Allow chrome to handle 407 auth challenges to CONNECT requests

net/http/http_proxy_client_socket.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_proxy_client_socket.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
@@ skipping 13 matching lines @@
 #include "net/socket/client_socket_handle.h"
 
 namespace net {
 
 HttpProxyClientSocket::HttpProxyClientSocket(
     ClientSocketHandle* transport_socket,
     const GURL& request_url,
     const std::string& user_agent,
     const HostPortPair& endpoint,
     const HostPortPair& proxy_server,
-    HttpAuthCache* http_auth_cache,
-    HttpAuthHandlerFactory* http_auth_handler_factory,
+    HttpAuthController* http_auth_controller,
     bool tunnel,
     bool using_spdy,
     SSLClientSocket::NextProto protocol_negotiated,
     bool is_https_proxy)
     : ALLOW_THIS_IN_INITIALIZER_LIST(io_callback_(
         base::Bind(&HttpProxyClientSocket::OnIOComplete,
                    base::Unretained(this)))),
       next_state_(STATE_NONE),
       transport_(transport_socket),
       endpoint_(endpoint),
-      auth_(tunnel ?
-          new HttpAuthController(HttpAuth::AUTH_PROXY,
-                                 GURL((is_https_proxy ? "https://" : "http://")
-                                      + proxy_server.ToString()),
-                                 http_auth_cache,
-                                 http_auth_handler_factory)
-          : NULL),
+      auth_(http_auth_controller),
       tunnel_(tunnel),
       using_spdy_(using_spdy),
       protocol_negotiated_(protocol_negotiated),
       is_https_proxy_(is_https_proxy),
       net_log_(transport_socket->socket()->NetLog()) {
   // Synthesize the bits of a request that we actually use.
   request_.url = request_url;
   request_.method = "GET";
   if (!user_agent.empty())
     request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent,
                                      user_agent);
 }
 
 HttpProxyClientSocket::~HttpProxyClientSocket() {
   Disconnect();
 }
 
+const
+scoped_refptr<HttpAuthController>& HttpProxyClientSocket::GetAuthController() {
+  return auth_;
+}
+
 int HttpProxyClientSocket::RestartWithAuth(const CompletionCallback& callback) {
   DCHECK_EQ(STATE_NONE, next_state_);
   DCHECK(user_callback_.is_null());
 
   int rv = PrepareForAuthRestart();
-  if (rv != OK)
+  if (rv != OK || next_state_ == STATE_NONE)

[vandebo (ex-Chrome), 2012/01/20 20:49:29]

This change isn't needed, rv will now be ERR_NO_KEEP_ALIVE_ON_AUTH_RESTART for
this case.

[Ryan Hamilton, 2012/01/20 21:51:35]

Done.

[Ryan Hamilton, 2012/01/20 21:51:35]

Done.

     return rv;
 
   rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING) {
     if (!callback.is_null())
       user_callback_ =  callback;
   }
 
   return rv;
 }
@@ skipping 165 matching lines @@
   // We don't need to drain the response body, so we act as if we had drained
   // the response body.
   return DidDrainBodyForAuthRestart(keep_alive);
 }
 
 int HttpProxyClientSocket::DidDrainBodyForAuthRestart(bool keep_alive) {
   if (keep_alive && transport_->socket()->IsConnectedAndIdle()) {
     next_state_ = STATE_GENERATE_AUTH_TOKEN;
     transport_->set_is_reused(true);
   } else {
-    // This assumes that the underlying transport socket is a TCP socket,
-    // since only TCP sockets are restartable.
-    next_state_ = STATE_TCP_RESTART;
-    transport_->socket()->Disconnect();

[vandebo (ex-Chrome), 2012/01/20 20:49:29]

I think we still want to disconnect the socket, otherwise it could go back to
the pool and get reused. I don't remember if there's another check for keep
alive down stream, but it doesn't hurt to disconnect it here.

[Ryan Hamilton, 2012/01/20 21:51:35]

Done.

