| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_auth_controller.h" | 5 #include "net/http/http_auth_controller.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/metrics/histogram_macros.h" | 9 #include "base/metrics/histogram_macros.h" |
| 10 #include "base/strings/string_util.h" | 10 #include "base/strings/string_util.h" |
| (...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 131 auth_url_(auth_url), | 131 auth_url_(auth_url), |
| 132 auth_origin_(auth_url.GetOrigin()), | 132 auth_origin_(auth_url.GetOrigin()), |
| 133 auth_path_(HttpAuth::AUTH_PROXY ? std::string() : auth_url.path()), | 133 auth_path_(HttpAuth::AUTH_PROXY ? std::string() : auth_url.path()), |
| 134 embedded_identity_used_(false), | 134 embedded_identity_used_(false), |
| 135 default_credentials_used_(false), | 135 default_credentials_used_(false), |
| 136 http_auth_cache_(http_auth_cache), | 136 http_auth_cache_(http_auth_cache), |
| 137 http_auth_handler_factory_(http_auth_handler_factory) { | 137 http_auth_handler_factory_(http_auth_handler_factory) { |
| 138 } | 138 } |
| 139 | 139 |
| 140 HttpAuthController::~HttpAuthController() { | 140 HttpAuthController::~HttpAuthController() { |
| 141 DCHECK(CalledOnValidThread()); | 141 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 142 } | 142 } |
| 143 | 143 |
| 144 int HttpAuthController::MaybeGenerateAuthToken( | 144 int HttpAuthController::MaybeGenerateAuthToken( |
| 145 const HttpRequestInfo* request, | 145 const HttpRequestInfo* request, |
| 146 const CompletionCallback& callback, | 146 const CompletionCallback& callback, |
| 147 const NetLogWithSource& net_log) { | 147 const NetLogWithSource& net_log) { |
| 148 DCHECK(CalledOnValidThread()); | 148 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 149 DCHECK(!auth_info_); | 149 DCHECK(!auth_info_); |
| 150 bool needs_auth = HaveAuth() || SelectPreemptiveAuth(net_log); | 150 bool needs_auth = HaveAuth() || SelectPreemptiveAuth(net_log); |
| 151 if (!needs_auth) | 151 if (!needs_auth) |
| 152 return OK; | 152 return OK; |
| 153 const AuthCredentials* credentials = NULL; | 153 const AuthCredentials* credentials = NULL; |
| 154 if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS) | 154 if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS) |
| 155 credentials = &identity_.credentials; | 155 credentials = &identity_.credentials; |
| 156 DCHECK(auth_token_.empty()); | 156 DCHECK(auth_token_.empty()); |
| 157 DCHECK(callback_.is_null()); | 157 DCHECK(callback_.is_null()); |
| 158 int rv = handler_->GenerateAuthToken( | 158 int rv = handler_->GenerateAuthToken( |
| 159 credentials, request, | 159 credentials, request, |
| 160 base::Bind(&HttpAuthController::OnGenerateAuthTokenDone, | 160 base::Bind(&HttpAuthController::OnGenerateAuthTokenDone, |
| 161 base::Unretained(this)), | 161 base::Unretained(this)), |
| 162 &auth_token_); | 162 &auth_token_); |
| 163 | 163 |
| 164 if (rv == ERR_IO_PENDING) { | 164 if (rv == ERR_IO_PENDING) { |
| 165 callback_ = callback; | 165 callback_ = callback; |
| 166 return rv; | 166 return rv; |
| 167 } | 167 } |
| 168 | 168 |
| 169 return HandleGenerateTokenResult(rv); | 169 return HandleGenerateTokenResult(rv); |
| 170 } | 170 } |
| 171 | 171 |
| 172 bool HttpAuthController::SelectPreemptiveAuth(const NetLogWithSource& net_log) { | 172 bool HttpAuthController::SelectPreemptiveAuth(const NetLogWithSource& net_log) { |
| 173 DCHECK(CalledOnValidThread()); | 173 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 174 DCHECK(!HaveAuth()); | 174 DCHECK(!HaveAuth()); |
| 175 DCHECK(identity_.invalid); | 175 DCHECK(identity_.invalid); |
| 176 | 176 |
| 177 // Don't do preemptive authorization if the URL contains a username:password, | 177 // Don't do preemptive authorization if the URL contains a username:password, |
