Add authenticated HTTP proxy support for Bazel downloads #28088
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
github-actions
bot
added
team-ExternalDeps
ptarjan
force-pushed
the
claude/fix-bazel-proxy-auth-HOYrA
branch
from
f2ca315 to
eddc40c
Compare
![gemini-code-assist[bot]](https://cdn.statically.io/img/avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds support for authenticated HTTP proxies in Bazel, a significant feature enhancement. The changes involve introducing a ProxyInfo class to handle proxy configurations and credentials, reading credentials from system properties, and using Java's Authenticator for HTTPS tunneling. While the implementation is thorough and includes extensive tests, I've identified a critical race condition concerning the use of the global Authenticator.setDefault. This could lead to authentication failures during parallel downloads. The rest of the implementation appears solid.
src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/ProxyHelper.java
Show resolved
Hide resolved
ptarjan
force-pushed
the
claude/fix-bazel-proxy-auth-HOYrA
branch
from
eddc40c to
7c4b023
Compare
src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/ProxyHelper.java
Show resolved
Hide resolved
src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/ProxyHelper.java
Show resolved
Hide resolved
ptarjan
force-pushed
the
claude/fix-bazel-proxy-auth-HOYrA
branch
2 times, most recently
from
24bd974 to
1f3857a
Compare
ptarjan
force-pushed
the
claude/fix-bazel-proxy-auth-HOYrA
branch
from
1f3857a to
0573e72
Compare
This change enables Bazel to work with authenticated HTTP proxies by: 1. Reading proxy credentials from http.proxyUser/http.proxyPassword and https.proxyUser/https.proxyPassword system properties 2. Setting the Proxy-Authorization header directly on HTTP connections to ensure proper authentication with the proxy server 3. Automatically enabling Basic auth for HTTPS tunneling by clearing jdk.http.auth.tunneling.disabledSchemes (which defaults to "Basic") 4. Using Java's Authenticator mechanism for HTTPS CONNECT tunneling, with RequestorType.PROXY check to prevent credential leakage The ProxyHelper now returns a ProxyInfo object that contains both the Proxy and optional authentication credentials, allowing HttpConnector to set appropriate headers. Fixes bazelbuild#14675 Fixes bazelbuild#7487 Fixes bazelbuild#6196 Fixes bazelbuild#26674 Related to bazelbuild#601 Related to bazelbuild#587 Related to bazelbuild#11374 Related to bazelbuild#15740 Related to bazelbuild#3993
ptarjan
force-pushed
the
claude/fix-bazel-proxy-auth-HOYrA
branch
from
0573e72 to
c4f0e10
Compare
2 participants
This change enables Bazel to work with authenticated HTTP proxies by:
Reading proxy credentials from http.proxyUser/http.proxyPassword and https.proxyUser/https.proxyPassword system properties
Setting the Proxy-Authorization header directly on HTTP connections to ensure proper authentication with the proxy server
Automatically enabling Basic auth for HTTPS tunneling by clearing jdk.http.auth.tunneling.disabledSchemes (which defaults to "Basic")
Using Java's Authenticator mechanism for HTTPS CONNECT tunneling, with RequestorType.PROXY check to prevent credential leakage
The ProxyHelper now returns a ProxyInfo object that contains both the Proxy and optional authentication credentials, allowing HttpConnector to set appropriate headers.
Fixes #14675
Fixes #7487
Fixes #6196
Fixes #26674
Related to #601
Related to #587
Related to #11374
Related to #15740
Related to #3993