feat(utils): Improve authentication of default HTTP client

The standard `JAVA_NET_AUTHENTICATOR` provided by OkHttp that was used
so far was only querying the global Java Authenticator when the
response contained a challenge with scheme `Basic`. There are,
however, servers that do not send this challenge, but for which
authentication with the credentials from the Java Authenticator would
work. The GitHub package registry is an example of such a server.

To support those servers, add a new `Authenticator`
implementation that always queries credentials from the Java
`Authenticator`.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

utils/ort/src/main/kotlin/OkHttpClientHelper.kt

@@ -22,6 +22,7 @@ package org.ossreviewtoolkit.utils.ort
 import java.io.File
 import java.io.IOException
 import java.lang.invoke.MethodHandles
+import java.net.HttpURLConnection
 import java.net.URI
 import java.time.Duration
 import java.util.concurrent.ConcurrentHashMap
@@ -41,6 +42,7 @@ import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
 import okhttp3.ResponseBody
+import okhttp3.Route
 
 import okio.buffer
 import okio.sink
@@ -88,6 +90,7 @@ private val logger = loggerOf(MethodHandles.lookup().lookupClass())
 private const val CACHE_DIRECTORY = "cache/http"
 private val MAX_CACHE_SIZE_IN_BYTES = 1.gibibytes
 private const val READ_TIMEOUT_IN_SECONDS = 30L
+private const val AUTHORIZATION_HEADER = "Authorization"
 
 /**
  * The default [OkHttpClient] for ORT to use.
@@ -124,7 +127,7 @@ val okHttpClient: OkHttpClient by lazy {
         .cache(cache)
         .connectionSpecs(specs)
         .readTimeout(Duration.ofSeconds(READ_TIMEOUT_IN_SECONDS))
-        .authenticator(Authenticator.JAVA_NET_AUTHENTICATOR)
+        .authenticator(JavaNetAuthenticatorWrapper())
         .proxyAuthenticator(Authenticator.JAVA_NET_AUTHENTICATOR)
         .build()
 }
@@ -276,3 +279,42 @@ suspend fun Call.await(): Response =
             }
         })
     }
+
+/**
+ * A wrapper implementation around OkHttp's [Authenticator.JAVA_NET_AUTHENTICATOR] that is less strict about querying
+ * credentials for requests from the global Java authenticator.
+ *
+ * OkHttp already has a built-in [Authenticator] that uses the global Java authenticator; however, this implementation
+ * is rather picky about the requests for which it delegates to the Java authenticator. It only kicks in for responses
+ * containing a challenge with the "Basic" scheme. This excludes a number of servers that could be handled by the Java
+ * authenticator. For instance, the GitHub package registry does not send any challenges, but it can be accessed with a
+ * token provided by the Java authenticator.
+ *
+ * This implementation handles default authentication request by always querying the Java authenticator for credentials,
+ * no matter which challenges are sent by the server. Only in special cases, such as unexpected response codes, it
+ * delegates to the default OkHttp authenticator.
+ */
+internal class JavaNetAuthenticatorWrapper(
+    private val wrappedAuthenticator: Authenticator = Authenticator.JAVA_NET_AUTHENTICATOR
+) : Authenticator {
+    override fun authenticate(route: Route?, response: Response): Request? {
+        if (response.code != HttpURLConnection.HTTP_UNAUTHORIZED) {
+            return wrappedAuthenticator.authenticate(route, response)
+        }
+
+        // The request already had an Authorization header; so obviously the credentials are not valid.
+        if (response.request.header(AUTHORIZATION_HEADER) != null) return null
+
+        val requestUri = response.request.url.toUri()
+        return requestPasswordAuthentication(requestUri)?.let { authentication ->
+            response.request.newBuilder()
+                .header(
+                    AUTHORIZATION_HEADER,
+                    Credentials.basic(
+                        authentication.userName,
+                        String(authentication.password)
+                    )
+                ).build()
+        }
+    }
+}

utils/ort/src/test/kotlin/OkHttpClientHelperTest.kt

@@ -21,6 +21,8 @@ package org.ossreviewtoolkit.utils.ort
 
 import io.kotest.core.spec.style.WordSpec
 import io.kotest.engine.spec.tempdir
+import io.kotest.matchers.nulls.beNull
+import io.kotest.matchers.nulls.shouldNotBeNull
 import io.kotest.matchers.result.shouldBeFailure
 import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
@@ -34,13 +36,21 @@ import io.mockk.mockkStatic
 import io.mockk.unmockkAll
 
 import java.io.IOException
+import java.net.HttpURLConnection
+import java.net.PasswordAuthentication
+import java.net.URI
 import java.time.Duration
 
