1 // Copyright 2010 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_auth_handler_factory.h"
6
7 #include <optional>
8 #include <set>
9 #include <string_view>
10
11 #include "base/containers/contains.h"
12 #include "base/memory/ptr_util.h"
13 #include "base/strings/string_util.h"
14 #include "build/build_config.h"
15 #include "net/base/net_errors.h"
16 #include "net/dns/host_resolver.h"
17 #include "net/http/http_auth_challenge_tokenizer.h"
18 #include "net/http/http_auth_filter.h"
19 #include "net/http/http_auth_handler_basic.h"
20 #include "net/http/http_auth_handler_digest.h"
21 #include "net/http/http_auth_handler_ntlm.h"
22 #include "net/http/http_auth_preferences.h"
23 #include "net/http/http_auth_scheme.h"
24 #include "net/log/net_log_values.h"
25 #include "net/net_buildflags.h"
26 #include "net/ssl/ssl_info.h"
27 #include "url/scheme_host_port.h"
28
29 #if BUILDFLAG(USE_KERBEROS)
30 #include "net/http/http_auth_handler_negotiate.h"
31 #endif
32
33 namespace net {
34
35 namespace {
36
NetLogParamsForCreateAuth(std::string_view scheme,std::string_view challenge,const int net_error,const url::SchemeHostPort & scheme_host_port,const std::optional<bool> & allows_default_credentials,NetLogCaptureMode capture_mode)37 base::Value::Dict NetLogParamsForCreateAuth(
38 std::string_view scheme,
39 std::string_view challenge,
40 const int net_error,
41 const url::SchemeHostPort& scheme_host_port,
42 const std::optional<bool>& allows_default_credentials,
43 NetLogCaptureMode capture_mode) {
44 base::Value::Dict dict;
45 dict.Set("scheme", NetLogStringValue(scheme));
46 if (NetLogCaptureIncludesSensitive(capture_mode)) {
47 dict.Set("challenge", NetLogStringValue(challenge));
48 }
49 dict.Set("origin", scheme_host_port.Serialize());
50 if (allows_default_credentials)
51 dict.Set("allows_default_credentials", *allows_default_credentials);
52 if (net_error < 0)
53 dict.Set("net_error", net_error);
54 return dict;
55 }
56
57 } // namespace
58
CreateAuthHandlerFromString(std::string_view challenge,HttpAuth::Target target,const SSLInfo & ssl_info,const NetworkAnonymizationKey & network_anonymization_key,const url::SchemeHostPort & scheme_host_port,const NetLogWithSource & net_log,HostResolver * host_resolver,std::unique_ptr<HttpAuthHandler> * handler)59 int HttpAuthHandlerFactory::CreateAuthHandlerFromString(
60 std::string_view challenge,
61 HttpAuth::Target target,
62 const SSLInfo& ssl_info,
63 const NetworkAnonymizationKey& network_anonymization_key,
64 const url::SchemeHostPort& scheme_host_port,
65 const NetLogWithSource& net_log,
66 HostResolver* host_resolver,
67 std::unique_ptr<HttpAuthHandler>* handler) {
68 HttpAuthChallengeTokenizer props(challenge);
69 return CreateAuthHandler(&props, target, ssl_info, network_anonymization_key,
70 scheme_host_port, CREATE_CHALLENGE, 1, net_log,
71 host_resolver, handler);
72 }
73
CreatePreemptiveAuthHandlerFromString(const std::string & challenge,HttpAuth::Target target,const NetworkAnonymizationKey & network_anonymization_key,const url::SchemeHostPort & scheme_host_port,int digest_nonce_count,const NetLogWithSource & net_log,HostResolver * host_resolver,std::unique_ptr<HttpAuthHandler> * handler)74 int HttpAuthHandlerFactory::CreatePreemptiveAuthHandlerFromString(
75 const std::string& challenge,
76 HttpAuth::Target target,
77 const NetworkAnonymizationKey& network_anonymization_key,
78 const url::SchemeHostPort& scheme_host_port,
79 int digest_nonce_count,
80 const NetLogWithSource& net_log,
81 HostResolver* host_resolver,
82 std::unique_ptr<HttpAuthHandler>* handler) {
83 HttpAuthChallengeTokenizer props(challenge);
84 SSLInfo null_ssl_info;
85 return CreateAuthHandler(&props, target, null_ssl_info,
86 network_anonymization_key, scheme_host_port,
