Use HttpAuthController in SocketStream

net/socket_stream/socket_stream.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // TODO(ukai): code is similar with http_network_transaction.cc.  We should
 //   think about ways to share code, if possible.
 
 #include "net/socket_stream/socket_stream.h"
 
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/auth.h"
 #include "net/base/host_resolver.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/ssl_cert_request_info.h"
+#include "net/http/http_auth_controller.h"
 #include "net/http/http_auth_handler_factory.h"

[cbentzel, 2012/08/15 18:08:01]

http_auth_handler_factory include no longer needed.

[bashi, 2012/08/20 01:35:10]

Done.

 #include "net/http/http_network_session.h"
+#include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_stream_factory.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/http/http_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/socks5_client_socket.h"
 #include "net/socket/socks_client_socket.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/tcp_client_socket.h"
@@ skipping 45 matching lines @@
 
 SocketStream::SocketStream(const GURL& url, Delegate* delegate)
     : delegate_(delegate),
       url_(url),
       max_pending_send_allowed_(kMaxPendingSendAllowed),
       context_(NULL),
       next_state_(STATE_NONE),
       host_resolver_(NULL),
       cert_verifier_(NULL),
       server_bound_cert_service_(NULL),
-      http_auth_handler_factory_(NULL),
       factory_(ClientSocketFactory::GetDefaultFactory()),
       proxy_mode_(kDirectConnection),
       proxy_url_(url),
       pac_request_(NULL),
       // Unretained() is required; without it, Bind() creates a circular
       // dependency and the SocketStream object will not be freed.
       ALLOW_THIS_IN_INITIALIZER_LIST(
           io_callback_(base::Bind(&SocketStream::OnIOCompleted,
                                   base::Unretained(this)))),
       read_buf_(NULL),
@@ skipping 47 matching lines @@
           NetLog::SOURCE_SOCKET_STREAM);
 
       net_log_.BeginEvent(NetLog::TYPE_REQUEST_ALIVE);
     }
   }
 
   if (context_) {
     host_resolver_ = context_->host_resolver();
     cert_verifier_ = context_->cert_verifier();
     server_bound_cert_service_ = context_->server_bound_cert_service();
-    http_auth_handler_factory_ = context_->http_auth_handler_factory();
   }
 }
 
 void SocketStream::Connect() {
   DCHECK(MessageLoop::current()) <<
       "The current MessageLoop must exist";
   DCHECK_EQ(MessageLoop::TYPE_IO, MessageLoop::current()->type()) <<
       "The current MessageLoop must be TYPE_IO";
   if (context_) {
     ssl_config_service()->GetSSLConfig(&server_ssl_config_);
@@ skipping 63 matching lines @@
   MessageLoop::current()->PostTask(
       FROM_HERE,
       base::Bind(&SocketStream::DoClose, this));
 }
 
 void SocketStream::RestartWithAuth(const AuthCredentials& credentials) {
   DCHECK(MessageLoop::current()) <<
       "The current MessageLoop must exist";
   DCHECK_EQ(MessageLoop::TYPE_IO, MessageLoop::current()->type()) <<
       "The current MessageLoop must be TYPE_IO";
-  DCHECK(auth_handler_.get());
+  DCHECK(proxy_auth_controller_.get());
   if (!socket_.get()) {
     LOG(ERROR) << "Socket is closed before restarting with auth.";
     return;
   }
 
-  if (auth_identity_.invalid) {
-    // Update the credentials.
-    auth_identity_.source = HttpAuth::IDENT_SRC_EXTERNAL;
-    auth_identity_.invalid = false;
-    auth_identity_.credentials = credentials;
-  }
+  proxy_auth_controller_->ResetAuth(credentials);
 
