[net/http auth] Make HttpAuthHandler challenge handling asynchronous.

net/http/http_auth_controller.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
+#include "base/callback_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/platform_thread.h"
+#include "base/values.h"
 #include "net/base/auth.h"
 #include "net/base/net_util.h"
 #include "net/dns/host_resolver.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_handler.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 
 namespace net {
 
 namespace {
 
-// Returns a log message for all the response headers related to the auth
-// challenge.
-std::string AuthChallengeLogMessage(HttpResponseHeaders* headers) {
-  std::string msg;
-  std::string header_val;
-  void* iter = NULL;
-  while (headers->EnumerateHeader(&iter, "proxy-authenticate", &header_val)) {
-    msg.append("\n  Has header Proxy-Authenticate: ");
-    msg.append(header_val);
-  }
-
-  iter = NULL;
-  while (headers->EnumerateHeader(&iter, "www-authenticate", &header_val)) {
-    msg.append("\n  Has header WWW-Authenticate: ");
-    msg.append(header_val);
-  }
-
-  // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
-  // authentication with a "Proxy-Support: Session-Based-Authentication"
-  // response header.
-  iter = NULL;
-  while (headers->EnumerateHeader(&iter, "proxy-support", &header_val)) {
-    msg.append("\n  Has header Proxy-Support: ");
-    msg.append(header_val);
-  }
-
-  return msg;
-}
-
 enum AuthEvent {
   AUTH_EVENT_START = 0,
   AUTH_EVENT_REJECT,
   AUTH_EVENT_MAX,
 };
 
 enum AuthTarget {
   AUTH_TARGET_PROXY = 0,
   AUTH_TARGET_SECURE_PROXY,
   AUTH_TARGET_SERVER,
@@ skipping 111 matching lines @@
   if (auth_event != AUTH_EVENT_START)
     return;
   static const int kTargetBucketsEnd = AUTH_SCHEME_MAX * AUTH_TARGET_MAX;
   AuthTarget auth_target = DetermineAuthTarget(handler);
   int target_bucket = auth_scheme * AUTH_TARGET_MAX + auth_target;
   DCHECK(target_bucket >= 0 && target_bucket < kTargetBucketsEnd);
   UMA_HISTOGRAM_ENUMERATION("Net.HttpAuthTarget", target_bucket,
                             kTargetBucketsEnd);
 }
 
+// Hardcoded map of HTTP authentication scheme priorities. Higher priorities are
+// preferred over lower.
+struct SchemePriority {
+  const char* scheme;
+  int priority;
+} kSchemeScores[] = {
+    {"basic", 1},
+    {"digest", 2},
+    {"ntlm", 3},
+    {"negotiate", 4},
+};
+
+// Priority assigned to unknown authentication schemes. They are currently
+// ranked lower than Basic, which might be a bit too conservative.
+const int kSchemePriorityDefault = 0;
+
+// Higher priority schemes are preferred over lower priority schemes.
+int GetSchemePriority(const std::string& scheme) {
+  DCHECK(HttpAuth::IsValidNormalizedScheme(scheme));
+  for (const auto& iter : kSchemeScores) {
+    if (scheme == iter.scheme)
+      return iter.priority;
+  }
+  return kSchemePriorityDefault;
+}
+
 }  // namespace
 
 HttpAuthController::HttpAuthController(
     HttpAuth::Target target,
     const GURL& auth_url,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory)
     : target_(target),
       auth_url_(auth_url),
       auth_origin_(auth_url.GetOrigin()),
       auth_path_(HttpAuth::AUTH_PROXY ? std::string() : auth_url.path()),
       embedded_identity_used_(false),
       default_credentials_used_(false),
       http_auth_cache_(http_auth_cache),
-      http_auth_handler_factory_(http_auth_handler_factory) {
+      http_auth_handler_factory_(http_auth_handler_factory),
+      weak_ptr_factory_(this) {
+  io_callback_ = base::Bind(&HttpAuthController::OnIOComplete,
+                            weak_ptr_factory_.GetWeakPtr());
 }
 
