test/jdk/java/net/httpclient/DigestEchoServer.java
author dfuchs
Thu, 18 Apr 2019 17:56:46 +0100
changeset 54579 270557b396eb
parent 53350 a47b8125b7cc
child 58423 54de0c861d32
permissions -rw-r--r--
8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy Summary: HttpClient no longer filters out system host header when sending tunelling CONNECT request to proxy Reviewed-by: michaelm

/*
 * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.Writer;
import java.math.BigInteger;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.PasswordAuthentication;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.StandardSocketOptions;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.StringTokenizer;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import sun.net.www.HeaderParser;
import java.net.http.HttpClient.Version;

/**
 * A simple HTTP server that supports Basic or Digest authentication.
 * By default this server will echo back whatever is present
 * in the request body. Note that the Digest authentication is
 * a test implementation implemented only for tests purposes.
 * @author danielfuchs
 */
public abstract class DigestEchoServer implements HttpServerAdapters {

    public static final boolean DEBUG =
            Boolean.parseBoolean(System.getProperty("test.debug", "false"));
    public static final boolean NO_LINGER =
            Boolean.parseBoolean(System.getProperty("test.nolinger", "false"));
    public static final boolean TUNNEL_REQUIRES_HOST =
            Boolean.parseBoolean(System.getProperty("test.requiresHost", "false"));
    public enum HttpAuthType {
        SERVER, PROXY, SERVER307, PROXY305
        /* add PROXY_AND_SERVER and SERVER_PROXY_NONE */
    };
    public enum HttpAuthSchemeType { NONE, BASICSERVER, BASIC, DIGEST };
    public static final HttpAuthType DEFAULT_HTTP_AUTH_TYPE = HttpAuthType.SERVER;
    public static final String DEFAULT_PROTOCOL_TYPE = "https";
    public static final HttpAuthSchemeType DEFAULT_SCHEME_TYPE = HttpAuthSchemeType.DIGEST;

    public static class HttpTestAuthenticator extends Authenticator {
        private final String realm;
        private final String username;
        // Used to prevent incrementation of 'count' when calling the
        // authenticator from the server side.
        private final ThreadLocal<Boolean> skipCount = new ThreadLocal<>();
        // count will be incremented every time getPasswordAuthentication()
        // is called from the client side.
        final AtomicInteger count = new AtomicInteger();

        public HttpTestAuthenticator(String realm, String username) {
            this.realm = realm;
            this.username = username;
        }
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (skipCount.get() == null || skipCount.get().booleanValue() == false) {
                System.out.println("Authenticator called: " + count.incrementAndGet());
            }
            return new PasswordAuthentication(getUserName(),
                    new char[] {'d','e','n', 't'});
        }
        // Called by the server side to get the password of the user
        // being authentified.
        public final char[] getPassword(String user) {
            if (user.equals(username)) {
                skipCount.set(Boolean.TRUE);
                try {
                    return getPasswordAuthentication().getPassword();
                } finally {
                    skipCount.set(Boolean.FALSE);
                }
            }
            throw new SecurityException("User unknown: " + user);
        }
        public final String getUserName() {
            return username;
        }
        public final String getRealm() {
            return realm;
        }
    }

    public static final HttpTestAuthenticator AUTHENTICATOR;
    static {
        AUTHENTICATOR = new HttpTestAuthenticator("earth", "arthur");
    }


    final HttpTestServer       serverImpl; // this server endpoint
    final DigestEchoServer     redirect;   // the target server where to redirect 3xx
    final HttpTestHandler      delegate;   // unused
    final String               key;

    DigestEchoServer(String key,
                             HttpTestServer server,
                             DigestEchoServer target,
                             HttpTestHandler delegate) {
        this.key = key;
        this.serverImpl = server;
        this.redirect = target;
        this.delegate = delegate;
    }

    public static void main(String[] args)
            throws IOException {

        DigestEchoServer server = create(Version.HTTP_1_1,
                DEFAULT_PROTOCOL_TYPE,
                DEFAULT_HTTP_AUTH_TYPE,
                AUTHENTICATOR,
                DEFAULT_SCHEME_TYPE);
        try {
            System.out.println("Server created at " + server.getAddress());
            System.out.println("Strike <Return> to exit");
            System.in.read();
        } finally {
            System.out.println("stopping server");
            server.stop();
        }
    }

    private static String toString(HttpTestRequestHeaders headers) {
        return headers.entrySet().stream()
                .map((e) -> e.getKey() + ": " + e.getValue())
                .collect(Collectors.joining("\n"));
    }

    public static DigestEchoServer create(Version version,
                                          String protocol,
                                          HttpAuthType authType,
                                          HttpAuthSchemeType schemeType)
            throws IOException {
        return create(version, protocol, authType, AUTHENTICATOR, schemeType);
    }

    public static DigestEchoServer create(Version version,
                                          String protocol,
                                          HttpAuthType authType,
                                          HttpTestAuthenticator auth,
                                          HttpAuthSchemeType schemeType)
            throws IOException {
        return create(version, protocol, authType, auth, schemeType, null);
    }

    public static DigestEchoServer create(Version version,
                                        String protocol,
                                        HttpAuthType authType,
                                        HttpTestAuthenticator auth,
                                        HttpAuthSchemeType schemeType,
                                        HttpTestHandler delegate)
            throws IOException {
        Objects.requireNonNull(authType);
        Objects.requireNonNull(auth);
        switch(authType) {
            // A server that performs Server Digest authentication.
            case SERVER: return createServer(version, protocol, authType, auth,
                                             schemeType, delegate, "/");
            // A server that pretends to be a Proxy and performs
            // Proxy Digest authentication. If protocol is HTTPS,
            // then this will create a HttpsProxyTunnel that will
            // handle the CONNECT request for tunneling.
            case PROXY: return createProxy(version, protocol, authType, auth,
                                           schemeType, delegate, "/");
            // A server that sends 307 redirect to a server that performs
            // Digest authentication.
            // Note: 301 doesn't work here because it transforms POST into GET.
            case SERVER307: return createServerAndRedirect(version,
                                                        protocol,
                                                        HttpAuthType.SERVER,
                                                        auth, schemeType,
                                                        delegate, 307);
            // A server that sends 305 redirect to a proxy that performs
            // Digest authentication.
            // Note: this is not correctly stubbed/implemented in this test.
            case PROXY305:  return createServerAndRedirect(version,
                                                        protocol,
                                                        HttpAuthType.PROXY,
                                                        auth, schemeType,
                                                        delegate, 305);
            default:
                throw new InternalError("Unknown server type: " + authType);
        }
    }


