Implement experimental NTLM proxy auth support

changelog/@unreleased/pr-1926.v2.yml

@@ -0,0 +1,5 @@
+type: improvement
+improvement:
+  description: Implement experimental NTLM proxy auth support
+  links:
+  - https://github.com/palantir/dialogue/pull/1926

dialogue-apache-hc5-client/src/main/java/com/palantir/dialogue/hc5/ApacheHttpClientChannels.java

@@ -69,11 +69,12 @@
 import org.apache.hc.client5.http.auth.ChallengeType;
 import org.apache.hc.client5.http.auth.Credentials;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
+import org.apache.hc.client5.http.auth.NTCredentials;
 import org.apache.hc.client5.http.auth.StandardAuthScheme;
-import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
 import org.apache.hc.client5.http.config.RequestConfig;
 import org.apache.hc.client5.http.impl.DefaultAuthenticationStrategy;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
+import org.apache.hc.client5.http.impl.auth.NTLMSchemeFactory;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
@@ -567,6 +568,7 @@ public Socket createSocket(HttpContext _context) {
                     .setProxyAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
                     .setDefaultAuthSchemeRegistry(RegistryBuilder.<AuthSchemeFactory>create()
                             .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
+                            .register(StandardAuthScheme.NTLM, NTLMSchemeFactory.INSTANCE)
                             .build()));
 
             CloseableHttpClient apacheClient = builder.build();
@@ -715,8 +717,8 @@ private static final class SingleCredentialsProvider implements CredentialsProvi
         private final Credentials credentials;
 
         SingleCredentialsProvider(BasicCredentials basicCredentials) {
-            credentials = new UsernamePasswordCredentials(
-                    basicCredentials.username(), basicCredentials.password().toCharArray());
+            credentials = new NTCredentials(
+                    basicCredentials.username(), basicCredentials.password().toCharArray(), null, null);
         }
 
         @Override

dialogue-test-common/src/main/java/com/palantir/dialogue/AbstractProxyConfigTlsTest.java

@@ -149,7 +149,7 @@ public void testDirectVersusProxyReadTimeout() throws Exception {
     }
 
     @Test
-    public void testAuthenticatedProxy() throws Exception {
+    public void testBasicAuthenticatedProxy() throws Exception {
         AtomicInteger requestIndex = new AtomicInteger();
         proxyHandler = exchange -> {
             HeaderMap requestHeaders = exchange.getRequestHeaders();
@@ -192,6 +192,49 @@ public void testAuthenticatedProxy() throws Exception {
         }
     }
 
+    @Test
+    public void testNtlmAuthenticatedProxy() throws Exception {
+        // Partial test which primarily validates that we've enabled httpclient ntlm support. This does not
+        // test the full challenge flow.
+        AtomicInteger requestIndex = new AtomicInteger();
+        proxyHandler = exchange -> {
+            HeaderMap requestHeaders = exchange.getRequestHeaders();
+            HeaderMap responseHeaders = exchange.getResponseHeaders();
+
+            switch (requestIndex.getAndIncrement()) {
+                case 0:
+                    responseHeaders.putAll(Headers.PROXY_AUTHENTICATE, ImmutableList.of("Negotiate", "NTLM"));
+                    exchange.setStatusCode(407); // indicates authenticated proxy
+                    return;
+                case 1:
+                    assertThat(requestHeaders.get(Headers.PROXY_AUTHORIZATION))
+                            .containsExactly("NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==");
+                    new ConnectHandler(ResponseCodeHandler.HANDLE_500).handleRequest(exchange);
+                    return;
+            }
+            throw new IllegalStateException("Expected exactly two requests");
+        };
+        serverHandler = new BlockingHandler(exchange -> {
+            String requestBody = new String(ByteStreams.toByteArray(exchange.getInputStream()), StandardCharsets.UTF_8);
+            assertThat(requestBody).isEqualTo(REQUEST_BODY);
+            exchange.getResponseSender().send("proxyServer");
+        });
+
+        ClientConfiguration proxiedConfig = ClientConfiguration.builder()
+                .from(TestConfigurations.create("https://localhost:" + serverPort))
+                .maxNumRetries(0)
+                .proxy(createProxySelector("localhost", proxyPort))
+                .proxyCredentials(BasicCredentials.of("[email protected]", "fake:Password"))
+                .build();
+        Channel proxiedChannel = create(proxiedConfig);
+
+        try (Response response =
+                proxiedChannel.execute(TestEndpoint.POST, request).get()) {
+            assertThat(response.code()).isEqualTo(200);
+            assertThat(response.body()).hasContent("proxyServer");
+        }
+    }
+
     private static ProxySelector createProxySelector(String host, int port) {
         return new ProxySelector() {
             @Override