OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_auth_handler_negotiate.h" | 5 #include "net/http/http_auth_handler_negotiate.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/strings/string_number_conversions.h" | |
11 #include "base/strings/string_util.h" | |
10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
13 #include "base/values.h" | |
11 #include "net/base/address_family.h" | 14 #include "net/base/address_family.h" |
12 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
16 #include "net/cert/x509_util.h" | |
13 #include "net/dns/host_resolver.h" | 17 #include "net/dns/host_resolver.h" |
14 #include "net/dns/single_request_host_resolver.h" | 18 #include "net/dns/single_request_host_resolver.h" |
15 #include "net/http/http_auth_filter.h" | 19 #include "net/http/http_auth_filter.h" |
16 #include "net/http/http_auth_preferences.h" | 20 #include "net/http/http_auth_preferences.h" |
21 #include "net/http/http_response_info.h" | |
22 #include "net/log/net_log.h" | |
17 | 23 |
18 namespace net { | 24 namespace net { |
19 | 25 |
26 namespace { | |
27 | |
28 scoped_ptr<base::Value> NetLogParameterChannelBindings( | |
29 const std::string& channel_binding_token, | |
30 NetLogCaptureMode capture_mode) { | |
31 scoped_ptr<base::DictionaryValue> dict; | |
32 if (!capture_mode.include_socket_bytes()) | |
33 return std::move(dict); | |
34 | |
35 dict.reset(new base::DictionaryValue()); | |
36 auto colon = channel_binding_token.find(':'); | |
Ryan Sleevi
2016/03/18 21:27:40
Is it necessary to split this? I'm not sure why yo
asanka
2016/03/23 04:51:30
Done. Yeah, went with logging the token in hex wit
| |
37 if (colon == channel_binding_token.npos || colon < 1 || | |
Ryan Sleevi
2016/03/18 21:27:40
Shouldn't this be std::string::npos? It's a static
asanka
2016/03/23 04:51:30
Either is valid for a static member of a class, bu
| |
38 !base::IsStringASCII(channel_binding_token.substr(0, colon))) { | |
39 dict->SetString("type", "(unknown)"); | |
40 dict->SetString("token", base::HexEncode(channel_binding_token.data(), | |
41 channel_binding_token.size())); | |
42 } else { | |
43 dict->SetString("type", channel_binding_token.substr(0, colon)); | |
44 ++colon; | |
45 dict->SetString("token", | |
46 base::HexEncode(channel_binding_token.data() + colon, | |
47 channel_binding_token.size() - colon)); | |
48 } | |
49 return std::move(dict); | |
50 } | |
51 | |
52 } // namespace | |
53 | |
20 HttpAuthHandlerNegotiate::Factory::Factory() | 54 HttpAuthHandlerNegotiate::Factory::Factory() |
21 : resolver_(NULL), | 55 : resolver_(NULL), |
22 #if defined(OS_WIN) | 56 #if defined(OS_WIN) |
23 max_token_length_(0), | 57 max_token_length_(0), |
24 #endif | 58 #endif |
25 is_unsupported_(false) { | 59 is_unsupported_(false) { |
26 } | 60 } |
27 | 61 |
28 HttpAuthHandlerNegotiate::Factory::~Factory() { | 62 HttpAuthHandlerNegotiate::Factory::~Factory() { |
29 } | 63 } |
30 | 64 |
31 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( | 65 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( |
32 HostResolver* resolver) { | 66 HostResolver* resolver) { |
33 resolver_ = resolver; | 67 resolver_ = resolver; |
34 } | 68 } |
35 | 69 |
36 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( | 70 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( |
37 HttpAuthChallengeTokenizer* challenge, | 71 HttpAuthChallengeTokenizer* challenge, |
38 HttpAuth::Target target, | 72 HttpAuth::Target target, |
73 const HttpResponseInfo& response_info, | |
39 const GURL& origin, | 74 const GURL& origin, |
40 CreateReason reason, | 75 CreateReason reason, |
41 int digest_nonce_count, | 76 int digest_nonce_count, |
42 const BoundNetLog& net_log, | 77 const BoundNetLog& net_log, |
43 scoped_ptr<HttpAuthHandler>* handler) { | 78 scoped_ptr<HttpAuthHandler>* handler) { |
44 #if defined(OS_WIN) | 79 #if defined(OS_WIN) |
45 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) | 80 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) |
46 return ERR_UNSUPPORTED_AUTH_SCHEME; | 81 return ERR_UNSUPPORTED_AUTH_SCHEME; |
47 if (max_token_length_ == 0) { | 82 if (max_token_length_ == 0) { |
48 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, | 83 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, |
(...skipping 22 matching lines...) Expand all Loading... | |
71 return ERR_UNSUPPORTED_AUTH_SCHEME; | 106 return ERR_UNSUPPORTED_AUTH_SCHEME; |
72 if (!auth_library_->Init()) { | 107 if (!auth_library_->Init()) { |
73 is_unsupported_ = true; | 108 is_unsupported_ = true; |
74 return ERR_UNSUPPORTED_AUTH_SCHEME; | 109 return ERR_UNSUPPORTED_AUTH_SCHEME; |
75 } | 110 } |
76 // TODO(ahendrickson): Move towards model of parsing in the factory | 111 // TODO(ahendrickson): Move towards model of parsing in the factory |
77 // method and only constructing when valid. | 112 // method and only constructing when valid. |
78 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( | 113 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( |
79 auth_library_.get(), http_auth_preferences(), resolver_)); | 114 auth_library_.get(), http_auth_preferences(), resolver_)); |
80 #endif | 115 #endif |
81 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) | 116 if (!tmp_handler->InitFromChallenge(challenge, target, response_info, origin, |
117 net_log)) | |
82 return ERR_INVALID_RESPONSE; | 118 return ERR_INVALID_RESPONSE; |
83 handler->swap(tmp_handler); | 119 handler->swap(tmp_handler); |
84 return OK; | 120 return OK; |
85 } | 121 } |
86 | 122 |
87 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( | 123 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( |
88 #if !defined(OS_ANDROID) | 124 #if !defined(OS_ANDROID) |
89 AuthLibrary* auth_library, | 125 AuthLibrary* auth_library, |
90 #endif | 126 #endif |
91 #if defined(OS_WIN) | 127 #if defined(OS_WIN) |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
178 return false; | 214 return false; |
179 return http_auth_preferences_->CanUseDefaultCredentials(origin_); | 215 return http_auth_preferences_->CanUseDefaultCredentials(origin_); |
180 } | 216 } |
181 | 217 |
182 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { | 218 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { |
183 return auth_system_.AllowsExplicitCredentials(); | 219 return auth_system_.AllowsExplicitCredentials(); |
184 } | 220 } |
185 | 221 |
186 // The Negotiate challenge header looks like: | 222 // The Negotiate challenge header looks like: |
187 // WWW-Authenticate: NEGOTIATE auth-data | 223 // WWW-Authenticate: NEGOTIATE auth-data |
188 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) { | 224 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge, |
225 const HttpResponseInfo& response_info) { | |
189 #if defined(OS_POSIX) | 226 #if defined(OS_POSIX) |
190 if (!auth_system_.Init()) { | 227 if (!auth_system_.Init()) { |
191 VLOG(1) << "can't initialize GSSAPI library"; | 228 VLOG(1) << "can't initialize GSSAPI library"; |
192 return false; | 229 return false; |
193 } | 230 } |
194 // GSSAPI does not provide a way to enter username/password to | 231 // GSSAPI does not provide a way to enter username/password to |
195 // obtain a TGT. If the default credentials are not allowed for | 232 // obtain a TGT. If the default credentials are not allowed for |
196 // a particular site (based on whitelist), fall back to a | 233 // a particular site (based on whitelist), fall back to a |
197 // different scheme. | 234 // different scheme. |
198 if (!AllowsDefaultCredentials()) | 235 if (!AllowsDefaultCredentials()) |
199 return false; | 236 return false; |
200 #endif | 237 #endif |
201 if (CanDelegate()) | 238 if (CanDelegate()) |
202 auth_system_.Delegate(); | 239 auth_system_.Delegate(); |
203 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; | 240 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; |