    /**
     * The SocketBindableFactory ensures that the local port used by an HttpServer
     * or a proxy ServerSocket previously created by the current test/VM will not
     * get reused by a subsequent test in the same VM.
     * This is to avoid having the test client trying to reuse cached connections.
     */
    private static abstract class SocketBindableFactory<B> {
        private static final int MAX = 10;
        private static final CopyOnWriteArrayList<String> addresses =
                new CopyOnWriteArrayList<>();
        protected B createInternal() throws IOException {
            final int max = addresses.size() + MAX;
            final List<B> toClose = new ArrayList<>();
            try {
                for (int i = 1; i <= max; i++) {
                    B bindable = createBindable();
                    InetSocketAddress address = getAddress(bindable);
                    String key = "localhost:" + address.getPort();
                    if (addresses.addIfAbsent(key)) {
                        System.out.println("Socket bound to: " + key
                                + " after " + i + " attempt(s)");
                        return bindable;
                    }
                    System.out.println("warning: address " + key
                            + " already used. Retrying bind.");
                    // keep the port bound until we get a port that we haven't
                    // used already
                    toClose.add(bindable);
                }
            } finally {
                // if we had to retry, then close the socket we're not
                // going to use.
                for (B b : toClose) {
                    try { close(b); } catch (Exception x) { /* ignore */ }
                }
            }
            throw new IOException("Couldn't bind socket after " + max + " attempts: "
                    + "addresses used before: " + addresses);
        }

        protected abstract B createBindable() throws IOException;

        protected abstract InetSocketAddress getAddress(B bindable);

        protected abstract void close(B bindable) throws IOException;
    }

    /*
     * Used to create ServerSocket for a proxy.
     */
    private static final class ServerSocketFactory
    extends SocketBindableFactory<ServerSocket> {
        private static final ServerSocketFactory instance = new ServerSocketFactory();

        static ServerSocket create() throws IOException {
            return instance.createInternal();
        }

        @Override
        protected ServerSocket createBindable() throws IOException {
            ServerSocket ss = new ServerSocket();
            ss.setReuseAddress(false);
            ss.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
            return ss;
        }

        @Override
        protected InetSocketAddress getAddress(ServerSocket socket) {
            return new InetSocketAddress(socket.getInetAddress(), socket.getLocalPort());
        }

        @Override
        protected void close(ServerSocket socket) throws IOException {
            socket.close();
        }
    }

    /*
     * Used to create HttpServer
     */
    private static abstract class H1ServerFactory<S extends HttpServer>
            extends SocketBindableFactory<S> {
        @Override
        protected S createBindable() throws IOException {
            S server = newHttpServer();
            server.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
            return server;
        }

        @Override
        protected InetSocketAddress getAddress(S server) {
            return server.getAddress();
        }

        @Override
        protected void close(S server) throws IOException {
            server.stop(1);
        }

        /*
         * Returns a HttpServer or a HttpsServer in different subclasses.
         */
        protected abstract S newHttpServer() throws IOException;
    }

    /*
     * Used to create Http2TestServer
     */
    private static abstract class H2ServerFactory<S extends Http2TestServer>
            extends SocketBindableFactory<S> {
        @Override
        protected S createBindable() throws IOException {
            final S server;
            try {
                server = newHttpServer();
            } catch (IOException io) {
                throw io;
            } catch (Exception x) {
                throw new IOException(x);
            }
            return server;
        }

        @Override
        protected InetSocketAddress getAddress(S server) {
            return server.getAddress();
        }

        @Override
        protected void close(S server) throws IOException {
            server.stop();
        }

        /*
         * Returns a HttpServer or a HttpsServer in different subclasses.
         */
        protected abstract S newHttpServer() throws Exception;
    }

    private static final class Http2ServerFactory extends H2ServerFactory<Http2TestServer> {
        private static final Http2ServerFactory instance = new Http2ServerFactory();

        static Http2TestServer create() throws IOException {
            return instance.createInternal();
        }

        @Override
        protected Http2TestServer newHttpServer() throws Exception {
            return new Http2TestServer("localhost", false, 0);
        }
    }

    private static final class Https2ServerFactory extends H2ServerFactory<Http2TestServer> {
        private static final Https2ServerFactory instance = new Https2ServerFactory();

        static Http2TestServer create() throws IOException {
            return instance.createInternal();
        }

        @Override
        protected Http2TestServer newHttpServer() throws Exception {
            return new Http2TestServer("localhost", true, 0);
        }
    }

    private static final class Http1ServerFactory extends H1ServerFactory<HttpServer> {
        private static final Http1ServerFactory instance = new Http1ServerFactory();

        static HttpServer create() throws IOException {
            return instance.createInternal();
        }

        @Override
        protected HttpServer newHttpServer() throws IOException {
            return HttpServer.create();
        }
    }

    private static final class Https1ServerFactory extends H1ServerFactory<HttpsServer> {
        private static final Https1ServerFactory instance = new Https1ServerFactory();

        static HttpsServer create() throws IOException {
            return instance.createInternal();
        }

        @Override
        protected HttpsServer newHttpServer() throws IOException {
            return HttpsServer.create();
        }
    }

    static Http2TestServer createHttp2Server(String protocol) throws IOException {
        final Http2TestServer server;
        if ("http".equalsIgnoreCase(protocol)) {
            server = Http2ServerFactory.create();
        } else if ("https".equalsIgnoreCase(protocol)) {
            server = Https2ServerFactory.create();
        } else {
            throw new InternalError("unsupported protocol: " + protocol);
        }
        return server;
    }

    static HttpTestServer createHttpServer(Version version, String protocol)
            throws IOException
    {
        switch(version) {
            case HTTP_1_1:
                return HttpTestServer.of(createHttp1Server(protocol));
            case HTTP_2:
                return HttpTestServer.of(createHttp2Server(protocol));
            default:
                throw new InternalError("Unexpected version: " + version);
        }
    }

    static HttpServer createHttp1Server(String protocol) throws IOException {
        final HttpServer server;
        if ("http".equalsIgnoreCase(protocol)) {
            server = Http1ServerFactory.create();
        } else if ("https".equalsIgnoreCase(protocol)) {
            server = configure(Https1ServerFactory.create());
        } else {
            throw new InternalError("unsupported protocol: " + protocol);
        }
        return server;
    }

    static HttpsServer configure(HttpsServer server) throws IOException {
        try {
            SSLContext ctx = SSLContext.getDefault();
            server.setHttpsConfigurator(new Configurator(ctx));
        } catch (NoSuchAlgorithmException ex) {
            throw new IOException(ex);
        }
        return server;
    }


    static void setContextAuthenticator(HttpTestContext ctxt,
                                        HttpTestAuthenticator auth) {
        final String realm = auth.getRealm();
        com.sun.net.httpserver.Authenticator authenticator =
            new BasicAuthenticator(realm) {
                @Override
                public boolean checkCredentials(String username, String pwd) {
                    return auth.getUserName().equals(username)
                           && new String(auth.getPassword(username)).equals(pwd);
                }
        };
        ctxt.setAuthenticator(authenticator);
    }

    public static DigestEchoServer createServer(Version version,
                                        String protocol,
                                        HttpAuthType authType,
                                        HttpTestAuthenticator auth,
                                        HttpAuthSchemeType schemeType,
                                        HttpTestHandler delegate,
                                        String path)
            throws IOException {
        Objects.requireNonNull(authType);
        Objects.requireNonNull(auth);