| 178 // since we must first be challenged in order to use the URL's identity. | 178 // since we must first be challenged in order to use the URL's identity. |
| 179 if (auth_url_.has_username()) | 179 if (auth_url_.has_username()) |
| 180 return false; | 180 return false; |
| 181 | 181 |
| 182 // SelectPreemptiveAuth() is on the critical path for each request, so it | 182 // SelectPreemptiveAuth() is on the critical path for each request, so it |
| 183 // is expected to be fast. LookupByPath() is fast in the common case, since | 183 // is expected to be fast. LookupByPath() is fast in the common case, since |
| (...skipping 17 matching lines...) Expand all Loading... |
| 201 // Set the state | 201 // Set the state |
| 202 identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP; | 202 identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP; |
| 203 identity_.invalid = false; | 203 identity_.invalid = false; |
| 204 identity_.credentials = entry->credentials(); | 204 identity_.credentials = entry->credentials(); |
| 205 handler_.swap(handler_preemptive); | 205 handler_.swap(handler_preemptive); |
| 206 return true; | 206 return true; |
| 207 } | 207 } |
| 208 | 208 |
| 209 void HttpAuthController::AddAuthorizationHeader( | 209 void HttpAuthController::AddAuthorizationHeader( |
| 210 HttpRequestHeaders* authorization_headers) { | 210 HttpRequestHeaders* authorization_headers) { |
| 211 DCHECK(CalledOnValidThread()); | 211 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 212 DCHECK(HaveAuth()); | 212 DCHECK(HaveAuth()); |
| 213 // auth_token_ can be empty if we encountered a permanent error with | 213 // auth_token_ can be empty if we encountered a permanent error with |
| 214 // the auth scheme and want to retry. | 214 // the auth scheme and want to retry. |
| 215 if (!auth_token_.empty()) { | 215 if (!auth_token_.empty()) { |
| 216 authorization_headers->SetHeader( | 216 authorization_headers->SetHeader( |
| 217 HttpAuth::GetAuthorizationHeaderName(target_), auth_token_); | 217 HttpAuth::GetAuthorizationHeaderName(target_), auth_token_); |
| 218 auth_token_.clear(); | 218 auth_token_.clear(); |
| 219 } | 219 } |
| 220 } | 220 } |
| 221 | 221 |
| 222 int HttpAuthController::HandleAuthChallenge( | 222 int HttpAuthController::HandleAuthChallenge( |
| 223 scoped_refptr<HttpResponseHeaders> headers, | 223 scoped_refptr<HttpResponseHeaders> headers, |
| 224 const SSLInfo& ssl_info, | 224 const SSLInfo& ssl_info, |
| 225 bool do_not_send_server_auth, | 225 bool do_not_send_server_auth, |
| 226 bool establishing_tunnel, | 226 bool establishing_tunnel, |
| 227 const NetLogWithSource& net_log) { | 227 const NetLogWithSource& net_log) { |
| 228 DCHECK(CalledOnValidThread()); | 228 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 229 DCHECK(headers.get()); | 229 DCHECK(headers.get()); |
| 230 DCHECK(auth_origin_.is_valid()); | 230 DCHECK(auth_origin_.is_valid()); |
| 231 DCHECK(!auth_info_); | 231 DCHECK(!auth_info_); |
| 232 | 232 |
| 233 // Give the existing auth handler first try at the authentication headers. | 233 // Give the existing auth handler first try at the authentication headers. |
| 234 // This will also evict the entry in the HttpAuthCache if the previous | 234 // This will also evict the entry in the HttpAuthCache if the previous |
| 235 // challenge appeared to be rejected, or is using a stale nonce in the Digest | 235 // challenge appeared to be rejected, or is using a stale nonce in the Digest |
| 236 // case. | 236 // case. |
| 237 if (HaveAuth()) { | 237 if (HaveAuth()) { |
| 238 std::string challenge_used; | 238 std::string challenge_used; |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 332 // If we get here and we don't have a handler_, that's because we | 332 // If we get here and we don't have a handler_, that's because we |
