Support Kerberos on Android

net/android/java/src/org/chromium/net/HttpNegotiateAuthenticator.java

Index: net/android/java/src/org/chromium/net/HttpNegotiateAuthenticator.java
diff --git a/net/android/java/src/org/chromium/net/HttpNegotiateAuthenticator.java b/net/android/java/src/org/chromium/net/HttpNegotiateAuthenticator.java
new file mode 100644
index 0000000000000000000000000000000000000000..4cf160f7e0463aacdfd05b8e2ee33f60f0ec254f
--- /dev/null
+++ b/net/android/java/src/org/chromium/net/HttpNegotiateAuthenticator.java
@@ -0,0 +1,137 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.net;
+
+import android.accounts.AccountManager;
+import android.accounts.AccountManagerCallback;
+import android.accounts.AccountManagerFuture;
+import android.accounts.AuthenticatorException;
+import android.accounts.OperationCanceledException;
+import android.app.Activity;
+import android.os.Bundle;
+import android.os.Handler;
+
+import org.chromium.base.ApplicationStatus;
+import org.chromium.base.CalledByNative;
+import org.chromium.base.JNINamespace;
+import org.chromium.base.ThreadUtils;
+import org.chromium.base.VisibleForTesting;
+
+import java.io.IOException;
+
+/**
+ * Class to get Auth Tokens for HTTP Negotiate authentication (typically used for Kerberos) An
+ * instance of this class is created for each separate negotiation.
+ */
+@JNINamespace("net::android")
+public class HttpNegotiateAuthenticator {
+    private Bundle mSpnegoContext = null;
+    private final String mAccountType;
+    private AccountManagerFuture<Bundle> mFuture;
+
+    private HttpNegotiateAuthenticator(String accountType) {
+        assert !android.text.TextUtils.isEmpty(accountType);
+        mAccountType = accountType;
+    }
+
+    /**
+     * @param nativeObject The corresponding HttpAuthNegotiateAndroid C++ object

[cbentzel, 2015/06/30 12:53:55]

nativeObject is not passed in.

[aberent, 2015/07/02 21:13:35]

Done.

+     * @param accountType The Android account type to use.
+     */
+    @VisibleForTesting
+    @CalledByNative
+    static HttpNegotiateAuthenticator create(String accountType) {
+        return new HttpNegotiateAuthenticator(accountType);
+    }
+
+    /**
+     * @param principal The principal (must be host based).
+     * @param authToken The previous auth token, if any.
+     * @return false for immediate failure, true otherwise.
+     */
+    @VisibleForTesting
+    @CalledByNative
+    void getNextAuthToken(final long nativeResultObject, final String principal, String authToken,
+            boolean canDelegate) {
+        assert principal != null;
+        String authTokenType = HttpNegotiateConstants.SPNEGO_TOKEN_TYPE_BASE + principal;
+        Activity activity = ApplicationStatus.getLastTrackedFocusedActivity();
+        if (activity == null) {
+            nativeSetResult(nativeResultObject, NetError.ERR_UNEXPECTED, null);
+            return;
+        }
+        AccountManager am = AccountManager.get(activity);
+        String features[] = {HttpNegotiateConstants.SPNEGO_FEATURE};
+
+        Bundle options = new Bundle();
+
+        if (authToken != null) {
+            options.putString(HttpNegotiateConstants.KEY_INCOMING_AUTH_TOKEN, authToken);
+        }
+        if (mSpnegoContext != null) {
+            options.putBundle(HttpNegotiateConstants.KEY_SPNEGO_CONTEXT, mSpnegoContext);
+        }
+        options.putBoolean(HttpNegotiateConstants.KEY_CAN_DELEGATE, canDelegate);
+
+        mFuture = am.getAuthTokenByFeatures(mAccountType, authTokenType, features, activity, null,
+                options, new AccountManagerCallback<Bundle>() {
+
+                    @Override
+                    public void run(AccountManagerFuture<Bundle> future) {
+                        try {
+                            Bundle result = future.getResult();
+                            mSpnegoContext =

[cbentzel, 2015/06/30 12:53:55]

Do you know if this gets cleared when KEY_SPNEGO_RESULT is an error?

[aberent, 2015/07/02 21:13:35]

I don't, it depends on the Keberos authenication app, however I don't think we
care. Every negotiation creates a new instance of this class, and I don't think
the negotiation ever continues after an error. As such, if it isn't cleared, it
will freed by normal Java garbage collection.

+                                    result.getBundle(HttpNegotiateConstants.KEY_SPNEGO_CONTEXT);
+                            int status;
+                            switch (result.getInt(HttpNegotiateConstants.KEY_SPNEGO_RESULT)) {

[cbentzel, 2015/06/30 12:53:55]

This will go to OK if KEY_SPNEGO_RESULT is not present - is that intended, or
should that be treated as an error?

[aberent, 2015/07/02 21:13:35]

Done. Changed to return ERR_UNEXPECTED.

+                                case HttpNegotiateConstants.OK:
+                                    status = 0;
+                                    break;
+                                case HttpNegotiateConstants.ERR_UNEXPECTED:
+                                    status = NetError.ERR_UNEXPECTED;
+                                    break;
+                                case HttpNegotiateConstants.ERR_ABORTED:
+                                    status = NetError.ERR_ABORTED;
+                                    break;
+                                case HttpNegotiateConstants.ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS:
+                                    status = NetError.ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
+                                    break;
+                                case HttpNegotiateConstants.ERR_INVALID_RESPONSE:
+                                    status = NetError.ERR_INVALID_RESPONSE;
+                                    break;
+                                case HttpNegotiateConstants.ERR_INVALID_AUTH_CREDENTIALS:
+                                    status = NetError.ERR_INVALID_AUTH_CREDENTIALS;
+                                    break;
+                                case HttpNegotiateConstants.ERR_UNSUPPORTED_AUTH_SCHEME:
+                                    status = NetError.ERR_UNSUPPORTED_AUTH_SCHEME;
+                                    break;
+                                case HttpNegotiateConstants.ERR_MISSING_AUTH_CREDENTIALS:
+                                    status = NetError.ERR_MISSING_AUTH_CREDENTIALS;
+                                    break;
+                                case HttpNegotiateConstants
+                                        .ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS:
+                                    status = NetError.ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS;
+                                    break;
+                                case HttpNegotiateConstants.ERR_MALFORMED_IDENTITY:
+                                    status = NetError.ERR_MALFORMED_IDENTITY;
+                                    break;
+                                default:
+                                    status = NetError.ERR_UNEXPECTED;
+                            }
+                            nativeSetResult(nativeResultObject, status,
+                                    result.getString(AccountManager.KEY_AUTHTOKEN));

[cbentzel, 2015/06/30 12:53:55]

What happens when KEY_AUTHTOKEN is called for non-OK status codes? Does it have
defined behavior?

[aberent, 2015/07/02 21:13:35]

The value returned will be whatever the Kerberos Authentication app set for this
key, or NULL if it didn't set anything for this key. Either way it will be
ignored on the C++ side, see HttpAuthNegotiateAndroid::SetResultInternal.

+                        } catch (OperationCanceledException | AuthenticatorException
+                                | IOException e) {
+                            nativeSetResult(nativeResultObject, NetError.ERR_ABORTED, null);
+                        }
+                    }
+
+                }, new Handler(ThreadUtils.getUiThreadLooper()));
+    }
+
+    @VisibleForTesting
+    native void nativeSetResult(
+            long nativeJavaNegotiateResultWrapper, int status, String authToken);
+}