1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/http/http_auth_handler_negotiate.h"
#include "base/logging.h"
#include "net/base/net_errors.h"
#include "net/http/http_auth_filter.h"
namespace net {
HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(SSPILibrary* library,
ULONG max_token_length)
: auth_sspi_(library, "Negotiate", NEGOSSP_NAME, max_token_length) {
}
HttpAuthHandlerNegotiate::~HttpAuthHandlerNegotiate() {
}
int HttpAuthHandlerNegotiate::GenerateAuthToken(
const std::wstring& username,
const std::wstring& password,
const HttpRequestInfo* request,
const ProxyInfo* proxy,
std::string* auth_token) {
return auth_sspi_.GenerateAuthToken(
&username,
&password,
origin_,
request,
proxy,
auth_token);
}
// The Negotiate challenge header looks like:
// WWW-Authenticate: NEGOTIATE auth-data
bool HttpAuthHandlerNegotiate::Init(HttpAuth::ChallengeTokenizer* challenge) {
scheme_ = "negotiate";
score_ = 4;
properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
return auth_sspi_.ParseChallenge(challenge);
}
// Require identity on first pass instead of second.
bool HttpAuthHandlerNegotiate::NeedsIdentity() {
return auth_sspi_.NeedsIdentity();
}
bool HttpAuthHandlerNegotiate::IsFinalRound() {
return auth_sspi_.IsFinalRound();
}
bool HttpAuthHandlerNegotiate::AllowDefaultCredentials() {
// NOTE: Temporarily disabled. SSO is a potential security risk.
// TODO(cbentzel): Add a pointer to Firefox documentation about risk.
// TODO(cbentzel): Add a blanket command line flag to enable/disable?
// TODO(cbentzel): Add a whitelist regexp command line flag?
// TODO(cbentzel): Resolve the origin_ (helpful if doing already) and see if
// it is in private IP space?
// TODO(cbentzel): Compare origin_ to this machine's hostname and allow if
// it matches at least two or three layers deep?
return false;
}
int HttpAuthHandlerNegotiate::GenerateDefaultAuthToken(
const HttpRequestInfo* request,
const ProxyInfo* proxy,
std::string* auth_token) {
return auth_sspi_.GenerateAuthToken(
NULL, // username
NULL, // password
origin_,
request,
proxy,
auth_token);
}
HttpAuthHandlerNegotiate::Factory::Factory()
: max_token_length_(0),
first_creation_(true),
is_unsupported_(false),
sspi_library_(SSPILibrary::GetDefault()) {
}
HttpAuthHandlerNegotiate::Factory::~Factory() {
}
int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
HttpAuth::ChallengeTokenizer* challenge,
HttpAuth::Target target,
const GURL& origin,
scoped_refptr<HttpAuthHandler>* handler) {
if (is_unsupported_)
return ERR_UNSUPPORTED_AUTH_SCHEME;
if (filter() && !filter()->IsValid(origin, target)) {
LOG(INFO) << "URL " << origin
<< "fails filter validation for authentication method "
<< "Negotiate";
return ERR_INVALID_AUTH_CREDENTIALS;
}
if (max_token_length_ == 0) {
int rv = DetermineMaxTokenLength(sspi_library_, NEGOSSP_NAME,
&max_token_length_);
if (rv == ERR_UNSUPPORTED_AUTH_SCHEME)
is_unsupported_ = true;
if (rv != OK)
return rv;
}
// TODO(cbentzel): Move towards model of parsing in the factory
// method and only constructing when valid.
scoped_refptr<HttpAuthHandler> tmp_handler(
new HttpAuthHandlerNegotiate(sspi_library_, max_token_length_));
if (!tmp_handler->InitFromChallenge(challenge, target, origin))
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
return OK;
}
} // namespace net
|
