Merge r25564 and r26588 from the trunk....

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/string_util.h"
@@ skipping 126 matching lines @@
       session_(session),
       request_(NULL),
       pac_request_(NULL),
       socket_factory_(csf),
       connection_(session->connection_pool()),
       reused_socket_(false),
       using_ssl_(false),
       proxy_mode_(kDirectConnection),
       establishing_tunnel_(false),
       reading_body_from_socket_(false),
+      embedded_identity_used_(false),
       request_headers_(new RequestHeaders()),
       request_headers_bytes_sent_(0),
       header_buf_(new ResponseHeaders()),
       header_buf_capacity_(0),
       header_buf_len_(0),
       header_buf_body_offset_(-1),
       header_buf_http_offset_(-1),
       response_body_length_(-1),  // -1 means unspecified.
       response_body_read_(0),
       read_buf_len_(0),
@@ skipping 90 matching lines @@
   DCHECK(auth_identity_[target].source != HttpAuth::IDENT_SRC_PATH_LOOKUP);
 
   // Add the auth entry to the cache before restarting. We don't know whether
   // the identity is valid yet, but if it is valid we want other transactions
   // to know about it. If an entry for (origin, handler->realm()) already
   // exists, we update it.
   //
   // If auth_identity_[target].source is HttpAuth::IDENT_SRC_NONE,
   // auth_identity_[target] contains no identity because identity is not
   // required yet.
+  //
+  // TODO(wtc): For NTLM_SSPI, we add the same auth entry to the cache in
+  // round 1 and round 2, which is redundant but correct.  It would be nice
+  // to add an auth entry to the cache only once, preferrably in round 1.
+  // See http://crbug.com/21015.
   bool has_auth_identity =
       auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE;
   if (has_auth_identity) {
     session_->auth_cache()->Add(AuthOrigin(target), auth_handler_[target],
         auth_identity_[target].username, auth_identity_[target].password,
         AuthPath(target));
   }
 
   bool keep_alive = false;
   if (response_.headers->IsKeepAlive()) {
     // If there is a response body of known length, we need to drain it first.
     if (response_body_length_ > 0 || chunked_decoder_.get()) {
       next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
       read_buf_ = new IOBuffer(kDrainBodyBufferSize);  // A bit bucket
       read_buf_len_ = kDrainBodyBufferSize;
       return;
     }
     if (response_body_length_ == 0)  // No response body to drain.
       keep_alive = true;
     // response_body_length_ is -1 and we're not using chunked encoding. We
     // don't know the length of the response body, so we can't reuse this
     // connection even though the server says it's keep-alive.
   }
 
-  // If the auth scheme is connection-based but the proxy/server mistakenly
-  // marks the connection as non-keep-alive, the auth is going to fail, so log
-  // an error message.
-  if (!keep_alive && auth_handler_[target]->is_connection_based() &&
-      has_auth_identity) {
-    LOG(ERROR) << "Can't perform " << auth_handler_[target]->scheme()
-               << " auth to the " << AuthTargetString(target) << " "
-               << AuthOrigin(target) << " over a non-keep-alive connection";
-
-    HttpVersion http_version = response_.headers->GetHttpVersion();
-    LOG(ERROR) << "  HTTP version is " << http_version.major_value() << "."
-               << http_version.minor_value();
-
-    std::string header_val;
-    void* iter = NULL;
-    while (response_.headers->EnumerateHeader(&iter, "connection",
-                                              &header_val)) {
-      LOG(ERROR) << "  Has header Connection: " << header_val;
-    }
-
-    iter = NULL;
-    while (response_.headers->EnumerateHeader(&iter, "proxy-connection",
-                                              &header_val)) {
-      LOG(ERROR) << "  Has header Proxy-Connection: " << header_val;
-    }
-
-    // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
-    // authentication with a "Proxy-Support: Session-Based-Authentication"
-    // response header.
-    iter = NULL;
-    while (response_.headers->EnumerateHeader(&iter, "proxy-support",
-                                              &header_val)) {
-      LOG(ERROR) << "  Has header Proxy-Support: " << header_val;
-    }
-  }
-
   // We don't need to drain the response body, so we act as if we had drained
   // the response body.
   DidDrainBodyForAuthRestart(keep_alive);
 }
 
 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
   if (keep_alive) {
     next_state_ = STATE_WRITE_HEADERS;
     reused_socket_ = true;
   } else {
@@ skipping 399 matching lines @@
         ShouldApplyProxyAuth() &&
         (HaveAuth(HttpAuth::AUTH_PROXY) ||
          SelectPreemptiveAuth(HttpAuth::AUTH_PROXY));
     bool have_server_auth =
         ShouldApplyServerAuth() &&
         (HaveAuth(HttpAuth::AUTH_SERVER) ||
          SelectPreemptiveAuth(HttpAuth::AUTH_SERVER));
 
     std::string authorization_headers;
 
+    // TODO(wtc): If BuildAuthorizationHeader fails (returns an authorization
+    // header with no credentials), we should return an error to prevent
+    // entering an infinite auth restart loop.  See http://crbug.com/21050.
     if (have_proxy_auth)
       authorization_headers.append(
           BuildAuthorizationHeader(HttpAuth::AUTH_PROXY));
     if (have_server_auth)
       authorization_headers.append(
           BuildAuthorizationHeader(HttpAuth::AUTH_SERVER));
 
     if (establishing_tunnel_) {
       BuildTunnelRequest(request_, authorization_headers,
                          &request_headers_->headers_);
@@ skipping 864 matching lines @@
   }
   return false;
 }
 
 bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
     HttpAuth::Target target) {
   DCHECK(auth_handler_[target]);
   DCHECK(auth_identity_[target].invalid);
 