| 333 // invalidated it due to not having any viable identities to use with it. Go | 333 // invalidated it due to not having any viable identities to use with it. Go |
| 334 // back and try again. | 334 // back and try again. |
| 335 // TODO(asanka): Instead we should create a priority list of | 335 // TODO(asanka): Instead we should create a priority list of |
| 336 // <handler,identity> and iterate through that. | 336 // <handler,identity> and iterate through that. |
| 337 } while(!handler_.get()); | 337 } while(!handler_.get()); |
| 338 return OK; | 338 return OK; |
| 339 } | 339 } |
| 340 | 340 |
| 341 void HttpAuthController::ResetAuth(const AuthCredentials& credentials) { | 341 void HttpAuthController::ResetAuth(const AuthCredentials& credentials) { |
| 342 DCHECK(CalledOnValidThread()); | 342 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 343 DCHECK(identity_.invalid || credentials.Empty()); | 343 DCHECK(identity_.invalid || credentials.Empty()); |
| 344 | 344 |
| 345 if (identity_.invalid) { | 345 if (identity_.invalid) { |
| 346 // Update the credentials. | 346 // Update the credentials. |
| 347 identity_.source = HttpAuth::IDENT_SRC_EXTERNAL; | 347 identity_.source = HttpAuth::IDENT_SRC_EXTERNAL; |
| 348 identity_.invalid = false; | 348 identity_.invalid = false; |
| 349 identity_.credentials = credentials; | 349 identity_.credentials = credentials; |
| 350 | 350 |
| 351 // auth_info_ is no longer necessary. | 351 // auth_info_ is no longer necessary. |
| 352 auth_info_ = nullptr; | 352 auth_info_ = nullptr; |
| (...skipping 30 matching lines...) Expand all Loading... |
| 383 bool HttpAuthController::HaveAuthHandler() const { | 383 bool HttpAuthController::HaveAuthHandler() const { |
| 384 return handler_.get() != NULL; | 384 return handler_.get() != NULL; |
| 385 } | 385 } |
| 386 | 386 |
| 387 bool HttpAuthController::HaveAuth() const { | 387 bool HttpAuthController::HaveAuth() const { |
| 388 return handler_.get() && !identity_.invalid; | 388 return handler_.get() && !identity_.invalid; |
| 389 } | 389 } |
| 390 | 390 |
| 391 void HttpAuthController::InvalidateCurrentHandler( | 391 void HttpAuthController::InvalidateCurrentHandler( |
| 392 InvalidateHandlerAction action) { | 392 InvalidateHandlerAction action) { |
| 393 DCHECK(CalledOnValidThread()); | 393 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 394 DCHECK(handler_.get()); | 394 DCHECK(handler_.get()); |
| 395 | 395 |
| 396 if (action == INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS) | 396 if (action == INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS) |
| 397 InvalidateRejectedAuthFromCache(); | 397 InvalidateRejectedAuthFromCache(); |
| 398 if (action == INVALIDATE_HANDLER_AND_DISABLE_SCHEME) | 398 if (action == INVALIDATE_HANDLER_AND_DISABLE_SCHEME) |
| 399 DisableAuthScheme(handler_->auth_scheme()); | 399 DisableAuthScheme(handler_->auth_scheme()); |
| 400 handler_.reset(); | 400 handler_.reset(); |
| 401 identity_ = HttpAuth::Identity(); | 401 identity_ = HttpAuth::Identity(); |
| 402 } | 402 } |
| 403 | 403 |
| 404 void HttpAuthController::InvalidateRejectedAuthFromCache() { | 404 void HttpAuthController::InvalidateRejectedAuthFromCache() { |
| 405 DCHECK(CalledOnValidThread()); | 405 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 406 DCHECK(HaveAuth()); | 406 DCHECK(HaveAuth()); |
| 407 | 407 |
| 408 // Clear the cache entry for the identity we just failed on. | 408 // Clear the cache entry for the identity we just failed on. |
| 409 // Note: we require the credentials to match before invalidating | 409 // Note: we require the credentials to match before invalidating |