   MessageLoop::current()->PostTask(
       FROM_HERE,
       base::Bind(&SocketStream::DoRestartWithAuth, this));
 }
 
 void SocketStream::DetachDelegate() {
   if (!delegate_)
     return;
   delegate_ = NULL;
@@ skipping 199 matching lines @@
         break;
       case STATE_RESOLVE_PROTOCOL_COMPLETE:
         result = DoResolveProtocolComplete(result);
         break;
       case STATE_TCP_CONNECT:
         result = DoTcpConnect(result);
         break;
       case STATE_TCP_CONNECT_COMPLETE:
         result = DoTcpConnectComplete(result);
         break;
+      case STATE_GENERATE_PROXY_AUTH_TOKEN:
+        result = DoGenerateProxyAuthToken();
+        break;
+      case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
+        result = DoGenerateProxyAuthTokenComplete(result);
+        break;
       case STATE_WRITE_TUNNEL_HEADERS:
         DCHECK_EQ(OK, result);
         result = DoWriteTunnelHeaders();
         break;
       case STATE_WRITE_TUNNEL_HEADERS_COMPLETE:
         result = DoWriteTunnelHeadersComplete(result);
         break;
       case STATE_READ_TUNNEL_HEADERS:
         DCHECK_EQ(OK, result);
         result = DoReadTunnelHeaders();
@@ skipping 113 matching lines @@
     LOG(ERROR) << "Failed to resolve proxy: " << result;
     if (delegate_)
       delegate_->OnError(this, result);
     proxy_info_.UseDirect();
   }
   if (proxy_info_.is_direct()) {
     // If proxy was not found for original URL (i.e. websocket URL),
     // try again with https URL, like Safari implementation.
     // Note that we don't want to use http proxy, because we'll use tunnel
     // proxy using CONNECT method, which is used by https proxy.
     if (!proxy_url_.SchemeIs("https")) {

[cbentzel, 2012/08/15 18:08:01]

Not part of this CL - but do you only want to do this if the scheme is wss? 

If the scheme is ws, should you fall back to http when doing proxy evaluation?

[bashi, 2012/08/20 01:35:10]

I'm not familiar with the logic, but according to the git log and above comment,
we would want to use https proxy (if exists) even if the scheme is ws. WebSocket
always uses CONNECT method.

[cbentzel, 2012/08/20 11:23:01]

What is going on here is if you fail to find a proxy using the ws or wss
schemes, try to find one using the https scheme. The resulting proxy may be
DIRECT, or may be an http, https, or even SOCKS proxy.

It's a bit of a hack in my opinion, but probably needed to deal with PAC scripts
which haven't added support for ws and wss URLs.

[bashi, 2012/08/22 08:36:44]

Sorry for lack of explanation. I should have said that CONNECT is used when we
use a proxy. If the proxy rejects CONNECT request, we drop the connection and I
think it's reasonable.

       const std::string scheme = "https";
       GURL::Replacements repl;
       repl.SetSchemeStr(scheme);
       proxy_url_ = url_.ReplaceComponents(repl);
       DVLOG(1) << "Try https proxy: " << proxy_url_;
       next_state_ = STATE_RESOLVE_PROXY;
       return OK;
     }
   }
 
@@ skipping 79 matching lines @@
   }
   next_state_ = STATE_TCP_CONNECT_COMPLETE;
   DCHECK(factory_);
   socket_.reset(factory_->CreateTransportClientSocket(addresses_,
                                                       net_log_.net_log(),
                                                       net_log_.source()));
   metrics_->OnStartConnection();
   return socket_->Connect(io_callback_);
 }
 
+bool SocketStream::ShouldApplyProxyAuth() const {
+  // The same logic as HttpNetworkTransaction::ShouldApplyProxyAuth().
+  return !is_secure() && (proxy_info_.is_http() || proxy_info_.is_https());

[cbentzel, 2012/08/15 18:08:01]

This isn't going to work when tunneling WSS connections over an authenticating
HTTP or HTTPS proxy.

The reason we have the |is_https_request| logic in
HttpNetworkTransaction::ShouldApplyProxyAuth is that the tunneling
authentication logic takes place earlier, during the STATE_CREATE_STREAM. See
net/http/http_stream_factory_impl_job.cc if you are curious.

It looks like there is no equivalent of this for SocketStream - you are
establishing the tunnel directly.

[bashi, 2012/08/20 01:35:10]

Yes. the logic was wrong. Thank you for pointing this out. Updated the logic.

