Don't try to use explicit credentials with schemes that don't support it.

net/http/http_auth_controller_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/test_completion_callback.h"
 #include "net/http/http_auth_cache.h"
@@ skipping 10 matching lines @@
 enum HandlerRunMode {
   RUN_HANDLER_SYNC,
   RUN_HANDLER_ASYNC
 };
 
 enum SchemeState {
   SCHEME_IS_DISABLED,
   SCHEME_IS_ENABLED
 };
 
+scoped_refptr<HttpResponseHeaders> HeadersFromString(const char* string) {
+  std::string raw_string(string);
+  std::string headers_string = HttpUtil::AssembleRawHeaders(
+      raw_string.c_str(), raw_string.length());
+  scoped_refptr<HttpResponseHeaders> headers(
+      new HttpResponseHeaders(headers_string));
+  return headers;
+}
+
 // Runs an HttpAuthController with a single round mock auth handler
 // that returns |handler_rv| on token generation.  The handler runs in
 // async if |run_mode| is RUN_HANDLER_ASYNC.  Upon completion, the
 // return value of the controller is tested against
 // |expected_controller_rv|.  |scheme_state| indicates whether the
 // auth scheme used should be disabled after this run.
 void RunSingleRoundAuthTest(HandlerRunMode run_mode,
                             int handler_rv,
                             int expected_controller_rv,
                             SchemeState scheme_state) {
   BoundNetLog dummy_log;
   HttpAuthCache dummy_auth_cache;
 
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("http://example.com");
 
-  const std::string headers_raw_string =
+  scoped_refptr<HttpResponseHeaders> headers(HeadersFromString(
       "HTTP/1.1 407\r\n"
       "Proxy-Authenticate: MOCK foo\r\n"
-      "\r\n";
-  std::string headers_string = HttpUtil::AssembleRawHeaders(
-      headers_raw_string.c_str(), headers_raw_string.length());
-  scoped_refptr<HttpResponseHeaders> headers(
-      new HttpResponseHeaders(headers_string));
+      "\r\n"));
 
   HttpAuthHandlerMock::Factory auth_handler_factory;
   HttpAuthHandlerMock* auth_handler = new HttpAuthHandlerMock();
   auth_handler->SetGenerateExpectation((run_mode == RUN_HANDLER_ASYNC),
                                        handler_rv);
   auth_handler_factory.AddMockHandler(auth_handler, HttpAuth::AUTH_PROXY);
   auth_handler_factory.set_do_init_from_challenge(true);
 
   scoped_refptr<HttpAuthController> controller(
       new HttpAuthController(HttpAuth::AUTH_PROXY,
                              GURL("http://example.com"),
                              &dummy_auth_cache, &auth_handler_factory));
   ASSERT_EQ(OK,
             controller->HandleAuthChallenge(headers, false, false, dummy_log));
-  EXPECT_TRUE(controller->HaveAuthHandler());
+  ASSERT_TRUE(controller->HaveAuthHandler());
   controller->ResetAuth(string16(), string16());
   EXPECT_TRUE(controller->HaveAuth());
 
   TestCompletionCallback callback;
   EXPECT_EQ((run_mode == RUN_HANDLER_ASYNC)? ERR_IO_PENDING:
             expected_controller_rv,
             controller->MaybeGenerateAuthToken(&request, &callback,
                                                dummy_log));
   if (run_mode == RUN_HANDLER_ASYNC)
     EXPECT_EQ(expected_controller_rv, callback.WaitForResult());
@@ skipping 21 matching lines @@
   // tokens.
   RunSingleRoundAuthTest(RUN_HANDLER_ASYNC, ERR_MISSING_AUTH_CREDENTIALS, OK,
                          SCHEME_IS_DISABLED);
 
   // If a non-permanent error is returned by the handler, then the
   // controller should report it unchanged.
   RunSingleRoundAuthTest(RUN_HANDLER_ASYNC, ERR_INVALID_AUTH_CREDENTIALS,
                          ERR_INVALID_AUTH_CREDENTIALS, SCHEME_IS_ENABLED);
 }
 
+// If an HttpAuthHandler indicates that it doesn't allow explicit
+// credentials, don't prompt for credentials.
+TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
+  BoundNetLog dummy_log;
+  HttpAuthCache dummy_auth_cache;
+
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("http://example.com");
+
+  scoped_refptr<HttpResponseHeaders> headers(HeadersFromString(
+      "HTTP/1.1 401\r\n"
+      "WWW-Authenticate: MOCK\r\n"
+      "\r\n"));
+
+  HttpAuthHandlerMock::Factory auth_handler_factory;
+
+  // auth_handler_1 is the handler for the first attempt at authentication.  It
+  // accepts the default identity and successfully constructs a token.
+  HttpAuthHandlerMock* auth_handler_1 = new HttpAuthHandlerMock();
+  auth_handler_1->SetGenerateExpectation(true, OK);
+  auth_handler_1->set_allows_default_credentials(true);
+  auth_handler_1->set_allows_explicit_credentials(false);
+  auth_handler_1->set_connection_based(true);
+  auth_handler_factory.AddMockHandler(auth_handler_1, HttpAuth::AUTH_SERVER);
+
+  // auth_handler_2 is the handler for the second attempt.  It should not be
+  // used to generate a token.  Instead the controller should realize that there
+  // are no viable identities to use with this handler and fail.

[cbentzel, 2011/08/30 14:16:51]

Should you do test that we fallback to a less-secure auth scheme in this case?
Not quite sure how to do it with the mocking infrastructure, though.

[asanka, 2011/08/30 18:55:44]

I added a mock class that pretends to be Basic and gives itself a lower score so
we can test failover to a weaker scheme.

+  HttpAuthHandlerMock* auth_handler_2 = new HttpAuthHandlerMock();
+  auth_handler_2->SetGenerateExpectation(true, ERR_UNEXPECTED);
+  auth_handler_2->set_allows_default_credentials(true);
+  auth_handler_2->set_allows_explicit_credentials(false);
+  auth_handler_2->set_connection_based(true);
+  auth_handler_factory.AddMockHandler(auth_handler_2, HttpAuth::AUTH_SERVER);
+  auth_handler_factory.set_do_init_from_challenge(true);
+
+  scoped_refptr<HttpAuthController> controller(
+      new HttpAuthController(HttpAuth::AUTH_SERVER,
+                             GURL("http://example.com"),
+                             &dummy_auth_cache, &auth_handler_factory));
+  ASSERT_EQ(OK,
+            controller->HandleAuthChallenge(headers, false, false, dummy_log));
+  ASSERT_TRUE(controller->HaveAuthHandler());
+  controller->ResetAuth(string16(), string16());
+  EXPECT_TRUE(controller->HaveAuth());
+
+  {
+    TestCompletionCallback callback;
+    int result = controller->MaybeGenerateAuthToken(&request, &callback,
+                                                    dummy_log);
+    EXPECT_EQ(ERR_IO_PENDING, result);
+    EXPECT_EQ(OK, callback.WaitForResult());
+  }
+
+  // Once a token is generated, simulate the receipt of a server response
+  // indicating that the authentication attempt was rejected.
+  EXPECT_EQ(OK,
+            controller->HandleAuthChallenge(headers, false, false, dummy_log));
+  EXPECT_FALSE(controller->HaveAuthHandler());
+  EXPECT_TRUE(controller->IsAuthSchemeDisabled(HttpAuth::AUTH_SCHEME_MOCK));
+}
+
 }  // namespace net