Merge pull request #431 from cuixq:md5

PiperOrigin-RevId: 727625584

Author: copybara-github

clients/datasource/http_auth.go

@@ -15,10 +15,13 @@
 package datasource
 
 import (
+	"bytes"
 	"context"
+	"crypto/md5"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/hex"
+	"fmt"
 	"net/http"
 	"slices"
 	"strings"
@@ -186,84 +189,82 @@ func (auth *HTTPAuthentication) addBearer(req *http.Request) bool {
 }
 
 func (auth *HTTPAuthentication) addDigest(req *http.Request, challenge string) bool {
-	// The original implementation of this function depends on crypto/md5, which
-	// is not allowed internally so comment out the implementation for now.
-	return false
 	// Mostly following the algorithm as outlined in https://en.wikipedia.org/wiki/Digest_access_authentication
 	// And also https://datatracker.ietf.org/doc/html/rfc2617
-	/*
-		if auth.Username == "" || auth.Password == "" {
-			return false
-		}
-		params := auth.parseChallenge(challenge)
-		realm, ok := params["realm"]
-		if !ok {
-			return false
-		}
-
-		nonce, ok := params["nonce"]
-		if !ok {
-			return false
-		}
-		var cnonce string
+	if auth.Username == "" || auth.Password == "" {
+		return false
+	}
+	params := auth.parseChallenge(challenge)
+	realm, ok := params["realm"]
+	if !ok {
+		return false
+	}
 
-		ha1 := md5.Sum([]byte(auth.Username + ":" + realm + ":" + auth.Password)) //nolint:gosec
-		switch params["algorithm"] {
-		case "MD5-sess":
-			cnonce = auth.cnonce()
-			if cnonce == "" {
-				return false
-			}
-			var b bytes.Buffer
-			fmt.Fprintf(&b, "%x:%s:%s", ha1, nonce, cnonce)
-			ha1 = md5.Sum(b.Bytes()) //nolint:gosec
-		case "MD5":
-		case "":
-		default:
+	nonce, ok := params["nonce"]
+	if !ok {
+		return false
+	}
+	var cnonce string
+	//nolint:gosec
+	ha1 := md5.Sum([]byte(auth.Username + ":" + realm + ":" + auth.Password))
+	switch params["algorithm"] {
+	case "MD5-sess":
+		cnonce = auth.cnonce()
+		if cnonce == "" {
 			return false
 		}
+		var b bytes.Buffer
+		fmt.Fprintf(&b, "%x:%s:%s", ha1, nonce, cnonce)
+		//nolint:gosec
+		ha1 = md5.Sum(b.Bytes())
+	case "MD5":
+	case "":
+	default:
+		return false
+	}
 
-		// Only support "auth" qop
-		if qop, ok := params["qop"]; ok && !slices.Contains(strings.Split(qop, ","), "auth") {
-			return false
-		}
+	// Only support "auth" qop
+	if qop, ok := params["qop"]; ok && !slices.Contains(strings.Split(qop, ","), "auth") {
+		return false
+	}
 
-		uri := req.URL.Path // is this sufficient?
+	uri := req.URL.Path
 
-		ha2 := md5.Sum([]byte(req.Method + ":" + uri)) //nolint:gosec
+	//nolint:gosec
+	ha2 := md5.Sum([]byte(req.Method + ":" + uri))
 
-		// hard-coding nonceCount to 1 since we don't make a request more than once
-		nonceCount := "00000001"
+	// hard-coding nonceCount to 1 since we don't make a request more than once
+	nonceCount := "00000001"
 
