Use HttpAuthController in SocketStream

net/socket_stream/socket_stream.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // TODO(ukai): code is similar with http_network_transaction.cc.  We should
 //   think about ways to share code, if possible.
 
 #include "net/socket_stream/socket_stream.h"
 
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/auth.h"
 #include "net/base/host_resolver.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/ssl_cert_request_info.h"
-#include "net/http/http_auth_handler_factory.h"
+#include "net/http/http_auth_controller.h"
 #include "net/http/http_network_session.h"
+#include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_stream_factory.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/http/http_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/socks5_client_socket.h"
 #include "net/socket/socks_client_socket.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/tcp_client_socket.h"
@@ skipping 45 matching lines @@
 
 SocketStream::SocketStream(const GURL& url, Delegate* delegate)
     : delegate_(delegate),
       url_(url),
       max_pending_send_allowed_(kMaxPendingSendAllowed),
       context_(NULL),
       next_state_(STATE_NONE),
       host_resolver_(NULL),
       cert_verifier_(NULL),
       server_bound_cert_service_(NULL),
-      http_auth_handler_factory_(NULL),
       factory_(ClientSocketFactory::GetDefaultFactory()),
       proxy_mode_(kDirectConnection),
       proxy_url_(url),
       pac_request_(NULL),
       // Unretained() is required; without it, Bind() creates a circular
       // dependency and the SocketStream object will not be freed.
       ALLOW_THIS_IN_INITIALIZER_LIST(
           io_callback_(base::Bind(&SocketStream::OnIOCompleted,
                                   base::Unretained(this)))),
       read_buf_(NULL),
@@ skipping 47 matching lines @@
           NetLog::SOURCE_SOCKET_STREAM);
 
       net_log_.BeginEvent(NetLog::TYPE_REQUEST_ALIVE);
     }
   }
 
   if (context_) {
     host_resolver_ = context_->host_resolver();
     cert_verifier_ = context_->cert_verifier();
     server_bound_cert_service_ = context_->server_bound_cert_service();
-    http_auth_handler_factory_ = context_->http_auth_handler_factory();
   }
 }
 
 void SocketStream::Connect() {
   DCHECK(MessageLoop::current()) <<
       "The current MessageLoop must exist";
   DCHECK_EQ(MessageLoop::TYPE_IO, MessageLoop::current()->type()) <<
       "The current MessageLoop must be TYPE_IO";
   if (context_) {
     ssl_config_service()->GetSSLConfig(&server_ssl_config_);
@@ skipping 63 matching lines @@
   MessageLoop::current()->PostTask(
       FROM_HERE,
       base::Bind(&SocketStream::DoClose, this));
 }
 
 void SocketStream::RestartWithAuth(const AuthCredentials& credentials) {
   DCHECK(MessageLoop::current()) <<
       "The current MessageLoop must exist";
   DCHECK_EQ(MessageLoop::TYPE_IO, MessageLoop::current()->type()) <<
       "The current MessageLoop must be TYPE_IO";
-  DCHECK(auth_handler_.get());
+  DCHECK(proxy_auth_controller_.get());
   if (!socket_.get()) {
     LOG(ERROR) << "Socket is closed before restarting with auth.";
     return;
   }
 
-  if (auth_identity_.invalid) {
-    // Update the credentials.
-    auth_identity_.source = HttpAuth::IDENT_SRC_EXTERNAL;
-    auth_identity_.invalid = false;
-    auth_identity_.credentials = credentials;
-  }
+  proxy_auth_controller_->ResetAuth(credentials);
 
