[Merge M55] [net/auth] Deal better with ERR_INVALID_AUTH_CREDENTIALS error.

net/http/http_auth_controller.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
@@ skipping 138 matching lines @@
   bool needs_auth = HaveAuth() || SelectPreemptiveAuth(net_log);
   if (!needs_auth)
     return OK;
   const AuthCredentials* credentials = NULL;
   if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS)
     credentials = &identity_.credentials;
   DCHECK(auth_token_.empty());
   DCHECK(callback_.is_null());
   int rv = handler_->GenerateAuthToken(
       credentials, request,
-      base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
+      base::Bind(&HttpAuthController::OnGenerateAuthTokenDone,
+                 base::Unretained(this)),
       &auth_token_);
-  if (DisableOnAuthHandlerResult(rv))
-    rv = OK;
-  if (rv == ERR_IO_PENDING)
+
+  if (rv == ERR_IO_PENDING) {
     callback_ = callback;
-  else
-    OnIOComplete(rv);
-  return rv;
+    return rv;
+  }
+
+  return HandleGenerateTokenResult(rv);
 }
 
 bool HttpAuthController::SelectPreemptiveAuth(const NetLogWithSource& net_log) {
   DCHECK(CalledOnValidThread());
   DCHECK(!HaveAuth());
   DCHECK(identity_.invalid);
 
   // Don't do preemptive authorization if the URL contains a username:password,
   // since we must first be challenged in order to use the URL's identity.
   if (auth_url_.has_username())
@@ skipping 286 matching lines @@
   // Populates response_.auth_challenge with the authentication challenge info.
   // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
 
   auth_info_ = new AuthChallengeInfo;
   auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY);
   auth_info_->challenger = url::Origin(auth_origin_);
   auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme());
   auth_info_->realm = handler_->realm();
 }
 
-bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
+int HttpAuthController::HandleGenerateTokenResult(int result) {
   DCHECK(CalledOnValidThread());
+  switch (result) {
+    // Occurs if the credential handle is found to be invalid at the point it is
+    // exercised (i.e. GenerateAuthToken stage). We are going to consider this
+    // to be an error that invalidates the identity but not necessarily the
+    // scheme. Doing so allows a different identity to be used with the same
+    // scheme. See https://crbug.com/648366.
+    case ERR_INVALID_HANDLE:
 
-  switch (result) {
+    // If the GenerateAuthToken call fails with this error, this means that the
+    // handler can no longer be used. However, the authentication scheme is
+    // considered still usable. This allows a scheme that attempted and failed
+    // to use default credentials to recover and use explicit credentials.
+    //
+    // The current handler may be tied to external state that is no longer
+    // valid, hence should be discarded. Since the scheme is still valid, a new
+    // handler can be created for the current scheme.
+    case ERR_INVALID_AUTH_CREDENTIALS:
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      auth_token_.clear();
+      return OK;
+
     // Occurs with GSSAPI, if the user has not already logged in.
     case ERR_MISSING_AUTH_CREDENTIALS:
 
     // Can occur with GSSAPI or SSPI if the underlying library reports
     // a permanent error.
     case ERR_UNSUPPORTED_AUTH_SCHEME:
 
     // These two error codes represent failures we aren't handling.
     case ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS:
     case ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS:
 
     // Can be returned by SSPI if the authenticating authority or
     // target is not known.
     case ERR_MISCONFIGURED_AUTH_ENVIRONMENT:
 
       // In these cases, disable the current scheme as it cannot
       // succeed.
-      DisableAuthScheme(handler_->auth_scheme());
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME);
       auth_token_.clear();
-      return true;
+      return OK;
 
     default:
-      return false;
+      return result;
   }
 }
 
-void HttpAuthController::OnIOComplete(int result) {
+void HttpAuthController::OnGenerateAuthTokenDone(int result) {
   DCHECK(CalledOnValidThread());
-  if (DisableOnAuthHandlerResult(result))
-    result = OK;
+  result = HandleGenerateTokenResult(result);
   if (!callback_.is_null()) {
     CompletionCallback c = callback_;
     callback_.Reset();
     c.Run(result);
   }
 }
 
 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() {
   DCHECK(CalledOnValidThread());
   return auth_info_;
 }
 
 bool HttpAuthController::IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const {
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 void HttpAuthController::DisableEmbeddedIdentity() {
   DCHECK(CalledOnValidThread());
   embedded_identity_used_ = true;
 }
 
 }  // namespace net