Implement AnyAuth Proxy Authentication support #3486

Merged 1 commit on Aug 3, 2022

PeterSchafer (Collaborator) commented Jul 25, 2022

What does this PR do?

It introduces support for AnyAuth Proxy Authentication, which makes it possible to automatically detect whether a proxy requires authentication and to determine whether both sides support the same mechanisms. Currently the client only supports Negotiate and will require the proxy server to also support it. Depending on the platform, Kerberos and, on Windows, additionally NTLM authentication via Negotiate are supported.

  • The command line argument --proxy-negotiate is dropped; instead, AnyAuth is enabled by default.
  • A new command line argument, --proxy-noauth, is introduced, which disables any proxy authentication.
  • In addition, multiple tests are added.

Where should the reviewer start?

cliv2/internal/httpauth/proxy_authenticator.go

How to test manually?

  • Launch a local proxy using docker
    PROXY_HOSTNAME=kerberos.snyk.local SCRIPTS_PATH='<PATH_TO_REPO>cliv2/internal/httpauth/test/fixtures/squid_environment/scripts' CONTAINER_NAME=spnego_test HTTP_PROXY_PORT=3128 docker-compose --file <PATH_TO_REPO>cliv2/internal/httpauth/test/fixtures/squid_environment/docker-compose.yml up --build

  • Launch the cli like this
    snyk --proxy=http://localhost:3128 -d woof

PeterSchafer requested a review from a team as a code owner July 25, 2022 14:28
PeterSchafer marked this pull request as draft July 25, 2022 14:28
PeterSchafer changed the title from "test: add first tests for ProxyAuthenticator" to "chore: Implement AnyAuth Proxy Authentication support" Aug 1, 2022
PeterSchafer marked this pull request as ready for review August 1, 2022 12:39
PeterSchafer requested a review from a team as a code owner August 1, 2022 12:39
PeterSchafer changed the title from "chore: Implement AnyAuth Proxy Authentication support" to "Implement AnyAuth Proxy Authentication support" Aug 2, 2022
* includes refactorings for improved testability

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: add go get to download gomock

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: check in generated mock

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: added additional test cases

refactored common test code

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: add simple minimal test for GetToken()

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: added comment

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: improve proxy tests

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: introduce case insensitive mechanisms and …

… support for AnyAuth, which selects out of multiple mechanisms proposed by the proxy

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: updating cache file which expired …

… will look into a more permanent solution later

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: minor improvements

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: fix and add tests

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: adapt/fix test

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: adapt to handle tcp reconnect on anyauth

Any initial connection without authorization values will be closed by the proxy and a new connection has to be established

* some minor refactorings and logging improvements

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: improve docker checks in acceptance tests

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: add ntlm and basic fake auth to proxy config

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: simplify proxy test

* includes renaming of IsSupportMechanism()

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: move mock server out of specific test …

… for better re-use

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: move some things into httpauth to enable …

… creating a module from it

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: use docker based proxy if possible …

… to avoid expired checked in files

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: fix and improve test

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: increase timeout and add log message

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: attempt to make test run in CI

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: attempt to make test run in CI

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: attempt to make test run in CI

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: attempt to make test run in CI

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: apply prettier

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

test: added unit test for AuthenticationHandler

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

chore: run go mod tidy

Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
Signed-off-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
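
An added example (not code from this PR or from the Snyk CLI) of the selection step that the PR description and the "case insensitive mechanisms" commit note describe: read the Proxy-Authenticate challenges on a 407, compare scheme names case-insensitively, and answer only with a mechanism the client supports. The names `supported`, `offeredMechanisms`, `selectMechanism` and `challenge` are hypothetical, the responses are constructed, and one challenge per header line is assumed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// supported lists, in preference order, what this hypothetical client can do.
// The PR description says only Negotiate is supported, so that is all we list.
var supported = []string{"negotiate"}

// offeredMechanisms returns the lower-cased auth scheme of each
// Proxy-Authenticate challenge on a 407 response (assumption: one challenge
// per header line). Scheme names are case-insensitive, hence ToLower.
func offeredMechanisms(resp *http.Response) map[string]bool {
	offered := map[string]bool{}
	if resp.StatusCode != http.StatusProxyAuthRequired {
		return offered
	}
	for _, c := range resp.Header.Values("Proxy-Authenticate") {
		if fields := strings.Fields(c); len(fields) > 0 {
			offered[strings.ToLower(fields[0])] = true
		}
	}
	return offered
}

// selectMechanism picks the first supported mechanism the proxy offered.
// noAuth models --proxy-noauth: a challenge is never answered.
func selectMechanism(resp *http.Response, noAuth bool) (string, bool) {
	offered := offeredMechanisms(resp)
	for _, want := range supported {
		if !noAuth && offered[want] {
			return want, true
		}
	}
	return "", false
}

// challenge builds a constructed response carrying the given challenges.
func challenge(status int, values ...string) *http.Response {
	return &http.Response{StatusCode: status, Header: http.Header{"Proxy-Authenticate": values}}
}

func main() {
	resp := challenge(407, "NTLM", `Basic realm="constructed"`, "NEGOTIATE")
	fmt.Println(selectMechanism(resp, false)) // negotiate true
}
```

Because Basic and NTLM are not in `supported`, a proxy that offers only those schemes gets no credentials from this example client.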