remote: Add support for HTTP Basic Auth

Closes bazelbuild#4609.

PiperOrigin-RevId: 185032751

site/docs/remote-caching.md

@@ -19,6 +19,7 @@ make builds significantly faster.
     * [Bazel Remote Cache](#bazel-remote-cache)
     * [Google Cloud Storage](#google-cloud-storage)
     * [Other servers](#other-servers)
+* [Authentication](#authentication)
 * [HTTP Caching Protocol](#http-caching-protocol)
 * [Run Bazel using the remote cache](#run-bazel-using-the-remote-cache)
     * [Read from and write to the remote cache](#read-from-and-write-to-the-remote-cache)
@@ -174,6 +175,14 @@ You can set up any HTTP/1.1 server that supports PUT and GET as the cache's
 backend. Users have reported success with caching backends such as [Hazelcast],
 [Apache httpd], and [AWS S3].
 
+## Authentication
+
+As of version 0.11.0 support for HTTP Basic Authentication was added to Bazel.
+You can pass a username and password to Bazel via the remote cache URL. The
+syntax is `https://username:[email protected]:port/path`. Please note that
+HTTP Basic Authentication transmits username and password in plaintext over the
+network and it's thus critical to always use it with HTTPS.
+
 ## HTTP Caching Protocol
 
 Bazel supports remote caching via HTTP/1.1. The protocol is conceptually simple:

src/main/java/com/google/devtools/build/lib/remote/blobstore/http/AbstractHttpHandler.java

@@ -14,10 +14,13 @@
 package com.google.devtools.build.lib.remote.blobstore.http;
 
 import com.google.auth.Credentials;
+import com.google.common.base.Charsets;
+import com.google.common.io.BaseEncoding;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelOutboundHandler;
 import io.netty.channel.ChannelPromise;
 import io.netty.channel.SimpleChannelInboundHandler;
+import io.netty.handler.codec.http.HttpHeaderNames;
 import io.netty.handler.codec.http.HttpObject;
 import io.netty.handler.codec.http.HttpRequest;
 import java.io.IOException;
@@ -53,6 +56,12 @@ protected void succeedAndResetUserPromise() {
   }
 
   protected void addCredentialHeaders(HttpRequest request, URI uri) throws IOException {
+    String userInfo = uri.getUserInfo();
+    if (userInfo != null) {
+      String value = BaseEncoding.base64Url().encode(userInfo.getBytes(Charsets.UTF_8));
+      request.headers().set(HttpHeaderNames.AUTHORIZATION, "Basic " + value);
+      return;
+    }
     if (credentials == null || !credentials.hasRequestMetadata()) {
       return;
     }

src/test/java/com/google/devtools/build/lib/remote/blobstore/http/AbstractHttpHandlerTest.java

@@ -0,0 +1,60 @@
+// Copyright 2018 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.devtools.build.lib.remote.blobstore.http;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import io.netty.channel.ChannelPromise;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.codec.http.HttpHeaderNames;
+import io.netty.handler.codec.http.HttpRequest;
+import java.io.ByteArrayOutputStream;
+import java.net.URI;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+import org.mockito.Mockito;
+
+/** Tests for {@link AbstractHttpHandlerTest}. */
+@RunWith(JUnit4.class)
+public abstract class AbstractHttpHandlerTest {
+
+  @Test
+  public void basicAuthShouldWork() throws Exception {
+    URI uri = new URI("http://user:[email protected]/foo");
+    EmbeddedChannel ch = new EmbeddedChannel(new HttpDownloadHandler(null));
+    ByteArrayOutputStream out = Mockito.spy(new ByteArrayOutputStream());
+    DownloadCommand cmd = new DownloadCommand(uri, true, "abcdef", new ByteArrayOutputStream());
+    ChannelPromise writePromise = ch.newPromise();
+    ch.writeOneOutbound(cmd, writePromise);
+
+    HttpRequest request = ch.readOutbound();
+    assertThat(request.headers().get(HttpHeaderNames.AUTHORIZATION))
+        .isEqualTo("Basic dXNlcjpwYXNzd29yZA==");
+  }
+
+  @Test
+  public void basicAuthShouldNotEnabled() throws Exception {
+    URI uri = new URI("http://does.not.exist/foo");
+    EmbeddedChannel ch = new EmbeddedChannel(new HttpDownloadHandler(null));
+    ByteArrayOutputStream out = Mockito.spy(new ByteArrayOutputStream());
+    DownloadCommand cmd = new DownloadCommand(uri, true, "abcdef", new ByteArrayOutputStream());
+    ChannelPromise writePromise = ch.newPromise();
+    ch.writeOneOutbound(cmd, writePromise);
+
+    HttpRequest request = ch.readOutbound();
+    assertThat(request.headers().contains(HttpHeaderNames.AUTHORIZATION)).isFalse();
+  }
+}

src/test/java/com/google/devtools/build/lib/remote/blobstore/http/HttpDownloadHandlerTest.java

@@ -40,7 +40,7 @@
 
 /** Tests for {@link HttpDownloadHandler}. */
 @RunWith(JUnit4.class)
-public class HttpDownloadHandlerTest {
+public class HttpDownloadHandlerTest extends AbstractHttpHandlerTest {
 
   private static final URI CACHE_URI = URI.create("http://storage.googleapis.com:80/cache-bucket");
 

src/test/java/com/google/devtools/build/lib/remote/blobstore/http/HttpUploadHandlerTest.java

@@ -37,7 +37,7 @@
 
 /** Tests for {@link HttpUploadHandler}. */
 @RunWith(JUnit4.class)
-public class HttpUploadHandlerTest {
+public class HttpUploadHandlerTest extends AbstractHttpHandlerTest {
 
   private static final URI CACHE_URI = URI.create("http://storage.googleapis.com:80/cache-bucket");