+}
+
 int SocketStream::DoTcpConnectComplete(int result) {
   // TODO(ukai): if error occured, reconsider proxy after error.
   if (result != OK) {
     next_state_ = STATE_CLOSE;
     return result;
   }
 
+  if (ShouldApplyProxyAuth())
+    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
+  else
+    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
+  return result;
+}
+
+int SocketStream::DoGenerateProxyAuthToken() {
+  next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
+  if (!proxy_auth_controller_.get()) {
+    DCHECK(context_);
+    DCHECK(context_->http_transaction_factory());
+    DCHECK(context_->http_transaction_factory()->GetSession());
+    HttpNetworkSession* session =
+        context_->http_transaction_factory()->GetSession();
+    const char* scheme = proxy_info_.is_https() ? "https://" : "http://";

[cbentzel, 2012/08/15 18:08:01]

Perhaps share with HttpNetworkTransaction::AuthURL?

[bashi, 2012/08/20 01:35:10]

I'd like to keep this because:
- SocketStream only needs proxy auth at this time
- SocketStream will eventually be removed

+    GURL auth_url(scheme +
+                  proxy_info_.proxy_server().host_port_pair().ToString());
+    proxy_auth_controller_ =
+        new HttpAuthController(HttpAuth::AUTH_PROXY,
+                               auth_url,
+                               session->http_auth_cache(),
+                               session->http_auth_handler_factory());
+  }
+  HttpRequestInfo request_info;
+  request_info.method = "GET";
+  request_info.load_flags = 0;
+  request_info.priority = MEDIUM;
+  request_info.request_id = 0;
+  return proxy_auth_controller_->MaybeGenerateAuthToken(
+      &request_info, io_callback_, net_log_);
+}
+
+int SocketStream::DoGenerateProxyAuthTokenComplete(int result) {
+  if (result != OK) {
+    next_state_ = STATE_CLOSE;
+    return result;
+  }
+
   if (proxy_mode_ == kTunnelProxy) {
     if (proxy_info_.is_https())
       next_state_ = STATE_SECURE_PROXY_CONNECT;
     else
       next_state_ = STATE_WRITE_TUNNEL_HEADERS;
   } else if (proxy_mode_ == kSOCKSProxy) {
     next_state_ = STATE_SOCKS_CONNECT;
   } else if (is_secure()) {
     next_state_ = STATE_SSL_CONNECT;
   } else {
     result = DidEstablishConnection();
   }
   return result;
 }
 
 int SocketStream::DoWriteTunnelHeaders() {
   DCHECK_EQ(kTunnelProxy, proxy_mode_);
 
   next_state_ = STATE_WRITE_TUNNEL_HEADERS_COMPLETE;
 
   if (!tunnel_request_headers_.get()) {
     metrics_->OnCountConnectionType(SocketStreamMetrics::TUNNEL_CONNECTION);
     tunnel_request_headers_ = new RequestHeaders();
     tunnel_request_headers_bytes_sent_ = 0;
   }
   if (tunnel_request_headers_->headers_.empty()) {
-    std::string authorization_headers;
-
-    if (!auth_handler_.get()) {
-      // Do preemptive authentication.
-      HttpAuthCache::Entry* entry = auth_cache_.LookupByPath(
-          ProxyAuthOrigin(), std::string());
-      if (entry) {
-        scoped_ptr<HttpAuthHandler> handler_preemptive;
-        int rv_create = http_auth_handler_factory_->
-            CreatePreemptiveAuthHandlerFromString(
-                entry->auth_challenge(), HttpAuth::AUTH_PROXY,
-                ProxyAuthOrigin(), entry->IncrementNonceCount(),
-                net_log_, &handler_preemptive);
-        if (rv_create == OK) {
-          auth_identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP;
-          auth_identity_.invalid = false;
-          auth_identity_.credentials = AuthCredentials();
-          auth_handler_.swap(handler_preemptive);
-        }
-      }
-    }
-
-    // Support basic authentication scheme only, because we don't have
-    // HttpRequestInfo.
-    // TODO(ukai): Add support other authentication scheme.
-    if (auth_handler_.get() &&
-        auth_handler_->auth_scheme() == HttpAuth::AUTH_SCHEME_BASIC) {
-      HttpRequestInfo request_info;
-      std::string auth_token;
-      int rv = auth_handler_->GenerateAuthToken(
-          &auth_identity_.credentials,
-          &request_info,
-          CompletionCallback(),
-          &auth_token);
-      // TODO(cbentzel): Support async auth handlers.
-      DCHECK_NE(ERR_IO_PENDING, rv);
-      if (rv != OK)
-        return rv;
-      authorization_headers.append(
-          HttpAuth::GetAuthorizationHeaderName(HttpAuth::AUTH_PROXY) +
-          ": " + auth_token + "\r\n");
-    }
-
+    HttpRequestHeaders request_headers;
+    request_headers.SetHeader("Host", GetHostAndOptionalPort(url_));
+    request_headers.SetHeader("Proxy-Connection", "keep-alive");
+    if (proxy_auth_controller_.get() && proxy_auth_controller_->HaveAuth())
+      proxy_auth_controller_->AddAuthorizationHeader(&request_headers);
     tunnel_request_headers_->headers_ = base::StringPrintf(
         "CONNECT %s HTTP/1.1\r\n"
-        "Host: %s\r\n"
-        "Proxy-Connection: keep-alive\r\n",
+        "%s",
         GetHostAndPort(url_).c_str(),
-        GetHostAndOptionalPort(url_).c_str());
-    if (!authorization_headers.empty())
-      tunnel_request_headers_->headers_ += authorization_headers;
-    tunnel_request_headers_->headers_ += "\r\n";
+        request_headers.ToString().c_str());
   }
   tunnel_request_headers_->SetDataOffset(tunnel_request_headers_bytes_sent_);
   int buf_len = static_cast<int>(tunnel_request_headers_->headers_.size() -
                                  tunnel_request_headers_bytes_sent_);
   DCHECK_GT(buf_len, 0);
   return socket_->Write(tunnel_request_headers_, buf_len, io_callback_);
 }
 
