Support Kerberos on Android

net/android/http_android_auth_negotiate.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_
+#define NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_
+
+#include <jni.h>
+#include <string>
+
+#include "base/android/jni_android.h"
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/task_runner.h"
+#include "net/base/completion_callback.h"
+#include "net/http/http_auth.h"
+
+namespace net {
+
+class HttpAuthChallengeTokenizer;
+
+namespace android {
+
+class NET_EXPORT_PRIVATE AndroidAuthNegotiate {

[cbentzel, 2015/06/11 20:51:43]

This should probably be named HttpAuthAndroidNegotiate or similar to make
consistent naming-wise with HttpAuthSSPI and HttpAuthGSSAPI

[aberent, 2015/06/15 15:52:19]

Actually we almost seem to always put the "Android" at the beginning or the end,
so HttpAuthNegotiateAndroid.

+ public:
+  AndroidAuthNegotiate(const std::string& account_type,
+                       const std::string& scheme);

[cbentzel, 2015/06/11 20:51:43]

scheme isn't needed here because this is only being used for Negotiate and not
Negotiate+NTLM. Ditto for scheme_ inside the class.

[aberent, 2015/06/15 15:52:19]

Done.

+  ~AndroidAuthNegotiate();
+  bool Init();
+
+  bool NeedsIdentity() const;
+
+  bool AllowsExplicitCredentials() const;
+
+  HttpAuth::AuthorizationResult ParseChallenge(
+      net::HttpAuthChallengeTokenizer* tok);
+
+  // Generates an authentication token.
+  //
+  // The return value is an error code. The authentication token will be
+  // returned in |*auth_token|. If the result code not |OK|, the value of
+  // |*auth_token| is unspecified.
+  //
+  // If the operation cannot be completed synchronously, |ERR_IO_PENDING| will
+  // be returned and the real result code will be passed to the completion
+  // callback.  Otherwise the result code is returned immediately from this
+  // call.
+  //
+  // If the AndroidAuthNegotiate object is deleted before completion then the
+  // callback will not be called.
+  //
+  // If no immediate result is returned then |auth_token| must remain valid
+  // until the callback has been called.
+  //
+  // |spn| is the Service Principal Name of the server that the token is
+  // being generated for.
+  //
+  // If this is the first round of a multiple round scheme, credentials are
+  // obtained using |*credentials|. If |credentials| is NULL, the default
+  // credentials are used instead.
+  int GenerateAuthToken(const AuthCredentials* credentials,
+                        const std::string& spn,
+                        std::string* auth_token,
+                        const net::CompletionCallback& callback);
+
+  // Delegation is allowed on the Kerberos ticket. This allows certain servers
+  // to act as the user, such as an IIS server retrieving data from a
+  // Kerberized MSSQL server.
+  void Delegate();
+  void SetResult(JNIEnv* env, jobject obj, bool result, jstring token);
+  static bool Register(JNIEnv* env);
+
+ private:
+  void SetResultInternal(bool result, std::string token);

[cbentzel, 2015/06/11 20:51:43]

const std::string& 

[aberent, 2015/06/15 15:52:19]

Done.

+
+  std::string account_type_;
+  std::string scheme_;
+  bool can_delegate_;
+  bool first_challenge_;
+  std::string server_auth_token_;
+  std::string* auth_token_;
+  base::android::ScopedJavaGlobalRef<jobject> java_authenticator_;
+  net::CompletionCallback completion_callback_;
+  scoped_refptr<base::TaskRunner> callback_task_runner_;
+  base::Callback<void(bool, std::string)> thread_safe_callback_;
+
+  base::WeakPtrFactory<AndroidAuthNegotiate> weak_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(AndroidAuthNegotiate);
+};
+
+}  // namespace android
+}  // namespace net
+
+#endif  // NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_