Java tutorial
/* * Copyright (C) 2010, 2013, Google Inc. * and other copyright owners as documented in the project's IP log. * * This program and the accompanying materials are made available * under the terms of the Eclipse Distribution License v1.0 which * accompanies this distribution, is reproduced below, and is * available at http://www.eclipse.org/org/documents/edl-v10.php * * All rights reserved. * * Redistribution and use in source and binary forms, with or * without modification, are permitted provided that the following * conditions are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * - Neither the name of the Eclipse Foundation, Inc. nor the * names of its contributors may be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ package org.eclipse.jgit.transport; import static java.nio.charset.StandardCharsets.UTF_8; import static org.eclipse.jgit.util.HttpSupport.HDR_AUTHORIZATION; import static org.eclipse.jgit.util.HttpSupport.HDR_WWW_AUTHENTICATE; import java.io.IOException; import java.net.URL; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.LinkedHashMap; import java.util.List; import java.util.Locale; import java.util.Map; import java.util.Map.Entry; import org.eclipse.jgit.transport.http.HttpConnection; import org.eclipse.jgit.util.Base64; import org.eclipse.jgit.util.GSSManagerFactory; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; import org.ietf.jgss.Oid; /** * Support class to populate user authentication data on a connection. * <p> * Instances of an HttpAuthMethod are not thread-safe, as some implementations * may need to maintain per-connection state information. */ abstract class HttpAuthMethod { /** * Enum listing the http authentication method types supported by jgit. They * are sorted by priority order!!! */ public enum Type { NONE { @Override public HttpAuthMethod method(String hdr) { return None.INSTANCE; } @Override public String getSchemeName() { return "None"; //$NON-NLS-1$ } }, BASIC { @Override public HttpAuthMethod method(String hdr) { return new Basic(); } @Override public String getSchemeName() { return "Basic"; //$NON-NLS-1$ } }, DIGEST { @Override public HttpAuthMethod method(String hdr) { return new Digest(hdr); } @Override public String getSchemeName() { return "Digest"; //$NON-NLS-1$ } }, NEGOTIATE { @Override public HttpAuthMethod method(String hdr) { return new Negotiate(hdr); } @Override public String getSchemeName() { return "Negotiate"; //$NON-NLS-1$ } }; /** * Creates a HttpAuthMethod instance configured with the provided HTTP * WWW-Authenticate header. * * @param hdr the http header * @return a configured HttpAuthMethod instance */ public abstract HttpAuthMethod method(String hdr); /** * @return the name of the authentication scheme in the form to be used * in HTTP authentication headers as specified in RFC2617 and * RFC4559 */ public abstract String getSchemeName(); } static final String EMPTY_STRING = ""; //$NON-NLS-1$ static final String SCHEMA_NAME_SEPARATOR = " "; //$NON-NLS-1$ /** * Handle an authentication failure and possibly return a new response. * * @param conn * the connection that failed. * @param ignoreTypes * authentication types to be ignored. * @return new authentication method to try. */ static HttpAuthMethod scanResponse(final HttpConnection conn, Collection<Type> ignoreTypes) { final Map<String, List<String>> headers = conn.getHeaderFields(); HttpAuthMethod authentication = Type.NONE.method(EMPTY_STRING); for (Entry<String, List<String>> entry : headers.entrySet()) { if (HDR_WWW_AUTHENTICATE.equalsIgnoreCase(entry.getKey())) { if (entry.getValue() != null) { for (String value : entry.getValue()) { if (value != null && value.length() != 0) { final String[] valuePart = value.split(SCHEMA_NAME_SEPARATOR, 2); try { Type methodType = Type.valueOf(valuePart[0].toUpperCase(Locale.ROOT)); if ((ignoreTypes != null) && (ignoreTypes.contains(methodType))) { continue; } if (authentication.getType().compareTo(methodType) >= 0) { continue; } final String param; if (valuePart.length == 1) param = EMPTY_STRING; else param = valuePart[1]; authentication = methodType.method(param); } catch (IllegalArgumentException e) { // This auth method is not supported } } } } break; } } return authentication; } protected final Type type; /** * Constructor for HttpAuthMethod. * * @param type * authentication method type */ protected HttpAuthMethod(Type type) { this.type = type; } /** * Update this method with the credentials from the URIish. * * @param uri * the URI used to create the connection. * @param credentialsProvider * the credentials provider, or null. If provided, * {@link URIish#getPass() credentials in the URI} are ignored. * * @return true if the authentication method is able to provide * authorization for the given URI */ boolean authorize(URIish uri, CredentialsProvider credentialsProvider) { String username; String password; if (credentialsProvider != null) { CredentialItem.Username u = new CredentialItem.Username(); CredentialItem.Password p = new CredentialItem.Password(); if (credentialsProvider.supports(u, p) && credentialsProvider.get(uri, u, p)) { username = u.getValue(); char[] v = p.getValue(); password = (v == null) ? null : new String(p.getValue()); p.clear(); } else return false; } else { username = uri.getUser(); password = uri.getPass(); } if (username != null) { authorize(username, password); return true; } return false; } /** * Update this method with the given username and password pair. * * @param user * @param pass */ abstract void authorize(String user, String pass); /** * Update connection properties based on this authentication method. * * @param conn * @throws IOException */ abstract void configureRequest(HttpConnection conn) throws IOException; /** * Gives the method type associated to this http auth method * * @return the method type */ public Type getType() { return type; } /** Performs no user authentication. */ private static class None extends HttpAuthMethod { static final None INSTANCE = new None(); public None() { super(Type.NONE); } @Override void authorize(String user, String pass) { // Do nothing when no authentication is enabled. } @Override void configureRequest(HttpConnection conn) throws IOException { // Do nothing when no authentication is enabled. } } /** Performs HTTP basic authentication (plaintext username/password). */ private static class Basic extends HttpAuthMethod { private String user; private String pass; public Basic() { super(Type.BASIC); } @Override void authorize(String username, String password) { this.user = username; this.pass = password; } @Override void configureRequest(HttpConnection conn) throws IOException { String ident = user + ":" + pass; //$NON-NLS-1$ String enc = Base64.encodeBytes(ident.getBytes(UTF_8)); conn.setRequestProperty(HDR_AUTHORIZATION, type.getSchemeName() + " " + enc); //$NON-NLS-1$ } } /** Performs HTTP digest authentication. */ private static class Digest extends HttpAuthMethod { private static final SecureRandom PRNG = new SecureRandom(); private final Map<String, String> params; private int requestCount; private String user; private String pass; Digest(String hdr) { super(Type.DIGEST); params = parse(hdr); final String qop = params.get("qop"); //$NON-NLS-1$ if ("auth".equals(qop)) { //$NON-NLS-1$ final byte[] bin = new byte[8]; PRNG.nextBytes(bin); params.put("cnonce", Base64.encodeBytes(bin)); //$NON-NLS-1$ } } @Override void authorize(String username, String password) { this.user = username; this.pass = password; } @SuppressWarnings("boxing") @Override void configureRequest(HttpConnection conn) throws IOException { final Map<String, String> r = new LinkedHashMap<>(); final String realm = params.get("realm"); //$NON-NLS-1$ final String nonce = params.get("nonce"); //$NON-NLS-1$ final String cnonce = params.get("cnonce"); //$NON-NLS-1$ final String uri = uri(conn.getURL()); final String qop = params.get("qop"); //$NON-NLS-1$ final String method = conn.getRequestMethod(); final String A1 = user + ":" + realm + ":" + pass; //$NON-NLS-1$ //$NON-NLS-2$ final String A2 = method + ":" + uri; //$NON-NLS-1$ r.put("username", user); //$NON-NLS-1$ r.put("realm", realm); //$NON-NLS-1$ r.put("nonce", nonce); //$NON-NLS-1$ r.put("uri", uri); //$NON-NLS-1$ final String response, nc; if ("auth".equals(qop)) { //$NON-NLS-1$ nc = String.format("%08x", ++requestCount); //$NON-NLS-1$ response = KD(H(A1), nonce + ":" + nc + ":" + cnonce + ":" //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ + qop + ":" //$NON-NLS-1$ + H(A2)); } else { nc = null; response = KD(H(A1), nonce + ":" + H(A2)); //$NON-NLS-1$ } r.put("response", response); //$NON-NLS-1$ if (params.containsKey("algorithm")) //$NON-NLS-1$ r.put("algorithm", "MD5"); //$NON-NLS-1$ //$NON-NLS-2$ if (cnonce != null && qop != null) r.put("cnonce", cnonce); //$NON-NLS-1$ if (params.containsKey("opaque")) //$NON-NLS-1$ r.put("opaque", params.get("opaque")); //$NON-NLS-1$ //$NON-NLS-2$ if (qop != null) r.put("qop", qop); //$NON-NLS-1$ if (nc != null) r.put("nc", nc); //$NON-NLS-1$ StringBuilder v = new StringBuilder(); for (Map.Entry<String, String> e : r.entrySet()) { if (v.length() > 0) v.append(", "); //$NON-NLS-1$ v.append(e.getKey()); v.append('='); v.append('"'); v.append(e.getValue()); v.append('"'); } conn.setRequestProperty(HDR_AUTHORIZATION, type.getSchemeName() + " " + v); //$NON-NLS-1$ } private static String uri(URL u) { StringBuilder r = new StringBuilder(); r.append(u.getProtocol()); r.append("://"); //$NON-NLS-1$ r.append(u.getHost()); if (0 < u.getPort()) { if (u.getPort() == 80 && "http".equals(u.getProtocol())) { //$NON-NLS-1$ /* nothing */ } else if (u.getPort() == 443 && "https".equals(u.getProtocol())) { //$NON-NLS-1$ /* nothing */ } else { r.append(':').append(u.getPort()); } } r.append(u.getPath()); if (u.getQuery() != null) r.append('?').append(u.getQuery()); return r.toString(); } private static String H(String data) { MessageDigest md = newMD5(); md.update(data.getBytes(UTF_8)); return LHEX(md.digest()); } private static String KD(String secret, String data) { MessageDigest md = newMD5(); md.update(secret.getBytes(UTF_8)); md.update((byte) ':'); md.update(data.getBytes(UTF_8)); return LHEX(md.digest()); } private static MessageDigest newMD5() { try { return MessageDigest.getInstance("MD5"); //$NON-NLS-1$ } catch (NoSuchAlgorithmException e) { throw new RuntimeException("No MD5 available", e); //$NON-NLS-1$ } } private static final char[] LHEX = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', // 'a', 'b', 'c', 'd', 'e', 'f' }; private static String LHEX(byte[] bin) { StringBuilder r = new StringBuilder(bin.length * 2); for (int i = 0; i < bin.length; i++) { byte b = bin[i]; r.append(LHEX[(b >>> 4) & 0x0f]); r.append(LHEX[b & 0x0f]); } return r.toString(); } private static Map<String, String> parse(String auth) { Map<String, String> p = new HashMap<>(); int next = 0; while (next < auth.length()) { if (next < auth.length() && auth.charAt(next) == ',') { next++; } while (next < auth.length() && Character.isWhitespace(auth.charAt(next))) { next++; } int eq = auth.indexOf('=', next); if (eq < 0 || eq + 1 == auth.length()) { return Collections.emptyMap(); } final String name = auth.substring(next, eq); final String value; if (auth.charAt(eq + 1) == '"') { int dq = auth.indexOf('"', eq + 2); if (dq < 0) { return Collections.emptyMap(); } value = auth.substring(eq + 2, dq); next = dq + 1; } else { int space = auth.indexOf(' ', eq + 1); int comma = auth.indexOf(',', eq + 1); if (space < 0) space = auth.length(); if (comma < 0) comma = auth.length(); final int e = Math.min(space, comma); value = auth.substring(eq + 1, e); next = e + 1; } p.put(name, value); } return p; } } private static class Negotiate extends HttpAuthMethod { private static final GSSManagerFactory GSS_MANAGER_FACTORY = GSSManagerFactory.detect(); private static final Oid OID; static { try { // OID for SPNEGO OID = new Oid("1.3.6.1.5.5.2"); //$NON-NLS-1$ } catch (GSSException e) { throw new Error("Cannot create NEGOTIATE oid.", e); //$NON-NLS-1$ } } private final byte[] prevToken; public Negotiate(String hdr) { super(Type.NEGOTIATE); prevToken = Base64.decode(hdr); } @Override void authorize(String user, String pass) { // not used } @Override void configureRequest(HttpConnection conn) throws IOException { GSSManager gssManager = GSS_MANAGER_FACTORY.newInstance(conn.getURL()); String host = conn.getURL().getHost(); String peerName = "HTTP@" + host.toLowerCase(Locale.ROOT); //$NON-NLS-1$ try { GSSName gssName = gssManager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE); GSSContext context = gssManager.createContext(gssName, OID, null, GSSContext.DEFAULT_LIFETIME); // Respect delegation policy in HTTP/SPNEGO. context.requestCredDeleg(true); byte[] token = context.initSecContext(prevToken, 0, prevToken.length); conn.setRequestProperty(HDR_AUTHORIZATION, getType().getSchemeName() + " " + Base64.encodeBytes(token)); //$NON-NLS-1$ } catch (GSSException e) { throw new IOException(e); } } } }