diff options
Diffstat (limited to 'chromium/net/http/http_auth.h')
-rw-r--r-- | chromium/net/http/http_auth.h | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/chromium/net/http/http_auth.h b/chromium/net/http/http_auth.h new file mode 100644 index 00000000000..1a03bb1fe1f --- /dev/null +++ b/chromium/net/http/http_auth.h @@ -0,0 +1,216 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_HTTP_HTTP_AUTH_H_ +#define NET_HTTP_HTTP_AUTH_H_ + +#include <set> +#include <string> + +#include "base/memory/scoped_ptr.h" +#include "net/base/auth.h" +#include "net/base/net_export.h" +#include "net/http/http_util.h" + +template <class T> class scoped_refptr; + +namespace net { + +class BoundNetLog; +class HttpAuthHandler; +class HttpAuthHandlerFactory; +class HttpResponseHeaders; + +// Utility class for http authentication. +class NET_EXPORT_PRIVATE HttpAuth { + public: + // Http authentication can be done the the proxy server, origin server, + // or both. This enum tracks who the target is. + enum Target { + AUTH_NONE = -1, + // We depend on the valid targets (!= AUTH_NONE) being usable as indexes + // in an array, so start from 0. + AUTH_PROXY = 0, + AUTH_SERVER = 1, + AUTH_NUM_TARGETS = 2, + }; + + // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about + // the previous authorization attempt. + enum AuthorizationResult { + AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted, + // although there still may be additional + // rounds of challenges. + + AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected. + + AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the + // authorization attempt is stale, but + // otherwise the attempt was valid. + + AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are + // poorly formed (the authorization attempt + // itself may have been fine). + + AUTHORIZATION_RESULT_DIFFERENT_REALM, // The authorization + // attempt was rejected, + // but the realm associated + // with the new challenge + // is different from the + // previous attempt. + }; + + // Describes where the identity used for authentication came from. + enum IdentitySource { + // Came from nowhere -- the identity is not initialized. + IDENT_SRC_NONE, + + // The identity came from the auth cache, by doing a path-based + // lookup (premptive authorization). + IDENT_SRC_PATH_LOOKUP, + + // The identity was extracted from a URL of the form: + // http://<username>:<password>@host:port + IDENT_SRC_URL, + + // The identity was retrieved from the auth cache, by doing a + // realm lookup. + IDENT_SRC_REALM_LOOKUP, + + // The identity was provided by RestartWithAuth -- it likely + // came from a prompt (or maybe the password manager). + IDENT_SRC_EXTERNAL, + + // The identity used the default credentials for the computer, + // on schemes that support single sign-on. + IDENT_SRC_DEFAULT_CREDENTIALS, + }; + + enum Scheme { + AUTH_SCHEME_BASIC = 0, + AUTH_SCHEME_DIGEST, + AUTH_SCHEME_NTLM, + AUTH_SCHEME_NEGOTIATE, + AUTH_SCHEME_SPDYPROXY, + AUTH_SCHEME_MOCK, + AUTH_SCHEME_MAX, + }; + + // Helper structure used by HttpNetworkTransaction to track + // the current identity being used for authorization. + struct Identity { + Identity(); + + IdentitySource source; + bool invalid; + AuthCredentials credentials; + }; + + // Get the name of the header containing the auth challenge + // (either WWW-Authenticate or Proxy-Authenticate). + static std::string GetChallengeHeaderName(Target target); + + // Get the name of the header where the credentials go + // (either Authorization or Proxy-Authorization). + static std::string GetAuthorizationHeaderName(Target target); + + // Returns a string representation of a Target value that can be used in log + // messages. + static std::string GetAuthTargetString(Target target); + + // Returns a string representation of an authentication Scheme. + static const char* SchemeToString(Scheme scheme); + + // Iterate through the challenge headers, and pick the best one that + // we support. Obtains the implementation class for handling the challenge, + // and passes it back in |*handler|. If no supported challenge was found, + // |*handler| is set to NULL. + // + // |disabled_schemes| is the set of schemes that we should not use. + // + // |origin| is used by the NTLM and Negotiation authentication scheme to + // construct the service principal name. It is ignored by other schemes. + static void ChooseBestChallenge( + HttpAuthHandlerFactory* http_auth_handler_factory, + const HttpResponseHeaders* headers, + Target target, + const GURL& origin, + const std::set<Scheme>& disabled_schemes, + const BoundNetLog& net_log, + scoped_ptr<HttpAuthHandler>* handler); + + // Handle a 401/407 response from a server/proxy after a previous + // authentication attempt. For connection-based authentication schemes, the + // new response may be another round in a multi-round authentication sequence. + // For request-based schemes, a 401/407 response is typically treated like a + // rejection of the previous challenge, except in the Digest case when a + // "stale" attribute is present. + // + // |handler| must be non-NULL, and is the HttpAuthHandler from the previous + // authentication round. + // + // |headers| must be non-NULL and contain the new HTTP response. + // + // |target| specifies whether the authentication challenge response came + // from a server or a proxy. + // + // |disabled_schemes| are the authentication schemes to ignore. + // + // |challenge_used| is the text of the authentication challenge used in + // support of the returned AuthorizationResult. If no headers were used for + // the result (for example, all headers have unknown authentication schemes), + // the value is cleared. + static AuthorizationResult HandleChallengeResponse( + HttpAuthHandler* handler, + const HttpResponseHeaders* headers, + Target target, + const std::set<Scheme>& disabled_schemes, + std::string* challenge_used); + + // Breaks up a challenge string into the the auth scheme and parameter list, + // according to RFC 2617 Sec 1.2: + // challenge = auth-scheme 1*SP 1#auth-param + // + // Depending on the challenge scheme, it may be appropriate to interpret the + // parameters as either a base-64 encoded string or a comma-delimited list + // of name-value pairs. param_pairs() and base64_param() methods are provided + // to support either usage. + class NET_EXPORT_PRIVATE ChallengeTokenizer { + public: + ChallengeTokenizer(std::string::const_iterator begin, + std::string::const_iterator end); + + // Get the original text. + std::string challenge_text() const { + return std::string(begin_, end_); + } + + // Get the auth scheme of the challenge. + std::string::const_iterator scheme_begin() const { return scheme_begin_; } + std::string::const_iterator scheme_end() const { return scheme_end_; } + std::string scheme() const { + return std::string(scheme_begin_, scheme_end_); + } + + HttpUtil::NameValuePairsIterator param_pairs() const; + std::string base64_param() const; + + private: + void Init(std::string::const_iterator begin, + std::string::const_iterator end); + + std::string::const_iterator begin_; + std::string::const_iterator end_; + + std::string::const_iterator scheme_begin_; + std::string::const_iterator scheme_end_; + + std::string::const_iterator params_begin_; + std::string::const_iterator params_end_; + }; +}; + +} // namespace net + +#endif // NET_HTTP_HTTP_AUTH_H_ |