        HttpTestServer impl = createHttpServer(version, protocol);
        String key = String.format("DigestEchoServer[PID=%s,PORT=%s]:%s:%s:%s:%s",
                ProcessHandle.current().pid(),
                impl.getAddress().getPort(),
                version, protocol, authType, schemeType);
        final DigestEchoServer server = new DigestEchoServerImpl(key, impl, null, delegate);
        final HttpTestHandler handler =
                server.createHandler(schemeType, auth, authType, false);
        HttpTestContext context = impl.addHandler(handler, path);
        server.configureAuthentication(context, schemeType, auth, authType);
        impl.start();
        return server;
    }

    public static DigestEchoServer createProxy(Version version,
                                        String protocol,
                                        HttpAuthType authType,
                                        HttpTestAuthenticator auth,
                                        HttpAuthSchemeType schemeType,
                                        HttpTestHandler delegate,
                                        String path)
            throws IOException {
        Objects.requireNonNull(authType);
        Objects.requireNonNull(auth);

        if (version == Version.HTTP_2 && protocol.equalsIgnoreCase("http")) {
            System.out.println("WARNING: can't use HTTP/1.1 proxy with unsecure HTTP/2 server");
            version = Version.HTTP_1_1;
        }
        HttpTestServer impl = createHttpServer(version, protocol);
        String key = String.format("DigestEchoServer[PID=%s,PORT=%s]:%s:%s:%s:%s",
                ProcessHandle.current().pid(),
                impl.getAddress().getPort(),
                version, protocol, authType, schemeType);
        final DigestEchoServer server = "https".equalsIgnoreCase(protocol)
                ? new HttpsProxyTunnel(key, impl, null, delegate)
                : new DigestEchoServerImpl(key, impl, null, delegate);

        final HttpTestHandler hh = server.createHandler(HttpAuthSchemeType.NONE,
                                         null, HttpAuthType.SERVER,
                                         server instanceof HttpsProxyTunnel);
        HttpTestContext ctxt = impl.addHandler(hh, path);
        server.configureAuthentication(ctxt, schemeType, auth, authType);
        impl.start();

        return server;
    }

    public static DigestEchoServer createServerAndRedirect(
                                        Version version,
                                        String protocol,
                                        HttpAuthType targetAuthType,
                                        HttpTestAuthenticator auth,
                                        HttpAuthSchemeType schemeType,
                                        HttpTestHandler targetDelegate,
                                        int code300)
            throws IOException {
        Objects.requireNonNull(targetAuthType);
        Objects.requireNonNull(auth);

        // The connection between client and proxy can only
        // be a plain connection: SSL connection to proxy
        // is not supported by our client connection.
        String targetProtocol = targetAuthType == HttpAuthType.PROXY
                                          ? "http"
                                          : protocol;
        DigestEchoServer redirectTarget =
                (targetAuthType == HttpAuthType.PROXY)
                ? createProxy(version, protocol, targetAuthType,
                              auth, schemeType, targetDelegate, "/")
                : createServer(version, targetProtocol, targetAuthType,
                               auth, schemeType, targetDelegate, "/");
        HttpTestServer impl = createHttpServer(version, protocol);
        String key = String.format("RedirectingServer[PID=%s,PORT=%s]:%s:%s:%s:%s",
                ProcessHandle.current().pid(),
                impl.getAddress().getPort(),
                version, protocol,
                HttpAuthType.SERVER, code300)
                + "->" + redirectTarget.key;
        final DigestEchoServer redirectingServer =
                 new DigestEchoServerImpl(key, impl, redirectTarget, null);
        InetSocketAddress redirectAddr = redirectTarget.getAddress();
        URL locationURL = url(targetProtocol, redirectAddr, "/");
        final HttpTestHandler hh = redirectingServer.create300Handler(key, locationURL,
                                             HttpAuthType.SERVER, code300);
        impl.addHandler(hh,"/");
        impl.start();
        return redirectingServer;
    }

    public abstract InetSocketAddress getServerAddress();
    public abstract InetSocketAddress getProxyAddress();
    public abstract InetSocketAddress getAddress();
    public abstract void stop();
    public abstract Version getServerVersion();

    private static class DigestEchoServerImpl extends DigestEchoServer {
        DigestEchoServerImpl(String key,
                             HttpTestServer server,
                             DigestEchoServer target,
                             HttpTestHandler delegate) {
            super(key, Objects.requireNonNull(server), target, delegate);
        }

        public InetSocketAddress getAddress() {
            return new InetSocketAddress(InetAddress.getLoopbackAddress(),
                    serverImpl.getAddress().getPort());
        }

        public InetSocketAddress getServerAddress() {
            return new InetSocketAddress(InetAddress.getLoopbackAddress(),
                    serverImpl.getAddress().getPort());
        }

        public InetSocketAddress getProxyAddress() {
            return new InetSocketAddress(InetAddress.getLoopbackAddress(),
                    serverImpl.getAddress().getPort());
        }

        public Version getServerVersion() {
            return serverImpl.getVersion();
        }

        public void stop() {
            serverImpl.stop();
            if (redirect != null) {
                redirect.stop();
            }
        }
    }

    protected void writeResponse(HttpTestExchange he) throws IOException {
        if (delegate == null) {
            he.sendResponseHeaders(HttpURLConnection.HTTP_OK, -1);
            he.getResponseBody().write(he.getRequestBody().readAllBytes());
        } else {
            delegate.handle(he);
        }
    }

    private HttpTestHandler createHandler(HttpAuthSchemeType schemeType,
                                      HttpTestAuthenticator auth,
                                      HttpAuthType authType,
                                      boolean tunelled) {
        return new HttpNoAuthHandler(key, authType, tunelled);
    }

    void configureAuthentication(HttpTestContext ctxt,
                                 HttpAuthSchemeType schemeType,
                                 HttpTestAuthenticator auth,
                                 HttpAuthType authType) {
        switch(schemeType) {
            case DIGEST:
                // DIGEST authentication is handled by the handler.
                ctxt.addFilter(new HttpDigestFilter(key, auth, authType));
                break;
            case BASIC:
                // BASIC authentication is handled by the filter.
                ctxt.addFilter(new HttpBasicFilter(key, auth, authType));
                break;
            case BASICSERVER:
                switch(authType) {
                    case PROXY: case PROXY305:
                        // HttpServer can't support Proxy-type authentication
                        // => we do as if BASIC had been specified, and we will
                        //    handle authentication in the handler.
                        ctxt.addFilter(new HttpBasicFilter(key, auth, authType));
                        break;
                    case SERVER: case SERVER307:
                        if (ctxt.getVersion() == Version.HTTP_1_1) {
                            // Basic authentication is handled by HttpServer
                            // directly => the filter should not perform
                            // authentication again.
                            setContextAuthenticator(ctxt, auth);
                            ctxt.addFilter(new HttpNoAuthFilter(key, authType));
                        } else {
                            ctxt.addFilter(new HttpBasicFilter(key, auth, authType));
                        }
                        break;
                    default:
                        throw new InternalError(key + ": Invalid combination scheme="
                             + schemeType + " authType=" + authType);
                }
            case NONE:
                // No authentication at all.
                ctxt.addFilter(new HttpNoAuthFilter(key, authType));
                break;
            default:
                throw new InternalError(key + ": No such scheme: " + schemeType);
        }
    }

    private HttpTestHandler create300Handler(String key, URL proxyURL,
                                             HttpAuthType type, int code300)
            throws MalformedURLException
    {
        return new Http3xxHandler(key, proxyURL, type, code300);
    }

    // Abstract HTTP filter class.
    private abstract static class AbstractHttpFilter extends HttpTestFilter {

        final HttpAuthType authType;
        final String type;
        public AbstractHttpFilter(HttpAuthType authType, String type) {
            this.authType = authType;
            this.type = type;
        }

