# This is a combination of 3 commits.

# This is the 1st commit message:

Added HTTP authentication to HTTPServer

Signed-off-by: Doug Hoard <doug.hoard@gmail.com>

# This is the commit message #2:

Added BasicAuthenticator for HTTPServer

Signed-off-by: Doug Hoard <doug.hoard@gmail.com>

# This is the commit message #3:

Simplified code

Author: dhoard

simpleclient_httpserver/pom.xml

@@ -56,5 +56,11 @@
             <version>2.6.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

simpleclient_httpserver/src/main/java/io/prometheus/client/exporter/HTTPServer.java

@@ -26,6 +26,8 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.zip.GZIPOutputStream;
 
+import com.sun.net.httpserver.Authenticator;
+import com.sun.net.httpserver.HttpContext;
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;
@@ -195,6 +197,7 @@ public static class Builder {
         private boolean daemon = false;
         private Predicate<String> sampleNameFilter;
         private Supplier<Predicate<String>> sampleNameFilterSupplier;
+        private Authenticator authenticator;
 
         /**
          * Port to bind to. Must not be called together with {@link #withInetSocketAddress(InetSocketAddress)}
@@ -286,6 +289,18 @@ public Builder withRegistry(CollectorRegistry registry) {
             return this;
         }
 
+        /**
+         * Optional: {@link Authenticator} to use to support authentication.
+         */
+        public Builder withAuthenticator(Authenticator authenticator) {
+            this.authenticator = authenticator;
+            return this;
+        }
+
+        /**
+         * Build the HTTPServer
+         * @throws IOException
+         */
         public HTTPServer build() throws IOException {
             if (sampleNameFilter != null) {
                 assertNull(sampleNameFilterSupplier, "cannot configure 'sampleNameFilter' and 'sampleNameFilterSupplier' at the same time");
@@ -296,7 +311,7 @@ public HTTPServer build() throws IOException {
                 assertNull(hostname, "cannot configure 'httpServer' and 'hostname' at the same time");
                 assertNull(inetAddress, "cannot configure 'httpServer' and 'inetAddress' at the same time");
                 assertNull(inetSocketAddress, "cannot configure 'httpServer' and 'inetSocketAddress' at the same time");
-                return new HTTPServer(httpServer, registry, daemon, sampleNameFilterSupplier);
+                return new HTTPServer(httpServer, registry, daemon, sampleNameFilterSupplier, authenticator);
             } else if (inetSocketAddress != null) {
                 assertZero(port, "cannot configure 'inetSocketAddress' and 'port' at the same time");
                 assertNull(hostname, "cannot configure 'inetSocketAddress' and 'hostname' at the same time");
@@ -309,7 +324,7 @@ public HTTPServer build() throws IOException {
             } else {
                 inetSocketAddress = new InetSocketAddress(port);
             }
-            return new HTTPServer(HttpServer.create(inetSocketAddress, 3), registry, daemon, sampleNameFilterSupplier);
+            return new HTTPServer(HttpServer.create(inetSocketAddress, 3), registry, daemon, sampleNameFilterSupplier, authenticator);
         }
 
         private void assertNull(Object o, String msg) {
@@ -330,7 +345,7 @@ private void assertZero(int i, String msg) {
      * The {@code httpServer} is expected to already be bound to an address
      */
     public HTTPServer(HttpServer httpServer, CollectorRegistry registry, boolean daemon) throws IOException {
-        this(httpServer, registry, daemon, null);
+        this(httpServer, registry, daemon, null, null);
     }
 
     /**
@@ -375,15 +390,24 @@ public HTTPServer(String host, int port) throws IOException {
         this(new InetSocketAddress(host, port), CollectorRegistry.defaultRegistry, false);
     }
 
