Allow chrome to handle 407 auth challenges to CONNECT requests

net/http/http_network_transaction_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include <math.h>  // ceil
 #include <stdarg.h>
 #include <string>
 #include <vector>
@@ skipping 403 matching lines @@
 bool CheckNTLMServerAuth(const AuthChallengeInfo* auth_challenge) {
   if (!auth_challenge)
     return false;
   EXPECT_FALSE(auth_challenge->is_proxy);
   EXPECT_EQ("172.22.68.17:80", auth_challenge->challenger.ToString());
   EXPECT_EQ(std::string(), auth_challenge->realm);
   EXPECT_EQ("ntlm", auth_challenge->scheme);
   return true;
 }
 
+bool CheckNTLMProxyAuth(const AuthChallengeInfo* auth_challenge) {
+  if (!auth_challenge)
+    return false;
+  EXPECT_TRUE(auth_challenge->is_proxy);
+  EXPECT_EQ("proxy:70", auth_challenge->challenger.ToString());
+  EXPECT_EQ(std::string(), auth_challenge->realm);
+  EXPECT_EQ("ntlm", auth_challenge->scheme);
+  return true;
+}
+
 TEST_F(HttpNetworkTransactionTest, Basic) {
   SessionDependencies session_deps;
   scoped_ptr<HttpTransaction> trans(
       new HttpNetworkTransaction(CreateSession(&session_deps)));
 }
 
 TEST_F(HttpNetworkTransactionTest, SimpleGET) {
   MockRead data_reads[] = {
     MockRead("HTTP/1.0 200 OK\r\n\r\n"),
     MockRead("hello world"),
@@ skipping 1277 matching lines @@
   CapturingBoundNetLog log(CapturingNetLog::kUnbounded);
   session_deps.net_log = log.bound().net_log();
   scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
 
   // Since we have proxy, should try to establish tunnel.
   MockWrite data_writes1[] = {
     MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
               "Host: www.google.com\r\n"
               "Proxy-Connection: keep-alive\r\n\r\n"),
 
+  };
+
+  MockWrite data_writes2[] = {
     // After calling trans->RestartWithAuth(), this is the request we should
     // be issuing -- the final header line contains the credentials.
     MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
               "Host: www.google.com\r\n"
               "Proxy-Connection: keep-alive\r\n"
               "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
 
     MockWrite("GET / HTTP/1.1\r\n"
               "Host: www.google.com\r\n"
               "Connection: keep-alive\r\n\r\n"),
   };
 
   // The proxy responds to the connect with a 407, using a persistent
   // connection.
   MockRead data_reads1[] = {
     // No credentials.
     MockRead("HTTP/1.1 407 Proxy Authentication Required\r\n"),
     MockRead("Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"),
     MockRead("Proxy-Connection: close\r\n\r\n"),
+  };
 
+  MockRead data_reads2[] = {
     MockRead("HTTP/1.1 200 Connection Established\r\n\r\n"),
 
     MockRead("HTTP/1.1 200 OK\r\n"),
     MockRead("Content-Type: text/html; charset=iso-8859-1\r\n"),
     MockRead("Content-Length: 5\r\n\r\n"),
     MockRead(false, "hello"),
   };
 
   StaticSocketDataProvider data1(data_reads1, arraysize(data_reads1),
                                  data_writes1, arraysize(data_writes1));
+  StaticSocketDataProvider data2(data_reads2, arraysize(data_reads2),
+                                 data_writes2, arraysize(data_writes2));
   session_deps.socket_factory.AddSocketDataProvider(&data1);
+  session_deps.socket_factory.AddSocketDataProvider(&data2);
   SSLSocketDataProvider ssl(true, OK);
   session_deps.socket_factory.AddSSLSocketDataProvider(&ssl);
 
   TestCompletionCallback callback1;
 
   scoped_ptr<HttpTransaction> trans(new HttpNetworkTransaction(session));
 
   int rv = trans->Start(&request, callback1.callback(), log.bound());
   EXPECT_EQ(ERR_IO_PENDING, rv);
 