        String getLocation() {
            return "Location";
        }
        String getAuthenticate() {
            return authType == HttpAuthType.PROXY
                    ? "Proxy-Authenticate" : "WWW-Authenticate";
        }
        String getAuthorization() {
            return authType == HttpAuthType.PROXY
                    ? "Proxy-Authorization" : "Authorization";
        }
        int getUnauthorizedCode() {
            return authType == HttpAuthType.PROXY
                    ? HttpURLConnection.HTTP_PROXY_AUTH
                    : HttpURLConnection.HTTP_UNAUTHORIZED;
        }
        String getKeepAlive() {
            return "keep-alive";
        }
        String getConnection() {
            return authType == HttpAuthType.PROXY
                    ? "Proxy-Connection" : "Connection";
        }
        protected abstract boolean isAuthentified(HttpTestExchange he) throws IOException;
        protected abstract void requestAuthentication(HttpTestExchange he) throws IOException;
        protected void accept(HttpTestExchange he, HttpChain chain) throws IOException {
            chain.doFilter(he);
        }

        @Override
        public String description() {
            return "Filter for " + type;
        }
        @Override
        public void doFilter(HttpTestExchange he, HttpChain chain) throws IOException {
            try {
                System.out.println(type + ": Got " + he.getRequestMethod()
                    + ": " + he.getRequestURI()
                    + "\n" + DigestEchoServer.toString(he.getRequestHeaders()));

                // Assert only a single value for Expect. Not directly related
                // to digest authentication, but verifies good client behaviour.
                List<String> expectValues = he.getRequestHeaders().get("Expect");
                if (expectValues != null && expectValues.size() > 1) {
                    throw new IOException("Expect:  " + expectValues);
                }

                if (!isAuthentified(he)) {
                    try {
                        requestAuthentication(he);
                        he.sendResponseHeaders(getUnauthorizedCode(), -1);
                        System.out.println(type
                            + ": Sent back " + getUnauthorizedCode());
                    } finally {
                        he.close();
                    }
                } else {
                    accept(he, chain);
                }
            } catch (RuntimeException | Error | IOException t) {
               System.err.println(type
                    + ": Unexpected exception while handling request: " + t);
               t.printStackTrace(System.err);
               he.close();
               throw t;
            }
        }

    }

    // WARNING: This is not a full fledged implementation of DIGEST.
    // It does contain bugs and inaccuracy.
    final static class DigestResponse {
        final String realm;
        final String username;
        final String nonce;
        final String cnonce;
        final String nc;
        final String uri;
        final String algorithm;
        final String response;
        final String qop;
        final String opaque;

        public DigestResponse(String realm, String username, String nonce,
                              String cnonce, String nc, String uri,
                              String algorithm, String qop, String opaque,
                              String response) {
            this.realm = realm;
            this.username = username;
            this.nonce = nonce;
            this.cnonce = cnonce;
            this.nc = nc;
            this.uri = uri;
            this.algorithm = algorithm;
            this.qop = qop;
            this.opaque = opaque;
            this.response = response;
        }

        String getAlgorithm(String defval) {
            return algorithm == null ? defval : algorithm;
        }
        String getQoP(String defval) {
            return qop == null ? defval : qop;
        }

        // Code stolen from DigestAuthentication:

        private static final char charArray[] = {
            '0', '1', '2', '3', '4', '5', '6', '7',
            '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
        };

        private static String encode(String src, char[] passwd, MessageDigest md) {
            try {
                md.update(src.getBytes("ISO-8859-1"));
            } catch (java.io.UnsupportedEncodingException uee) {
                assert false;
            }
            if (passwd != null) {
                byte[] passwdBytes = new byte[passwd.length];
                for (int i=0; i<passwd.length; i++)
                    passwdBytes[i] = (byte)passwd[i];
                md.update(passwdBytes);
                Arrays.fill(passwdBytes, (byte)0x00);
            }
            byte[] digest = md.digest();

            StringBuilder res = new StringBuilder(digest.length * 2);
            for (int i = 0; i < digest.length; i++) {
                int hashchar = ((digest[i] >>> 4) & 0xf);
                res.append(charArray[hashchar]);
                hashchar = (digest[i] & 0xf);
                res.append(charArray[hashchar]);
            }
            return res.toString();
        }

        public static String computeDigest(boolean isRequest,
                                           String reqMethod,
                                           char[] password,
                                           DigestResponse params)
            throws NoSuchAlgorithmException
        {

            String A1, HashA1;
            String algorithm = params.getAlgorithm("MD5");
            boolean md5sess = algorithm.equalsIgnoreCase ("MD5-sess");

            MessageDigest md = MessageDigest.getInstance(md5sess?"MD5":algorithm);

            if (params.username == null) {
                throw new IllegalArgumentException("missing username");
            }
            if (params.realm == null) {
                throw new IllegalArgumentException("missing realm");
            }
            if (params.uri == null) {
                throw new IllegalArgumentException("missing uri");
            }
            if (params.nonce == null) {
                throw new IllegalArgumentException("missing nonce");
            }

            A1 = params.username + ":" + params.realm + ":";
            HashA1 = encode(A1, password, md);

            String A2;
            if (isRequest) {
                A2 = reqMethod + ":" + params.uri;
            } else {
                A2 = ":" + params.uri;
            }
            String HashA2 = encode(A2, null, md);
            String combo, finalHash;

            if ("auth".equals(params.qop)) { /* RRC2617 when qop=auth */
                if (params.cnonce == null) {
                    throw new IllegalArgumentException("missing nonce");
                }
                if (params.nc == null) {
                    throw new IllegalArgumentException("missing nonce");
                }
                combo = HashA1+ ":" + params.nonce + ":" + params.nc + ":" +
                            params.cnonce + ":auth:" +HashA2;

            } else { /* for compatibility with RFC2069 */
                combo = HashA1 + ":" +
                           params.nonce + ":" +
                           HashA2;
            }
            finalHash = encode(combo, null, md);
            return finalHash;
        }

        public static DigestResponse create(String raw) {
            String username, realm, nonce, nc, uri, response, cnonce,
                   algorithm, qop, opaque;
            HeaderParser parser = new HeaderParser(raw);
            username = parser.findValue("username");
            realm = parser.findValue("realm");
            nonce = parser.findValue("nonce");
            nc = parser.findValue("nc");
            uri = parser.findValue("uri");
            cnonce = parser.findValue("cnonce");
            response = parser.findValue("response");
            algorithm = parser.findValue("algorithm");
            qop = parser.findValue("qop");
            opaque = parser.findValue("opaque");
            return new DigestResponse(realm, username, nonce, cnonce, nc, uri,
                                      algorithm, qop, opaque, response);
        }

    }

    private static class HttpNoAuthFilter extends AbstractHttpFilter {

        static String type(String key, HttpAuthType authType) {
            String type = authType == HttpAuthType.SERVER
                    ? "NoAuth Server Filter" : "NoAuth Proxy Filter";
            return "["+type+"]:"+key;
        }

        public HttpNoAuthFilter(String key, HttpAuthType authType) {
            super(authType, type(key, authType));
        }

        @Override
        protected boolean isAuthentified(HttpTestExchange he) throws IOException {
            return true;
        }

        @Override
        protected void requestAuthentication(HttpTestExchange he) throws IOException {
            throw new InternalError("Should not com here");
        }

        @Override
        public String description() {
            return "Passthrough Filter";
        }

