Proxyv2 (#306)

* Move all public proxy types to proxy.h
* Add support for proxy strategies - polymorphic policies for proxy connection and authentication. Existing auth configuration still works (by injecting the appropriate strategy internally) but is deprecated.
* Add backwards-compatible support for explicitly requesting tunneling vs. forwarding proxy connections.
* Add support for synchronous ntlm and kerberos proxy authentication via callbacks to gather necessary tokens

Co-authored-by: Abhishek Jain <61713632+ajainaus@users.noreply.github.com>

Author: bretambrose

include/aws/http/connection.h

@@ -121,54 +121,6 @@ struct aws_http_connection_monitoring_options {
     uint32_t allowable_throughput_failure_interval_seconds;
 };
 
-/**
- * Supported proxy authentication modes
- */
-enum aws_http_proxy_authentication_type {
-    AWS_HPAT_NONE = 0,
-    AWS_HPAT_BASIC,
-};
-
-/**
- * Options for http proxy server usage
- */
-struct aws_http_proxy_options {
-
-    /**
-     * Proxy host to connect to, in lieu of actual target
-     */
-    struct aws_byte_cursor host;
-
-    /**
-     * Port to make the proxy connection to
-     */
-    uint16_t port;
-
-    /**
-     * Optional.
-     * TLS configuration for the Local <-> Proxy connection
-     * Must be distinct from the the TLS options in the parent aws_http_connection_options struct
-     */
-    const struct aws_tls_connection_options *tls_options;
-
-    /**
-     * What type of proxy authentication to use, if any
-     */
-    enum aws_http_proxy_authentication_type auth_type;
-
-    /**
-     * Optional
-     * User name to use for authentication, basic only
-     */
-    struct aws_byte_cursor auth_username;
-
-    /**
-     * Optional
-     * Password to use for authentication, basic only
-     */
-    struct aws_byte_cursor auth_password;
-};
-
 /**
  * Options specific to HTTP/1.x connections.
  * Initialize with AWS_HTTP1_CONNECTION_OPTIONS_INIT to set default values.
@@ -482,6 +434,12 @@ enum aws_http_version aws_http_connection_get_version(const struct aws_http_conn
 AWS_HTTP_API
 struct aws_channel *aws_http_connection_get_channel(struct aws_http_connection *connection);
 
+/**
+ * Checks http proxy options for correctness
+ */
+AWS_HTTP_API
+int aws_http_options_validate_proxy_configuration(const struct aws_http_client_connection_options *options);
+
 /**
  * Send a SETTINGS frame (HTTP/2 only).
  * SETTINGS will be applied locally when SETTINGS ACK is received from peer.

include/aws/http/http.h

@@ -36,7 +36,7 @@ enum aws_http_errors {
     AWS_ERROR_HTTP_CONNECTION_MANAGER_INVALID_STATE_FOR_ACQUIRE,
     AWS_ERROR_HTTP_CONNECTION_MANAGER_VENDED_CONNECTION_UNDERFLOW,
     AWS_ERROR_HTTP_SERVER_CLOSED,
-    AWS_ERROR_HTTP_PROXY_TLS_CONNECT_FAILED,
+    AWS_ERROR_HTTP_PROXY_CONNECT_FAILED,
     AWS_ERROR_HTTP_CONNECTION_MANAGER_SHUTTING_DOWN,
     AWS_ERROR_HTTP_CHANNEL_THROUGHPUT_FAILURE,
     AWS_ERROR_HTTP_PROTOCOL_ERROR,
@@ -46,6 +46,9 @@ enum aws_http_errors {
     AWS_ERROR_HTTP_RST_STREAM_SENT,
     AWS_ERROR_HTTP_STREAM_NOT_ACTIVATED,
     AWS_ERROR_HTTP_STREAM_HAS_COMPLETED,
+    AWS_ERROR_HTTP_PROXY_STRATEGY_NTLM_CHALLENGE_TOKEN_MISSING,
+    AWS_ERROR_HTTP_PROXY_STRATEGY_TOKEN_RETRIEVAL_FAILURE,
+    AWS_ERROR_HTTP_PROXY_CONNECT_FAILED_RETRYABLE,
 
     AWS_ERROR_HTTP_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_HTTP_PACKAGE_ID)
 };
@@ -79,6 +82,7 @@ enum aws_http_log_subject {
     AWS_LS_HTTP_CONNECTION_MANAGER,
     AWS_LS_HTTP_WEBSOCKET,
     AWS_LS_HTTP_WEBSOCKET_SETUP,
+    AWS_LS_HTTP_PROXY_NEGOTIATION,
 };
 
 enum aws_http_version {

include/aws/http/private/proxy_impl.h

@@ -9,11 +9,20 @@
 #include <aws/http/http.h>
 
 #include <aws/http/connection.h>
+#include <aws/http/proxy.h>
+#include <aws/http/status_code.h>
+#include <aws/io/socket.h>
 
+struct aws_http_connection_manager_options;
 struct aws_http_message;
 struct aws_channel_slot;
 struct aws_string;
 struct aws_tls_connection_options;
+struct aws_http_proxy_negotiator;
+struct aws_http_proxy_strategy;
+struct aws_http_proxy_strategy_tunneling_sequence_options;
+struct aws_http_proxy_strategy_tunneling_kerberos_options;
+struct aws_http_proxy_strategy_tunneling_ntlm_options;
 
 /*
  * (Successful) State transitions for proxy connections
@@ -37,17 +46,15 @@ struct aws_http_proxy_config {
 
     struct aws_allocator *allocator;
 