 HttpAuthController::~HttpAuthController() {
   DCHECK(CalledOnValidThread());
 }
 
 int HttpAuthController::MaybeGenerateAuthToken(
     const HttpRequestInfo* request, const CompletionCallback& callback,
     const BoundNetLog& net_log) {
   DCHECK(CalledOnValidThread());
-  DCHECK(request);
+  DCHECK(callback_.is_null());
+  DCHECK(!callback.is_null());
+
   bool needs_auth = HaveAuth() || SelectPreemptiveAuth(net_log);
   if (!needs_auth)
     return OK;
-  const AuthCredentials* credentials = NULL;
-  if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS)
-    credentials = &identity_.credentials;
-  DCHECK(auth_token_.empty());
-  DCHECK(callback_.is_null());
-  int rv = handler_->GenerateAuthToken(
-      credentials, *request,
-      base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
-      &auth_token_);
-  if (DisableOnAuthHandlerResult(rv))
-    rv = OK;
+  request_info_ = request;
+  next_state_ = STATE_GENERATE_TOKEN;
+  net_log_ = net_log;
+  int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     callback_ = callback;
-  else
-    OnIOComplete(rv);
   return rv;
 }
 
 bool HttpAuthController::SelectPreemptiveAuth(const BoundNetLog& net_log) {
   DCHECK(CalledOnValidThread());
   DCHECK(!HaveAuth());
   DCHECK(identity_.invalid);
 
   // Don't do preemptive authorization if the URL contains a username:password,
   // since we must first be challenged in order to use the URL's identity.
   if (auth_url_.has_username())
     return false;
 
   // SelectPreemptiveAuth() is on the critical path for each request, so it
   // is expected to be fast. LookupByPath() is fast in the common case, since
   // the number of http auth cache entries is expected to be very small.
   // (For most users in fact, it will be 0.)
   HttpAuthCache::Entry* entry = http_auth_cache_->LookupByPath(
       auth_origin_, auth_path_);
   if (!entry)
     return false;
 
   // Try to create a handler using the previous auth challenge.
-  std::string challenge = entry->auth_challenge();
-  HttpAuthChallengeTokenizer tokenizer(challenge.begin(), challenge.end());
   scoped_ptr<HttpAuthHandler> handler_preemptive =
       http_auth_handler_factory_->CreateAndInitPreemptiveAuthHandler(
-          entry, tokenizer, target_, net_log);
+          entry, target_, net_log);
   if (!handler_preemptive)
     return false;
 
   // Set the state
   identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP;
   identity_.invalid = false;
   identity_.credentials = entry->credentials();
   handler_.swap(handler_preemptive);
   return true;
 }
 
 void HttpAuthController::AddAuthorizationHeader(
     HttpRequestHeaders* authorization_headers) {
   DCHECK(CalledOnValidThread());
   DCHECK(HaveAuth());
   // auth_token_ can be empty if we encountered a permanent error with
   // the auth scheme and want to retry.
   if (!auth_token_.empty()) {
     authorization_headers->SetHeader(
         HttpAuth::GetAuthorizationHeaderName(target_), auth_token_);
     auth_token_.clear();
   }
 }
 
 int HttpAuthController::HandleAuthChallenge(
-    scoped_refptr<HttpResponseHeaders> headers,
-    bool do_not_send_server_auth,
-    bool establishing_tunnel,
+    const HttpResponseInfo& response_info,
+    const CompletionCallback& callback,
     const BoundNetLog& net_log) {
   DCHECK(CalledOnValidThread());
-  DCHECK(headers.get());
+  DCHECK(response_info.headers.get());
   DCHECK(auth_origin_.is_valid());
-  VLOG(1) << "The " << HttpAuth::GetAuthTargetString(target_) << " "
-          << auth_origin_ << " requested auth "
-          << AuthChallengeLogMessage(headers.get());
+  DCHECK(callback_.is_null());
+  DCHECK(!callback.is_null());
 