    }

    // An HTTP Filter that performs Basic authentication
    private static class HttpBasicFilter extends AbstractHttpFilter {

        static String type(String key, HttpAuthType authType) {
            String type = authType == HttpAuthType.SERVER
                    ? "Basic Server Filter" : "Basic Proxy Filter";
            return "["+type+"]:"+key;
        }

        private final HttpTestAuthenticator auth;
        public HttpBasicFilter(String key, HttpTestAuthenticator auth,
                               HttpAuthType authType) {
            super(authType, type(key, authType));
            this.auth = auth;
        }

        @Override
        protected void requestAuthentication(HttpTestExchange he)
            throws IOException
        {
            String headerName = getAuthenticate();
            String headerValue = "Basic realm=\"" + auth.getRealm() + "\"";
            he.getResponseHeaders().addHeader(headerName, headerValue);
            System.out.println(type + ": Requesting Basic Authentication, "
                               + headerName + " : "+ headerValue);
        }

        @Override
        protected boolean isAuthentified(HttpTestExchange he) {
            if (he.getRequestHeaders().containsKey(getAuthorization())) {
                List<String> authorization =
                    he.getRequestHeaders().get(getAuthorization());
                for (String a : authorization) {
                    System.out.println(type + ": processing " + a);
                    int sp = a.indexOf(' ');
                    if (sp < 0) return false;
                    String scheme = a.substring(0, sp);
                    if (!"Basic".equalsIgnoreCase(scheme)) {
                        System.out.println(type + ": Unsupported scheme '"
                                           + scheme +"'");
                        return false;
                    }
                    if (a.length() <= sp+1) {
                        System.out.println(type + ": value too short for '"
                                            + scheme +"'");
                        return false;
                    }
                    a = a.substring(sp+1);
                    return validate(a);
                }
                return false;
            }
            return false;
        }

        boolean validate(String a) {
            byte[] b = Base64.getDecoder().decode(a);
            String userpass = new String (b);
            int colon = userpass.indexOf (':');
            String uname = userpass.substring (0, colon);
            String pass = userpass.substring (colon+1);
            return auth.getUserName().equals(uname) &&
                   new String(auth.getPassword(uname)).equals(pass);
        }

        @Override
        public String description() {
            return "Filter for BASIC authentication: " + type;
        }

    }


    // An HTTP Filter that performs Digest authentication
    // WARNING: This is not a full fledged implementation of DIGEST.
    // It does contain bugs and inaccuracy.
    private static class HttpDigestFilter extends AbstractHttpFilter {

        static String type(String key, HttpAuthType authType) {
            String type = authType == HttpAuthType.SERVER
                    ? "Digest Server Filter" : "Digest Proxy Filter";
            return "["+type+"]:"+key;
        }

        // This is a very basic DIGEST - used only for the purpose of testing
        // the client implementation. Therefore we can get away with never
        // updating the server nonce as it makes the implementation of the
        // server side digest simpler.
        private final HttpTestAuthenticator auth;
        private final byte[] nonce;
        private final String ns;
        public HttpDigestFilter(String key, HttpTestAuthenticator auth, HttpAuthType authType) {
            super(authType, type(key, authType));
            this.auth = auth;
            nonce = new byte[16];
            new Random(Instant.now().toEpochMilli()).nextBytes(nonce);
            ns = new BigInteger(1, nonce).toString(16);
        }

        @Override
        protected void requestAuthentication(HttpTestExchange he)
                throws IOException {
            String separator;
            Version v = he.getExchangeVersion();
            if (v == Version.HTTP_1_1) {
                separator = "\r\n    ";
            } else if (v == Version.HTTP_2) {
                separator = " ";
            } else {
                throw new InternalError(String.valueOf(v));
            }
            String headerName = getAuthenticate();
            String headerValue = "Digest realm=\"" + auth.getRealm() + "\","
                    + separator + "qop=\"auth\","
                    + separator + "nonce=\"" + ns +"\"";
            he.getResponseHeaders().addHeader(headerName, headerValue);
            System.out.println(type + ": Requesting Digest Authentication, "
                               + headerName + " : " + headerValue);
        }

        @Override
        protected boolean isAuthentified(HttpTestExchange he) {
            if (he.getRequestHeaders().containsKey(getAuthorization())) {
                List<String> authorization = he.getRequestHeaders().get(getAuthorization());
                for (String a : authorization) {
                    System.out.println(type + ": processing " + a);
                    int sp = a.indexOf(' ');
                    if (sp < 0) return false;
                    String scheme = a.substring(0, sp);
                    if (!"Digest".equalsIgnoreCase(scheme)) {
                        System.out.println(type + ": Unsupported scheme '" + scheme +"'");
                        return false;
                    }
                    if (a.length() <= sp+1) {
                        System.out.println(type + ": value too short for '" + scheme +"'");
                        return false;
                    }
                    a = a.substring(sp+1);
                    DigestResponse dgr = DigestResponse.create(a);
                    return validate(he.getRequestURI(), he.getRequestMethod(), dgr);
                }
                return false;
            }
            return false;
        }

        boolean validate(URI uri, String reqMethod, DigestResponse dg) {
            if (!"MD5".equalsIgnoreCase(dg.getAlgorithm("MD5"))) {
                System.out.println(type + ": Unsupported algorithm "
                                   + dg.algorithm);
                return false;
            }
            if (!"auth".equalsIgnoreCase(dg.getQoP("auth"))) {
                System.out.println(type + ": Unsupported qop "
                                   + dg.qop);
                return false;
            }
            try {
                if (!dg.nonce.equals(ns)) {
                    System.out.println(type + ": bad nonce returned by client: "
                                    + nonce + " expected " + ns);
                    return false;
                }
                if (dg.response == null) {
                    System.out.println(type + ": missing digest response.");
                    return false;
                }
                char[] pa = auth.getPassword(dg.username);
                return verify(uri, reqMethod, dg, pa);
            } catch(IllegalArgumentException | SecurityException
                    | NoSuchAlgorithmException e) {
                System.out.println(type + ": " + e.getMessage());
                return false;
            }
        }


        boolean verify(URI uri, String reqMethod, DigestResponse dg, char[] pw)
            throws NoSuchAlgorithmException {
            String response = DigestResponse.computeDigest(true, reqMethod, pw, dg);
            if (!dg.response.equals(response)) {
                System.out.println(type + ": bad response returned by client: "
                                    + dg.response + " expected " + response);
                return false;
            } else {
                // A real server would also verify the uri=<request-uri>
                // parameter - but this is just a test...
                System.out.println(type + ": verified response " + response);
            }
            return true;
        }


        @Override
        public String description() {
            return "Filter for DIGEST authentication: " + type;
        }
    }

    // Abstract HTTP handler class.
    private abstract static class AbstractHttpHandler implements HttpTestHandler {

        final HttpAuthType authType;
        final String type;
        public AbstractHttpHandler(HttpAuthType authType, String type) {
            this.authType = authType;
            this.type = type;
        }

        String getLocation() {
            return "Location";
        }

        @Override
        public void handle(HttpTestExchange he) throws IOException {
            try {
                sendResponse(he);
            } catch (RuntimeException | Error | IOException t) {
               System.err.println(type
                    + ": Unexpected exception while handling request: " + t);
               t.printStackTrace(System.err);
               throw t;
            } finally {
                he.close();
            }
        }

        protected abstract void sendResponse(HttpTestExchange he) throws IOException;

