Implemented authentication via http basic auth

Author: chernser

clickhouse-http-client/src/main/java/com/clickhouse/client/http/ClickHouseHttpConnection.java

@@ -9,6 +9,7 @@
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
@@ -38,6 +39,7 @@
 import com.clickhouse.data.ClickHouseUtils;
 import com.clickhouse.logging.Logger;
 import com.clickhouse.logging.LoggerFactory;
+import org.apache.hc.core5.http.HttpHeaders;
 
 public abstract class ClickHouseHttpConnection implements AutoCloseable {
     private static final Logger log = LoggerFactory.getLogger(ClickHouseHttpConnection.class);
@@ -238,11 +240,12 @@ protected static Map<String, String> createDefaultHeaders(ClickHouseConfig confi
             // TODO check if auth-scheme is available and supported
             map.put("authorization", credentials.getAccessToken());
         } else if (!hasAuthorizationHeader) {
-            map.put("x-clickhouse-user", credentials.getUserName());
             if (config.isSsl() && !ClickHouseChecker.isNullOrEmpty(config.getSslCert())) {
+                map.put("x-clickhouse-user", credentials.getUserName());
                 map.put("x-clickhouse-ssl-certificate-auth", "on");
             } else if (!ClickHouseChecker.isNullOrEmpty(credentials.getPassword())) {
-                map.put("x-clickhouse-key", credentials.getPassword());
+                map.put(HttpHeaders.AUTHORIZATION, "Basic " + Base64.getEncoder()
+                        .encodeToString((credentials.getUserName() + ":" + credentials.getPassword()).getBytes(StandardCharsets.UTF_8)));
             }
         }
 

clickhouse-http-client/src/main/java/com/clickhouse/client/http/ClickHouseHttpProto.java

@@ -44,6 +44,10 @@ public class ClickHouseHttpProto {
      */
     public static final String HEADER_DB_USER = "X-ClickHouse-User";
 
+    /**
+     * Password of user to be used to authenticate. Note: header value should be unencoded, so using
+     * special characters might cause issues. It is recommended to use the Basic Authentication instead.
+     */
     public static final String HEADER_DB_PASSWORD = "X-ClickHouse-Key";
 
     public static final String HEADER_SSL_CERT_AUTH = "x-clickhouse-ssl-certificate-auth";

clickhouse-jdbc/src/test/java/com/clickhouse/jdbc/AccessManagementTest.java

@@ -176,4 +176,43 @@ public void testSetRolesAccessingTableRows() throws SQLException {
             Assert.fail("Failed to check roles", e);
         }
     }
+
+    @Test(groups = "integration", dataProvider = "passwordAuthMethods")
+    public void testPasswordAuthentication(String identifyWith, String identifyBy) throws SQLException {
+        if (isCloud()) return; // TODO: testPasswordAuthentication - Revisit, see:
+        String url = String.format("jdbc:ch:%s", getEndpointString());
+        Properties properties = new Properties();
+        properties.setProperty(ClickHouseHttpOption.REMEMBER_LAST_SET_ROLES.getKey(), "true");
+        ClickHouseDataSource dataSource = new ClickHouseDataSource(url, properties);
+
+        try (Connection connection = dataSource.getConnection("access_dba", "123")) {
+            Statement st = connection.createStatement();
+            st.execute("DROP USER IF EXISTS some_user");
+            st.execute("CREATE USER some_user IDENTIFIED WITH " + identifyWith + " BY '" + identifyBy + "'");
+        } catch (Exception e) {
+            Assert.fail("Failed on setup", e);
+        }
+
+        try (Connection connection = dataSource.getConnection("some_user", identifyBy)) {
+            Statement st = connection.createStatement();
+            ResultSet rs = st.executeQuery("SELECT 1");
+            Assert.assertTrue(rs.next());
+            Assert.assertEquals(rs.getInt(1), 1);
+        } catch (Exception e) {
+            Assert.fail("Failed to authenticate", e);
+        }
+    }
+
+    @DataProvider(name = "passwordAuthMethods")
+    private static Object[][] passwordAuthMethods() {
+        return new Object[][] {
+                { "plaintext_password", "password" },
+                { "plaintext_password", "S3Cr=?t"},
+                { "plaintext_password", "123§" },
+                { "sha256_password", "password" },
+                { "sha256_password", "123§" },
+                { "sha256_password", "S3Cr=?t"},
+                { "sha256_password", "S3Cr?=t"},
+        };
+    }
 }