+    enum aws_http_proxy_connection_type connection_type;
+
     struct aws_byte_buf host;
 
     uint16_t port;
 
     struct aws_tls_connection_options *tls_options;
 
-    enum aws_http_proxy_authentication_type auth_type;
-
-    struct aws_byte_buf auth_username;
-
-    struct aws_byte_buf auth_password;
+    struct aws_http_proxy_strategy *proxy_strategy;
 };
 
 /*
@@ -61,19 +68,31 @@ struct aws_http_proxy_config {
 struct aws_http_proxy_user_data {
     struct aws_allocator *allocator;
 
+    /*
+     * dynamic proxy connection resolution state
+     */
     enum aws_proxy_bootstrap_state state;
     int error_code;
+    enum aws_http_status_code connect_status_code;
     struct aws_http_connection *connection;
     struct aws_http_message *connect_request;
     struct aws_http_stream *connect_stream;
+    struct aws_http_proxy_negotiator *proxy_negotiator;
 
+    /*
+     * Cached original connect options
+     */
     struct aws_string *original_host;
     uint16_t original_port;
     aws_http_on_client_connection_setup_fn *original_on_setup;
     aws_http_on_client_connection_shutdown_fn *original_on_shutdown;
     void *original_user_data;
 
     struct aws_tls_connection_options *tls_options;
+    struct aws_client_bootstrap *bootstrap;
+    struct aws_socket_options socket_options;
+    bool manual_window_management;
+    size_t initial_window_size;
 
     struct aws_http_proxy_config *proxy_config;
 };
@@ -103,18 +122,81 @@ int aws_http_rewrite_uri_for_proxy_request(
 AWS_HTTP_API
 void aws_http_proxy_system_set_vtable(struct aws_http_proxy_system_vtable *vtable);
 
+/**
+ * Checks if tunneling proxy negotiation should continue to try and connect
+ * @param proxy_negotiator negotiator to query
+ * @return true if another connect request should be attempted, false otherwise
+ */
+AWS_HTTP_API
+enum aws_http_proxy_negotiation_retry_directive aws_http_proxy_negotiator_get_retry_directive(
+    struct aws_http_proxy_negotiator *proxy_negotiator);
+
+/**
+ * Constructor for a tunnel-only proxy strategy that applies no changes to outbound CONNECT requests.  Intended to be
+ * the first link in an adaptive sequence for a tunneling proxy: first try a basic CONNECT, then based on the response,
+ * later links are allowed to make attempts.
+ *
+ * @param allocator memory allocator to use
+ * @return a new proxy strategy if successfully constructed, otherwise NULL
+ */
+AWS_HTTP_API
+struct aws_http_proxy_strategy *aws_http_proxy_strategy_new_tunneling_one_time_identity(
+    struct aws_allocator *allocator);
+
+/**
+ * Constructor for a forwarding-only proxy strategy that does nothing. Exists so that all proxy logic uses a
+ * strategy.
+ *
+ * @param allocator memory allocator to use
+ * @return a new proxy strategy if successfully constructed, otherwise NULL
+ */
+AWS_HTTP_API
+struct aws_http_proxy_strategy *aws_http_proxy_strategy_new_forwarding_identity(struct aws_allocator *allocator);
+
+/**
+ * Constructor for a tunneling proxy strategy that contains a set of sub-strategies which are tried
+ * sequentially in order.  Each strategy has the choice to either proceed on a fresh connection or
+ * reuse the current one.
+ *
+ * @param allocator memory allocator to use
+ * @param config sequence configuration options
+ * @return a new proxy strategy if successfully constructed, otherwise NULL
+ */
 AWS_HTTP_API
-struct aws_http_proxy_config *aws_http_proxy_config_new(
+struct aws_http_proxy_strategy *aws_http_proxy_strategy_new_tunneling_sequence(
     struct aws_allocator *allocator,
-    const struct aws_http_proxy_options *options);
+    struct aws_http_proxy_strategy_tunneling_sequence_options *config);
 
+/**
+ * A constructor for a proxy strategy that performs kerberos authentication by adding the appropriate
+ * header and header value to CONNECT requests.
+ *
+ * Currently only supports synchronous fetch of kerberos token values.
+ *
+ * @param allocator memory allocator to use
+ * @param config kerberos authentication configuration info
+ * @return a new proxy strategy if successfully constructed, otherwise NULL
+ */
 AWS_HTTP_API
-void aws_http_proxy_config_destroy(struct aws_http_proxy_config *config);
+struct aws_http_proxy_strategy *aws_http_proxy_strategy_new_tunneling_kerberos(
+    struct aws_allocator *allocator,
+    struct aws_http_proxy_strategy_tunneling_kerberos_options *config);
 
+/**
+ * Constructor for an NTLM proxy strategy.  Because ntlm is a challenge-response authentication protocol, this
+ * strategy will only succeed in a chain in a non-leading position.  The strategy extracts the challenge from the
+ * proxy's response to a previous CONNECT request in the chain.
+ *
+ * Currently only supports synchronous fetch of token values.
+ *
+ * @param allocator memory allocator to use
+ * @param config configuration options for the strategy
+ * @return a new proxy strategy if successfully constructed, otherwise NULL
+ */
 AWS_HTTP_API
-void aws_http_proxy_options_init_from_config(
-    struct aws_http_proxy_options *options,
-    const struct aws_http_proxy_config *config);
+struct aws_http_proxy_strategy *aws_http_proxy_strategy_new_tunneling_ntlm(
+    struct aws_allocator *allocator,
+    struct aws_http_proxy_strategy_tunneling_ntlm_options *config);
 
 AWS_EXTERN_C_END