   // Try to use the username/password encoded into the URL first.
-  // (By checking source == IDENT_SRC_NONE, we make sure that this
-  // is only done once for the transaction.)
   if (target == HttpAuth::AUTH_SERVER && request_->url.has_username() &&
-      auth_identity_[target].source == HttpAuth::IDENT_SRC_NONE) {
+      !embedded_identity_used_) {
     auth_identity_[target].source = HttpAuth::IDENT_SRC_URL;
     auth_identity_[target].invalid = false;
     // TODO(wtc) It may be necessary to unescape the username and password
     // after extracting them from the URL.  We should be careful about
     // embedded nulls in that case.
     auth_identity_[target].username = ASCIIToWide(request_->url.username());
     auth_identity_[target].password = ASCIIToWide(request_->url.password());
+    embedded_identity_used_ = true;
     // TODO(eroman): If the password is blank, should we also try combining
     // with a password from the cache?
     return true;
   }
 
   // Check the auth cache for a realm entry.
   HttpAuthCache::Entry* entry = session_->auth_cache()->LookupByRealm(
       AuthOrigin(target), auth_handler_[target]->realm());
 
   if (entry) {
@@ skipping 63 matching lines @@
       HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
 
   LOG(INFO) << "The " << AuthTargetString(target) << " "
             << AuthOrigin(target) << " requested auth"
             << AuthChallengeLogMessage();
 
   if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
     return ERR_UNEXPECTED_PROXY_AUTH;
 
   // The auth we tried just failed, hence it can't be valid. Remove it from
-  // the cache so it won't be used again, unless it's a null identity.
-  if (HaveAuth(target) &&
-      auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE)
+  // the cache so it won't be used again.
+  // TODO(wtc): IsFinalRound is not the right condition.  In a multi-round
+  // auth sequence, the server may fail the auth in round 1 if our first
+  // authorization header is broken.  We should inspect response_.headers to
+  // determine if the server already failed the auth or wants us to continue.
+  // See http://crbug.com/21015.
+  if (HaveAuth(target) && auth_handler_[target]->IsFinalRound()) {
     InvalidateRejectedAuthFromCache(target);
+    auth_handler_[target] = NULL;
+    auth_identity_[target] = HttpAuth::Identity();
+  }
 
   auth_identity_[target].invalid = true;
 
   if (target != HttpAuth::AUTH_SERVER ||
       !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA)) {
     // Find the best authentication challenge that we support.
     HttpAuth::ChooseBestChallenge(response_.headers.get(),
                                   target,
+                                  AuthOrigin(target),
                                   &auth_handler_[target]);
   }
 
   if (!auth_handler_[target]) {
     if (establishing_tunnel_) {
       LOG(ERROR) << "Can't perform auth to the " << AuthTargetString(target)
                  << " " << AuthOrigin(target)
                  << " when establishing a tunnel"
                  << AuthChallengeLogMessage();
 
       // We are establishing a tunnel, we can't show the error page because an
       // active network attacker could control its contents.  Instead, we just
       // fail to establish the tunnel.
       DCHECK(target == HttpAuth::AUTH_PROXY);
       return ERR_PROXY_AUTH_REQUESTED;
     }
     // We found no supported challenge -- let the transaction continue
     // so we end up displaying the error page.
     return OK;
   }
 
   if (auth_handler_[target]->NeedsIdentity()) {
     // Pick a new auth identity to try, by looking to the URL and auth cache.
     // If an identity to try is found, it is saved to auth_identity_[target].
     SelectNextAuthIdentityToTry(target);
   } else {
-    // Proceed with a null identity.
+    // Proceed with the existing identity or a null identity.
     //
     // TODO(wtc): Add a safeguard against infinite transaction restarts, if
     // the server keeps returning "NTLM".
-    auth_identity_[target].source = HttpAuth::IDENT_SRC_NONE;
     auth_identity_[target].invalid = false;
-    auth_identity_[target].username.clear();
-    auth_identity_[target].password.clear();
   }
 
   // Make a note that we are waiting for auth. This variable is inspected
   // when the client calls RestartWithAuth() to pick up where we left off.
   pending_auth_target_ = target;
 
   if (auth_identity_[target].invalid) {
     // We have exhausted all identity possibilities, all we can do now is
     // pass the challenge information back to the client.
     PopulateAuthChallenge(target);
   }
   return OK;
 }
 
 void HttpNetworkTransaction::PopulateAuthChallenge(HttpAuth::Target target) {
   // Populates response_.auth_challenge with the authentication challenge info.
   // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
 
   AuthChallengeInfo* auth_info = new AuthChallengeInfo;
   auth_info->is_proxy = target == HttpAuth::AUTH_PROXY;
+  auth_info->host_and_port = ASCIIToWide(GetHostAndPort(AuthOrigin(target)));
   auth_info->scheme = ASCIIToWide(auth_handler_[target]->scheme());
   // TODO(eroman): decode realm according to RFC 2047.
   auth_info->realm = ASCIIToWide(auth_handler_[target]->realm());
-
-  std::string host_and_port;
-  if (target == HttpAuth::AUTH_PROXY) {
-    host_and_port = proxy_info_.proxy_server().host_and_port();
-  } else {
-    DCHECK(target == HttpAuth::AUTH_SERVER);
-    host_and_port = GetHostAndPort(request_->url);
-  }
-  auth_info->host_and_port = ASCIIToWide(host_and_port);
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net