@@ skipping 194 matching lines @@
   EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
 
   std::string response_data;
   rv = ReadTransaction(trans.get(), &response_data);
   EXPECT_EQ(ERR_TUNNEL_CONNECTION_FAILED, rv);
 
   // Flush the idle socket before the HttpNetworkTransaction goes out of scope.
   session->CloseAllConnections();
 }
 
+// Test the request-challenge-retry sequence for basic auth, over a connection
+// that requires a restart when setting up an SSL tunnel.
+TEST_F(HttpNetworkTransactionTest, BasicAuthHttpsProxyNoKeepAlive) {
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://www.google.com/");
+  // when the no authentication data flag is set.
+  request.load_flags = net::LOAD_DO_NOT_SEND_AUTH_DATA;
+
+  // Configure against https proxy server "myproxy:70".
+  SessionDependencies session_deps(
+      ProxyService::CreateFixed("https://myproxy:70"));
+  CapturingBoundNetLog log(CapturingNetLog::kUnbounded);
+  session_deps.net_log = log.bound().net_log();
+  scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
+
+  // Since we have proxy, should try to establish tunnel.
+  MockWrite data_writes1[] = {
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n\r\n"),
+  };
+
+  MockWrite data_writes2[] = {
+    // After calling trans->RestartWithAuth(), this is the request we should
+    // be issuing -- the final header line contains the credentials.
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n"
+              "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+
+    MockWrite("GET / HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Connection: keep-alive\r\n\r\n"),
+  };
+
+  // The proxy responds to the connect with a 407, using a persistent
+  // connection.
+  MockRead data_reads1[] = {
+    // No credentials.
+    MockRead("HTTP/1.1 407 Proxy Authentication Required\r\n"),
+    MockRead("Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"),
+    MockRead("Proxy-Connection: close\r\n\r\n"),
+  };
+
+  MockRead data_reads2[] = {
+    MockRead("HTTP/1.1 200 Connection Established\r\n\r\n"),
+
+    MockRead("HTTP/1.1 200 OK\r\n"),
+    MockRead("Content-Type: text/html; charset=iso-8859-1\r\n"),
+    MockRead("Content-Length: 5\r\n\r\n"),
+    MockRead(false, "hello"),
+  };
+
+  StaticSocketDataProvider data1(data_reads1, arraysize(data_reads1),
+                                 data_writes1, arraysize(data_writes1));
+  StaticSocketDataProvider data2(data_reads2, arraysize(data_reads2),
+                                 data_writes2, arraysize(data_writes2));
+  session_deps.socket_factory.AddSocketDataProvider(&data1);
+  session_deps.socket_factory.AddSocketDataProvider(&data2);
+  SSLSocketDataProvider proxy(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&proxy);
+  SSLSocketDataProvider proxy2(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&proxy2);
+  SSLSocketDataProvider server(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&server);
+
+  TestCompletionCallback callback1;
+
+  scoped_ptr<HttpTransaction> trans(new HttpNetworkTransaction(session));
+
+  int rv = trans->Start(&request, callback1.callback(), log.bound());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback1.WaitForResult();
+  EXPECT_EQ(OK, rv);
+  net::CapturingNetLog::EntryList entries;
+  log.GetEntries(&entries);
+  size_t pos = ExpectLogContainsSomewhere(
+      entries, 0, NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+      NetLog::PHASE_NONE);
+  ExpectLogContainsSomewhere(
+      entries, pos,
+      NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      NetLog::PHASE_NONE);
+
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  ASSERT_FALSE(response->headers == NULL);
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge.get()));
+
+  TestCompletionCallback callback2;
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBar),
+                              callback2.callback());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback2.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+
+  EXPECT_TRUE(response->headers->IsKeepAlive());
+  EXPECT_EQ(200, response->headers->response_code());
+  EXPECT_EQ(5, response->headers->GetContentLength());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+
+  // The password prompt info should not be set.
+  EXPECT_TRUE(response->auth_challenge.get() == NULL);
+
+  trans.reset();
+  session->CloseAllConnections();
+}
+
+// Test the request-challenge-retry sequence for basic auth, over a keep-alive
+// proxy connection, when setting up an SSL tunnel.
+TEST_F(HttpNetworkTransactionTest, BasicAuthHttpsProxyKeepAlive) {
