| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "components/data_reduction_proxy/browser/http_auth_handler_data_reducti
on_proxy.h" | |
| 6 | |
| 7 #include <algorithm> | |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/i18n/icu_string_conversions.h" | |
| 12 #include "base/metrics/histogram.h" | |
| 13 #include "base/strings/string_util.h" | |
| 14 #include "base/strings/utf_string_conversions.h" | |
| 15 #include "net/base/net_errors.h" | |
| 16 #include "net/http/http_auth.h" | |
| 17 #include "net/http/http_auth_challenge_tokenizer.h" | |
| 18 #include "net/http/http_request_info.h" | |
| 19 | |
| 20 namespace { | |
| 21 | |
| 22 const char kDataReductionProxyAuthScheme[] = "spdyproxy"; | |
| 23 | |
| 24 } | |
| 25 | |
| 26 namespace data_reduction_proxy { | |
| 27 | |
| 28 using net::AuthCredentials; | |
| 29 using net::BoundNetLog; | |
| 30 using net::CompletionCallback; | |
| 31 using net::HttpAuth; | |
| 32 using net::HttpAuthChallengeTokenizer; | |
| 33 using net::HttpAuthHandler; | |
| 34 using net::HttpAuthHandlerFactory; | |
| 35 using net::HttpRequestInfo; | |
| 36 using net::HttpUtil; | |
| 37 | |
| 38 // static | |
| 39 std::string HttpAuthHandlerDataReductionProxy::Scheme() { | |
| 40 return kDataReductionProxyAuthScheme; | |
| 41 } | |
| 42 | |
| 43 HttpAuthHandlerDataReductionProxy::Factory::Factory( | |
| 44 const std::vector<GURL>& authorized_spdyproxy_origins) { | |
| 45 for (unsigned int i = 0; i < authorized_spdyproxy_origins.size(); ++i) { | |
| 46 if (authorized_spdyproxy_origins[i].possibly_invalid_spec().empty()) { | |
| 47 VLOG(1) << "SpdyProxy auth without configuring authorized origin."; | |
| 48 return; | |
| 49 } | |
| 50 } | |
| 51 authorized_spdyproxy_origins_ = authorized_spdyproxy_origins; | |
| 52 } | |
| 53 | |
| 54 HttpAuthHandlerDataReductionProxy::Factory::~Factory() { | |
| 55 } | |
| 56 | |
| 57 int HttpAuthHandlerDataReductionProxy::Factory::CreateAuthHandler( | |
| 58 HttpAuthChallengeTokenizer* challenge, | |
| 59 HttpAuth::Target target, | |
| 60 const GURL& origin, | |
| 61 CreateReason reason, | |
| 62 int digest_nonce_count, | |
| 63 const BoundNetLog& net_log, | |
| 64 scoped_ptr<HttpAuthHandler>* handler) { | |
| 65 // If a spdyproxy auth proxy has not been set, refuse all requests to use this | |
| 66 // auth handler. | |
| 67 if (authorized_spdyproxy_origins_.empty()) | |
| 68 return net::ERR_UNSUPPORTED_AUTH_SCHEME; | |
| 69 | |
| 70 // We ensure that this authentication handler is used only with an authorized | |
| 71 // SPDY proxy, since otherwise a user's authentication token can be | |
| 72 // sniffed by a malicious proxy that presents an appropriate challenge. | |
| 73 const GURL origin_origin = origin.GetOrigin(); | |
| 74 if (!(std::find(authorized_spdyproxy_origins_.begin(), | |
| 75 authorized_spdyproxy_origins_.end(), | |
| 76 origin_origin) != authorized_spdyproxy_origins_.end())) { | |
| 77 UMA_HISTOGRAM_COUNTS("Net.UnexpectedSpdyProxyAuth", 1); | |
| 78 VLOG(1) << "SpdyProxy auth request with an unexpected config." | |
| 79 << " origin: " << origin_origin.possibly_invalid_spec(); | |
| 80 return net::ERR_UNSUPPORTED_AUTH_SCHEME; | |
| 81 } | |
| 82 | |
| 83 scoped_ptr<HttpAuthHandler> tmp_handler( | |
| 84 new HttpAuthHandlerDataReductionProxy()); | |
| 85 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) | |
| 86 return net::ERR_INVALID_RESPONSE; | |
| 87 handler->swap(tmp_handler); | |
| 88 return net::OK; | |
| 89 } | |
| 90 | |
| 91 HttpAuth::AuthorizationResult | |
| 92 HttpAuthHandlerDataReductionProxy::HandleAnotherChallenge( | |
