Support Preemptive Authentication with RestClient

[pickypg]

This adds the necessary AuthCache needed to support preemptive authentication. By adding every host to the cache, the automatically added RequestAuthCache interceptor will add credentials on the first pass rather than waiting to do it after each anonymous request is rejected (thus always sending everything twice when basic auth is required).

It's easy to test with/without this using a nodejs proxy. package.json:

{
  "name": "proxy-listener",
  "version": "1.0.0",
  "description": "Proxy Listener will print METHOD URL [AUTHORIZATION CONTENT-LENGTH]",
  "main": "proxy.js",
  "dependencies": {
    "http": "^0.0.0",
    "http-proxy": "^1.15.2"
  },
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

Using npm, install necessary dependencies

npm install

Then run the proxy to intercept comms:

node proxy.js

proxy.js:

var http = require('http'),
    httpProxy = require('http-proxy');
    
// Create a new instance of HttProxy to use in your server 
var proxy = httpProxy.createProxyServer({});
 
// Create a regular http server and proxy its handler 
http.createServer(function (req, res) {
  console.log(req.method + ' ' + req.url + ' [' + req.headers['authorization'] + ', ' + req.headers['content-length'] + ']');

  proxy.web(req, res, { target: 'http://localhost:9250' });
}).listen(9550);

console.log('Listening at 9550');

/cc @javanna

[pickypg]

This should probably be volatile and work in the same way as hosts. Built, then set.

I wanted to avoid adding an unnecessary volatile variable; BasicAuthCache is thread safe, but clearing it technically means that an async request could be sent that then does not use preemptive authorization while the new hosts are being set.

[jaymode]

volatile reads are cheap on x86; IIRC mapping to a no-op. I'd prefer volatile; but there is still the issue that there will be a small amount of time when hosts and the auth cache are not in sync (between setting both).

[jaymode]

I do not think we should hardcode the scheme. This makes the assumption that every host uses preemptive basic auth if basic auth credentials are provided. Some requests may not need preemptive authentication. For example, requests could be made with anonymous access, while others from the same client may require authentication. In that scenario you don't want/need preemptive auth but we are forcing it.

I think this should be opt-in like the default behavior of HttpClient. We can do this by providing the ability to specify a callback in the builder that when given a HttpHost it will provide the appropriate scheme.

[pickypg]

I checked with the other HTTP-based ES clients, and they all do it this way. So I think it's best if we match their behavior.

For anyone that does want to opt-out, it's very simple to do with the existing client builder by invoking:

httpClientBuilder.disableAuthCaching(); 

The better approach for users that expect the current behavior is to only supply credentials when they want to use them. This will give the general user the more common approach of using credentials when they're supplied rather than doubling the number of requests for the average auth-based user.

[pickypg]

but there is still the issue that there will be a small amount of time when hosts and the auth cache are not in sync (between setting both).

I'll make them a volatile Tuple that get updated together. That way there's no opportunity for a dirty read.

[jaymode]

volatile reads are cheap on x86; IIRC mapping to a no-op. I'd prefer volatile; but there is still the issue that there will be a small amount of time when hosts and the auth cache are not in sync (between setting both).

[jaymode]

I do not think we should hardcode the scheme. This makes the assumption that every host uses preemptive basic auth if basic auth credentials are provided. Some requests may not need preemptive authentication. For example, requests could be made with anonymous access, while others from the same client may require authentication. In that scenario you don't want/need preemptive auth but we are forcing it.

I think this should be opt-in like the default behavior of HttpClient. We can do this by providing the ability to specify a callback in the builder that when given a HttpHost it will provide the appropriate scheme.

[pickypg]

@nik9000 I've updated as I mentioned before. @jaymode FYI, I've changed it to be volatile-friendly now.

[pickypg]

please test this

[jaymode]

Hmm, I think this might not be desired behavior. On every sniff the auth cache is invalidated completely. I think it would be better to add the hosts to the set. Then we should do a set difference to find the hosts that have been added and a set difference to find the hosts that have been removed. The added hosts get a new entry in the authcache and the removed ones get removed from the cache

[pickypg]

If we update the AuthCache rather than replace it, then it will potentially impact an ongoing request. I checked out the BasicAuthCache and BasicScheme code and it looks pretty lightweight?

[jaymode]

You're right. We do not need to do this

[pickypg]

5.3: bc5d37b