// Copyright 2011 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_HTTP_HTTP_AUTH_HANDLER_FACTORY_H_ #define NET_HTTP_HTTP_AUTH_HANDLER_FACTORY_H_ #include #include #include #include #include #include "base/memory/raw_ptr.h" #include "build/build_config.h" #include "net/base/net_export.h" #include "net/http/http_auth.h" #include "net/http/http_auth_mechanism.h" #include "net/http/http_auth_scheme.h" #include "net/http/url_security_manager.h" #include "net/net_buildflags.h" #include "third_party/abseil-cpp/absl/types/optional.h" namespace url { class SchemeHostPort; } namespace net { class HostResolver; class HttpAuthChallengeTokenizer; class HttpAuthHandler; class HttpAuthHandlerRegistryFactory; class HttpAuthPreferences; class NetLogWithSource; class NetworkAnonymizationKey; // An HttpAuthHandlerFactory is used to create HttpAuthHandler objects. // The HttpAuthHandlerFactory object _must_ outlive any of the HttpAuthHandler // objects that it creates. class NET_EXPORT HttpAuthHandlerFactory { public: enum CreateReason { CREATE_CHALLENGE, // Create a handler in response to a challenge. CREATE_PREEMPTIVE, // Create a handler preemptively. }; HttpAuthHandlerFactory() = default; HttpAuthHandlerFactory(const HttpAuthHandlerFactory&) = delete; HttpAuthHandlerFactory& operator=(const HttpAuthHandlerFactory&) = delete; virtual ~HttpAuthHandlerFactory() = default; // Sets the source of the HTTP authentication preferences. // HttpAuthHandlerFactory doesn't own the preferences, and the // HttpAuthPreferences object should outlive the factory and any handlers it // creates. void set_http_auth_preferences( const HttpAuthPreferences* http_auth_preferences) { http_auth_preferences_ = http_auth_preferences; } // Retrieves the associated URL security manager. const HttpAuthPreferences* http_auth_preferences() const { return http_auth_preferences_; } // Creates an HttpAuthHandler object based on the authentication challenge // specified by |*challenge|. |challenge| must point to a valid tokenizer. // // If an HttpAuthHandler object is successfully created it is passed back to // the caller through |*handler| and OK is returned. // // If |*challenge| specifies an unsupported authentication scheme, |*handler| // is set to nullptr and ERR_UNSUPPORTED_AUTH_SCHEME is returned. // // If |*challenge| is improperly formed, |*handler| is set to nullptr and // ERR_INVALID_RESPONSE is returned. // // |create_reason| indicates why the handler is being created. This is used // since NTLM and Negotiate schemes do not support preemptive creation. // // |digest_nonce_count| is specifically intended for the Digest authentication // scheme, and indicates the number of handlers generated for a particular // server nonce challenge. // // |ssl_info| is valid if the authentication session is being established over // a secure connection. // // For the NTLM and Negotiate handlers: // If |origin| does not match the authentication method's filters for // the specified |target|, ERR_INVALID_AUTH_CREDENTIALS is returned. // NOTE: This will apply to ALL |origin| values if the filters are empty. // // |*challenge| should not be reused after a call to |CreateAuthHandler()|, // // |host_resolver| is used by the Negotiate authentication handler to perform // CNAME lookups to generate a Kerberos SPN for the server. If the "negotiate" // scheme is used and the factory was created with // |negotiate_disable_cname_lookup| false, |host_resolver| must not be null, // and it must remain valid for the lifetime of the created |handler|. virtual int CreateAuthHandler( HttpAuthChallengeTokenizer* challenge, HttpAuth::Target target, const SSLInfo& ssl_info, const NetworkAnonymizationKey& network_anonymization_key, const url::SchemeHostPort& scheme_host_port, CreateReason create_reason, int digest_nonce_count, const NetLogWithSource& net_log, HostResolver* host_resolver, std::unique_ptr* handler) = 0; // Creates an HTTP authentication handler based on the authentication // challenge string |challenge|. // This is a convenience function which creates a ChallengeTokenizer for // |challenge| and calls |CreateAuthHandler|. See |CreateAuthHandler| for // more details on return values. int CreateAuthHandlerFromString( const std::string& challenge, HttpAuth::Target target, const SSLInfo& ssl_info, const NetworkAnonymizationKey& network_anonymization_key, const url::SchemeHostPort& scheme_host_port, const NetLogWithSource& net_log, HostResolver* host_resolver, std::unique_ptr* handler); // Creates an HTTP authentication handler based on the authentication // challenge string |challenge|. // This is a convenience function which creates a ChallengeTokenizer for // |challenge| and calls |CreateAuthHandler|. See |CreateAuthHandler| for // more details on return values. int CreatePreemptiveAuthHandlerFromString( const std::string& challenge, HttpAuth::Target