Merge branch 'bungle-feat/proxy-authorization'

pintsized · pintsized · commit fb469284662d · 2019-02-03T12:29:59.000Z
diff --git a/README.md b/README.md
@@ -164,14 +164,15 @@ An optional Lua table can be specified as the last argument to this method to sp
 
 ## connect_proxy
 
-`syntax: ok, err = httpc:connect_proxy(proxy_uri, scheme, host, port)`
+`syntax: ok, err = httpc:connect_proxy(proxy_uri, scheme, host, port, proxy_authorization)`
 
 Attempts to connect to the web server through the given proxy server. The method accepts the following arguments:
 
 * `proxy_uri` - Full URI of the proxy server to use (e.g. `http://proxy.example.com:3128/`). Note: Only `http` protocol is supported.
 * `scheme` - The protocol to use between the proxy server and the remote host (`http` or `https`). If `https` is specified as the scheme, `connect_proxy()` makes a `CONNECT` request to establish a TCP tunnel to the remote host through the proxy server.
 * `host` - The hostname of the remote host to connect to.
 * `port` - The port of the remote host to connect to.
+* `proxy_authorization` - The `Proxy-Authorization` header value sent to the proxy server via `CONNECT` when the `scheme` is `https`.
 
 If an error occurs during the connection attempt, this method returns `nil` with a string describing the error. If the connection was successfully established, the method returns `1`.
 
@@ -221,7 +222,9 @@ In case of success, returns `1`. In case of errors, returns `nil, err`. In the c
 Configure an http proxy to be used with this client instance. The `opts` is a table that accepts the following fields:
 
 * `http_proxy` - an URI to a proxy server to be used with http requests
+* `http_proxy_authorization` - a default `Proxy-Authorization` header value to be used with `http_proxy`, e.g. `Basic ZGVtbzp0ZXN0`, which will be overriden if the `Proxy-Authorization` request header is present.
 * `https_proxy` - an URI to a proxy server to be used with https requests
+* `https_proxy_authorization` - as `http_proxy_authorization` but for use with `https_proxy`.
 * `no_proxy` - a comma separated list of hosts that should not be proxied.
 
 Note that proxy options are only applied when using the high-level `request_uri()` API.
diff --git a/lib/resty/http.lua b/lib/resty/http.lua
@@ -829,7 +829,16 @@ function _M.request_uri(self, uri, params)
     local c, err
 
     if proxy_uri then
-        c, err = self:connect_proxy(proxy_uri, scheme, host, port)
+        local proxy_authorization
+        if scheme == "https" then
+            if params.headers and params.headers["Proxy-Authorization"] then
+                proxy_authorization = params.headers["Proxy-Authorization"]
+            else
+                proxy_authorization = self.proxy_opts.https_proxy_authorization
+            end
+        end
+
+        c, err = self:connect_proxy(proxy_uri, scheme, host, port, proxy_authorization)
     else
         c, err = self:connect(host, port)
     end
@@ -854,9 +863,17 @@ function _M.request_uri(self, uri, params)
             else
                 params.path = scheme .. "://" .. host .. ":" .. port .. path
             end
-        end
 
-        if scheme == "https" then
+            if self.proxy_opts.http_proxy_authorization then
+                if not params.headers then
+                    params.headers = {}
+                end
+
+                if not params.headers["Proxy-Authorization"] then
+                    params.headers["Proxy-Authorization"] = self.proxy_opts.http_proxy_authorization
+                end
+            end
+        elseif scheme == "https" then
             -- don't keep this connection alive as the next request could target
             -- any host and re-using the proxy tunnel for that is not possible
             self.keepalive = false
@@ -1051,7 +1068,7 @@ function _M.get_proxy_uri(self, scheme, host)
 end
 
 
-function _M.connect_proxy(self, proxy_uri, scheme, host, port)
+function _M.connect_proxy(self, proxy_uri, scheme, host, port, proxy_authorization)
     -- Parse the provided proxy URI
     local parsed_proxy_uri, err = self:parse_uri(proxy_uri, false)
     if not parsed_proxy_uri then
@@ -1082,7 +1099,8 @@ function _M.connect_proxy(self, proxy_uri, scheme, host, port)
             method = "CONNECT",
             path = destination,
             headers = {
-                ["Host"] = destination
+                ["Host"] = destination,
+                ["Proxy-Authorization"] = proxy_authorization,
             }
         })
 
diff --git a/t/16-http-proxy.t b/t/16-http-proxy.t
@@ -26,6 +26,7 @@ no_long_string();
 run_tests();
 
