Fix multi-round authentication.

In the case of Negotiate, authentication can look like

C: GET
S: 401, WWW-Authenticate: Negotiate

C: GET, WWW-Authorization: Negotiate <client_token_1>
S: 401, WWW-Authenticate: Negotiate <server_token_1>

C: GET, WWW-Authorization: Negotiate <client_token_2>
S: 401, WWW-Authenticate: Negotiate <server_token_2>

on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned.

This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough.

BUG=53282
TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild.

Review URL: http://codereview.chromium.org/3360017

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 27 insertions, 15 deletions

diff --git a/net/http/http_auth.cc b/net/http/http_auth.cc
index bb8c805..aaa4de0 100644
--- a/net/http/http_auth.cc
+++ b/net/http/http_auth.cc
@@ -28,21 +28,7 @@ void HttpAuth::ChooseBestChallenge(
     const BoundNetLog& net_log,
     scoped_ptr<HttpAuthHandler>* handler) {
   DCHECK(http_auth_handler_factory);
-
-  // A connection-based authentication scheme must continue to use the
-  // existing handler object in |*handler|.
-  if (handler->get() && (*handler)->is_connection_based() &&
-      (disabled_schemes.find((*handler)->scheme()) == disabled_schemes.end())) {
-    const std::string header_name = GetChallengeHeaderName(target);
-    std::string challenge;
-    void* iter = NULL;
-    while (headers->EnumerateHeader(&iter, header_name, &challenge)) {
-      ChallengeTokenizer props(challenge.begin(), challenge.end());
-      if (LowerCaseEqualsASCII(props.scheme(), (*handler)->scheme().c_str()) &&
-          (*handler)->InitFromChallenge(&props, target, origin, net_log))
-        return;
-    }
-  }
+  DCHECK(handler->get() == NULL);
 
   // Choose the challenge whose authentication handler gives the maximum score.
   scoped_ptr<HttpAuthHandler> best;
@@ -65,6 +51,32 @@ void HttpAuth::ChooseBestChallenge(
   handler->swap(best);
 }
 
+// static
+HttpAuth::AuthorizationResult HttpAuth::HandleChallengeResponse(
+    HttpAuthHandler* handler,
+    const HttpResponseHeaders* headers,
+    Target target,
+    const std::set<std::string>& disabled_schemes) {
+  const std::string& current_scheme = handler->scheme();
+  if (disabled_schemes.find(current_scheme) != disabled_schemes.end())
+    return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+  const std::string header_name = GetChallengeHeaderName(target);
+  void* iter = NULL;
+  std::string challenge;
+  HttpAuth::AuthorizationResult authorization_result =
+      HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  while (headers->EnumerateHeader(&iter, header_name, &challenge)) {
+    HttpAuth::ChallengeTokenizer props(challenge.begin(), challenge.end());
+    if (!LowerCaseEqualsASCII(props.scheme(), current_scheme.c_str()))
+      continue;
+    authorization_result = handler->HandleAnotherChallenge(&props);
+    if (authorization_result != HttpAuth::AUTHORIZATION_RESULT_INVALID)
+      return authorization_result;
+  }
+  // Finding no matches is equivalent to rejection
+  return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+}
+
 void HttpAuth::ChallengeTokenizer::Init(std::string::const_iterator begin,
                                         std::string::const_iterator end) {
   // The first space-separated token is the auth-scheme.