Exposed authSchemeProviderRegistry in apache http client builder (#5874)

Fred1155 · web-flow · commit 08e703e1fa7c · 2025-02-13T17:18:37.000Z
* authSchemeProviderRegistry field added

* auth scheme registry added

* unit test added

* default registry deleted

* minor fix

* added changelog
diff --git a/.changes/next-release/feature-ApacheHttpClient-b5823c7.json b/.changes/next-release/feature-ApacheHttpClient-b5823c7.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Apache Http Client",
+    "contributor": "",
+    "description": "Allow users to configure authSchemeProviderRegistry for ApacheHttpClient"
+}
diff --git a/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java b/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java
@@ -40,6 +40,7 @@
 import org.apache.http.Header;
 import org.apache.http.HeaderIterator;
 import org.apache.http.HttpResponse;
+import org.apache.http.auth.AuthSchemeProvider;
 import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.http.client.protocol.HttpClientContext;
@@ -149,6 +150,12 @@ private ConnectionManagerAwareHttpClient createClient(ApacheHttpClient.DefaultBu
         // from the reaper. See https://github.com/aws/aws-sdk-java/issues/722.
         HttpClientConnectionManager cm = cmFactory.create(configuration, standardOptions);
 
+        Registry<AuthSchemeProvider> authSchemeProviderRegistry = configuration.authSchemeProviderRegistry;
+        if (authSchemeProviderRegistry != null) {
+            builder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
+        }
+
+
         builder.setRequestExecutor(new HttpRequestExecutor())
                // SDK handles decompression
                .disableContentCompression()
@@ -449,10 +456,17 @@ public interface Builder extends SdkHttpClient.Builder<ApacheHttpClient.Builder>
          * when constructing the SSL context.
          */
         Builder tlsTrustManagersProvider(TlsTrustManagersProvider tlsTrustManagersProvider);
+
+        /**
+         * Configure the authentication scheme registry that can be used to obtain the corresponding authentication scheme
+         * implementation for a given type of authorization challenge.
+         */
+        Builder authSchemeProviderRegistry(Registry<AuthSchemeProvider> authSchemeProviderRegistry);
     }
 
     private static final class DefaultBuilder implements Builder {
         private final AttributeMap.Builder standardOptions = AttributeMap.builder();
+        private Registry<AuthSchemeProvider> authSchemeProviderRegistry;
         private ProxyConfiguration proxyConfiguration = ProxyConfiguration.builder().build();
         private InetAddress localAddress;
         private Boolean expectContinueEnabled;
@@ -640,6 +654,16 @@ public void setTlsTrustManagersProvider(TlsTrustManagersProvider tlsTrustManager
             tlsTrustManagersProvider(tlsTrustManagersProvider);
         }
 
