HTTPCLIENT-1873: Config option for Kerberos delegation

httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSPNegoScheme.java

@@ -29,10 +29,12 @@ package org.apache.hc.client5.testing.sync;
 import java.io.IOException;
 import java.security.Principal;
 
+import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
 import org.apache.hc.client5.http.auth.AuthScope;
 import org.apache.hc.client5.http.auth.Credentials;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.client5.http.classic.methods.HttpGet;
 import org.apache.hc.client5.http.config.AuthSchemes;
 import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
@@ -94,7 +96,7 @@ public class TestSPNegoScheme extends LocalServerTestBase {
         GSSContext context = Mockito.mock(GSSContext.class);
 
         NegotiateSchemeWithMockGssManager() throws Exception {
-            super(true);
+            super(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE);
             Mockito.when(context.initSecContext(
                     ArgumentMatchers.<byte[]>any(), ArgumentMatchers.anyInt(), ArgumentMatchers.anyInt()))
                     .thenReturn("12345678".getBytes());

httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosConfig.java

@@ -0,0 +1,158 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.client5.http.auth;
+
+import org.apache.hc.core5.annotation.Contract;
+import org.apache.hc.core5.annotation.ThreadingBehavior;
+
+/**
+ *  Immutable class encapsulating Kerberos configuration options.
+ *
+ *  @since 4.6
+ */
+@Contract(threading = ThreadingBehavior.IMMUTABLE)
+public class KerberosConfig implements Cloneable {
+
+    public enum Option {
+
+        DEFAULT,
+        ENABLE,
+        DISABLE
+
+    }
+
+    public static final KerberosConfig DEFAULT = new Builder().build();
+
+    private final Option stripPort;
+    private final Option useCanonicalHostname;
+    private final Option requestDelegCreds;
+
+    /**
+     * Intended for CDI compatibility
+    */
+    protected KerberosConfig() {
+        this(Option.DEFAULT, Option.DEFAULT, Option.DEFAULT);
+    }
+
+    KerberosConfig(
+            final Option stripPort,
+            final Option useCanonicalHostname,
+            final Option requestDelegCreds) {
+        super();
+        this.stripPort = stripPort;
+        this.useCanonicalHostname = useCanonicalHostname;
+        this.requestDelegCreds = requestDelegCreds;
+    }
+
+    public Option getStripPort() {
+        return stripPort;
+    }
+
+    public Option getUseCanonicalHostname() {
+        return useCanonicalHostname;
+    }
+
+    public Option getRequestDelegCreds() {
+        return requestDelegCreds;
+    }
+
+    @Override
+    protected KerberosConfig clone() throws CloneNotSupportedException {
+        return (KerberosConfig) super.clone();
+    }
+
+    @Override
+    public String toString() {
+        final StringBuilder builder = new StringBuilder();
+        builder.append("[");
+        builder.append("stripPort=").append(stripPort);
+        builder.append(", useCanonicalHostname=").append(useCanonicalHostname);
+        builder.append(", requestDelegCreds=").append(requestDelegCreds);
+        builder.append("]");
+        return builder.toString();
+    }
+
+    public static KerberosConfig.Builder custom() {
+        return new Builder();
+    }
+
+    public static KerberosConfig.Builder copy(final KerberosConfig config) {
+        return new Builder()
+                .setStripPort(config.getStripPort())
+                .setUseCanonicalHostname(config.getUseCanonicalHostname())
+                .setRequestDelegCreds(config.getRequestDelegCreds());
+    }
+
+    public static class Builder {
+
+        private Option stripPort;
+        private Option useCanonicalHostname;
+        private Option requestDelegCreds;
+
+        Builder() {
+            super();
+            this.stripPort = Option.DEFAULT;
+            this.useCanonicalHostname = Option.DEFAULT;
+            this.requestDelegCreds = Option.DEFAULT;
+        }
+
+        public Builder setStripPort(final Option stripPort) {
+            this.stripPort = stripPort;
+            return this;
+        }
+
+        public Builder setStripPort(final boolean stripPort) {
+            this.stripPort = stripPort ? Option.ENABLE : Option.DISABLE;
+            return this;
+        }
+
+        public Builder setUseCanonicalHostname(final Option useCanonicalHostname) {
+            this.useCanonicalHostname = useCanonicalHostname;
+            return this;
+        }
+
+        public Builder setUseCanonicalHostname(final boolean useCanonicalHostname) {
+            this.useCanonicalHostname = useCanonicalHostname ? Option.ENABLE : Option.DISABLE;
+            return this;
+        }
+
+        public Builder setRequestDelegCreds(final Option requestDelegCreds) {
+            this.requestDelegCreds = requestDelegCreds;
+            return this;
+        }
+
+        public KerberosConfig build() {
+            return new KerberosConfig(
+                    stripPort,
+                    useCanonicalHostname,
+                    requestDelegCreds);
+        }
+
+    }
+
+}

httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java

@@ -47,6 +47,7 @@ import org.apache.hc.client5.http.UserTokenHandler;
 import org.apache.hc.client5.http.async.AsyncExecChainHandler;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.client5.http.config.AuthSchemes;
 import org.apache.hc.client5.http.config.RequestConfig;
 import org.apache.hc.client5.http.cookie.BasicCookieStore;
@@ -963,8 +964,8 @@ public class HttpAsyncClientBuilder {
                     .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
                     .register(AuthSchemes.CREDSSP, new CredSspSchemeFactory())
                     .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
-                    .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
-                    .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
+                    .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
+                    .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
                     .build();
         }
         Lookup<CookieSpecProvider> cookieSpecRegistryCopy = this.cookieSpecRegistry;

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java

@@ -40,6 +40,7 @@ import org.apache.hc.client5.http.auth.AuthenticationException;
 import org.apache.hc.client5.http.auth.Credentials;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
 import org.apache.hc.client5.http.auth.InvalidCredentialsException;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.client5.http.auth.KerberosCredentials;
 import org.apache.hc.client5.http.auth.MalformedChallengeException;
 import org.apache.hc.core5.http.HttpHost;
@@ -69,9 +70,8 @@ public abstract class GGSSchemeBase implements AuthScheme {
 
     private final Logger log = LogManager.getLogger(getClass());
 
+    private final KerberosConfig config;
     private final DnsResolver dnsResolver;
-    private final boolean stripPort;
-    private final boolean useCanonicalHostname;
 
     /** Authentication process state */
     private State state;
@@ -79,23 +79,19 @@ public abstract class GGSSchemeBase implements AuthScheme {
     private String challenge;
     private byte[] token;
 
-    GGSSchemeBase(
-            final DnsResolver dnsResolver,
-            final boolean stripPort,
-            final boolean useCanonicalHostname) {
+    GGSSchemeBase(final KerberosConfig config, final DnsResolver dnsResolver) {
         super();
+        this.config = config != null ? config : KerberosConfig.DEFAULT;
         this.dnsResolver = dnsResolver != null ? dnsResolver : SystemDefaultDnsResolver.INSTANCE;
-        this.stripPort = stripPort;
-        this.useCanonicalHostname = useCanonicalHostname;
         this.state = State.UNINITIATED;
     }
 
-    GGSSchemeBase(final boolean stripPort) {
-        this(null, stripPort, true);
+    GGSSchemeBase(final KerberosConfig config) {
+        this(config, SystemDefaultDnsResolver.INSTANCE);
     }
 
     GGSSchemeBase() {
-        this(null, true, true);
+        this(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE);
     }
 
     @Override
@@ -152,6 +148,9 @@ public abstract class GGSSchemeBase implements AuthScheme {
         final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential,
                 GSSContext.DEFAULT_LIFETIME);
         gssContext.requestMutualAuth(true);
+        if (config.getRequestDelegCreds() != KerberosConfig.Option.DEFAULT) {
+            gssContext.requestCredDeleg(config.getRequestDelegCreds() == KerberosConfig.Option.ENABLE);
+        }
         return gssContext;
     }
     /**
@@ -204,13 +203,13 @@ public abstract class GGSSchemeBase implements AuthScheme {
             try {
                 final String authServer;
                 String hostname = host.getHostName();
-                if (this.useCanonicalHostname){
+                if (config.getUseCanonicalHostname() != KerberosConfig.Option.DISABLE){
                     try {
                          hostname = dnsResolver.resolveCanonicalHostname(host.getHostName());
                     } catch (final UnknownHostException ignore){
                     }
                 }
-                if (this.stripPort) {
+                if (config.getStripPort() != KerberosConfig.Option.DISABLE) {
                     authServer = hostname;
                 } else {
                     authServer = hostname + ":" + host.getPort();

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosScheme.java

@@ -27,6 +27,7 @@
 package org.apache.hc.client5.http.impl.auth;
 
 import org.apache.hc.client5.http.DnsResolver;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
 
@@ -40,14 +41,10 @@ public class KerberosScheme extends GGSSchemeBase {
     private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
 
     /**
-     * @since 4.4
+     * @since 5.0
      */
-    public KerberosScheme(final DnsResolver dnsResolver, final boolean stripPort, final boolean useCanonicalHostname) {
-        super(dnsResolver, stripPort, useCanonicalHostname);
-    }
-
-    public KerberosScheme(final boolean stripPort) {
-        super(stripPort);
+    public KerberosScheme(final KerberosConfig config, final DnsResolver dnsResolver) {
+        super(config, dnsResolver);
     }
 
     public KerberosScheme() {

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosSchemeFactory.java

@@ -29,6 +29,7 @@ package org.apache.hc.client5.http.impl.auth;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.http.protocol.HttpContext;
@@ -42,23 +43,21 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 @Contract(threading = ThreadingBehavior.IMMUTABLE)
 public class KerberosSchemeFactory implements AuthSchemeProvider {
 
+    private final KerberosConfig config;
     private final DnsResolver dnsResolver;
-    private final boolean stripPort;
-    private final boolean useCanonicalHostname;
 
     /**
-     * @since 4.4
+     * @since 5.0
      */
-    public KerberosSchemeFactory(final DnsResolver dnsResolver, final boolean stripPort, final boolean useCanonicalHostname) {
+    public KerberosSchemeFactory(final KerberosConfig config, final DnsResolver dnsResolver) {
         super();
+        this.config = config;
         this.dnsResolver = dnsResolver;
-        this.stripPort = stripPort;
-        this.useCanonicalHostname = useCanonicalHostname;
     }
 
     @Override
     public AuthScheme create(final HttpContext context) {
-        return new KerberosScheme(this.dnsResolver, this.stripPort, this.useCanonicalHostname);
+        return new KerberosScheme(this.config, this.dnsResolver);
     }
 
 }

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoScheme.java

@@ -27,6 +27,7 @@
 package org.apache.hc.client5.http.impl.auth;
 
 import org.apache.hc.client5.http.DnsResolver;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
 
@@ -41,14 +42,10 @@ public class SPNegoScheme extends GGSSchemeBase {
     private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
 
     /**
-     * @since 4.4
+     * @since 5.0
      */
-    public SPNegoScheme(final DnsResolver dnsResolver, final boolean stripPort, final boolean useCanonicalHostname) {
-        super(dnsResolver, stripPort, useCanonicalHostname);
-    }
-
-    public SPNegoScheme(final boolean stripPort) {
-        super(stripPort);
+    public SPNegoScheme(final KerberosConfig config, final DnsResolver dnsResolver) {
+        super(config, dnsResolver);
     }
 
     public SPNegoScheme() {

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoSchemeFactory.java

@@ -29,6 +29,7 @@ package org.apache.hc.client5.http.impl.auth;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.http.protocol.HttpContext;
@@ -42,23 +43,21 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 @Contract(threading = ThreadingBehavior.IMMUTABLE)
 public class SPNegoSchemeFactory implements AuthSchemeProvider {
 
+    private final KerberosConfig config;
     private final DnsResolver dnsResolver;
-    private final boolean stripPort;
-    private final boolean useCanonicalHostname;
 
     /**
-     * @since 4.4
+     * @since 5.0
      */
-    public SPNegoSchemeFactory(final DnsResolver dnsResolver, final boolean stripPort, final boolean useCanonicalHostname) {
+    public SPNegoSchemeFactory(final KerberosConfig config, final DnsResolver dnsResolver) {
         super();
+        this.config = config;
         this.dnsResolver = dnsResolver;
-        this.stripPort = stripPort;
-        this.useCanonicalHostname = useCanonicalHostname;
     }
 
     @Override
     public AuthScheme create(final HttpContext context) {
-        return new SPNegoScheme(this.dnsResolver, this.stripPort, this.useCanonicalHostname);
+        return new SPNegoScheme(this.config, this.dnsResolver);
     }
 
 }

httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java

@@ -47,6 +47,7 @@ import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.UserTokenHandler;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.client5.http.classic.BackoffManager;
 import org.apache.hc.client5.http.classic.ConnectionBackoffStrategy;
 import org.apache.hc.client5.http.classic.ExecChainHandler;
@@ -952,8 +953,8 @@ public class HttpClientBuilder {
                 .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
                 .register(AuthSchemes.CREDSSP, new CredSspSchemeFactory())
                 .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
-                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
-                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
+                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
+                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
                 .build();
         }
         Lookup<CookieSpecProvider> cookieSpecRegistryCopy = this.cookieSpecRegistry;

httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java

@@ -40,6 +40,7 @@ import org.apache.hc.client5.http.auth.AuthSchemeProvider;
 import org.apache.hc.client5.http.auth.AuthScope;
 import org.apache.hc.client5.http.auth.ChallengeType;
 import org.apache.hc.client5.http.auth.Credentials;
+import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.client5.http.config.AuthSchemes;
 import org.apache.hc.client5.http.config.RequestConfig;
 import org.apache.hc.client5.http.impl.DefaultAuthenticationStrategy;
@@ -117,8 +118,8 @@ public class ProxyClient {
                 .register(AuthSchemes.BASIC, new BasicSchemeFactory())
                 .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
                 .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
-                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
-                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(SystemDefaultDnsResolver.INSTANCE, true, true))
+                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
+                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE))
                 .build();
         this.reuseStrategy = new DefaultConnectionReuseStrategy();
     }