quarkus-rest-client-reactive-jackson removing credentials from URIs and URLs #30289

Closed
Cs4r opened this issue Jan 10, 2023 · 11 comments · Fixed by #30344

Cs4r commented Jan 10, 2023

Describe the bug

The quarkus-rest-client-reactive-jackson is not properly handling URIs that contain a username and password. When making a request to such a URI, the username and password are being removed from the URI, resulting in the request failing due to authentication issues.

PS: It's also happening when using URLs:

RestClientBuilder.newBuilder().baseUrl(urlToInvoke)...build();

Expected behavior

The POST request should be made to the URI "https://USER:PASSWORD@public-develop-company-dev.cloud.com:23090/topics/topic-name" and include the username and password in the URI.

Actual behavior

The request is made to the URI "https://public-develop-company-dev.cloud.com:23090/topics/topic-name", hence the username and password are removed from the URI.

How to Reproduce?

  1. Create a new Quarkus application and add the quarkus-rest-client-reactive-jackson dependency to the project.
  2. In the code, use the RestClientBuilder (RestClientBuilder.newBuilder().baseUri(uriToInvoke)...build();) to create a new client and set the base URI to a URI that includes a username and password, such as "https://USER:PASSWORD@public-develop-company-dev.cloud.com:23090/topics/topic-name".
  3. Make a request to the URI using the created client.
  4. Actual URI invoked: "https://public-develop-company-dev.cloud.com:23090/topics/topic-name"

Quarkus version or git rev

2.12.0.CR1 and 2.15.2.Final

Additional information

As seen in the provided log below, obtained using the following application properties:

quarkus.rest-client.logging.scope=request-response
quarkus.rest-client.logging.body-limit=1024
quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG

the quarkus-rest-client-reactive-jackson library is sending the request with an incorrect URI:

Request:

POST https://public-develop-company-dev.cloud.com:23090/topics/topic-name Headers[Accept=application/json Content-Type=application/vnd.kafka.json.v2+json User-Agent=Resteasy Reactive Client content-length=407], Body: {"records":[{"value":{ "body": "theBody" }}]}

As you can see, it is not including the credentials "USER:PASSWORD" in the URI. Instead, the credentials are being removed, resulting in the request failing due to authentication issues.

Also, it can be noticed that the request contains headers such as Accept=application/json, Content-Type=application/vnd.kafka.json.v2+json, User-Agent=Resteasy Reactive Client and content-length=407 which can also provide some information about the request.

It is important to note that this bug can cause issues when trying to connect to a service that requires authentication and can prevent the application from communicating with this service.

@Cs4r Cs4r added the kind/bug Something isn't working label Jan 10, 2023
@quarkus-bot quarkus-bot bot added area/jackson Issues related to Jackson (JSON library) area/rest-client labels Jan 10, 2023

quarkus-bot bot commented Jan 10, 2023

/cc @Sgitario(rest-client), @cescoffier(rest-client), @geoand(jackson,rest-client), @gsmet(jackson)

Contributor

geoand commented Jan 10, 2023

Does the same happen with Quarkus 2.15.2.Final?

Author

Cs4r commented Jan 11, 2023

Hey @geoand,

I have just tried and it also happens with 2.15.3.Final

Contributor

geoand commented Jan 11, 2023

Thanks for checking. We will have a look soon

Contributor

geoand commented Jan 12, 2023

Would you mind uploading a sample so we can use it for testing?

Author

Cs4r commented Jan 12, 2023

@geoand here's the minimum code to reproduce the bug => https://github.com/Cs4r/quarkus-rest-client-bug

If you run the test named QuarkusContextIT you will be able to see the Request and Response in the logs:

Request:

2023-01-12 14:08:09,113 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-3) Request: POST https://public-develop-lottoland-dev.aivencloud.com:23090/topics/topic Headers[Accept=application/json Content-Type=application/vnd.kafka.json.v2+json User-Agent=Resteasy Reactive Client content-length=41], Body:
{"records":[{"value":{"status": "ok" }}]}

Please observe that the POSTed URL lacks the username and password, as it should be https://USER:PASSWORD@public-develop-lottoland-dev.aivencloud.com:23090/topics/topic.

Response

2023-01-12 14:08:09,206 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-3) Response: POST https://public-develop-lottoland-dev.aivencloud.com:23090/topics/topic, Status[401 Unauthorized], Headers[Content-Length=110 WWW-Authenticate=Basic realm="service_rest_users" Cache-Control=no-cache Content-Type=text/html Strict-Transport-Security=max-age=31536000; includeSubDomains Referrer-Policy=no-referrer], Body:
<html><body><h1>401 Unauthorized</h1>You need a valid user and password to access this content.</body></html>
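
Added example, not part of the issue thread or of the Quarkus code base: the 401 response above carries WWW-Authenticate: Basic, so the server expects the credentials in an Authorization header. The sketch below uses only the JDK to split the userInfo off a URI into a credential-free URI plus a Basic header value; the class and method names are hypothetical, and the host and credentials are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: UserInfoSplitter and split() are hypothetical names, not Quarkus API.
// Uses a record, so it needs Java 16 or later.
public class UserInfoSplitter {

    /** The URI without credentials, and the Authorization header value (null if none). */
    record Split(URI uriWithoutUserInfo, String authorizationHeader) {}

    static Split split(URI uri) throws URISyntaxException {
        String userInfo = uri.getUserInfo(); // decoded "user:password", or null
        if (userInfo == null) {
            return new Split(uri, null);     // nothing to move into a header
        }
        // RFC 7617: Basic credentials are base64("user:password").
        String token = Base64.getEncoder()
                .encodeToString(userInfo.getBytes(StandardCharsets.UTF_8));
        // Rebuild the URI without userInfo so the secret stays out of
        // request logs, exception messages and metrics labels.
        URI stripped = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), uri.getQuery(), uri.getFragment());
        return new Split(stripped, "Basic " + token);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample input; host and credentials are placeholders.
        URI input = new URI("https://USER:PASSWORD@example.invalid:23090/topics/topic-name");
        Split s = split(input);
        System.out.println("Request URI:   " + s.uriWithoutUserInfo());
        System.out.println("Authorization: " + s.authorizationHeader());
    }
}
```
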

Contributor

geoand commented Jan 12, 2023

Thank you

Member

gsmet commented Jan 12, 2023

Probably a good idea to check we don't convert that to basic authentication headers. I know some layers are doing that automatically.

Author

Cs4r commented Jan 12, 2023

@gsmet according to the logs it seems it doesn't transform the USER:PASSWORD into authentication headers

Contributor

geoand commented Jan 12, 2023

I'll try and have a look tomorrow

Contributor

geoand commented Jan 12, 2023

#30344 takes care of the issue

geoand added a commit that referenced this issue Jan 13, 2023
Support URIs userInfo data in REST Client Reactive
@quarkus-bot quarkus-bot bot added this to the 2.17 - main milestone Jan 13, 2023
@gsmet gsmet modified the milestones: 2.17 - main, 2.16.0.Final Jan 17, 2023
gsmet pushed a commit to gsmet/quarkus that referenced this issue Jan 17, 2023
ebullient pushed a commit to maxandersen/quarkus that referenced this issue Jan 24, 2023