net/http/http_auth_handler.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_AUTH_HANDLER_H_
#define NET_HTTP_HTTP_AUTH_HANDLER_H_

#include <string>

#include "base/ref_counted.h"
#include "net/http/http_auth.h"

namespace net {

class HttpRequestInfo;
class ProxyInfo;

// HttpAuthHandler is the interface for the authentication schemes
// (basic, digest, ...)
// The registry mapping auth-schemes to implementations is hardcoded in
// HttpAuth::CreateAuthHandler().
class HttpAuthHandler : public base::RefCounted<HttpAuthHandler> {
 public:
  // Initialize the handler by parsing a challenge string.
  bool InitFromChallenge(std::string::const_iterator begin,
                         std::string::const_iterator end,
                         HttpAuth::Target target,
                         const GURL& origin);

  // Lowercase name of the auth scheme
  const std::string& scheme() const {
    return scheme_;
  }

  // The realm value that was parsed during Init().
  const std::string& realm() const {
    return realm_;
  }

  // Numeric rank based on the challenge's security level. Higher
  // numbers are better. Used by HttpAuth::ChooseBestChallenge().
  int score() const {
    return score_;
  }

  HttpAuth::Target target() const {
    return target_;
  }

  // Returns true if the authentication scheme does not send the username and
  // password in the clear.
  bool encrypts_identity() const {
    return (properties_ & ENCRYPTS_IDENTITY) != 0;
  }

  // Returns true if the authentication scheme is connection-based, for
  // example, NTLM.  A connection-based authentication scheme does not support
  // preemptive authentication, and must use the same handler object
  // throughout the life of an HTTP transaction.
  bool is_connection_based() const {
    return (properties_ & IS_CONNECTION_BASED) != 0;
  }

  // Returns true if the response to the current authentication challenge
  // requires an identity.
  // TODO(wtc): Find a better way to handle a multi-round challenge-response
  // sequence used by a connection-based authentication scheme.
  virtual bool NeedsIdentity() { return true; }

  // Returns true if this is the final round of the authentication sequence.
  // For Basic and Digest, the method always returns true because they are
  // single-round schemes.
  virtual bool IsFinalRound() { return true; }

  // Returns whether the default credentials may be used for the |origin| passed
  // into |InitFromChallenge|. If true, the user does not need to be prompted
  // for username and password to establish credentials.
  virtual bool AllowDefaultCredentials() { return false; }

  // TODO(cbentzel): Separate providing credentials from generating the
  // authentication token in the API.

  // Generates an authentication token.
  // The return value is an error code. If the code is not |OK|, the value of
  // |*auth_token| is unspecified.
  // |auth_token| is a return value and must be non-NULL.
  virtual int GenerateAuthToken(const std::wstring& username,
                                const std::wstring& password,
                                const HttpRequestInfo* request,
                                const ProxyInfo* proxy,
                                std::string* auth_token) = 0;

  // Generates an authentication token using default credentials.
  // The return value is an error code. If the code is not |OK|, the value of
  // |*auth_token| is unspecified.
  // |auth_token| is a return value and must be non-NULL.
  // This should only be called after |AllowDefaultCredentials| returns true.
  virtual int GenerateDefaultAuthToken(const HttpRequestInfo* request,
                                       const ProxyInfo* proxy,
                                       std::string* auth_token) = 0;

 protected:
  enum Property {
    ENCRYPTS_IDENTITY = 1 << 0,
    IS_CONNECTION_BASED = 1 << 1,
  };

  friend class base::RefCounted<HttpAuthHandler>;

  virtual ~HttpAuthHandler() { }

  // Initialize the handler by parsing a challenge string.
  // Implementations are expcted to initialize the following members:
  // scheme_, realm_, score_, properties_
  virtual bool Init(std::string::const_iterator challenge_begin,
                    std::string::const_iterator challenge_end) = 0;

  // The lowercase auth-scheme {"basic", "digest", "ntlm", ...}
  std::string scheme_;

  // The realm.  Used by "basic" and "digest".
  std::string realm_;

  // The {scheme, host, port} for the authentication target.  Used by "ntlm"
  // to construct the service principal name.
  GURL origin_;

  // The score for this challenge. Higher numbers are better.
  int score_;

  // Whether this authentication request is for a proxy server, or an
  // origin server.
  HttpAuth::Target target_;

  // A bitmask of the properties of the authentication scheme.
  int properties_;
};

}  // namespace net

#endif  // NET_HTTP_HTTP_AUTH_HANDLER_H_