client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java

@@ -63,6 +63,7 @@
 import java.net.NoRouteToHostException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URLEncoder;
 import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
@@ -338,13 +339,14 @@ public ClassicHttpResponse executeRequest(ClickHouseNode server, Map<String, Obj
                 .build();
         req.setConfig(httpReqConfig);
         // setting entity. wrapping if compression is enabled
-        req.setEntity(wrapEntity(new EntityTemplate(-1, CONTENT_TYPE, null, writeCallback), false));
+        req.setEntity(wrapEntity(new EntityTemplate(-1, CONTENT_TYPE, null, writeCallback), HttpStatus.SC_OK, false));
 
         HttpClientContext context = HttpClientContext.create();
 
         try {
             ClassicHttpResponse httpResponse = httpClient.executeOpen(null, req, context);
-            httpResponse.setEntity(wrapEntity(httpResponse.getEntity(), true));
+            httpResponse.setEntity(wrapEntity(httpResponse.getEntity(), httpResponse.getCode(), true));
+
             if (httpResponse.getCode() == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
                 throw new ClientMisconfigurationException("Proxy authentication required. Please check your proxy settings.");
             } else if (httpResponse.getCode() == HttpStatus.SC_BAD_GATEWAY) {
@@ -395,11 +397,12 @@ private void addHeaders(HttpPost req, Map<String, String> chConfig, Map<String,
                 req.addHeader(ClickHouseHttpProto.HEADER_QUERY_ID, requestConfig.get(ClickHouseClientOption.QUERY_ID.getKey()).toString());
             }
         }
-        req.addHeader(ClickHouseHttpProto.HEADER_DB_USER, chConfig.get(ClickHouseDefaults.USER.getKey()));
         if (MapUtils.getFlag(chConfig, "ssl_authentication", false)) {
+            req.addHeader(ClickHouseHttpProto.HEADER_DB_USER, chConfig.get(ClickHouseDefaults.USER.getKey()));
             req.addHeader(ClickHouseHttpProto.HEADER_SSL_CERT_AUTH, "on");
         } else {
-            req.addHeader(ClickHouseHttpProto.HEADER_DB_PASSWORD, chConfig.get(ClickHouseDefaults.PASSWORD.getKey()));
+            req.addHeader(HttpHeaders.AUTHORIZATION, "Basic " + Base64.getEncoder().encodeToString(
+                    (chConfig.get(ClickHouseDefaults.USER.getKey()) + ":" + chConfig.get(ClickHouseDefaults.PASSWORD.getKey())).getBytes(StandardCharsets.UTF_8)));
         }
         if (proxyAuthHeaderValue != null) {
             req.addHeader(HttpHeaders.PROXY_AUTHORIZATION, proxyAuthHeaderValue);
@@ -487,15 +490,26 @@ private void addQueryParams(URIBuilder req, Map<String, String> chConfig, Map<St
         }
     }
 
