Support Kerberos on Android

net/android/http_auth_negotiate_android.h

Index: net/android/http_auth_negotiate_android.h
diff --git a/net/android/http_auth_negotiate_android.h b/net/android/http_auth_negotiate_android.h
new file mode 100644
index 0000000000000000000000000000000000000000..24b2c245324284da0969c8ab341f38d529da8511
--- /dev/null
+++ b/net/android/http_auth_negotiate_android.h
@@ -0,0 +1,97 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_ANDROID_HTTP_AUTH_NEGOTIATE_ANDROID_H_
+#define NET_ANDROID_HTTP_AUTH_NEGOTIATE_ANDROID_H_
+
+#include <jni.h>
+#include <string>
+
+#include "base/android/jni_android.h"
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/task_runner.h"

[Ryan Sleevi, 2015/06/16 01:07:46]

You can forward declare this

[aberent, 2015/06/19 15:06:24]

Done.

+#include "net/base/completion_callback.h"
+#include "net/http/http_auth.h"
+
+namespace net {
+
+class HttpAuthChallengeTokenizer;
+
+namespace android {
+
+class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid {

[Ryan Sleevi, 2015/06/16 01:07:46]

Could you comment this class?

[aberent, 2015/06/19 15:06:24]

Done.

+ public:
+  HttpAuthNegotiateAndroid(const std::string& account_type);

[Ryan Sleevi, 2015/06/16 01:07:46]

Could you document this constructor?

[aberent, 2015/06/19 15:06:24]

Done.

+  ~HttpAuthNegotiateAndroid();
+  bool Init();

[Ryan Sleevi, 2015/06/16 01:07:46]

Could you add a newline between 29/30

And document what these methods do?

[aberent, 2015/06/19 15:06:24]

Done.

+
+  bool NeedsIdentity() const;
+
+  bool AllowsExplicitCredentials() const;
+
+  // Generates an authentication token.
+  //
+  // The return value is an error code. The authentication token will be
+  // returned in |*auth_token|. If the result code not |OK|, the value of
+  // |*auth_token| is unspecified.
+  //
+  // If the operation cannot be completed synchronously, |ERR_IO_PENDING| will
+  // be returned and the real result code will be passed to the completion
+  // callback.  Otherwise the result code is returned immediately from this
+  // call.
+  //
+  // If the AndroidAuthNegotiate object is deleted before completion then the
+  // callback will not be called.
+  //
+  // If no immediate result is returned then |auth_token| must remain valid
+  // until the callback has been called.
+  //
+  // |spn| is the Service Principal Name of the server that the token is
+  // being generated for.
+  //
+  // If this is the first round of a multiple round scheme, credentials are
+  // obtained using |*credentials|. If |credentials| is NULL, the default
+  // credentials are used instead.
+  int GenerateAuthToken(const AuthCredentials* credentials,
+                        const std::string& spn,
+                        std::string* auth_token,
+                        const net::CompletionCallback& callback);
+
+  // Delegation is allowed on the Kerberos ticket. This allows certain servers
+  // to act as the user, such as an IIS server retrieving data from a
+  // Kerberized MSSQL server.
+  void Delegate();

[Ryan Sleevi, 2015/06/16 01:07:46]

The naming of this is weird, especially when this mutates state. Should this be
SetDelegationAllowed()? Something more expressive?

And it's unclear why you inlined 70-73 but not this method, which is
substantially cheaper.

[aberent, 2015/06/19 15:06:24]

The naming of the members of this class has to match that of the existing
classes for the other OSs, e.g. HttpAuthGSSAPI, so that common code can use all
of these.

I also think the inlining of 70-73 was a mistake, and have removed it (none of
this is performance critical, so the code is cleaner without inlining).

Actually, for other reasons, SetServerAuthToken is no longer needed and has been
removed.

+  void SetResult(JNIEnv* env, jobject obj, bool result, jstring token);
+  static bool Register(JNIEnv* env);

[Ryan Sleevi, 2015/06/16 01:07:46]

Most of the code in Android I've seen makes this the first publicly declared
member.

They've also split up registration from implementation / JNI callbacks.

[aberent, 2015/06/19 15:06:24]

Done.
Not clear what you mean by this.

+  void SetServerAuthToken(const std::string& encoded_auth_token,
+                          const std::string& decoded_auth_token) {
+    server_auth_token_ = encoded_auth_token;
+  }
+
+ private:
+  void SetResultInternal(bool result, const std::string& token);
+
+  std::string account_type_;
+  std::string scheme_;
+  bool can_delegate_;
+  bool first_challenge_;
+  std::string server_auth_token_;
+  std::string* auth_token_;
+  base::android::ScopedJavaGlobalRef<jobject> java_authenticator_;
+  net::CompletionCallback completion_callback_;
+  scoped_refptr<base::TaskRunner> callback_task_runner_;
+  base::Callback<void(bool, const std::string&)> thread_safe_callback_;
+
+  base::WeakPtrFactory<HttpAuthNegotiateAndroid> weak_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(HttpAuthNegotiateAndroid);
+};
+
+}  // namespace android
+}  // namespace net
+
+#endif  // NET_ANDROID_HTTP_AUTH_NEGOTIATE_ANDROID_H_