 __DATA__
+
 === TEST 1: get_proxy_uri returns nil if proxy is not configured
 --- http_config eval: $::HttpConfig
 --- config
@@ -44,6 +45,8 @@ nil
 [error]
 [warn]
 
+
+
 === TEST 2: get_proxy_uri matches no_proxy hosts correctly
 --- http_config eval: $::HttpConfig
 --- config
@@ -111,6 +114,8 @@ scheme: http, host: notexample.com, no_proxy: example.com, proxy_uri: http://htt
 [error]
 [warn]
 
+
+
 === TEST 3: get_proxy_uri returns correct proxy URIs for http and https URIs
 --- http_config eval: $::HttpConfig
 --- config
@@ -157,6 +162,8 @@ scheme: https, host: example.com, http_proxy: http_proxy, https_proxy: nil, prox
 [error]
 [warn]
 
+
+
 === TEST 4: request_uri uses http_proxy correctly for non-standard destination ports
 --- http_config
     lua_package_path "$TEST_NGINX_PWD/lib/?.lua;;";
@@ -200,6 +207,8 @@ GET /lua
 [error]
 [warn]
 
+
+
 === TEST 5: request_uri uses http_proxy correctly for standard destination port
 --- http_config
     lua_package_path "$TEST_NGINX_PWD/lib/?.lua;;";
@@ -246,6 +255,8 @@ GET /lua
 [error]
 [warn]
 
