Fix Connection initialization problems (#7)

* Fix pre-population of session ID and CSRF token in Connection
* Identify target server with a `URI` instead of a `String`

Author: labkey-tchad

labkey-client-api/CHANGELOG.md

@@ -1,5 +1,11 @@
 # The LabKey Remote API Library for Java - Change Log
 
+## version 1.3.1 (TBD)
+*Released* : TBD
+
+* Fix pre-population of session ID and CSRF token in Connection
+* Identify target server with a `URI` instead of a `String` 
+
 ## version 1.3.0
 *Released* : 16 June 2020
 

labkey-client-api/build.gradle

@@ -60,7 +60,7 @@ buildDir = new File(project.rootProject.buildDir, "/remoteapi/labkey-api-java")
 
 group "org.labkey.api"
 
-version "1.4.0-SNAPSHOT"
+version "1.3.1-SNAPSHOT"
 
 dependencies {
     api "org.apache.httpcomponents:httpmime:${httpmimeVersion}"

labkey-client-api/src/org/labkey/remoteapi/ApiKeyCredentialsProvider.java

@@ -19,7 +19,7 @@
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.protocol.HttpClientContext;
 
-import java.net.URISyntaxException;
+import java.net.URI;
 
 /**
  * Created by adam on 4/15/2016.
@@ -34,7 +34,7 @@ public ApiKeyCredentialsProvider(String apiKey)
     }
 
     @Override
-    public void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException, URISyntaxException
+    public void configureRequest(URI baseURI, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException
     {
         request.setHeader("apikey", _apiKey);
     }

labkey-client-api/src/org/labkey/remoteapi/BasicAuthCredentialsProvider.java

@@ -25,7 +25,6 @@
 import org.apache.http.impl.client.BasicCredentialsProvider;
 
 import java.net.URI;
-import java.net.URISyntaxException;
 
 /**
  * Created by adam on 4/15/2016.
@@ -42,9 +41,9 @@ public BasicAuthCredentialsProvider(String email, String password)
     }
 
     @Override
-    public void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException, URISyntaxException
+    public void configureRequest(URI baseURI, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException
     {
-        AuthScope scope = new AuthScope(new URI(baseUrl).getHost(), AuthScope.ANY_PORT, AuthScope.ANY_REALM);
+        AuthScope scope = new AuthScope(baseURI.getHost(), AuthScope.ANY_PORT, AuthScope.ANY_REALM);
         BasicCredentialsProvider provider = new BasicCredentialsProvider();
         Credentials credentials = new UsernamePasswordCredentials(_email, _password);
         provider.setCredentials(scope, credentials);

labkey-client-api/src/org/labkey/remoteapi/Command.java

@@ -489,9 +489,7 @@ protected HttpUriRequest createRequest(URI uri)
      */
     protected URI getActionUrl(Connection connection, String folderPath) throws URISyntaxException
     {
-        //start with the connection's base URL
-        // Use a URI so that it correctly encodes each section of the overall URI
-        URI uri = new URI(connection.getBaseUrl().replace('\\','/'));
+        URI uri = connection.getBaseURI();
 
         StringBuilder path = new StringBuilder(uri.getPath() == null || "".equals(uri.getPath()) ? "/" : uri.getPath());
 

labkey-client-api/src/org/labkey/remoteapi/Connection.java

@@ -20,20 +20,19 @@
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.conn.HttpClientConnectionManager;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.cookie.Cookie;
 import org.apache.http.impl.client.BasicCookieStore;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.apache.http.impl.cookie.BasicClientCookie;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.labkey.remoteapi.security.EnsureLoginCommand;
 import org.labkey.remoteapi.security.ImpersonateUserCommand;
 import org.labkey.remoteapi.security.LogoutCommand;
@@ -100,10 +99,13 @@
  */
 public class Connection
 {
+    public static final String X_LABKEY_CSRF = "X-LABKEY-CSRF";
+    public static final String JSESSIONID = "JSESSIONID";
+
     private static final int DEFAULT_TIMEOUT = 60000;    // 60 seconds
     private static final HttpClientConnectionManager _connectionManager = new PoolingHttpClientConnectionManager();
 
-    private final String _baseUrl;
+    private final URI _baseURI;
     private final CredentialsProvider _credentialsProvider;
     private final HttpClientContext _httpClientContext;
 
@@ -113,6 +115,7 @@ public class Connection
     private String _proxyHost;
     private Integer _proxyPort;
     private String _csrf;
+    private String _sessionId;
 
