net/http/http_auth_handler_negotiate.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_
#define NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_

#include "build/build_config.h"

#include <string>

#include "net/base/address_list.h"
#include "net/http/http_auth_handler.h"
#include "net/http/http_auth_handler_factory.h"

#if defined(OS_WIN)
#include "net/http/http_auth_sspi_win.h"
#endif

namespace net {

class SingleRequestHostResolver;
class URLSecurityManager;

// Handler for WWW-Authenticate: Negotiate protocol.
//
// See http://tools.ietf.org/html/rfc4178 and http://tools.ietf.org/html/rfc4559
// for more information about the protocol.

class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 public:
  class Factory : public HttpAuthHandlerFactory {
   public:
    Factory();
    virtual ~Factory();

    // |disable_cname_lookup()| and |set_disable_cname_lookup()| get/set whether
    // the auth handlers generated by this factory should skip looking up the
    // canonical DNS name of the the host that they are authenticating to when
    // generating the SPN. The default value is false.
    bool disable_cname_lookup() const { return disable_cname_lookup_; }
    void set_disable_cname_lookup(bool disable_cname_lookup) {
      disable_cname_lookup_ = disable_cname_lookup;
    }

    // |use_port()| and |set_use_port()| get/set whether the auth handlers
    // generated by this factory should include the port number of the server
    // they are authenticating to when constructing a Kerberos SPN. The default
    // value is false.
    bool use_port() const { return use_port_; }
    void set_use_port(bool use_port) { use_port_ = use_port; }

    virtual int CreateAuthHandler(HttpAuth::ChallengeTokenizer* challenge,
                                  HttpAuth::Target target,
                                  const GURL& origin,
                                  CreateReason reason,
                                  int digest_nonce_count,
                                  scoped_refptr<HttpAuthHandler>* handler);

#if defined(OS_WIN)
    // Set the SSPILibrary to use. Typically the only callers which need to
    // use this are unit tests which pass in a mocked-out version of the
    // SSPI library.
    // The caller is responsible for managing the lifetime of |*sspi_library|,
    // and the lifetime must exceed that of this Factory object and all
    // HttpAuthHandler's that this Factory object creates.
    void set_sspi_library(SSPILibrary* sspi_library) {
      sspi_library_ = sspi_library;
    }
#endif  // defined(OS_WIN)
   private:
    bool disable_cname_lookup_;
    bool use_port_;
#if defined(OS_WIN)
    ULONG max_token_length_;
    bool first_creation_;
    bool is_unsupported_;
    SSPILibrary* sspi_library_;
#endif  // defined(OS_WIN)
  };

#if defined(OS_WIN)
  HttpAuthHandlerNegotiate(SSPILibrary* sspi_library, ULONG max_token_length,
                           URLSecurityManager* url_security_manager,
                           bool disable_cname_lookup, bool use_port);
#else
  explicit HttpAuthHandlerNegotiate(URLSecurityManager* url_security_manager);
#endif

  virtual bool NeedsIdentity();

  virtual bool IsFinalRound();

  virtual bool AllowsDefaultCredentials();

  virtual bool NeedsCanonicalName();

  virtual int GenerateAuthToken(const std::wstring& username,
                                const std::wstring& password,
                                const HttpRequestInfo* request,
                                const ProxyInfo* proxy,
                                std::string* auth_token);

  virtual int GenerateDefaultAuthToken(const HttpRequestInfo* request,
                                       const ProxyInfo* proxy,
                                       std::string* auth_token);

  virtual int ResolveCanonicalName(HostResolver* host_resolver,
                                   CompletionCallback* callback,
                                   const BoundNetLog& net_log);

#if defined(OS_WIN)
  // These are public for unit tests
  std::wstring CreateSPN(const AddressList& address_list, const GURL& orign);
  const std::wstring& spn() const { return spn_; }
#endif  // defined(OS_WIN)

 protected:
  virtual bool Init(HttpAuth::ChallengeTokenizer* challenge);

 private:
  ~HttpAuthHandlerNegotiate();

#if defined(OS_WIN)
  void OnResolveCanonicalName(int result);
  HttpAuthSSPI auth_sspi_;
  AddressList address_list_;
  scoped_ptr<SingleRequestHostResolver> single_resolve_;
  CompletionCallback* user_callback_;
  CompletionCallbackImpl<HttpAuthHandlerNegotiate> resolve_cname_callback_;
  bool disable_cname_lookup_;
  bool use_port_;
  std::wstring spn_;
#endif

  URLSecurityManager* url_security_manager_;
};

}  // namespace net

#endif  // NET_HTTP_HTTP_AUTH_HANDLER_NEGOTIATE_H_