Support Kerberos on Android

net/android/http_android_auth_negotiate.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/android/http_android_auth_negotiate.h"
+
+#include "base/android/jni_android.h"
+#include "base/android/jni_string.h"
+#include "base/android/scoped_java_ref.h"
+#include "base/base64.h"
+#include "base/location.h"
+#include "base/logging.h"
+#include "base/message_loop/message_loop.h"
+#include "base/strings/string_util.h"
+#include "jni/HttpNegotiateAuthenticator_jni.h"
+#include "net/base/net_errors.h"
+#include "net/http/http_auth.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
+
+using base::android::AttachCurrentThread;
+using base::android::ConvertUTF8ToJavaString;
+using base::android::ConvertJavaStringToUTF8;
+using base::android::ScopedJavaLocalRef;
+
+namespace net {
+namespace android {
+
+AndroidAuthNegotiate::AndroidAuthNegotiate(const std::string& account_type,
+                                           const std::string& scheme)
+    : account_type_(account_type),
+      scheme_(scheme),
+      can_delegate_(false),
+      first_challenge_(true),
+      auth_token_(nullptr),
+      weak_factory_(this) {
+  DCHECK(!account_type.empty());
+  JNIEnv* env = AttachCurrentThread();
+  java_authenticator_.Reset(Java_HttpNegotiateAuthenticator_create(
+      env, reinterpret_cast<intptr_t>(this),
+      ConvertUTF8ToJavaString(env, account_type).obj()));
+}
+
+AndroidAuthNegotiate::~AndroidAuthNegotiate() {
+}
+
+bool AndroidAuthNegotiate::Init() {
+  return true;
+}
+
+bool AndroidAuthNegotiate::NeedsIdentity() const {
+  return false;
+}
+
+bool AndroidAuthNegotiate::AllowsExplicitCredentials() const {
+  return false;
+}
+
+HttpAuth::AuthorizationResult AndroidAuthNegotiate::ParseChallenge(
+    net::HttpAuthChallengeTokenizer* tok) {
+  // Verify the challenge's auth-scheme.

[cbentzel, 2015/06/11 20:51:43]

I wonder if this could be moved into a common function. Main concern is the
first_challenge_ state needing to be preserved. But we now have three very close
copies in HttpAuthGSSAPI and HttpAuthSSPI

[aberent, 2015/06/15 15:52:19]

Done, or more precisely, moved into http_auth_handler.cc and then refactored out
of existence. Please take a careful look at my changes to http_auth_handler.cc
to see if I have missed anything.

[aberent, 2015/06/15 16:57:47]

Realized that there are problems with my changes here. Please wait for next
patch set to review.

[aberent, 2015/06/19 15:06:24]

I have now made a second attempt at this. I have left the ParseChallenge
functions in the Authenticator classes, but have factored out the common code
into new, common functions. See http_auth_negotiate_parse...

+  if (!base::LowerCaseEqualsASCII(tok->scheme(),
+                                  base::StringToLowerASCII(scheme_).c_str()))
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+
+  std::string encoded_auth_token = tok->base64_param();
+  if (encoded_auth_token.empty()) {
+    if (!first_challenge_)
+      return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+    first_challenge_ = false;
+    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+  } else {
+    // If a context has not already been established, additional tokens should
+    // not be present in the auth challenge.
+    if (first_challenge_)
+      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  }
+  // Make sure the additional token is base64 encoded.
+  std::string decoded_auth_token;
+  bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
+  if (!base64_rv)
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  server_auth_token_ = encoded_auth_token;
+  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+}
+
+int AndroidAuthNegotiate::GenerateAuthToken(
+    const AuthCredentials* credentials,
+    const std::string& spn,
+    std::string* auth_token,
+    const net::CompletionCallback& callback) {
+  DCHECK(auth_token);
+  DCHECK(completion_callback_.is_null());
+  DCHECK(!callback.is_null());
+  auth_token_ = auth_token;
+  completion_callback_ = callback;
+  callback_task_runner_ = base::MessageLoop::current()->task_runner();
+  thread_safe_callback_ = base::Bind(&AndroidAuthNegotiate::SetResultInternal,
+                                     weak_factory_.GetWeakPtr());
+  JNIEnv* env = AttachCurrentThread();
+  ScopedJavaLocalRef<jstring> java_server_auth_token =
+      ConvertUTF8ToJavaString(env, server_auth_token_);
+  ScopedJavaLocalRef<jstring> java_spn = ConvertUTF8ToJavaString(env, spn);
+  ScopedJavaLocalRef<jstring> java_account_type =
+      ConvertUTF8ToJavaString(env, account_type_);
+  bool result = Java_HttpNegotiateAuthenticator_getNextAuthToken(
+      env, java_authenticator_.obj(), java_spn.obj(),
+      java_server_auth_token.obj(), can_delegate_);
+  return result ? ERR_IO_PENDING : ERR_INVALID_AUTH_CREDENTIALS;
+}
+
+void AndroidAuthNegotiate::Delegate() {
+  can_delegate_ = true;
+}
+
+void AndroidAuthNegotiate::SetResultInternal(bool result,
+                                             std::string raw_token) {
+  DCHECK(auth_token_);
+  DCHECK(!completion_callback_.is_null());
+  if (result)
+    *auth_token_ = scheme_ + " " + raw_token;
+  completion_callback_.Run(result ? OK : ERR_INVALID_AUTH_CREDENTIALS);
+  completion_callback_.Reset();
+}
+
+void AndroidAuthNegotiate::SetResult(JNIEnv* env,
+                                     jobject obj,
+                                     bool result,
+                                     jstring token) {
+  // This will be called on the UI thread, so we have to post a task back to the
+  // correct thread to actually save the result
+  std::string raw_token = ConvertJavaStringToUTF8(env, token);
+  callback_task_runner_->PostTask(
+      FROM_HERE, base::Bind(thread_safe_callback_, result, raw_token));
+}
+
+bool AndroidAuthNegotiate::Register(JNIEnv* env) {
+  return RegisterNativesImpl(env);
+}
+
+}  // namespace android
+}  // namespace net