Home | History | Annotate | Download | only in http
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_HTTP_HTTP_AUTH_CONTROLLER_H_
      6 #define NET_HTTP_HTTP_AUTH_CONTROLLER_H_
      7 
      8 #include <set>
      9 #include <string>
     10 
     11 #include "base/basictypes.h"
     12 #include "base/memory/ref_counted.h"
     13 #include "base/memory/scoped_ptr.h"
     14 #include "base/threading/non_thread_safe.h"
     15 #include "net/base/completion_callback.h"
     16 #include "net/base/net_export.h"
     17 #include "net/base/net_log.h"
     18 #include "net/http/http_auth.h"
     19 #include "url/gurl.h"
     20 
     21 namespace net {
     22 
     23 class AuthChallengeInfo;
     24 class AuthCredentials;
     25 class HttpAuthHandler;
     26 class HttpAuthHandlerFactory;
     27 class HttpAuthCache;
     28 class HttpRequestHeaders;
     29 struct HttpRequestInfo;
     30 
     31 class NET_EXPORT_PRIVATE HttpAuthController
     32     : public base::RefCounted<HttpAuthController>,
     33       NON_EXPORTED_BASE(public base::NonThreadSafe) {
     34  public:
     35   // The arguments are self explanatory except possibly for |auth_url|, which
     36   // should be both the auth target and auth path in a single url argument.
     37   HttpAuthController(HttpAuth::Target target,
     38                      const GURL& auth_url,
     39                      HttpAuthCache* http_auth_cache,
     40                      HttpAuthHandlerFactory* http_auth_handler_factory);
     41 
     42   // Generate an authentication token for |target| if necessary. The return
     43   // value is a net error code. |OK| will be returned both in the case that
     44   // a token is correctly generated synchronously, as well as when no tokens
     45   // were necessary.
     46   virtual int MaybeGenerateAuthToken(const HttpRequestInfo* request,
     47                                      const CompletionCallback& callback,
     48                                      const BoundNetLog& net_log);
     49 
     50   // Adds either the proxy auth header, or the origin server auth header,
     51   // as specified by |target_|.
     52   virtual void AddAuthorizationHeader(
     53       HttpRequestHeaders* authorization_headers);
     54 
     55   // Checks for and handles HTTP status code 401 or 407.
     56   // |HandleAuthChallenge()| returns OK on success, or a network error code
     57   // otherwise. It may also populate |auth_info_|.
     58   virtual int HandleAuthChallenge(scoped_refptr<HttpResponseHeaders> headers,
     59                                   bool do_not_send_server_auth,
     60                                   bool establishing_tunnel,
     61                                   const BoundNetLog& net_log);
     62 
     63   // Store the supplied credentials and prepare to restart the auth.
     64   virtual void ResetAuth(const AuthCredentials& credentials);
     65 
     66   virtual bool HaveAuthHandler() const;
     67 
     68   virtual bool HaveAuth() const;
     69 
     70   virtual scoped_refptr<AuthChallengeInfo> auth_info();
     71 
     72   virtual bool IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const;
     73   virtual void DisableAuthScheme(HttpAuth::Scheme scheme);
     74   virtual void DisableEmbeddedIdentity();
     75 
     76  private:
     77   // Actions for InvalidateCurrentHandler()
     78   enum InvalidateHandlerAction {
     79     INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS,
     80     INVALIDATE_HANDLER_AND_DISABLE_SCHEME,
     81     INVALIDATE_HANDLER
     82   };
     83 
     84   // So that we can mock this object.
     85   friend class base::RefCounted<HttpAuthController>;
     86 
     87   virtual ~HttpAuthController();
     88 
     89   // Searches the auth cache for an entry that encompasses the request's path.
     90   // If such an entry is found, updates |identity_| and |handler_| with the
     91   // cache entry's data and returns true.
     92   bool SelectPreemptiveAuth(const BoundNetLog& net_log);
     93 
     94   // Invalidates the current handler.  If |action| is
     95   // INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS, then also invalidate
     96   // the cached credentials used by the handler.
     97   void InvalidateCurrentHandler(InvalidateHandlerAction action);
     98 
     99   // Invalidates any auth cache entries after authentication has failed.
    100   // The identity that was rejected is |identity_|.
    101   void InvalidateRejectedAuthFromCache();
    102 
    103   // Sets |identity_| to the next identity that the transaction should try. It
    104   // chooses candidates by searching the auth cache and the URL for a
    105   // username:password. Returns true if an identity was found.
    106   bool SelectNextAuthIdentityToTry();
    107 
    108   // Populates auth_info_ with the challenge information, so that
    109   // URLRequestHttpJob can prompt for credentials.
    110   void PopulateAuthChallenge();
    111 
    112   // If |result| indicates a permanent failure, disables the current
    113   // auth scheme for this controller and returns true.  Returns false
    114   // otherwise.
    115   bool DisableOnAuthHandlerResult(int result);
    116 
    117   void OnIOComplete(int result);
    118 
    119   // Indicates if this handler is for Proxy auth or Server auth.
    120   HttpAuth::Target target_;
    121 
    122   // Holds the {scheme, host, path, port} for the authentication target.
    123   const GURL auth_url_;
    124 
    125   // Holds the {scheme, host, port} for the authentication target.
    126   const GURL auth_origin_;
    127 
    128   // The absolute path of the resource needing authentication.
    129   // For proxy authentication the path is empty.
    130   const std::string auth_path_;
    131 
    132   // |handler_| encapsulates the logic for the particular auth-scheme.
    133   // This includes the challenge's parameters. If NULL, then there is no
    134   // associated auth handler.
    135   scoped_ptr<HttpAuthHandler> handler_;
    136 
    137   // |identity_| holds the credentials that should be used by
    138   // the handler_ to generate challenge responses. This identity can come from
    139   // a number of places (url, cache, prompt).
    140   HttpAuth::Identity identity_;
    141 
    142   // |auth_token_| contains the opaque string to pass to the proxy or
    143   // server to authenticate the client.
    144   std::string auth_token_;
    145 
    146   // Contains information about the auth challenge.
    147   scoped_refptr<AuthChallengeInfo> auth_info_;
    148 
    149   // True if we've used the username:password embedded in the URL.  This
    150   // makes sure we use the embedded identity only once for the transaction,
    151   // preventing an infinite auth restart loop.
    152   bool embedded_identity_used_;
    153 
    154   // True if default credentials have already been tried for this transaction
    155   // in response to an HTTP authentication challenge.
    156   bool default_credentials_used_;
    157 
    158   // These two are owned by the HttpNetworkSession/IOThread, which own the
    159   // objects which reference |this|.  Therefore, these raw pointers are valid
    160   // for the lifetime of this object.
    161   HttpAuthCache* const http_auth_cache_;
    162   HttpAuthHandlerFactory* const http_auth_handler_factory_;
    163 
    164   std::set<HttpAuth::Scheme> disabled_schemes_;
    165 
    166   CompletionCallback callback_;
    167 };
    168 
    169 }  // namespace net
    170 
    171 #endif  // NET_HTTP_HTTP_AUTH_CONTROLLER_H_
    172