     // The user email when impersonating a user
     private String _impersonateUser;
@@ -121,65 +124,100 @@ public class Connection
     /**
      * Constructs a new Connection object given a base URL and a credentials provider.
      * <p>
-     * The baseUrl parameter should include the protocol, domain name, port,
+     * The baseURI parameter should include the protocol, domain name, port,
      * and LabKey web application context path (if configured). For example
      * in a typical localhost configuration, the base URL would be:
      * </p>
-     * <code>http://localhost:8080/labkey</code>
+     * <code>new URI("http://localhost:8080/labkey")</code>
      * <p>
      * Note that https may also be used for the protocol. By default the
      * Connection is configured to deny self-signed SSL certificates.
      * If you want to accept self-signed certificates, use
      * <code>setAcceptSelfSignedCerts(false)</code> to enable this behavior.
      * </p>
-     * The email name and password should correspond to a valid user email
-     * and password on the target server.
-     * @param baseUrl The base URL
+     * @param baseURI Base URI for this Connection
      * @param credentialsProvider A credentials provider
      */
-    public Connection(String baseUrl, CredentialsProvider credentialsProvider)
+    public Connection(URI baseURI, CredentialsProvider credentialsProvider)
     {
-        _baseUrl = baseUrl;
+        if (baseURI.getHost() == null || baseURI.getScheme() == null)
+        {
+            throw new IllegalArgumentException("Invalid server URL: " + baseURI.toString());
+        }
+        _baseURI = baseURI;
         _credentialsProvider = credentialsProvider;
         _httpClientContext = HttpClientContext.create();
         _httpClientContext.setCookieStore(new BasicCookieStore());
         setAcceptSelfSignedCerts(false);
     }
 
+    /**
+     * Constructs a new Connection object given a base URL and a credentials provider.
+     * <p>
+     * The baseUrl parameter should include the protocol, domain name, port,
+     * and LabKey web application context path (if configured). For example
+     * in a typical localhost configuration, the base URL would be:
+     * </p>
+     * <code>http://localhost:8080/labkey</code>
+     * <p>
+     * @param baseUrl The base URL
+     * @param credentialsProvider A credentials provider
+     * @see #Connection(URI, CredentialsProvider)
+     */
+    public Connection(String baseUrl, CredentialsProvider credentialsProvider)
+    {
+        this(toURI(baseUrl), credentialsProvider);
+    }
+
     /**
      * Constructs a new Connection object with a base URL that attempts authentication via .netrc/_netrc entry, if present.
      * If not present, connects as guest.
      * @param baseUrl The base URL
      * @throws URISyntaxException if the given url is not a valid URI
      * @throws IOException if there are problems reading the credentials
-     * @see #Connection(String, CredentialsProvider)
+     * @see NetrcCredentialsProvider
+     * @see #Connection(URI, CredentialsProvider)
      */
     public Connection(String baseUrl) throws URISyntaxException, IOException
     {
-        this(baseUrl, new NetrcCredentialsProvider(new URI(baseUrl)));
+        this(toURI(baseUrl), new NetrcCredentialsProvider(toURI(baseUrl)));
     }
 
     /**
      * Constructs a new Connection object for a base URL that attempts basic authentication.
      * <p>
      * This is equivalent to calling <code>Connection(baseUrl, new BasicAuthCredentialsProvider(email, password))</code>.
+     * The email and password should correspond to a valid user email
+     * and password on the target server.
      * @param baseUrl The base URL
      * @param email The user email address to pass for authentication
      * @param password The user password to send for authentication
-     * @see #Connection(String, CredentialsProvider)
+     * @see BasicAuthCredentialsProvider#BasicAuthCredentialsProvider(String, String)
+     * @see #Connection(URI, CredentialsProvider)
      */
     public Connection(String baseUrl, String email, String password)
     {
-        this(baseUrl, new BasicAuthCredentialsProvider(email, password));
+        this(toURI(baseUrl), new BasicAuthCredentialsProvider(email, password));
     }
 
     /**
      * Returns the base URL for this connection.
      * @return The base URL.
+     * @deprecated Use {@link #getBaseURI()}
      */
+    @Deprecated
     public String getBaseUrl()
     {
-        return _baseUrl;
+        return _baseURI.toString();
+    }
+
+    /**
+     * Returns the base URI for this connection.
+     * @return The target LabKey instance's base URI
+     */
+    public URI getBaseURI()
+    {
+        return _baseURI;
     }
 
     /**
@@ -228,11 +266,15 @@ protected HttpClientBuilder clientBuilder()
         return builder;
     }
 
-
-
-    protected void beforeExecute(HttpRequest request) throws IOException, CommandException
+    /**
+     * If necessary, prime the Connection for non-GET requests.
+     * Executes a dummy command to trigger authentication and populate CSRF and session info.
+     * @param request HttpRequest that is about to be executed
+     */
+    protected void beforeExecute(HttpRequest request)
     {
-        if (null == _csrf && request instanceof HttpPost)
+        if (null == _csrf &&
+                request instanceof HttpRequestBase && !"GET".equals(((HttpRequestBase) request).getMethod()))
         {
             // make a request to get a JSESSIONID
             try
@@ -244,7 +286,9 @@ protected void beforeExecute(HttpRequest request) throws IOException, CommandExc
             }
         }
         if (null != _csrf)
-            request.setHeader("X-LABKEY-CSRF", _csrf);
+            request.setHeader(X_LABKEY_CSRF, _csrf);
+        if (null != _sessionId)
+            request.setHeader(JSESSIONID, _sessionId);
     }
 
