HTTP-76 Allow enforcing the use of raw Authorization header (#77)

AdrianVasiliu · Adrian Vasiliu · web-flow · commit 6926370b77e2 · 2024-03-17T22:56:36.000+01:00
Introduce configuration parameter allowing to use
the Authorization header without b64 and prefixing for
Basic Authentication.

Signed-off-by: Adrian Vasiliu &lt;adrian.vasiliu3@gmail.com&gt;
Co-authored-by: Adrian Vasiliu &lt;vasiliu@fr.ibm.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 /.idea/
 .idea
 target
+bin
 /flink.http.connector.iml
 /src/main/flink-http-connector.iml
 /src/main/main.iml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 ## [Unreleased]
 
+### Added
+
+-   Added support for passing `Authorization` headers for other purposes than Basic Authentication.
+    New configuration parameter: `gid.connector.http.source.lookup.use-raw-authorization-header`.
+    If set to `'true'`, the connector uses the raw value set for the `Authorization` header, without
+    transformation for Basic Authentication (base64, addition of "Basic " prefix).
+    If not specified, defaults to `'false'`.
+
 ## [0.11.0] - 2023-11-20
 
 ## [0.10.0] - 2023-07-05
diff --git a/README.md b/README.md
@@ -385,28 +385,30 @@ In this special case, you can configure connector to trust all certificates with
 To enable this option use `gid.connector.http.security.cert.server.allowSelfSigned` property setting its value to `true`.
 
 ## Basic Authentication
-Connector supports Basic Authentication mechanism using HTTP `Authorization` header.
-The header value can set via properties same as other headers. Connector will convert passed value to Base64 and use it for request.
-If the used value starts from prefix `Basic `, it will be used as header value as is, without any extra modification.
+The connector supports Basic Authentication mechanism using HTTP `Authorization` header.
+The header value can be set via properties, similarly as for other headers. The connector converts the passed value to Base64 and uses it for the request.
+If the used value starts with the prefix `Basic `, or `gid.connector.http.source.lookup.use-raw-authorization-header`
+is set to `'true'`, it will be used as header value as is, without any extra modification.
 