| 93 HttpAuthChallengeTokenizer* challenge) { | |
| 94 // SpdyProxy authentication is always a single round, so any responses | |
| 95 // should be treated as a rejection. | |
| 96 return HttpAuth::AUTHORIZATION_RESULT_REJECT; | |
| 97 } | |
| 98 | |
| 99 bool HttpAuthHandlerDataReductionProxy::NeedsIdentity() { | |
| 100 return true; | |
| 101 } | |
| 102 | |
| 103 bool HttpAuthHandlerDataReductionProxy::AllowsDefaultCredentials() { | |
| 104 return false; | |
| 105 } | |
| 106 | |
| 107 bool HttpAuthHandlerDataReductionProxy::AllowsExplicitCredentials() { | |
| 108 return true; | |
| 109 } | |
| 110 | |
| 111 HttpAuthHandlerDataReductionProxy::~HttpAuthHandlerDataReductionProxy() {} | |
| 112 | |
| 113 bool HttpAuthHandlerDataReductionProxy::Init( | |
| 114 HttpAuthChallengeTokenizer* challenge) { | |
| 115 auth_scheme_ = HttpAuth::AUTH_SCHEME_SPDYPROXY; | |
| 116 score_ = 5; | |
| 117 properties_ = ENCRYPTS_IDENTITY; | |
| 118 return ParseChallenge(challenge); | |
| 119 } | |
| 120 | |
| 121 int HttpAuthHandlerDataReductionProxy::GenerateAuthTokenImpl( | |
| 122 const AuthCredentials* credentials, const HttpRequestInfo* request, | |
| 123 const CompletionCallback&, std::string* auth_token) { | |
| 124 DCHECK(credentials); | |
| 125 if (credentials->password().length() == 0) { | |
| 126 DVLOG(1) << "Received a SpdyProxy auth token request without an " | |
| 127 << "available token."; | |
| 128 return -1; | |
| 129 } | |
| 130 *auth_token = "SpdyProxy ps=\"" + ps_token_ + "\", sid=\"" + | |
| 131 base::UTF16ToUTF8(credentials->password()) + "\""; | |
| 132 return net::OK; | |
| 133 } | |
| 134 | |
| 135 bool HttpAuthHandlerDataReductionProxy::ParseChallenge( | |
| 136 HttpAuthChallengeTokenizer* challenge) { | |
| 137 | |
| 138 // Verify the challenge's auth-scheme. | |
| 139 if (!LowerCaseEqualsASCII(challenge->scheme(), | |
| 140 kDataReductionProxyAuthScheme)) { | |
| 141 VLOG(1) << "Parsed challenge without SpdyProxy type"; | |
| 142 return false; | |
| 143 } | |
| 144 | |
| 145 HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs(); | |
| 146 | |
| 147 // Loop through all the properties. | |
| 148 while (parameters.GetNext()) { | |
| 149 // FAIL -- couldn't parse a property. | |
| 150 if (!ParseChallengeProperty(parameters.name(), | |
| 151 parameters.value())) | |
| 152 return false; | |
| 153 } | |
| 154 // Check if tokenizer failed. | |
| 155 if (!parameters.valid()) | |
| 156 return false; | |
| 157 | |
| 158 // Check that the required properties were provided. | |
| 159 if (realm_.empty()) | |
| 160 return false; | |
| 161 | |
| 162 if (ps_token_.empty()) | |
| 163 return false; | |
| 164 | |
| 165 return true; | |
| 166 } | |
| 167 | |
| 168 bool HttpAuthHandlerDataReductionProxy::ParseChallengeProperty( | |
| 169 const std::string& name, const std::string& value) { | |
| 170 if (LowerCaseEqualsASCII(name, "realm")) { | |
| 171 std::string realm; | |
| 172 if (!base::ConvertToUtf8AndNormalize(value, base::kCodepageLatin1, &realm)) | |
| 173 return false; | |
| 174 realm_ = realm; | |
| 175 } else if (LowerCaseEqualsASCII(name, "ps")) { | |
| 176 ps_token_ = value; | |
| 177 } else { | |
| 178 VLOG(1) << "Skipping unrecognized SpdyProxy auth property, " << name; | |
| 179 } | |
| 180 return true; | |
| 181 } | |
| 182 | |
| 183 } // namespace data_reduction_proxy | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 333113002:
Move data reduction proxy to Chrome-Proxy header for authentication (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@flywheel-refactor-net-fake-a-redirect-response-headers-chrome-proxy-auth