Implementation of HTTP digest authentication

sdk/lib/io/http_impl.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 class _HttpIncoming extends Stream<List<int>> {
   final int _transferLength;
   final Completer _dataCompleter = new Completer();
   Stream<List<int>> _stream;
@@ skipping 256 matching lines @@
   bool get _shouldAuthenticate {
     // Only try to authenticate if there is a challenge in the response.
     List<String> challenge = headers[HttpHeaders.WWW_AUTHENTICATE];
     return statusCode == HttpStatus.UNAUTHORIZED &&
         challenge != null && challenge.length == 1;
   }
 
   Future<HttpClientResponse> _authenticate() {
     Future<HttpClientResponse> retryWithCredentials(_Credentials cr) {
       if (cr != null) {
-        // TODO(sgjesse): Support digest.
-        if (cr.scheme == _AuthenticationScheme.BASIC) {
+        if (cr.scheme != _AuthenticationScheme.UNKNOWN) {

[Anders Johnsen, 2013/05/02 19:10:19]

Merge ifs.

[Søren Gjesse, 2013/05/03 08:10:36]

Done.

           // Drain body and retry.
           return fold(null, (x, y) {}).then((_) {
               return _httpClient._openUrlFromRequest(_httpRequest.method,
                                                      _httpRequest.uri,
                                                      _httpRequest)
                   .then((request) => request.close());
             });
         }
       }
 
       // Fall through to here to perform normal response handling if
       // there is no sensible authorization handling.
       return new Future.value(this);
     }
 
     List<String> challenge = headers[HttpHeaders.WWW_AUTHENTICATE];
     assert(challenge != null || challenge.length == 1);
     _HeaderValue header =
         new _HeaderValue.fromString(challenge[0], parameterSeparator: ",");
     _AuthenticationScheme scheme =
         new _AuthenticationScheme.fromString(header.value);
     String realm = header.parameters["realm"];
 
-    // See if any credentials are available.
+    // See if any matching credentials are available.
     _Credentials cr = _httpClient._findCredentials(_httpRequest.uri, scheme);
+    if (cr != null) {
+      if (cr.scheme == _AuthenticationScheme.BASIC && !cr.used) {
+        // If credentials found prepare for retrying the request.
+        return retryWithCredentials(cr);
+      }
 
-    if (cr != null && !cr.used) {
-      // If credentials found prepare for retrying the request.
-      return retryWithCredentials(cr);
+      // Digest authentication only supports the MD5 algorithm.
+      if (cr.scheme == _AuthenticationScheme.DIGEST &&

[Anders Johnsen, 2013/05/02 19:10:19]

No used check? If missing, maybe move it to line 303.

[Søren Gjesse, 2013/05/03 08:10:36]

The checking for whether the nonce is set works like the used check for basic
authentication. Updated comment and added TODO for handling changing nonce.

+          (header.parameters["algorithm"] == null ||

[Anders Johnsen, 2013/05/02 19:10:19]

!= String, or do we always know it's either null or String?

[Søren Gjesse, 2013/05/03 08:10:36]

Done.

[Søren Gjesse, 2013/05/03 08:10:36]

The HeaderValue only adds Strings to the map.

+           header.parameters["algorithm"].toLowerCase() == "md5")) {
+        if (cr.nonce == null) {
+          // Set up authentication state.
+          cr.nonce = header.parameters["nonce"];
+          cr.algorithm = "MD5";
+          cr.qop = header.parameters["qop"];
+          cr.nonceCount = 0;
+        }
+        // If credentials found prepare for retrying the request.
+        return retryWithCredentials(cr);
+      }
     }
 
     // Ask for more credentials if none found or the one found has
     // already been used. If it has already been used it must now be
     // invalid and is removed.
     if (cr != null) {
       _httpClient._removeCredentials(cr);
       cr = null;
     }
     if (_httpClient._authenticate != null) {
@@ skipping 1623 matching lines @@
     if (this == BASIC) return "Basic";
     if (this == DIGEST) return "Digest";
     return "Unknown";
   }
 
   final int _scheme;
 }
 
 
 class _Credentials {
-  _Credentials(this.uri, this.realm, this.credentials);
+  _Credentials(this.uri, this.realm, this.credentials) {
+    // Calculate the H(A1) value once.
+    var hasher = new MD5();
+    hasher.add(credentials.username.codeUnits);

[Anders Johnsen, 2013/05/02 19:10:19]

Should we do any String encoding here, and below?

[Søren Gjesse, 2013/05/03 08:10:36]

Added UTF-8 encoding and moved the coment from line 2082.

All the remaining strings should be fine.