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://www.google.com/");
+  // Ensure that proxy authentication is attempted even
+  // when the no authentication data flag is set.
+  request.load_flags = net::LOAD_DO_NOT_SEND_AUTH_DATA;
+
+  // Configure against https proxy server "myproxy:70".
+  SessionDependencies session_deps(
+      ProxyService::CreateFixed("https://myproxy:70"));
+  CapturingBoundNetLog log(CapturingNetLog::kUnbounded);
+  session_deps.net_log = log.bound().net_log();
+  scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
+
+  scoped_ptr<HttpTransaction> trans(new HttpNetworkTransaction(session));
+
+  // Since we have proxy, should try to establish tunnel.
+  MockWrite data_writes1[] = {
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n\r\n"),
+
+    // After calling trans->RestartWithAuth(), this is the request we should
+    // be issuing -- the final header line contains the credentials.
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n"
+              "Proxy-Authorization: Basic Zm9vOmJheg==\r\n\r\n"),
+  };
+
+  // The proxy responds to the connect with a 407, using a persistent
+  // connection.
+  MockRead data_reads1[] = {
+    // No credentials.
+    MockRead("HTTP/1.1 407 Proxy Authentication Required\r\n"),
+    MockRead("Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"),
+    MockRead("Content-Length: 10\r\n\r\n"),
+    MockRead("0123456789"),
+
+    // Wrong credentials (wrong password).
+    MockRead("HTTP/1.1 407 Proxy Authentication Required\r\n"),
+    MockRead("Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"),
+    MockRead("Content-Length: 10\r\n\r\n"),
+    // No response body because the test stops reading here.
+    MockRead(false, ERR_UNEXPECTED),  // Should not be reached.
+  };
+
+  StaticSocketDataProvider data1(data_reads1, arraysize(data_reads1),
+                                 data_writes1, arraysize(data_writes1));
+  session_deps.socket_factory.AddSocketDataProvider(&data1);
+  SSLSocketDataProvider ssl(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl);
+
+  TestCompletionCallback callback1;
+
+  int rv = trans->Start(&request, callback1.callback(), log.bound());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback1.WaitForResult();
+  EXPECT_EQ(OK, rv);
+  net::CapturingNetLog::EntryList entries;
+  log.GetEntries(&entries);
+  size_t pos = ExpectLogContainsSomewhere(
+      entries, 0, NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+      NetLog::PHASE_NONE);
+  ExpectLogContainsSomewhere(
+      entries, pos,
+      NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      NetLog::PHASE_NONE);
+
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  ASSERT_FALSE(response->headers == NULL);
+  EXPECT_TRUE(response->headers->IsKeepAlive());
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_EQ(10, response->headers->GetContentLength());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge.get()));
+
+  TestCompletionCallback callback2;
+
+  // Wrong password (should be "bar").
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBaz),
+                              callback2.callback());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback2.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  ASSERT_FALSE(response->headers == NULL);
+  EXPECT_TRUE(response->headers->IsKeepAlive());
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_EQ(10, response->headers->GetContentLength());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge.get()));
+
+  // Flush the idle socket before the NetLog and HttpNetworkTransaction go
+  // out of scope.
+  session->CloseAllConnections();
+}
+
+// Test the request-challenge-retry sequence for basic auth, through
+// a SPDY proxy over a single SPDY session.
+TEST_F(HttpNetworkTransactionTest, BasicAuthSpdyProxy) {
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://www.google.com/");
+  // when the no authentication data flag is set.
+  request.load_flags = net::LOAD_DO_NOT_SEND_AUTH_DATA;
+
+  // Configure against https proxy server "myproxy:70".
+  SessionDependencies session_deps(
+      ProxyService::CreateFixed("https://myproxy:70"));
+  CapturingBoundNetLog log(CapturingNetLog::kUnbounded);
+  session_deps.net_log = log.bound().net_log();
+  scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
+
+  // Since we have proxy, should try to establish tunnel.
+  scoped_ptr<spdy::SpdyFrame> req(ConstructSpdyConnect(NULL, 0, 1));
+  scoped_ptr<spdy::SpdyFrame> rst(ConstructSpdyRstStream(1, spdy::CANCEL));
+
+  // After calling trans->RestartWithAuth(), this is the request we should