87 CREATE_PREEMPTIVE, digest_nonce_count, net_log,
88 host_resolver, handler);
89 }
90
HttpAuthHandlerRegistryFactory(const HttpAuthPreferences * http_auth_preferences)91 HttpAuthHandlerRegistryFactory::HttpAuthHandlerRegistryFactory(
92 const HttpAuthPreferences* http_auth_preferences) {
93 set_http_auth_preferences(http_auth_preferences);
94 }
95
96 HttpAuthHandlerRegistryFactory::~HttpAuthHandlerRegistryFactory() = default;
97
SetHttpAuthPreferences(const std::string & scheme,const HttpAuthPreferences * prefs)98 void HttpAuthHandlerRegistryFactory::SetHttpAuthPreferences(
99 const std::string& scheme,
100 const HttpAuthPreferences* prefs) {
101 HttpAuthHandlerFactory* factory = GetSchemeFactory(scheme);
102 if (factory)
103 factory->set_http_auth_preferences(prefs);
104 }
105
RegisterSchemeFactory(const std::string & scheme,std::unique_ptr<HttpAuthHandlerFactory> factory)106 void HttpAuthHandlerRegistryFactory::RegisterSchemeFactory(
107 const std::string& scheme,
108 std::unique_ptr<HttpAuthHandlerFactory> factory) {
109 std::string lower_scheme = base::ToLowerASCII(scheme);
110 if (factory) {
111 factory->set_http_auth_preferences(http_auth_preferences());
112 factory_map_[lower_scheme] = std::move(factory);
113 } else {
114 factory_map_.erase(lower_scheme);
115 }
116 }
117
118 // static
119 std::unique_ptr<HttpAuthHandlerRegistryFactory>
CreateDefault(const HttpAuthPreferences * prefs,const std::string & gssapi_library_name,HttpAuthMechanismFactory negotiate_auth_system_factory)120 HttpAuthHandlerFactory::CreateDefault(
121 const HttpAuthPreferences* prefs
122 #if BUILDFLAG(USE_EXTERNAL_GSSAPI)
123 ,
124 const std::string& gssapi_library_name
125 #endif
126 #if BUILDFLAG(USE_KERBEROS)
127 ,
128 HttpAuthMechanismFactory negotiate_auth_system_factory
129 #endif
130 ) {
131 return HttpAuthHandlerRegistryFactory::Create(prefs
132 #if BUILDFLAG(USE_EXTERNAL_GSSAPI)
133 ,
134 gssapi_library_name
135 #endif
136 #if BUILDFLAG(USE_KERBEROS)
137 ,
138 negotiate_auth_system_factory
139 #endif
140 );
141 }
142
143 // static
144 std::unique_ptr<HttpAuthHandlerRegistryFactory>
Create(const HttpAuthPreferences * prefs,const std::string & gssapi_library_name,HttpAuthMechanismFactory negotiate_auth_system_factory)145 HttpAuthHandlerRegistryFactory::Create(
146 const HttpAuthPreferences* prefs
147 #if BUILDFLAG(USE_EXTERNAL_GSSAPI)
148 ,
149 const std::string& gssapi_library_name
150 #endif
151 #if BUILDFLAG(USE_KERBEROS)
152 ,
153 HttpAuthMechanismFactory negotiate_auth_system_factory
154 #endif
155 ) {
156 auto registry_factory =
157 std::make_unique<HttpAuthHandlerRegistryFactory>(prefs);
158
159 registry_factory->RegisterSchemeFactory(
160 kBasicAuthScheme, std::make_unique<HttpAuthHandlerBasic::Factory>());
161
162 registry_factory->RegisterSchemeFactory(
163 kDigestAuthScheme, std::make_unique<HttpAuthHandlerDigest::Factory>());
164
165 auto ntlm_factory = std::make_unique<HttpAuthHandlerNTLM::Factory>();
166 #if BUILDFLAG(IS_WIN)
167 ntlm_factory->set_sspi_library(
168 std::make_unique<SSPILibraryDefault>(NTLMSP_NAME));
169 #endif // BUILDFLAG(IS_WIN)
170 registry_factory->RegisterSchemeFactory(kNtlmAuthScheme,
171 std::move(ntlm_factory));
172
173 #if BUILDFLAG(USE_KERBEROS)
174 auto negotiate_factory = std::make_unique<HttpAuthHandlerNegotiate::Factory>(
175 negotiate_auth_system_factory);
176 #if BUILDFLAG(IS_WIN)
177 negotiate_factory->set_library(
178 std::make_unique<SSPILibraryDefault>(NEGOSSP_NAME));
179 #elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
180 negotiate_factory->set_library(
181 std::make_unique<GSSAPISharedLibrary>(gssapi_library_name));
182 #endif
183 registry_factory->RegisterSchemeFactory(kNegotiateAuthScheme,
184 std::move(negotiate_factory));
185 #endif // BUILDFLAG(USE_KERBEROS)
