/*
* Copyright (C) 2012 Square, Inc.
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.squareup.okhttp.internal.http;
import com.squareup.okhttp.OkAuthenticator;
import com.squareup.okhttp.OkAuthenticator.Challenge;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import static com.squareup.okhttp.OkAuthenticator.Credential;
import static java.net.HttpURLConnection.HTTP_PROXY_AUTH;
import static java.net.HttpURLConnection.HTTP_UNAUTHORIZED;
/** Handles HTTP authentication headers from origin and proxy servers. */
public final class HttpAuthenticator {
/** Uses the global authenticator to get the password. */
public static final OkAuthenticator SYSTEM_DEFAULT = new OkAuthenticator() {
@Override public Credential authenticate(
Proxy proxy, URL url, List<Challenge> challenges) throws IOException {
for (Challenge challenge : challenges) {
if (!"Basic".equalsIgnoreCase(challenge.getScheme())) {
continue;
}
PasswordAuthentication auth = Authenticator.requestPasswordAuthentication(url.getHost(),
getConnectToInetAddress(proxy, url), url.getPort(), url.getProtocol(),
challenge.getRealm(), challenge.getScheme(), url, Authenticator.RequestorType.SERVER);
if (auth != null) {
return Credential.basic(auth.getUserName(), new String(auth.getPassword()));
}
}
return null;
}
@Override public Credential authenticateProxy(
Proxy proxy, URL url, List<Challenge> challenges) throws IOException {
for (Challenge challenge : challenges) {
if (!"Basic".equalsIgnoreCase(challenge.getScheme())) {
continue;
}
InetSocketAddress proxyAddress = (InetSocketAddress) proxy.address();
PasswordAuthentication auth = Authenticator.requestPasswordAuthentication(
proxyAddress.getHostName(), getConnectToInetAddress(proxy, url), proxyAddress.getPort(),
url.getProtocol(), challenge.getRealm(), challenge.getScheme(), url,
Authenticator.RequestorType.PROXY);
if (auth != null) {
return Credential.basic(auth.getUserName(), new String(auth.getPassword()));
}
}
return null;
}
private InetAddress getConnectToInetAddress(Proxy proxy, URL url) throws IOException {
return (proxy != null && proxy.type() != Proxy.Type.DIRECT)
? ((InetSocketAddress) proxy.address()).getAddress()
: InetAddress.getByName(url.getHost());
}
};
private HttpAuthenticator() {
}
/**
* React to a failed authorization response by looking up new credentials.
*
* @return true if credentials have been added to successorRequestHeaders
* and another request should be attempted.
*/
public static boolean processAuthHeader(OkAuthenticator authenticator, int responseCode,
RawHeaders responseHeaders, RawHeaders successorRequestHeaders, Proxy proxy, URL url)
throws IOException {
String responseField;
String requestField;
if (responseCode == HTTP_UNAUTHORIZED) {
responseField = "WWW-Authenticate";
requestField = "Authorization";
} else if (responseCode == HTTP_PROXY_AUTH) {
responseField = "Proxy-Authenticate";
requestField = "Proxy-Authorization";
} else {
throw new IllegalArgumentException(); // TODO: ProtocolException?
}
List<Challenge> challenges = parseChallenges(responseHeaders, responseField);
if (challenges.isEmpty()) {
return false; // Could not find a challenge so end the request cycle.
}
Credential credential = responseHeaders.getResponseCode() == HTTP_PROXY_AUTH
? authenticator.authenticateProxy(proxy, url, challenges)
: authenticator.authenticate(proxy, url, challenges);
if (credential == null) {
return false; // Could not satisfy the challenge so end the request cycle.
}
// Add authorization credentials, bypassing the already-connected check.
successorRequestHeaders.set(requestField, credential.getHeaderValue());
return true;
}
/**
* Parse RFC 2617 challenges. This API is only interested in the scheme
* name and realm.
*/
private static List<Challenge> parseChallenges(RawHeaders responseHeaders,
String challengeHeader) {
// auth-scheme = token
// auth-param = token "=" ( token | quoted-string )
// challenge = auth-scheme 1*SP 1#auth-param
// realm = "realm" "=" realm-value
// realm-value = quoted-string
List<Challenge> result = new ArrayList<Challenge>();
for (int h = 0; h < responseHeaders.length(); h++) {
if (!challengeHeader.equalsIgnoreCase(responseHeaders.getFieldName(h))) {
continue;
}
String value = responseHeaders.getValue(h);
int pos = 0;
while (pos < value.length()) {
int tokenStart = pos;
pos = HeaderParser.skipUntil(value, pos, " ");
String scheme = value.substring(tokenStart, pos).trim();
pos = HeaderParser.skipWhitespace(value, pos);
// TODO: This currently only handles schemes with a 'realm' parameter;
// It needs to be fixed to handle any scheme and any parameters
// http://code.google.com/p/android/issues/detail?id=11140
if (!value.regionMatches(true, pos, "realm=\"", 0, "realm=\"".length())) {
break; // Unexpected challenge parameter; give up!
}
pos += "realm=\"".length();
int realmStart = pos;
pos = HeaderParser.skipUntil(value, pos, "\"");
String realm = value.substring(realmStart, pos);
pos++; // Consume '"' close quote.
pos = HeaderParser.skipUntil(value, pos, ",");
pos++; // Consume ',' comma.
pos = HeaderParser.skipWhitespace(value, pos);
result.add(new Challenge(scheme, realm));
}
}
return result;
}
}