+  // be issuing -- the final header line contains the credentials.
+  const char* const kAuthCredentials[] = {
+      "proxy-authorization", "Basic Zm9vOmJhcg==",
+  };
+  scoped_ptr<spdy::SpdyFrame> connect2(
+      ConstructSpdyConnect(kAuthCredentials, arraysize(kAuthCredentials)/2, 3));
+  // fetch https://www.google.com/ via HTTP
+  const char get[] = "GET / HTTP/1.1\r\n"
+    "Host: www.google.com\r\n"
+    "Connection: keep-alive\r\n\r\n";
+  scoped_ptr<spdy::SpdyFrame> wrapped_get(
+      ConstructSpdyBodyFrame(3, get, strlen(get), false));
+
+  MockWrite spdy_writes[] = {
+    CreateMockWrite(*req, 0, true),
+    CreateMockWrite(*rst, 2, true),
+    CreateMockWrite(*connect2, 3),
+    CreateMockWrite(*wrapped_get, 5)
+  };
+
+  // The proxy responds to the connect with a 407, using a persistent
+  // connection.
+  const char* const kAuthChallenge[] = {
+    "status", "407 Proxy Authentication Required",
+    "version", "HTTP/1.1",
+    "proxy-authenticate", "Basic realm=\"MyRealm1\"",
+  };
+
+  scoped_ptr<spdy::SpdyFrame> conn_auth_resp(
+      ConstructSpdyControlFrame(NULL,
+                                0,
+                                false,
+                                1,
+                                LOWEST,
+                                spdy::SYN_REPLY,
+                                spdy::CONTROL_FLAG_NONE,
+                                kAuthChallenge,
+                                arraysize(kAuthChallenge)));
+
+  scoped_ptr<spdy::SpdyFrame> conn_resp(ConstructSpdyGetSynReply(NULL, 0, 3));
+  const char resp[] = "HTTP/1.1 200 OK\r\n"
+      "Content-Length: 5\r\n\r\n";
+
+  scoped_ptr<spdy::SpdyFrame> wrapped_get_resp(
+      ConstructSpdyBodyFrame(3, resp, strlen(resp), false));
+  scoped_ptr<spdy::SpdyFrame> wrapped_body(
+      ConstructSpdyBodyFrame(3, "hello", 5, false));
+  MockRead spdy_reads[] = {
+    CreateMockRead(*conn_auth_resp, 1, true),
+    CreateMockRead(*conn_resp, 4, true),
+    CreateMockRead(*wrapped_get_resp, 5, true),
+    CreateMockRead(*wrapped_body, 6, true),
+    MockRead(false, ERR_IO_PENDING),
+  };
+
+  scoped_refptr<OrderedSocketData> spdy_data(
+      new OrderedSocketData(
+          spdy_reads, arraysize(spdy_reads),
+          spdy_writes, arraysize(spdy_writes)));
+  session_deps.socket_factory.AddSocketDataProvider(spdy_data);
+  // Negotiate SPDY to the proxy
+  SSLSocketDataProvider proxy(true, OK);
+  proxy.next_proto_status = SSLClientSocket::kNextProtoNegotiated;
+  proxy.next_proto = "spdy/2";
+  proxy.was_npn_negotiated = true;
+  session_deps.socket_factory.AddSSLSocketDataProvider(&proxy);
+  // Vanilla SSL to the server
+  SSLSocketDataProvider server(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&server);
+
+  TestCompletionCallback callback1;
+
+  scoped_ptr<HttpTransaction> trans(new HttpNetworkTransaction(session));
+
+  int rv = trans->Start(&request, callback1.callback(), log.bound());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback1.WaitForResult();
+  EXPECT_EQ(OK, rv);
+  net::CapturingNetLog::EntryList entries;
+  log.GetEntries(&entries);
+  size_t pos = ExpectLogContainsSomewhere(
+      entries, 0, NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+      NetLog::PHASE_NONE);
+  ExpectLogContainsSomewhere(
+      entries, pos,
+      NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      NetLog::PHASE_NONE);
+
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  ASSERT_FALSE(response->headers == NULL);
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+  EXPECT_TRUE(response->auth_challenge.get() != NULL);
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge.get()));
+
+  TestCompletionCallback callback2;
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBar),
+                              callback2.callback());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback2.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+
+  EXPECT_TRUE(response->headers->IsKeepAlive());
+  EXPECT_EQ(200, response->headers->response_code());
+  EXPECT_EQ(5, response->headers->GetContentLength());
+  EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
+
+  // The password prompt info should not be set.
+  EXPECT_TRUE(response->auth_challenge.get() == NULL);
+
+  trans.reset();
+  session->CloseAllConnections();
+}
+
+
 // Test when a server (non-proxy) returns a 407 (proxy-authenticate).
 // The request should fail with ERR_UNEXPECTED_PROXY_AUTH.
 TEST_F(HttpNetworkTransactionTest, UnexpectedProxyAuth) {
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("http://www.google.com/");
   request.load_flags = 0;
 
