[Merge M55] [net/auth] Deal better with ERR_INVALID_AUTH_CREDENTIALS error.

net/http/http_auth_controller.cc

Index: net/http/http_auth_controller.cc
diff --git a/net/http/http_auth_controller.cc b/net/http/http_auth_controller.cc
index 15725b44b9f0dd8cf480d6fd0454c65194333cb5..d7d5f0608f92148e18bebc0bc60b01c753fe91c2 100644
--- a/net/http/http_auth_controller.cc
+++ b/net/http/http_auth_controller.cc
@@ -156,15 +156,16 @@ int HttpAuthController::MaybeGenerateAuthToken(
   DCHECK(callback_.is_null());
   int rv = handler_->GenerateAuthToken(
       credentials, request,
-      base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
+      base::Bind(&HttpAuthController::OnGenerateAuthTokenDone,
+                 base::Unretained(this)),
       &auth_token_);
-  if (DisableOnAuthHandlerResult(rv))
-    rv = OK;
-  if (rv == ERR_IO_PENDING)
+
+  if (rv == ERR_IO_PENDING) {
     callback_ = callback;
-  else
-    OnIOComplete(rv);
-  return rv;
+    return rv;
+  }
+
+  return HandleGenerateTokenResult(rv);
 }
 
 bool HttpAuthController::SelectPreemptiveAuth(const NetLogWithSource& net_log) {
@@ -471,10 +472,29 @@ void HttpAuthController::PopulateAuthChallenge() {
   auth_info_->realm = handler_->realm();
 }
 
-bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
+int HttpAuthController::HandleGenerateTokenResult(int result) {
   DCHECK(CalledOnValidThread());
-
   switch (result) {
+    // Occurs if the credential handle is found to be invalid at the point it is
+    // exercised (i.e. GenerateAuthToken stage). We are going to consider this
+    // to be an error that invalidates the identity but not necessarily the
+    // scheme. Doing so allows a different identity to be used with the same
+    // scheme. See https://crbug.com/648366.
+    case ERR_INVALID_HANDLE:
+
+    // If the GenerateAuthToken call fails with this error, this means that the
+    // handler can no longer be used. However, the authentication scheme is
+    // considered still usable. This allows a scheme that attempted and failed
+    // to use default credentials to recover and use explicit credentials.
+    //
+    // The current handler may be tied to external state that is no longer
+    // valid, hence should be discarded. Since the scheme is still valid, a new
+    // handler can be created for the current scheme.
+    case ERR_INVALID_AUTH_CREDENTIALS:
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+      auth_token_.clear();
+      return OK;
+
     // Occurs with GSSAPI, if the user has not already logged in.
     case ERR_MISSING_AUTH_CREDENTIALS:
 
@@ -492,19 +512,18 @@ bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
 
       // In these cases, disable the current scheme as it cannot
       // succeed.
-      DisableAuthScheme(handler_->auth_scheme());
+      InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME);
       auth_token_.clear();
-      return true;
+      return OK;
 
     default:
-      return false;
+      return result;
   }
 }
 
-void HttpAuthController::OnIOComplete(int result) {
+void HttpAuthController::OnGenerateAuthTokenDone(int result) {
   DCHECK(CalledOnValidThread());
-  if (DisableOnAuthHandlerResult(result))
-    result = OK;
+  result = HandleGenerateTokenResult(result);
   if (!callback_.is_null()) {
     CompletionCallback c = callback_;
     callback_.Reset();