| 410 // since the entry in the cache may be newer than what we used last time. | 410 // since the entry in the cache may be newer than what we used last time. |
| 411 http_auth_cache_->Remove(auth_origin_, handler_->realm(), | 411 http_auth_cache_->Remove(auth_origin_, handler_->realm(), |
| 412 handler_->auth_scheme(), identity_.credentials); | 412 handler_->auth_scheme(), identity_.credentials); |
| 413 } | 413 } |
| 414 | 414 |
| 415 bool HttpAuthController::SelectNextAuthIdentityToTry() { | 415 bool HttpAuthController::SelectNextAuthIdentityToTry() { |
| 416 DCHECK(CalledOnValidThread()); | 416 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 417 DCHECK(handler_.get()); | 417 DCHECK(handler_.get()); |
| 418 DCHECK(identity_.invalid); | 418 DCHECK(identity_.invalid); |
| 419 | 419 |
| 420 // Try to use the username:password encoded into the URL first. | 420 // Try to use the username:password encoded into the URL first. |
| 421 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() && | 421 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() && |
| 422 !embedded_identity_used_) { | 422 !embedded_identity_used_) { |
| 423 identity_.source = HttpAuth::IDENT_SRC_URL; | 423 identity_.source = HttpAuth::IDENT_SRC_URL; |
| 424 identity_.invalid = false; | 424 identity_.invalid = false; |
| 425 // Extract the username:password from the URL. | 425 // Extract the username:password from the URL. |
| 426 base::string16 username; | 426 base::string16 username; |
| (...skipping 28 matching lines...) Expand all Loading... |
| 455 identity_.source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS; | 455 identity_.source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS; |
| 456 identity_.invalid = false; | 456 identity_.invalid = false; |
| 457 default_credentials_used_ = true; | 457 default_credentials_used_ = true; |
| 458 return true; | 458 return true; |
| 459 } | 459 } |
| 460 | 460 |
| 461 return false; | 461 return false; |
| 462 } | 462 } |
| 463 | 463 |
| 464 void HttpAuthController::PopulateAuthChallenge() { | 464 void HttpAuthController::PopulateAuthChallenge() { |
| 465 DCHECK(CalledOnValidThread()); | 465 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 466 | 466 |
| 467 // Populates response_.auth_challenge with the authentication challenge info. | 467 // Populates response_.auth_challenge with the authentication challenge info. |
| 468 // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo(). | 468 // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo(). |
| 469 | 469 |
| 470 auth_info_ = new AuthChallengeInfo; | 470 auth_info_ = new AuthChallengeInfo; |
| 471 auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY); | 471 auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY); |
| 472 auth_info_->challenger = url::Origin(auth_origin_); | 472 auth_info_->challenger = url::Origin(auth_origin_); |
| 473 auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme()); | 473 auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme()); |
| 474 auth_info_->realm = handler_->realm(); | 474 auth_info_->realm = handler_->realm(); |
| 475 } | 475 } |
| 476 | 476 |
| 477 int HttpAuthController::HandleGenerateTokenResult(int result) { | 477 int HttpAuthController::HandleGenerateTokenResult(int result) { |
| 478 DCHECK(CalledOnValidThread()); | 478 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 479 switch (result) { | 479 switch (result) { |
| 480 // Occurs if the credential handle is found to be invalid at the point it is | 480 // Occurs if the credential handle is found to be invalid at the point it is |
| 481 // exercised (i.e. GenerateAuthToken stage). We are going to consider this | 481 // exercised (i.e. GenerateAuthToken stage). We are going to consider this |