   // We are using a DIRECT connection (i.e. no proxy) for this session.
   SessionDependencies session_deps;
@@ skipping 1082 matching lines @@
 
   rv = callback3.WaitForResult();
   EXPECT_EQ(OK, rv);
 
   response = trans->GetResponseInfo();
   ASSERT_TRUE(response != NULL);
   EXPECT_TRUE(response->auth_challenge.get() == NULL);
   EXPECT_EQ(13, response->headers->GetContentLength());
 }
 
+
+// Enter the correct password and authenticate successfully.
+TEST_F(HttpNetworkTransactionTest, NTLMAuthFull) {

[cbentzel, 2012/01/20 02:09:46]

Should the name/description of this test include anything about establishing a
tunnel through an NTLM authentication proxy?

[Ryan Hamilton, 2012/01/20 04:20:04]

Done.

+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://www.google.com/");
+  request.load_flags = 0;
+
+  HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockGenerateRandom1,
+                                                    MockGetHostName);
+  SessionDependencies session_deps(ProxyService::CreateFixed(
+      "https://proxy:70"));
+
+  MockWrite data_writes1[] = {
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n\r\n"),
+  };
+
+  MockRead data_reads1[] = {
+    MockRead("HTTP/1.1 407 Access Denied\r\n"),
+    // Negotiate and NTLM are often requested together.  However, we only want
+    // to test NTLM. Since Negotiate is preferred over NTLM, we have to skip
+    // the header that requests Negotiate for this test.
+    MockRead("Proxy-Authenticate: NTLM\r\n"),
+    MockRead("Connection: close\r\n"),
+    MockRead("Content-Length: 42\r\n"),
+    MockRead("Content-Type: text/html\r\n\r\n"),
+    // Missing content -- won't matter, as connection will be reset.
+    MockRead(false, ERR_UNEXPECTED),
+  };
+
+  MockWrite data_writes2[] = {
+    // After restarting with a null identity, this is the
+    // request we should be issuing -- the final header line contains a Type
+    // 1 message.
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n"
+              "Proxy-Authorization: NTLM "
+              "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"),
+
+    // After calling trans->RestartWithAuth(), we should send a Type 3 message
+    // (the credentials for the origin server).  The second request continues
+    // on the same connection.
+    MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n"
+              "Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgA"
+              "AAAAAAAABAAAAAGAAYAEAAAAAQABAAWAAAAAAAAAAAAAAABYIIAHQA"
+              "ZQBzAHQAaQBuAGcALQBuAHQAbABtAFcAVABDAC0AVwBJAE4ANwBVKW"
+              "Yma5xzVAAAAAAAAAAAAAAAAAAAAACH+gWcm+YsP9Tqb9zCR3WAeZZX"
+              "ahlhx5I=\r\n\r\n"),
+
+    MockWrite("GET / HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Connection: keep-alive\r\n\r\n"),
+  };
+
+  MockRead data_reads2[] = {
+    // The origin server responds with a Type 2 message.
+    MockRead("HTTP/1.1 407 Access Denied\r\n"),
+    MockRead("Proxy-Authenticate: NTLM "
+             "TlRMTVNTUAACAAAADAAMADgAAAAFgokCjGpMpPGlYKkAAAAAAAAAALo"
+             "AugBEAAAABQEoCgAAAA9HAE8ATwBHAEwARQACAAwARwBPAE8ARwBMAE"
