feat: Add support for authenticated URL access (closes #1009)

Author: rsenden

fcli-core/fcli-app/src/main/resources/com/fortify/cli/app/i18n/FortifyCLIMessages.properties

@@ -31,17 +31,17 @@ log-mask = Log mask level: ${COMPLETION-CANDIDATES}. Default: ${DEFAULT-VALUE}.
 debug = Enable collection of debug logs.
 
 fcli.action.nameOrLocation = The action to load; either simple name or local or remote action \
-  YAML file location.
+  YAML file location. Supports authenticated HTTP(S) URLs.
 fcli.action.asciidoc.manpage-dir = Optional directory to write output. If directory contains fcli \
   manual pages, any (full) fcli commands in the generated documentation will link to the corresponding \
   fcli manual page.
 
 fcli.action.run.action-parameter = Action parameter(s); see 'help' command output to \
   list supported parameters.
 fcli.action.import.zip = Zip-file containing actions to be imported; may be specified as a path to \
-  a local zip-file or a URL. Action names will be based on filenames contained in the zip-file.
+  a local zip-file or a URL. Supports authenticated HTTP(S) URLs. Action names will be based on filenames contained in the zip-file.
 fcli.action.import.file = Single action YAML file to be imported; may be specified as a path to a \
-  local file or a URL. Action name will be based on the given filename.
+  local file or a URL. Supports authenticated HTTP(S) URLs. Action name will be based on the given filename.
 fcli.action.sign.in = Action YAML file to sign.
 fcli.action.sign.out = Signed action output file.
 fcli.action.sign.with = PEM file containing the private key used for signing. The private key must \
@@ -58,7 +58,7 @@ fcli.action.sign.pubout = Optional public key output file. Use this to extract t
   from the private key for distribution. 
 fcli.action.resolver.from-zip = Optional local or remote zip-file from which to load the action if \
   the action is specified as a simple name. For commands that take an action as input (like get, help \
-  or run), this option will be ignored if action is specified as local or remote action YAML file location.
+  or run), this option will be ignored if action is specified as local or remote action YAML file location. Supports authenticated HTTP(S) URLs.
 fcli.action.resolver.pubkey = Optional public key to use for verifying action signature. Can \
   be specified as one of: \
   %n   file:<local file>%n   url:<url>%n   string:<string value>%n   env:<env-var name>\
@@ -70,7 +70,7 @@ fcli.action.resolver.pubkey = Optional public key to use for verifying action si
   example. Note that the given public key will be ignored if its fingerprint doesn't match \
   the public key fingerprint stored in the action signature. If no (matching) public key is \
   provided, action signature will be verified against public keys previously imported through \
-  the 'fcli config public-key import' command.
+  the 'fcli config public-key import' command. Supports authenticated HTTP(S) URLs.
 fcli.action.on-invalid-signature = Action to take if action signature is invalid. Allowed values: ${COMPLETION-CANDIDATES}. Default value: ${DEFAULT-VALUE}.
 fcli.action.on-unsigned = Action to take if action isn't signed. Allowed values: ${COMPLETION-CANDIDATES}. Default value: ${DEFAULT-VALUE}.
 fcli.action.on-no-public-key = Action to take if no matching public key was found. Allowed values: ${COMPLETION-CANDIDATES}. Default value: ${DEFAULT-VALUE}.

fcli-core/fcli-common-action/src/main/java/com/fortify/cli/common/action/cli/mixin/ActionResolverMixin.java

@@ -17,6 +17,9 @@
 import com.fortify.cli.common.action.helper.ActionLoaderHelper.ActionValidationHandler;
 import com.fortify.cli.common.action.model.Action;
 import com.fortify.cli.common.cli.mixin.CommonOptionMixins.AbstractTextResolverMixin;
+import com.fortify.cli.common.log.LogSensitivityLevel;
+import com.fortify.cli.common.log.MaskValue;
+import com.fortify.cli.common.rest.unirest.RemoteUrlAuthHelper;
 
 import lombok.Getter;
 import picocli.CommandLine.Mixin;
@@ -47,14 +50,17 @@ public String loadActionContents(String type, ActionValidationHandler actionVali
     }
 
     public static class RequiredParameter extends AbstractActionResolverMixin {
+        @MaskValue(sensitivity = LogSensitivityLevel.high, description = "REMOTE URL AUTH VALUE", pattern = RemoteUrlAuthHelper.URL_USERINFO_AUTH_VALUE_MASK_PATTERN)
         @Getter @Parameters(arity="1", descriptionKey="fcli.action.nameOrLocation") private String action;
     }
 
