/* * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @summary Verify that some special headers - such as User-Agent * can be specified by the caller. * @bug 8203771 8218546 8297200 * @modules java.base/sun.net.www.http * java.net.http/jdk.internal.net.http.common * java.net.http/jdk.internal.net.http.frame * java.net.http/jdk.internal.net.http.hpack * java.logging * jdk.httpserver * @library /test/lib http2/server * @build Http2TestServer HttpServerAdapters SpecialHeadersTest * @build jdk.test.lib.net.SimpleSSLContext * @run testng/othervm * -Djdk.httpclient.HttpClient.log=requests,headers,errors * SpecialHeadersTest * @run testng/othervm -Djdk.httpclient.allowRestrictedHeaders=Host * -Djdk.httpclient.HttpClient.log=requests,headers,errors * SpecialHeadersTest */ import com.sun.net.httpserver.HttpServer; import com.sun.net.httpserver.HttpsConfigurator; import com.sun.net.httpserver.HttpsServer; import jdk.internal.net.http.common.OperationTrackers.Tracker; import jdk.test.lib.net.SimpleSSLContext; import org.testng.ITestContext; import org.testng.ITestResult; import org.testng.SkipException; import org.testng.annotations.AfterClass; import org.testng.annotations.AfterTest; import org.testng.annotations.BeforeMethod; import org.testng.annotations.BeforeTest; import org.testng.annotations.DataProvider; import org.testng.annotations.Test; import javax.net.ssl.SSLContext; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpHeaders; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.net.http.HttpResponse.BodyHandlers; import java.time.Duration; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import java.util.Locale; import java.util.Map; import java.util.Objects; import java.util.Optional; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import java.util.concurrent.Executor; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicLong; import java.util.concurrent.atomic.AtomicReference; import java.util.function.Function; import java.util.stream.Collectors; import static java.lang.System.err; import static java.lang.System.out; import static java.net.http.HttpClient.Builder.NO_PROXY; import static java.net.http.HttpClient.Version.HTTP_2; import static java.nio.charset.StandardCharsets.US_ASCII; import org.testng.Assert; import static org.testng.Assert.assertEquals; import static org.testng.Assert.assertTrue; public class SpecialHeadersTest implements HttpServerAdapters { SSLContext sslContext; HttpTestServer httpTestServer; // HTTP/1.1 [ 4 servers ] HttpTestServer httpsTestServer; // HTTPS/1.1 HttpTestServer http2TestServer; // HTTP/2 ( h2c ) HttpTestServer https2TestServer; // HTTP/2 ( h2 ) String httpURI; String httpsURI; String http2URI; String https2URI; static final String[][] headerNamesAndValues = new String[][]{ {"User-Agent: "}, {"User-Agent: camel-cased"}, {"user-agent: all-lower-case"}, {"user-Agent: mixed"}, // headers which were restricted before and are now allowable {"referer: lower"}, {"Referer: normal"}, {"REFERER: upper"}, {"origin: lower"}, {"Origin: normal"}, {"ORIGIN: upper"}, }; // Needs net.property enabled for this part of test static final String[][] headerNamesAndValues1 = new String[][]{ {"Host: "}, {"Host: camel-cased"}, {"host: all-lower-case"}, {"hoSt: mixed"} }; @DataProvider(name = "variants") public Object[][] variants() { String prop = System.getProperty("jdk.httpclient.allowRestrictedHeaders"); boolean hostTest = prop != null && prop.equalsIgnoreCase("host"); final String[][] testInput = hostTest ? headerNamesAndValues1 : headerNamesAndValues; List list = new ArrayList<>(); for (boolean sameClient : new boolean[] { false, true }) { Arrays.asList(testInput).stream() .map(e -> new Object[] {httpURI, e[0], sameClient}) .forEach(list::add); Arrays.asList(testInput).stream() .map(e -> new Object[] {httpsURI, e[0], sameClient}) .forEach(list::add); Arrays.asList(testInput).stream() .map(e -> new Object[] {http2URI, e[0], sameClient}) .forEach(list::add); Arrays.asList(testInput).stream() .map(e -> new Object[] {https2URI, e[0], sameClient}) .forEach(list::add); } return list.stream().toArray(Object[][]::new); } static final int ITERATION_COUNT = 3; // checks upgrade and re-use // a shared executor helps reduce the amount of threads created by the test static final TestExecutor executor = new TestExecutor(Executors.newCachedThreadPool()); static final ConcurrentMap FAILURES = new ConcurrentHashMap<>(); static volatile boolean tasksFailed; static final AtomicLong serverCount = new AtomicLong(); static final AtomicLong clientCount = new