+             "UAAQAaAEEASwBFAEUAUwBBAFIAQQAtAEMATwBSAFAABAAeAGMAbwByA"
+             "HAALgBnAG8AbwBnAGwAZQAuAGMAbwBtAAMAQABhAGsAZQBlAHMAYQBy"
+             "AGEALQBjAG8AcgBwAC4AYQBkAC4AYwBvAHIAcAAuAGcAbwBvAGcAbAB"
+             "lAC4AYwBvAG0ABQAeAGMAbwByAHAALgBnAG8AbwBnAGwAZQAuAGMAbw"
+             "BtAAAAAAA=\r\n"),
+    MockRead("Content-Length: 42\r\n"),
+    MockRead("Content-Type: text/html\r\n\r\n"),
+    MockRead("You are not authorized to view this page\r\n"),
+
+    // Connect succeeds
+    MockRead("HTTP/1.0 200 Connected\r\n\r\n"),
+
+    // Lastly we get the desired content.
+    MockRead("HTTP/1.1 200 OK\r\n"),
+    MockRead("Content-Type: text/html; charset=utf-8\r\n"),
+    MockRead("Content-Length: 13\r\n\r\n"),
+    MockRead("Please Login\r\n"),
+    MockRead(false, OK),
+  };
+
+  StaticSocketDataProvider data1(data_reads1, arraysize(data_reads1),
+                                 data_writes1, arraysize(data_writes1));
+  StaticSocketDataProvider data2(data_reads2, arraysize(data_reads2),
+                                 data_writes2, arraysize(data_writes2));
+  SSLSocketDataProvider ssl(true, OK);
+  SSLSocketDataProvider ssl2(true, OK);
+  SSLSocketDataProvider ssl3(true, OK);
+  SSLSocketDataProvider ssl_server(true, OK);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl2);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl3);
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl_server);
+  session_deps.socket_factory.AddSocketDataProvider(&data1);
+  session_deps.socket_factory.AddSocketDataProvider(&data2);
+  scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
+
+  TestCompletionCallback callback1;
+
+  scoped_ptr<HttpTransaction> trans(new HttpNetworkTransaction(session));
+
+  int rv = trans->Start(&request, callback1.callback(), BoundNetLog());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback1.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  EXPECT_FALSE(trans->IsReadyToRestartForAuth());
+
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_FALSE(response == NULL);
+  EXPECT_TRUE(CheckNTLMProxyAuth(response->auth_challenge.get()));
+
+  TestCompletionCallback callback2;
+
+  rv = trans->RestartWithAuth(AuthCredentials(kTestingNTLM, kTestingNTLM),
+                              callback2.callback());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback2.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  EXPECT_TRUE(trans->IsReadyToRestartForAuth());
+
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  EXPECT_TRUE(response->auth_challenge.get() == NULL);
+
+  TestCompletionCallback callback3;
+
+  rv = trans->RestartWithAuth(AuthCredentials(), callback3.callback());
+  EXPECT_EQ(ERR_IO_PENDING, rv);
+
+  rv = callback3.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response != NULL);
+  EXPECT_TRUE(response->auth_challenge.get() == NULL);
+  EXPECT_EQ(13, response->headers->GetContentLength());
+}
+
 // Enter a wrong password, and then the correct one.
 TEST_F(HttpNetworkTransactionTest, NTLMAuth2) {
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("http://172.22.68.17/kids/login.aspx");
   request.load_flags = 0;
 
   HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockGenerateRandom2,
                                                     MockGetHostName);
   SessionDependencies session_deps;
@@ skipping 4313 matching lines @@
 }
 
 // GenerateAuthToken is a mighty big test.
 // It tests all permutation of GenerateAuthToken behavior:
 //   - Synchronous and Asynchronous completion.
 //   - OK or error on completion.
 //   - Direct connection, non-authenticating proxy, and authenticating proxy.
 //   - HTTP or HTTPS backend (to include proxy tunneling).
 //   - Non-authenticating and authenticating backend.
 //
-// In all, there are 44 reasonable permuations (for example, if there are
+// In all, there are 44 reasonable permutations (for example, if there are
 // problems generating an auth token for an authenticating proxy, we don't
 // need to test all permutations of the backend server).
 //
 // The test proceeds by going over each of the configuration cases, and
 // potentially running up to three rounds in each of the tests. The TestConfig
 // specifies both the configuration for the test as well as the expectations
 // for the results.
 TEST_F(HttpNetworkTransactionTest, GenerateAuthToken) {
   static const char kServer[] = "http://www.example.com";
   static const char kSecureServer[] = "https://www.example.com";
@@ skipping 837 matching lines @@
   };
   StaticSocketDataProvider data_1(data_reads_1, arraysize(data_reads_1),
                                   data_writes_1, arraysize(data_writes_1));
 
   // Second round tries to tunnel to www.google.com due to the
   // Alternate-Protocol announcement in the first round. It fails due
   // to a proxy authentication challenge.
   // After the failure, a tunnel is established to www.google.com using
   // Proxy-Authorization headers. There is then a SPDY request round.
   //
-  // NOTE: Despite the "Proxy-Connection: Close", these are done on the
-  // same MockTCPClientSocket since the underlying HttpNetworkClientSocket
-  // does a Disconnect and Connect on the same socket, rather than trying
-  // to obtain a new one.
-  //
   // NOTE: Originally, the proxy response to the second CONNECT request
   // simply returned another 407 so the unit test could skip the SSL connection
   // establishment and SPDY framing issues. Alas, the
   // retry-http-when-alternate-protocol fails logic kicks in, which was more
   // complicated to set up expectations for than the SPDY session.
 
   scoped_ptr<spdy::SpdyFrame> req(ConstructSpdyGet(NULL, 0, false, 1, LOWEST));
   scoped_ptr<spdy::SpdyFrame> resp(ConstructSpdyGetSynReply(NULL, 0, 1));
   scoped_ptr<spdy::SpdyFrame> data(ConstructSpdyBodyFrame(1, true));
 
   MockWrite data_writes_2[] = {
     // First connection attempt without Proxy-Authorization.
     MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
               "Host: www.google.com\r\n"
               "Proxy-Connection: keep-alive\r\n"
               "\r\n"),
+  };
 
+  MockWrite data_writes_3[] = {
+    // Non-alternate protocol job that will run in parallel
+    MockWrite("GET https://www.google.com/ HTTP/1.1\r\n"
+              "Host: www.google.com\r\n"
+              "Proxy-Connection: keep-alive\r\n"
+              "\r\n"),
+  };
+
+  MockWrite data_writes_4[] = {
     // Second connection attempt with Proxy-Authorization.
     MockWrite("CONNECT www.google.com:443 HTTP/1.1\r\n"
               "Host: www.google.com\r\n"
               "Proxy-Connection: keep-alive\r\n"
               "Proxy-Authorization: auth_token\r\n"
               "\r\n"),
 
