
Unified Diff: net/http/http_auth_handler_negotiate.cc

Issue 1128043007: Support Kerberos on Android (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Handle review comments Created 5 years, 6 months ago
Index: net/http/http_auth_handler_negotiate.cc
diff --git a/net/http/http_auth_handler_negotiate.cc b/net/http/http_auth_handler_negotiate.cc
index 422ddd729a27cf4dc9c24198c4dc30e0087cd60c..0a3f2a55876c6ef026acee1e291139e05ab2d0cf 100644
--- a/net/http/http_auth_handler_negotiate.cc
+++ b/net/http/http_auth_handler_negotiate.cc
@@ -4,14 +4,17 @@
#include "net/http/http_auth_handler_negotiate.h"
+#include "base/base64.h"
#include "base/bind.h"
#include "base/bind_helpers.h"
#include "base/logging.h"
+#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "net/base/address_family.h"
#include "net/base/net_errors.h"
#include "net/dns/host_resolver.h"
#include "net/dns/single_request_host_resolver.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
#include "net/http/http_auth_filter.h"
#include "net/http/url_security_manager.h"
@@ -65,6 +68,19 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
return OK;
+#elif defined(OS_ANDROID)
+ if (is_unsupported_ || account_type_.empty())
+ return ERR_UNSUPPORTED_AUTH_SCHEME;
+ // TODO(ahendrickson): Move towards model of parsing in the factory
+ // method and only constructing when valid.
Ryan Sleevi 2015/06/16 01:07:47 This looks like you just copy-pasted the TODO from
aberent 2015/06/19 15:06:25 Actually copied it from 91/92, but happy to switch
+ scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate(
+ account_type_, url_security_manager(), resolver_, disable_cname_lookup_,
+ use_port_));
+ if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
+ return ERR_INVALID_RESPONSE;
+ handler->swap(tmp_handler);
+ return OK;
+
#elif defined(OS_POSIX)
if (is_unsupported_)
return ERR_UNSUPPORTED_AUTH_SCHEME;
@@ -72,7 +88,7 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
is_unsupported_ = true;
return ERR_UNSUPPORTED_AUTH_SCHEME;
}
- // TODO(ahendrickson): Move towards model of parsing in the factory
+ // TODO(ahendrickHson): Move towards model of parsing in the factory
Bernhard Bauer 2015/06/15 16:43:11 Nit: Capital H snuck in here somehow :)
aberent 2015/06/19 15:06:24 Done.
// method and only constructing when valid.
scoped_ptr<HttpAuthHandler> tmp_handler(
new HttpAuthHandlerNegotiate(auth_library_.get(), url_security_manager(),
@@ -86,7 +102,12 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
}
HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
+#if defined(OS_ANDROID)
+ std::string account_type,
+#endif
+#if defined(OS_WIN) || (defined(OS_POSIX) && !defined(OS_ANDROID))
AuthLibrary* auth_library,
+#endif
#if defined(OS_WIN)
ULONG max_token_length,
#endif
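Review bot: `std::string account_type` is taken by value in the Android-only parameter and, going by the initializer list in the next hunk, is then copied again into `auth_system_`. Declaring it as `const std::string& account_type,` would avoid the extra copy. The constructor's parameter list and body continue outside this hunk, and the declaration in the header would need the same change.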
@@ -94,7 +115,9 @@ HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
HostResolver* resolver,
bool disable_cname_lookup,
bool use_port)
-#if defined(OS_WIN)
+#if defined(OS_ANDROID)
+ : auth_system_(account_type),
+#elif defined(OS_WIN)
: auth_system_(auth_library, "Negotiate", NEGOSSP_NAME, max_token_length),
#elif defined(OS_POSIX)
: auth_system_(auth_library, "Negotiate", CHROME_GSS_SPNEGO_MECH_OID_DESC),
@@ -162,7 +185,21 @@ std::string HttpAuthHandlerNegotiate::CreateSPN(
HttpAuth::AuthorizationResult HttpAuthHandlerNegotiate::HandleAnotherChallenge(
HttpAuthChallengeTokenizer* challenge) {
- return auth_system_.ParseChallenge(challenge);
+ // Verify the challenge's auth-scheme.
+ if (!base::LowerCaseEqualsASCII(challenge->scheme(), "negotiate"))
Ryan Sleevi 2015/06/16 01:07:47 DANGER: It's worth noting here that there isn't a
aberent 2015/06/19 15:06:25 Note that there is substantial refactoring of this
+ return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+
+ std::string encoded_auth_token = challenge->base64_param();
+ if (encoded_auth_token.empty()) {
+ return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+ }
Ryan Sleevi 2015/06/16 01:07:47 Consistent with lines 189/190 and 199/200 (and rea
aberent 2015/06/19 15:06:25 Done.
+ // Make sure the additional token is base64 encoded.
+ std::string decoded_auth_token;
+ bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
+ if (!base64_rv)
Ryan Sleevi 2015/06/16 01:07:47 Does not seem like there's any reason to use a tem
aberent 2015/06/19 15:06:24 Done.
+ return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+ auth_system_.SetServerAuthToken(encoded_auth_token, decoded_auth_token);
+ return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
}
// Require identity on first pass instead of second.
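Review bot: The result codes in the new `HandleAnotherChallenge` body are not explained: an empty token yields `AUTHORIZATION_RESULT_REJECT`, while a wrong scheme or an undecodable token yields `AUTHORIZATION_RESULT_INVALID`. If the intent is what it appears to be, a comment above the empty check would record it, e.g. `// No token on a follow-up challenge: the server did not accept the previous response.` The token is server-supplied and reaches `auth_system_.SetServerAuthToken()` with base64 validity as the only check visible in this hunk. If its length is bounded elsewhere, a comment naming that place would help, because the Android back end is not visible here.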
@@ -202,9 +239,9 @@ bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) {
auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE;
score_ = 4;
properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
- HttpAuth::AuthorizationResult auth_result =
- auth_system_.ParseChallenge(challenge);
- return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT);
+ if (!base::LowerCaseEqualsASCII(challenge->scheme(), "negotiate"))
+ return false;
+ return challenge->base64_param().empty();
}
int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl(
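Review bot: `return challenge->base64_param().empty();` at the end of `Init` makes the handler refuse an initial challenge that already carries a token, but nothing says why. A one-line comment would document the rule, e.g. `// The first challenge must be a bare "Negotiate"; a token here would continue a context this handler never started.` Separately, `auth_scheme_`, `score_` and `properties_` are assigned on the context lines before either check runs, so a refused challenge still leaves them set. That ordering looks pre-existing, and the start of `Init` is outside the hunk.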
@@ -315,8 +352,10 @@ int HttpAuthHandlerNegotiate::DoResolveCanonicalNameComplete(int rv) {
int HttpAuthHandlerNegotiate::DoGenerateAuthToken() {
next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE;
AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL;
- // TODO(cbentzel): This should possibly be done async.
- return auth_system_.GenerateAuthToken(credentials, spn_, auth_token_);
+ return auth_system_.GenerateAuthToken(
+ credentials, spn_, auth_token_,
+ base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete,
+ base::Unretained(this)));
}
int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) {
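Review bot: `base::Unretained(this)` in the callback passed to `auth_system_.GenerateAuthToken()` is safe only if the callback can never run after this handler is destroyed, and the hunk does not show what guarantees that. If `auth_system_` is a member that drops its pending callback on destruction, state that above the bind, e.g. `// Unretained is safe: auth_system_ is owned by |this| and cancels the callback when destroyed.` (to be confirmed against the Android implementation). Otherwise bind through a weak pointer, so that a late completion becomes a no-op instead of touching freed memory. The now-asynchronous call presumably returns ERR_IO_PENDING, and its handling in the state machine lies outside this hunk.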