    }

    static String stype(String type, String key, HttpAuthType authType, boolean tunnelled) {
        type = type + (authType == HttpAuthType.SERVER
                       ? " Server" : " Proxy")
                + (tunnelled ? " Tunnelled" : "");
        return "["+type+"]:"+key;
    }

    private class HttpNoAuthHandler extends AbstractHttpHandler {

        // true if this server is behind a proxy tunnel.
        final boolean tunnelled;
        public HttpNoAuthHandler(String key, HttpAuthType authType, boolean tunnelled) {
            super(authType, stype("NoAuth", key, authType, tunnelled));
            this.tunnelled = tunnelled;
        }

        @Override
        protected void sendResponse(HttpTestExchange he) throws IOException {
            if (DEBUG) {
                System.out.println(type + ": headers are: "
                        + DigestEchoServer.toString(he.getRequestHeaders()));
            }
            if (authType == HttpAuthType.SERVER && tunnelled) {
                // Verify that the client doesn't send us proxy-* headers
                // used to establish the proxy tunnel
                Optional<String> proxyAuth = he.getRequestHeaders()
                        .keySet().stream()
                        .filter("proxy-authorization"::equalsIgnoreCase)
                        .findAny();
                if (proxyAuth.isPresent()) {
                    System.out.println(type + " found "
                            + proxyAuth.get() + ": failing!");
                    throw new IOException(proxyAuth.get()
                            + " found by " + type + " for "
                            + he.getRequestURI());
                }
            }
            DigestEchoServer.this.writeResponse(he);
        }

    }

    // A dummy HTTP Handler that redirects all incoming requests
    // by sending a back 3xx response code (301, 305, 307 etc..)
    private class Http3xxHandler extends AbstractHttpHandler {

        private final URL redirectTargetURL;
        private final int code3XX;
        public Http3xxHandler(String key, URL proxyURL, HttpAuthType authType, int code300) {
            super(authType, stype("Server" + code300, key, authType, false));
            this.redirectTargetURL = proxyURL;
            this.code3XX = code300;
        }

        int get3XX() {
            return code3XX;
        }

        @Override
        public void sendResponse(HttpTestExchange he) throws IOException {
            System.out.println(type + ": Got " + he.getRequestMethod()
                    + ": " + he.getRequestURI()
                    + "\n" + DigestEchoServer.toString(he.getRequestHeaders()));
            System.out.println(type + ": Redirecting to "
                               + (authType == HttpAuthType.PROXY305
                                    ? "proxy" : "server"));
            he.getResponseHeaders().addHeader(getLocation(),
                redirectTargetURL.toExternalForm().toString());
            he.sendResponseHeaders(get3XX(), -1);
            System.out.println(type + ": Sent back " + get3XX() + " "
                 + getLocation() + ": " + redirectTargetURL.toExternalForm().toString());
        }
    }

    static class Configurator extends HttpsConfigurator {
        public Configurator(SSLContext ctx) {
            super(ctx);
        }

        @Override
        public void configure (HttpsParameters params) {
            params.setSSLParameters (getSSLContext().getSupportedSSLParameters());
        }
    }

    static final long start = System.nanoTime();
    public static String now() {
        long now = System.nanoTime() - start;
        long secs = now / 1000_000_000;
        long mill = (now % 1000_000_000) / 1000_000;
        long nan = now % 1000_000;
        return String.format("[%d s, %d ms, %d ns] ", secs, mill, nan);
    }

    static class  ProxyAuthorization {
        final HttpAuthSchemeType schemeType;
        final HttpTestAuthenticator authenticator;
        private final byte[] nonce;
        private final String ns;
        private final String key;

        ProxyAuthorization(String key, HttpAuthSchemeType schemeType, HttpTestAuthenticator auth) {
            this.key = key;
            this.schemeType = schemeType;
            this.authenticator = auth;
            nonce = new byte[16];
            new Random(Instant.now().toEpochMilli()).nextBytes(nonce);
            ns = new BigInteger(1, nonce).toString(16);
        }

        String doBasic(Optional<String> authorization) {
            String offset = "proxy-authorization: basic ";
            String authstring = authorization.orElse("");
            if (!authstring.toLowerCase(Locale.US).startsWith(offset)) {
                return "Proxy-Authenticate: BASIC " + "realm=\""
                        + authenticator.getRealm() +"\"";
            }
            authstring = authstring
                    .substring(offset.length())
                    .trim();
            byte[] base64 = Base64.getDecoder().decode(authstring);
            String up = new String(base64, StandardCharsets.UTF_8);
            int colon = up.indexOf(':');
            if (colon < 1) {
                return "Proxy-Authenticate: BASIC " + "realm=\""
                        + authenticator.getRealm() +"\"";
            }
            String u = up.substring(0, colon);
            String p = up.substring(colon+1);
            char[] pw = authenticator.getPassword(u);
            if (!p.equals(new String(pw))) {
                return "Proxy-Authenticate: BASIC " + "realm=\""
                        + authenticator.getRealm() +"\"";
            }
            System.out.println(now() + key + " Proxy basic authentication success");
            return null;
        }

        String doDigest(Optional<String> authorization) {
            String offset = "proxy-authorization: digest ";
            String authstring = authorization.orElse("");
            if (!authstring.toLowerCase(Locale.US).startsWith(offset)) {
                return "Proxy-Authenticate: " +
                        "Digest realm=\"" + authenticator.getRealm() + "\","
                        + "\r\n    qop=\"auth\","
                        + "\r\n    nonce=\"" + ns +"\"";
            }
            authstring = authstring
                    .substring(offset.length())
                    .trim();
            boolean validated = false;
            try {
                DigestResponse dgr = DigestResponse.create(authstring);
                validated = validate("CONNECT", dgr);
            } catch (Throwable t) {
                t.printStackTrace();
            }
            if (!validated) {
                return "Proxy-Authenticate: " +
                        "Digest realm=\"" + authenticator.getRealm() + "\","
                        + "\r\n    qop=\"auth\","
                        + "\r\n    nonce=\"" + ns +"\"";
            }
            return null;
        }




        boolean validate(String reqMethod, DigestResponse dg) {
            String type = now() + this.getClass().getSimpleName() + ":" + key;
            if (!"MD5".equalsIgnoreCase(dg.getAlgorithm("MD5"))) {
                System.out.println(type + ": Unsupported algorithm "
                        + dg.algorithm);
                return false;
            }
            if (!"auth".equalsIgnoreCase(dg.getQoP("auth"))) {
                System.out.println(type + ": Unsupported qop "
                        + dg.qop);
                return false;
            }
            try {
                if (!dg.nonce.equals(ns)) {
                    System.out.println(type + ": bad nonce returned by client: "
                            + nonce + " expected " + ns);
                    return false;
                }
                if (dg.response == null) {
                    System.out.println(type + ": missing digest response.");
                    return false;
                }
                char[] pa = authenticator.getPassword(dg.username);
                return verify(type, reqMethod, dg, pa);
            } catch(IllegalArgumentException | SecurityException
                    | NoSuchAlgorithmException e) {
                System.out.println(type + ": " + e.getMessage());
                return false;
            }
        }


        boolean verify(String type, String reqMethod, DigestResponse dg, char[] pw)
                throws NoSuchAlgorithmException {
            String response = DigestResponse.computeDigest(true, reqMethod, pw, dg);
            if (!dg.response.equals(response)) {
                System.out.println(type + ": bad response returned by client: "
                        + dg.response + " expected " + response);
                return false;
            } else {
                // A real server would also verify the uri=<request-uri>
                // parameter - but this is just a test...
                System.out.println(type + ": verified response " + response);
            }
            return true;
        }