204 score_ = 4; | 241 score_ = 4; |
205 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; | 242 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; |
243 | |
206 HttpAuth::AuthorizationResult auth_result = | 244 HttpAuth::AuthorizationResult auth_result = |
207 auth_system_.ParseChallenge(challenge); | 245 auth_system_.ParseChallenge(challenge); |
208 return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT); | 246 if (auth_result != HttpAuth::AUTHORIZATION_RESULT_ACCEPT) |
247 return false; | |
248 | |
249 // Try to extract channel bindings. | |
250 if (response_info.ssl_info.is_valid()) | |
251 x509_util::GetTLSServerEndPointChannelBinding(*response_info.ssl_info.cert, | |
252 &channel_bindings_); | |
253 if (!channel_bindings_.empty()) | |
254 net_log_.AddEvent( | |
255 NetLog::TYPE_AUTH_CHANNEL_BINDINGS, | |
256 base::Bind(&NetLogParameterChannelBindings, channel_bindings_)); | |
257 return true; | |
209 } | 258 } |
210 | 259 |
211 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( | 260 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( |
212 const AuthCredentials* credentials, const HttpRequestInfo* request, | 261 const AuthCredentials* credentials, const HttpRequestInfo* request, |
213 const CompletionCallback& callback, std::string* auth_token) { | 262 const CompletionCallback& callback, std::string* auth_token) { |
214 DCHECK(callback_.is_null()); | 263 DCHECK(callback_.is_null()); |
215 DCHECK(auth_token_ == NULL); | 264 DCHECK(auth_token_ == NULL); |
216 auth_token_ = auth_token; | 265 auth_token_ = auth_token; |
217 if (already_called_) { | 266 if (already_called_) { |
218 DCHECK((!has_credentials_ && credentials == NULL) || | 267 DCHECK((!has_credentials_ && credentials == NULL) || |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
312 next_state_ = STATE_GENERATE_AUTH_TOKEN; | 361 next_state_ = STATE_GENERATE_AUTH_TOKEN; |
313 spn_ = CreateSPN(address_list_, origin_); | 362 spn_ = CreateSPN(address_list_, origin_); |
314 address_list_ = AddressList(); | 363 address_list_ = AddressList(); |
315 return rv; | 364 return rv; |
316 } | 365 } |
317 | 366 |
318 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { | 367 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { |
319 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; | 368 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; |
320 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; | 369 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; |
321 return auth_system_.GenerateAuthToken( | 370 return auth_system_.GenerateAuthToken( |
322 credentials, spn_, auth_token_, | 371 credentials, spn_, channel_bindings_, auth_token_, |
323 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, | 372 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, |
324 base::Unretained(this))); | 373 base::Unretained(this))); |
325 } | 374 } |
326 | 375 |
327 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { | 376 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { |
328 DCHECK_NE(ERR_IO_PENDING, rv); | 377 DCHECK_NE(ERR_IO_PENDING, rv); |
329 auth_token_ = NULL; | 378 auth_token_ = NULL; |
330 return rv; | 379 return rv; |
331 } | 380 } |
332 | 381 |
333 bool HttpAuthHandlerNegotiate::CanDelegate() const { | 382 bool HttpAuthHandlerNegotiate::CanDelegate() const { |
334 // TODO(cbentzel): Should delegation be allowed on proxies? | 383 // TODO(cbentzel): Should delegation be allowed on proxies? |
335 if (target_ == HttpAuth::AUTH_PROXY) | 384 if (target_ == HttpAuth::AUTH_PROXY) |
336 return false; | 385 return false; |
337 if (!http_auth_preferences_) | 386 if (!http_auth_preferences_) |
338 return false; | 387 return false; |
339 return http_auth_preferences_->CanDelegate(origin_); | 388 return http_auth_preferences_->CanDelegate(origin_); |
340 } | 389 } |
341 | 390 |
342 } // namespace net | 391 } // namespace net |
OLD | NEW |