 ## Table API Connector Options
 ### HTTP TableLookup Source
-| Option                                                     | Required | Description/Value                                                                                                                                                                                                                  |
-|------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| connector                                                  | required | The Value should be set to _rest-lookup_                                                                                                                                                                                           |
-| format                                                     | required | Flink's format name that should be used to decode REST response, Use `json` for a typical REST endpoint.                                                                                                                           |
-| url                                                        | required | The base URL that should be use for GET requests. For example _http://localhost:8080/client_                                                                                                                                       |
-| asyncPolling                                               | optional | true/false - determines whether Async Pooling should be used. Mechanism is based on Flink's Async I/O.                                                                                                                             |
-| lookup-method                                              | optional | GET/POST/PUT (and any other) - determines what REST method should be used for lookup REST query. If not specified, `GET` method will be used.                                                                                      |
-| gid.connector.http.lookup.error.code                       | optional | List of HTTP status codes that should be treated as errors by HTTP Source, separated with comma.                                                                                                                                   |
-| gid.connector.http.lookup.error.code.exclude               | optional | List of HTTP status codes that should be excluded from the `gid.connector.http.lookup.error.code` list, separated with comma.                                                                                                      |
-| gid.connector.http.security.cert.server                    | optional | Path to trusted HTTP server certificate that should be add to connectors key store. More than one path can be specified using `,` as path delimiter.                                                                               |
-| gid.connector.http.security.cert.client                    | optional | Path to trusted certificate that should be used by connector's HTTP client for mTLS communication.                                                                                                                                 |
-| gid.connector.http.security.key.client                     | optional | Path to trusted private key that should be used by connector's HTTP client for mTLS communication.                                                                                                                                 |
-| gid.connector.http.security.cert.server.allowSelfSigned    | optional | Accept untrusted certificates for TLS communication.                                                                                                                                                                               |
-| gid.connector.http.source.lookup.request.timeout           | optional | Sets HTTP request timeout in seconds. If not specified, the default value of 30 seconds will be used.                                                                                                                              |
-| gid.connector.http.source.lookup.request.thread-pool.size  | optional | Sets the size of pool thread for HTTP lookup request processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 8 threads will be used.  |
-| gid.connector.http.source.lookup.response.thread-pool.size | optional | Sets the size of pool thread for HTTP lookup response processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 4 threads will be used. |
+| Option                                                        | Required | Description/Value                                                                                                                                                                                                                  |
+|---------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| connector                                                     | required | The Value should be set to _rest-lookup_                                                                                                                                                                                           |
+| format                                                        | required | Flink's format name that should be used to decode REST response, Use `json` for a typical REST endpoint.                                                                                                                           |
+| url                                                           | required | The base URL that should be use for GET requests. For example _http://localhost:8080/client_                                                                                                                                       |
+| asyncPolling                                                  | optional | true/false - determines whether Async Pooling should be used. Mechanism is based on Flink's Async I/O.                                                                                                                             |
+| lookup-method                                                 | optional | GET/POST/PUT (and any other) - determines what REST method should be used for lookup REST query. If not specified, `GET` method will be used.                                                                                      |
+| gid.connector.http.lookup.error.code                          | optional | List of HTTP status codes that should be treated as errors by HTTP Source, separated with comma.                                                                                                                                   |
+| gid.connector.http.lookup.error.code.exclude                  | optional | List of HTTP status codes that should be excluded from the `gid.connector.http.lookup.error.code` list, separated with comma.                                                                                                      |
+| gid.connector.http.security.cert.server                       | optional | Path to trusted HTTP server certificate that should be add to connectors key store. More than one path can be specified using `,` as path delimiter.                                                                               |
+| gid.connector.http.security.cert.client                       | optional | Path to trusted certificate that should be used by connector's HTTP client for mTLS communication.                                                                                                                                 |
+| gid.connector.http.security.key.client                        | optional | Path to trusted private key that should be used by connector's HTTP client for mTLS communication.                                                                                                                                 |
+| gid.connector.http.security.cert.server.allowSelfSigned       | optional | Accept untrusted certificates for TLS communication.                                                                                                                                                                               |
+| gid.connector.http.source.lookup.request.timeout              | optional | Sets HTTP request timeout in seconds. If not specified, the default value of 30 seconds will be used.                                                                                                                              |
+| gid.connector.http.source.lookup.request.thread-pool.size     | optional | Sets the size of pool thread for HTTP lookup request processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 8 threads will be used.  |
+| gid.connector.http.source.lookup.response.thread-pool.size    | optional | Sets the size of pool thread for HTTP lookup response processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 4 threads will be used. |
+| gid.connector.http.source.lookup.use-raw-authorization-header | optional | If set to `'true'`, uses the raw value set for the `Authorization` header, without transformation for Basic Authentication (base64, addition of "Basic " prefix). If not specified, defaults to `'false'`.                         |
 
 ### HTTP Sink
 | Option                                                  | Required | Description/Value                                                                                                                                                                                                                                |
diff --git a/src/main/java/com/getindata/connectors/http/internal/BasicAuthHeaderValuePreprocessor.java b/src/main/java/com/getindata/connectors/http/internal/BasicAuthHeaderValuePreprocessor.java
@@ -1,6 +1,7 @@
 package com.getindata.connectors.http.internal;
 
 import java.util.Base64;
+import java.util.Objects;
 
 /**
  * Header processor for HTTP Basic Authentication mechanism.
@@ -10,20 +11,43 @@ public class BasicAuthHeaderValuePreprocessor implements HeaderValuePreprocessor
 
     public static final String BASIC = "Basic ";
 