-    private HTTPServer(HttpServer httpServer, CollectorRegistry registry, boolean daemon, Supplier<Predicate<String>> sampleNameFilterSupplier) {
+    private HTTPServer(HttpServer httpServer, CollectorRegistry registry, boolean daemon, Supplier<Predicate<String>> sampleNameFilterSupplier, Authenticator authenticator) {
         if (httpServer.getAddress() == null)
             throw new IllegalArgumentException("HttpServer hasn't been bound to an address");
 
         server = httpServer;
         HttpHandler mHandler = new HTTPMetricHandler(registry, sampleNameFilterSupplier);
-        server.createContext("/", mHandler);
-        server.createContext("/metrics", mHandler);
-        server.createContext("/-/healthy", mHandler);
+        HttpContext mContext = server.createContext("/", mHandler);
+        if (authenticator != null) {
+            mContext.setAuthenticator(authenticator);
+        }
+        mContext = server.createContext("/metrics", mHandler);
+        if (authenticator != null) {
+            mContext.setAuthenticator(authenticator);
+        }
+        mContext = server.createContext("/-/healthy", mHandler);
+        if (authenticator != null) {
+            mContext.setAuthenticator(authenticator);
+        }
         executorService = Executors.newFixedThreadPool(5, NamedDaemonThreadFactory.defaultThreadFactory(daemon));
         server.setExecutor(executorService);
         start(daemon);

simpleclient_httpserver/src/main/java/io/prometheus/client/exporter/HTTPServerBasicAuthenticator.java

@@ -0,0 +1,38 @@
+package io.prometheus.client.exporter;
+
+/**
+ * Basic HTTP authenticator
+ */
+public class HTTPServerBasicAuthenticator extends com.sun.net.httpserver.BasicAuthenticator {
+
+    private static final String REALM = "/";
+
+    private String username;
+    private String password;
+
+    public HTTPServerBasicAuthenticator(String username, String password) {
+        super(REALM);
+
+        if ((username == null) || (username.trim().length() == 0)) {
+            throw new IllegalArgumentException("username is null or empty");
+        }
+
+        if ((password == null) || (password.trim().length() == 0)) {
+            throw new IllegalArgumentException("password is null or empty");
+        }
+
+        this.username = username;
+        this.password = password;
+    }
+
+    /**
+     * Check username and password
+     * @param username
+     * @param password
+     * @return
+     */
+    @Override
+    public boolean checkCredentials(String username, String password) {
+        return (this.username.equals(username) && this.password.equals(password));
+    }
+}

simpleclient_httpserver/src/test/java/io/prometheus/client/exporter/TestHTTPServer.java

@@ -4,16 +4,20 @@
 import io.prometheus.client.Gauge;
 import io.prometheus.client.CollectorRegistry;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.net.InetSocketAddress;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Scanner;
 import java.util.zip.GZIPInputStream;
 
 import io.prometheus.client.SampleNameFilter;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import javax.xml.bind.DatatypeConverter;
+
 import static org.assertj.core.api.Java6Assertions.assertThat;
 
 public class TestHTTPServer {
@@ -67,6 +71,30 @@ String requestWithAccept(HTTPServer s, String accept) throws IOException {
     return scanner.hasNext() ? scanner.next() : "";
   }
 
