[net/auth] Treat ERR_INVALID_HANDLE as a identity invalidating error.

net/http/http_auth_controller.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
@@ skipping 456 matching lines @@
   auth_info_ = new AuthChallengeInfo;
   auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY);
   auth_info_->challenger = url::Origin(auth_origin_);
   auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme());
   auth_info_->realm = handler_->realm();
 }
 
 int HttpAuthController::HandleGenerateTokenResult(int result) {
   DCHECK(CalledOnValidThread());
   switch (result) {
+    // Occurs if the credential handle is found to be invalid at the point it is
+    // exercised (i.e. GenerateAuthToken stage). We are going to consider this
+    // to be an error that invalidates the identity but not necessarily the
+    // scheme. Doing so allows a different identity to be used with the same
+    // scheme. See https://crbug.com/648366.
+    case ERR_INVALID_HANDLE:

[mmenke, 2016/11/16 22:44:23]

How do we get an invalid handle in the first place?

I guess this is similar enough to the ERR_INVALID_AUTH_CREDENTIALS case that
testing doesn't get us much, since we mock out the thing that's actually
returning the error.

[asanka, 2016/11/16 23:01:31]

It's possible for us to get a credentials handle, but then the platform deciding
that the handle is not valid for auth target when we get around to generating a
token.

+
+    // If the GenerateAuthToken call fails with this error, this means that the
+    // handler can no longer be used. However, the authentication scheme is
+    // considered still usable. This allows a scheme that attempted and failed
+    // to use default credentials to recover and use explicit credentials.
+    //
+    // The current handler may be tied to external state that is no longer
+    // valid, hence should be discarded. Since the scheme is still valid, a new
+    // handler can be created for the current scheme.
     case ERR_INVALID_AUTH_CREDENTIALS:
-      // If the GenerateAuthToken call fails with this error, this means that
-      // the handler can no longer be used. However, the authentication scheme
-      // is considered still usable. This allows a scheme that attempted and
-      // failed to use default credentials to recover and use explicit
-      // credentials.
-      //
-      // The current handler may be tied to external state that is no longer
-      // valid, hence should be discarded. Since the scheme is still valid, a
-      // new handler can be created for the current scheme.
       InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
       auth_token_.clear();
       return OK;
 
     // Occurs with GSSAPI, if the user has not already logged in.
     case ERR_MISSING_AUTH_CREDENTIALS:
 
     // Can occur with GSSAPI or SSPI if the underlying library reports
     // a permanent error.
     case ERR_UNSUPPORTED_AUTH_SCHEME:
@@ skipping 41 matching lines @@
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 void HttpAuthController::DisableEmbeddedIdentity() {
   DCHECK(CalledOnValidThread());
   embedded_identity_used_ = true;
 }
 
 }  // namespace net