+    hasher.add([_CharCode.COLON]);
+    hasher.add(realm.codeUnits);
+    hasher.add([_CharCode.COLON]);
+    hasher.add(credentials.password.codeUnits);
+    ha1 = CryptoUtils.bytesToHex(hasher.close());
+  }
 
   _AuthenticationScheme get scheme => credentials.scheme;
 
   bool applies(Uri uri, _AuthenticationScheme scheme) {
     if (scheme != null && credentials.scheme != scheme) return false;
     if (uri.domain != this.uri.domain) return false;
     int thisPort =
         this.uri.port == 0 ? HttpClient.DEFAULT_HTTP_PORT : this.uri.port;
     int otherPort = uri.port == 0 ? HttpClient.DEFAULT_HTTP_PORT : uri.port;
     if (otherPort != thisPort) return false;
     return uri.path.startsWith(this.uri.path);
   }
 
   void authorize(HttpClientRequest request) {
+    // Digest credentials cannot be used without a nonce from the
+    // server.
+    if (credentials.scheme == _AuthenticationScheme.DIGEST &&
+        nonce == null) {
+      return;
+    }
     credentials.authorize(this, request);
     used = true;
   }
 
   bool used = false;
   Uri uri;
   String realm;
   _HttpClientCredentials credentials;
 
   // Digest specific fields.
+  String ha1;
   String nonce;
   String algorithm;
   String qop;
+  int nonceCount;
 }
 
 
 class _ProxyCredentials {
   _ProxyCredentials(this.host, this.port, this.realm, this.credentials);
 
   _AuthenticationScheme get scheme => credentials.scheme;
 
   bool applies(_Proxy proxy, _AuthenticationScheme scheme) {
     return proxy.host == host && proxy.port == port;
@@ skipping 51 matching lines @@
 
 
 class _HttpClientDigestCredentials
     extends _HttpClientCredentials
     implements HttpClientDigestCredentials {
   _HttpClientDigestCredentials(this.username,
                                this.password);
 
   _AuthenticationScheme get scheme => _AuthenticationScheme.DIGEST;
 
+  String authorization(_Credentials credentials, HttpClientRequest request) {
+    // There is no mentioning of username/password encoding in RFC
+    // 2617. However there is an open draft for adding an additional
+    // accept-charset parameter to the WWW-Authenticate and
+    // Proxy-Authenticate headers, see
+    // http://tools.ietf.org/html/draft-reschke-basicauth-enc-06. For
+    // now always use UTF-8 encoding.
+    MD5 hasher = new MD5();
+    hasher.add(request.method.codeUnits);
+    hasher.add([_CharCode.COLON]);
+    hasher.add(request.uri.path.codeUnits);
+    var ha2 = CryptoUtils.bytesToHex(hasher.close());
+
+    String qop;
+    String cnonce;
+    String nc;
+    var x;
+    hasher = new MD5();
+    hasher.add(credentials.ha1.codeUnits);
+    hasher.add([_CharCode.COLON]);
+    if (credentials.qop == "auth") {
+      qop = credentials.qop;
+      cnonce = CryptoUtils.bytesToHex(_IOCrypto.getRandomBytes(4));
+      nc = (++credentials.nonceCount).toRadixString(16);
+      nc = "00000000".substring(0, 8 - nc.length + 1) + nc;
+      hasher.add(credentials.nonce.codeUnits);
+      hasher.add([_CharCode.COLON]);
+      hasher.add(nc.codeUnits);
+      hasher.add([_CharCode.COLON]);
+      hasher.add(cnonce.codeUnits);
+      hasher.add([_CharCode.COLON]);
+      hasher.add(credentials.qop.codeUnits);
+      hasher.add([_CharCode.COLON]);
+      hasher.add(ha2.codeUnits);
+    } else {
+      hasher.add(credentials.nonce.codeUnits);
+      hasher.add([_CharCode.COLON]);
+      hasher.add(ha2.codeUnits);
+    }
+    var response = CryptoUtils.bytesToHex(hasher.close());
+
+    StringBuffer buffer = new StringBuffer();
+    buffer.write('Digest ');
+    buffer.write('username="$username"');
+    buffer.write(', realm="${credentials.realm}"');
+    buffer.write(', nonce="${credentials.nonce}"');
+    buffer.write(', uri="${request.uri.path}"');
+    buffer.write(', algorithm="${credentials.algorithm}"');
+    if (qop == "auth") {
+      buffer.write(', qop="$qop"');
+      buffer.write(', cnonce="$cnonce"');
+      buffer.write(', nc="$nc"');
+    }
+    buffer.write(', response="$response"');
+    return buffer.toString();
+  }
+
   void authorize(_Credentials credentials, HttpClientRequest request) {
-    // TODO(sgjesse): Implement!!!
-    throw new UnsupportedError("Digest authentication not yet supported");
+    request.headers.set(HttpHeaders.AUTHORIZATION, authorization(credentials, request));
   }
 
   void authorizeProxy(_ProxyCredentials credentials,
                       HttpClientRequest request) {
     // TODO(sgjesse): Implement!!!
     throw new UnsupportedError("Digest authentication not yet supported");
   }
 
   String username;
   String password;
 }
 
 
 class _RedirectInfo implements RedirectInfo {
   const _RedirectInfo(int this.statusCode,
                       String this.method,
                       Uri this.location);
   final int statusCode;
   final String method;
   final Uri location;
 }