   MessageLoop::current()->PostTask(
       FROM_HERE,
       base::Bind(&SocketStream::DoRestartWithAuth, this));
 }
 
 void SocketStream::DetachDelegate() {
   if (!delegate_)
     return;
   delegate_ = NULL;
@@ skipping 199 matching lines @@
         break;
       case STATE_RESOLVE_PROTOCOL_COMPLETE:
         result = DoResolveProtocolComplete(result);
         break;
       case STATE_TCP_CONNECT:
         result = DoTcpConnect(result);
         break;
       case STATE_TCP_CONNECT_COMPLETE:
         result = DoTcpConnectComplete(result);
         break;
+      case STATE_GENERATE_PROXY_AUTH_TOKEN:
+        result = DoGenerateProxyAuthToken();
+        break;
+      case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
+        result = DoGenerateProxyAuthTokenComplete(result);
+        break;
       case STATE_WRITE_TUNNEL_HEADERS:
         DCHECK_EQ(OK, result);
         result = DoWriteTunnelHeaders();
         break;
       case STATE_WRITE_TUNNEL_HEADERS_COMPLETE:
         result = DoWriteTunnelHeadersComplete(result);
         break;
       case STATE_READ_TUNNEL_HEADERS:
         DCHECK_EQ(OK, result);
         result = DoReadTunnelHeaders();
@@ skipping 220 matching lines @@
   return socket_->Connect(io_callback_);
 }
 
 int SocketStream::DoTcpConnectComplete(int result) {
   // TODO(ukai): if error occured, reconsider proxy after error.
   if (result != OK) {
     next_state_ = STATE_CLOSE;
     return result;
   }
 
+  if (proxy_mode_ == kTunnelProxy)
+    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
+  else
+    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
+  return result;
+}
+
+int SocketStream::DoGenerateProxyAuthToken() {
+  next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
+  if (!proxy_auth_controller_.get()) {
+    DCHECK(context_);
+    DCHECK(context_->http_transaction_factory());
+    DCHECK(context_->http_transaction_factory()->GetSession());
+    HttpNetworkSession* session =
+        context_->http_transaction_factory()->GetSession();
+    const char* scheme = proxy_info_.is_https() ? "https://" : "http://";
+    GURL auth_url(scheme +
+                  proxy_info_.proxy_server().host_port_pair().ToString());
+    proxy_auth_controller_ =
+        new HttpAuthController(HttpAuth::AUTH_PROXY,
+                               auth_url,
+                               session->http_auth_cache(),
+                               session->http_auth_handler_factory());
+  }
+  HttpRequestInfo request_info;
+  request_info.method = "CONNECT";

[cbentzel, 2012/08/22 20:19:43]

BUG: This isn't sufficient for a digest-authenticating proxy, which includes
information about the path in the auth challenge. They are fairly rare, but they
do exist.

Essentially, part of the text that gets hashed is the HTTP method and the
host-port-pair, which matches the first line in an HTTP request. These are both
determined from request_info.url, which you do not set here. The details of how
the extraction takes place is in HttpAuthHandlerDigest::GetRequestMethodAndPath.

That does look at if the URL scheme is https. It may need to change to look at
the other scheme. I don't believe we can use request_info.method because the
method would typically be "GET", but we happen to be trying to establish a
tunnel at the time so the verb needs to be "CONNECT".

In summary:  you definitely need to fill in request_info.url here, and may need
to change HttpAuthHandlerDigest::GetRequestMethodAndPath.

[bashi, 2012/08/23 09:54:15]

Thanks. I didn't realized the issue. Changed to set request_info.url and
modified HttpAuthHandlerDigest::GetRequestMethodAndPath so that it use CONNECT
when the scheme is ws or wss.