target, const NetworkAnonymizationKey& network_anonymization_key, const url::SchemeHostPort& scheme_host_port, int digest_nonce_count, const NetLogWithSource& net_log, HostResolver* host_resolver, std::unique_ptr* handler); // Creates a standard HttpAuthHandlerRegistryFactory. The caller is // responsible for deleting the factory. // The default factory supports Basic, Digest, NTLM, and Negotiate schemes. // // |negotiate_auth_system_factory| is used to override the default auth system // used by the Negotiate authentication handler. static std::unique_ptr CreateDefault( const HttpAuthPreferences* prefs = nullptr #if BUILDFLAG(USE_EXTERNAL_GSSAPI) , const std::string& gssapi_library_name = "" #endif #if BUILDFLAG(USE_KERBEROS) , HttpAuthMechanismFactory negotiate_auth_system_factory = HttpAuthMechanismFactory() #endif ); private: // The preferences for HTTP authentication. raw_ptr http_auth_preferences_ = nullptr; }; // The HttpAuthHandlerRegistryFactory dispatches create requests out // to other factories based on the auth scheme. class NET_EXPORT HttpAuthHandlerRegistryFactory : public HttpAuthHandlerFactory { public: explicit HttpAuthHandlerRegistryFactory( const HttpAuthPreferences* http_auth_preferences); HttpAuthHandlerRegistryFactory(const HttpAuthHandlerRegistryFactory&) = delete; HttpAuthHandlerRegistryFactory& operator=( const HttpAuthHandlerRegistryFactory&) = delete; ~HttpAuthHandlerRegistryFactory() override; // Sets the preferences into the factory associated with |scheme|. void SetHttpAuthPreferences(const std::string& scheme, const HttpAuthPreferences* prefs); // Registers a |factory| that will be used for a particular HTTP // authentication scheme such as Basic, Digest, or Negotiate. // The |*factory| object is assumed to be new-allocated, and its lifetime // will be managed by this HttpAuthHandlerRegistryFactory object (including // deleting it when it is no longer used. // A nullptr |factory| value means that HttpAuthHandlers's will not be created // for |scheme|. If a factory object used to exist for |scheme|, it will be // deleted. void RegisterSchemeFactory(const std::string& scheme, std::unique_ptr factory); // Creates an HttpAuthHandlerRegistryFactory. // // |prefs| is a pointer to the (single) authentication preferences object. // That object tracks preference, and hence policy, updates relevant to HTTP // authentication, and provides the current values of the preferences. // // |negotiate_auth_system_factory| is used to override the default auth system // used by the Negotiate authentication handler. static std::unique_ptr Create( const HttpAuthPreferences* prefs #if BUILDFLAG(USE_EXTERNAL_GSSAPI) , const std::string& gssapi_library_name = "" #endif #if BUILDFLAG(USE_KERBEROS) , HttpAuthMechanismFactory negotiate_auth_system_factory = HttpAuthMechanismFactory() #endif ); // Creates an auth handler by dispatching out to the registered factories // based on the first token in |challenge|. // // |host_resolver| is used by the Negotiate authentication handler to perform // CNAME lookups to generate a Kerberos SPN for the server. If the "negotiate" // scheme is used and the factory was created with // |negotiate_disable_cname_lookup| false, |host_resolver| must not be null, // and it must remain valid for the lifetime of the created |handler|. int CreateAuthHandler( HttpAuthChallengeTokenizer* challenge, HttpAuth::Target target, const SSLInfo& ssl_info, const NetworkAnonymizationKey& network_anonymization_key, const url::SchemeHostPort& scheme_host_port, CreateReason reason, int digest_nonce_count, const NetLogWithSource& net_log, HostResolver* host_resolver, std::unique_ptr* handler) override; #if BUILDFLAG(USE_KERBEROS) && !BUILDFLAG(IS_ANDROID) && BUILDFLAG(IS_POSIX) absl::optional GetNegotiateLibraryNameForTesting() const; #endif // Returns true if the scheme is allowed to be used for all origins. An auth // handler may still be created for an origin if that origin is allowed by // policy to use all supported auth handlers. bool IsSchemeAllowedForTesting(const std::string& scheme) const; private: bool IsSchemeAllowed(const std::string& scheme) const; // Retrieve the factory for the specified |scheme|. If no factory exists // for the |scheme|, nullptr is returned. The returned factory must not be // deleted by the caller, and it is guaranteed to be valid until either // a new factory is registered for the same scheme, or until this // registry factory is destroyed. HttpAuthHandlerFactory* GetSchemeFactory(const std::string& scheme) const; using FactoryMap = std::map>; std::set default_auth_schemes_ { kBasicAuthScheme, kDigestAuthScheme, #if BUILDFLAG(USE_KERBEROS) && !BUILDFLAG(IS_ANDROID) kNegotiateAuthScheme, #endif kNtlmAuthScheme }; FactoryMap factory_map_; }; } // namespace net #endif // NET_HTTP_HTTP_AUTH_HANDLER_FACTORY_H_