AtomicLong(); static final long start = System.nanoTime(); public static String now() { long now = System.nanoTime() - start; long secs = now / 1000_000_000; long mill = (now % 1000_000_000) / 1000_000; long nan = now % 1000_000; return String.format("[%d s, %d ms, %d ns] ", secs, mill, nan); } final ReferenceTracker TRACKER = ReferenceTracker.INSTANCE; private volatile HttpClient sharedClient; static class TestExecutor implements Executor { final AtomicLong tasks = new AtomicLong(); Executor executor; TestExecutor(Executor executor) { this.executor = executor; } @Override public void execute(Runnable command) { long id = tasks.incrementAndGet(); executor.execute(() -> { try { command.run(); } catch (Throwable t) { tasksFailed = true; out.printf(now() + "Task %s failed: %s%n", id, t); err.printf(now() + "Task %s failed: %s%n", id, t); FAILURES.putIfAbsent("Task " + id, t); throw t; } }); } public void shutdown() throws InterruptedException { if (executor instanceof ExecutorService service) { service.shutdown(); service.awaitTermination(1000, TimeUnit.MILLISECONDS); } } } protected boolean stopAfterFirstFailure() { return Boolean.getBoolean("jdk.internal.httpclient.debug"); } final AtomicReference skiptests = new AtomicReference<>(); void checkSkip() { var skip = skiptests.get(); if (skip != null) throw skip; } static String name(ITestResult result) { var params = result.getParameters(); return result.getName() + (params == null ? "()" : Arrays.toString(result.getParameters())); } @BeforeMethod void beforeMethod(ITestContext context) { if (stopAfterFirstFailure() && context.getFailedTests().size() > 0) { if (skiptests.get() == null) { SkipException skip = new SkipException("some tests failed"); skip.setStackTrace(new StackTraceElement[0]); skiptests.compareAndSet(null, skip); } } } @AfterClass static final void printFailedTests(ITestContext context) { out.println("\n========================="); var failed = context.getFailedTests().getAllResults().stream() .collect(Collectors.toMap(r -> name(r), ITestResult::getThrowable)); FAILURES.putAll(failed); try { out.printf("%n%sCreated %d servers and %d clients%n", now(), serverCount.get(), clientCount.get()); if (FAILURES.isEmpty()) return; out.println("Failed tests: "); FAILURES.entrySet().forEach((e) -> { out.printf("\t%s: %s%n", e.getKey(), e.getValue()); e.getValue().printStackTrace(out); }); if (tasksFailed) { out.println("WARNING: Some tasks failed"); } } finally { out.println("\n=========================\n"); } } private HttpClient makeNewClient() { clientCount.incrementAndGet(); return HttpClient.newBuilder() .proxy(NO_PROXY) .executor(executor) .sslContext(sslContext) .build(); } static volatile String lastMethod; HttpClient newHttpClient(String method, boolean share) { if (!share) return TRACKER.track(makeNewClient()); HttpClient shared = sharedClient; String last = lastMethod; if (shared != null && Objects.equals(last, method)) return shared; synchronized (this) { shared = sharedClient; last = lastMethod; if (!Objects.equals(last, method)) { // reset sharedClient to avoid side effects // between methods. This is needed to keep the test // expectation that the first HTTP/2 clear request // will be an upgrade if (shared != null) { TRACKER.track(shared); shared = sharedClient = null; } } if (shared == null) { shared = sharedClient = makeNewClient(); last = lastMethod = method; } return shared; } } static String userAgent() { return "Java-http-client/" + System.getProperty("java.version"); } static final Map> DEFAULTS = Map.of( "USER-AGENT", u -> userAgent(), "HOST", u -> u.getRawAuthority()); static void throwIfNotNull(Throwable throwable) throws Exception { if (throwable instanceof Exception ex) throw ex; if (throwable instanceof Error e) throw e; } @Test(dataProvider = "variants") void test(String uriString, String headerNameAndValue, boolean sameClient) throws Exception { out.println("\n--- Starting test " + now()); int index = headerNameAndValue.indexOf(":"); String name = headerNameAndValue.substring(0, index); String v = headerNameAndValue.substring(index+1).trim(); String key = name.toUpperCase(Locale.ROOT); boolean useDefault = "".equals(v); URI uri = URI.create(uriString+"?name="+key); String value = useDefault ? DEFAULTS.get(key).apply(uri) : v; HttpClient client = null; Tracker tracker = null; Throwable thrown = null; for (int i=0; i< ITERATION_COUNT; i++) { try { if (!sameClient || client == null) { client = newHttpClient("test", sameClient); tracker = TRACKER.getTracker(client); } HttpRequest.Builder