+  request_info.load_flags = 0;
+  request_info.priority = MEDIUM;
+  request_info.request_id = 0;
+  return proxy_auth_controller_->MaybeGenerateAuthToken(
+      &request_info, io_callback_, net_log_);
+}
+
+int SocketStream::DoGenerateProxyAuthTokenComplete(int result) {
+  if (result != OK) {
+    next_state_ = STATE_CLOSE;
+    return result;
+  }
+
   if (proxy_mode_ == kTunnelProxy) {
     if (proxy_info_.is_https())
       next_state_ = STATE_SECURE_PROXY_CONNECT;
     else
       next_state_ = STATE_WRITE_TUNNEL_HEADERS;

[wtc, 2012/08/22 19:42:27]

I think we can simplify state transition by keeping the
structure of the original DoTcpConnectComplete method,
but simply replacing
    next_state_ = STATE_WRITE_TUNNEL_HEADERS;
with
    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
here.  Similarly, any place in the original code where
we do
    next_state_ = STATE_WRITE_TUNNEL_HEADERS;
should be replaced with
    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;

Then, DoGenerateProxyAuthTokenComplete() just needs
to transition to
    next_state_ = STATE_WRITE_TUNNEL_HEADERS;
on success.

You don't need to make this change if I didn't describe it
clearly.  I will try it if I have time.

[bashi, 2012/08/23 09:54:15]

Thank you so much for detailed suggestion. I followed your way:)

   } else if (proxy_mode_ == kSOCKSProxy) {
     next_state_ = STATE_SOCKS_CONNECT;
   } else if (is_secure()) {
     next_state_ = STATE_SSL_CONNECT;
   } else {
     result = DidEstablishConnection();
   }
   return result;
 }
 
 int SocketStream::DoWriteTunnelHeaders() {
   DCHECK_EQ(kTunnelProxy, proxy_mode_);
 
   next_state_ = STATE_WRITE_TUNNEL_HEADERS_COMPLETE;
 
   if (!tunnel_request_headers_.get()) {
     metrics_->OnCountConnectionType(SocketStreamMetrics::TUNNEL_CONNECTION);
     tunnel_request_headers_ = new RequestHeaders();
     tunnel_request_headers_bytes_sent_ = 0;
   }
   if (tunnel_request_headers_->headers_.empty()) {
-    std::string authorization_headers;
-
-    if (!auth_handler_.get()) {
-      // Do preemptive authentication.
-      HttpAuthCache::Entry* entry = auth_cache_.LookupByPath(
-          ProxyAuthOrigin(), std::string());
-      if (entry) {
-        scoped_ptr<HttpAuthHandler> handler_preemptive;
-        int rv_create = http_auth_handler_factory_->
-            CreatePreemptiveAuthHandlerFromString(
-                entry->auth_challenge(), HttpAuth::AUTH_PROXY,
-                ProxyAuthOrigin(), entry->IncrementNonceCount(),
-                net_log_, &handler_preemptive);
-        if (rv_create == OK) {
-          auth_identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP;
-          auth_identity_.invalid = false;
-          auth_identity_.credentials = AuthCredentials();
-          auth_handler_.swap(handler_preemptive);
-        }
-      }
-    }
-
-    // Support basic authentication scheme only, because we don't have
-    // HttpRequestInfo.
-    // TODO(ukai): Add support other authentication scheme.
-    if (auth_handler_.get() &&
-        auth_handler_->auth_scheme() == HttpAuth::AUTH_SCHEME_BASIC) {
-      HttpRequestInfo request_info;
-      std::string auth_token;
-      int rv = auth_handler_->GenerateAuthToken(
-          &auth_identity_.credentials,
-          &request_info,
-          CompletionCallback(),
-          &auth_token);
-      // TODO(cbentzel): Support async auth handlers.
-      DCHECK_NE(ERR_IO_PENDING, rv);
-      if (rv != OK)
-        return rv;
-      authorization_headers.append(
-          HttpAuth::GetAuthorizationHeaderName(HttpAuth::AUTH_PROXY) +
-          ": " + auth_token + "\r\n");
-    }
-
+    HttpRequestHeaders request_headers;
+    request_headers.SetHeader("Host", GetHostAndOptionalPort(url_));
+    request_headers.SetHeader("Proxy-Connection", "keep-alive");
+    if (proxy_auth_controller_.get() && proxy_auth_controller_->HaveAuth())
+      proxy_auth_controller_->AddAuthorizationHeader(&request_headers);
     tunnel_request_headers_->headers_ = base::StringPrintf(
         "CONNECT %s HTTP/1.1\r\n"
-        "Host: %s\r\n"
-        "Proxy-Connection: keep-alive\r\n",
+        "%s",
         GetHostAndPort(url_).c_str(),
-        GetHostAndOptionalPort(url_).c_str());
-    if (!authorization_headers.empty())
-      tunnel_request_headers_->headers_ += authorization_headers;
-    tunnel_request_headers_->headers_ += "\r\n";
+        request_headers.ToString().c_str());
   }
   tunnel_request_headers_->SetDataOffset(tunnel_request_headers_bytes_sent_);
   int buf_len = static_cast<int>(tunnel_request_headers_->headers_.size() -
                                  tunnel_request_headers_bytes_sent_);
   DCHECK_GT(buf_len, 0);
   return socket_->Write(tunnel_request_headers_, buf_len, io_callback_);
 }
 
