1 // Copyright 2011 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_HTTP_HTTP_AUTH_H_ 6 #define NET_HTTP_HTTP_AUTH_H_ 7 8 #include <memory> 9 #include <set> 10 #include <string> 11 12 #include "base/values.h" 13 #include "net/base/auth.h" 14 #include "net/base/net_export.h" 15 16 template <class T> class scoped_refptr; 17 18 namespace url { 19 class SchemeHostPort; 20 } 21 22 namespace net { 23 24 class HttpAuthHandler; 25 class HttpAuthHandlerFactory; 26 class HttpResponseHeaders; 27 class HostResolver; 28 class NetLogWithSource; 29 class NetworkAnonymizationKey; 30 class SSLInfo; 31 32 // Utility class for http authentication. 33 class NET_EXPORT_PRIVATE HttpAuth { 34 public: 35 // Http authentication can be done to the proxy server, origin server, 36 // or both. This enum tracks who the target is. 37 enum Target { 38 AUTH_NONE = -1, 39 // We depend on the valid targets (!= AUTH_NONE) being usable as indexes 40 // in an array, so start from 0. 41 AUTH_PROXY = 0, 42 AUTH_SERVER = 1, 43 AUTH_NUM_TARGETS = 2, 44 }; 45 46 // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about 47 // the previous authorization attempt. 48 enum AuthorizationResult { 49 AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted, 50 // although there still may be additional 51 // rounds of challenges. 52 53 AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected. 54 55 AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the 56 // authorization attempt is stale, but 57 // otherwise the attempt was valid. 58 59 AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are 60 // poorly formed (the authorization attempt 61 // itself may have been fine). 62 63 AUTHORIZATION_RESULT_DIFFERENT_REALM, // The authorization 64 // attempt was rejected, 65 // but the realm associated 66 // with the new challenge 67 // is different from the 68 // previous attempt. 69 }; 70 71 // Describes where the identity used for authentication came from. 72 enum IdentitySource { 73 // Came from nowhere -- the identity is not initialized. 74 IDENT_SRC_NONE, 75 76 // The identity came from the auth cache, by doing a path-based 77 // lookup (premptive authorization). 78 IDENT_SRC_PATH_LOOKUP, 79 80 // The identity was extracted from a URL of the form: 81 // http://<username>:<password>@host:port 82 IDENT_SRC_URL, 83 84 // The identity was retrieved from the auth cache, by doing a 85 // realm lookup. 86 IDENT_SRC_REALM_LOOKUP, 87 88 // The identity was provided by RestartWithAuth -- it likely 89 // came from a prompt (or maybe the password manager). 90 IDENT_SRC_EXTERNAL, 91 92 // The identity used the default credentials for the computer, 93 // on schemes that support single sign-on. 94 IDENT_SRC_DEFAULT_CREDENTIALS, 95 }; 96 97 // Identifier for auth scheme. 98 // 99 // The values are used for calculating UMA buckets. Add but don't remove or 100 // reuse. 101 enum Scheme { 102 AUTH_SCHEME_BASIC = 0, 103 AUTH_SCHEME_DIGEST, 104 AUTH_SCHEME_NTLM, 105 AUTH_SCHEME_NEGOTIATE, 106 AUTH_SCHEME_SPDYPROXY, // No longer used. 107 AUTH_SCHEME_MOCK, 108 AUTH_SCHEME_MAX, 109 }; 110 111 // Type of Kerberos credentials delegation to be performed during 112 // authentication. 113 enum class DelegationType { 114 // Disallow delegation. 115 kNone, 116 // Delegate if approved by KDC policy. Implemented in GSSAPI. 117 kByKdcPolicy, 118 // Unconstrained delegation. On Windows, both kByKdcPolicy and 119 // kUnconstrained will check KDC policy. 120 kUnconstrained, 121 }; 122 123 // Helper structure used by HttpNetworkTransaction to track 124 // the current identity being used for authorization. 125 struct Identity { 126 Identity(); 127 128 IdentitySource source = IDENT_SRC_NONE; 129 bool invalid = true; 130 AuthCredentials credentials; 131 }; 132 133 // Get the name of the header containing the auth challenge 134 // (either WWW-Authenticate or Proxy-Authenticate). 135 static std::string GetChallengeHeaderName(Target target); 136 137 // Get the name of the header where the credentials go 138 // (either Authorization or Proxy-Authorization). 139 static std::string GetAuthorizationHeaderName(Target target); 140 141 // Returns a string representation of a Target value that can be used in log 142 // messages. 143 static std::string GetAuthTargetString(Target target); 144 145 // Returns a string representation of an authentication Scheme. 146 static const char* SchemeToString(Scheme scheme); 147 148 // Returns an authentication Scheme from a string which was produced by 149 // SchemeToString(). 150 static Scheme StringToScheme(const std::string& str); 151 152 // Returns a string representation of an authorization result. 153 static const char* AuthorizationResultToString( 154 AuthorizationResult authorization_result); 155 156 // Returns a value for logging an authorization result to a NetLog. 157 static base::Value::Dict NetLogAuthorizationResultParams( 158 const char* name, 159 AuthorizationResult authorization_result); 160 161 // Iterate through |response_headers|, and pick the best one that we support. 162 // Obtains the implementation class for handling the challenge, and passes it 163 // back in |*handler|. If no supported challenge was found, |*handler| is set 164 // to nullptr. 165 // 166 // |disabled_schemes| is the set of schemes that we should not use. 167 // 168 // |scheme_host_port| is used by the NTLM and Negotiation authentication 169 // scheme to construct the service principal name. It is ignored by other 170 // schemes. 171 // 172 // |ssl_info| is passed through to the scheme specific authentication handlers 173 // to use as appropriate. 174 static void ChooseBestChallenge( 175 HttpAuthHandlerFactory* http_auth_handler_factory, 176 const HttpResponseHeaders& response_headers, 177 const SSLInfo& ssl_info, 178 const NetworkAnonymizationKey& network_anonymization_key, 179 Target target, 180 const url::SchemeHostPort& scheme_host_port, 181 const std::set<Scheme>& disabled_schemes, 182 const NetLogWithSource& net_log, 183 HostResolver* host_resolver, 184 std::unique_ptr<HttpAuthHandler>* handler); 185 186 // Handle a 401/407 response from a server/proxy after a previous 187 // authentication attempt. For connection-based authentication schemes, the 188 // new response may be another round in a multi-round authentication sequence. 189 // For request-based schemes, a 401/407 response is typically treated like a 190 // rejection of the previous challenge, except in the Digest case when a 191 // "stale" attribute is present. 192 // 193 // |handler| must be non-nullptr, and is the HttpAuthHandler from the previous 194 // authentication round. 195 // 196 // |response_headers| must contain the new HTTP response. 197 // 198 // |target| specifies whether the authentication challenge response came 199 // from a server or a proxy. 200 // 201 // |disabled_schemes| are the authentication schemes to ignore. 202 // 203 // |challenge_used| is the text of the authentication challenge used in 204 // support of the returned AuthorizationResult. If no headers were used for 205 // the result (for example, all headers have unknown authentication schemes), 206 // the value is cleared. 207 static AuthorizationResult HandleChallengeResponse( 208 HttpAuthHandler* handler, 209 const HttpResponseHeaders& response_headers, 210 Target target, 211 const std::set<Scheme>& disabled_schemes, 212 std::string* challenge_used); 213 }; 214 215 } // namespace net 216 217 #endif // NET_HTTP_HTTP_AUTH_H_ 218