[net/auth] Don't abort network transaction over non-permanent auth errors.

net/http/http_auth_controller.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
@@ skipping 140 matching lines @@
     return OK;
   const AuthCredentials* credentials = NULL;
   if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS)
     credentials = &identity_.credentials;
   DCHECK(auth_token_.empty());
   DCHECK(callback_.is_null());
   int rv = handler_->GenerateAuthToken(
       credentials, request,
       base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
       &auth_token_);
-  if (DisableOnAuthHandlerResult(rv))
-    rv = OK;
+  rv = HandleGenerateTokenResult(rv);
   if (rv == ERR_IO_PENDING)
     callback_ = callback;
   else
     OnIOComplete(rv);

[mmenke, 2016/10/04 19:42:14]

OnIOComplete calls HandleGenerateTokenResult itself, which seems weird...Also,
won't callback be NULL at this point, so this OnIOComplete call effectively does
nothing?  Or am I missing something?  Know this is old code, just trying to
understand what's going on.

[asanka, 2016/10/06 14:16:35]

Thanks for catching this. I moved things around so it's clearer what happens.
The OnIOComplete() callback wasn't doing anything.

   return rv;
 }
 
 bool HttpAuthController::SelectPreemptiveAuth(const NetLogWithSource& net_log) {
   DCHECK(CalledOnValidThread());
   DCHECK(!HaveAuth());
   DCHECK(identity_.invalid);
 
   // Don't do preemptive authorization if the URL contains a username:password,
   // since we must first be challenged in order to use the URL's identity.
@@ skipping 287 matching lines @@
   // Populates response_.auth_challenge with the authentication challenge info.
   // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
 
   auth_info_ = new AuthChallengeInfo;
   auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY);
   auth_info_->challenger = url::Origin(auth_origin_);
   auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme());
   auth_info_->realm = handler_->realm();
 }
 
-bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
+int HttpAuthController::HandleGenerateTokenResult(int result) {
   DCHECK(CalledOnValidThread());
+  switch (result) {
+    case ERR_INVALID_AUTH_CREDENTIALS:
+      // If the GenerateAuthToken call fails with this error, this means that
+      // the handler can no longer be used. However, the authentication scheme
+      // is considered still usable. This allows a scheme that attempted and
+      // failed to use default credentials to recover and use explicit
+      // credentials.
+      //
+      // If the handler does not support any remaining identity sources, then
+      // the authentication controller will pick another authentication handler.
+      auth_token_.clear();
+      return OK;

[mmenke, 2016/10/04 19:42:14]

So this makes us send a new request, without a token, get a new challenge, and
start the process over from scratch?  What happens if the server hangs up on us
when we retry?

[asanka, 2016/10/06 14:16:35]

Either an error displayed to the user, or depending on when the socket was found
to be disconnected, we'll reconnect and proceed as if we saw a "Connection:
close". Although I think I'm misunderstanding the question?

 
-  switch (result) {
     // Occurs with GSSAPI, if the user has not already logged in.
     case ERR_MISSING_AUTH_CREDENTIALS:

[mmenke, 2016/10/04 19:42:14]

We get ERR_INVALID_AUTH_CREDENTIALS instead of ERR_MISSING_AUTH_CREDENTIALS in
the case you describe, where we get credentials from the system for the first
round, but not for the second?

[asanka, 2016/10/06 14:16:35]

Initially we ask the system whether we can initiate an authentication handshake
with the target server. We'd see a ERR_MISSING_AUTH_CREDENTIALS trickle down the
system if the system believes we don't have credentials that can be used to
authenticate with the target.

ERR_INVALID_AUTH_CREDENTIALS is seen when the system attempts to use
credentials, but discovers that the credentials cannot be used with the target
partway through the handshake. The credentials aren't missing, they just were
not valid for use with the target.

 
     // Can occur with GSSAPI or SSPI if the underlying library reports
     // a permanent error.
     case ERR_UNSUPPORTED_AUTH_SCHEME:
 
     // These two error codes represent failures we aren't handling.
     case ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS:
     case ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS:
 
     // Can be returned by SSPI if the authenticating authority or
     // target is not known.
     case ERR_MISCONFIGURED_AUTH_ENVIRONMENT:
 
       // In these cases, disable the current scheme as it cannot
       // succeed.
       DisableAuthScheme(handler_->auth_scheme());
       auth_token_.clear();
-      return true;
+      return OK;
 
     default:
-      return false;
+      return result;
   }
 }
 
 void HttpAuthController::OnIOComplete(int result) {
   DCHECK(CalledOnValidThread());
-  if (DisableOnAuthHandlerResult(result))
-    result = OK;
+  result = HandleGenerateTokenResult(result);
   if (!callback_.is_null()) {
     CompletionCallback c = callback_;
     callback_.Reset();
     c.Run(result);
   }
 }
 
 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() {
   DCHECK(CalledOnValidThread());
   return auth_info_;
 }
 
 bool HttpAuthController::IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const {
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 void HttpAuthController::DisableEmbeddedIdentity() {
   DCHECK(CalledOnValidThread());
   embedded_identity_used_ = true;
 }
 
 }  // namespace net