// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_AUTH_H_
#define NET_HTTP_HTTP_AUTH_H_

#include <memory>
#include <set>
#include <string>

#include "base/values.h"
#include "net/base/auth.h"
#include "net/base/net_export.h"

template <class T> class scoped_refptr;

namespace url {
class SchemeHostPort;
}

namespace net {

class HttpAuthHandler;
class HttpAuthHandlerFactory;
class HttpResponseHeaders;
class HostResolver;
class NetLogWithSource;
class NetworkAnonymizationKey;
class SSLInfo;

// Utility class for HTTP authentication. Everything declared here is either a
// nested type or a static function; the class declares no data members of its
// own. The functions that take an HttpResponseHeaders operate on challenge
// headers, which are supplied by the remote server or proxy.
class NET_EXPORT_PRIVATE HttpAuth {
 public:
  // Http authentication can be done to the proxy server, origin server,
  // or both. This enum tracks who the target is.
  enum Target {
    // Not a valid target. Its value is -1, so it must be excluded before a
    // Target is used as an array index.
    AUTH_NONE = -1,
    // We depend on the valid targets (!= AUTH_NONE) being usable as indexes
    // in an array, so start from 0.
    AUTH_PROXY = 0,
    AUTH_SERVER = 1,
    // One past the last valid target (presumably the size of arrays indexed
    // by Target -- confirm at the use sites).
    AUTH_NUM_TARGETS = 2,
  };

  // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about
  // the previous authorization attempt.
  enum AuthorizationResult {
    // The authorization attempt was accepted, although there still may be
    // additional rounds of challenges.
    AUTHORIZATION_RESULT_ACCEPT,

    // The authorization attempt was rejected.
    AUTHORIZATION_RESULT_REJECT,

    // (Digest) The nonce used in the authorization attempt is stale, but
    // otherwise the attempt was valid.
    AUTHORIZATION_RESULT_STALE,

    // The authentication challenge headers are poorly formed (the
    // authorization attempt itself may have been fine).
    AUTHORIZATION_RESULT_INVALID,

    // The authorization attempt was rejected, but the realm associated with
    // the new challenge is different from the previous attempt.
    AUTHORIZATION_RESULT_DIFFERENT_REALM,
  };

  // Describes where the identity used for authentication came from.
  enum IdentitySource {
    // Came from nowhere -- the identity is not initialized.
    IDENT_SRC_NONE,

    // The identity came from the auth cache, by doing a path-based
    // lookup (preemptive authorization).
    IDENT_SRC_PATH_LOOKUP,

    // The identity was extracted from a URL of the form:
    // http://<username>:<password>@host:port
    // In this form the password is part of the URL text itself, so it is
    // present wherever that URL string is copied, stored or logged.
    IDENT_SRC_URL,

    // The identity was retrieved from the auth cache, by doing a
    // realm lookup.
    IDENT_SRC_REALM_LOOKUP,

    // The identity was provided by RestartWithAuth -- it likely
    // came from a prompt (or maybe the password manager).
    IDENT_SRC_EXTERNAL,

    // The identity used the default credentials for the computer,
    // on schemes that support single sign-on.
    // NOTE(review): the policy that decides which servers may receive the
    // default credentials is not visible in this header -- confirm where it
    // is enforced.
    IDENT_SRC_DEFAULT_CREDENTIALS,
  };

  // Identifier for auth scheme.
  //
  // The values are used for calculating UMA buckets. Add but don't remove or
  // reuse.
  //
  // Only AUTH_SCHEME_BASIC has an explicit value; the rest are numbered by
  // declaration order, so inserting an enumerator in the middle of the list
  // would renumber every enumerator after it.
  enum Scheme {
    AUTH_SCHEME_BASIC = 0,
    AUTH_SCHEME_DIGEST,
    AUTH_SCHEME_NTLM,
    AUTH_SCHEME_NEGOTIATE,
    AUTH_SCHEME_SPDYPROXY,  // No longer used.
    AUTH_SCHEME_MOCK,
    // Presumably a count/sentinel rather than a real scheme -- confirm against
    // the callers that record the UMA buckets.
    AUTH_SCHEME_MAX,
  };

  // Type of Kerberos credentials delegation to be performed during
  // authentication.
  //
  // kNone is the first enumerator, so a value-initialized DelegationType
  // disallows delegation. Delegation allows the authenticated service to act
  // on the user's behalf, so the least permissive value that meets the
  // deployment's needs is the one to configure.
  enum class DelegationType {
    // Disallow delegation.
    kNone,
    // Delegate if approved by KDC policy. Implemented in GSSAPI.
    kByKdcPolicy,
    // Unconstrained delegation. On Windows, both kByKdcPolicy and
    // kUnconstrained will check KDC policy.
    kUnconstrained,
  };

