Support Kerberos on Android

net/android/http_android_auth_negotiate.h

Index: net/android/http_android_auth_negotiate.h
diff --git a/net/android/http_android_auth_negotiate.h b/net/android/http_android_auth_negotiate.h
new file mode 100644
index 0000000000000000000000000000000000000000..2679e7be9c4ebcae1730fe6e44591c370d95cac6
--- /dev/null
+++ b/net/android/http_android_auth_negotiate.h
@@ -0,0 +1,76 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_
+#define NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_
+
+#include <jni.h>
+#include <string>
+
+#include "base/android/jni_android.h"
+#include "base/macros.h"
+

[Bernhard Bauer, 2015/06/01 14:51:13]

Remove empty line?

[aberent, 2015/06/10 15:48:56]

Done.

+#include "net/base/completion_callback.h"
+#include "net/http/http_auth.h"
+
+namespace net {
+
+class HttpAuthChallengeTokenizer;
+
+namespace android {
+
+class NET_EXPORT_PRIVATE AndroidAuthNegotiate {
+ public:
+  AndroidAuthNegotiate(const std::string& account_type,
+                       const std::string& scheme);
+  ~AndroidAuthNegotiate();
+  bool Init();
+
+  bool NeedsIdentity() const;
+
+  bool AllowsExplicitCredentials() const;
+
+  HttpAuth::AuthorizationResult ParseChallenge(
+      net::HttpAuthChallengeTokenizer* tok);
+
+  // Generates an authentication token.
+  // The return value is an error code. If it's not |OK|, the value of
+  // |*auth_token| is unspecified.
+  // The function may return |IO_PENDING|, and call |callback| on completion.

[Bernhard Bauer, 2015/05/15 15:06:16]

Do we want to mention that the callback will not end up being called if this
object is destroyed before?

Also, now that doing authentication might not lock up the IO thread anymore, do
we have to deal with more than one request calling this method before the
initial one is finished?

[aberent, 2015/05/18 13:45:28]

Other similar examples typically don't. I would tend to assume this. See, for
example, Resolver in
https://cs.corp.google.com/#clankium/src/net/dns/host_resolver.h&q=host_resol....

Is there any particular reason for concern in this case?
Other stages of the authentication process are already potentially asynchronous
(for example resolving the canonical name), The existing code already deals with
this, and which stage failed to complete synchronously isn't visible outside
HttpAuthHandlerNegotiate. I don't think making this step (potentially)
asynchronous introduces any new problems.

[Bernhard Bauer, 2015/05/18 15:11:53]

Not in this particular case, but it's good to be able to guarantee a caller that
the callback they pass only has to be valid as long as the object lives (which
is necessary for using base::Unretained, for example).

I like the way the comment on HostResolver is phrased, BTW. Can we use that here
as well?
OK, good. Can we add a DCHECK just to make sure?

[aberent, 2015/05/18 17:07:30]

Done.
No obvious way in AndroidAuthNegotiate. HttpAuthHandlerNegotiate (which is the
owner and only caller of AndroidAuthNegotiate) already contains DCHECKs that
will fail if callers attempt to start a second authentication with the same
object.

[Bernhard Bauer, 2015/06/01 14:51:13]

You could add a DCHECK(completion_callback_.is_null()) and reset the callback
after running it. But if you feel that the existing DCHECK in the caller is
sufficient, that's fine with me.

[aberent, 2015/06/10 15:48:56]

Done, together with a couple of other checks.

+  // |auth_token| must remain valid until the callback has been called.
+  // |spn| is the Service Principal Name of the server that the token is
+  // being generated for.
+  // If this is the first round of a multiple round scheme, credentials are
+  // obtained using |*credentials|. If |credentials| is NULL, the default
+  // credentials are used instead.
+  int GenerateAuthToken(const AuthCredentials* credentials,
+                        const std::string& spn,
+                        std::string* auth_token,
+                        const net::CompletionCallback& callback);
+
+  // Delegation is allowed on the Kerberos ticket. This allows certain servers
+  // to act as the user, such as an IIS server retrieiving data from a
+  // Kerberized MSSQL server.
+  void Delegate();
+  void SetResult(JNIEnv* env, jobject obj, bool result, jstring token);
+
+ private:
+  std::string account_type_;
+  std::string scheme_;
+  bool can_delegate_;
+  bool first_challenge_;
+  std::string server_auth_token_;
+  std::string* auth_token_;
+  base::android::ScopedJavaGlobalRef<jobject> java_authenticator_;
+  net::CompletionCallback completion_callback_;
+
+  DISALLOW_COPY_AND_ASSIGN(AndroidAuthNegotiate);
+};
+
+bool RegisterHttpNegotiateAuthenticator(JNIEnv* env);
+
+}  // namespace android
+}  // namespace net
+
+#endif  // NET_HTTP_HTTP_ANDROID_AUTH_NEGOTIATE_H_