     public static class OptionalParameter extends AbstractActionResolverMixin {
+        @MaskValue(sensitivity = LogSensitivityLevel.high, description = "REMOTE URL AUTH VALUE", pattern = RemoteUrlAuthHelper.URL_USERINFO_AUTH_VALUE_MASK_PATTERN)
         @Getter @Parameters(arity="0..1", descriptionKey="fcli.action.nameOrLocation") private String action;
     }
 
     private static class PublicKeyResolverMixin extends AbstractTextResolverMixin {
+        @MaskValue(sensitivity = LogSensitivityLevel.high, description = "REMOTE URL AUTH VALUE", pattern = RemoteUrlAuthHelper.URL_USERINFO_AUTH_VALUE_MASK_PATTERN)
         @Getter @Option(names={"--pubkey"}, required = false, descriptionKey = "fcli.action.resolver.pubkey", paramLabel = "source") private String textSource;
     }
 }

fcli-core/fcli-common-action/src/main/java/com/fortify/cli/common/action/cli/mixin/ActionSourceResolverMixin.java

@@ -17,6 +17,9 @@
 import org.apache.commons.lang3.StringUtils;
 
 import com.fortify.cli.common.action.helper.ActionLoaderHelper.ActionSource;
+import com.fortify.cli.common.log.LogSensitivityLevel;
+import com.fortify.cli.common.log.MaskValue;
+import com.fortify.cli.common.rest.unirest.RemoteUrlAuthHelper;
 
 import lombok.Getter;
 import picocli.CommandLine.Option;
@@ -34,6 +37,7 @@ public List<ActionSource> getActionSources(String type) {
     }
 
     public static class OptionalOption extends AbstractActionSourceResolverMixin {
+        @MaskValue(sensitivity = LogSensitivityLevel.high, description = "REMOTE URL AUTH VALUE", pattern = RemoteUrlAuthHelper.URL_USERINFO_AUTH_VALUE_MASK_PATTERN)
         @Option(names={"--from-zip", "-z"}, required = false, descriptionKey = "fcli.action.resolver.from-zip")
         @Getter private String source;
     }

fcli-core/fcli-common-action/src/main/java/com/fortify/cli/common/action/helper/ActionImportHelper.java

@@ -36,6 +36,7 @@
 import com.fortify.cli.common.action.model.Action.ActionMetadata;
 import com.fortify.cli.common.json.JsonHelper;
 import com.fortify.cli.common.output.transform.IActionCommandResultSupplier;
+import com.fortify.cli.common.rest.unirest.RemoteUrlAuthHelper;
 import com.fortify.cli.common.util.Break;
 import com.fortify.cli.common.util.ZipHelper;
 
@@ -67,7 +68,7 @@ public static ArrayNode importZip(String type, String zip, ActionValidationHandl
     @SneakyThrows
     private static final InputStream createZipFileInputStream(String zip) {
         try {
-            return new URL(zip).openStream();
+            return RemoteUrlAuthHelper.openStream(zip);
         } catch ( MalformedURLException e ) {
             return Files.newInputStream(Path.of(zip));
         }

fcli-core/fcli-common-action/src/main/java/com/fortify/cli/common/action/helper/ActionLoaderHelper.java

@@ -15,7 +15,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
-import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -55,6 +54,7 @@
 import com.fortify.cli.common.crypto.helper.impl.SignedTextReader;
 import com.fortify.cli.common.exception.FcliBugException;
 import com.fortify.cli.common.exception.FcliSimpleException;
+import com.fortify.cli.common.rest.unirest.RemoteUrlAuthHelper;
 import com.fortify.cli.common.spel.wrapper.TemplateExpressionKeyDeserializer;
 import com.fortify.cli.common.util.Break;
 import com.fortify.cli.common.util.FcliBuildProperties;
@@ -431,7 +431,7 @@ private static final String commonActionsResourceZip() {
     @SneakyThrows
     private static final InputStream createSourceInputStream(String source, boolean failOnError) {
         try {
-            return new URL(source).openStream();
+            return RemoteUrlAuthHelper.openStream(source);
         } catch (MalformedURLException mue ) {
             try {
                 return Files.newInputStream(Path.of(source));

fcli-core/fcli-common-core/src/main/java/com/fortify/cli/common/cli/mixin/CommonOptionMixins.java

@@ -13,7 +13,6 @@
 package com.fortify.cli.common.cli.mixin;
 
 import java.io.File;
-import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -28,6 +27,7 @@
 import com.fortify.cli.common.log.LogMaskHelper;
 import com.fortify.cli.common.log.LogMaskSource;
 import com.fortify.cli.common.log.MaskValue;
+import com.fortify.cli.common.rest.unirest.RemoteUrlAuthHelper;
 import com.fortify.cli.common.util.EnvHelper;
 
 import lombok.Getter;
@@ -149,7 +149,9 @@ private static final String resolveFile(String file) {
 