+import kotlin.reflect.KFunction
+
+import okhttp3.Authenticator as OkAuthenticator
 import okhttp3.HttpUrl.Companion.toHttpUrl
 import okhttp3.OkHttpClient
+import okhttp3.Protocol
 import okhttp3.Request
 import okhttp3.Response
 import okhttp3.ResponseBody
+import okhttp3.Route
 
 import okio.BufferedSource
 
@@ -135,4 +145,92 @@ class OkHttpClientHelperTest : WordSpec({
             }
         }
     }
+
+    "JavaNetAuthenticatorWrapper" should {
+        "delegate to the default authenticator if the response code is not 401" {
+            val authenticator = mockk<OkAuthenticator>()
+            val route = mockk<Route>()
+            val response = createResponse(HttpURLConnection.HTTP_FORBIDDEN)
+            val modifiedRequest = mockk<Request>()
+            every { authenticator.authenticate(route, response) } returns modifiedRequest
+
+            val lenientAuthenticator = JavaNetAuthenticatorWrapper(authenticator)
+
+            lenientAuthenticator.authenticate(route, response) shouldBe modifiedRequest
+        }
+
+        "query the Java authenticator" {
+            val response = createResponse()
+            preparePasswordAuthentication(success = true)
+
+            val lenientAuthenticator = JavaNetAuthenticatorWrapper(mockk())
+
+            lenientAuthenticator.authenticate(mockk(), response) shouldNotBeNull {
+                header("Authorization") shouldBe "Basic c2NvdHQ6dGlnZXI="
+                url shouldBe AUTH_URL.toHttpUrl()
+            }
+        }
+
+        "return null if the Java authenticator does not return a password authentication" {
+            val response = createResponse()
+            preparePasswordAuthentication(success = false)
+
+            val lenientAuthenticator = JavaNetAuthenticatorWrapper(mockk())
+
+            lenientAuthenticator.authenticate(mockk(), response) should beNull()
+        }
+
+        "return null if the request already has an Authorization header" {
+            val requestWithAuth = Request.Builder()
+                .url(AUTH_URL)
+                .header("Authorization", "Basic wrong-credentials")
+                .build()
+            val response = createResponse(originalRequest = requestWithAuth)
+            preparePasswordAuthentication(success = true)
+
+            val lenientAuthenticator = JavaNetAuthenticatorWrapper(mockk())
+
+            lenientAuthenticator.authenticate(mockk(), response) should beNull()
+        }
+    }
 })
+
+private const val USERNAME = "scott"
+private const val PASSWORD = "tiger"
+private const val AUTH_URL = "https://example.org/auth"
+
+/**
+ * Create a [Response] object with the given response [code]. The request of this response is set to [originalRequest]
+ * if it is provided; otherwise, a default request to [AUTH_URL] is created.
+ */
+private fun createResponse(
+    code: Int = HttpURLConnection.HTTP_UNAUTHORIZED,
+    originalRequest: Request? = null
+): Response {
+    val request = originalRequest ?: Request.Builder()
+        .url(AUTH_URL)
+        .build()
+    return Response.Builder()
+        .request(request)
+        .code(code)
+        .protocol(Protocol.HTTP_2)
+        .message("Unauthorized")
+        .build()
+}
+
+/**
+ * Mock the [requestPasswordAuthentication] function to return a [PasswordAuthentication] object for the test URI
+ * based on the given [success] flag.
+ */
+private fun preparePasswordAuthentication(success: Boolean) {
+    val result = if (success) {
+        PasswordAuthentication(USERNAME, PASSWORD.toCharArray())
+    } else {
+        null
+    }
+
+    val resolveFunc: (URI) -> PasswordAuthentication? = ::requestPasswordAuthentication
+    mockkStatic(resolveFunc as KFunction<*>)
+
+    every { requestPasswordAuthentication(URI.create(AUTH_URL)) } returns result
+}