 
@@ -253,8 +297,11 @@ protected void afterExecute()
         // Always update our CSRF token as the session may be new since our last request
         for (Cookie c : _httpClientContext.getCookieStore().getCookies())
         {
-            if ("JSESSIONID".equals(c.getName()))
+            if (X_LABKEY_CSRF.equals(c.getName()))
                 _csrf = c.getValue();
+
+            if (JSESSIONID.equals(c.getName()))
+                _sessionId = c.getValue();
         }
     }
 
@@ -354,10 +401,10 @@ public Connection stopImpersonate() throws IOException, CommandException
         return this;
     }
 
-    CloseableHttpResponse executeRequest(HttpUriRequest request, Integer timeout) throws IOException, URISyntaxException, AuthenticationException, CommandException
+    CloseableHttpResponse executeRequest(HttpUriRequest request, Integer timeout) throws IOException, URISyntaxException, AuthenticationException
     {
         // Delegate authentication setup to CredentialsProvider
-        _credentialsProvider.configureRequest(getBaseUrl(), request, _httpClientContext);
+        _credentialsProvider.configureRequest(getBaseURI(), request, _httpClientContext);
 
         CloseableHttpClient client = getHttpClient();
 
@@ -462,7 +509,37 @@ public Connection addCookie(String name, String value, String domain, String pat
         cookie.setExpiryDate(expiry);
         cookie.setSecure(isSecure);
         _httpClientContext.getCookieStore().addCookie(cookie);
+
+        // Don't use session info from different server
+        if (combineHostPath(_baseURI.getHost(), _baseURI.getPath()).equals(combineHostPath(domain, path)))
+        {
+            if (X_LABKEY_CSRF.equals(name))
+                _csrf = value;
+            if (JSESSIONID.equals(name))
+                _sessionId = value;
+        }
+
         return this;
     }
 
+    private String combineHostPath(String host, String path)
+    {
+        String hostPath = (host == null ? "" : host.trim()) + (path == null ? "" : path.trim());
+        return hostPath.replaceAll("//+", "/").replaceFirst("/$", "");
+    }
+
+    /**
+     * Utility method to construct a URI without modifying constructor signature
+     */
+    private static URI toURI(String baseUrl)
+    {
+        try
+        {
+            return new URI(baseUrl);
+        }
+        catch (URISyntaxException e)
+        {
+            throw new IllegalArgumentException("Invalid target server URL: " + baseUrl);
+        }
+    }
 }

labkey-client-api/src/org/labkey/remoteapi/CredentialsProvider.java

@@ -19,12 +19,22 @@
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.protocol.HttpClientContext;
 
+import java.net.URI;
 import java.net.URISyntaxException;
 
 /**
  * Created by adam on 4/15/2016.
  */
 public interface CredentialsProvider
 {
-    void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException, URISyntaxException;
+    /**
+     * @deprecated Use {@link #configureRequest(URI, HttpUriRequest, HttpClientContext)}
+     */
+    @Deprecated
+    default void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException, URISyntaxException
+    {
+        configureRequest(new URI(baseUrl), request, httpClientContext);
+    }
+
+    void configureRequest(URI baseURI, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException;
 }

labkey-client-api/src/org/labkey/remoteapi/GuestCredentialsProvider.java

@@ -18,18 +18,18 @@
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.protocol.HttpClientContext;
 
-/**
- * Created by adam on 4/15/2016.
- */
+import java.net.URI;
 
 /**
+ * Created by adam on 4/15/2016.
+ *
  * A credentials provider that provides no credentials. Connections using
  * this provider will be granted guest access only.
  */
 public class GuestCredentialsProvider implements CredentialsProvider
 {
     @Override
-    public void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext)
+    public void configureRequest(URI baseURI, HttpUriRequest request, HttpClientContext httpClientContext)
     {
         httpClientContext.setCredentialsProvider(null);
         request.removeHeaders("Authenticate");

labkey-client-api/src/org/labkey/remoteapi/NetrcCredentialsProvider.java

@@ -21,14 +21,11 @@
 
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 
 
 /**
  * Created by adam on 4/15/2016.
- */
-
-/**
+ *
  * Attempts to find a .netrc or _netrc file and entry for the given host. If found, it will attempt basic auth using
  * the email and password in the entry. If file or entry are not found, it connects as guest.
  */
@@ -65,8 +62,8 @@ public NetrcCredentialsProvider(String host) throws IOException
     }
 
     @Override
-    public void configureRequest(String baseUrl, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException, URISyntaxException
+    public void configureRequest(URI baseURI, HttpUriRequest request, HttpClientContext httpClientContext) throws AuthenticationException
     {
-        _wrappedCredentialsProvider.configureRequest(baseUrl, request, httpClientContext);
+        _wrappedCredentialsProvider.configureRequest(baseURI, request, httpClientContext);
     }
 }