        public boolean authorize(StringBuilder response, String requestLine, String headers) {
            String message = "<html><body><p>Authorization Failed%s</p></body></html>\r\n";
            if (authenticator == null && schemeType != HttpAuthSchemeType.NONE) {
                message = String.format(message, " No Authenticator Set");
                response.append("HTTP/1.1 407 Proxy Authentication Failed\r\n");
                response.append("Content-Length: ")
                        .append(message.getBytes(StandardCharsets.UTF_8).length)
                        .append("\r\n\r\n");
                response.append(message);
                return false;
            }
            Optional<String> authorization = Stream.of(headers.split("\r\n"))
                    .filter((k) -> k.toLowerCase(Locale.US).startsWith("proxy-authorization:"))
                    .findFirst();
            String authenticate = null;
            switch(schemeType) {
                case BASIC:
                case BASICSERVER:
                    authenticate = doBasic(authorization);
                    break;
                case DIGEST:
                    authenticate = doDigest(authorization);
                    break;
                case NONE:
                    response.append("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n");
                    return true;
                default:
                    throw new InternalError("Unknown scheme type: " + schemeType);
            }
            if (authenticate != null) {
                message = String.format(message, "");
                response.append("HTTP/1.1 407 Proxy Authentication Required\r\n");
                response.append("Content-Length: ")
                        .append(message.getBytes(StandardCharsets.UTF_8).length)
                        .append("\r\n")
                        .append(authenticate)
                        .append("\r\n\r\n");
                response.append(message);
                return false;
            }
            response.append("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n");
            return true;
        }
    }

    public interface TunnelingProxy {
        InetSocketAddress getProxyAddress();
        void stop();
    }

    // This is a bit hacky: HttpsProxyTunnel is an HTTPTestServer hidden
    // behind a fake proxy that only understands CONNECT requests.
    // The fake proxy is just a server socket that intercept the
    // CONNECT and then redirect streams to the real server.
    static class HttpsProxyTunnel extends DigestEchoServer
            implements Runnable, TunnelingProxy {

        final ServerSocket ss;
        final CopyOnWriteArrayList<CompletableFuture<Void>> connectionCFs
                = new CopyOnWriteArrayList<>();
        volatile ProxyAuthorization authorization;
        volatile boolean stopped;
        public HttpsProxyTunnel(String key, HttpTestServer server, DigestEchoServer target,
                                HttpTestHandler delegate)
                throws IOException {
            this(key, server, target, delegate, ServerSocketFactory.create());
        }
        private HttpsProxyTunnel(String key, HttpTestServer server, DigestEchoServer target,
                                HttpTestHandler delegate, ServerSocket ss)
                throws IOException {
            super("HttpsProxyTunnel:" + ss.getLocalPort() + ":" + key,
                    server, target, delegate);
            System.out.flush();
            System.err.println("WARNING: HttpsProxyTunnel is an experimental test class");
            this.ss = ss;
            start();
        }

        final void start() throws IOException {
            Thread t = new Thread(this, "ProxyThread");
            t.setDaemon(true);
            t.start();
        }

        @Override
        public Version getServerVersion() {
            // serverImpl is not null when this proxy
            // serves a single server. It will be null
            // if this proxy can serve multiple servers.
            if (serverImpl != null) return serverImpl.getVersion();
            return null;
        }

        @Override
        public void stop() {
            stopped = true;
            if (serverImpl != null) {
                serverImpl.stop();
            }
            if (redirect != null) {
                redirect.stop();
            }
            try {
                ss.close();
            } catch (IOException ex) {
                if (DEBUG) ex.printStackTrace(System.out);
            }
        }


        @Override
        void configureAuthentication(HttpTestContext ctxt,
                                     HttpAuthSchemeType schemeType,
                                     HttpTestAuthenticator auth,
                                     HttpAuthType authType) {
            if (authType == HttpAuthType.PROXY || authType == HttpAuthType.PROXY305) {
                authorization = new ProxyAuthorization(key, schemeType, auth);
            } else {
                super.configureAuthentication(ctxt, schemeType, auth, authType);
            }
        }

        boolean badRequest(StringBuilder response, String hostport, List<String> hosts) {
            String message = null;
            if (hosts.isEmpty()) {
                message = "No host header provided\r\n";
            } else if (hosts.size() > 1) {
                message = "Multiple host headers provided\r\n";
                for (String h : hosts) {
                    message = message + "host: " + h + "\r\n";
                }
            } else {
                String h = hosts.get(0);
                if (!hostport.equalsIgnoreCase(h)
                        && !hostport.equalsIgnoreCase(h + ":80")
                        && !hostport.equalsIgnoreCase(h + ":443")) {
                    message = "Bad host provided: [" + h
                            + "] doesnot match [" + hostport + "]\r\n";
                }
            }
            if (message != null) {
                int length = message.getBytes(StandardCharsets.UTF_8).length;
                response.append("HTTP/1.1 400 BadRequest\r\n")
                        .append("Content-Length: " + length)
                        .append("\r\n\r\n")
                        .append(message);
                return true;
            }

            return false;
        }

        boolean authorize(StringBuilder response, String requestLine, String headers) {
            if (authorization != null) {
                return authorization.authorize(response, requestLine, headers);
            }
            response.append("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n");
            return true;
        }

        // Pipe the input stream to the output stream.
        private synchronized Thread pipe(InputStream is, OutputStream os, char tag, CompletableFuture<Void> end) {
            return new Thread("TunnelPipe("+tag+")") {
                @Override
                public void run() {
                    try {
                        try {
                            int c;
                            while ((c = is.read()) != -1) {
                                os.write(c);
                                os.flush();
                                // if DEBUG prints a + or a - for each transferred
                                // character.
                                if (DEBUG) System.out.print(tag);
                            }
                            is.close();
                        } finally {
                            os.close();
                        }
                    } catch (IOException ex) {
                        if (DEBUG) ex.printStackTrace(System.out);
                    } finally {
                        end.complete(null);
                    }
                }
            };
        }

        @Override
        public InetSocketAddress getAddress() {
            return new InetSocketAddress(InetAddress.getLoopbackAddress(),
                    ss.getLocalPort());
        }
        @Override
        public InetSocketAddress getProxyAddress() {
            return getAddress();
        }
        @Override
        public InetSocketAddress getServerAddress() {
            // serverImpl can be null if this proxy can serve
            // multiple servers.
            if (serverImpl != null) {
                return serverImpl.getAddress();
            }
            return null;
        }


        // This is a bit shaky. It doesn't handle continuation
        // lines, but our client shouldn't send any.
        // Read a line from the input stream, swallowing the final
        // \r\n sequence. Stops at the first \n, doesn't complain
        // if it wasn't preceded by '\r'.
        //
        String readLine(InputStream r) throws IOException {
            StringBuilder b = new StringBuilder();
            int c;
            while ((c = r.read()) != -1) {
                if (c == '\n') break;
                b.appendCodePoint(c);
            }
            if (b.codePointAt(b.length() -1) == '\r') {
                b.delete(b.length() -1, b.length());
            }
            return b.toString();
        }

