OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ | 5 #ifndef NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ |
6 #define NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ | 6 #define NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/gtest_prod_util.h" | 10 #include "base/gtest_prod_util.h" |
11 #include "base/native_library.h" | 11 #include "base/native_library.h" |
| 12 #include "net/base/completion_callback.h" |
12 #include "net/base/net_export.h" | 13 #include "net/base/net_export.h" |
13 #include "net/http/http_auth.h" | 14 #include "net/http/http_auth.h" |
14 | 15 |
15 #if defined(OS_MACOSX) | 16 #if defined(OS_MACOSX) |
16 // The OSX 10.9+ SDKs mark the functions in Kereberos.framework as deprecated, | 17 // The OSX 10.9+ SDKs mark the functions in Kereberos.framework as deprecated, |
17 // so the warnings must be manually suppressed. | 18 // so the warnings must be manually suppressed. |
18 #if defined(MAC_OS_X_VERSION_10_9) && \ | 19 #if defined(MAC_OS_X_VERSION_10_9) && \ |
19 MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_9 | 20 MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_9 |
20 #define GSSKRB_APPLE_DEPRECATED(x) | 21 #define GSSKRB_APPLE_DEPRECATED(x) |
21 #endif | 22 #endif |
22 | 23 |
23 // Chrome supports OSX 10.6, which doesn't have access to GSS.framework. Chrome | 24 // Chrome supports OSX 10.6, which doesn't have access to GSS.framework. Chrome |
24 // always dlopens libgssapi_krb5.dylib, which is provided by | 25 // always dlopens libgssapi_krb5.dylib, which is provided by |
25 // Kerberos.framework. On OSX 10.7+ this is an ABI comptabile shim that loads | 26 // Kerberos.framework. On OSX 10.7+ this is an ABI compatible shim that loads |
26 // GSS.framework. | 27 // GSS.framework. |
27 #include <Kerberos/gssapi.h> | 28 #include <Kerberos/gssapi.h> |
28 #elif defined(OS_FREEBSD) | 29 #elif defined(OS_FREEBSD) |
29 #include <gssapi/gssapi.h> | 30 #include <gssapi/gssapi.h> |
30 #else | 31 #else |
31 #include <gssapi.h> | 32 #include <gssapi.h> |
32 #endif | 33 #endif |
33 | 34 |
34 namespace net { | 35 namespace net { |
35 | 36 |
(...skipping 199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
235 const std::string& scheme, | 236 const std::string& scheme, |
236 const gss_OID gss_oid); | 237 const gss_OID gss_oid); |
237 ~HttpAuthGSSAPI(); | 238 ~HttpAuthGSSAPI(); |
238 | 239 |
239 bool Init(); | 240 bool Init(); |
240 | 241 |
241 bool NeedsIdentity() const; | 242 bool NeedsIdentity() const; |
242 | 243 |
243 bool AllowsExplicitCredentials() const; | 244 bool AllowsExplicitCredentials() const; |
244 | 245 |
245 HttpAuth::AuthorizationResult ParseChallenge( | |
246 HttpAuthChallengeTokenizer* tok); | |
247 | |
248 // Generates an authentication token. | 246 // Generates an authentication token. |
249 // The return value is an error code. If it's not |OK|, the value of | 247 // |
| 248 // The return value is an error code. The authentication token will be |
| 249 // returned in |*auth_token|. If the result code is not |OK|, the value of |
250 // |*auth_token| is unspecified. | 250 // |*auth_token| is unspecified. |
| 251 // |
| 252 // If the operation cannot be completed synchronously, |ERR_IO_PENDING| will |
| 253 // be returned and the real result code will be passed to the completion |
| 254 // callback. Otherwise the result code is returned immediately from this |
| 255 // call. |
| 256 // |
| 257 // If the HttpAuthGSSAPI object is deleted before completion then the callback |
| 258 // will not be called. |
| 259 // |
| 260 // If no immediate result is returned then |auth_token| must remain valid |
| 261 // until the callback has been called. |
| 262 // |
251 // |spn| is the Service Principal Name of the server that the token is | 263 // |spn| is the Service Principal Name of the server that the token is |
252 // being generated for. | 264 // being generated for. |
| 265 // |
253 // If this is the first round of a multiple round scheme, credentials are | 266 // If this is the first round of a multiple round scheme, credentials are |
254 // obtained using |*credentials|. If |credentials| is NULL, the default | 267 // obtained using |*credentials|. If |credentials| is NULL, the default |
255 // credentials are used instead. | 268 // credentials are used instead. |
256 int GenerateAuthToken(const AuthCredentials* credentials, | 269 int GenerateAuthToken(const AuthCredentials* credentials, |
257 const std::string& spn, | 270 const std::string& spn, |
258 std::string* auth_token); | 271 std::string* auth_token, |
| 272 const CompletionCallback& callback); |
259 | 273 |
260 // Delegation is allowed on the Kerberos ticket. This allows certain servers | 274 // Delegation is allowed on the Kerberos ticket. This allows certain servers |
261 // to act as the user, such as an IIS server retrieiving data from a | 275 // to act as the user, such as an IIS server retrieving data from a |
262 // Kerberized MSSQL server. | 276 // Kerberized MSSQL server. |
263 void Delegate(); | 277 void Delegate(); |
| 278 void SetServerAuthToken(const std::string& encoded_auth_token, |
| 279 const std::string& decoded_auth_token) { |
| 280 decoded_server_auth_token_ = decoded_auth_token; |
| 281 } |
264 | 282 |
265 private: | 283 private: |
266 int GetNextSecurityToken(const std::string& spn, | 284 int GetNextSecurityToken(const std::string& spn, |
267 gss_buffer_t in_token, | 285 gss_buffer_t in_token, |
268 gss_buffer_t out_token); | 286 gss_buffer_t out_token); |
269 | 287 |
270 std::string scheme_; | 288 std::string scheme_; |
271 gss_OID gss_oid_; | 289 gss_OID gss_oid_; |
272 GSSAPILibrary* library_; | 290 GSSAPILibrary* library_; |
273 std::string decoded_server_auth_token_; | 291 std::string decoded_server_auth_token_; |
274 ScopedSecurityContext scoped_sec_context_; | 292 ScopedSecurityContext scoped_sec_context_; |
275 bool can_delegate_; | 293 bool can_delegate_; |
276 }; | 294 }; |
277 | 295 |
278 } // namespace net | 296 } // namespace net |
279 | 297 |
280 #endif // NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ | 298 #endif // NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_ |
OLD | NEW |