+
+
 === TEST 6: request_uri makes a proper CONNECT request when proxying https resources
 --- http_config eval: $::HttpConfig
 --- config
@@ -295,3 +306,217 @@ GET /lua
 --- no_error_log
 [error]
 [warn]
+
+
+
+=== TEST 7: request_uri uses http_proxy_authorization option
+--- http_config
+    lua_package_path "$TEST_NGINX_PWD/lib/?.lua;;";
+    error_log logs/error.log debug;
+    resolver 8.8.8.8;
+    server {
+        listen *:8080;
+
+        location / {
+            content_by_lua_block {
+                ngx.print(ngx.var.http_proxy_authorization or "no-header")
+            }
+        }
+    }
+--- config
+    location /lua {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            httpc:set_proxy_options({
+                http_proxy = "http://127.0.0.1:8080",
+                http_proxy_authorization = "Basic ZGVtbzp0ZXN0",
+                https_proxy = "http://127.0.0.1:8080",
+                https_proxy_authorization = "Basic ZGVtbzpwYXNz"
+            })
+
+            -- request should go to the proxy server
+            local res, err = httpc:request_uri("http://127.0.0.1/")
+            if not res then
+                ngx.log(ngx.ERR, err)
+                return
+            end
+
+            -- the proxy echoed the proxy authorization header
+            -- to the test harness
+            ngx.status = res.status
+            ngx.say(res.body)
+        }
+    }
+--- request
+GET /lua
+--- response_body
+Basic ZGVtbzp0ZXN0
+--- no_error_log
+[error]
+[warn]
+
+
+
+=== TEST 8: request_uri uses https_proxy_authorization option
+--- http_config eval: $::HttpConfig
+--- config
+    location /lua {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            httpc:set_proxy_options({
+                http_proxy = "http://127.0.0.1:12345",
+                http_proxy_authorization = "Basic ZGVtbzp0ZXN0",
+                https_proxy = "http://127.0.0.1:12345",
+                https_proxy_authorization = "Basic ZGVtbzpwYXNz"
+            })
+
+            -- Slight Hack: temporarily change the module global user agent to make it
+            -- predictable for this test case
+            local ua = http._USER_AGENT
+            http._USER_AGENT = "test_ua"
+            local res, err = httpc:request_uri("https://127.0.0.1/target?a=1&b=2")
+            http._USER_AGENT = ua
+
+            if not err then
+                -- The proxy request should fail as the TCP server listening returns
+                -- 403 response. We cannot really test the success case here as that
+                -- would require an actual reverse proxy to be implemented through
+                -- the limited functionality we have available in the raw TCP sockets
+                ngx.log(ngx.ERR, "unexpected success")
+                return
+            end
+
+            ngx.status = 403
+            ngx.say(err)
+        }
+    }
+--- tcp_listen: 12345
+--- tcp_query eval
+qr/CONNECT 127.0.0.1:443 HTTP\/1.1\r\n.*Proxy-Authorization: Basic ZGVtbzpwYXNz\r\n.*Host: 127.0.0.1:443\r\n.*/s
+
+# The reply cannot be successful or otherwise the client would start
+# to do a TLS handshake with the proxied host and that we cannot
+# do with these sockets
+--- tcp_reply
+HTTP/1.1 403 Forbidden
+Connection: close
+
+--- request
+GET /lua
+--- error_code: 403
+--- no_error_log
+[error]
+[warn]
+
+
+
+=== TEST 9: request_uri does not use http_proxy_authorization option when overridden
+--- http_config
+    lua_package_path "$TEST_NGINX_PWD/lib/?.lua;;";
+    error_log logs/error.log debug;
+    resolver 8.8.8.8;
+    server {
+        listen *:8080;
+
+        location / {
+            content_by_lua_block {
+                ngx.print(ngx.var.http_proxy_authorization or "no-header")
+            }
+        }
+    }
+--- config
+    location /lua {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            httpc:set_proxy_options({
+                http_proxy = "http://127.0.0.1:8080",
+                http_proxy_authorization = "Basic ZGVtbzp0ZXN0",
+                https_proxy = "http://127.0.0.1:8080",
+                https_proxy_authorization = "Basic ZGVtbzpwYXNz"
+            })
+
+            -- request should go to the proxy server
+            local res, err = httpc:request_uri("http://127.0.0.1/", {
+                headers = {
+                    ["Proxy-Authorization"] = "Basic ZGVtbzp3b3Jk"
+                }
+            })
+            if not res then
+                ngx.log(ngx.ERR, err)
+                return
+            end
+
+            -- the proxy echoed the proxy authorization header
+            -- to the test harness
+            ngx.status = res.status
+            ngx.say(res.body)
+        }
+    }
+--- request
+GET /lua
+--- response_body
+Basic ZGVtbzp3b3Jk
+--- no_error_log
+[error]
+[warn]
+
+
+
+=== TEST 10: request_uri does not use https_proxy_authorization option when overridden
+--- http_config eval: $::HttpConfig
+--- config
+    location /lua {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            httpc:set_proxy_options({
+                http_proxy = "http://127.0.0.1:12345",
+                http_proxy_authorization = "Basic ZGVtbzp0ZXN0",
+                https_proxy = "http://127.0.0.1:12345",
+                https_proxy_authorization = "Basic ZGVtbzpwYXNz"
+            })
+
+            -- Slight Hack: temporarily change the module global user agent to make it
+            -- predictable for this test case
+            local ua = http._USER_AGENT
+            http._USER_AGENT = "test_ua"
+            local res, err = httpc:request_uri("https://127.0.0.1/target?a=1&b=2", {
+                headers = {
+                    ["Proxy-Authorization"] = "Basic ZGVtbzp3b3Jk"
+                }
+            })
+            http._USER_AGENT = ua
+
+            if not err then
+                -- The proxy request should fail as the TCP server listening returns
+                -- 403 response. We cannot really test the success case here as that
+                -- would require an actual reverse proxy to be implemented through
+                -- the limited functionality we have available in the raw TCP sockets
+                ngx.log(ngx.ERR, "unexpected success")
+                return
+            end
+
+            ngx.status = 403
+            ngx.say(err)
+        }
+    }
+--- tcp_listen: 12345
+--- tcp_query eval
+qr/CONNECT 127.0.0.1:443 HTTP\/1.1\r\n.*Proxy-Authorization: Basic ZGVtbzp3b3Jk\r\n.*Host: 127.0.0.1:443\r\n.*/s
+
+# The reply cannot be successful or otherwise the client would start
+# to do a TLS handshake with the proxied host and that we cannot
+# do with these sockets
+--- tcp_reply
+HTTP/1.1 403 Forbidden
+Connection: close
+
+--- request
+GET /lua
+--- error_code: 403
+--- no_error_log
+[error]
+[warn]