-  // Give the existing auth handler first try at the authentication headers.
-  // This will also evict the entry in the HttpAuthCache if the previous
-  // challenge appeared to be rejected, or is using a stale nonce in the Digest
-  // case.
-  if (HaveAuth()) {
-    std::string challenge_used;
-    HttpAuth::AuthorizationResult result =
-        HttpAuth::HandleChallengeResponse(handler_.get(),
-                                          headers.get(),
-                                          target_,
-                                          disabled_schemes_,
-                                          &challenge_used);
-    switch (result) {
-      case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
-        break;
-      case HttpAuth::AUTHORIZATION_RESULT_INVALID:
-        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
-        break;
-      case HttpAuth::AUTHORIZATION_RESULT_REJECT:
-        HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
-        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
-        break;
-      case HttpAuth::AUTHORIZATION_RESULT_STALE:
-        if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
-                                                   handler_->realm(),
-                                                   handler_->auth_scheme(),
-                                                   challenge_used)) {
-          InvalidateCurrentHandler(INVALIDATE_HANDLER);
-        } else {
-          // It's possible that a server could incorrectly issue a stale
-          // response when the entry is not in the cache. Just evict the
-          // current value from the cache.
-          InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
-        }
-        break;
-      case HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM:
-        // If the server changes the authentication realm in a
-        // subsequent challenge, invalidate cached credentials for the
-        // previous realm.  If the server rejects a preemptive
-        // authorization and requests credentials for a different
-        // realm, we keep the cached credentials.
-        InvalidateCurrentHandler(
-            (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP) ?
-            INVALIDATE_HANDLER :
-            INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
-        break;
-      default:
-        NOTREACHED();
-        break;
-    }
-  }
+  next_state_ = HaveAuthHandler() ? STATE_HANDLE_ANOTHER_CHALLENGE
+                                  : STATE_CHOOSE_CHALLENGE;
+  response_info_ = &response_info;
+  net_log_ = net_log;
+  int result = DoLoop(OK);
 
-  identity_.invalid = true;
-
-  bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
-                        !do_not_send_server_auth);
-
-  do {
-    if (!handler_.get() && can_send_auth) {
-      // Find the best authentication challenge that we support.
-      HttpAuth::ChooseBestChallenge(http_auth_handler_factory_,
-                                    headers.get(),
-                                    target_,
-                                    auth_origin_,
-                                    disabled_schemes_,
-                                    net_log,
-                                    &handler_);
-      if (handler_.get())
-        HistogramAuthEvent(handler_.get(), AUTH_EVENT_START);
-    }
-
-    if (!handler_.get()) {
-      if (establishing_tunnel) {
-        LOG(ERROR) << "Can't perform auth to the "
-                   << HttpAuth::GetAuthTargetString(target_) << " "
-                   << auth_origin_ << " when establishing a tunnel"
-                   << AuthChallengeLogMessage(headers.get());
-
-        // We are establishing a tunnel, we can't show the error page because an
-        // active network attacker could control its contents.  Instead, we just
-        // fail to establish the tunnel.
-        DCHECK(target_ == HttpAuth::AUTH_PROXY);
-        return ERR_PROXY_AUTH_UNSUPPORTED;
-      }
-      // We found no supported challenge -- let the transaction continue so we
-      // end up displaying the error page.
-      return OK;
-    }
-
-    if (handler_->NeedsIdentity()) {
-      // Pick a new auth identity to try, by looking to the URL and auth cache.
-      // If an identity to try is found, it is saved to identity_.
-      SelectNextAuthIdentityToTry();
-    } else {
-      // Proceed with the existing identity or a null identity.
-      identity_.invalid = false;
-    }
-
-    // From this point on, we are restartable.
-
-    if (identity_.invalid) {
-      // We have exhausted all identity possibilities.
-      if (!handler_->AllowsExplicitCredentials()) {
-        // If the handler doesn't accept explicit credentials, then we need to
-        // choose a different auth scheme.
-        HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
-        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME);
-      } else {
-        // Pass the challenge information back to the client.
-        PopulateAuthChallenge();
-      }
-    } else {
-      auth_info_ = NULL;
-    }
-
-    // If we get here and we don't have a handler_, that's because we
-    // invalidated it due to not having any viable identities to use with it. Go
-    // back and try again.
-    // TODO(asanka): Instead we should create a priority list of
-    //     <handler,identity> and iterate through that.
-  } while(!handler_.get());
-  return OK;
+  if (result == ERR_IO_PENDING)
+    callback_ = callback;
+  return result;
 }
 