+    next_state_ = STATE_NONE;
   }
 
   // Reset the other member variables.
   drain_buf_ = NULL;
   parser_buf_ = NULL;
   http_stream_parser_.reset();
   request_line_.clear();
   request_headers_.Clear();
   response_ = HttpResponseInfo();
-  return OK;
-}
-
-int HttpProxyClientSocket::HandleAuthChallenge() {
-  DCHECK(response_.headers);
-
-  int rv = auth_->HandleAuthChallenge(response_.headers, false, true, net_log_);
-  response_.auth_challenge = auth_->auth_info();
-  if (rv == OK)
-    return ERR_PROXY_AUTH_REQUESTED;
-
-  return rv;
+  return next_state_ == STATE_NONE ? ERR_NO_KEEP_ALIVE_ON_AUTH_RESTART : OK;

[vandebo (ex-Chrome), 2012/01/20 20:49:29]

nit: a tristate isn't necessary.  int ret = OK at the top, reset in the
conditional, and return ret 

[Ryan Hamilton, 2012/01/20 21:51:35]

Done.

 }
 
 void HttpProxyClientSocket::LogBlockedTunnelResponse(int response_code) const {
   LOG(WARNING) << "Blocked proxy response with status " << response_code
                << " to CONNECT request for "
                << GetHostAndPort(request_.url) << ".";
 }
 
 void HttpProxyClientSocket::DoCallback(int result) {
   DCHECK_NE(ERR_IO_PENDING, result);
@@ skipping 51 matching lines @@
         net_log_.EndEventWithNetErrorCode(
             NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS, rv);
         break;
       case STATE_DRAIN_BODY:
         DCHECK_EQ(OK, rv);
         rv = DoDrainBody();
         break;
       case STATE_DRAIN_BODY_COMPLETE:
         rv = DoDrainBodyComplete(rv);
         break;
-      case STATE_TCP_RESTART:
-        DCHECK_EQ(OK, rv);
-        rv = DoTCPRestart();
-        break;
-      case STATE_TCP_RESTART_COMPLETE:
-        rv = DoTCPRestartComplete(rv);
-        break;
       case STATE_DONE:
         break;
       default:
         NOTREACHED() << "bad state";
         rv = ERR_UNEXPECTED;
         break;
     }
   } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE &&
            next_state_ != STATE_DONE);
   return rv;
@@ skipping 78 matching lines @@
       // need to be very suspicious about the response because an active network
       // attacker can force us into this state by masquerading as the proxy.
       // The only safe thing to do here is to fail the connection because our
       // client is expecting an SSL protected response.
       // See http://crbug.com/7338.
     case 407:  // Proxy Authentication Required
       // We need this status code to allow proxy authentication.  Our
       // authentication code is smart enough to avoid being tricked by an
       // active network attacker.
       // The next state is intentionally not set as it should be STATE_NONE;
-      return HandleAuthChallenge();
+      return HandleAuthChallenge(auth_, &response_, net_log_);
 
     default:
       if (is_https_proxy_)
         return ERR_HTTPS_PROXY_TUNNEL_RESPONSE;
       // For all other status codes, we conservatively fail the CONNECT
       // request.
       // We lose something by doing this.  We have seen proxy 403, 404, and
       // 501 response bodies that contain a useful error message.  For
       // example, Squid uses a 404 response to report the DNS error: "The
       // domain name does not exist."
@@ skipping 15 matching lines @@
     return result;
 
   if (http_stream_parser_->IsResponseBodyComplete())
     return DidDrainBodyForAuthRestart(true);
 
   // Keep draining.
   next_state_ = STATE_DRAIN_BODY;
   return OK;
 }
 
-int HttpProxyClientSocket::DoTCPRestart() {
-  next_state_ = STATE_TCP_RESTART_COMPLETE;
-  return transport_->socket()->Connect(
-      base::Bind(&HttpProxyClientSocket::OnIOComplete, base::Unretained(this)));
-}
-
-int HttpProxyClientSocket::DoTCPRestartComplete(int result) {
-  if (result != OK)
-    return result;
-
-  next_state_ = STATE_GENERATE_AUTH_TOKEN;
-  return result;
-}
-
 }  // namespace net