Create URL Protection Space from HTTPURLResponse

Basic implementation of realm parsing.
Also fixes access to "Www-Authenticate" header in some places,
as HTTPURLResponse does capitalize headers now.

Author: lxbndr

Sources/FoundationNetworking/URLProtectionSpace.swift

@@ -332,19 +332,93 @@ open class URLProtectionSpace : NSObject, NSCopying {
 
 extension URLProtectionSpace {
     //an internal helper to create a URLProtectionSpace from a HTTPURLResponse 
-    static func create(using response: HTTPURLResponse) -> URLProtectionSpace {
+    static func create(with response: HTTPURLResponse) -> URLProtectionSpace? {
         let host = response.url?.host ?? ""
-        let port = response.url?.port ?? 80        //HTTP
-        let _protocol = response.url?.scheme
-        guard let wwwAuthHeader = response.allHeaderFields["Www-Authenticate"] as? String else {
-            fatalError("Authentication failed but no Www-Authenticate header in response")
+
+        let scheme = response.url?.scheme
+
+        let port: Int = {
+            if let port = response.url?.port {
+                return port
+            }
+
+            switch scheme {
+            case "http":
+                return 80
+            case "https":
+                return 443
+            default:
+                return 80
+            }
+        }()
+
+        // Assuming HTTPURLResponse does capitalization of standard headers
+        guard let authenticateValue = response.allHeaderFields["Www-Authenticate"] as? String else {
+            return nil
         }
 
-        //The format of the authentication header is `<auth-scheme> realm="<realm value>"`
-        //Example: `Basic realm="Fake Realm"`
-        let authMethod = wwwAuthHeader.components(separatedBy: " ")[0]
-        let realm = String(String(wwwAuthHeader.components(separatedBy: "realm=")[1].dropFirst()).dropLast())
-        return URLProtectionSpace(host: host, port: port, protocol: _protocol, realm: realm, authenticationMethod: authMethod)
+        // Typical Www-Authenticate header is something like
+        //   Www-Authenticate: Digest realm="test", domain="/HTTP/Digest", nonce="e3d002b9b2080453fdacea2d89f2d102"
+
+        let components = authenticateValue.components(separatedBy: " ")
+        let authMethod: String? = {
+            guard let authMethod = components.first else {
+                return nil
+            }
+
+            switch authMethod.lowercased() {
+            case "basic":
+                return NSURLAuthenticationMethodHTTPBasic
+            case "digest":
+                return NSURLAuthenticationMethodHTTPDigest
+            case "ntlm":
+                return NSURLAuthenticationMethodNTLM
+            case "negotiate":
+                return NSURLAuthenticationMethodNegotiate
+            default:
+                return nil
+            }
+        }()
+
+        let realm: String? = {
+            guard let openingQuoteIndex = authenticateValue.range(of: "realm=\"", options: .caseInsensitive)?.upperBound else {
+                return nil
+            }
+
+            // Basic implementation.
+            // Doesn't follow complete spec of quoted strings (RFC-7230, p. 3.2.6).
+            // Handles escaping of quotes only.
+            
+            let realmStart = openingQuoteIndex
+
+            guard let closingQuoteIndex = { () -> String.Index? in
+                var searchFrom = realmStart
+                while(true) {
+                    // Look for quote
+                    guard let quoteRange = authenticateValue.range(of: "\"", range: searchFrom..<authenticateValue.endIndex) else {
+                        return nil
+                    }
+                    // Check is it escaped
+                    guard authenticateValue[authenticateValue.index(before: quoteRange.lowerBound)] != "\\" else {
+                        searchFrom = quoteRange.upperBound
+                        continue
+                    }
+                    return quoteRange.lowerBound
+                }
+            }() else {
+                return nil
+            }
+
+            let quotedRealm = authenticateValue[realmStart..<closingQuoteIndex]
+            let realm = quotedRealm.replacingOccurrences(of: "\\\"", with: "\"")
+            return realm
+        }()
+
+        return URLProtectionSpace(host: host,
+                                  port: port,
+                                  protocol: scheme,
+                                  realm: realm,
+                                  authenticationMethod: authMethod)
     }
 }
 