-    private HttpEntity wrapEntity(HttpEntity httpEntity, boolean isResponse) {
-        boolean serverCompression = chConfiguration.getOrDefault(ClickHouseClientOption.COMPRESS.getKey(), "false").equalsIgnoreCase("true");
-        boolean clientCompression = chConfiguration.getOrDefault(ClickHouseClientOption.DECOMPRESS.getKey(), "false").equalsIgnoreCase("true");
-        boolean useHttpCompression = chConfiguration.getOrDefault("client.use_http_compression", "false").equalsIgnoreCase("true");
-        if (serverCompression || clientCompression) {
-            return new LZ4Entity(httpEntity, useHttpCompression, serverCompression, clientCompression,
-                    MapUtils.getInt(chConfiguration, "compression.lz4.uncompressed_buffer_size"), isResponse);
-        } else {
-            return httpEntity;
+    private HttpEntity wrapEntity(HttpEntity httpEntity, int httpStatus, boolean isResponse) {
+
+        switch (httpStatus) {
+            case HttpStatus.SC_OK:
+            case HttpStatus.SC_CREATED:
+            case HttpStatus.SC_ACCEPTED:
+            case HttpStatus.SC_NO_CONTENT:
+            case HttpStatus.SC_PARTIAL_CONTENT:
+            case HttpStatus.SC_RESET_CONTENT:
+            case HttpStatus.SC_NOT_MODIFIED:
+            case HttpStatus.SC_BAD_REQUEST:
+                boolean serverCompression = chConfiguration.getOrDefault(ClickHouseClientOption.COMPRESS.getKey(), "false").equalsIgnoreCase("true");
+                boolean clientCompression = chConfiguration.getOrDefault(ClickHouseClientOption.DECOMPRESS.getKey(), "false").equalsIgnoreCase("true");
+                boolean useHttpCompression = chConfiguration.getOrDefault("client.use_http_compression", "false").equalsIgnoreCase("true");
+                if (serverCompression || clientCompression) {
+                    return new LZ4Entity(httpEntity, useHttpCompression, serverCompression, clientCompression,
+                            MapUtils.getInt(chConfiguration, "compression.lz4.uncompressed_buffer_size"), isResponse);
+                }
+            default:
+                return httpEntity;
         }
     }
 

client-v2/src/test/java/com/clickhouse/client/HttpTransportTests.java

@@ -458,6 +458,7 @@ public void testServerSettings() {
     static {
         System.setProperty("org.slf4j.simpleLogger.defaultLogLevel", "DEBUG");
     }
+
     @Test(groups = { "integration" })
     public void testSSLAuthentication() throws Exception {
         if (isCloud()) {
@@ -491,6 +492,52 @@ public void testSSLAuthentication() throws Exception {
         }
     }
 
+    @Test(groups = { "integration" }, dataProvider = "testPasswordAuthenticationProvider", dataProviderClass = HttpTransportTests.class)
+    public void testPasswordAuthentication(String identifyWith, String identifyBy) throws Exception {
+        if (isCloud()) {
+            return; // Current test is working only with local server because of self-signed certificates.
+        }
+        ClickHouseNode server = getServer(ClickHouseProtocol.HTTP);
+
+        try (Client client = new Client.Builder().addEndpoint(Protocol.HTTP, "localhost",server.getPort(), false)
+                .setUsername("default")
+                .setPassword("")
+                .build()) {
+
+            try (CommandResponse resp = client.execute("DROP USER IF EXISTS some_user").get()) {
+            }
+            try (CommandResponse resp = client.execute("CREATE USER some_user IDENTIFIED WITH " + identifyWith + " BY '" + identifyBy + "'").get()) {
+            }
+        } catch (Exception e) {
+            Assert.fail("Failed on setup", e);
+        }
+
+        try (Client client = new Client.Builder().addEndpoint(Protocol.HTTP, "localhost",server.getPort(), false)
+                .setUsername("some_user")
+                .setPassword(identifyBy)
+                .build()) {
+
+            try (QueryResponse resp = client.query("SELECT 1").get()) {
+                Assert.assertEquals(resp.getReadRows(), 1);
+            }
+        } catch (Exception e) {
+            Assert.fail("Failed to authenticate", e);
+        }
+    }
+
+    @DataProvider(name = "testPasswordAuthenticationProvider")
+    public static Object[][] testPasswordAuthenticationProvider() {
+        return new Object[][] {
+                { "plaintext_password", "password" },
+                { "plaintext_password", "S3Cr=?t"},
+                { "plaintext_password", "123§" },
+                { "sha256_password", "password" },
+                { "sha256_password", "123§" },
+                { "sha256_password", "S3Cr=?t"},
+                { "sha256_password", "S3Cr?=t"},
+        };
+    }
+
     @Test(groups = { "integration" })
     public void testSSLAuthentication_invalidConfig() throws Exception {
         if (isCloud()) {