 int SocketStream::DoWriteTunnelHeadersComplete(int result) {
   DCHECK_EQ(kTunnelProxy, proxy_mode_);
@@ skipping 86 matching lines @@
           next_state_ = STATE_CLOSE;
           return result;
         }
         if ((eoh < tunnel_response_headers_len_) && delegate_)
           delegate_->OnReceivedData(
               this, tunnel_response_headers_->headers() + eoh,
               tunnel_response_headers_len_ - eoh);
       }
       return OK;
     case 407:  // Proxy Authentication Required.
-      result = HandleAuthChallenge(headers.get());
-      if (result == ERR_PROXY_AUTH_UNSUPPORTED &&
-          auth_handler_.get() && delegate_) {
+      if (!proxy_auth_controller_.get() || proxy_mode_ != kTunnelProxy ||
+          proxy_info_.is_direct()) {
+        return ERR_UNEXPECTED_PROXY_AUTH;
+      }
+      result = proxy_auth_controller_->HandleAuthChallenge(
+          headers, false, true, net_log_);
+      if (result == OK && delegate_) {
         DCHECK(!proxy_info_.is_empty());
-        auth_info_ = new AuthChallengeInfo;
-        auth_info_->is_proxy = true;
-        auth_info_->challenger = proxy_info_.proxy_server().host_port_pair();
-        auth_info_->scheme = HttpAuth::SchemeToString(
-            auth_handler_->auth_scheme());
-        auth_info_->realm = auth_handler_->realm();
         // Wait until RestartWithAuth or Close is called.
         MessageLoop::current()->PostTask(
             FROM_HERE,
             base::Bind(&SocketStream::DoAuthRequired, this));
         next_state_ = STATE_AUTH_REQUIRED;
         return ERR_IO_PENDING;
       }
+      break;
     default:
       break;
   }
   next_state_ = STATE_CLOSE;
   return ERR_TUNNEL_CONNECTION_FAILED;
 }
 
 int SocketStream::DoSOCKSConnect() {
   DCHECK_EQ(kSOCKSProxy, proxy_mode_);
 
@@ skipping 208 matching lines @@
   // We arrived here when both operation is pending.
   return ERR_IO_PENDING;
 }
 
 GURL SocketStream::ProxyAuthOrigin() const {
   DCHECK(!proxy_info_.is_empty());
   return GURL("http://" +
               proxy_info_.proxy_server().host_port_pair().ToString());
 }
 