 void HttpAuthController::ResetAuth(const AuthCredentials& credentials) {
   DCHECK(CalledOnValidThread());
   DCHECK(identity_.invalid || credentials.Empty());
 
   if (identity_.invalid) {
     // Update the credentials.
     identity_.source = HttpAuth::IDENT_SRC_EXTERNAL;
     identity_.invalid = false;
@@ skipping 104 matching lines @@
     identity_.invalid = false;
     default_credentials_used_ = true;
     return true;
   }
 
   return false;
 }
 
 void HttpAuthController::PopulateAuthChallenge() {
   DCHECK(CalledOnValidThread());
+  DCHECK(!auth_info_);
 
   // Populates response_.auth_challenge with the authentication challenge info.
   // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
 
   auth_info_ = new AuthChallengeInfo;
   auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY);
   auth_info_->challenger = HostPortPair::FromURL(auth_origin_);
   auth_info_->scheme = handler_->auth_scheme();
   auth_info_->realm = handler_->realm();
 }
@@ skipping 23 matching lines @@
       auth_token_.clear();
       return true;
 
     default:
       return false;
   }
 }
 
 void HttpAuthController::OnIOComplete(int result) {
   DCHECK(CalledOnValidThread());
-  if (DisableOnAuthHandlerResult(result))
-    result = OK;
-  if (!callback_.is_null()) {
-    CompletionCallback c = callback_;
-    callback_.Reset();
-    c.Run(result);
+  result = DoLoop(result);
+
+  if (result != ERR_IO_PENDING && !callback_.is_null()) {
+    base::ResetAndReturn(&callback_).Run(result);
   }
 }
 
 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() {
   DCHECK(CalledOnValidThread());
   return auth_info_;
 }
 
 bool HttpAuthController::IsAuthSchemeDisabled(const std::string& scheme) const {
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.Contains(scheme);
 }
 
 void HttpAuthController::DisableAuthScheme(const std::string& scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.Add(scheme);
 }
 
 void HttpAuthController::DisableEmbeddedIdentity() {
   DCHECK(CalledOnValidThread());
   embedded_identity_used_ = true;
 }
 