+    private boolean useRawAuthHeader = false;
+
+    /**
+     * Creates a new instance of BasicAuthHeaderValuePreprocessor that uses
+     * the default processing of the Authorization header.
+     */
+    public BasicAuthHeaderValuePreprocessor() {
+        this(false);
+    }
+
+    /**
+     * Creates a new instance of BasicAuthHeaderValuePreprocessor.
+     *
+     * @param useRawAuthHeader If set to true, the Authorization header is kept as-is,
+     *                         untransformed. Otherwise, uses the default processing of the
+     *                         Authorization header.
+     */
+    public BasicAuthHeaderValuePreprocessor(boolean useRawAuthHeader) {
+        this.useRawAuthHeader = useRawAuthHeader;
+    }
+
     /**
      * Calculates {@link Base64} value of provided header value. For Basic authentication mechanism,
      * the raw value is expected to match user:password pattern.
      * <p>
-     * If rawValue starts with "Basic " prefix it is assumed that this value is already converted to
-     * expected "Authorization" header value.
+     * If rawValue starts with "Basic " prefix, or useRawAuthHeader has been set to true, it is
+     * assumed that this value is already converted to the expected "Authorization" header value.
      *
      * @param rawValue header original value to modify.
      * @return value of "Authorization" header with format "Basic " + Base64 from rawValue or
-     * rawValue without any changes if it starts with "Basic " prefix.
+     * rawValue without any changes if it starts with "Basic " prefix or useRawAuthHeader is
+     * set to true.
      */
     @Override
     public String preprocessHeaderValue(String rawValue) {
-        if (rawValue.startsWith(BASIC)) {
+        Objects.requireNonNull(rawValue);
+        if (useRawAuthHeader || rawValue.startsWith(BASIC)) {
             return rawValue;
         } else {
             return BASIC + Base64.getEncoder().encodeToString(rawValue.getBytes());
diff --git a/src/main/java/com/getindata/connectors/http/internal/config/HttpConnectorConfigConstants.java b/src/main/java/com/getindata/connectors/http/internal/config/HttpConnectorConfigConstants.java
@@ -27,6 +27,14 @@ public final class HttpConnectorConfigConstants {
     public static final String LOOKUP_SOURCE_HEADER_PREFIX = GID_CONNECTOR_HTTP
         + "source.lookup.header.";
 
+    /**
+     * Whether to use the raw value of the Authorization header. If set, it prevents
+     * the special treatment of the header for Basic Authentication, thus preserving the passed
+     * raw value. Defaults to false.
+     */
+    public static final String LOOKUP_SOURCE_HEADER_USE_RAW = GID_CONNECTOR_HTTP
+        + "source.lookup.use-raw-authorization-header";
+
     // --------- Error code handling configuration ---------
     public static final String HTTP_ERROR_SINK_CODE_WHITE_LIST =
         GID_CONNECTOR_HTTP + "sink.error.code.exclude";
diff --git a/src/main/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupConnectorOptions.java b/src/main/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupConnectorOptions.java
@@ -3,6 +3,7 @@
 import org.apache.flink.configuration.ConfigOption;
 import org.apache.flink.configuration.ConfigOptions;
 
+import static com.getindata.connectors.http.internal.config.HttpConnectorConfigConstants.LOOKUP_SOURCE_HEADER_USE_RAW;
 import static com.getindata.connectors.http.internal.config.HttpConnectorConfigConstants.SOURCE_LOOKUP_QUERY_CREATOR_IDENTIFIER;
 
 public class HttpLookupConnectorOptions {
@@ -40,4 +41,10 @@ public class HttpLookupConnectorOptions {
         ConfigOptions.key("lookup-request.format")
             .stringType()
             .defaultValue("json");
+
+    public static final ConfigOption<Boolean> USE_RAW_AUTH_HEADER =
+        ConfigOptions.key(LOOKUP_SOURCE_HEADER_USE_RAW)
+            .booleanType()
+            .defaultValue(false)
+            .withDescription("Whether to use the raw value of Authorization header");
 }
diff --git a/src/main/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupTableSource.java b/src/main/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupTableSource.java
@@ -134,7 +134,11 @@ private PollingClientFactory<RowData> createPollingClientFactory(
             LookupQueryCreator lookupQueryCreator,
             HttpLookupConfig lookupConfig) {
 
-        HeaderPreprocessor headerPreprocessor = HttpHeaderUtils.createDefaultHeaderPreprocessor();
+        boolean useRawAuthHeader =
+            lookupConfig.getReadableConfig().get(HttpLookupConnectorOptions.USE_RAW_AUTH_HEADER);
+
+        HeaderPreprocessor headerPreprocessor =
+            HttpHeaderUtils.createDefaultHeaderPreprocessor(useRawAuthHeader);
         String lookupMethod = lookupConfig.getLookupMethod();
 