 int SocketStream::DoWriteTunnelHeadersComplete(int result) {
   DCHECK_EQ(kTunnelProxy, proxy_mode_);
@@ skipping 86 matching lines @@
           next_state_ = STATE_CLOSE;
           return result;
         }
         if ((eoh < tunnel_response_headers_len_) && delegate_)
           delegate_->OnReceivedData(
               this, tunnel_response_headers_->headers() + eoh,
               tunnel_response_headers_len_ - eoh);
       }
       return OK;
     case 407:  // Proxy Authentication Required.
-      result = HandleAuthChallenge(headers.get());
-      if (result == ERR_PROXY_AUTH_UNSUPPORTED &&
-          auth_handler_.get() && delegate_) {
+      if (proxy_mode_ != kTunnelProxy)
+        return ERR_UNEXPECTED_PROXY_AUTH;
+
+      result = proxy_auth_controller_->HandleAuthChallenge(
+          headers, false, true, net_log_);
+      if (result == OK && delegate_) {
         DCHECK(!proxy_info_.is_empty());
-        auth_info_ = new AuthChallengeInfo;
-        auth_info_->is_proxy = true;
-        auth_info_->challenger = proxy_info_.proxy_server().host_port_pair();
-        auth_info_->scheme = HttpAuth::SchemeToString(
-            auth_handler_->auth_scheme());
-        auth_info_->realm = auth_handler_->realm();
         // Wait until RestartWithAuth or Close is called.
         MessageLoop::current()->PostTask(
             FROM_HERE,
             base::Bind(&SocketStream::DoAuthRequired, this));
         next_state_ = STATE_AUTH_REQUIRED;
         return ERR_IO_PENDING;
       }
+      break;
     default:
       break;
   }
   next_state_ = STATE_CLOSE;
   return ERR_TUNNEL_CONNECTION_FAILED;
 }
 
 int SocketStream::DoSOCKSConnect() {
   DCHECK_EQ(kSOCKSProxy, proxy_mode_);
 
@@ skipping 208 matching lines @@
   // We arrived here when both operation is pending.
   return ERR_IO_PENDING;
 }
 
 GURL SocketStream::ProxyAuthOrigin() const {
   DCHECK(!proxy_info_.is_empty());
   return GURL("http://" +
               proxy_info_.proxy_server().host_port_pair().ToString());
 }
 