-int SocketStream::HandleAuthChallenge(const HttpResponseHeaders* headers) {
-  GURL auth_origin(ProxyAuthOrigin());
-
-  VLOG(1) << "The proxy " << auth_origin << " requested auth";
-
-  // TODO(cbentzel): Since SocketStream only suppports basic authentication
-  // right now, another challenge is always treated as a rejection.
-  // Ultimately this should be converted to use HttpAuthController like the
-  // HttpNetworkTransaction has.
-  if (auth_handler_.get() && !auth_identity_.invalid) {
-    if (auth_identity_.source != HttpAuth::IDENT_SRC_PATH_LOOKUP)
-      auth_cache_.Remove(auth_origin,
-                         auth_handler_->realm(),
-                         auth_handler_->auth_scheme(),
-                         auth_identity_.credentials);
-    auth_handler_.reset();
-    auth_identity_ = HttpAuth::Identity();
-  }
-
-  auth_identity_.invalid = true;
-  std::set<HttpAuth::Scheme> disabled_schemes;
-  HttpAuth::ChooseBestChallenge(http_auth_handler_factory_, headers,
-                                HttpAuth::AUTH_PROXY,
-                                auth_origin, disabled_schemes,
-                                net_log_, &auth_handler_);
-  if (!auth_handler_.get()) {
-    LOG(ERROR) << "Can't perform auth to the proxy " << auth_origin;
-    return ERR_TUNNEL_CONNECTION_FAILED;
-  }
-  if (auth_handler_->NeedsIdentity()) {
-    // We only support basic authentication scheme now.
-    // TODO(ukai): Support other authentication scheme.
-    HttpAuthCache::Entry* entry = auth_cache_.Lookup(
-        auth_origin, auth_handler_->realm(), HttpAuth::AUTH_SCHEME_BASIC);
-    if (entry) {
-      auth_identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
-      auth_identity_.invalid = false;
-      auth_identity_.credentials = AuthCredentials();
-      // Restart with auth info.
-    }
-    return ERR_PROXY_AUTH_UNSUPPORTED;
-  } else {
-    auth_identity_.invalid = false;
-  }
-  return ERR_TUNNEL_CONNECTION_FAILED;
-}
-
 int SocketStream::HandleCertificateRequest(int result, SSLConfig* ssl_config) {
   if (ssl_config->send_client_cert)
     // We already have performed SSL client authentication once and failed.
     return result;
 
   DCHECK(socket_.get());
   scoped_refptr<SSLCertRequestInfo> cert_request_info = new SSLCertRequestInfo;
   SSLClientSocket* ssl_socket =
       static_cast<SSLClientSocket*>(socket_.get());
   ssl_socket->GetSSLCertRequestInfo(cert_request_info);
@@ skipping 60 matching lines @@
   bad_cert.cert_status = ssl_info.cert_status;
   ssl_config->allowed_bad_certs.push_back(bad_cert);
   // Restart connection ignoring the bad certificate.
   socket_->Disconnect();
   socket_.reset();
   next_state_ = STATE_TCP_CONNECT;
   return OK;
 }
 
 void SocketStream::DoAuthRequired() {
-  if (delegate_ && auth_info_.get())
-    delegate_->OnAuthRequired(this, auth_info_.get());
+  if (delegate_ && proxy_auth_controller_.get())
+    delegate_->OnAuthRequired(this, proxy_auth_controller_->auth_info().get());
   else
     DoLoop(ERR_UNEXPECTED);
 }
 
 void SocketStream::DoRestartWithAuth() {
   DCHECK_EQ(next_state_, STATE_AUTH_REQUIRED);
-  auth_cache_.Add(ProxyAuthOrigin(),
-                  auth_handler_->realm(),
-                  auth_handler_->auth_scheme(),
-                  auth_handler_->challenge(),
-                  auth_identity_.credentials,
-                  std::string());
-
   tunnel_request_headers_ = NULL;
   tunnel_request_headers_bytes_sent_ = 0;
   tunnel_response_headers_ = NULL;
   tunnel_response_headers_capacity_ = 0;
   tunnel_response_headers_len_ = 0;
 
   next_state_ = STATE_TCP_CONNECT;
   DoLoop(OK);
 }
 
@@ skipping 27 matching lines @@
 
 SSLConfigService* SocketStream::ssl_config_service() const {
   return context_->ssl_config_service();
 }
 
 ProxyService* SocketStream::proxy_service() const {
   return context_->proxy_service();
 }
 
 }  // namespace net