Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1010)

Issue 2382293004: [net/auth] Don't abort network transaction over non-permanent auth errors. (Closed)

Created:
4 years, 2 months ago by asanka
Modified:
4 years, 2 months ago
Reviewers:
mmenke
CC:
cbentzel+watch_chromium.org, chromium-reviews
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

[net/auth] Don't abort network transaction over non-permanent auth errors. A multi-round authentication handshake may break partway through with an error that indicates that the credentials used were invalid. With GSSAPI we've seen this come up when the underlying library attempted to authenticate against an endpoint even though no valid credentials were available to finish the handshake. On Windows, this is now possible since KB3189866. Due to the fact that the underlying libraries attempt to start the authentication handshake, the HttpNetworkTransaction proceeds past the point where the HttpAuthController accepts the challenge and picks an identity to use for the handshake. However, when the time comes to generate a token, which happens just prior to sending the next HTTP request, the HttpAuthController fails the operation with an ERR_INVALID_AUTH_CREDENTIALS error. The state machine can't proceed past this error and the user ends up looking at an error page. e.g.: C->S : GET something S->C : HTTP/1.1 401 You shall not pass WWW-Authenticate: Negotiate C->[underlying authentication library, hereafter called UAL] : "Can you authenticate to example.com?" [UAL]->C: "Sure thing. Here's a token to get started : [token1]" C->S : GET something Authorization: Negotiate [token1] S->C : HTTP/1.1 401 Need moar authentication WWW-Authenticate: Negotiate [token2] C->[UAL]: "example.com gave us [token2]. What should we do now?" [UAL]->C: "LOL. Who knows? Look a squirrel!" C: ... C: Shows ERR_INVALID_AUTH_CREDENTIALS to the user. This should be considered a permanent error if there is actually no other way to proceed. However, if there are other authentication schemes to try, or if the initial authentication attempt was made using ambient credentials and the scheme supports explicit credentials, then those should be attempted next. This CL changes the response of the network stack at the final step to restart the network transaction by sending a request with no Authorization header. This signals to the server that the client is restarting the authentication handshake. It can then start over at which point the client can attempt to use a different identity or a different authentication scheme to proceed. R=mmenke BUG=648366 Committed: https://crrev.com/e2257db89c38e2846d27a6de41a1ed4804ee5cab Cr-Commit-Position: refs/heads/master@{#424563}

Patch Set 1 #

Total comments: 18

Patch Set 2 : Address comments #

Total comments: 5

Patch Set 3 : Improve testing #

Patch Set 4 : Don't change auth_info_ lifetime. #

Patch Set 5 : Add two hard fail test cases. #

Patch Set 6 : Moar tests. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+287 lines, -50 lines) Patch
M net/http/http_auth_controller.h View 1 1 chunk +4 lines, -4 lines 0 comments Download
M net/http/http_auth_controller.cc View 1 3 3 chunks +22 lines, -12 lines 0 comments Download
M net/http/http_auth_controller_unittest.cc View 1 1 chunk +9 lines, -2 lines 0 comments Download
M net/http/http_network_transaction_unittest.cc View 1 2 3 4 5 25 chunks +252 lines, -32 lines 0 comments Download

Messages

Total messages: 33 (15 generated)
asanka
https://codereview.chromium.org/2382293004/diff/1/net/http/http_network_transaction_unittest.cc File net/http/http_network_transaction_unittest.cc (right): https://codereview.chromium.org/2382293004/diff/1/net/http/http_network_transaction_unittest.cc#newcode11554 net/http/http_network_transaction_unittest.cc:11554: {TestRound(kGet, kServerChallenge, OK), TestRound(kGet, kSuccess, OK)}}, The implication here ...
4 years, 2 months ago (2016-09-30 22:57:11 UTC) #1
mmenke
I'll try to get to this today, but may not get to it until tomorrow ...
4 years, 2 months ago (2016-10-03 15:08:32 UTC) #6
asanka
On 2016/10/03 at 15:08:32, mmenke wrote: > I'll try to get to this today, but ...
4 years, 2 months ago (2016-10-03 15:16:25 UTC) #7
mmenke
Sorry for all the questions, but I always have trouble figuring out how the auth ...
4 years, 2 months ago (2016-10-04 19:42:15 UTC) #8
asanka
https://codereview.chromium.org/2382293004/diff/1/net/http/http_auth_controller.cc File net/http/http_auth_controller.cc (right): https://codereview.chromium.org/2382293004/diff/1/net/http/http_auth_controller.cc#newcode165 net/http/http_auth_controller.cc:165: OnIOComplete(rv); On 2016/10/04 at 19:42:14, mmenke wrote: > OnIOComplete ...
4 years, 2 months ago (2016-10-06 14:16:35 UTC) #9
mmenke
Sorry for the delay on this one - I want to better understand the tests. ...
4 years, 2 months ago (2016-10-10 20:07:53 UTC) #10
mmenke
Thanks for bearing. Think I have a reasonable handle on these now, just a couple ...
4 years, 2 months ago (2016-10-10 21:06:10 UTC) #11
mmenke
Thanks for bearing with me, rather. On 2016/10/10 21:06:10, mmenke wrote: > Thanks for bearing. ...
4 years, 2 months ago (2016-10-10 21:11:49 UTC) #12
asanka
PTAL? Made the test changes. https://codereview.chromium.org/2382293004/diff/20001/net/http/http_network_transaction_unittest.cc File net/http/http_network_transaction_unittest.cc (right): https://codereview.chromium.org/2382293004/diff/20001/net/http/http_network_transaction_unittest.cc#newcode11561 net/http/http_network_transaction_unittest.cc:11561: {TestRound(kGet, kServerChallenge, OK), TestRound(kGet, ...
4 years, 2 months ago (2016-10-11 19:47:26 UTC) #14
mmenke
PS4 LGTM, modulo comment about the hard failures (Basically, where we had tests with ERR_INVALID_AUTH_CREDENTIALS ...
4 years, 2 months ago (2016-10-11 20:02:19 UTC) #16
asanka
On 2016/10/11 at 20:02:19, mmenke wrote: > PS4 LGTM, modulo comment about the hard failures ...
4 years, 2 months ago (2016-10-11 20:14:19 UTC) #17
mmenke
On 2016/10/11 20:14:19, asanka wrote: > On 2016/10/11 at 20:02:19, mmenke wrote: > > PS4 ...
4 years, 2 months ago (2016-10-11 20:15:43 UTC) #20
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2382293004/100001
4 years, 2 months ago (2016-10-11 20:33:04 UTC) #25
commit-bot: I haz the power
Try jobs failed on following builders: mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/312556)
4 years, 2 months ago (2016-10-11 20:57:27 UTC) #27
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2382293004/100001
4 years, 2 months ago (2016-10-11 21:09:51 UTC) #29
asanka
On 2016/10/11 at 20:15:43, mmenke wrote: > On 2016/10/11 20:14:19, asanka wrote: > > On ...
4 years, 2 months ago (2016-10-11 21:29:53 UTC) #30
commit-bot: I haz the power
Committed patchset #6 (id:100001)
4 years, 2 months ago (2016-10-11 22:03:38 UTC) #31
commit-bot: I haz the power
4 years, 2 months ago (2016-10-11 22:06:07 UTC) #33
Message was sent while issue was closed.
Patchset 6 (id:??) landed as
https://crrev.com/e2257db89c38e2846d27a6de41a1ed4804ee5cab
Cr-Commit-Position: refs/heads/master@{#424563}

Powered by Google App Engine
This is Rietveld 408576698