+int HttpAuthController::DoLoop(int result) {
+  DCHECK(CalledOnValidThread());
+
+  do {
+    State state = next_state_;
+    next_state_ = STATE_NONE;
+
+    switch (state) {
+      case STATE_CHOOSE_CHALLENGE:
+        DCHECK_EQ(OK, result);
+        result = DoChooseChallenge();
+        break;
+
+      case STATE_TRY_NEXT_CHALLENGE:
+        DCHECK_EQ(OK, result);
+        result = DoTryNextChallenge();
+        break;
+
+      case STATE_TRY_NEXT_CHALLENGE_COMPLETE:
+        result = DoTryNextChallengeComplete(result);
+        break;
+
+      case STATE_CHOOSE_IDENTITY:
+        DCHECK_EQ(OK, result);
+        result = DoChooseIdentity();
+        break;
+
+      case STATE_HANDLE_ANOTHER_CHALLENGE:
+        DCHECK_EQ(OK, result);
+        result = DoHandleAnotherChallenge();
+        break;
+
+      case STATE_HANDLE_ANOTHER_CHALLENGE_COMPLETE:
+        result = DoHandleAnotherChallengeComplete(result);
+        break;
+
+      case STATE_GENERATE_TOKEN:
+        DCHECK_EQ(OK, result);
+        result = DoGenerateToken();
+        break;
+
+      case STATE_GENERATE_TOKEN_COMPLETE:
+        result = DoGenerateTokenComplete(result);
+        break;
+
+      case STATE_NONE:
+        NOTREACHED() << "next_state_: " << next_state_;
+    }
+  } while (next_state_ != STATE_NONE && result != ERR_IO_PENDING);
+
+  if (result != ERR_IO_PENDING) {
+    // Exiting the state machine.
+    request_info_ = nullptr;
+    response_info_ = nullptr;
+    net_log_ = BoundNetLog();
+  }
+
+  return result;
+}
+
+int HttpAuthController::DoChooseChallenge() {
+  DCHECK(response_info_);
+  DCHECK(response_info_->headers.get());
+  DCHECK(!handler_);
+  DCHECK(auth_token_.empty());
+
+  auth_info_ = nullptr;
+
+  std::priority_queue<CandidateChallenge> old_challenges;
+  candidate_challenges_.swap(old_challenges);
+
+  void* iter = nullptr;
+  const std::string header_name = HttpAuth::GetChallengeHeaderName(target_);
+  std::string current_challenge;
+  while (response_info_->headers->EnumerateHeader(&iter, header_name,
+                                                  &current_challenge)) {
+    HttpAuthChallengeTokenizer tokenizer(current_challenge.begin(),
+                                         current_challenge.end());
+    std::string current_scheme = tokenizer.NormalizedScheme();
+    if (current_scheme.empty())
+      continue;
+    if (IsAuthSchemeDisabled(current_scheme))
+      continue;
+
+    CandidateChallenge candidate_challenge;
+    candidate_challenge.scheme = current_scheme;
+    candidate_challenge.priority = GetSchemePriority(current_scheme);
+    candidate_challenge.challenge = current_challenge;
+    candidate_challenges_.push(candidate_challenge);
+  }
+  next_state_ = STATE_TRY_NEXT_CHALLENGE;
+  return OK;
+}
+
+int HttpAuthController::DoTryNextChallenge() {
+  DCHECK(!handler_);
+  DCHECK(auth_token_.empty());
+  DCHECK(response_info_);
+
+  for (; !handler_ && !candidate_challenges_.empty();
+       candidate_challenges_.pop()) {
+    const CandidateChallenge& candidate = candidate_challenges_.top();
+    selected_auth_challenge_ = candidate.challenge;
+    if (IsAuthSchemeDisabled(candidate.scheme))
+      continue;
+    handler_ = http_auth_handler_factory_->CreateAuthHandlerForScheme(
+        candidate.scheme);
+  }
+
+  if (!handler_)
+    return OK;
+
+  HttpAuthChallengeTokenizer tokenizer(selected_auth_challenge_.begin(),
+                                       selected_auth_challenge_.end());
+  next_state_ = STATE_TRY_NEXT_CHALLENGE_COMPLETE;
+  return handler_->HandleInitialChallenge(tokenizer, *response_info_, target_,
+                                          auth_origin_, net_log_, io_callback_);
+}
+
+int HttpAuthController::DoTryNextChallengeComplete(int result) {
+  DCHECK(handler_);
+
+  if (result != OK) {
+    InvalidateCurrentHandler(INVALIDATE_HANDLER);
+    next_state_ = STATE_TRY_NEXT_CHALLENGE;
+    return OK;
+  }
+
+  HistogramAuthEvent(handler_.get(), AUTH_EVENT_START);
+  next_state_ = STATE_CHOOSE_IDENTITY;
+  return OK;
+}
+
+int HttpAuthController::DoChooseIdentity() {
+  DCHECK(handler_.get());
+  DCHECK(identity_.invalid);