             @SneakyThrows
             private static final String resolveUrl(String url) {
-                return IOUtils.toString(new URL(url), StandardCharsets.US_ASCII);
+                try ( var is = RemoteUrlAuthHelper.openStream(url) ) {
+                    return IOUtils.toString(is, StandardCharsets.US_ASCII);
+                }
             }
 
             private static final String resolveString(String string) {

fcli-core/fcli-common-core/src/main/java/com/fortify/cli/common/cli/util/FcliExecutionStrategy.java

@@ -161,6 +161,13 @@ private static void registerLogMasks(CommandSpec commandSpec) {
                     .ifPresent(field->registerLogMask(field, value));
             }
         }
+        for ( var positionalParameter : commandSpec.positionalParameters() ) {
+            var value = positionalParameter.getValue();
+            if ( value!=null ) {
+                JavaHelper.as(positionalParameter.userObject(), Field.class)
+                    .ifPresent(field->registerLogMask(field, value));
+            }
+        }
     }
 
     private static void registerLogMask(Field field, Object value) {

fcli-core/fcli-common-core/src/main/java/com/fortify/cli/common/rest/unirest/RemoteUrlAuthHelper.java

@@ -0,0 +1,184 @@
+/*
+ * Copyright 2021-2026 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ */
+package com.fortify.cli.common.rest.unirest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.fortify.cli.common.log.LogMaskHelper;
+import com.fortify.cli.common.log.LogMaskSource;
+import com.fortify.cli.common.log.LogSensitivityLevel;
+
+public final class RemoteUrlAuthHelper {
+    private static final Logger LOG = LoggerFactory.getLogger(RemoteUrlAuthHelper.class);
+    /**
+     * Pattern for masking URL userinfo auth values through {@link com.fortify.cli.common.log.MaskValue}.
+     * Captures password for basic auth URLs and token/header value payload for bearer/header(s) formats.
+     */
+    public static final String URL_USERINFO_AUTH_VALUE_MASK_PATTERN = "https?://(?:[^:@/]+:|bearer:|headers?:)([^@]*)@.*";
+
+    private static final String PREFIX_BEARER = "bearer:";
+    private static final String PREFIX_HEADER = "header:";
+    private static final String PREFIX_HEADERS = "headers:";
+
+    private RemoteUrlAuthHelper() {}
+
+    public static ParsedRemoteUrl parse(String source) throws MalformedURLException {
+        var url = new URL(source);
+        var protocol = url.getProtocol();
+        if ( !"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol) ) {
+            return new ParsedRemoteUrl(source, Collections.emptyMap());
+        }
+
+        try {
+            var uri = url.toURI();
+            var headers = parseHeaders(uri.getRawUserInfo());
+            return new ParsedRemoteUrl(removeUserInfo(uri), headers);
+        } catch ( URISyntaxException | IllegalArgumentException e ) {
+            var mue = new MalformedURLException("Invalid URL: "+source);
+            mue.initCause(e);
+            throw mue;
+        }
+    }
+
+    public static InputStream openStream(String source) throws IOException {
+        var parsed = parse(source);
+        var url = new URL(parsed.getRequestUrl());
+        if ( parsed.getHeaders().isEmpty() || !isHttpProtocol(url.getProtocol()) ) {
+            return url.openStream();
+        }
+
+        LOG.debug("Opening URL: {}", parsed.getRequestUrl());
+        LogMaskHelper.INSTANCE.registerValue(LogSensitivityLevel.high, LogMaskSource.HTTP_AUTH_HEADER, "REQUEST HEADER", parsed.getHeaders().values(), "");
+        LOG.debug("Request headers: {}", parsed.getHeaders());
+
+        var connection = (HttpURLConnection)url.openConnection();
+        parsed.getHeaders().forEach(connection::setRequestProperty);
+        LOG.debug("Response status: {} {}", connection.getResponseCode(), connection.getResponseMessage());
+        return connection.getInputStream();
+    }
+
+    private static boolean isHttpProtocol(String protocol) {
+        return "http".equalsIgnoreCase(protocol) || "https".equalsIgnoreCase(protocol);
+    }
+
+    private static String removeUserInfo(URI uri) throws URISyntaxException {
+        var rawAuthority = uri.getRawAuthority();
+        if ( rawAuthority!=null ) {
+            var atSignIndex = rawAuthority.lastIndexOf('@');
+            if ( atSignIndex >= 0 ) {
+                rawAuthority = rawAuthority.substring(atSignIndex + 1);
+            }
+        }
+        return new URI(
+            uri.getScheme(),
+            rawAuthority,
+            uri.getRawPath(),
+            uri.getRawQuery(),
+            uri.getRawFragment()
+        ).toString();
+    }
+
+    private static Map<String, String> parseHeaders(String rawUserInfo) {
+        if ( StringUtils.isBlank(rawUserInfo) ) { return Collections.emptyMap(); }
+        if ( rawUserInfo.startsWith(PREFIX_BEARER) ) {
+            return Map.of("Authorization", "Bearer "+decode(rawUserInfo.substring(PREFIX_BEARER.length())));
+        }
+        if ( rawUserInfo.startsWith(PREFIX_HEADER) ) {
+            return parseHeaderAssignments(rawUserInfo.substring(PREFIX_HEADER.length()));
+        }
+        if ( rawUserInfo.startsWith(PREFIX_HEADERS) ) {
+            return parseHeaderAssignments(rawUserInfo.substring(PREFIX_HEADERS.length()));
+        }
+        return parseBasicAuth(rawUserInfo);
+    }
+
+    private static Map<String, String> parseBasicAuth(String rawUserInfo) {
+        var separatorIndex = rawUserInfo.indexOf(':');
+        String username;
+        String password;
+        if ( separatorIndex < 0 ) {
+            username = decode(rawUserInfo);
+            password = "";
+        } else {
+            username = decode(rawUserInfo.substring(0, separatorIndex));
+            password = decode(rawUserInfo.substring(separatorIndex + 1));
+        }
+        var value = Base64.getEncoder().encodeToString((username+":"+password).getBytes(StandardCharsets.UTF_8));
+        return Map.of("Authorization", "Basic "+value);
+    }
+
+    private static Map<String, String> parseHeaderAssignments(String assignments) {
+        if ( StringUtils.isBlank(assignments) ) {
+            throw new IllegalArgumentException("No headers specified in URL userinfo");
+        }
+        var result = new LinkedHashMap<String, String>();
+        for ( var assignment : assignments.split("&") ) {
+            if ( StringUtils.isBlank(assignment) ) { continue; }
+            var separatorIndex = assignment.indexOf('=');
+            if ( separatorIndex <= 0 ) {
+                throw new IllegalArgumentException("Invalid header assignment in URL userinfo: "+assignment);
+            }
+            var name = decode(assignment.substring(0, separatorIndex));
+            var value = decode(assignment.substring(separatorIndex + 1));
+            if ( StringUtils.isBlank(name) ) {
+                throw new IllegalArgumentException("Header name must not be blank in URL userinfo");
+            }
+            result.put(name, value);
+        }
+        if ( result.isEmpty() ) {
+            throw new IllegalArgumentException("No valid headers specified in URL userinfo");
+        }
+        return Collections.unmodifiableMap(result);
+    }
+
+    /**
+     * URLDecoder treats '+' as a space; preserve literal '+' characters in userinfo.
+     */
+    private static String decode(String value) {
+        return URLDecoder.decode(value.replace("+", "%2B"), StandardCharsets.UTF_8);
+    }
+
+    public static final class ParsedRemoteUrl {
+        private final String requestUrl;
+        private final Map<String, String> headers;
+
+        private ParsedRemoteUrl(String requestUrl, Map<String, String> headers) {
+            this.requestUrl = requestUrl;
+            this.headers = headers;
+        }
+
+        public String getRequestUrl() {
+            return requestUrl;
+        }
+
+        public Map<String, String> getHeaders() {
+            return headers;
+        }
+    }
+}

