mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-11-26 07:16:10 +03:00
250 lines
9.5 KiB
C++
250 lines
9.5 KiB
C++
// Copyright 2011 The Chromium Authors
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef NET_HTTP_HTTP_AUTH_HANDLER_H_
|
|
#define NET_HTTP_HTTP_AUTH_HANDLER_H_
|
|
|
|
#include <string>
|
|
|
|
#include "net/base/completion_once_callback.h"
|
|
#include "net/base/net_export.h"
|
|
#include "net/http/http_auth.h"
|
|
#include "net/log/net_log_with_source.h"
|
|
#include "url/scheme_host_port.h"
|
|
|
|
namespace net {
|
|
|
|
class NetworkAnonymizationKey;
|
|
class HttpAuthChallengeTokenizer;
|
|
struct HttpRequestInfo;
|
|
class SSLInfo;
|
|
|
|
// HttpAuthHandler is the interface for the authentication schemes
|
|
// (basic, digest, NTLM, Negotiate).
|
|
// HttpAuthHandler objects are typically created by an HttpAuthHandlerFactory.
|
|
//
|
|
// HttpAuthHandlers and generally created and managed by an HttpAuthController,
|
|
// which is the interaction point between the rest of net and the HTTP auth
|
|
// code.
|
|
//
|
|
// For connection-based authentication, an HttpAuthHandler handles all rounds
|
|
// related to using a single identity. If the identity is rejected, a new
|
|
// HttpAuthHandler must be created.
|
|
class NET_EXPORT_PRIVATE HttpAuthHandler {
|
|
public:
|
|
HttpAuthHandler();
|
|
|
|
HttpAuthHandler(const HttpAuthHandler&) = delete;
|
|
HttpAuthHandler& operator=(const HttpAuthHandler&) = delete;
|
|
|
|
virtual ~HttpAuthHandler();
|
|
|
|
// Initializes the handler using a challenge issued by a server.
|
|
//
|
|
// |challenge| must be non-nullptr and have already tokenized the
|
|
// authentication scheme, but none of the tokens occurring after the
|
|
// authentication scheme.
|
|
// |target| and |scheme_host_port| are both stored for later use, and are not
|
|
// part of the initial challenge.
|
|
// |ssl_info| must be valid if the underlying connection used a certificate.
|
|
// |network_anonymization_key| the NetworkAnonymizationKey associated with the
|
|
// challenge. Used for host resolutions, if any are needed.
|
|
// |net_log| to be used for logging.
|
|
bool InitFromChallenge(
|
|
HttpAuthChallengeTokenizer* challenge,
|
|
HttpAuth::Target target,
|
|
const SSLInfo& ssl_info,
|
|
const NetworkAnonymizationKey& network_anonymization_key,
|
|
const url::SchemeHostPort& scheme_host_port,
|
|
const NetLogWithSource& net_log);
|
|
|
|
// Determines how the previous authorization attempt was received.
|
|
//
|
|
// This is called when the server/proxy responds with a 401/407 after an
|
|
// earlier authorization attempt. Although this normally means that the
|
|
// previous attempt was rejected, in multi-round schemes such as
|
|
// NTLM+Negotiate it may indicate that another round of challenge+response
|
|
// is required. For Digest authentication it may also mean that the previous
|
|
// attempt used a stale nonce (and nonce-count) and that a new attempt should
|
|
// be made with a different nonce provided in the challenge.
|
|
//
|
|
// |challenge| must be non-nullptr and have already tokenized the
|
|
// authentication scheme, but none of the tokens occurring after the
|
|
// authentication scheme.
|
|
HttpAuth::AuthorizationResult HandleAnotherChallenge(
|
|
HttpAuthChallengeTokenizer* challenge);
|
|
|
|
// Generates an authentication token, potentially asynchronously.
|
|
//
|
|
// When |credentials| is nullptr, the default credentials for the currently
|
|
// logged in user are used. |AllowsDefaultCredentials()| MUST be true in this
|
|
// case.
|
|
//
|
|
// |request|, |callback|, and |auth_token| must be non-nullptr.
|
|
//
|
|
// The return value is a net error code.
|
|
//
|
|
// If |OK| is returned, |*auth_token| is filled in with an authentication
|
|
// token which can be inserted in the HTTP request.
|
|
//
|
|
// If |ERR_IO_PENDING| is returned, |*auth_token| will be filled in
|
|
// asynchronously and |callback| will be invoked. The lifetime of
|
|
// |request|, |callback|, and |auth_token| must last until |callback| is
|
|
// invoked, but |credentials| is only used during the initial call.
|
|
//
|
|
// All other return codes indicate that there was a problem generating a
|
|
// token, and the value of |*auth_token| is unspecified.
|
|
int GenerateAuthToken(const AuthCredentials* credentials,
|
|
const HttpRequestInfo* request,
|
|
CompletionOnceCallback callback,
|
|
std::string* auth_token);
|
|
|
|
// The authentication scheme as an enumerated value.
|
|
HttpAuth::Scheme auth_scheme() const {
|
|
return auth_scheme_;
|
|
}
|
|
|
|
// The realm, encoded as UTF-8. This may be empty.
|
|
const std::string& realm() const {
|
|
return realm_;
|
|
}
|
|
|
|
// The challenge which was issued when creating the handler.
|
|
const std::string& challenge() const { return auth_challenge_; }
|
|
|
|
// Numeric rank based on the challenge's security level. Higher
|
|
// numbers are better. Used by HttpAuth::ChooseBestChallenge().
|
|
int score() const {
|
|
return score_;
|
|
}
|
|
|
|
HttpAuth::Target target() const {
|
|
return target_;
|
|
}
|
|
|
|
// Returns the proxy or server which issued the authentication challenge
|
|
// that this HttpAuthHandler is handling.
|
|
const url::SchemeHostPort& scheme_host_port() const {
|
|
return scheme_host_port_;
|
|
}
|
|
|
|
// Returns true if the authentication scheme does not send the username and
|
|
// password in the clear.
|
|
bool encrypts_identity() const {
|
|
return (properties_ & ENCRYPTS_IDENTITY) != 0;
|
|
}
|
|
|
|
// Returns true if the authentication scheme is connection-based, for
|
|
// example, NTLM. A connection-based authentication scheme does not support
|
|
// preemptive authentication, and must use the same handler object
|
|
// throughout the life of an HTTP transaction.
|
|
bool is_connection_based() const {
|
|
return (properties_ & IS_CONNECTION_BASED) != 0;
|
|
}
|
|
|
|
// This HttpAuthHandler's bound NetLog.
|
|
const NetLogWithSource& net_log() const { return net_log_; }
|
|
|
|
// If NeedsIdentity() returns true, then a subsequent call to
|
|
// GenerateAuthToken() must indicate which identity to use. This can be done
|
|
// either by passing in a non-empty set of credentials, or an empty set to
|
|
// force the handler to use the default credentials. The latter is only an
|
|
// option if AllowsDefaultCredentials() returns true.
|
|
//
|
|
// If NeedsIdentity() returns false, then the handler is already bound to an
|
|
// identity and GenerateAuthToken() will ignore any credentials that are
|
|
// passed in.
|
|
//
|
|
// TODO(wtc): Find a better way to handle a multi-round challenge-response
|
|
// sequence used by a connection-based authentication scheme.
|
|
virtual bool NeedsIdentity();
|
|
|
|
// Returns whether the default credentials may be used for the |origin| passed
|
|
// into |InitFromChallenge|. If true, the user does not need to be prompted
|
|
// for username and password to establish credentials.
|
|
// NOTE: SSO is a potential security risk.
|
|
// TODO(cbentzel): Add a pointer to Firefox documentation about risk.
|
|
virtual bool AllowsDefaultCredentials();
|
|
|
|
// Returns whether explicit credentials can be used with this handler. If
|
|
// true the user may be prompted for credentials if an implicit identity
|
|
// cannot be determined.
|
|
virtual bool AllowsExplicitCredentials();
|
|
|
|
protected:
|
|
enum Property {
|
|
ENCRYPTS_IDENTITY = 1 << 0,
|
|
IS_CONNECTION_BASED = 1 << 1,
|
|
};
|
|
|
|
// Initializes the handler using a challenge issued by a server.
|
|
// |challenge| must be non-nullptr and have already tokenized the
|
|
// authentication scheme, but none of the tokens occurring after the
|
|
// authentication scheme.
|
|
//
|
|
// If the request was sent over an encrypted connection, |ssl_info| is valid
|
|
// and describes the connection.
|
|
//
|
|
// NetworkAnonymizationKey is the NetworkAnonymizationKey associated with the
|
|
// request.
|
|
//
|
|
// Implementations are expected to initialize the following members:
|
|
// scheme_, realm_, score_, properties_
|
|
virtual bool Init(
|
|
HttpAuthChallengeTokenizer* challenge,
|
|
const SSLInfo& ssl_info,
|
|
const NetworkAnonymizationKey& network_anonymization_key) = 0;
|
|
|
|
// |GenerateAuthTokenImpl()} is the auth-scheme specific implementation
|
|
// of generating the next auth token. Callers should use |GenerateAuthToken()|
|
|
// which will in turn call |GenerateAuthTokenImpl()|
|
|
virtual int GenerateAuthTokenImpl(const AuthCredentials* credentials,
|
|
const HttpRequestInfo* request,
|
|
CompletionOnceCallback callback,
|
|
std::string* auth_token) = 0;
|
|
|
|
// See HandleAnotherChallenge() above. HandleAuthChallengeImpl is the
|
|
// scheme-specific implementation. Callers should use HandleAnotherChallenge()
|
|
// instead.
|
|
virtual HttpAuth::AuthorizationResult HandleAnotherChallengeImpl(
|
|
HttpAuthChallengeTokenizer* challenge) = 0;
|
|
|
|
// The auth-scheme as an enumerated value.
|
|
HttpAuth::Scheme auth_scheme_ = HttpAuth::AUTH_SCHEME_MAX;
|
|
|
|
// The realm, encoded as UTF-8. Used by "basic" and "digest".
|
|
std::string realm_;
|
|
|
|
// The auth challenge.
|
|
std::string auth_challenge_;
|
|
|
|
// The {scheme, host, port} for the authentication target. Used by "ntlm"
|
|
// and "negotiate" to construct the service principal name.
|
|
url::SchemeHostPort scheme_host_port_;
|
|
|
|
// The score for this challenge. Higher numbers are better.
|
|
int score_ = -1;
|
|
|
|
// Whether this authentication request is for a proxy server, or an
|
|
// origin server.
|
|
HttpAuth::Target target_ = HttpAuth::AUTH_NONE;
|
|
|
|
// A bitmask of the properties of the authentication scheme.
|
|
int properties_ = -1;
|
|
|
|
private:
|
|
void OnGenerateAuthTokenComplete(int rv);
|
|
void FinishGenerateAuthToken(int rv);
|
|
|
|
// NetLog that should be used for logging events generated by this
|
|
// HttpAuthHandler.
|
|
NetLogWithSource net_log_;
|
|
|
|
CompletionOnceCallback callback_;
|
|
};
|
|
|
|
} // namespace net
|
|
|
|
#endif // NET_HTTP_HTTP_AUTH_HANDLER_H_
|