// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_
#define NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_

#include <string>

#include "build/build_config.h"

#include "build/build_config.h"
#include "net/base/address_list.h"
#include "net/http/http_auth_handler.h"
#include "net/http/http_auth_handler_factory.h"

#if defined(OS_WIN)
#include "net/http/http_auth_sspi_win.h"
#endif

#if defined(OS_POSIX)
#include "net/http/http_auth_gssapi_posix.h"
#endif

namespace net {

class HostResolver;
class SingleRequestHostResolver;
class URLSecurityManager;

// Handler for WWW-Authenticate: Negotiate protocol.
//
// See http://tools.ietf.org/html/rfc4178 and http://tools.ietf.org/html/rfc4559
// for more information about the protocol.

class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 public:
  class Factory : public HttpAuthHandlerFactory {
   public:
    Factory();
    virtual ~Factory();

    // |disable_cname_lookup()| and |set_disable_cname_lookup()| get/set whether
    // the auth handlers generated by this factory should skip looking up the
    // canonical DNS name of the the host that they are authenticating to when
    // generating the SPN. The default value is false.
    bool disable_cname_lookup() const { return disable_cname_lookup_; }
    void set_disable_cname_lookup(bool disable_cname_lookup) {
      disable_cname_lookup_ = disable_cname_lookup;
    }

    // |use_port()| and |set_use_port()| get/set whether the auth handlers
    // generated by this factory should include the port number of the server
    // they are authenticating to when constructing a Kerberos SPN. The default
    // value is false.
    bool use_port() const { return use_port_; }
    void set_use_port(bool use_port) { use_port_ = use_port; }

    void set_host_resolver(HostResolver* host_resolver);

    virtual int CreateAuthHandler(HttpAuth::ChallengeTokenizer* challenge,
                                  HttpAuth::Target target,
                                  const GURL& origin,
                                  CreateReason reason,
                                  int digest_nonce_count,
                                  const BoundNetLog& net_log,
                                  scoped_ptr<HttpAuthHandler>* handler);

#if defined(OS_WIN)
    // Set the SSPILibrary to use. Typically the only callers which need to
    // use this are unit tests which pass in a mocked-out version of the
    // SSPI library.
    // The caller is responsible for managing the lifetime of |*sspi_library|,
    // and the lifetime must exceed that of this Factory object and all
    // HttpAuthHandler's that this Factory object creates.
    void set_sspi_library(SSPILibrary* sspi_library) {
      sspi_library_ = sspi_library;
    }
#endif  // defined(OS_WIN)
   private:
    bool disable_cname_lookup_;
    bool use_port_;
    scoped_refptr<HostResolver> resolver_;
#if defined(OS_WIN)
    ULONG max_token_length_;
    bool first_creation_;
    bool is_unsupported_;
    SSPILibrary* sspi_library_;
#endif  // defined(OS_WIN)

#if defined(OS_POSIX)
    GSSAPILibrary* gssapi_library_;
#endif
  };

#if defined(OS_WIN)
  HttpAuthHandlerNegotiate(SSPILibrary* sspi_library, ULONG max_token_length,
                           URLSecurityManager* url_security_manager,
                           HostResolver* host_resolver,
                           bool disable_cname_lookup, bool use_port);
#endif

#if defined(OS_POSIX)
  HttpAuthHandlerNegotiate(GSSAPILibrary* gssapi_library,
                           URLSecurityManager* url_security_manager,
                           HostResolver* host_resolver,
                           bool disable_cname_lookup, bool use_port);
#endif

  virtual ~HttpAuthHandlerNegotiate();

  virtual bool NeedsIdentity();

  virtual bool IsFinalRound();

  virtual bool AllowsDefaultCredentials();

  // These are public for unit tests
  std::wstring CreateSPN(const AddressList& address_list, const GURL& orign);
  const std::wstring& spn() const { return spn_; }

 protected:
  virtual bool Init(HttpAuth::ChallengeTokenizer* challenge);

  virtual int GenerateAuthTokenImpl(const std::wstring* username,
                                    const std::wstring* password,
                                    const HttpRequestInfo* request,
                                    CompletionCallback* callback,
                                    std::string* auth_token);

 private:
  enum State {
    STATE_RESOLVE_CANONICAL_NAME,
    STATE_RESOLVE_CANONICAL_NAME_COMPLETE,
    STATE_GENERATE_AUTH_TOKEN,
    STATE_GENERATE_AUTH_TOKEN_COMPLETE,
    STATE_NONE,
  };

  void OnIOComplete(int result);
  void DoCallback(int result);
  int DoLoop(int result);

  int DoResolveCanonicalName();
  int DoResolveCanonicalNameComplete(int rv);
  int DoGenerateAuthToken();
  int DoGenerateAuthTokenComplete(int rv);

#if defined(OS_WIN)
  // Members which are constant for lifetime of the handler.
  HttpAuthSSPI auth_system_;
#endif

#if defined(OS_POSIX)
  HttpAuthGSSAPI auth_system_;
#endif

  bool disable_cname_lookup_;
  bool use_port_;
  CompletionCallbackImpl<HttpAuthHandlerNegotiate> io_callback_;
  scoped_refptr<HostResolver> resolver_;

  // Members which are needed for DNS lookup + SPN.
  AddressList address_list_;
  scoped_ptr<SingleRequestHostResolver> single_resolve_;

  // Things which should be consistent after first call to GenerateAuthToken.
  bool already_called_;
  bool has_username_and_password_;
  std::wstring username_;
  std::wstring password_;
  std::wstring spn_;

  // Things which vary each round.
  CompletionCallback* user_callback_;
  std::string* auth_token_;

  State next_state_;

  URLSecurityManager* url_security_manager_;
};

}  // namespace net

#endif  // NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_