186
187 if (prefs) {
188 registry_factory->set_http_auth_preferences(prefs);
189 for (auto& factory_entry : registry_factory->factory_map_) {
190 factory_entry.second->set_http_auth_preferences(prefs);
191 }
192 }
193 return registry_factory;
194 }
195
CreateAuthHandler(HttpAuthChallengeTokenizer * challenge,HttpAuth::Target target,const SSLInfo & ssl_info,const NetworkAnonymizationKey & network_anonymization_key,const url::SchemeHostPort & scheme_host_port,CreateReason reason,int digest_nonce_count,const NetLogWithSource & net_log,HostResolver * host_resolver,std::unique_ptr<HttpAuthHandler> * handler)196 int HttpAuthHandlerRegistryFactory::CreateAuthHandler(
197 HttpAuthChallengeTokenizer* challenge,
198 HttpAuth::Target target,
199 const SSLInfo& ssl_info,
200 const NetworkAnonymizationKey& network_anonymization_key,
201 const url::SchemeHostPort& scheme_host_port,
202 CreateReason reason,
203 int digest_nonce_count,
204 const NetLogWithSource& net_log,
205 HostResolver* host_resolver,
206 std::unique_ptr<HttpAuthHandler>* handler) {
207 auto scheme = challenge->auth_scheme();
208
209 int net_error;
210 if (scheme.empty()) {
211 handler->reset();
212 net_error = ERR_INVALID_RESPONSE;
213 } else {
214 bool all_schemes_allowed_for_origin =
215 http_auth_preferences() &&
216 http_auth_preferences()->IsAllowedToUseAllHttpAuthSchemes(
217 scheme_host_port);
218 auto* factory = all_schemes_allowed_for_origin || IsSchemeAllowed(scheme)
219 ? GetSchemeFactory(scheme)
220 : nullptr;
221 if (!factory) {
222 handler->reset();
223 net_error = ERR_UNSUPPORTED_AUTH_SCHEME;
224 } else {
225 net_error = factory->CreateAuthHandler(
226 challenge, target, ssl_info, network_anonymization_key,
227 scheme_host_port, reason, digest_nonce_count, net_log, host_resolver,
228 handler);
229 }
230 }
231
232 net_log.AddEvent(
233 NetLogEventType::AUTH_HANDLER_CREATE_RESULT,
234 [&](NetLogCaptureMode capture_mode) {
235 return NetLogParamsForCreateAuth(
236 scheme, challenge->challenge_text(), net_error, scheme_host_port,
237 *handler
238 ? std::make_optional((*handler)->AllowsDefaultCredentials())
239 : std::nullopt,
240 capture_mode);
241 });
242 return net_error;
243 }
244
IsSchemeAllowedForTesting(const std::string & scheme) const245 bool HttpAuthHandlerRegistryFactory::IsSchemeAllowedForTesting(
246 const std::string& scheme) const {
247 return IsSchemeAllowed(scheme);
248 }
249
IsSchemeAllowed(const std::string & scheme) const250 bool HttpAuthHandlerRegistryFactory::IsSchemeAllowed(
251 const std::string& scheme) const {
252 const std::set<std::string>& allowed_schemes =
253 http_auth_preferences() && http_auth_preferences()->allowed_schemes()
254 ? *http_auth_preferences()->allowed_schemes()
255 : default_auth_schemes_;
256 return allowed_schemes.find(scheme) != allowed_schemes.end();
257 }
258
259 #if BUILDFLAG(USE_KERBEROS) && !BUILDFLAG(IS_ANDROID) && BUILDFLAG(IS_POSIX)
260 std::optional<std::string>
GetNegotiateLibraryNameForTesting() const261 HttpAuthHandlerRegistryFactory::GetNegotiateLibraryNameForTesting() const {
262 if (!IsSchemeAllowed(kNegotiateAuthScheme))
263 return std::nullopt;
264
265 return reinterpret_cast<HttpAuthHandlerNegotiate::Factory*>(
266 GetSchemeFactory(kNegotiateAuthScheme))
267 ->GetLibraryNameForTesting(); // IN-TEST
268 }
269 #endif
270
GetSchemeFactory(const std::string & scheme) const271 HttpAuthHandlerFactory* HttpAuthHandlerRegistryFactory::GetSchemeFactory(
272 const std::string& scheme) const {
273 std::string lower_scheme = base::ToLowerASCII(scheme);
274 auto it = factory_map_.find(lower_scheme);
275 if (it == factory_map_.end()) {
276 return nullptr; // |scheme| is not registered.
277 }
278 return it->second.get();
279 }
280
281 } // namespace net
282