+  DCHECK(!auth_info_);
+
+  if (handler_->NeedsIdentity()) {
+    SelectNextAuthIdentityToTry();
+  } else {
+    // TODO(asanka): This is a false flag and shouldn't be necessary. Instead
+    // rely on NeedsIdentity() to determine if the handler needs an identity.
+    identity_.invalid = false;
+  }
+
+  if (!identity_.invalid) {
+    return OK;
+  }
+
+  if (!handler_->AllowsExplicitCredentials()) {
+    HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
+    InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME);
+    next_state_ = STATE_TRY_NEXT_CHALLENGE;
+    return OK;
+  }
+
+  PopulateAuthChallenge();
+  return OK;
+}
+
+int HttpAuthController::DoHandleAnotherChallenge() {
+  DCHECK(HaveAuth());
+  DCHECK(response_info_);
+  DCHECK(response_info_->headers.get());
+  DCHECK(auth_token_.empty());
+
+  next_state_ = STATE_HANDLE_ANOTHER_CHALLENGE_COMPLETE;
+  auth_info_ = nullptr;
+
+  selected_auth_challenge_.clear();
+  if (disabled_schemes_.Contains(handler_->auth_scheme()))
+    return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+
+  std::string current_scheme_name = handler_->auth_scheme();
+  std::string challenge_header_name = HttpAuth::GetChallengeHeaderName(target_);
+
+  std::string challenge;
+  void* iter = nullptr;
+  HttpAuth::AuthorizationResult authorization_result =
+      HttpAuth::AUTHORIZATION_RESULT_INVALID;
+  while (response_info_->headers->EnumerateHeader(&iter, challenge_header_name,
+                                                  &challenge)) {
+    HttpAuthChallengeTokenizer tokenizer(challenge.begin(), challenge.end());
+    if (!tokenizer.SchemeIs(current_scheme_name))
+      continue;
+
+    authorization_result = handler_->HandleAnotherChallenge(tokenizer);
+    if (authorization_result != HttpAuth::AUTHORIZATION_RESULT_INVALID) {
+      selected_auth_challenge_ = challenge;
+      return authorization_result;
+    }
+  }
+
+  return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+}
+
+int HttpAuthController::DoHandleAnotherChallengeComplete(int result) {
+  if (result < 0)
+    return result;
+
+  HttpAuth::AuthorizationResult auth_result =
+      static_cast<HttpAuth::AuthorizationResult>(result);
+  switch (auth_result) {
+    case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
+      return OK;
+
+    case HttpAuth::AUTHORIZATION_RESULT_INVALID:
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      break;
+
+    case HttpAuth::AUTHORIZATION_RESULT_REJECT:
+      HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      break;
+
+    case HttpAuth::AUTHORIZATION_RESULT_STALE:
+      if (http_auth_cache_->UpdateStaleChallenge(
+              auth_origin_, handler_->realm(), handler_->auth_scheme(),
+              selected_auth_challenge_)) {
+        InvalidateCurrentHandler(INVALIDATE_HANDLER);
+      } else {
+        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      }
+      break;
+
+    case HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM:
+      InvalidateCurrentHandler(identity_.source ==
+                                       HttpAuth::IDENT_SRC_PATH_LOOKUP
+                                   ? INVALIDATE_HANDLER
+                                   : INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      break;
+  }
+
+  DCHECK(!handler_.get());
+  next_state_ = STATE_CHOOSE_CHALLENGE;
+  return OK;
+}
+
+int HttpAuthController::DoGenerateToken() {
+  DCHECK(handler_.get());
+  DCHECK(!identity_.invalid || !handler_->NeedsIdentity());
+  DCHECK(request_info_);
+  DCHECK(HaveAuth());
+  DCHECK(auth_token_.empty());
+
+  next_state_ = STATE_GENERATE_TOKEN_COMPLETE;
+  const AuthCredentials* credentials =
+      identity_.source == HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS
+          ? nullptr
+          : &identity_.credentials;
+  return handler_->GenerateAuthToken(credentials, *request_info_, io_callback_,
+                                     &auth_token_);
+}
+
+int HttpAuthController::DoGenerateTokenComplete(int result) {
+  if (DisableOnAuthHandlerResult(result))
+    result = OK;
+  return result;
+}
+
 }  // namespace net