        @Override
        public void run() {
            Socket clientConnection = null;
            try {
                while (!stopped) {
                    System.out.println(now() + "Tunnel: Waiting for client");
                    Socket toClose;
                    try {
                        toClose = clientConnection = ss.accept();
                        if (NO_LINGER) {
                            // can be useful to trigger "Connection reset by peer"
                            // errors on the client side.
                            clientConnection.setOption(StandardSocketOptions.SO_LINGER, 0);
                        }
                    } catch (IOException io) {
                        if (DEBUG || !stopped) io.printStackTrace(System.out);
                        break;
                    }
                    System.out.println(now() + "Tunnel: Client accepted");
                    StringBuilder headers = new StringBuilder();
                    Socket targetConnection = null;
                    InputStream  ccis = clientConnection.getInputStream();
                    OutputStream ccos = clientConnection.getOutputStream();
                    Writer w = new OutputStreamWriter(
                                   clientConnection.getOutputStream(), "UTF-8");
                    PrintWriter pw = new PrintWriter(w);
                    System.out.println(now() + "Tunnel: Reading request line");
                    String requestLine = readLine(ccis);
                    System.out.println(now() + "Tunnel: Request line: " + requestLine);
                    if (requestLine.startsWith("CONNECT ")) {
                        // We should probably check that the next word following
                        // CONNECT is the host:port of our HTTPS serverImpl.
                        // Some improvement for a followup!
                        StringTokenizer tokenizer = new StringTokenizer(requestLine);
                        String connect = tokenizer.nextToken();
                        assert connect.equalsIgnoreCase("connect");
                        String hostport = tokenizer.nextToken();
                        InetSocketAddress targetAddress;
                        List<String> hosts = new ArrayList<>();
                        try {
                            URI uri = new URI("https", hostport, "/", null, null);
                            int port = uri.getPort();
                            port = port == -1 ? 443 : port;
                            targetAddress = new InetSocketAddress(uri.getHost(), port);
                            if (serverImpl != null) {
                                assert targetAddress.getHostString()
                                        .equalsIgnoreCase(serverImpl.getAddress().getHostString());
                                assert targetAddress.getPort() == serverImpl.getAddress().getPort();
                            }
                        } catch (Throwable x) {
                            System.err.printf("Bad target address: \"%s\" in \"%s\"%n",
                                    hostport, requestLine);
                            toClose.close();
                            continue;
                        }

                        // Read all headers until we find the empty line that
                        // signals the end of all headers.
                        String line = requestLine;
                        while(!line.equals("")) {
                            System.out.println(now() + "Tunnel: Reading header: "
                                               + (line = readLine(ccis)));
                            headers.append(line).append("\r\n");
                            int index = line.indexOf(':');
                            if (index >= 0) {
                                String key = line.substring(0, index).trim();
                                if (key.equalsIgnoreCase("host")) {
                                    hosts.add(line.substring(index+1).trim());
                                }
                            }
                        }
                        StringBuilder response = new StringBuilder();
                        if (TUNNEL_REQUIRES_HOST) {
                            if (badRequest(response, hostport, hosts)) {
                                System.out.println(now() + "Tunnel: Sending " + response);
                                // send the 400 response
                                pw.print(response.toString());
                                pw.flush();
                                toClose.close();
                                continue;
                            } else {
                                assert hosts.size() == 1;
                                System.out.println(now()
                                        + "Tunnel: Host header verified " + hosts);
                            }
                        }

                        final boolean authorize = authorize(response, requestLine, headers.toString());
                        if (!authorize) {
                            System.out.println(now() + "Tunnel: Sending "
                                    + response);
                            // send the 407 response
                            pw.print(response.toString());
                            pw.flush();
                            toClose.close();
                            continue;
                        }
                        System.out.println(now()
                                + "Tunnel connecting to target server at "
                                + targetAddress.getAddress() + ":" + targetAddress.getPort());
                        targetConnection = new Socket(
                                targetAddress.getAddress(),
                                targetAddress.getPort());

                        // Then send the 200 OK response to the client
                        System.out.println(now() + "Tunnel: Sending "
                                           + response);
                        pw.print(response);
                        pw.flush();
                    } else {
                        // This should not happen. If it does then just print an
                        // error - both on out and err, and close the accepted
                        // socket
                        System.out.println("WARNING: Tunnel: Unexpected status line: "
                                + requestLine + " received by "
                                + ss.getLocalSocketAddress()
                                + " from "
                                + toClose.getRemoteSocketAddress()
                                + " - closing accepted socket");
                        // Print on err
                        System.err.println("WARNING: Tunnel: Unexpected status line: "
                                             + requestLine + " received by "
                                           + ss.getLocalSocketAddress()
                                           + " from "
                                           + toClose.getRemoteSocketAddress());
                        // close accepted socket.
                        toClose.close();
                        System.err.println("Tunnel: accepted socket closed.");
                        continue;
                    }

                    // Pipe the input stream of the client connection to the
                    // output stream of the target connection and conversely.
                    // Now the client and target will just talk to each other.
                    System.out.println(now() + "Tunnel: Starting tunnel pipes");
                    CompletableFuture<Void> end, end1, end2;
                    Thread t1 = pipe(ccis, targetConnection.getOutputStream(), '+',
                            end1 = new CompletableFuture<>());
                    Thread t2 = pipe(targetConnection.getInputStream(), ccos, '-',
                            end2 = new CompletableFuture<>());
                    end = CompletableFuture.allOf(end1, end2);
                    end.whenComplete(
                            (r,t) -> {
                                try { toClose.close(); } catch (IOException x) { }
                                finally {connectionCFs.remove(end);}
                            });
                    connectionCFs.add(end);
                    t1.start();
                    t2.start();
                }
            } catch (Throwable ex) {
                try {
                    ss.close();
                } catch (IOException ex1) {
                    ex.addSuppressed(ex1);
                }
                ex.printStackTrace(System.err);
            } finally {
                System.out.println(now() + "Tunnel: exiting (stopped=" + stopped + ")");
                connectionCFs.forEach(cf -> cf.complete(null));
            }
        }
    }

    /**
     * Creates a TunnelingProxy that can serve multiple servers.
     * The server address is extracted from the CONNECT request line.
     * @param authScheme The authentication scheme supported by the proxy.
     *                   Typically one of DIGEST, BASIC, NONE.
     * @return A new TunnelingProxy able to serve multiple servers.
     * @throws IOException If the proxy could not be created.
     */
    public static TunnelingProxy createHttpsProxyTunnel(HttpAuthSchemeType authScheme)
            throws IOException {
        HttpsProxyTunnel result = new HttpsProxyTunnel("", null, null, null);
        if (authScheme != HttpAuthSchemeType.NONE) {
            result.configureAuthentication(null,
                                           authScheme,
                                           AUTHENTICATOR,
                                           HttpAuthType.PROXY);
        }
        return result;
    }

    private static String protocol(String protocol) {
        if ("http".equalsIgnoreCase(protocol)) return "http";
        else if ("https".equalsIgnoreCase(protocol)) return "https";
        else throw new InternalError("Unsupported protocol: " + protocol);
    }

    public static URL url(String protocol, InetSocketAddress address,
                          String path) throws MalformedURLException {
        return new URL(protocol(protocol),
                address.getHostString(),
                address.getPort(), path);
    }

    public static URI uri(String protocol, InetSocketAddress address,
                          String path) throws URISyntaxException {
        return new URI(protocol(protocol) + "://" +
                address.getHostString() + ":" +
                address.getPort() + path);
    }
}