Create URL Protection Space from HTTPURLResponse

[lxbndr]

Basic implementation of "Www-Authenticate" parsing. Some real-life responses could crash previous implementation, as it doesn't work with realm in case insensitive way. We decided to modify existing (but unused) internal helper, considering that a good step in iterative improvement of FoundationNetworking.

This also fixes access to "Www-Authenticate" header in some places,
as HTTPURLResponse does capitalize headers after #2728.

[lxbndr]

CC @compnerd @spevans @millenomi

[spevans]

@swift-ci test linux

[spevans]

@swift-ci test linux

[spevans]

It might be better to be stricter on the input validation, it can alway be loosened later on. Rather than defaulting values I would suggest:

guard let url = response.url, let host = url.host, let _protocol = url.scheme, _protocol == "http" || _protocol == "https" else {
    return nil
}
let port = url.port ?? (_protocol == "http" ? 80 : 443)

to tighten up the validation.

[lxbndr]

Makes sense. And less code. I like it. Will do.

[spevans]

Will this split correctly if there are multiple spaces between each part?
I think split(separator: Character, maxSplits: Int = Int.max, omittingEmptySubsequences: Bool = true) -> [Substring] might be a better choice as by default it will not add empty sequences to the output array.

[millenomi]

This is the grammar:

   WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
    ] )

   auth-param = token BWS "=" BWS ( token / quoted-string )
   auth-scheme = token

   challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *(
    OWS "," [ OWS auth-param ] ) ] ) ]
   credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
    *( OWS "," [ OWS auth-param ] ) ] ) ]

where:

     OWS            = *( SP / HTAB )
                    ; optional whitespace
…
     BWS            = OWS
                    ; "bad" whitespace

so it looks like we need to split for " " or "\t". Use the CharacterSet variants maybe?

[millenomi]

https://tools.ietf.org/html/rfc7235#section-4.1 + https://tools.ietf.org/html/rfc7230#section-3.2.3

[spevans]

Will it cause problems to create a URLProtectionSpace for methods that are not currently implemented (ie everything except Basic)? Could always return nil for these other ones for now

[lxbndr]

I actually thought about this helper point as parsing as much info as possible (and reasonable). Hmm, but on the other side it could take responsibility to cut off unsupported things. Agree, this should return nil for everything other than Basic auth.

[spevans]

Give that this is concerned with authentication I think that the complete spec should be followed. Maybe it could be broken out into a separate function that fully parses a String into its constituent parts. If any percent decoding needs to be done on the input string then there is DataURLProtocol._PercentDecoder that could possibly be used.

[lxbndr]

Thanks for hint. I guess I will also look into curl implementation of similar task. AFAIK it is pretty simple. I like the idea of separate parsing, could be also tested separately.

[millenomi]

Good by me once the feedback is looked at.

[millenomi]

I forget if scheme is normalized?

[millenomi]

This should probably be scheme.lowercased().

[millenomi]

This is the grammar:

   WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
    ] )

   auth-param = token BWS "=" BWS ( token / quoted-string )
   auth-scheme = token

   challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *(
    OWS "," [ OWS auth-param ] ) ] ) ]
   credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
    *( OWS "," [ OWS auth-param ] ) ] ) ]

where:

     OWS            = *( SP / HTAB )
                    ; optional whitespace
…
     BWS            = OWS
                    ; "bad" whitespace

so it looks like we need to split for " " or "\t". Use the CharacterSet variants maybe?

[millenomi]

https://tools.ietf.org/html/rfc7235#section-4.1 + https://tools.ietf.org/html/rfc7230#section-3.2.3

[lxbndr]

I'm so sorry, the solution is really delayed. It is still WIP. Had done about 3/4. I am thinking to convert this to draft, to not to look like stale PR.

[millenomi]

@lxbndr are you still unable to finish this patch?

[lxbndr]

@millenomi
I am sorry for delay, again. I've revisited it lately and now think it is ready to be pushed. Will do tomorrow.
It actually blocks me from finishing another auth-related issue, so not going to postpone it anymore.

[millenomi]

Thank you! I'll be here to facilitate.

[lxbndr]

This all started as an attempt to parse "realm" parameter and not to crash. New implementation is RFC-compliant. I think I found perfect place for parsing code, and it is in _HTTPURLProtocol extensions, where other HTTP-related parsing already lives.

All necessary string comparisons are case-insensitive, but internally data stored as is, so _Challenge structure is more like raw parsed data.

Some simplifications made assuming we are supporting only "Basic" scheme. But in general this code could be used to adopt other schemes.

I reused as much existing code as seemed reasonable (like token parsing, whitespace trimming, character constants).

It seems like we could refactor existing code a bit to improve consistency and streamline some logic. E.g. existing code references RFC-2616, which is obsoleted by RFCs 7230-7235. To keep this patch focused I used old code as is.

The general flow of WWW-Authenticate parsing was inspired by CURL's approach, as it seems pretty robust.

[lxbndr]

@millenomi Could you please take a look? I think I took all comments into account. But as changes are much bigger than first time, I am expecting everything.

[millenomi]

Nothing immediately jumps at me. At this point, this looks large and useful enough that we can start taking bug fixes as separate patches if needed.

[millenomi]

@swift-ci please test

[lxbndr]

I found that one line I've changed was unnecessary. Reverted HTTPURLProtocol.swift:137 to original.
No other changes were made.

@millenomi Is there anything else I can do here? I am not in a rush, just thought maybe I missed some requirement.

[xwu]

Nit: Mind if we call this DoubleQuote? We already spell HTAB HorizontalTab instead of Htab, and it just reads a little more clearly, I think, in the context where we have comments referring to "dequoted" strings and then code that refers to "dquote".

[lxbndr]

Sure! Anything to reduce confusion. Change pushed.

[lxbndr]

Build failure on Linux looks unrelated. @MaxDesiatov Could re-run fix that, WDYT?

[lxbndr]

Rebased to latest main.

[MaxDesiatov]

@swift-ci please test

[MaxDesiatov]

Would anyone mind if this is merged?

[MaxDesiatov]

@swift-ci please test

[spevans]

@MaxDesiatov No I dont mind, lets get this in. I think have some URLSession fixes that rely on this so would be good to progress those.

[MaxDesiatov]

Linux failure seems to be unrelated

[MaxDesiatov]

@swift-ci please test Linux platform

[spevans]

@swift-ci please test Linux platform