     // SPDY request
     CreateMockWrite(*req),
   };
   const char kRejectConnectResponse[] = ("HTTP/1.1 407 Unauthorized\r\n"
                                          "Proxy-Authenticate: Mock\r\n"
                                          "Proxy-Connection: close\r\n"
+                                         "Content-Length: 0\r\n"
                                          "\r\n");
   const char kAcceptConnectResponse[] = "HTTP/1.1 200 Connected\r\n\r\n";
   MockRead data_reads_2[] = {
     // First connection attempt fails
     MockRead(false, ERR_TEST_PEER_CLOSE_AFTER_NEXT_MOCK_READ, 1),
     MockRead(true, kRejectConnectResponse,
              arraysize(kRejectConnectResponse) - 1, 1),
+  };
 
+  // Hang forever so we can ensure the alt job wins
+  MockRead data_reads_3[] = {
+    MockRead(false, ERR_IO_PENDING),
+  };
+
+  MockRead data_reads_4[] = {
     // Second connection attempt passes
     MockRead(true, kAcceptConnectResponse,
-             arraysize(kAcceptConnectResponse) -1, 4),
+             arraysize(kAcceptConnectResponse) -1, 1),
 
     // SPDY response
-    CreateMockRead(*resp.get(), 6),
-    CreateMockRead(*data.get(), 6),
-    MockRead(true, 0, 0, 6),
+    CreateMockRead(*resp.get(), 3),
+    CreateMockRead(*data.get(), 3),
+    MockRead(true, 0, 0, 4),
   };
   scoped_refptr<OrderedSocketData> data_2(
       new OrderedSocketData(data_reads_2, arraysize(data_reads_2),
                             data_writes_2, arraysize(data_writes_2)));
+  scoped_refptr<OrderedSocketData> data_3(
+    new OrderedSocketData(data_reads_3, arraysize(data_reads_3),
+                          data_writes_3, arraysize(data_writes_3)));
+  // Hang forever so we can ensure the alt job wins
+  MockConnect conn_3(false, ERR_IO_PENDING);
+  data_3->set_connect_data(conn_3);
+  scoped_refptr<OrderedSocketData> data_4(
+    new OrderedSocketData(data_reads_4, arraysize(data_reads_4),
+                          data_writes_4, arraysize(data_writes_4)));
 
   SSLSocketDataProvider ssl(true, OK);
   ssl.next_proto_status = SSLClientSocket::kNextProtoNegotiated;
   ssl.next_proto = "spdy/2";
   ssl.was_npn_negotiated = true;
   ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY2;
 
   MockConnect never_finishing_connect(false, ERR_IO_PENDING);
   StaticSocketDataProvider hanging_non_alternate_protocol_socket(
       NULL, 0, NULL, 0);
   hanging_non_alternate_protocol_socket.set_connect_data(
       never_finishing_connect);
 
   session_deps.socket_factory.AddSocketDataProvider(&data_1);
   session_deps.socket_factory.AddSocketDataProvider(data_2.get());
+  session_deps.socket_factory.AddSocketDataProvider(data_3.get());
+  session_deps.socket_factory.AddSocketDataProvider(data_4.get());
+  session_deps.socket_factory.AddSSLSocketDataProvider(&ssl);
   session_deps.socket_factory.AddSSLSocketDataProvider(&ssl);
   session_deps.socket_factory.AddSocketDataProvider(
       &hanging_non_alternate_protocol_socket);
   scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps));
 
   // First round should work and provide the Alternate-Protocol state.
   TestCompletionCallback callback_1;
   scoped_ptr<HttpTransaction> trans_1(new HttpNetworkTransaction(session));
   int rv = trans_1->Start(&request, callback_1.callback(), BoundNetLog());
   EXPECT_EQ(ERR_IO_PENDING, rv);
@@ skipping 1160 matching lines @@
       session->spdy_session_pool()->HasSession(host_port_proxy_pair_b));
 
   HttpStreamFactory::set_next_protos(std::vector<std::string>());
   ClientSocketPoolManager::set_max_sockets_per_pool(old_max_sockets_per_pool);
   ClientSocketPoolManager::set_max_sockets_per_proxy_server(
       old_max_sockets_per_proxy_server);
   ClientSocketPoolManager::set_max_sockets_per_group(old_max_sockets_per_group);
 }
 
 }  // namespace net