Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.hc.client5.http.impl;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.hc.core5.annotation.Contract;
import org.apache.hc.core5.annotation.Internal;
import org.apache.hc.core5.annotation.ThreadingBehavior;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.ProtocolException;
import org.apache.hc.core5.http.message.MessageSupport;
import org.apache.hc.core5.net.PercentCodec;
import org.apache.hc.core5.util.Args;

/**
* Codec for the HTTP {@code ALPN} header field (RFC 7639).
*
* @since 5.7
*/
@Contract(threading = ThreadingBehavior.IMMUTABLE)
@Internal
public final class AlpnHeaderSupport {

private AlpnHeaderSupport() {
}

/**
* Formats a list of raw ALPN protocol IDs into a single {@code ALPN} header.
*/
public static Header formatValue(final List<String> protocolIds) {
Args.notEmpty(protocolIds, "protocolIds");
return MessageSupport.headerOfTokens(HttpHeaders.ALPN, protocolIds, AlpnHeaderSupport::encodeId);
}

/**
* Parses an {@code ALPN} header into decoded protocol IDs.
*
* @throws ProtocolException if a token is not a well-formed percent-encoded protocol ID.
*/
public static List<String> parseValue(final Header header) throws ProtocolException {
final List<String> tokens = new ArrayList<>();
MessageSupport.parseTokens(header, tokens::add);
final List<String> out = new ArrayList<>(tokens.size());
for (final String token : tokens) {
out.add(decodeId(token));
}
return out;
}

/**
* Encodes a single raw protocol ID to canonical token form using the HTTP token codec
* from core, which keeps RFC 7230 {@code tchar} octets literal and percent-encodes the
* rest (including {@code '%'}) with uppercase hexadecimal.
*/
public static String encodeId(final String id) {
Args.notBlank(id, "id");
return PercentCodec.HTTP_TOKEN.encode(id);
}

/**
* Decodes a percent-encoded token to a raw protocol ID using UTF-8.
* <p>
* A {@code '%'} that is not followed by two hexadecimal digits is a malformed
* token and is rejected as a protocol error.
*
* @throws ProtocolException if the token contains malformed percent-encoding.
*/
public static String decodeId(final String token) throws ProtocolException {
Args.notBlank(token, "token");
for (int i = 0; i < token.length(); i++) {
if (token.charAt(i) == '%') {
if (i + 2 >= token.length()
|| Character.digit(token.charAt(i + 1), 16) < 0
|| Character.digit(token.charAt(i + 2), 16) < 0) {
throw new ProtocolException("Malformed percent-encoding in ALPN protocol id: " + token);
}
i += 2;
}
}
return PercentCodec.decode(token, StandardCharsets.UTF_8);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import java.io.IOException;
import java.io.InterruptedIOException;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

Expand All @@ -47,6 +48,8 @@
import org.apache.hc.client5.http.auth.ChallengeType;
import org.apache.hc.client5.http.auth.MalformedChallengeException;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.config.TlsConfig;
import org.apache.hc.client5.http.impl.AlpnHeaderSupport;
import org.apache.hc.client5.http.impl.auth.AuthCacheKeeper;
import org.apache.hc.client5.http.impl.auth.AuthenticationHandler;
import org.apache.hc.client5.http.impl.routing.BasicRouteDirector;
Expand All @@ -55,6 +58,7 @@
import org.apache.hc.core5.annotation.Contract;
import org.apache.hc.core5.annotation.Internal;
import org.apache.hc.core5.annotation.ThreadingBehavior;
import org.apache.hc.core5.function.Resolver;
import org.apache.hc.core5.concurrent.CancellableDependency;
import org.apache.hc.core5.concurrent.FutureCallback;
import org.apache.hc.core5.http.EntityDetails;
Expand All @@ -76,6 +80,8 @@
import org.apache.hc.core5.http.nio.RequestChannel;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.http.protocol.HttpProcessor;
import org.apache.hc.core5.http2.HttpVersionPolicy;
import org.apache.hc.core5.http2.ssl.H2TlsSupport;
import org.apache.hc.core5.util.Args;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -99,18 +105,31 @@ public final class AsyncConnectExec implements AsyncExecChainHandler {
private final AuthCacheKeeper authCacheKeeper;
private final HttpRouteDirector routeDirector;

private final Resolver<HttpHost, TlsConfig> tlsConfigResolver;