| 482 // to be an error that invalidates the identity but not necessarily the | 482 // to be an error that invalidates the identity but not necessarily the |
| 483 // scheme. Doing so allows a different identity to be used with the same | 483 // scheme. Doing so allows a different identity to be used with the same |
| 484 // scheme. See https://crbug.com/648366. | 484 // scheme. See https://crbug.com/648366. |
| 485 case ERR_INVALID_HANDLE: | 485 case ERR_INVALID_HANDLE: |
| 486 | 486 |
| 487 // If the GenerateAuthToken call fails with this error, this means that the | 487 // If the GenerateAuthToken call fails with this error, this means that the |
| 488 // handler can no longer be used. However, the authentication scheme is | 488 // handler can no longer be used. However, the authentication scheme is |
| (...skipping 28 matching lines...) Expand all Loading... |
| 517 InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME); | 517 InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME); |
| 518 auth_token_.clear(); | 518 auth_token_.clear(); |
| 519 return OK; | 519 return OK; |
| 520 | 520 |
| 521 default: | 521 default: |
| 522 return result; | 522 return result; |
| 523 } | 523 } |
| 524 } | 524 } |
| 525 | 525 |
| 526 void HttpAuthController::OnGenerateAuthTokenDone(int result) { | 526 void HttpAuthController::OnGenerateAuthTokenDone(int result) { |
| 527 DCHECK(CalledOnValidThread()); | 527 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 528 result = HandleGenerateTokenResult(result); | 528 result = HandleGenerateTokenResult(result); |
| 529 if (!callback_.is_null()) { | 529 if (!callback_.is_null()) { |
| 530 CompletionCallback c = callback_; | 530 CompletionCallback c = callback_; |
| 531 callback_.Reset(); | 531 callback_.Reset(); |
| 532 c.Run(result); | 532 c.Run(result); |
| 533 } | 533 } |
| 534 } | 534 } |
| 535 | 535 |
| 536 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() { | 536 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() { |
| 537 DCHECK(CalledOnValidThread()); | 537 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 538 return auth_info_; | 538 return auth_info_; |
| 539 } | 539 } |
| 540 | 540 |
| 541 bool HttpAuthController::IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const { | 541 bool HttpAuthController::IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const { |
| 542 DCHECK(CalledOnValidThread()); | 542 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 543 return disabled_schemes_.find(scheme) != disabled_schemes_.end(); | 543 return disabled_schemes_.find(scheme) != disabled_schemes_.end(); |
| 544 } | 544 } |
| 545 | 545 |
| 546 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) { | 546 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) { |
| 547 DCHECK(CalledOnValidThread()); | 547 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 548 disabled_schemes_.insert(scheme); | 548 disabled_schemes_.insert(scheme); |
| 549 } | 549 } |
| 550 | 550 |
| 551 void HttpAuthController::DisableEmbeddedIdentity() { | 551 void HttpAuthController::DisableEmbeddedIdentity() { |
| 552 DCHECK(CalledOnValidThread()); | 552 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 553 embedded_identity_used_ = true; | 553 embedded_identity_used_ = true; |
| 554 } | 554 } |
| 555 | 555 |
| 556 void HttpAuthController::OnConnectionClosed() { | 556 void HttpAuthController::OnConnectionClosed() { |
| 557 DCHECK(CalledOnValidThread()); | 557 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| 558 InvalidateCurrentHandler(INVALIDATE_HANDLER); | 558 InvalidateCurrentHandler(INVALIDATE_HANDLER); |
| 559 } | 559 } |
| 560 | 560 |
| 561 } // namespace net | 561 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2910473005:
Deprecate NonThreadSafe in net/ in favor of SequenceChecker/ThreadChecker. (Closed)
