authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-04-21 16:48:21 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-04-21 16:48:21 +0000
commit3c86adc61df3e8eaa94c93bcd9c844b9863bbff0 (patch)
tree0f53456e0ad27ca5c2856594ff02757a9cb6793f
parent1f4d4b1051f89f1e0086ea2729d35f33d3b95626 (diff)
Log the "Proxy-Support: Session-Based-Authentication"
response header. Log an INFO message whenever we receive an auth challenge. R=eroman BUG=8771 Review URL: http://codereview.chromium.org/67117 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14108 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/http/http_network_transaction.cc89
-rw-r--r--net/http/http_network_transaction.h8
2 files changed, 68 insertions, 29 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 0db4315..3e878ca 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -166,28 +166,34 @@ void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
// an error message.
if (!keep_alive && auth_handler_[target]->is_connection_based() &&
auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE) {
- std::string auth_target(target == HttpAuth::AUTH_PROXY ?
- "proxy" : "server");
LOG(ERROR) << "Can't perform " << auth_handler_[target]->scheme()
- << " auth to the " << auth_target << " "
- << AuthOrigin(target).spec()
- << " over a non-keep-alive connection";
+ << " auth to the " << AuthTargetString(target) << " "
+ << AuthOrigin(target) << " over a non-keep-alive connection";
HttpVersion http_version = response_.headers->GetHttpVersion();
LOG(ERROR) << " HTTP version is " << http_version.major_value() << "."
<< http_version.minor_value();
- std::string connection_val;
+ std::string header_val;
void* iter = NULL;
while (response_.headers->EnumerateHeader(&iter, "connection",
- &connection_val)) {
- LOG(ERROR) << " Has header Connection: " << connection_val;
+ &header_val)) {
+ LOG(ERROR) << " Has header Connection: " << header_val;
}
iter = NULL;
while (response_.headers->EnumerateHeader(&iter, "proxy-connection",
- &connection_val)) {
- LOG(ERROR) << " Has header Proxy-Connection: " << connection_val;
+ &header_val)) {
+ LOG(ERROR) << " Has header Proxy-Connection: " << header_val;
+ }
+
+ // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
+ // authentication with a "Proxy-Support: Session-Based-Authentication"
+ // response header.
+ iter = NULL;
+ while (response_.headers->EnumerateHeader(&iter, "proxy-support",
+ &header_val)) {
+ LOG(ERROR) << " Has header Proxy-Support: " << header_val;
}
}
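Review bot: The comment added above the `proxy-support` loop states the header's meaning more broadly than RFC 4559 section 6 does, as I read it. There the header signals that the proxy preserves connection-bound authentication between the client and the origin server, and a client is told not to use Negotiate through a proxy that omits it. I would reword it along the lines of `// RFC 4559 section 6: a proxy sends "Proxy-Support: Session-Based-Authentication"` followed by `// to signal that it keeps connection-based auth state intact through the proxy.` The same comment is repeated in AuthChallengeLogMessage() in a later hunk and should change with it. PrepareForAuthRestart begins above this hunk, so the rest of its body is not visible here.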
@@ -1390,6 +1396,12 @@ std::string HttpNetworkTransaction::AuthPath(HttpAuth::Target target)
std::string() : request_->url.path();
}
+// static
+std::string HttpNetworkTransaction::AuthTargetString(
+ HttpAuth::Target target) {
+ return target == HttpAuth::AUTH_PROXY ? "proxy" : "server";
+}
+
void HttpNetworkTransaction::InvalidateRejectedAuthFromCache(
HttpAuth::Target target) {
DCHECK(HaveAuth(target));
@@ -1493,6 +1505,36 @@ bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
return false;
}
+std::string HttpNetworkTransaction::AuthChallengeLogMessage() const {
+ std::string msg;
+ std::string header_val;
+ void* iter = NULL;
+ while (response_.headers->EnumerateHeader(&iter, "proxy-authenticate",
+ &header_val)) {
+ msg.append("\n Has header Proxy-Authenticate: ");
+ msg.append(header_val);
+ }
+
+ iter = NULL;
+ while (response_.headers->EnumerateHeader(&iter, "www-authenticate",
+ &header_val)) {
+ msg.append("\n Has header WWW-Authenticate: ");
+ msg.append(header_val);
+ }
+
+ // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
+ // authentication with a "Proxy-Support: Session-Based-Authentication"
+ // response header.
+ iter = NULL;
+ while (response_.headers->EnumerateHeader(&iter, "proxy-support",
+ &header_val)) {
+ msg.append("\n Has header Proxy-Support: ");
+ msg.append(header_val);
+ }
+
+ return msg;
+}
+
int HttpNetworkTransaction::HandleAuthChallenge() {
DCHECK(response_.headers);
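Review bot: AuthChallengeLogMessage() appends every `Proxy-Authenticate`, `WWW-Authenticate` and `Proxy-Support` value verbatim, and those values are chosen by the remote server or proxy with no cap on their length or count. The `LOG(INFO)` call added to HandleAuthChallenge() in the next hunk writes that string on every 401/407, and the tunnel `LOG(ERROR)` reuses it. A peer can therefore inflate the log, and for NTLM/Negotiate the base64 challenge tokens presumably end up in it as well. I would bound each value, for example `msg.append(header_val, 0, kMaxLoggedAuthHeaderLen);` with `kMaxLoggedAuthHeaderLen` a new constant this change would have to define. It would also help to log only the scheme token unless verbose logging is enabled. Whether `EnumerateHeader` already strips control characters is not visible on this page and is worth confirming before relying on one log line per header.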
@@ -1502,6 +1544,10 @@ int HttpNetworkTransaction::HandleAuthChallenge() {
HttpAuth::Target target = status == 407 ?
HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
+ LOG(INFO) << "The " << AuthTargetString(target) << " "
+ << AuthOrigin(target) << " requested auth"
+ << AuthChallengeLogMessage();
+
if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
return ERR_UNEXPECTED_PROXY_AUTH;
@@ -1520,25 +1566,10 @@ int HttpNetworkTransaction::HandleAuthChallenge() {
if (!auth_handler_[target]) {
if (establishing_tunnel_) {
- // Log an error message to help debug http://crbug.com/8771.
- std::string auth_target(target == HttpAuth::AUTH_PROXY ?
- "proxy" : "server");
- LOG(ERROR) << "Can't perform auth to the " << auth_target << " "
- << AuthOrigin(target).spec()
- << " when establishing a tunnel";
-
- std::string challenge;
- void* iter = NULL;
- while (response_.headers->EnumerateHeader(&iter, "Proxy-Authenticate",
- &challenge)) {
- LOG(ERROR) << " Has header Proxy-Authenticate: " << challenge;
- }
-
- iter = NULL;
- while (response_.headers->EnumerateHeader(&iter, "WWW-Authenticate",
- &challenge)) {
- LOG(ERROR) << " Has header WWW-Authenticate: " << challenge;
- }
+ LOG(ERROR) << "Can't perform auth to the " << AuthTargetString(target)
+ << " " << AuthOrigin(target)
+ << " when establishing a tunnel"
+ << AuthChallengeLogMessage();
// We are establishing a tunnel, we can't show the error page because an
// active network attacker could control its contents. Instead, we just
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index 3915c7e..ed63db0 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
@@ -162,6 +162,10 @@ class HttpNetworkTransaction : public HttpTransaction {
// origin server auth header, as specified by |target|
void AddAuthorizationHeader(HttpAuth::Target target);
+ // Returns a log message for all the response headers related to the auth
+ // challenge.
+ std::string AuthChallengeLogMessage() const;
+
// Handles HTTP status code 401 or 407.
// HandleAuthChallenge() returns a network error code, or OK on success.
// May update |pending_auth_target_| or |response_.auth_challenge|.
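Review bot: The declaration comment for AuthChallengeLogMessage() leaves out two things a caller needs to know. The implementation dereferences `response_.headers` unconditionally, and the returned text embeds header values taken straight from the response. I would extend the comment with `// Requires |response_.headers| to be non-NULL. The result contains unmodified` and `// header values from the peer and must only be used for logging.` The only visible callers are in HandleAuthChallenge(), which DCHECKs the headers first, so this documents the existing contract rather than changing it.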
@@ -197,6 +201,10 @@ class HttpNetworkTransaction : public HttpTransaction {
// For proxy authentication the path is always empty string.
std::string AuthPath(HttpAuth::Target target) const;
+ // Returns a string representation of a HttpAuth::Target value that can be
+ // used in log messages.
+ static std::string AuthTargetString(HttpAuth::Target target);
+
// The following three auth members are arrays of size two -- index 0 is
// for the proxy server, and index 1 is for the origin server.
// Use the enum HttpAuth::Target to index into them.