All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.grpc.internal.ProxyDetectorImpl Maven / Gradle / Ivy

There is a newer version: 1.68.1
Show newest version
/*
 * Copyright 2017 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc.internal;

import static com.google.common.base.Preconditions.checkNotNull;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Supplier;
import io.grpc.HttpConnectProxiedSocketAddress;
import io.grpc.ProxiedSocketAddress;
import io.grpc.ProxyDetector;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;

/**
 * A utility class that detects proxies using {@link ProxySelector} and detects authentication
 * credentials using {@link Authenticator}.
 *
 */
class ProxyDetectorImpl implements ProxyDetector {
  // To validate this code: set up a local squid proxy instance, and
  // try to communicate with grpc-test.sandbox.googleapis.com:443.
  // The endpoint runs an instance of TestServiceGrpc, see
  // AbstractInteropTest for an example how to run a
  // TestService.EmptyCall RPC.
  //
  // The instructions below assume Squid 3.5.23 and a recent
  // version of Debian.
  //
  // Set the contents of /etc/squid/squid.conf to be:
  // WARNING: THESE CONFIGS HAVE NOT BEEN REVIEWED FOR SECURITY, DO
  // NOT USE OUTSIDE OF TESTING. COMMENT OUT THIS WARNING TO
  // UNBREAK THE CONFIG FILE.
  // acl SSL_ports port 443
  // acl Safe_ports port 80
  // acl Safe_ports port 21
  // acl Safe_ports port 443
  // acl Safe_ports port 70
  // acl Safe_ports port 210
  // acl Safe_ports port 1025-65535
  // acl Safe_ports port 280
  // acl Safe_ports port 488
  // acl Safe_ports port 591
  // acl Safe_ports port 777
  // acl CONNECT method CONNECT
  // http_access deny !Safe_ports
  // http_access deny CONNECT !SSL_ports
  // http_access allow localhost manager
  // http_access deny manager
  // http_access allow localhost
  // http_access deny all
  // http_port 3128
  // coredump_dir /var/spool/squid
  // refresh_pattern ^ftp: 1440 20% 10080
  // refresh_pattern ^gopher: 1440 0% 1440
  // refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  // refresh_pattern . 0 20% 4320
  //
  // Restart squid:
  // $ sudo /etc/init.d/squid restart
  //
  // To test with passwords:
  //
  // Run this command and follow the instructions to set up a user/pass:
  // $ sudo htpasswd -c /etc/squid/passwd myuser1
  //
  // Make the file readable to squid:
  // $ sudo chmod 644 /etc/squid/passwd
  //
  // Validate the username and password, you should see OK printed:
  // $ /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
  // myuser1 
  //
  // Add these additional lines to the beginning of squid.conf (the ordering matters):
  // auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
  // auth_param basic children 5
  // auth_param basic realm Squid proxy-caching web server
  // auth_param basic credentialsttl 2 hours
  // acl ncsa_users proxy_auth REQUIRED
  // http_access allow ncsa_users
  //
  // Restart squid:
  // $ sudo /etc/init.d/squid restart
  //
  // In both cases, start the JVM with -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=3128 to
  // configure the proxy. For passwords, use java.net.Authenticator.setDefault().
  //
  // Testing with curl, no password:
  // $ curl -U myuser1:pass1 -x http://localhost:3128 -L grpc.io
  // Testing with curl, with password:
  // $ curl -U myuser1:pass1 -x http://localhost:3128 -L grpc.io
  //
  // It may be helpful to monitor the squid access logs:
  // $ sudo tail -f /var/log/squid/access.log

  private static final Logger log = Logger.getLogger(ProxyDetectorImpl.class.getName());
  private static final AuthenticationProvider DEFAULT_AUTHENTICATOR = new AuthenticationProvider() {
    @Override
    public PasswordAuthentication requestPasswordAuthentication(
        String host, InetAddress addr, int port, String protocol, String prompt, String scheme) {
      URL url = null;
      try {
        url = new URL(protocol, host, port, "");
      } catch (MalformedURLException e) {
        // let url be null
        log.log(
            Level.WARNING,
            "failed to create URL for Authenticator: {0} {1}", new Object[] {protocol, host});
      }
      return Authenticator.requestPasswordAuthentication(
          host, addr, port, protocol, prompt, scheme, url, Authenticator.RequestorType.PROXY);
    }
  };
  private static final Supplier DEFAULT_PROXY_SELECTOR =
      new Supplier() {
        @Override
        public ProxySelector get() {
          return ProxySelector.getDefault();
        }
      };

  /**
   * Experimental environment variable name for enabling proxy support.
   *
   * @deprecated Use the standard Java proxy configuration instead with flags such as:
   *     -Dhttps.proxyHost=HOST -Dhttps.proxyPort=PORT
   */
  @Deprecated
  private static final String GRPC_PROXY_ENV_VAR = "GRPC_PROXY_EXP";
  // Do not hard code a ProxySelector because the global default ProxySelector can change
  private final Supplier proxySelector;
  private final AuthenticationProvider authenticationProvider;
  private final InetSocketAddress overrideProxyAddress;

