1. 14 Jun, 2019 2 commits
  2. 13 Jun, 2019 10 commits
  3. 11 Jun, 2019 7 commits
  4. 10 Jun, 2019 21 commits
    • http: free auth context on failure · 7ea8630e
      When we send HTTP credentials but the server rejects them, tear down the
      authentication context so that we can start fresh.  To maintain this
      state, additionally move all of the authentication handling into
      `on_auth_required`.
      Edward Thomson committed
    • http: reconnect to proxy on connection close · 005b5bc2
      When we're issuing a CONNECT to a proxy, we expect to keep-alive to the
      proxy.  However, during authentication negotiations, the proxy may close
      the connection.  Reconnect if the server closes the connection.
      Edward Thomson committed
    • http: allow server to drop a keepalive connection · d171fbee
      When we have a keep-alive connection to the server, that server may
      legally drop the connection for any reason once a successful request and
      response has occurred.  It's common for servers to drop the connection
      after some amount of time or number of requests have occurred.
      Edward Thomson committed
    • http: stop on server EOF · 9af1de5b
      We stop the read loop when we have read all the data.  We should also
      consider the server's feelings.
      
      If the server hangs up on us, we need to stop our read loop.  Otherwise,
      we'll try to read from the server - and fail - ad infinitum.
      Edward Thomson committed
    • http: teach auth mechanisms about connection affinity · 539e6293
      Instead of using `is_complete` to decide whether we have connection or
      request affinity for authentication mechanisms, set a boolean on the
      mechanism definition itself.
      Edward Thomson committed
    • http: maintain authentication across connections · 3e0b4b43
      For request-based authentication mechanisms (Basic, Digest) we should
      keep the authentication context alive across socket connections, since
      the authentication headers must be transmitted with every request.
      
      However, we should continue to remove authentication contexts for
      mechanisms with connection affinity (NTLM, Negotiate) since we need to
      reauthenticate for every socket connection.
      Edward Thomson committed
    • http: simplify authentication mechanisms · ce72ae95
      Hold an individual authentication context instead of trying to maintain
      all the contexts; we can select the preferred context during the initial
      negotiation.
      
      Subsequent authentication steps will re-use the chosen authentication
      (until such time as it's rejected) instead of trying to manage multiple
      contexts when all but one will never be used (since we can only
      authenticate with a single mechanism at a time.)
      
      Also, when we're given a 401 or 407 in the middle of challenge/response
      handling, short-circuit immediately without incrementing the retry
      count.  The multi-step authentication is expected, and not a "retry" and
      should not be penalized as such.
      
      This means that we don't need to keep the contexts around and ensures
      that we do not unnecessarily fail for too many retries when we have
      challenge/response auth on a proxy and a server and potentially
      redirects in play as well.
      Edward Thomson committed
    • http: don't reset replay count after connection · 10718526
      A "connection" to a server is transient, and we may reconnect to a
      server in the midst of authentication failures (if the remote indicates
      that we should, via `Connection: close`) or in a redirect.
      Edward Thomson committed
    • http: validate server's authentication types · 79fc8281
      Ensure that the server supports the particular credential type that
      we're specifying.  Previously we considered credential types as an
      input to an auth mechanism - since the HTTP transport only supported
      default credentials (via negotiate) and username/password credentials
      (via basic), this worked.  However, if we are to add another mechanism
      that uses username/password credentials, we'll need to be careful to
      identify the types that are accepted.
      Edward Thomson committed
    • http: consume body on proxy auth failure · 5ad99210
      We must always consume the full parser body if we're going to
      keep-alive.  So in the authentication failure case, continue advancing
      the http message parser until it's complete, then we can retry the
      connection.
      
      Not doing so would mean that we have to tear the connection down and
      start over.  Advancing through fully (even though we don't use the data)
      will ensure that we can retry a connection with keep-alive.
      Edward Thomson committed
    • http: always consume body on auth failure · 75b20458
      When we get an authentication failure, we must consume the entire body
      of the response.  If we only read half of the body (on the assumption
      that we can ignore the rest) then we will never complete the parsing of
      the message.  This means that we will never set the complete flag, and
      our replay must actually tear down the connection and try again.
      
      This is particularly problematic for stateful authentication mechanisms
      (SPNEGO, NTLM) that require that we keep the connection alive.
      
      Note that the prior code is only a problem when the 401 that we are
      parsing is too large to be read in a single chunked read from the http
      parser.
      
      But now we will continue to invoke the http parser until we've got a
      complete message in the authentication failed scenario.  Note that we
      need not do anything with the message, so when we get an authentication
      failed, we'll stop adding data to our buffer, we'll simply loop in the
      parser and let it advance its internal state.
      Edward Thomson committed
    • transports: add an `is_complete` function for auth · 10e8fe55
      Some authentication mechanisms (like HTTP Basic and Digest) have a
      one-step mechanism to create credentials, but there are more complex
      mechanisms like NTLM and Negotiate that require challenge/response after
      negotiation, requiring several round-trips.  Add an `is_complete`
      function to know when they have round-tripped enough to be a single
      authentication and should now either have succeeded or failed to
      authenticate.
      Edward Thomson committed
    • http: examine keepalive status at message end · 9050c69c
      We cannot examine the keep-alive status of the http parser in
      `http_connect`; it's too late and the critical information about whether
      keep-alive is supported has been destroyed.
      
      Per the documentation for `http_should_keep_alive`:
      
      > If http_should_keep_alive() in the on_headers_complete or
      > on_message_complete callback returns 0, then this should be
      > the last message on the connection.
      
      Query then and set the state.
      Edward Thomson committed
    • http: increase the replay count · 956ba48b
      Increase the permissible replay count; with multiple-step authentication
      schemes (NTLM, Negotiate), proxy authentication and redirects, we need
      to be mindful of the number of steps it takes to get connected.
      
      7 seems high but can be exhausted quickly with just a single authentication
      failure over a redirected multi-state authentication pipeline.
      Edward Thomson committed
    • ci: enable all proxy tests · 7912db49
      Edward Thomson committed