Implement the NTLM authentication scheme by porting...

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/string_util.h"
 #include "base/trace_event.h"
@@ skipping 105 matching lines @@
 }
 
 void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
   DCHECK(HaveAuth(target));
   DCHECK(auth_identity_[target].source != HttpAuth::IDENT_SRC_PATH_LOOKUP);
 
   // Add the auth entry to the cache before restarting. We don't know whether
   // the identity is valid yet, but if it is valid we want other transactions
   // to know about it. If an entry for (origin, handler->realm()) already
   // exists, we update it.
-  session_->auth_cache()->Add(AuthOrigin(target), auth_handler_[target],
-      auth_identity_[target].username, auth_identity_[target].password,
-      AuthPath(target));
+  //
+  // If auth_identity_[target].source is HttpAuth::IDENT_SRC_NONE,
+  // auth_identity_[target] contains no identity because identity is not
+  // required yet.
+  if (auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE) {
+    session_->auth_cache()->Add(AuthOrigin(target), auth_handler_[target],
+        auth_identity_[target].username, auth_identity_[target].password,
+        AuthPath(target));
+  }
 
   bool keep_alive = false;
   if (response_.headers->IsKeepAlive()) {
     // If there is a response body of known length, we need to drain it first.
     if (content_length_ > 0 || chunked_decoder_.get()) {
       next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
       read_buf_ = new IOBuffer(kDrainBodyBufferSize);  // A bit bucket
       read_buf_len_ = kDrainBodyBufferSize;
       return;
     }
@@ skipping 1116 matching lines @@
     return false;
 
   // SelectPreemptiveAuth() is on the critical path for each request, so it
   // is expected to be fast. LookupByPath() is fast in the common case, since
   // the number of http auth cache entries is expected to be very small.
   // (For most users in fact, it will be 0.)
 
   HttpAuthCache::Entry* entry = session_->auth_cache()->LookupByPath(
       AuthOrigin(target), AuthPath(target));
 
-  if (entry) {
+  // We don't support preemptive authentication for connection-based
+  // authentication schemes because they can't reuse entry->handler().
+  // Hopefully we can remove this limitation in the future.
+  if (entry && !entry->handler()->is_connection_based()) {
     auth_identity_[target].source = HttpAuth::IDENT_SRC_PATH_LOOKUP;
     auth_identity_[target].invalid = false;
     auth_identity_[target].username = entry->username();
     auth_identity_[target].password = entry->password();
     auth_handler_[target] = entry->handler();
     return true;
   }
   return false;
 }
 
@@ skipping 56 matching lines @@
   int status = response_.headers->response_code();
   if (status != 401 && status != 407)
     return OK;
   HttpAuth::Target target = status == 407 ?
       HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
 
   if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
     return ERR_UNEXPECTED_PROXY_AUTH;
 
   // The auth we tried just failed, hence it can't be valid. Remove it from
-  // the cache so it won't be used again.
-  if (HaveAuth(target))
+  // the cache so it won't be used again, unless it's a null identity.
+  if (HaveAuth(target) &&
+      auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE)
     InvalidateRejectedAuthFromCache(target);
 
   auth_identity_[target].invalid = true;
 
   // Find the best authentication challenge that we support.
   HttpAuth::ChooseBestChallenge(response_.headers.get(),
                                 target,
                                 &auth_handler_[target]);
 
   if (!auth_handler_[target]) {
     if (establishing_tunnel_) {
       // We are establishing a tunnel, we can't show the error page because an
       // active network attacker could control its contents.  Instead, we just
       // fail to establish the tunnel.
       return ERR_PROXY_AUTH_REQUESTED;
     }
     // We found no supported challenge -- let the transaction continue
     // so we end up displaying the error page.
     return OK;
   }
 
-  // Pick a new auth identity to try, by looking to the URL and auth cache.
-  // If an identity to try is found, it is saved to auth_identity_[target].
-  bool has_identity_to_try = SelectNextAuthIdentityToTry(target);
+  bool has_identity_to_try;
+  if (auth_handler_[target]->NeedsIdentity()) {
+    // Pick a new auth identity to try, by looking to the URL and auth cache.
+    // If an identity to try is found, it is saved to auth_identity_[target].
+    has_identity_to_try = SelectNextAuthIdentityToTry(target);
+  } else {
+    // Proceed with a null identity.
+    //
+    // TODO(wtc): Add a safeguard against infinite transaction restarts, if
+    // the server keeps returning "NTLM".
+    auth_identity_[target].source = HttpAuth::IDENT_SRC_NONE;
+    auth_identity_[target].invalid = false;
+    auth_identity_[target].username.clear();
+    auth_identity_[target].password.clear();
+    has_identity_to_try = true;
+  }
   DCHECK(has_identity_to_try == !auth_identity_[target].invalid);
 
   if (has_identity_to_try) {
     DCHECK(user_callback_);
     PrepareForAuthRestart(target);
     return WILL_RESTART_TRANSACTION;
   }
 
   // We have exhausted all identity possibilities, all we can do now is
   // pass the challenge information back to the client.
@@ skipping 13 matching lines @@
   if (target == HttpAuth::AUTH_PROXY) {
     auth_info->host = ASCIIToWide(proxy_info_.proxy_server().host_and_port());
   } else {
     DCHECK(target == HttpAuth::AUTH_SERVER);
     auth_info->host = ASCIIToWide(request_->url.host());
   }
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net