Sources/FoundationNetworking/URLSession/HTTP/HTTPURLProtocol.swift

@@ -134,7 +134,7 @@ internal class _HTTPURLProtocol: _NativeProtocol {
         }
 
         // We opt not to cache any requests or responses that contain authorization headers.
-        if httpResponse.allHeaderFields["WWW-Authenticate"] != nil ||
+        if httpResponse.allHeaderFields["Www-Authenticate"] != nil ||
            httpResponse.allHeaderFields["Proxy-Authenticate"] != nil ||
            httpRequest.allHTTPHeaderFields?["Authorization"] != nil ||
            httpRequest.allHTTPHeaderFields?["Proxy-Authorization"] != nil {

Sources/FoundationNetworking/URLSession/URLSessionTask.swift

@@ -775,11 +775,8 @@ extension _ProtocolClient : URLProtocolClient {
         let host = response.url?.host ?? ""
         let port = response.url?.port ?? 80        //we're doing http
         let _protocol = response.url?.scheme
-        if response.allHeaderFields["WWW-Authenticate"] != nil {
-            let wwwAuthHeaderValue = response.allHeaderFields["WWW-Authenticate"] as! String
-            let authMethod = wwwAuthHeaderValue.components(separatedBy: " ")[0]
-            let realm = String(String(wwwAuthHeaderValue.components(separatedBy: "realm=")[1].dropFirst()).dropLast())
-            return URLProtectionSpace(host: host, port: port, protocol: _protocol, realm: realm, authenticationMethod: authMethod)
+        if response.allHeaderFields["Www-Authenticate"] != nil {
+            return URLProtectionSpace.create(with: response)
         } else {
             return nil
         }

Tests/Foundation/Tests/TestURLProtectionSpace.swift

@@ -7,12 +7,30 @@
 // See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
 //
 
+#if NS_FOUNDATION_ALLOWS_TESTABLE_IMPORT
+    #if canImport(SwiftFoundationNetworking) && !DEPLOYMENT_RUNTIME_OBJC
+    @testable import SwiftFoundationNetworking
+    #else
+        #if canImport(FoundationNetworking)
+        @testable import FoundationNetworking
+        #endif
+    #endif
+#endif
+
 class TestURLProtectionSpace : XCTestCase {
 
     static var allTests: [(String, (TestURLProtectionSpace) -> () throws -> Void)] {
-        return [
+        var tests: [(String, (TestURLProtectionSpace) -> () throws -> ())] = [
             ("test_description", test_description),
         ]
+        
+        #if NS_FOUNDATION_ALLOWS_TESTABLE_IMPORT
+        tests.append(contentsOf: [
+            ("test_createWithHTTPURLresponse", test_createWithHTTPURLresponse),
+        ])
+        #endif
+        
+        return tests
     }
 