+        @Override
+        public Builder authSchemeProviderRegistry(Registry<AuthSchemeProvider> authSchemeProviderRegistry) {
+            this.authSchemeProviderRegistry = authSchemeProviderRegistry;
+            return this;
+        }
+
+        public void setAuthSchemeProviderRegistry(Registry<AuthSchemeProvider> authSchemeProviderRegistry) {
+            authSchemeProviderRegistry(authSchemeProviderRegistry);
+        }
+
         @Override
         public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
             AttributeMap resolvedOptions = standardOptions.build().merge(serviceDefaults).merge(
diff --git a/http-clients/apache-client/src/test/java/software/amazon/awssdk/http/apache/ApacheHttpClientAuthRegistryTest.java b/http-clients/apache-client/src/test/java/software/amazon/awssdk/http/apache/ApacheHttpClientAuthRegistryTest.java
@@ -0,0 +1,157 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.apache;
+
+
+import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
+
+import java.net.URI;
+import org.apache.http.auth.AuthSchemeProvider;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.config.AuthSchemes;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.impl.auth.BasicSchemeFactory;
+import org.apache.http.impl.auth.KerberosSchemeFactory;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import software.amazon.awssdk.http.HttpExecuteRequest;
+import software.amazon.awssdk.http.SdkHttpMethod;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.ExecutableHttpRequest;
+import software.amazon.awssdk.http.HttpExecuteResponse;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.*;
+import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
+import static com.github.tomakehurst.wiremock.stubbing.Scenario.STARTED;
+
+
+class ApacheHttpClientAuthRegistryTest {
+
+    @RegisterExtension
+    static WireMockExtension proxyWireMock = WireMockExtension.newInstance()
+                                                         .options(wireMockConfig().dynamicPort())
+                                                         .build();
+    @RegisterExtension
+    static WireMockExtension serverWireMock = WireMockExtension.newInstance()
+                                                              .options(wireMockConfig().dynamicPort())
+                                                              .build();
+
+    private ApacheHttpClient httpClient;
+    private static final String PROXY_AUTH_SCENARIO = "Proxy Auth";
+    private static final String SERVER_AUTH_SCENARIO = "Server Auth";
+    private static final String CHALLENGED_STATE = "Challenged";
+
+
+    private Registry<AuthSchemeProvider> createAuthSchemeRegistry(String scheme, AuthSchemeProvider provider) {
+        return RegistryBuilder.<AuthSchemeProvider>create()
+                              .register(scheme, provider)
+                              .build();
+    }
+
+    private ApacheHttpClient createHttpClient(Registry<AuthSchemeProvider> authSchemeRegistry) {
+        CredentialsProvider credsProvider = new BasicCredentialsProvider();
+        credsProvider.setCredentials(
+            new AuthScope("localhost", AuthScope.ANY_PORT),
+            new UsernamePasswordCredentials("u1", "p1"));
+
+        return (ApacheHttpClient) ApacheHttpClient.builder()
+            .proxyConfiguration(ProxyConfiguration.builder().endpoint(URI.create("http://localhost:" + proxyWireMock.getPort()))
+                                                   .build())
+                                                  .authSchemeProviderRegistry(authSchemeRegistry)
+            .credentialsProvider(credsProvider)
+                                                  .build();
+    }
+
+    private SdkHttpRequest createHttpRequest() {
+        return SdkHttpRequest.builder()
+                             .uri(URI.create("http://localhost:" + serverWireMock.getPort()))
+                             .method(SdkHttpMethod.GET)
+                             .build();
+    }
+    private void setupProxyWireMockStub() {
+        proxyWireMock.stubFor(get(urlMatching(".*"))
+                             .inScenario(PROXY_AUTH_SCENARIO)
+                             .whenScenarioStateIs(STARTED)
+                             .willReturn(aResponse()
+                                             .withStatus(401)
+                                             .withHeader("WWW-Authenticate", "Basic"))
+                             .willSetStateTo(CHALLENGED_STATE));
+
+        proxyWireMock.stubFor(get(urlMatching(".*"))
+                                  .inScenario(PROXY_AUTH_SCENARIO)
+                                  .whenScenarioStateIs(CHALLENGED_STATE)
+                                  //.withHeader("WWW-Authenticate", matching(".*"))
+                                  .willReturn(aResponse()
+                                                  .withStatus(200))
+                                  .willSetStateTo("success"));
+    }
+
+    private void setupWireMockStub() {
+        serverWireMock.stubFor(get(urlMatching(".*"))
+                             .inScenario(SERVER_AUTH_SCENARIO)
+                             .whenScenarioStateIs(STARTED)
+                                   .withHeader("Authorization", matching(".*"))
+                             .willReturn(aResponse().withStatus(200)));
+    }
+
+    private HttpExecuteResponse executeRequest(SdkHttpRequest request) throws Exception {
+        HttpExecuteRequest executeRequest = HttpExecuteRequest.builder()
+                                                              .request(request)
+                                                              .build();
+        ExecutableHttpRequest executableRequest = httpClient.prepareRequest(executeRequest);
+        return executableRequest.call();
+    }
+
+    @Test
+    void authSchemeRegistryConfigured_registeredAuthShouldPass() throws Exception {
+        Registry<AuthSchemeProvider> authSchemeRegistry = createAuthSchemeRegistry(
+            AuthSchemes.BASIC,
+            new BasicSchemeFactory()
+        );
+
+        httpClient = createHttpClient(authSchemeRegistry);
+        setupProxyWireMockStub();
+        setupWireMockStub();
+
+        HttpExecuteResponse response = executeRequest(createHttpRequest());
+
+        proxyWireMock.verify(1, getRequestedFor(urlMatching(".*"))
+            .withHeader("Authorization", matching(".*"))
+        );
+    }
+
+    @Test
+    void authSchemeRegistryConfigured_unRegisteredAuthShouldWarn() throws Exception {
+        Registry<AuthSchemeProvider> authSchemeRegistry = createAuthSchemeRegistry(
+            AuthSchemes.KERBEROS,
+            new KerberosSchemeFactory()
+        );
+
+        httpClient = createHttpClient(authSchemeRegistry);
+        setupProxyWireMockStub();
+        setupWireMockStub();
+
+        HttpExecuteResponse response = executeRequest(createHttpRequest());
+        proxyWireMock.verify(0, getRequestedFor(urlMatching(".*"))
+            .withHeader("Authorization", matching(".*"))
+        );
+    }
+}