  // Helper structure used by HttpNetworkTransaction to track
  // the current identity being used for authorization.
  struct Identity {
    // Defined outside this header. The in-class initializers below give the
    // starting state unless that definition overrides them.
    Identity();

    // Where |credentials| came from; starts as "not initialized".
    IdentitySource source = IDENT_SRC_NONE;
    // Starts out true, i.e. a new Identity is marked invalid.
    bool invalid = true;
    // The credentials for this identity. NOTE(review): AuthCredentials
    // presumably comes from net/base/auth.h; treat its contents as secret and
    // keep them out of log output.
    AuthCredentials credentials;
  };

  // Get the name of the header containing the auth challenge
  // (either WWW-Authenticate or Proxy-Authenticate).
  static std::string GetChallengeHeaderName(Target target);

  // Get the name of the header where the credentials go
  // (either Authorization or Proxy-Authorization).
  static std::string GetAuthorizationHeaderName(Target target);

  // Returns a string representation of a Target value that can be used in log
  // messages.
  static std::string GetAuthTargetString(Target target);

  // Returns a string representation of an authentication Scheme.
  static const char* SchemeToString(Scheme scheme);

  // Returns an authentication Scheme from a string which was produced by
  // SchemeToString().
  // NOTE(review): the result for a string that SchemeToString() did not
  // produce is not stated here -- check the definition before passing text
  // that originates from the network.
  static Scheme StringToScheme(const std::string& str);

  // Returns a string representation of an authorization result.
  static const char* AuthorizationResultToString(
      AuthorizationResult authorization_result);

  // Returns a value for logging an authorization result to a NetLog.
  static base::Value::Dict NetLogAuthorizationResultParams(
      const char* name,
      AuthorizationResult authorization_result);

  // Iterate through |response_headers|, and pick the best one that we support.
  // Obtains the implementation class for handling the challenge, and passes it
  // back in |*handler|. If no supported challenge was found, |*handler| is set
  // to nullptr.
  //
  // The set of challenges offered is chosen by the server or proxy that sent
  // |response_headers|. NOTE(review): the ranking that defines "best" is not
  // visible in this header; of the parameters shown here, |disabled_schemes|
  // is the caller-side control for excluding a scheme from selection.
  //
  // |disabled_schemes| is the set of schemes that we should not use.
  //
  // |scheme_host_port| is used by the NTLM and Negotiate authentication
  // schemes to construct the service principal name. It is ignored by other
  // schemes.
  //
  // |ssl_info| is passed through to the scheme specific authentication handlers
  // to use as appropriate.
  //
  // |http_auth_handler_factory|, |network_anonymization_key|, |net_log| and
  // |host_resolver| are not described here; presumably they are forwarded to
  // handler creation -- see the definition.
  static void ChooseBestChallenge(
      HttpAuthHandlerFactory* http_auth_handler_factory,
      const HttpResponseHeaders& response_headers,
      const SSLInfo& ssl_info,
      const NetworkAnonymizationKey& network_anonymization_key,
      Target target,
      const url::SchemeHostPort& scheme_host_port,
      const std::set<Scheme>& disabled_schemes,
      const NetLogWithSource& net_log,
      HostResolver* host_resolver,
      std::unique_ptr<HttpAuthHandler>* handler);

  // Handle a 401/407 response from a server/proxy after a previous
  // authentication attempt. For connection-based authentication schemes, the
  // new response may be another round in a multi-round authentication sequence.
  // For request-based schemes, a 401/407 response is typically treated like a
  // rejection of the previous challenge, except in the Digest case when a
  // "stale" attribute is present.
  //
  // |handler| must be non-nullptr, and is the HttpAuthHandler from the previous
  // authentication round.
  //
  // |response_headers| must contain the new HTTP response.
  //
  // |target| specifies whether the authentication challenge response came
  // from a server or a proxy.
  //
  // |disabled_schemes| are the authentication schemes to ignore.
  //
  // |challenge_used| is the text of the authentication challenge used in
  // support of the returned AuthorizationResult. If no headers were used for
  // the result (for example, all headers have unknown authentication schemes),
  // the value is cleared. The text is taken from the response, so it is
  // server- or proxy-controlled and should be handled as untrusted wherever it
  // is logged or displayed.
  static AuthorizationResult HandleChallengeResponse(
      HttpAuthHandler* handler,
      const HttpResponseHeaders& response_headers,
      Target target,
      const std::set<Scheme>& disabled_schemes,
      std::string* challenge_used);
};

}  // namespace net

#endif  // NET_HTTP_HTTP_AUTH_H_