http remote backend initialization fails due to unescaped username

[FalcoSuessgott]

Backend initialization fails if the username contains a .

The problem is the setting of the basic auth header without escaping the parameters:

terraform/backend/remote-state/http/client.go

Lines 53 to 56 in 6697245

	if c.Username != "" {
	req.SetBasicAuth(c.Username, c.Password)
	}

In that PR I escaped the url, username and password using url.EscapeQuery, now it works:

$> terraform init \
-backend-config="address=url" \
-backend-config="lock_address=url" \
-backend-config="unlock_address=url" \
-backend-config="password=foo" \
-backend-config="lock_method=POST" \
-backend-config="unlock_method=DELETE" \
-backend-config="retry_wait_min=5" \
-backend-config="username=user.name"
Terraform initialized in an empty directory!

related Issues:

• https://github.com/gitlabhq/terraform-provider-gitlab/issues/476

[hashicorp-cla]

All committers have signed the CLA.

[codecov]

Codecov Report

Merging #28302 (69a1fef) into main (b7fb533) will not change coverage.
The diff coverage is 50.00%.

Impacted Files	Coverage Δ
backend/remote-state/http/client.go	50.42% <50.00%> (ø)

[apparentlymart]

Hi @FalcoSuessgott! Thanks for working on this.

This SetBasicAuth function populates an Authorization header in the request, and such headers are not subject to URL encoding. Instead, the encoding of this would be Authorization: Basic followed by a base64-encoded version of the username and password concatenated together using a colon, as we can see in RFC 7617 section 2.

If your particular target system is requiring the username to be encoded then this seems to be a quirk of that particular system rather than a general HTTP requirement, because RFC 7617 and RFC 7235 don't call for any encoding other than octet encoding (as UTF-8) and base64 encoding for these values.

For that reason, I don't think it would be appropriate to force this on all users of the http backend. Instead, this seems better addressed by you configuring the HTTP backend to send the username in the form your server expects, which I guess in this case would involve using percent-encoding for that period:

-backend-config="username=user%2Ename"

Please let me know if I've missed something here! Thanks,

[FalcoSuessgott]

@apparentlymart thanks for that explanation, your right! :) 👍

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.