Allow chrome to handle 407 auth challenges to CONNECT requests

net/spdy/spdy_proxy_client_socket.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/spdy_proxy_client_socket.h"
 
 #include <algorithm>  // min
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/string_util.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/auth.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_util.h"
-#include "net/http/http_auth_cache.h"
-#include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_net_log_params.h"
 #include "net/http/http_proxy_utils.h"
 #include "net/http/http_response_headers.h"
 #include "net/spdy/spdy_http_utils.h"
 
 namespace net {
 
 SpdyProxyClientSocket::SpdyProxyClientSocket(
     SpdyStream* spdy_stream,
     const std::string& user_agent,
     const HostPortPair& endpoint,
     const GURL& url,
     const HostPortPair& proxy_server,
-    HttpAuthCache* auth_cache,
-    HttpAuthHandlerFactory* auth_handler_factory)
+    HttpAuthController* http_auth_controller)
     : next_state_(STATE_DISCONNECTED),
       spdy_stream_(spdy_stream),
       endpoint_(endpoint),
-      auth_(
-          new HttpAuthController(HttpAuth::AUTH_PROXY,
-                                 GURL("https://" + proxy_server.ToString()),
-                                 auth_cache,
-                                 auth_handler_factory)),
+      auth_(http_auth_controller),
       user_buffer_(NULL),
       write_buffer_len_(0),
       write_bytes_outstanding_(0),
       ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)),
       net_log_(spdy_stream->net_log()) {
   request_.method = "CONNECT";
   request_.url = url;
   if (!user_agent.empty())
     request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent,
                                      user_agent);
   spdy_stream_->SetDelegate(this);
   was_ever_used_ = spdy_stream_->WasEverUsed();
 }
 
 SpdyProxyClientSocket::~SpdyProxyClientSocket() {
   Disconnect();
 }
 
 const HttpResponseInfo* SpdyProxyClientSocket::GetConnectResponseInfo() const {
   return response_.headers ? &response_ : NULL;
 }
 
+const
+scoped_refptr<HttpAuthController>& SpdyProxyClientSocket::GetAuthController() {
+  return auth_;
+}
+
+int SpdyProxyClientSocket::RestartWithAuth(const CompletionCallback& callback) {
+  // A SPDY Stream can only handle a single request, so the underlying
+  // stream may not be reused and a new SpdyProxyClientSocket must be
+  // created (possibly on top of the same SPDY Session).
+  next_state_ = STATE_DISCONNECTED;
+  return ERR_NO_KEEP_ALIVE_ON_AUTH_RESTART;
+}
+
 HttpStream* SpdyProxyClientSocket::CreateConnectResponseStream() {
   DCHECK(response_stream_.get());
   return response_stream_.release();
 }
 
 // Sends a SYN_STREAM frame to the proxy with a CONNECT request
 // for the specified endpoint.  Waits for the server to send back
 // a SYN_REPLY frame.  OK will be returned if the status is 200.
 // ERR_TUNNEL_CONNECTION_FAILED will be returned for any other status.
 // In any of these cases, Read() may be called to retrieve the HTTP
 // response body.  Any other return values should be considered fatal.
-// TODO(rch): handle 407 proxy auth requested correctly, perhaps
-// by creating a new stream for the subsequent request.
 // TODO(rch): create a more appropriate error code to disambiguate
 // the HTTPS Proxy tunnel failure from an HTTP Proxy tunnel failure.
 int SpdyProxyClientSocket::Connect(const CompletionCallback& callback) {
   DCHECK(read_callback_.is_null());
   if (next_state_ == STATE_OPEN)
     return OK;
 
   DCHECK_EQ(STATE_DISCONNECTED, next_state_);
   next_state_ = STATE_GENERATE_AUTH_TOKEN;
 
@@ skipping 285 matching lines @@
   next_state_ = STATE_OPEN;
   if (net_log_.IsLoggingAllEvents()) {
     net_log_.AddEvent(
         NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
         make_scoped_refptr(new NetLogHttpResponseParameter(response_.headers)));
   }
 
   if (response_.headers->response_code() == 200) {
     return OK;
   } else if (response_.headers->response_code() == 407) {
-    return ERR_TUNNEL_CONNECTION_FAILED;
+    int rv = HandleAuthChallenge(auth_, &response_, net_log_);
+    if (rv != ERR_PROXY_AUTH_REQUESTED) {
+      return rv;
+    }
+    // SPDY only supports basic and digest auth
+    if (!auth_->auth_info() ||
+        (auth_->auth_info()->scheme != "basic" &&
+         auth_->auth_info()->scheme != "digest")) {
+      return ERR_PROXY_AUTH_UNSUPPORTED;
+    }
+    return ERR_PROXY_AUTH_REQUESTED;
   } else {
     // Immediately hand off our SpdyStream to a newly created SpdyHttpStream
     // so that any subsequent SpdyFrames are processed in the context of
     // the HttpStream, not the socket.
     DCHECK(spdy_stream_);
     SpdyStream* stream = spdy_stream_;
     spdy_stream_ = NULL;
     response_stream_.reset(new SpdyHttpStream(NULL, false));
     response_stream_->InitializeWithExistingStream(stream);
     next_state_ = STATE_DISCONNECTED;
@@ skipping 114 matching lines @@
   }
   // This may have been deleted by read_callback_, so check first.
   if (weak_ptr && !write_callback.is_null())
     write_callback.Run(ERR_CONNECTION_CLOSED);
 }
 
 void SpdyProxyClientSocket::set_chunk_callback(ChunkCallback* /*callback*/) {
 }
 
 }  // namespace net