  // We want an HTTPS proxy, which operates on the entire data stream (See IETF rfc2817).
  static final String PROXY_SCHEME = "https";

  /**
   * A proxy selector that uses the global {@link ProxySelector#getDefault()} and
   * {@link ProxyDetectorImpl.AuthenticationProvider} to detect proxy parameters.
   */
  public ProxyDetectorImpl() {
    this(DEFAULT_PROXY_SELECTOR, DEFAULT_AUTHENTICATOR, System.getenv(GRPC_PROXY_ENV_VAR));
  }

  @VisibleForTesting
  ProxyDetectorImpl(
      Supplier proxySelector,
      AuthenticationProvider authenticationProvider,
      @Nullable String proxyEnvString) {
    this.proxySelector = checkNotNull(proxySelector);
    this.authenticationProvider = checkNotNull(authenticationProvider);
    if (proxyEnvString != null) {
      overrideProxyAddress = overrideProxy(proxyEnvString);
    } else {
      overrideProxyAddress = null;
    }
  }

  @Nullable
  @Override
  public ProxiedSocketAddress proxyFor(SocketAddress targetServerAddress) throws IOException {
    if (!(targetServerAddress instanceof InetSocketAddress)) {
      return null;
    }
    if (overrideProxyAddress != null) {
      return HttpConnectProxiedSocketAddress.newBuilder()
          .setProxyAddress(overrideProxyAddress)
          .setTargetAddress((InetSocketAddress) targetServerAddress)
          .build();
    }
    return detectProxy((InetSocketAddress) targetServerAddress);
  }

  private ProxiedSocketAddress detectProxy(InetSocketAddress targetAddr) throws IOException {
    URI uri;
    String host = targetAddr.getHostString();
    try {
      uri =
          new URI(
              PROXY_SCHEME,
              null, /* userInfo */
              host,
              targetAddr.getPort(),
              null, /* path */
              null, /* query */
              null /* fragment */);
    } catch (final URISyntaxException e) {
      log.log(
          Level.WARNING,
          "Failed to construct URI for proxy lookup, proceeding without proxy",
          e);
      return null;
    }

    ProxySelector proxySelector = this.proxySelector.get();
    if (proxySelector == null) {
      log.log(Level.FINE, "proxy selector is null, so continuing without proxy lookup");
      return null;
    }

    List proxies = proxySelector.select(uri);
    if (proxies.size() > 1) {
      log.warning("More than 1 proxy detected, gRPC will select the first one");
    }
    Proxy proxy = proxies.get(0);

    if (proxy.type() == Proxy.Type.DIRECT) {
      return null;
    }
    InetSocketAddress proxyAddr = (InetSocketAddress) proxy.address();
    // The prompt string should be the realm as returned by the server.
    // We don't have it because we are avoiding the full handshake.
    String promptString = "";
    PasswordAuthentication auth =
        authenticationProvider.requestPasswordAuthentication(
            proxyAddr.getHostString(),
            proxyAddr.getAddress(),
            proxyAddr.getPort(),
            PROXY_SCHEME,
            promptString,
            null);

    final InetSocketAddress resolvedProxyAddr;
    if (proxyAddr.isUnresolved()) {
      InetAddress resolvedAddress = InetAddress.getByName(proxyAddr.getHostName());
      resolvedProxyAddr = new InetSocketAddress(resolvedAddress, proxyAddr.getPort());
    } else {
      resolvedProxyAddr = proxyAddr;
    }

    HttpConnectProxiedSocketAddress.Builder builder =
        HttpConnectProxiedSocketAddress.newBuilder()
        .setTargetAddress(targetAddr)
        .setProxyAddress(resolvedProxyAddr);

    if (auth == null) {
      return builder.build();
    }

    return builder
        .setUsername(auth.getUserName())
        .setPassword(auth.getPassword() == null ? null : new String(auth.getPassword()))
        .build();
  }

  /**
   * GRPC_PROXY_EXP is deprecated but let's maintain compatibility for now.
   */
  private static InetSocketAddress overrideProxy(String proxyHostPort) {
    if (proxyHostPort == null) {
      return null;
    }

    String[] parts = proxyHostPort.split(":", 2);
    int port = 80;
    if (parts.length > 1) {
      port = Integer.parseInt(parts[1]);
    }
    log.warning(
        "Detected GRPC_PROXY_EXP and will honor it, but this feature will "
            + "be removed in a future release. Use the JVM flags "
            + "\"-Dhttps.proxyHost=HOST -Dhttps.proxyPort=PORT\" to set the https proxy for "
            + "this JVM.");
    return new InetSocketAddress(parts[0], port);
  }

  /**
   * This interface makes unit testing easier by avoiding direct calls to static methods.
   */
  interface AuthenticationProvider {
    PasswordAuthentication requestPasswordAuthentication(
        String host,
        InetAddress addr,
        int port,
        String protocol,
        String prompt,
        String scheme);
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy