mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-11-22 21:36:12 +03:00
218 lines
7.6 KiB
C++
218 lines
7.6 KiB
C++
// Copyright 2011 The Chromium Authors
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef NET_HTTP_HTTP_AUTH_H_
|
|
#define NET_HTTP_HTTP_AUTH_H_
|
|
|
|
#include <memory>
|
|
#include <set>
|
|
#include <string>
|
|
|
|
#include "base/values.h"
|
|
#include "net/base/auth.h"
|
|
#include "net/base/net_export.h"
|
|
|
|
template <class T> class scoped_refptr;
|
|
|
|
namespace url {
|
|
class SchemeHostPort;
|
|
}
|
|
|
|
namespace net {
|
|
|
|
class HttpAuthHandler;
|
|
class HttpAuthHandlerFactory;
|
|
class HttpResponseHeaders;
|
|
class HostResolver;
|
|
class NetLogWithSource;
|
|
class NetworkAnonymizationKey;
|
|
class SSLInfo;
|
|
|
|
// Utility class for http authentication.
|
|
class NET_EXPORT_PRIVATE HttpAuth {
|
|
public:
|
|
// Http authentication can be done to the proxy server, origin server,
|
|
// or both. This enum tracks who the target is.
|
|
enum Target {
|
|
AUTH_NONE = -1,
|
|
// We depend on the valid targets (!= AUTH_NONE) being usable as indexes
|
|
// in an array, so start from 0.
|
|
AUTH_PROXY = 0,
|
|
AUTH_SERVER = 1,
|
|
AUTH_NUM_TARGETS = 2,
|
|
};
|
|
|
|
// What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about
|
|
// the previous authorization attempt.
|
|
enum AuthorizationResult {
|
|
AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted,
|
|
// although there still may be additional
|
|
// rounds of challenges.
|
|
|
|
AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected.
|
|
|
|
AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the
|
|
// authorization attempt is stale, but
|
|
// otherwise the attempt was valid.
|
|
|
|
AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are
|
|
// poorly formed (the authorization attempt
|
|
// itself may have been fine).
|
|
|
|
AUTHORIZATION_RESULT_DIFFERENT_REALM, // The authorization
|
|
// attempt was rejected,
|
|
// but the realm associated
|
|
// with the new challenge
|
|
// is different from the
|
|
// previous attempt.
|
|
};
|
|
|
|
// Describes where the identity used for authentication came from.
|
|
enum IdentitySource {
|
|
// Came from nowhere -- the identity is not initialized.
|
|
IDENT_SRC_NONE,
|
|
|
|
// The identity came from the auth cache, by doing a path-based
|
|
// lookup (premptive authorization).
|
|
IDENT_SRC_PATH_LOOKUP,
|
|
|
|
// The identity was extracted from a URL of the form:
|
|
// http://<username>:<password>@host:port
|
|
IDENT_SRC_URL,
|
|
|
|
// The identity was retrieved from the auth cache, by doing a
|
|
// realm lookup.
|
|
IDENT_SRC_REALM_LOOKUP,
|
|
|
|
// The identity was provided by RestartWithAuth -- it likely
|
|
// came from a prompt (or maybe the password manager).
|
|
IDENT_SRC_EXTERNAL,
|
|
|
|
// The identity used the default credentials for the computer,
|
|
// on schemes that support single sign-on.
|
|
IDENT_SRC_DEFAULT_CREDENTIALS,
|
|
};
|
|
|
|
// Identifier for auth scheme.
|
|
//
|
|
// The values are used for calculating UMA buckets. Add but don't remove or
|
|
// reuse.
|
|
enum Scheme {
|
|
AUTH_SCHEME_BASIC = 0,
|
|
AUTH_SCHEME_DIGEST,
|
|
AUTH_SCHEME_NTLM,
|
|
AUTH_SCHEME_NEGOTIATE,
|
|
AUTH_SCHEME_SPDYPROXY, // No longer used.
|
|
AUTH_SCHEME_MOCK,
|
|
AUTH_SCHEME_MAX,
|
|
};
|
|
|
|
// Type of Kerberos credentials delegation to be performed during
|
|
// authentication.
|
|
enum class DelegationType {
|
|
// Disallow delegation.
|
|
kNone,
|
|
// Delegate if approved by KDC policy. Implemented in GSSAPI.
|
|
kByKdcPolicy,
|
|
// Unconstrained delegation. On Windows, both kByKdcPolicy and
|
|
// kUnconstrained will check KDC policy.
|
|
kUnconstrained,
|
|
};
|
|
|
|
// Helper structure used by HttpNetworkTransaction to track
|
|
// the current identity being used for authorization.
|
|
struct Identity {
|
|
Identity();
|
|
|
|
IdentitySource source = IDENT_SRC_NONE;
|
|
bool invalid = true;
|
|
AuthCredentials credentials;
|
|
};
|
|
|
|
// Get the name of the header containing the auth challenge
|
|
// (either WWW-Authenticate or Proxy-Authenticate).
|
|
static std::string GetChallengeHeaderName(Target target);
|
|
|
|
// Get the name of the header where the credentials go
|
|
// (either Authorization or Proxy-Authorization).
|
|
static std::string GetAuthorizationHeaderName(Target target);
|
|
|
|
// Returns a string representation of a Target value that can be used in log
|
|
// messages.
|
|
static std::string GetAuthTargetString(Target target);
|
|
|
|
// Returns a string representation of an authentication Scheme.
|
|
static const char* SchemeToString(Scheme scheme);
|
|
|
|
// Returns an authentication Scheme from a string which was produced by
|
|
// SchemeToString().
|
|
static Scheme StringToScheme(const std::string& str);
|
|
|
|
// Returns a string representation of an authorization result.
|
|
static const char* AuthorizationResultToString(
|
|
AuthorizationResult authorization_result);
|
|
|
|
// Returns a value for logging an authorization result to a NetLog.
|
|
static base::Value::Dict NetLogAuthorizationResultParams(
|
|
const char* name,
|
|
AuthorizationResult authorization_result);
|
|
|
|
// Iterate through |response_headers|, and pick the best one that we support.
|
|
// Obtains the implementation class for handling the challenge, and passes it
|
|
// back in |*handler|. If no supported challenge was found, |*handler| is set
|
|
// to nullptr.
|
|
//
|
|
// |disabled_schemes| is the set of schemes that we should not use.
|
|
//
|
|
// |scheme_host_port| is used by the NTLM and Negotiation authentication
|
|
// scheme to construct the service principal name. It is ignored by other
|
|
// schemes.
|
|
//
|
|
// |ssl_info| is passed through to the scheme specific authentication handlers
|
|
// to use as appropriate.
|
|
static void ChooseBestChallenge(
|
|
HttpAuthHandlerFactory* http_auth_handler_factory,
|
|
const HttpResponseHeaders& response_headers,
|
|
const SSLInfo& ssl_info,
|
|
const NetworkAnonymizationKey& network_anonymization_key,
|
|
Target target,
|
|
const url::SchemeHostPort& scheme_host_port,
|
|
const std::set<Scheme>& disabled_schemes,
|
|
const NetLogWithSource& net_log,
|
|
HostResolver* host_resolver,
|
|
std::unique_ptr<HttpAuthHandler>* handler);
|
|
|
|
// Handle a 401/407 response from a server/proxy after a previous
|
|
// authentication attempt. For connection-based authentication schemes, the
|
|
// new response may be another round in a multi-round authentication sequence.
|
|
// For request-based schemes, a 401/407 response is typically treated like a
|
|
// rejection of the previous challenge, except in the Digest case when a
|
|
// "stale" attribute is present.
|
|
//
|
|
// |handler| must be non-nullptr, and is the HttpAuthHandler from the previous
|
|
// authentication round.
|
|
//
|
|
// |response_headers| must contain the new HTTP response.
|
|
//
|
|
// |target| specifies whether the authentication challenge response came
|
|
// from a server or a proxy.
|
|
//
|
|
// |disabled_schemes| are the authentication schemes to ignore.
|
|
//
|
|
// |challenge_used| is the text of the authentication challenge used in
|
|
// support of the returned AuthorizationResult. If no headers were used for
|
|
// the result (for example, all headers have unknown authentication schemes),
|
|
// the value is cleared.
|
|
static AuthorizationResult HandleChallengeResponse(
|
|
HttpAuthHandler* handler,
|
|
const HttpResponseHeaders& response_headers,
|
|
Target target,
|
|
const std::set<Scheme>& disabled_schemes,
|
|
std::string* challenge_used);
|
|
};
|
|
|
|
} // namespace net
|
|
|
|
#endif // NET_HTTP_HTTP_AUTH_H_
|