Add a Filter to handle basic authentication

shs96c · shs96c · commit 63fd7f722d36 · 2021-06-08T14:52:58.000+01:00
We could also implement Digest authentication, but this will get us
off the ground, and allow us to start to secure a public-facing
Router.
diff --git a/java/client/test/org/openqa/selenium/devtools/BUILD.bazel b/java/client/test/org/openqa/selenium/devtools/BUILD.bazel
@@ -22,6 +22,7 @@ java_selenium_test_suite(
         "//java/client/test/org/openqa/selenium/environment",
         "//java/client/test/org/openqa/selenium/testing:annotations",
         "//java/client/test/org/openqa/selenium/testing:test-base",
+        "//java/server/src/org/openqa/selenium/grid/security",
         artifact("com.google.guava:guava"),
         artifact("junit:junit"),
         artifact("org.assertj:assertj-core"),
diff --git a/java/client/test/org/openqa/selenium/devtools/CdpFacadeTest.java b/java/client/test/org/openqa/selenium/devtools/CdpFacadeTest.java
@@ -17,21 +17,23 @@
 
 package org.openqa.selenium.devtools;
 
+import com.google.common.net.MediaType;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.openqa.selenium.By;
 import org.openqa.selenium.HasAuthentication;
 import org.openqa.selenium.UsernameAndPassword;
-import org.openqa.selenium.environment.webserver.BasicAuthHandler;
 import org.openqa.selenium.environment.webserver.NettyAppServer;
+import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
+import org.openqa.selenium.remote.http.Contents;
 import org.openqa.selenium.remote.http.HttpResponse;
 import org.openqa.selenium.remote.http.Route;
 import org.openqa.selenium.support.devtools.NetworkInterceptor;
-import org.openqa.selenium.testing.Ignore;
 import org.openqa.selenium.testing.NotYetImplemented;
 import org.openqa.selenium.testing.drivers.Browser;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assumptions.assumeThat;
 import static org.openqa.selenium.remote.http.Contents.utf8String;
@@ -43,7 +45,12 @@ public class CdpFacadeTest extends DevToolsTestBase {
 
   @BeforeClass
   public static void startServer() {
-    server = new NettyAppServer(new BasicAuthHandler());
+    server = new NettyAppServer(
+      new BasicAuthenticationFilter("test", "test")
+        .andFinally(req ->
+          new HttpResponse()
+            .addHeader("Content-Type", MediaType.HTML_UTF_8.toString())
+            .setContent(Contents.string("<h1>authorized</h1>", UTF_8))));
     server.start();
   }
 
diff --git a/java/client/test/org/openqa/selenium/environment/BUILD.bazel b/java/client/test/org/openqa/selenium/environment/BUILD.bazel
@@ -52,6 +52,7 @@ java_library(
         "//java/client/src/org/openqa/selenium/remote/http",
         "//java/client/test/org/openqa/selenium/build",
         "//java/server/src/org/openqa/selenium/grid/config",
+        "//java/server/src/org/openqa/selenium/grid/security",
         "//java/server/src/org/openqa/selenium/grid/server",
         "//java/server/src/org/openqa/selenium/grid/web",
         "//java/server/src/org/openqa/selenium/netty/server",
diff --git a/java/client/test/org/openqa/selenium/environment/webserver/HandlersForTests.java b/java/client/test/org/openqa/selenium/environment/webserver/HandlersForTests.java
@@ -17,9 +17,12 @@
 
 package org.openqa.selenium.environment.webserver;
 
+import com.google.common.net.MediaType;
 import org.openqa.selenium.build.InProject;
+import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.web.PathResource;
 import org.openqa.selenium.grid.web.ResourceHandler;
+import org.openqa.selenium.remote.http.Contents;
 import org.openqa.selenium.remote.http.HttpRequest;
 import org.openqa.selenium.remote.http.HttpResponse;
 import org.openqa.selenium.remote.http.Routable;
@@ -28,6 +31,7 @@
 import java.io.UncheckedIOException;
 import java.nio.file.Path;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.openqa.selenium.remote.http.HttpMethod.GET;
 
 public class HandlersForTests implements Routable {
@@ -46,7 +50,11 @@ public HandlersForTests(String hostname, int port, Path tempPageDir) {
     Path webSrc = InProject.locate("common/src/web");
 
     Route route = Route.combine(
-      Route.get("/basicAuth").to(BasicAuthHandler::new),
+      Route.get("/basicAuth").to(() -> req ->
+        new HttpResponse()
+          .addHeader("Content-Type", MediaType.HTML_UTF_8.toString())
+          .setContent(Contents.string("<h1>authorized</h1>", UTF_8)))
+        .with(new BasicAuthenticationFilter("test", "test")),
       Route.get("/echo").to(EchoHandler::new),
       Route.get("/cookie").to(CookieHandler::new),
       Route.get("/encoding").to(EncodingHandler::new),
diff --git a/java/server/src/org/openqa/selenium/grid/security/BUILD.bazel b/java/server/src/org/openqa/selenium/grid/security/BUILD.bazel
@@ -5,6 +5,7 @@ java_library(
     name = "security",
     srcs = glob(["*.java"]),
     visibility = [
+        "//java/client/test/org/openqa/selenium:__subpackages__",
         "//java/server/src/org/openqa/selenium/events:__subpackages__",
         "//java/server/src/org/openqa/selenium/grid:__subpackages__",
         "//java/server/test/org/openqa/selenium/events:__subpackages__",
diff --git a/java/server/src/org/openqa/selenium/grid/security/BasicAuthenticationFilter.java b/java/server/src/org/openqa/selenium/grid/security/BasicAuthenticationFilter.java
@@ -15,44 +15,48 @@
 // specific language governing permissions and limitations
 // under the License.
 
