Support Kerberos on Android

net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.net.test;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.accounts.AuthenticatorException;
+import android.accounts.NetworkErrorException;
+import android.accounts.OperationCanceledException;
+import android.app.Activity;
+import android.content.Context;
+import android.os.Bundle;
+
+import org.chromium.base.ApplicationStatus;
+import org.chromium.base.CalledByNative;
+import org.chromium.net.HttpNegotiateConstants;
+
+import java.io.IOException;
+
+/**
+ * Dummy Android authenticator, to test SPNEGO/Keberos support on Android. This is deliberately
+ * minimal, and is not intended as an example of how to write a real SPNEGO Authenticator.
+ */
+public class DummySpnegoAuthenticator extends AbstractAccountAuthenticator {
+    private static final String ACCOUNT_TYPE = "org.chromium.test.DummySpnegoAuthenticator";
+    private static final String ACCOUNT_NAME = "DummySpnegoAccount";
+    private static int sResult;
+    private static String sToken;
+    private static final int GSS_S_COMPLETE = 0;
+    private static final int GSS_S_FAILURE = 2;
+
+    /**
+     * @param context
+     */
+    public DummySpnegoAuthenticator(Context context) {
+        super(context);
+    }
+
+    @Override
+    public Bundle addAccount(AccountAuthenticatorResponse arg0, String accountType, String arg2,
+            String[] arg3, Bundle arg4) throws NetworkErrorException {
+        Bundle result = new Bundle();
+        result.putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_BAD_REQUEST);
+        result.putString(AccountManager.KEY_ERROR_MESSAGE, "Can't add new SPNEGO accounts");
+        return result;
+    }
+
+    @Override
+    public Bundle confirmCredentials(AccountAuthenticatorResponse arg0, Account arg1, Bundle arg2)
+            throws NetworkErrorException {
+        Bundle result = new Bundle();
+        result.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, true);
+        return result;
+    }
+
+    @Override
+    public Bundle editProperties(AccountAuthenticatorResponse arg0, String arg1) {
+        return new Bundle();
+    }
+
+    @Override
+    public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
+            String authTokenType, Bundle options) throws NetworkErrorException {
+        Bundle result = new Bundle();
+        result.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
+        result.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
+        result.putString(AccountManager.KEY_AUTHTOKEN, sToken);
+        result.putInt(HttpNegotiateConstants.KEY_SPNEGO_RESULT, sResult);

[cbentzel, 2015/06/30 12:53:55]

Should this also be providing a SPNEGO_CONTEXT, with expectations set up
elsewhere?

[aberent, 2015/07/02 21:13:37]

We could do; however SPNEGO context handling is, I think, adequately tested by
the Junit test, and, as far as I can see, none of the existing platform
independent Negotiate tests have any sensitivity to the SPNEGO context. As such
adding it here seems an unnecessary complication.

[cbentzel, 2015/07/08 18:27:11]

Acknowledged.

+        return result;
+    }
+
+    @Override
+    public String getAuthTokenLabel(String arg0) {
+        return "Spnego " + arg0;
+    }
+
+    @Override
+    public Bundle hasFeatures(AccountAuthenticatorResponse arg0, Account arg1, String[] features)
+            throws NetworkErrorException {
+        Bundle result = new Bundle();
+        for (String feature : features) {
+            if (!feature.equals(HttpNegotiateConstants.SPNEGO_FEATURE)) {
+                result.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, false);
+                return result;
+            }
+        }
+        result.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, true);
+        return result;
+    }
+
+    @Override
+    public Bundle updateCredentials(AccountAuthenticatorResponse arg0, Account arg1, String arg2,
+            Bundle arg3) throws NetworkErrorException {
+        Bundle result = new Bundle();
+        result.putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_BAD_REQUEST);
+        result.putString(AccountManager.KEY_ERROR_MESSAGE, "Can't add new SPNEGO accounts");
+        return result;
+    }
+
+    /**
+     * Called from tests, sets up the test account, if it doesn't already exist
+     */
+    @CalledByNative
+    private static void ensureTestAccountExists() {
+        Activity activity = ApplicationStatus.getLastTrackedFocusedActivity();
+        AccountManager am = AccountManager.get(activity);
+        Account account = new Account(ACCOUNT_NAME, ACCOUNT_TYPE);
+        am.addAccountExplicitly(account, null, null);
+    }
+
+    /**
+     * Called from tests to tidy up test accounts.
+     */
+    @SuppressWarnings("deprecation")

[cbentzel, 2015/06/30 12:53:55]

why was this @SuppressWarnings needed? Is it due to the comment below about
am.removeAccount? If so, is there another workaround?

[aberent, 2015/07/02 21:13:37]

Yes. It is for removeAccount. I don't know of a cleaner workaround. There are
only three functions for removing accounts in AccountManager, two were added in
API level 22, and the third is deprecated (see
http://developer.android.com/reference/android/accounts/AccountManager.html). We
could, of course, test the API level, but that is messy, and I think we would
still need the @SuppressWarnings for the old version of removeAccount since
testing the API level is a runtime test.

There doesn't seem to be an Android support library version of AccountManager,
which would often be the solution to such problems on Android

+    @CalledByNative
+    private static void removeTestAccounts() {
+        Activity activity = ApplicationStatus.getLastTrackedFocusedActivity();
+        AccountManager am = AccountManager.get(activity);
+        String features[] = {HttpNegotiateConstants.SPNEGO_FEATURE};
+        try {
+            Account accounts[] =
+                    am.getAccountsByTypeAndFeatures(ACCOUNT_TYPE, features, null, null).getResult();
+            for (Account account : accounts) {
+                // Deprecated, but the replacement not available on Android JB.
+                am.removeAccount(account, null, null).getResult();
+            }
+        } catch (OperationCanceledException | AuthenticatorException | IOException e) {
+            // Should never happen. This is tidy-up after the tests. Ignore.
+        }
+    }
+
+    /**
+     * Called from tests to set the result that should be returned from the next call to
+     * getAuthToken.
+     * @param gssApiResult The GSSAPI result.
+     * @param token The token to return.
+     */
+    @CalledByNative
+    private static void setNextResult(int gssApiResult, String token) {
+        // This only handles the result values currently used in the tests.
+        switch (gssApiResult) {
+            case GSS_S_COMPLETE:
+                sResult = 0;
+                break;
+            case GSS_S_FAILURE:
+                sResult = HttpNegotiateConstants.ERR_MISSING_AUTH_CREDENTIALS;
+                break;
+            default:
+                sResult = HttpNegotiateConstants.ERR_UNEXPECTED;
+                break;
+        }
+        sToken = token;
+    }
+}