requestBuilder = HttpRequest.newBuilder(uri); if (!useDefault) { requestBuilder.header(name, value); } HttpRequest request = requestBuilder.build(); HttpResponse resp = client.send(request, BodyHandlers.ofString()); out.println("Got response: " + resp); out.println("Got body: " + resp.body()); assertEquals(resp.statusCode(), 200, "Expected 200, got:" + resp.statusCode()); boolean isInitialRequest = i == 0; boolean isSecure = uri.getScheme().equalsIgnoreCase("https"); boolean isHTTP2 = resp.version() == HTTP_2; boolean isNotH2CUpgrade = isSecure || (sameClient == true && !isInitialRequest); boolean isDefaultHostHeader = name.equalsIgnoreCase("host") && useDefault; // By default, HTTP/2 sets the `:authority:` pseudo-header, instead // of the `Host` header. Therefore, there should be no "X-Host" // header in the response, except the response to the h2c Upgrade // request which will have been sent through HTTP/1.1. if (isDefaultHostHeader && isHTTP2 && isNotH2CUpgrade) { assertTrue(resp.headers().firstValue("X-" + key).isEmpty()); assertTrue(resp.headers().allValues("X-" + key).isEmpty()); out.println("No X-" + key + " header received, as expected"); } else { String receivedHeaderString = value == null ? null : resp.headers().firstValue("X-" + key).orElse(null); out.println("Got X-" + key + ": " + resp.headers().allValues("X-" + key)); if (value != null) { assertEquals(receivedHeaderString, value); assertEquals(resp.headers().allValues("X-" + key), List.of(value)); } else { assertEquals(resp.headers().allValues("X-" + key).size(), 0); } } } catch (Throwable x) { thrown = x; } finally { if (!sameClient) { client = null; System.gc(); var error = TRACKER.check(tracker, 500); if (error != null) { if (thrown != null) error.addSuppressed(thrown); throw error; } } } throwIfNotNull(thrown); } } @Test(dataProvider = "variants") void testHomeMadeIllegalHeader(String uriString, String headerNameAndValue, boolean sameClient) throws Exception { out.println("\n--- Starting testHomeMadeIllegalHeader " + now()); final URI uri = URI.create(uriString); HttpClient client = newHttpClient("testHomeMadeIllegalHeader", sameClient); Tracker tracker = TRACKER.getTracker(client); Throwable thrown = null; try { // Test a request which contains an illegal header created HttpRequest req = new HttpRequest() { @Override public Optional bodyPublisher() { return Optional.of(BodyPublishers.noBody()); } @Override public String method() { return "GET"; } @Override public Optional timeout() { return Optional.empty(); } @Override public boolean expectContinue() { return false; } @Override public URI uri() { return uri; } @Override public Optional version() { return Optional.empty(); } @Override public HttpHeaders headers() { Map> map = Map.of("upgrade", List.of("http://foo.com")); return HttpHeaders.of(map, (x, y) -> true); } }; try { HttpResponse response = client.send(req, BodyHandlers.ofString()); Assert.fail("Unexpected reply: " + response); } catch (IllegalArgumentException ee) { out.println("Got IAE as expected"); } } catch (Throwable x) { thrown = x; } finally { if (!sameClient) { client = null; System.gc(); var error = TRACKER.check(tracker, 500); if (error != null) { if (thrown != null) error.addSuppressed(thrown); throw error; } } } throwIfNotNull(thrown); } @Test(dataProvider = "variants") void testAsync(String uriString, String headerNameAndValue, boolean sameClient) throws Exception { out.println("\n--- Starting testAsync " + now()); int index = headerNameAndValue.indexOf(":"); String name = headerNameAndValue.substring(0, index); String v = headerNameAndValue.substring(index+1).trim(); String key = name.toUpperCase(Locale.ROOT); boolean useDefault = "".equals(v); URI uri = URI.create(uriString+"?name="+key); String value = useDefault ? DEFAULTS.get(key).apply(uri) : v; HttpClient client = null; Tracker tracker = null; Throwable thrown = null; for (int i=0; i< ITERATION_COUNT; i++) { try { if (!sameClient || client == null) { client = newHttpClient("testAsync", sameClient); tracker = TRACKER.getTracker(client); } HttpRequest.Builder requestBuilder = HttpRequest.newBuilder(uri); if (!useDefault) { requestBuilder.header(name, value); } HttpRequest request = requestBuilder.build(); boolean isInitialRequest = i == 0; boolean isSecure = uri.getScheme().equalsIgnoreCase("https"); boolean isNotH2CUpgrade = isSecure || (sameClient == true && !isInitialRequest); boolean isDefaultHostHeader = name.equalsIgnoreCase("host") && useDefault; client.sendAsync(request, BodyHandlers.ofString()) .thenApply(response -> { out.println("Got response: " + response); out.println("Got body: " + response.body()); assertEquals(response.statusCode(), 200); return response; }) .thenAccept(resp -> { // By default, HTTP/2 sets the `:authority:` pseudo-header, instead // of the `Host` header. Therefore, there should be no "X-Host" // header in the response, except the response to the h2c Upgrade // request which will have been sent through HTTP/1.1. if (isDefaultHostHeader && resp.version() == HTTP_2 && isNotH2CUpgrade) { assertTrue(resp.headers().firstValue("X-" + key).isEmpty()); assertTrue(resp.headers().allValues("X-" + key).isEmpty()); out.println("No X-" + key + " header received, as expected"); } else { String receivedHeaderString = value == null ? null : resp.headers().firstValue("X-" + key).orElse(null); out.println("Got X-" + key + ": " + resp.headers().allValues("X-" + key)); if (value != null) { assertEquals(receivedHeaderString, value); assertEquals(resp.headers().allValues("X-" + key), List.of(value)); } else { assertEquals(resp.headers().allValues("X-" + key).size(), 1); } } }) .join(); } catch (Throwable x) { thrown = x; } finally { if (!sameClient) { client = null; System.gc(); var error = TRACKER.check(tracker, 500); if (error != null) { if (thrown != null) error.addSuppressed(thrown); throw error; } } } throwIfNotNull(thrown); } } static String serverAuthority(HttpTestServer server) { return InetAddress.getLoopbackAddress().getHostName() + ":" + server.getAddress().getPort(); } @BeforeTest public void setup() throws Exception { out.println("--- Starting setup " + now()); sslContext = new SimpleSSLContext().get(); if (sslContext == null) throw new AssertionError("Unexpected null sslContext"); HttpTestHandler handler = new HttpUriStringHandler(); InetSocketAddress sa = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0); httpTestServer = HttpTestServer.of(HttpServer.create(sa, 0)); httpTestServer.addHandler(handler, "/http1"); httpURI = "http://" + serverAuthority(httpTestServer) + "/http1"; HttpsServer httpsServer = HttpsServer.create(sa, 0); httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext)); httpsTestServer = HttpTestServer.of(httpsServer); httpsTestServer.addHandler(handler, "/https1"); httpsURI = "https://" + serverAuthority(httpsTestServer) + "/https1"; http2TestServer = HttpTestServer.of(new Http2TestServer("localhost", false, 0)); http2TestServer.addHandler(handler, "/http2"); http2URI = "http://" + http2TestServer.serverAuthority() + "/http2"; https2TestServer = HttpTestServer.of(new Http2TestServer("localhost", true, sslContext)); https2TestServer.addHandler(handler, "/https2"); https2URI = "https://" + https2TestServer.serverAuthority() + "/https2"; httpTestServer.start(); httpsTestServer.start(); http2TestServer.start(); https2TestServer.start(); } @AfterTest public void teardown() throws Exception { out.println("\n--- Teardown " + now()); HttpClient shared = sharedClient; String sharedClientName = shared == null ? null : shared.toString(); if (shared != null) TRACKER.track(shared); shared = sharedClient = null; Thread.sleep(100); AssertionError fail = TRACKER.check(2500); out.println("--- Stopping servers " + now()); try { httpTestServer.stop(); httpsTestServer.stop(); http2TestServer.stop(); https2TestServer.stop(); executor.shutdown(); } finally { if (fail != null) { if (sharedClientName != null) { err.println("Shared client name is: " + sharedClientName); } throw fail; } } } /** A handler that returns, as its body, the exact received request URI. * The header whose name is in the URI query and is set in the request is * returned in the response with its name prefixed by X- */ static class HttpUriStringHandler implements HttpTestHandler { @Override public void handle(HttpTestExchange t) throws IOException { URI uri = t.getRequestURI(); String uriString = uri.toString(); out.println("HttpUriStringHandler received, uri: " + uriString); String query = uri.getQuery(); String headerName = query.substring(query.indexOf("=")+1).trim(); out.println("HttpUriStringHandler received, headerName: " + headerName + "\n\theaders: " + t.getRequestHeaders()); try (InputStream is = t.getRequestBody(); OutputStream os = t.getResponseBody()) { is.readAllBytes(); byte[] bytes = uriString.getBytes(US_ASCII); t.getRequestHeaders().keySet().stream() .filter(headerName::equalsIgnoreCase) .forEach(h -> { for (String v : t.getRequestHeaders().get(headerName)) { t.getResponseHeaders().addHeader("X-"+h, v); } }); t.sendResponseHeaders(200, bytes.length); os.write(bytes); } } } }