange.getRequestHeaders();
HeaderMap responseHeaders = exchange.getResponseHeaders();

switch (requestIndex.getAndIncrement()) {
case 0:
responseHeaders.putAll(Headers.PROXY_AUTHENTICATE, ImmutableList.of("Negotiate", "NTLM"));
exchange.setStatusCode(407); // indicates authenticated proxy
return;
case 1:
assertThat(requestHeaders.get(Headers.PROXY_AUTHORIZATION))
.containsExactly("NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==");
new ConnectHandler(ResponseCodeHandler.HANDLE_500).handleRequest(exchange);
return;
}
throw new IllegalStateException("Expected exactly two requests");
};
serverHandler = new BlockingHandler(exchange -> {
String requestBody = new String(ByteStreams.toByteArray(exchange.getInputStream()), StandardCharsets.UTF_8);
assertThat(requestBody).isEqualTo(REQUEST_BODY);
exchange.getResponseSender().send("proxyServer");
});

ClientConfiguration proxiedConfig = ClientConfiguration.builder()
.from(TestConfigurations.create("https://localhost:" + serverPort))
.maxNumRetries(0)
.proxy(createProxySelector("localhost", proxyPort))
.proxyCredentials(BasicCredentials.of("[email protected]", "fake:Password"))
.build();
Channel proxiedChannel = create(proxiedConfig);

try (Response response =
proxiedChannel.execute(TestEndpoint.POST, request).get()) {
assertThat(response.code()).isEqualTo(200);
assertThat(response.body()).hasContent("proxyServer");
}
}

private static ProxySelector createProxySelector(String host, int port) {
return new ProxySelector() {
@Override
Expand Down