-		var b bytes.Buffer
-		if _, ok := params["qop"]; ok {
+	var b bytes.Buffer
+	if _, ok := params["qop"]; ok {
+		if cnonce == "" {
+			cnonce = auth.cnonce()
 			if cnonce == "" {
-				cnonce = auth.cnonce()
-				if cnonce == "" {
-					return false
-				}
+				return false
 			}
-			fmt.Fprintf(&b, "%x:%s:%s:%s:%s:%x", ha1, nonce, nonceCount, cnonce, "auth", ha2)
-		} else {
-			fmt.Fprintf(&b, "%x:%s:%x", ha1, nonce, ha2)
 		}
-		response := md5.Sum(b.Bytes()) //nolint:gosec
-
-		var sb strings.Builder
-		fmt.Fprintf(&sb, "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\"",
-			auth.Username, realm, nonce, uri)
-		if _, ok := params["qop"]; ok {
-			fmt.Fprintf(&sb, ", qop=auth, nc=%s, cnonce=\"%s\"", nonceCount, cnonce)
-		}
-		if alg, ok := params["algorithm"]; ok {
-			fmt.Fprintf(&sb, ", algorithm=%s", alg)
-		}
-		fmt.Fprintf(&sb, ", response=\"%x\", opaque=\"%s\"", response, params["opaque"])
+		fmt.Fprintf(&b, "%x:%s:%s:%s:%s:%x", ha1, nonce, nonceCount, cnonce, "auth", ha2)
+	} else {
+		fmt.Fprintf(&b, "%x:%s:%x", ha1, nonce, ha2)
+	}
+	//nolint:gosec
+	response := md5.Sum(b.Bytes())
+
+	var sb strings.Builder
+	fmt.Fprintf(&sb, "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\"",
+		auth.Username, realm, nonce, uri)
+	if _, ok := params["qop"]; ok {
+		fmt.Fprintf(&sb, ", qop=auth, nc=%s, cnonce=\"%s\"", nonceCount, cnonce)
+	}
+	if alg, ok := params["algorithm"]; ok {
+		fmt.Fprintf(&sb, ", algorithm=%s", alg)
+	}
+	fmt.Fprintf(&sb, ", response=\"%x\", opaque=\"%s\"", response, params["opaque"])
 
-		req.Header.Add("Authorization", sb.String())
+	req.Header.Add("Authorization", sb.String())
 
-		return true
-	*/
+	return true
 }
 
 func (auth *HTTPAuthentication) parseChallenge(challenge string) map[string]string {