-package org.openqa.selenium.environment.webserver;
+package org.openqa.selenium.grid.security;
 
-import com.google.common.net.MediaType;
-import org.openqa.selenium.remote.http.Contents;
+import org.openqa.selenium.internal.Require;
+import org.openqa.selenium.remote.http.Filter;
 import org.openqa.selenium.remote.http.HttpHandler;
-import org.openqa.selenium.remote.http.HttpRequest;
 import org.openqa.selenium.remote.http.HttpResponse;
 
-import java.io.UncheckedIOException;
 import java.net.HttpURLConnection;
 import java.util.Base64;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
-public class BasicAuthHandler implements HttpHandler {
-  private static final String CREDENTIALS = "test:test";
-  private final Base64.Decoder decoder = Base64.getDecoder();
+public class BasicAuthenticationFilter implements Filter {
+
+  private static final Base64.Decoder DECODER = Base64.getDecoder();
+  private final String passphrase;
+
+  public BasicAuthenticationFilter(String user, String password) {
+    passphrase = Base64.getEncoder().encodeToString((user + ":" + password).getBytes(UTF_8));
+  }
 
   @Override
-  public HttpResponse execute(HttpRequest req) throws UncheckedIOException {
-    if (isAuthorized(req.getHeader("Authorization"))) {
-      return new HttpResponse()
-        .addHeader("Content-Type", MediaType.HTML_UTF_8.toString())
-        .setContent(Contents.string("<h1>authorized</h1>", UTF_8));
-    }
+  public HttpHandler apply(HttpHandler next) {
+    return req -> {
+      Require.nonNull("Request", req);
+
+      if (!isAuthorized(req.getHeader("Authorization"))) {
+        return new HttpResponse()
+          .setStatus(HttpURLConnection.HTTP_UNAUTHORIZED)
+          .addHeader("WWW-Authenticate", "Basic realm=\"selenium-server\"");
+      }
 
-    return new HttpResponse()
-      .setStatus(HttpURLConnection.HTTP_UNAUTHORIZED)
-      .addHeader("WWW-Authenticate", "Basic realm=\"basic-auth-test\"");
+      return next.execute(req);
+    };
   }
 
   private boolean isAuthorized(String auth) {
     if (auth != null) {
       final int index = auth.indexOf(' ') + 1;
 
       if (index > 0) {
-        final String credentials = new String(decoder.decode(auth.substring(index)), UTF_8);
-        return CREDENTIALS.equals(credentials);
+        return passphrase.equals(auth.substring(index));
       }
     }
 
diff --git a/java/server/src/org/openqa/selenium/grid/web/AuthenticationFilter.java b/java/server/src/org/openqa/selenium/grid/web/AuthenticationFilter.java
diff --git a/java/server/test/org/openqa/selenium/grid/security/BUILD.bazel b/java/server/test/org/openqa/selenium/grid/security/BUILD.bazel
@@ -0,0 +1,13 @@
+load("//java:defs.bzl", "artifact", "java_test_suite")
+
+java_test_suite(
+  name = "small-tests",
+  size = "small",
+  srcs = glob(["*.java"]),
+  deps = [
+    "//java/client/src/org/openqa/selenium/remote/http",
+    "//java/server/src/org/openqa/selenium/grid/security",
+    artifact("junit:junit"),
+    artifact("org.assertj:assertj-core"),
+  ]
+)
diff --git a/java/server/test/org/openqa/selenium/grid/security/BasicAuthenticationFilterTest.java b/java/server/test/org/openqa/selenium/grid/security/BasicAuthenticationFilterTest.java
@@ -0,0 +1,55 @@
+// Licensed to the Software Freedom Conservancy (SFC) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The SFC licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.openqa.selenium.grid.security;
+
+import org.junit.Test;
+import org.openqa.selenium.remote.http.HttpHandler;
+import org.openqa.selenium.remote.http.HttpRequest;
+import org.openqa.selenium.remote.http.HttpResponse;
+
+import java.net.HttpURLConnection;
+import java.util.Base64;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.openqa.selenium.remote.http.HttpMethod.GET;
+
+public class BasicAuthenticationFilterTest {
+
+  @Test
+  public void shouldAskAnUnauthenticatedRequestToAuthenticate() {
+    HttpHandler handler = new BasicAuthenticationFilter("cheese", "cheddar").apply(req -> new HttpResponse());
+
+    HttpResponse res = handler.execute(new HttpRequest(GET, "/"));
+
+    assertThat(res.getStatus()).isEqualTo(HttpURLConnection.HTTP_UNAUTHORIZED);
+    assertThat(res.getHeader("Www-Authenticate")).startsWith("Basic ");
+    assertThat(res.getHeader("Www-Authenticate")).contains("Basic ");
+  }
+
+  @Test
+  public void shouldAllowAuthenticatedTrafficThrough() {
+    HttpHandler handler = new BasicAuthenticationFilter("cheese", "cheddar").apply(req -> new HttpResponse());
+
+    HttpResponse res = handler.execute(
+      new HttpRequest(GET, "/")
+        .setHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString("cheese:cheddar".getBytes(UTF_8))));
+
+    assertThat(res.isSuccessful()).isTrue();
+  }
+}
