Changeset 19345 in josm

Timestamp:

2025-03-10T17:38:42+01:00 (8 months ago)

Author:

stoecker

Message:

don't send authentication oinformation to wrong server, fix #24149, patch by ssundell

Location:

trunk

Files:

• src/org/openstreetmap/josm/io/OsmApi.java (modified) (1 diff)
• src/org/openstreetmap/josm/io/OsmServerReader.java (modified) (1 diff)
• src/org/openstreetmap/josm/io/auth/AbstractCredentialsAgent.java (modified) (5 diffs)
• src/org/openstreetmap/josm/io/auth/CredentialsAgent.java (modified) (1 diff)
• src/org/openstreetmap/josm/io/auth/CredentialsManager.java (modified) (3 diffs)
• test/unit/org/openstreetmap/josm/io/auth/CredentialsManagerTest.java (modified) (2 diffs)

trunk/src/org/openstreetmap/josm/io/OsmApi.java

@@ -825 +825 @@
                 case HttpURLConnection.HTTP_UNAUTHORIZED:
                 case HttpURLConnection.HTTP_FORBIDDEN:
-                    CredentialsManager.getInstance().purgeCredentialsCache(RequestorType.SERVER);
+                    CredentialsManager.getInstance().purgeCredentialsCache(RequestorType.SERVER, getHost());
                     throw new OsmApiException(retCode, errorHeader, errorBody, activeConnection.getURL().toString(),
                             doAuthenticate ? retrieveBasicAuthorizationLogin(client) : null, response.getContentType());

trunk/src/org/openstreetmap/josm/io/OsmServerReader.java

@@ -208 +208 @@
             try {
                 if (response.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
-                    CredentialsManager.getInstance().purgeCredentialsCache(RequestorType.SERVER);
+                    CredentialsManager.getInstance().purgeCredentialsCache(RequestorType.SERVER, OsmApi.getOsmApi().getHost());
                     throw new OsmApiException(HttpURLConnection.HTTP_UNAUTHORIZED, null, null);
                 }

trunk/src/org/openstreetmap/josm/io/auth/AbstractCredentialsAgent.java

@@ -4 +4 @@
 import java.net.Authenticator.RequestorType;
 import java.net.PasswordAuthentication;
-import java.util.EnumMap;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
 
 import org.openstreetmap.josm.tools.Logging;
+import org.openstreetmap.josm.tools.Pair;
 
 /**
@@ -48 +49 @@
     }
 
-    protected Map<RequestorType, PasswordAuthentication> memoryCredentialsCache = new EnumMap<>(RequestorType.class);
+    protected Map<Pair<RequestorType, String>, PasswordAuthentication> memoryCredentialsCache = new HashMap<>();
 
     @Override
@@ -65 +66 @@
          * -> Try to recall credentials that have been entered manually in this session.
          */
-        if (!noSuccessWithLastResponse && memoryCredentialsCache.containsKey(requestorType) &&
+        Pair<RequestorType, String> mccKey = Pair.create(requestorType, host);
+        if (!noSuccessWithLastResponse && memoryCredentialsCache.containsKey(mccKey) &&
                 (credentials == null || credentials.getPassword() == null || credentials.getPassword().length == 0)) {
-            PasswordAuthentication pa = memoryCredentialsCache.get(requestorType);
+            PasswordAuthentication pa = memoryCredentialsCache.get(mccKey);
             response.setUsername(pa.getUserName());
             response.setPassword(pa.getPassword());
@@ -89 +91 @@
             } else {
                 // User decides not to save credentials to file. Keep it in memory so we don't have to ask over and over again.
-                memoryCredentialsCache.put(requestorType, new PasswordAuthentication(response.getUsername(), response.getPassword()));
+                memoryCredentialsCache.put(mccKey, new PasswordAuthentication(response.getUsername(), response.getPassword()));
             }
         } else {
@@ -102 +104 @@
     @Override
     public final void purgeCredentialsCache(RequestorType requestorType) {
-        memoryCredentialsCache.remove(requestorType);
+        memoryCredentialsCache.keySet().removeIf(pair -> pair.a == requestorType);
+    }
+
+    @Override
+    public void purgeCredentialsCache(RequestorType requestorType, String host) {
+        memoryCredentialsCache.remove(Pair.create(requestorType, host));
     }
 

