Support Kerberos on Android

net/android/http_android_auth_negotiate.cc

Index: net/android/http_android_auth_negotiate.cc
diff --git a/net/android/http_android_auth_negotiate.cc b/net/android/http_android_auth_negotiate.cc
new file mode 100644
index 0000000000000000000000000000000000000000..5f8cfefc875dd3720f9cd1d5272e4f33a9a65c23
--- /dev/null
+++ b/net/android/http_android_auth_negotiate.cc
@@ -0,0 +1,120 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/android/http_android_auth_negotiate.h"
+
+#include "base/android/jni_android.h"
+#include "base/android/jni_string.h"
+#include "base/android/scoped_java_ref.h"
+#include "base/base64.h"
+#include "base/strings/string_util.h"
+
+#include "jni/HttpNegotiateAuthenticator_jni.h"

[Bernhard Bauer, 2015/05/15 15:06:16]

The generated JNI include usually goes at the end.

[aberent, 2015/05/18 13:45:27]

The pre-submit checks complain if I move it.

[Bernhard Bauer, 2015/05/18 15:11:53]

Hm, in that case let's remove the empty lines. Either this is a regular include
and gets treated like any other include, or it's not.

[aberent, 2015/05/18 17:07:30]

Done.

+
+#include "net/base/net_errors.h"
+#include "net/http/http_auth.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
+
+using base::android::AttachCurrentThread;
+using base::android::ConvertUTF8ToJavaString;
+using base::android::ConvertJavaStringToUTF8;
+using base::android::ScopedJavaLocalRef;
+
+namespace net {
+namespace android {
+
+AndroidAuthNegotiate::AndroidAuthNegotiate(const std::string& account_type,
+                                           const std::string& scheme)
+    : account_type_(account_type),

[Bernhard Bauer, 2015/05/15 15:06:16]

Would it make sense to pass the account type to the Java class right at
initialization?

[aberent, 2015/05/18 13:45:27]

Done.

+      scheme_(scheme),
+      can_delegate_(false),
+      first_challenge_(true),
+      server_auth_token_(""),

[Bernhard Bauer, 2015/05/15 15:06:16]

You don't need an explicit initializer.

[aberent, 2015/05/18 13:45:27]

Done.

+      java_authenticator_(Java_HttpNegotiateAuthenticator_create(
+          AttachCurrentThread(),
+          reinterpret_cast<intptr_t>(this))) {
+}
+
+AndroidAuthNegotiate::~AndroidAuthNegotiate() {
+}
+
+bool AndroidAuthNegotiate::Init() {
+  return !account_type_.empty();
+}
+
+bool AndroidAuthNegotiate::NeedsIdentity() const {
+  return false;
+}
+
+bool AndroidAuthNegotiate::AllowsExplicitCredentials() const {
+  return false;
+}
+
+HttpAuth::AuthorizationResult AndroidAuthNegotiate::ParseChallenge(
+    net::HttpAuthChallengeTokenizer* tok) {
+  // Verify the challenge's auth-scheme.
+  if (!LowerCaseEqualsASCII(tok->scheme(),
+                            base::StringToLowerASCII(scheme_).c_str()))
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+
+  std::string encoded_auth_token = tok->base64_param();
+  if (encoded_auth_token.empty()) {
+    if (!first_challenge_) {
+      return HttpAuth::AUTHORIZATION_RESULT_REJECT;

[Bernhard Bauer, 2015/05/15 15:06:16]

Nit: No braces.

[aberent, 2015/05/18 13:45:27]

Done.

+    }
+    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+  } else {
+    // If a context has not already been established, additional tokens should
+    // not be present in the auth challenge.
+    if (first_challenge_)
+      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  }
+  // Make sure the additional token is base64 encoded.
+  std::string decoded_auth_token;
+  bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
+  if (!base64_rv)
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  server_auth_token_ = encoded_auth_token;
+  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+}
+
+int AndroidAuthNegotiate::GenerateAuthToken(
+    const AuthCredentials* credentials,
+    const std::string& spn,
+    std::string* auth_token,
+    const net::CompletionCallback& callback) {
+  DCHECK(auth_token);
+  auth_token_ = auth_token;
+  completion_callback_ = callback;
+  JNIEnv* env = AttachCurrentThread();
+  ScopedJavaLocalRef<jstring> java_server_auth_token =
+      ConvertUTF8ToJavaString(env, server_auth_token_);
+  ScopedJavaLocalRef<jstring> java_spn = ConvertUTF8ToJavaString(env, spn);
+  ScopedJavaLocalRef<jstring> java_account_type =
+      ConvertUTF8ToJavaString(env, account_type_);
+  bool result = Java_HttpNegotiateAuthenticator_getNextAuthToken(
+      env, java_authenticator_.obj(), java_account_type.obj(), java_spn.obj(),
+      java_server_auth_token.obj());
+  return result ? ERR_IO_PENDING : ERR_INVALID_AUTH_CREDENTIALS;
+}
+
+void AndroidAuthNegotiate::Delegate() {
+  can_delegate_ = true;
+}
+
+void AndroidAuthNegotiate::SetResult(JNIEnv* env,
+                                     jobject obj,
+                                     bool result,
+                                     jstring token) {
+  if (result)
+    *auth_token_ = ConvertJavaStringToUTF8(env, token);
+  completion_callback_.Run(result);
+}
+
+bool RegisterHttpNegotiateAuthenticator(JNIEnv* env) {
+  return RegisterNativesImpl(env);
+}
+
+}  // namespace android
+}  // namespace net