-int SocketStream::HandleAuthChallenge(const HttpResponseHeaders* headers) {
-  GURL auth_origin(ProxyAuthOrigin());
-
-  VLOG(1) << "The proxy " << auth_origin << " requested auth";
-
-  // TODO(cbentzel): Since SocketStream only suppports basic authentication
-  // right now, another challenge is always treated as a rejection.
-  // Ultimately this should be converted to use HttpAuthController like the
-  // HttpNetworkTransaction has.
-  if (auth_handler_.get() && !auth_identity_.invalid) {
-    if (auth_identity_.source != HttpAuth::IDENT_SRC_PATH_LOOKUP)
-      auth_cache_.Remove(auth_origin,
-                         auth_handler_->realm(),
-                         auth_handler_->auth_scheme(),
-                         auth_identity_.credentials);
-    auth_handler_.reset();
-    auth_identity_ = HttpAuth::Identity();
-  }
-
-  auth_identity_.invalid = true;
-  std::set<HttpAuth::Scheme> disabled_schemes;
-  HttpAuth::ChooseBestChallenge(http_auth_handler_factory_, headers,
-                                HttpAuth::AUTH_PROXY,
-                                auth_origin, disabled_schemes,
-                                net_log_, &auth_handler_);
-  if (!auth_handler_.get()) {
-    LOG(ERROR) << "Can't perform auth to the proxy " << auth_origin;
-    return ERR_TUNNEL_CONNECTION_FAILED;
-  }
-  if (auth_handler_->NeedsIdentity()) {
-    // We only support basic authentication scheme now.
-    // TODO(ukai): Support other authentication scheme.
-    HttpAuthCache::Entry* entry = auth_cache_.Lookup(
-        auth_origin, auth_handler_->realm(), HttpAuth::AUTH_SCHEME_BASIC);
-    if (entry) {
-      auth_identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
-      auth_identity_.invalid = false;
-      auth_identity_.credentials = AuthCredentials();
-      // Restart with auth info.
-    }
-    return ERR_PROXY_AUTH_UNSUPPORTED;
-  } else {
-    auth_identity_.invalid = false;
-  }
-  return ERR_TUNNEL_CONNECTION_FAILED;
-}
-
 int SocketStream::HandleCertificateRequest(int result, SSLConfig* ssl_config) {
   if (ssl_config->send_client_cert)
     // We already have performed SSL client authentication once and failed.
     return result;
 
   DCHECK(socket_.get());
   scoped_refptr<SSLCertRequestInfo> cert_request_info = new SSLCertRequestInfo;
   SSLClientSocket* ssl_socket =
       static_cast<SSLClientSocket*>(socket_.get());
   ssl_socket->GetSSLCertRequestInfo(cert_request_info);
@@ skipping 60 matching lines @@
   bad_cert.cert_status = ssl_info.cert_status;
   ssl_config->allowed_bad_certs.push_back(bad_cert);
   // Restart connection ignoring the bad certificate.
   socket_->Disconnect();
   socket_.reset();
   next_state_ = STATE_TCP_CONNECT;
   return OK;
 }
 
 void SocketStream::DoAuthRequired() {
-  if (delegate_ && auth_info_.get())
-    delegate_->OnAuthRequired(this, auth_info_.get());
+  if (delegate_ && proxy_auth_controller_.get())
+    delegate_->OnAuthRequired(this, proxy_auth_controller_->auth_info().get());
   else
     DoLoop(ERR_UNEXPECTED);
 }
 
 void SocketStream::DoRestartWithAuth() {
   DCHECK_EQ(next_state_, STATE_AUTH_REQUIRED);
-  auth_cache_.Add(ProxyAuthOrigin(),
-                  auth_handler_->realm(),
-                  auth_handler_->auth_scheme(),
-                  auth_handler_->challenge(),
-                  auth_identity_.credentials,
-                  std::string());
-
   tunnel_request_headers_ = NULL;
   tunnel_request_headers_bytes_sent_ = 0;
   tunnel_response_headers_ = NULL;
   tunnel_response_headers_capacity_ = 0;
   tunnel_response_headers_len_ = 0;
 
   next_state_ = STATE_TCP_CONNECT;
   DoLoop(OK);
 }
 
@@ skipping 27 matching lines @@
 
 SSLConfigService* SocketStream::ssl_config_service() const {
   return context_->ssl_config_service();
 }
 
 ProxyService* SocketStream::proxy_service() const {
   return context_->proxy_service();
 }
 
 }  // namespace net