clients/datasource/http_auth_test.go

@@ -179,102 +179,100 @@ func TestHTTPAuthentication(t *testing.T) {
 			expectedAuths:         []string{"", "Bearer PleaseUseThis"},
 			expectedResponseCodes: []int{http.StatusOK},
 		},
-		// Digest authentication is not supported for now so temperatily comment out the tests.
-		/*
-			{
-				name: "digest auth",
-				// Example from https://en.wikipedia.org/wiki/Digest_access_authentication#Example_with_explanation
-				httpAuth: &datasource.HTTPAuthentication{
-					SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
-					AlwaysAuth:       false,
-					Username:         "Mufasa",
-					Password:         "Circle Of Life",
-					CnonceFunc:       func() string { return "0a4f113b" },
-				},
-				requestURL: "https://127.0.0.1/dir/index.html",
-				wwwAuth: []string{
-					"Digest realm=\"[email protected]\", " +
-						"qop=\"auth,auth-int\", " +
-						"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
-						"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
-				},
-				expectedAuths: []string{
-					"",
-					// The order of these fields shouldn't actually matter
-					"Digest username=\"Mufasa\", " +
-						"realm=\"[email protected]\", " +
-						"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
-						"uri=\"/dir/index.html\", " +
-						"qop=auth, " +
-						"nc=00000001, " +
-						"cnonce=\"0a4f113b\", " +
-						"response=\"6629fae49393a05397450978507c4ef1\", " +
-						"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
-				},
-				expectedResponseCodes: []int{http.StatusOK},
+		{
+			name: "digest auth",
+			// Example from https://en.wikipedia.org/wiki/Digest_access_authentication#Example_with_explanation
+			httpAuth: &datasource.HTTPAuthentication{
+				SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
+				AlwaysAuth:       false,
+				Username:         "Mufasa",
+				Password:         "Circle Of Life",
+				CnonceFunc:       func() string { return "0a4f113b" },
+			},
+			requestURL: "https://127.0.0.1/dir/index.html",
+			wwwAuth: []string{
+				"Digest realm=\"[email protected]\", " +
+					"qop=\"auth,auth-int\", " +
+					"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
+					"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
+			},
+			expectedAuths: []string{
+				"",
+				// The order of these fields shouldn't actually matter
+				"Digest username=\"Mufasa\", " +
+					"realm=\"[email protected]\", " +
+					"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
+					"uri=\"/dir/index.html\", " +
+					"qop=auth, " +
+					"nc=00000001, " +
+					"cnonce=\"0a4f113b\", " +
+					"response=\"6629fae49393a05397450978507c4ef1\", " +
+					"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
+			},
+			expectedResponseCodes: []int{http.StatusOK},
+		},
+		{
+			name: "digest auth rfc2069", // old spec, without qop header
+			httpAuth: &datasource.HTTPAuthentication{
+				SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
+				AlwaysAuth:       false,
+				Username:         "Mufasa",
+				Password:         "Circle Of Life",
 			},
-			{
-				name: "digest auth rfc2069", // old spec, without qop header
-				httpAuth: &datasource.HTTPAuthentication{
-					SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
-					AlwaysAuth:       false,
-					Username:         "Mufasa",
-					Password:         "Circle Of Life",
-				},
-				requestURL: "https://127.0.0.1/dir/index.html",
-				wwwAuth: []string{
-					"Digest realm=\"[email protected]\", " +
-						"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
-						"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
-				},
-				expectedAuths: []string{
-					"",
-					// The order of these fields shouldn't actually matter
-					"Digest username=\"Mufasa\", " +
-						"realm=\"[email protected]\", " +
-						"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
-						"uri=\"/dir/index.html\", " +
-						"response=\"670fd8c2df070c60b045671b8b24ff02\", " +
-						"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
-				},
-				expectedResponseCodes: []int{http.StatusOK},
+			requestURL: "https://127.0.0.1/dir/index.html",
+			wwwAuth: []string{
+				"Digest realm=\"[email protected]\", " +
+					"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
+					"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
 			},
-			{
-				name: "digest auth mvn",
-				// From what mvn sends.
-				httpAuth: &datasource.HTTPAuthentication{
-					SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
-					AlwaysAuth:       false,
-					Username:         "my-username",
-					Password:         "cool-password",
-					CnonceFunc:       func() string { return "f7ef2d457dabcd54" },
-				},
-				requestURL: "https://127.0.0.1:41565/commons-io/commons-io/1.0/commons-io-1.0.pom",
-				wwwAuth: []string{
-					"Digest realm=\"[email protected]\"," +
-						"qop=\"auth\"," +
-						"nonce=\"deadbeef\"," +
-						"opaque=\"aaaa\"," +
-						"algorithm=\"MD5-sess\"," +
-						"domain=\"/test\"",
-				},
-				expectedAuths: []string{
-					"",
-					// The order of these fields shouldn't actually matter
-					"Digest username=\"my-username\", " +
-						"realm=\"[email protected]\", " +
-						"nonce=\"deadbeef\", " +
-						"uri=\"/commons-io/commons-io/1.0/commons-io-1.0.pom\", " +
-						"qop=auth, " +
-						"nc=00000001, " +
-						"cnonce=\"f7ef2d457dabcd54\", " +
-						"algorithm=MD5-sess, " +
-						"response=\"15a35e7018a0fc7db05d31185e0d2c9e\", " +
-						"opaque=\"aaaa\"",
-				},
-				expectedResponseCodes: []int{http.StatusOK},
+			expectedAuths: []string{
+				"",
+				// The order of these fields shouldn't actually matter
+				"Digest username=\"Mufasa\", " +
+					"realm=\"[email protected]\", " +
+					"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " +
+					"uri=\"/dir/index.html\", " +
+					"response=\"670fd8c2df070c60b045671b8b24ff02\", " +
+					"opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
 			},
-		*/
+			expectedResponseCodes: []int{http.StatusOK},
+		},
+		{
+			name: "digest auth mvn",
+			// From what mvn sends.
+			httpAuth: &datasource.HTTPAuthentication{
+				SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},
+				AlwaysAuth:       false,
+				Username:         "my-username",
+				Password:         "cool-password",
+				CnonceFunc:       func() string { return "f7ef2d457dabcd54" },
+			},
+			requestURL: "https://127.0.0.1:41565/commons-io/commons-io/1.0/commons-io-1.0.pom",
+			wwwAuth: []string{
+				"Digest realm=\"[email protected]\"," +
+					"qop=\"auth\"," +
+					"nonce=\"deadbeef\"," +
+					"opaque=\"aaaa\"," +
+					"algorithm=\"MD5-sess\"," +
+					"domain=\"/test\"",
+			},
+			expectedAuths: []string{
+				"",
+				// The order of these fields shouldn't actually matter
+				"Digest username=\"my-username\", " +
+					"realm=\"[email protected]\", " +
+					"nonce=\"deadbeef\", " +
+					"uri=\"/commons-io/commons-io/1.0/commons-io-1.0.pom\", " +
+					"qop=auth, " +
+					"nc=00000001, " +
+					"cnonce=\"f7ef2d457dabcd54\", " +
+					"algorithm=MD5-sess, " +
+					"response=\"15a35e7018a0fc7db05d31185e0d2c9e\", " +
+					"opaque=\"aaaa\"",
+			},
+			expectedResponseCodes: []int{http.StatusOK},
+		},
+
 		{
 			name: "basic auth reuse on subsequent",
 			httpAuth: &datasource.HTTPAuthentication{