     func test_description() {
@@ -36,4 +54,100 @@ class TestURLProtectionSpace : XCTestCase {
         XCTAssert(space.description.hasPrefix("<\(type(of: space))"))
         XCTAssert(space.description.hasSuffix(": Host:apple.com, Server:http, Auth-Scheme:NSURLAuthenticationMethodHTMLForm, Realm:(null), Port:80, Proxy:NO, Proxy-Type:(null)"))
     }
+
+    #if NS_FOUNDATION_ALLOWS_TESTABLE_IMPORT
+    func test_createWithHTTPURLresponse() throws {
+        // Real responce from outlook.office365.com
+        let headerFields1 = [
+            "Server": "Microsoft-IIS/10.0",
+            "request-id": "c71c2202-4013-4d64-9319-d40aba6bbe5c",
+            "WWW-Authenticate": "Basic Realm=\"\"",
+            "X-Powered-By": "ASP.NET",
+            "X-FEServer": "AM6PR0502CA0062",
+            "Date": "Sat, 04 Apr 2020 16:19:39 GMT",
+            "Content-Length": "0",
+        ]
+        let response1 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "https://outlook.office365.com/Microsoft-Server-ActiveSync")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: headerFields1))
+        let space1 = try XCTUnwrap(URLProtectionSpace.create(with: response1), "Failed to create protection space from valid response")
+
+        XCTAssertEqual(space1.authenticationMethod, NSURLAuthenticationMethodHTTPBasic)
+        XCTAssertEqual(space1.protocol, "https")
+        XCTAssertEqual(space1.host, "outlook.office365.com")
+        XCTAssertEqual(space1.port, 443)
+        XCTAssertEqual(space1.realm, "")
+
+        // Real response from jigsaw.w3.org
+        let headerFields2 = [
+            "date": "Sat, 04 Apr 2020 17:24:23 GMT",
+            "content-length": "261",
+            "content-type": "text/html;charset=ISO-8859-1",
+            "server": "Jigsaw/2.3.0-beta3",
+            "www-authenticate": "Basic realm=\"test\"",
+            "strict-transport-security": "max-age=15552015; includeSubDomains; preload",
+            "public-key-pins": "pin-sha256=\"cN0QSpPIkuwpT6iP2YjEo1bEwGpH/yiUn6yhdy+HNto=\"; pin-sha256=\"WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4=\"; pin-sha256=\"LrKdTxZLRTvyHM4/atX2nquX9BeHRZMCxg3cf4rhc2I=\"; max-age=864000",
+            "x-frame-options": "deny",
+            "x-xss-protection": "1; mode=block",
+        ]
+        let response2 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "https://jigsaw.w3.org/HTTP/Basic/")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/2",
+                                                      headerFields: headerFields2))
+        let space2 = try XCTUnwrap(URLProtectionSpace.create(with: response2), "Failed to create protection space from valid response")
+
+        XCTAssertEqual(space2.authenticationMethod, NSURLAuthenticationMethodHTTPBasic)
+        XCTAssertEqual(space2.protocol, "https")
+        XCTAssertEqual(space2.host, "jigsaw.w3.org")
+        XCTAssertEqual(space2.port, 443)
+        XCTAssertEqual(space2.realm, "test")
+
+        // More cases with partial response
+        let authenticate3 = "Digest realm=\"Test \\\"quoted\\\"\", domain=\"/HTTP/Digest\", nonce=\"be2e96ad8ab8acb7ccfb49bc7e162914\""
+        let response3 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "http://jigsaw.w3.org/HTTP/Basic/")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: ["www-authenticate" : authenticate3]))
+        let space3 = try XCTUnwrap(URLProtectionSpace.create(with: response3), "Failed to create protection space from valid response")
+
+        XCTAssertEqual(space3.authenticationMethod, NSURLAuthenticationMethodHTTPDigest)
+        XCTAssertEqual(space3.protocol, "http")
+        XCTAssertEqual(space3.host, "jigsaw.w3.org")
+        XCTAssertEqual(space3.port, 80)
+        XCTAssertEqual(space3.realm, "Test \"quoted\"")
+
+        let response4 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "http://apple.com:333")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: ["www-authenTicate" : "NTLM realm=\"\\\"\""]))
+        let space4 = try XCTUnwrap(URLProtectionSpace.create(with: response4), "Failed to create protection space from valid response")
+
+        XCTAssertEqual(space4.authenticationMethod, NSURLAuthenticationMethodNTLM)
+        XCTAssertEqual(space4.protocol, "http")
+        XCTAssertEqual(space4.host, "apple.com")
+        XCTAssertEqual(space4.port, 333)
+        XCTAssertEqual(space4.realm, "\"")
+
+        // Some broken headers
+        let response5 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "http://apple.com")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: ["www-authenicate" : "Basic"]))
+        let space5 = URLProtectionSpace.create(with: response5)
+        XCTAssertNil(space5, "Should not create protection space for response without valid header")
+
+        let response6 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "http://apple.com")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: ["www-authenticate" : "NT LM realm="]))
+        let space6 = try XCTUnwrap(URLProtectionSpace.create(with: response6), "Failed to create protection space from valid response")
+
+        XCTAssertEqual(space6.authenticationMethod, NSURLAuthenticationMethodDefault)
+        XCTAssertEqual(space6.protocol, "http")
+        XCTAssertEqual(space6.host, "apple.com")
+        XCTAssertEqual(space6.port, 80)
+        XCTAssertNil(space6.realm)
+    }
+    #endif
 }