fixup! SCANJLIB-306 Restore authentication support for proxy + SSL

Author: henryju

lib/pom.xml

@@ -141,6 +141,7 @@
           <systemPropertyVariables>
             <user.language>en</user.language>
             <user.country>US</user.country>
+            <jdk.http.auth.tunneling.disabledSchemes>foo</jdk.http.auth.tunneling.disabledSchemes>
           </systemPropertyVariables>
           <environmentVariables>
             <LANGUAGE>en_US</LANGUAGE>

lib/src/main/java/org/sonarsource/scanner/lib/internal/http/ScannerHttpClient.java

@@ -142,28 +142,23 @@ private <G> G callUrl(String url, boolean authentication, @Nullable String accep
   }
 
   private <G> G callUrlWithRedirects(String url, boolean authentication, @Nullable String acceptHeader, ResponseHandler<G> responseHandler) {
-    return callUrlWithRedirectsAndProxyAuth(url, authentication, acceptHeader, responseHandler, 0, false);
+    return callUrlWithRedirectsAndProxyAuth(url, authentication, acceptHeader, responseHandler, 0);
   }
 
   private <G> G callUrlWithRedirectsAndProxyAuth(String url, boolean authentication, @Nullable String acceptHeader, ResponseHandler<G> responseHandler,
-    int redirectCount, boolean proxyAuthRetry) {
+    int redirectCount) {
     if (redirectCount > 10) {
       throw new IllegalStateException("Too many redirects (>10) for URL: " + url);
     }
 
-    var request = prepareRequest(url, acceptHeader, authentication, proxyAuthRetry);
+    var request = prepareRequest(url, acceptHeader, authentication);
 
     HttpResponse<InputStream> response = null;
     Instant start = Instant.now();
     try {
       LOG.debug("--> {} {}", request.method(), request.uri());
       response = httpClient.send(request, HttpResponse.BodyHandlers.ofInputStream());
 
-      if (response.statusCode() == 407 && !proxyAuthRetry && httpConfig.getProxyUser() != null) {
-        LOG.debug("Received 407 Proxy Authentication Required, retrying request");
-        return callUrlWithRedirectsAndProxyAuth(url, authentication, acceptHeader, responseHandler, redirectCount, true);
-      }
-
       if (isRedirect(response.statusCode())) {
         var locationHeader = response.headers().firstValue("Location");
         if (locationHeader.isPresent()) {
@@ -172,7 +167,7 @@ private <G> G callUrlWithRedirectsAndProxyAuth(String url, boolean authenticatio
             URI originalUri = URI.create(url);
             redirectUrl = originalUri.getScheme() + "://" + originalUri.getAuthority() + redirectUrl;
           }
-          return callUrlWithRedirectsAndProxyAuth(redirectUrl, authentication, acceptHeader, responseHandler, redirectCount + 1, proxyAuthRetry);
+          return callUrlWithRedirectsAndProxyAuth(redirectUrl, authentication, acceptHeader, responseHandler, redirectCount + 1);
         }
       }
 
@@ -218,7 +213,7 @@ private interface ResponseHandler<G> {
     G apply(HttpResponse<InputStream> response) throws IOException;
   }
 
-  private HttpRequest prepareRequest(String url, @Nullable String acceptHeader, boolean authentication, boolean proxyAuthRetry) {
+  private HttpRequest prepareRequest(String url, @Nullable String acceptHeader, boolean authentication) {
     var timeout = httpConfig.getResponseTimeout().isZero() ? httpConfig.getSocketTimeout() : httpConfig.getResponseTimeout();
 
     var requestBuilder = HttpRequest.newBuilder()

lib/src/test/java/org/sonarsource/scanner/lib/internal/http/ScannerHttpClientTest.java

@@ -46,6 +46,7 @@
 import org.sonarsource.scanner.lib.internal.util.System2;
 import testutils.LogTester;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.absent;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -264,9 +265,14 @@ class WithProxy {
     @BeforeEach
     void configureMocks(TestInfo info) {
       if (info.getTags().contains(PROXY_AUTH_ENABLED)) {
+        // This scenario simulates a proxy that requires authentication and does not accept preemptive auth:
+        // the first request without Proxy-Authorization header gets a 407 with the Proxy-Authenticate challenge, then the client retries with the Proxy-Authorization header.
+        // This is not used because the Scanner HttpClient sends Proxy-Authorization preemptively by default,
+        // but keep it just in case we want to support it once we upgrade to JDK 24+ (because of https://bugs.openjdk.org/browse/JDK-8326949)
         proxyMock.stubFor(get(urlMatching("/batch/.*"))
           .inScenario("Proxy Auth")
           .whenScenarioStateIs(STARTED)
+            .withHeader("Proxy-Authorization", absent())
           .willReturn(aResponse()
             .withStatus(407)
             .withHeader("Proxy-Authenticate", "Basic realm=\"Access to the proxy\""))
@@ -275,6 +281,12 @@ void configureMocks(TestInfo info) {
           .inScenario("Proxy Auth")
           .whenScenarioStateIs("Challenge returned")
           .willReturn(aResponse().proxiedFrom(sonarqube.baseUrl())));
+        // Preemptive authentication (if client sends Proxy-Authorization on the first try) should also be accepted by the proxy
+        proxyMock.stubFor(get(urlMatching("/batch/.*"))
+          .inScenario("Proxy Auth")
+          .whenScenarioStateIs(STARTED)
+          .withHeader("Proxy-Authorization", equalTo("Basic " + Base64.getEncoder().encodeToString("proxyUser:proxyPassword".getBytes(StandardCharsets.UTF_8))))
+          .willReturn(aResponse().proxiedFrom(sonarqube.baseUrl())));
       } else {
         proxyMock.stubFor(get(urlMatching("/batch/.*")).willReturn(aResponse().proxiedFrom(sonarqube.baseUrl())));
       }