         HttpRequestFactory requestFactory = (lookupMethod.equalsIgnoreCase("GET")) ?
diff --git a/src/main/java/com/getindata/connectors/http/internal/utils/HttpHeaderUtils.java b/src/main/java/com/getindata/connectors/http/internal/utils/HttpHeaderUtils.java
@@ -68,8 +68,13 @@ public static String[] toHeaderAndValueArray(Map<String, String> headerMap) {
     }
 
     public static HeaderPreprocessor createDefaultHeaderPreprocessor() {
+        return createDefaultHeaderPreprocessor(false);
+    }
+
+    public static HeaderPreprocessor createDefaultHeaderPreprocessor(boolean useRawAuthHeader) {
         return new ComposeHeaderPreprocessor(
-            Collections.singletonMap("Authorization", new BasicAuthHeaderValuePreprocessor())
+            Collections.singletonMap(
+                "Authorization", new BasicAuthHeaderValuePreprocessor(useRawAuthHeader))
         );
     }
 }
diff --git a/src/test/java/com/getindata/connectors/http/internal/BasicAuthHeaderValuePreprocessorTest.java b/src/test/java/com/getindata/connectors/http/internal/BasicAuthHeaderValuePreprocessorTest.java
@@ -1,28 +1,26 @@
 package com.getindata.connectors.http.internal;
 
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
 import static org.assertj.core.api.Assertions.assertThat;
 
 class BasicAuthHeaderValuePreprocessorTest {
 
-    private BasicAuthHeaderValuePreprocessor preprocessor;
-
-    @BeforeEach
-    public void setUp() {
-        this.preprocessor = new BasicAuthHeaderValuePreprocessor();
-    }
-
     @ParameterizedTest
     @CsvSource({
-        "user:password, Basic dXNlcjpwYXNzd29yZA==",
-        "Basic dXNlcjpwYXNzd29yZA==, Basic dXNlcjpwYXNzd29yZA=="
+        "user:password, Basic dXNlcjpwYXNzd29yZA==, false",
+        "Basic dXNlcjpwYXNzd29yZA==, Basic dXNlcjpwYXNzd29yZA==, false",
+        "abc123, abc123, true",
+        "Basic dXNlcjpwYXNzd29yZA==, Basic dXNlcjpwYXNzd29yZA==, true",
+        "Bearer dXNlcjpwYXNzd29yZA==, Bearer dXNlcjpwYXNzd29yZA==, true"
     })
     public void testAuthorizationHeaderPreprocess(
             String headerRawValue,
-            String expectedHeaderValue) {
-        String headerValue = this.preprocessor.preprocessHeaderValue(headerRawValue);
+            String expectedHeaderValue,
+            boolean useRawAuthHeader) {
+        BasicAuthHeaderValuePreprocessor preprocessor =
+            new BasicAuthHeaderValuePreprocessor(useRawAuthHeader);
+        String headerValue = preprocessor.preprocessHeaderValue(headerRawValue);
         assertThat(headerValue).isEqualTo(expectedHeaderValue);
     }
 }
diff --git a/src/test/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupTableSourceITCaseTest.java b/src/test/java/com/getindata/connectors/http/internal/table/lookup/HttpLookupTableSourceITCaseTest.java
diff --git a/src/test/java/com/getindata/connectors/http/internal/table/lookup/JavaNetHttpPollingClientConnectionTest.java b/src/test/java/com/getindata/connectors/http/internal/table/lookup/JavaNetHttpPollingClientConnectionTest.java

Original file line number	Diff line number	Diff line change
`@@ -68,8 +68,13 @@ public static String[] toHeaderAndValueArray(Map<String, String> headerMap) {`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`public static HeaderPreprocessor createDefaultHeaderPreprocessor() {`
	`71`	`+ return createDefaultHeaderPreprocessor(false);`
	`72`	`+ }`
	`73`	`+`
	`74`	`+ public static HeaderPreprocessor createDefaultHeaderPreprocessor(boolean useRawAuthHeader) {`
`71`	`75`	`return new ComposeHeaderPreprocessor(`
`72`		`- Collections.singletonMap("Authorization", new BasicAuthHeaderValuePreprocessor())`
	`76`	`+ Collections.singletonMap(`
	`77`	`+ "Authorization", new BasicAuthHeaderValuePreprocessor(useRawAuthHeader))`
`73`	`78`	`);`
`74`	`79`	`}`
`75`	`80`	`}`