Log an INFO message whenever we receive an auth challenge....

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/string_util.h"
@@ skipping 148 matching lines @@
     // response_body_length_ is -1 and we're not using chunked encoding. We
     // don't know the length of the response body, so we can't reuse this
     // connection even though the server says it's keep-alive.
   }
 
   // If the auth scheme is connection-based but the proxy/server mistakenly
   // marks the connection as not keep-alive, the auth is going to fail, so log
   // an error message.
   if (!keep_alive && auth_handler_[target]->is_connection_based() &&
       auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE) {
-    std::string auth_target(target == HttpAuth::AUTH_PROXY ?
-                            "proxy" : "server");
     LOG(ERROR) << "Can't perform " << auth_handler_[target]->scheme()
-               << " auth to the " << auth_target << " "
-               << AuthOrigin(target).spec()
-               << " over a non-keep-alive connection";
+               << " auth to the " << AuthTargetString(target) << " "
+               << AuthOrigin(target) << " over a non-keep-alive connection";
 
     HttpVersion http_version = response_.headers->GetHttpVersion();
     LOG(ERROR) << "  HTTP version is " << http_version.major_value() << "."
                << http_version.minor_value();
 
-    std::string connection_val;
+    std::string header_val;
     void* iter = NULL;
     while (response_.headers->EnumerateHeader(&iter, "connection",
-                                              &connection_val)) {
-      LOG(ERROR) << "  Has header Connection: " << connection_val;
+                                              &header_val)) {
+      LOG(ERROR) << "  Has header Connection: " << header_val;
     }
 
     iter = NULL;
     while (response_.headers->EnumerateHeader(&iter, "proxy-connection",
-                                              &connection_val)) {
-      LOG(ERROR) << "  Has header Proxy-Connection: " << connection_val;
+                                              &header_val)) {
+      LOG(ERROR) << "  Has header Proxy-Connection: " << header_val;
+    }
+
+    // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
+    // authentication with a "Proxy-Support: Session-Based-Authentication"
+    // response header.
+    iter = NULL;
+    while (response_.headers->EnumerateHeader(&iter, "proxy-support",
+                                              &header_val)) {
+      LOG(ERROR) << "  Has header Proxy-Support: " << header_val;
     }
   }
 
   // We don't need to drain the response body, so we act as if we had drained
   // the response body.
   DidDrainBodyForAuthRestart(keep_alive);
 }
 
 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
   if (keep_alive) {
@@ skipping 1174 matching lines @@
 }
 
 std::string HttpNetworkTransaction::AuthPath(HttpAuth::Target target)
     const {
   // Proxy authentication realms apply to all paths. So we will use
   // empty string in place of an absolute path.
   return target == HttpAuth::AUTH_PROXY ?
       std::string() : request_->url.path();
 }
 
+// static
+std::string HttpNetworkTransaction::AuthTargetString(
+    HttpAuth::Target target) {
+  return target == HttpAuth::AUTH_PROXY ? "proxy" : "server";
+}
+
 void HttpNetworkTransaction::InvalidateRejectedAuthFromCache(
     HttpAuth::Target target) {
   DCHECK(HaveAuth(target));
 
   // TODO(eroman): this short-circuit can be relaxed. If the realm of
   // the preemptively used auth entry matches the realm of the subsequent
   // challenge, then we can invalidate the preemptively used entry.
   // Otherwise as-is we may send the failed credentials one extra time.
   if (auth_identity_[target].source == HttpAuth::IDENT_SRC_PATH_LOOKUP)
     return;
@@ skipping 83 matching lines @@
 
     auth_identity_[target].source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
     auth_identity_[target].invalid = false;
     auth_identity_[target].username = entry->username();
     auth_identity_[target].password = entry->password();
     return true;
   }
   return false;
 }
 
+std::string HttpNetworkTransaction::AuthChallengeLogMessage() const {
+  std::string msg;
+  std::string header_val;
+  void* iter = NULL;
+  while (response_.headers->EnumerateHeader(&iter, "proxy-authenticate",
+                                            &header_val)) {
+    msg.append("\n  Has header Proxy-Authenticate: ");
+    msg.append(header_val);
+  }
+
+  iter = NULL;
+  while (response_.headers->EnumerateHeader(&iter, "www-authenticate",
+                                            &header_val)) {
+    msg.append("\n  Has header WWW-Authenticate: ");
+    msg.append(header_val);
+  }
+
+  // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
+  // authentication with a "Proxy-Support: Session-Based-Authentication"
+  // response header.
+  iter = NULL;
+  while (response_.headers->EnumerateHeader(&iter, "proxy-support",
+                                            &header_val)) {
+    msg.append("\n  Has header Proxy-Support: ");
+    msg.append(header_val);
+  }
+
+  return msg;
+}
+
 int HttpNetworkTransaction::HandleAuthChallenge() {
   DCHECK(response_.headers);
 
   int status = response_.headers->response_code();
   if (status != 401 && status != 407)
     return OK;
   HttpAuth::Target target = status == 407 ?
       HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
 
+  LOG(INFO) << "The " << AuthTargetString(target) << " "
+            << AuthOrigin(target) << " requested auth"
+            << AuthChallengeLogMessage();
+
   if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
     return ERR_UNEXPECTED_PROXY_AUTH;
 
   // The auth we tried just failed, hence it can't be valid. Remove it from
   // the cache so it won't be used again, unless it's a null identity.
   if (HaveAuth(target) &&
       auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE)
     InvalidateRejectedAuthFromCache(target);
 
   auth_identity_[target].invalid = true;
 
   // Find the best authentication challenge that we support.
   HttpAuth::ChooseBestChallenge(response_.headers.get(),
                                 target,
                                 &auth_handler_[target]);
 
   if (!auth_handler_[target]) {
     if (establishing_tunnel_) {
-      // Log an error message to help debug http://crbug.com/8771.
-      std::string auth_target(target == HttpAuth::AUTH_PROXY ?
-                              "proxy" : "server");
-      LOG(ERROR) << "Can't perform auth to the " << auth_target << " "
-                 << AuthOrigin(target).spec()
-                 << " when establishing a tunnel";
-
-      std::string challenge;
-      void* iter = NULL;
-      while (response_.headers->EnumerateHeader(&iter, "Proxy-Authenticate",
-                                                &challenge)) {
-        LOG(ERROR) << "  Has header Proxy-Authenticate: " << challenge;
-      }
-
-      iter = NULL;
-      while (response_.headers->EnumerateHeader(&iter, "WWW-Authenticate",
-                                                &challenge)) {
-        LOG(ERROR) << "  Has header WWW-Authenticate: " << challenge;
-      }
+      LOG(ERROR) << "Can't perform auth to the " << AuthTargetString(target)
+                 << " " << AuthOrigin(target)
+                 << " when establishing a tunnel"
+                 << AuthChallengeLogMessage();
 
       // We are establishing a tunnel, we can't show the error page because an
       // active network attacker could control its contents.  Instead, we just
       // fail to establish the tunnel.
       DCHECK(target == HttpAuth::AUTH_PROXY);
       return ERR_PROXY_AUTH_REQUESTED;
     }
     // We found no supported challenge -- let the transaction continue
     // so we end up displaying the error page.
     return OK;
@@ skipping 38 matching lines @@
   if (target == HttpAuth::AUTH_PROXY) {
     auth_info->host = ASCIIToWide(proxy_info_.proxy_server().host_and_port());
   } else {
     DCHECK(target == HttpAuth::AUTH_SERVER);
     auth_info->host = ASCIIToWide(request_->url.host());
   }
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net