// Copyright 2011 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_HTTP_HTTP_AUTH_H_ #define NET_HTTP_HTTP_AUTH_H_ #include #include #include #include "base/values.h" #include "net/base/auth.h" #include "net/base/net_export.h" template class scoped_refptr; namespace url { class SchemeHostPort; } namespace net { class HttpAuthHandler; class HttpAuthHandlerFactory; class HttpResponseHeaders; class HostResolver; class NetLogWithSource; class NetworkAnonymizationKey; class SSLInfo; // Utility class for http authentication. class NET_EXPORT_PRIVATE HttpAuth { public: // Http authentication can be done to the proxy server, origin server, // or both. This enum tracks who the target is. enum Target { AUTH_NONE = -1, // We depend on the valid targets (!= AUTH_NONE) being usable as indexes // in an array, so start from 0. AUTH_PROXY = 0, AUTH_SERVER = 1, AUTH_NUM_TARGETS = 2, }; // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about // the previous authorization attempt. enum AuthorizationResult { AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted, // although there still may be additional // rounds of challenges. AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected. AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the // authorization attempt is stale, but // otherwise the attempt was valid. AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are // poorly formed (the authorization attempt // itself may have been fine). AUTHORIZATION_RESULT_DIFFERENT_REALM, // The authorization // attempt was rejected, // but the realm associated // with the new challenge // is different from the // previous attempt. }; // Describes where the identity used for authentication came from. enum IdentitySource { // Came from nowhere -- the identity is not initialized. IDENT_SRC_NONE, // The identity came from the auth cache, by doing a path-based // lookup (premptive authorization). IDENT_SRC_PATH_LOOKUP, // The identity was extracted from a URL of the form: // http://:@host:port IDENT_SRC_URL, // The identity was retrieved from the auth cache, by doing a // realm lookup. IDENT_SRC_REALM_LOOKUP, // The identity was provided by RestartWithAuth -- it likely // came from a prompt (or maybe the password manager). IDENT_SRC_EXTERNAL, // The identity used the default credentials for the computer, // on schemes that support single sign-on. IDENT_SRC_DEFAULT_CREDENTIALS, }; // Identifier for auth scheme. // // The values are used for calculating UMA buckets. Add but don't remove or // reuse. enum Scheme { AUTH_SCHEME_BASIC = 0, AUTH_SCHEME_DIGEST, AUTH_SCHEME_NTLM, AUTH_SCHEME_NEGOTIATE, AUTH_SCHEME_SPDYPROXY, // No longer used. AUTH_SCHEME_MOCK, AUTH_SCHEME_MAX, }; // Type of Kerberos credentials delegation to be performed during // authentication. enum class DelegationType { // Disallow delegation. kNone, // Delegate if approved by KDC policy. Implemented in GSSAPI. kByKdcPolicy, // Unconstrained delegation. On Windows, both kByKdcPolicy and // kUnconstrained will check KDC policy. kUnconstrained, }; // Helper structure used by HttpNetworkTransaction to track // the current identity being used for authorization. struct Identity { Identity(); IdentitySource source = IDENT_SRC_NONE; bool invalid = true; AuthCredentials credentials; }; // Get the name of the header containing the auth challenge // (either WWW-Authenticate or Proxy-Authenticate). static std::string GetChallengeHeaderName(Target target); // Get the name of the header where the credentials go // (either Authorization or Proxy-Authorization). static std::string GetAuthorizationHeaderName(Target target); // Returns a string representation of a Target value that can be used in log // messages. static std::string GetAuthTargetString(Target target); // Returns a string representation of an authentication Scheme. static const char* SchemeToString(Scheme scheme); // Returns an authentication Scheme from a string which was produced by // SchemeToString(). static Scheme StringToScheme(const std::string& str); // Returns a string representation of an authorization result. static const char* AuthorizationResultToString( AuthorizationResult authorization_result); // Returns a value for logging an authorization result to a NetLog. static base::Value::Dict NetLogAuthorizationResultParams( const char* name, AuthorizationResult authorization_result); // Iterate through |response_headers|, and pick the best one that we support. // Obtains the implementation class for handling the challenge, and passes it // back in |*handler|. If no supported challenge was found, |*handler| is set // to nullptr. // // |disabled_schemes| is the set of schemes that we should not use. // // |scheme_host_port| is used by the NTLM and Negotiation authentication // scheme to construct the service principal name. It is ignored by other // schemes. // // |ssl_info| is passed through to the scheme specific authentication handlers // to use as appropriate. static void ChooseBestChallenge( HttpAuthHandlerFactory* http_auth_handler_factory, const HttpResponseHeaders& response_headers, const SSLInfo& ssl_info, const NetworkAnonymizationKey& network_anonymization_key, Target target, const url::SchemeHostPort& scheme_host_port, const std::set& disabled_schemes, const NetLogWithSource& net_log, HostResolver* host_resolver, std::unique_ptr* handler); // Handle a 401/407 response from a server/proxy after a previous // authentication attempt. For connection-based authentication schemes, the // new response may be another round in a multi-round authentication sequence. // For request-based schemes, a 401/407 response is typically treated like a // rejection of the previous challenge, except in the Digest case when a // "stale" attribute is present. // // |handler| must be non-nullptr, and is the HttpAuthHandler from the previous // authentication round. // // |response_headers| must contain the new HTTP response. // // |target| specifies whether the authentication challenge response came // from a server or a proxy. // // |disabled_schemes| are the authentication schemes to ignore. // // |challenge_used| is the text of the authentication challenge used in // support of the returned AuthorizationResult. If no headers were used for // the result (for example, all headers have unknown authentication schemes), // the value is cleared. static AuthorizationResult HandleChallengeResponse( HttpAuthHandler* handler, const HttpResponseHeaders& response_headers, Target target, const std::set& disabled_schemes, std::string* challenge_used); }; } // namespace net #endif // NET_HTTP_HTTP_AUTH_H_