+  String requestWithCredentials(HTTPServer httpServer, String context, String suffix, String username, String password) throws IOException {
+    String url = "http://localhost:" + httpServer.server.getAddress().getPort() + context + suffix;
+    URLConnection connection = new URL(url).openConnection();
+    connection.setDoOutput(true);
+    if (username != null && password != null) {
+      connection.setRequestProperty("Authorization", encodeCredentials(username, password));
+    }
+    connection.connect();
+    Scanner s = new Scanner(connection.getInputStream(), "UTF-8").useDelimiter("\\A");
+    return s.hasNext() ? s.next() : "";
+  }
+
+  String encodeCredentials(String user, String password) {
+    // Per RFC4648 table 2. We support Java 6, and java.util.Base64 was only added in Java 8,
+    try {
+      byte[] credentialsBytes = (user + ":" + password).getBytes("UTF-8");
+      String encoded = DatatypeConverter.printBase64Binary(credentialsBytes);
+      encoded = String.format("Basic %s", encoded);
+      return encoded;
+    } catch (UnsupportedEncodingException e) {
+      throw new IllegalArgumentException(e);
+    }
+  }
+
   @Test(expected = IllegalArgumentException.class)
   public void testRefuseUsingUnbound() throws IOException {
     CollectorRegistry registry = new CollectorRegistry();
@@ -202,4 +230,59 @@ public void testHealthGzipCompression() throws IOException {
       s.close();
     }
   }
+
+  @Test
+  public void testBasicAuthSuccess() throws IOException {
+    String username = "user";
+    String password = "secret";
+    HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator(username, password);
+    HTTPServer s = new HTTPServer.Builder()
+            .withRegistry(registry)
+            .withAuthenticator(authenticator)
+            .build();
+    try {
+      String response = requestWithCredentials(s, "/metrics","?name[]=a&name[]=b", "user", "secret");
+      assertThat(response).contains("a 0.0");
+    } finally {
+      s.close();
+    }
+  }
+
+  @Test
+  public void testBasicAuthCredentialsMissing() throws IOException {
+    String username = "user";
+    String password = "secret";
+    HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator(username, password);
+    HTTPServer s = new HTTPServer.Builder()
+            .withRegistry(registry)
+            .withAuthenticator(authenticator)
+            .build();
+    try {
+      request(s, "/metrics", "?name[]=a&name[]=b");
+      Assert.fail("expected IOException with HTTP 401");
+    } catch (IOException e) {
+      Assert.assertTrue(e.getMessage().contains("401"));
+    } finally {
+      s.close();
+    }
+  }
+
+  @Test
+  public void testBasicAuthWrongCredentials() throws IOException {
+    String username = "user";
+    String password = "secret";
+    HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator(username, password);
+    HTTPServer s = new HTTPServer.Builder()
+            .withRegistry(registry)
+            .withAuthenticator(authenticator)
+            .build();
+    try {
+      requestWithCredentials(s, "/metrics", "?name[]=a&name[]=b", username, "wrong");
+      Assert.fail("expected IOException with HTTP 401");
+    } catch (IOException e) {
+      Assert.assertTrue(e.getMessage().contains("401"));
+    } finally {
+      s.close();
+    }
+  }
 }

simpleclient_httpserver/src/test/java/io/prometheus/client/exporter/TestHTTPServerBasicAuthenticator.java

@@ -0,0 +1,68 @@
+package io.prometheus.client.exporter;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.assertj.core.api.Java6Assertions.assertThat;
+
+public class TestHTTPServerBasicAuthenticator {
+
+    @Test
+    public void testUsernameAndPassword() {
+        HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator("test", "secret");
+        Assert.assertTrue(authenticator.checkCredentials("test", "secret"));
+    }
+
+    @Test
+    public void testWrongUsername() {
+        HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator("test", "secret");
+
+        Assert.assertFalse(authenticator.checkCredentials("wrong", "secret"));
+    }
+
+    @Test
+    public void testWrongPassword() {
+        HTTPServerBasicAuthenticator authenticator = new HTTPServerBasicAuthenticator("test", "secret");
+        Assert.assertFalse(authenticator.checkCredentials("test", "wrong"));
+    }
+
+    @Test
+    public void testNullUsername() {
+        try {
+            new HTTPServerBasicAuthenticator(null, "secret");
+            Assert.fail("Expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertThat(e.getMessage().contains("username is null or empty"));
+        }
+    }
+
+    @Test
+    public void testEmptyUsername() {
+        try {
+            new HTTPServerBasicAuthenticator("", "secret");
+            Assert.fail("Expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertThat(e.getMessage().contains("username is null or empty"));
+        }
+    }
+
+    @Test
+    public void testNullPassword() {
+        try {
+            new HTTPServerBasicAuthenticator("test", null);
+            Assert.fail("Expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertThat(e.getMessage().contains("password is null or empty"));
+        }
+    }
+
+    @Test
+    public void testEmptyPassword() {
+        try {
+            new HTTPServerBasicAuthenticator("test", "");
+            Assert.fail("Expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertThat(e.getMessage().contains("password is null or empty"));
+        }
+    }
+}