trunk/src/org/openstreetmap/josm/io/auth/CredentialsAgent.java

@@ -84 +84 @@
      * Purges the internal credentials cache for the given requestor type.
      * @param requestorType the type of service.
-     * {@link RequestorType#SERVER} for the OSM API server, {@link RequestorType#PROXY} for a proxy server
+     * {@link RequestorType#PROXY} for a proxy server, {@link RequestorType#SERVER} for other servers.
      * @since 12992
      */
     void purgeCredentialsCache(RequestorType requestorType);
+
+    /**
+     * Purges the internal credentials cache for the given requestor type and host.
+     * @param requestorType the type of service.
+     * @param host the host.
+     * {@link RequestorType#PROXY} for a proxy server, {@link RequestorType#SERVER} for other servers.
+     */
+    default void purgeCredentialsCache(RequestorType requestorType, String host) {
+        purgeCredentialsCache(requestorType);
+    }
 
     /**

trunk/src/org/openstreetmap/josm/io/auth/CredentialsManager.java

@@ -134 +134 @@
         }
         // see #11914: clear cache before we store new value
-        purgeCredentialsCache(requestorType);
+        purgeCredentialsCache(requestorType, host);
         delegate.store(requestorType, host, credentials);
     }
@@ -142 +142 @@
             throws CredentialsAgentException {
         CredentialsAgentResponse credentials = delegate.getCredentials(requestorType, host, noSuccessWithLastResponse);
-        if (requestorType == RequestorType.SERVER) {
+        if (requestorType == RequestorType.SERVER && Objects.equals(OsmApi.getOsmApi().getHost(), host)) {
             // see #11914 : Keep UserIdentityManager up to date
             String userName = credentials.getUsername();
@@ -175 +175 @@
         delegate.purgeCredentialsCache(requestorType);
     }
+
+    @Override
+    public void purgeCredentialsCache(RequestorType requestorType, String host) {
+        delegate.purgeCredentialsCache(requestorType, host);
+    }
 }

trunk/test/unit/org/openstreetmap/josm/io/auth/CredentialsManagerTest.java

@@ -2 +2 @@
 package org.openstreetmap.josm.io.auth;
 
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
 import org.openstreetmap.josm.testutils.annotations.HTTP;
+
+import java.net.Authenticator;
+import java.util.List;
 
 /**
@@ -13 +18 @@
         return new CredentialsManager(new JosmPreferencesCredentialAgent());
     }
+
+    @Test
+    public void testMultipleUnsavedHostsLookup() throws CredentialsAgentException {
+        final AbstractCredentialsAgent aca = new JosmPreferencesCredentialAgent();
+        // A provider that mimics user giving the credentials and choosing not to store them in preferences.
+        AbstractCredentialsAgent.setCredentialsProvider((requestorType, agent, response, username, password, host) -> {
+            response.setUsername("user" + host);
+            response.setPassword("password".toCharArray());
+            response.setSaveCredentials(false);
+            response.setCanceled(false);
+        });
+        final CredentialsManager agent = new CredentialsManager(aca);
+
+        String host1 = "example.com";
+        String host2 = "example.org";
+        for (String host : List.of(host1, host2)) {
+            // Try to get credentials after "failure" => provider gives the credentials.
+            agent.getCredentials(Authenticator.RequestorType.SERVER, host, true);
+        }
+        // Both hosts should receive their respective credentials.
+        CredentialsAgentResponse response = agent.getCredentials(Authenticator.RequestorType.SERVER, host1, false);
+        Assertions.assertEquals("user" + host1, response.getUsername());
+        response = agent.getCredentials(Authenticator.RequestorType.SERVER, host2, false);
+        Assertions.assertEquals("user" + host2, response.getUsername());
+    }
 }