1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_HTTP_HTTP_AUTH_H_
#define NET_HTTP_HTTP_AUTH_H_
#include <set>
#include <string>
#include "base/memory/scoped_ptr.h"
#include "net/base/auth.h"
#include "net/base/net_export.h"
#include "net/http/http_util.h"
template <class T> class scoped_refptr;
namespace net {
class BoundNetLog;
class HttpAuthHandler;
class HttpAuthHandlerFactory;
class HttpResponseHeaders;
// Utility class for http authentication.
class NET_EXPORT_PRIVATE HttpAuth {
public:
// Http authentication can be done the the proxy server, origin server,
// or both. This enum tracks who the target is.
enum Target {
AUTH_NONE = -1,
// We depend on the valid targets (!= AUTH_NONE) being usable as indexes
// in an array, so start from 0.
AUTH_PROXY = 0,
AUTH_SERVER = 1,
AUTH_NUM_TARGETS = 2,
};
// What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about
// the previous authorization attempt.
enum AuthorizationResult {
AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted,
// although there still may be additional
// rounds of challenges.
AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected.
AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the
// authorization attempt is stale, but
// otherwise the attempt was valid.
AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are
// poorly formed (the authorization attempt
// itself may have been fine).
AUTHORIZATION_RESULT_DIFFERENT_REALM, // The authorization
// attempt was rejected,
// but the realm associated
// with the new challenge
// is different from the
// previous attempt.
};
// Describes where the identity used for authentication came from.
enum IdentitySource {
// Came from nowhere -- the identity is not initialized.
IDENT_SRC_NONE,
// The identity came from the auth cache, by doing a path-based
// lookup (premptive authorization).
IDENT_SRC_PATH_LOOKUP,
// The identity was extracted from a URL of the form:
// http://<username>:<password>@host:port
IDENT_SRC_URL,
// The identity was retrieved from the auth cache, by doing a
// realm lookup.
IDENT_SRC_REALM_LOOKUP,
// The identity was provided by RestartWithAuth -- it likely
// came from a prompt (or maybe the password manager).
IDENT_SRC_EXTERNAL,
// The identity used the default credentials for the computer,
// on schemes that support single sign-on.
IDENT_SRC_DEFAULT_CREDENTIALS,
};
enum Scheme {
AUTH_SCHEME_BASIC = 0,
AUTH_SCHEME_DIGEST,
AUTH_SCHEME_NTLM,
AUTH_SCHEME_NEGOTIATE,
AUTH_SCHEME_SPDYPROXY,
AUTH_SCHEME_MOCK,
AUTH_SCHEME_MAX,
};
// Helper structure used by HttpNetworkTransaction to track
// the current identity being used for authorization.
struct Identity {
Identity();
IdentitySource source;
bool invalid;
AuthCredentials credentials;
};
// Get the name of the header containing the auth challenge
// (either WWW-Authenticate or Proxy-Authenticate).
static std::string GetChallengeHeaderName(Target target);
// Get the name of the header where the credentials go
// (either Authorization or Proxy-Authorization).
static std::string GetAuthorizationHeaderName(Target target);
// Returns a string representation of a Target value that can be used in log
// messages.
static std::string GetAuthTargetString(Target target);
// Returns a string representation of an authentication Scheme.
static const char* SchemeToString(Scheme scheme);
// Iterate through the challenge headers, and pick the best one that
// we support. Obtains the implementation class for handling the challenge,
// and passes it back in |*handler|. If no supported challenge was found,
// |*handler| is set to NULL.
//
// |disabled_schemes| is the set of schemes that we should not use.
//
// |origin| is used by the NTLM and Negotiation authentication scheme to
// construct the service principal name. It is ignored by other schemes.
static void ChooseBestChallenge(
HttpAuthHandlerFactory* http_auth_handler_factory,
const HttpResponseHeaders* headers,
Target target,
const GURL& origin,
const std::set<Scheme>& disabled_schemes,
const BoundNetLog& net_log,
scoped_ptr<HttpAuthHandler>* handler);
// Handle a 401/407 response from a server/proxy after a previous
// authentication attempt. For connection-based authentication schemes, the
// new response may be another round in a multi-round authentication sequence.
// For request-based schemes, a 401/407 response is typically treated like a
// rejection of the previous challenge, except in the Digest case when a
// "stale" attribute is present.
//
// |handler| must be non-NULL, and is the HttpAuthHandler from the previous
// authentication round.
//
// |headers| must be non-NULL and contain the new HTTP response.
//
// |target| specifies whether the authentication challenge response came
// from a server or a proxy.
//
// |disabled_schemes| are the authentication schemes to ignore.
//
// |challenge_used| is the text of the authentication challenge used in
// support of the returned AuthorizationResult. If no headers were used for
// the result (for example, all headers have unknown authentication schemes),
// the value is cleared.
static AuthorizationResult HandleChallengeResponse(
HttpAuthHandler* handler,
const HttpResponseHeaders* headers,
Target target,
const std::set<Scheme>& disabled_schemes,
std::string* challenge_used);
};
} // namespace net
#endif // NET_HTTP_HTTP_AUTH_H_
|