public AsyncConnectExec(
final HttpProcessor proxyHttpProcessor,
final AuthenticationStrategy proxyAuthStrategy,
final SchemePortResolver schemePortResolver,
final boolean authCachingDisabled) {
this(proxyHttpProcessor, proxyAuthStrategy, schemePortResolver, authCachingDisabled, null);
}

public AsyncConnectExec(
final HttpProcessor proxyHttpProcessor,
final AuthenticationStrategy proxyAuthStrategy,
final SchemePortResolver schemePortResolver,
final boolean authCachingDisabled,
final Resolver<HttpHost, TlsConfig> tlsConfigResolver) {
Args.notNull(proxyHttpProcessor, "Proxy HTTP processor");
Args.notNull(proxyAuthStrategy, "Proxy authentication strategy");
this.proxyHttpProcessor = proxyHttpProcessor;
this.proxyAuthStrategy = proxyAuthStrategy;
this.authenticator = new AuthenticationHandler();
this.authCacheKeeper = authCachingDisabled ? null : new AuthCacheKeeper(schemePortResolver);
this.routeDirector = BasicRouteDirector.INSTANCE;
this.tlsConfigResolver = tlsConfigResolver;
}

static class State {
Expand Down Expand Up @@ -275,7 +294,7 @@ public void cancelled() {
if (LOG.isDebugEnabled()) {
LOG.debug("{} create tunnel", exchangeId);
}
createTunnel(state, proxy, target, scope, new AsyncExecCallback() {
createTunnel(state, proxy, target, route, scope, new AsyncExecCallback() {

@Override
public AsyncDataConsumer handleResponse(final HttpResponse response, final EntityDetails entityDetails) throws HttpException, IOException {
Expand Down Expand Up @@ -380,6 +399,7 @@ private void createTunnel(
final State state,
final HttpHost proxy,
final HttpHost nextHop,
final HttpRoute route,
final AsyncExecChain.Scope scope,
final AsyncExecCallback asyncExecCallback) {

Expand Down Expand Up @@ -426,6 +446,19 @@ public void produceRequest(final RequestChannel requestChannel,
final HttpRequest connect = new BasicHttpRequest(Method.CONNECT, nextHop, nextHop.toHostString());
connect.setVersion(HttpVersion.HTTP_1_1);

// RFC 7639: advertise the same ALPN protocols the tunnel's TLS layer will offer,
// derived from the target's HttpVersionPolicy so the header cannot diverge from the
// protocol actually negotiated inside the tunnel.
if (route.isSecure()) {
final TlsConfig tlsConfig = tlsConfigResolver != null
? tlsConfigResolver.resolve(route.getTargetHost())
: null;
final HttpVersionPolicy versionPolicy = tlsConfig != null
? tlsConfig.getHttpVersionPolicy()
: HttpVersionPolicy.NEGOTIATE;
connect.setHeader(AlpnHeaderSupport.formatValue(
Arrays.asList(H2TlsSupport.selectApplicationProtocols(versionPolicy))));
}
proxyHttpProcessor.process(connect, null, clientContext);
authenticator.addAuthResponse(proxy, ChallengeType.PROXY, connect, proxyAuthExchange, clientContext);

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@
import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory;
import org.apache.hc.client5.http.impl.auth.ScramSchemeFactory;
import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
import org.apache.hc.client5.http.impl.routing.DefaultProxyRoutePlanner;
import org.apache.hc.client5.http.impl.routing.SystemDefaultRoutePlanner;
Expand Down Expand Up @@ -936,6 +937,7 @@ public final HttpAsyncClientBuilder disableRequestPriority() {
return this;
}


/**
* Registers a global {@link org.apache.hc.client5.http.EarlyHintsListener}
* that will be notified when the client receives {@code 103 Early Hints}
Expand Down Expand Up @@ -1086,7 +1088,10 @@ public CloseableHttpAsyncClient build() {
new DefaultHttpProcessor(new RequestTargetHost(), new RequestUserAgent(userAgentCopy)),
proxyAuthStrategyCopy,
schemePortResolver != null ? schemePortResolver : DefaultSchemePortResolver.INSTANCE,
authCachingDisabled),
authCachingDisabled,
connManagerCopy instanceof PoolingAsyncClientConnectionManager
? ((PoolingAsyncClientConnectionManager) connManagerCopy).getTlsConfigResolver()
: null),
ChainElement.CONNECT.name());

if (earlyHintsListener != null) {
Expand Down
Loading
Loading