fcli-core/fcli-common-core/src/main/java/com/fortify/cli/common/rest/unirest/UnirestHelper.java

@@ -28,13 +28,24 @@
  */
 public class UnirestHelper {
     public static final File download(String fcliModule, String url, File dest) {
+        var parsedUrl = parseRemoteUrl(url);
         try (var unirest = createUnirestInstance()) {
-            ProxyHelper.configureProxy(unirest, fcliModule, url);
-            unirest.get(url).asFile(dest.getAbsolutePath(), StandardCopyOption.REPLACE_EXISTING).getBody();
+            ProxyHelper.configureProxy(unirest, fcliModule, parsedUrl.getRequestUrl());
+            var request = unirest.get(parsedUrl.getRequestUrl());
+            parsedUrl.getHeaders().forEach(request::headerReplace);
+            request.asFile(dest.getAbsolutePath(), StandardCopyOption.REPLACE_EXISTING).getBody();
             return dest;
         }
     }
 
+    private static RemoteUrlAuthHelper.ParsedRemoteUrl parseRemoteUrl(String url) {
+        try {
+            return RemoteUrlAuthHelper.parse(url);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Invalid URL: "+url, e);
+        }
+    }
+
     /**
      * Create a new Unirest instance, configured with the standard FCLI JSON object mapper.
      * Callers are responsible for closing the returned instance.