src/net/http/http_auth_controller.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/http/http_auth_controller.h"
   6
   7 #include "base/bind.h"
   8 #include "base/bind_helpers.h"
   9 #include "base/metrics/histogram.h"
  10 #include "base/strings/string_util.h"
  11 #include "base/strings/utf_string_conversions.h"
  12 #include "base/threading/platform_thread.h"
  13 #include "net/base/auth.h"
  14 #include "net/base/net_util.h"
  15 #include "net/dns/host_resolver.h"
  16 #include "net/http/http_auth_handler.h"
  17 #include "net/http/http_auth_handler_factory.h"
  18 #include "net/http/http_network_session.h"
  19 #include "net/http/http_request_headers.h"
  20 #include "net/http/http_request_info.h"
  21 #include "net/http/http_response_headers.h"
  22
  23 namespace net {
  24
  25 namespace {
  26
  27 // Returns a log message for all the response headers related to the auth
  28 // challenge.
  29 std::string AuthChallengeLogMessage(HttpResponseHeaders* headers) {
  30   std::string msg;
  31   std::string header_val;
  32   void* iter = NULL;
  33   while (headers->EnumerateHeader(&iter, "proxy-authenticate", &header_val)) {
  34     msg.append("\n  Has header Proxy-Authenticate: ");
  35     msg.append(header_val);
  36   }
  37
  38   iter = NULL;
  39   while (headers->EnumerateHeader(&iter, "www-authenticate", &header_val)) {
  40     msg.append("\n  Has header WWW-Authenticate: ");
  41     msg.append(header_val);
  42   }
  43
  44   // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
  45   // authentication with a "Proxy-Support: Session-Based-Authentication"
  46   // response header.
  47   iter = NULL;
  48   while (headers->EnumerateHeader(&iter, "proxy-support", &header_val)) {
  49     msg.append("\n  Has header Proxy-Support: ");
  50     msg.append(header_val);
  51   }
  52
  53   return msg;
  54 }
  55
  56 enum AuthEvent {
  57   AUTH_EVENT_START = 0,
  58   AUTH_EVENT_REJECT,
  59   AUTH_EVENT_MAX,
  60 };
  61
  62 enum AuthTarget {
  63   AUTH_TARGET_PROXY = 0,
  64   AUTH_TARGET_SECURE_PROXY,
  65   AUTH_TARGET_SERVER,
  66   AUTH_TARGET_SECURE_SERVER,
  67   AUTH_TARGET_MAX,
  68 };
  69
  70 AuthTarget DetermineAuthTarget(const HttpAuthHandler* handler) {
  71   switch (handler->target()) {
  72     case HttpAuth::AUTH_PROXY:
  73       if (handler->origin().SchemeIsSecure())
  74         return AUTH_TARGET_SECURE_PROXY;
  75       else
  76         return AUTH_TARGET_PROXY;
  77     case HttpAuth::AUTH_SERVER:
  78       if (handler->origin().SchemeIsSecure())
  79         return AUTH_TARGET_SECURE_SERVER;
  80       else
  81         return AUTH_TARGET_SERVER;
  82     default:
  83       NOTREACHED();
  84       return AUTH_TARGET_MAX;
  85   }
  86 }
  87
  88 // Records the number of authentication events per authentication scheme.
  89 void HistogramAuthEvent(HttpAuthHandler* handler, AuthEvent auth_event) {
  90 #if !defined(NDEBUG)
  91   // Note: The on-same-thread check is intentionally not using a lock
  92   // to protect access to first_thread. This method is meant to be only
  93   // used on the same thread, in which case there are no race conditions. If
  94   // there are race conditions (say, a read completes during a partial write),
  95   // the DCHECK will correctly fail.
  96   static base::PlatformThreadId first_thread =
  97       base::PlatformThread::CurrentId();
  98   DCHECK_EQ(first_thread, base::PlatformThread::CurrentId());
  99 #endif
 100
 101   HttpAuth::Scheme auth_scheme = handler->auth_scheme();
 102   DCHECK(auth_scheme >= 0 && auth_scheme < HttpAuth::AUTH_SCHEME_MAX);
 103
 104   // Record start and rejection events for authentication.
 105   //
 106   // The results map to:
 107   //   Basic Start: 0
 108   //   Basic Reject: 1
 109   //   Digest Start: 2
 110   //   Digest Reject: 3
 111   //   NTLM Start: 4
 112   //   NTLM Reject: 5
 113   //   Negotiate Start: 6
 114   //   Negotiate Reject: 7
 115   static const int kEventBucketsEnd =
 116       HttpAuth::AUTH_SCHEME_MAX * AUTH_EVENT_MAX;
 117   int event_bucket = auth_scheme * AUTH_EVENT_MAX + auth_event;
 118   DCHECK(event_bucket >= 0 && event_bucket < kEventBucketsEnd);
 119   UMA_HISTOGRAM_ENUMERATION("Net.HttpAuthCount", event_bucket,
 120                             kEventBucketsEnd);
 121
 122   // Record the target of the authentication.
 123   //
 124   // The results map to:
 125   //   Basic Proxy: 0
 126   //   Basic Secure Proxy: 1
 127   //   Basic Server: 2
 128   //   Basic Secure Server: 3
 129   //   Digest Proxy: 4
 130   //   Digest Secure Proxy: 5
 131   //   Digest Server: 6
 132   //   Digest Secure Server: 7
 133   //   NTLM Proxy: 8
 134   //   NTLM Secure Proxy: 9
 135   //   NTLM Server: 10
 136   //   NTLM Secure Server: 11
 137   //   Negotiate Proxy: 12
 138   //   Negotiate Secure Proxy: 13
 139   //   Negotiate Server: 14
 140   //   Negotiate Secure Server: 15
 141   if (auth_event != AUTH_EVENT_START)
 142     return;
 143   static const int kTargetBucketsEnd =
 144       HttpAuth::AUTH_SCHEME_MAX * AUTH_TARGET_MAX;
 145   AuthTarget auth_target = DetermineAuthTarget(handler);
 146   int target_bucket = auth_scheme * AUTH_TARGET_MAX + auth_target;
 147   DCHECK(target_bucket >= 0 && target_bucket < kTargetBucketsEnd);
 148   UMA_HISTOGRAM_ENUMERATION("Net.HttpAuthTarget", target_bucket,
 149                             kTargetBucketsEnd);
 150 }
 151
 152 }  // namespace
 153
 154 HttpAuthController::HttpAuthController(
 155     HttpAuth::Target target,
 156     const GURL& auth_url,
 157     HttpAuthCache* http_auth_cache,
 158     HttpAuthHandlerFactory* http_auth_handler_factory)
 159     : target_(target),
 160       auth_url_(auth_url),
 161       auth_origin_(auth_url.GetOrigin()),
 162       auth_path_(HttpAuth::AUTH_PROXY ? std::string() : auth_url.path()),
 163       embedded_identity_used_(false),
 164       default_credentials_used_(false),
 165       http_auth_cache_(http_auth_cache),
 166       http_auth_handler_factory_(http_auth_handler_factory) {
 167 }
 168
 169 HttpAuthController::~HttpAuthController() {
 170   DCHECK(CalledOnValidThread());
 171 }
 172
 173 int HttpAuthController::MaybeGenerateAuthToken(
 174     const HttpRequestInfo* request, const CompletionCallback& callback,
 175     const BoundNetLog& net_log) {
 176   DCHECK(CalledOnValidThread());
 177   bool needs_auth = HaveAuth() || SelectPreemptiveAuth(net_log);
 178   if (!needs_auth)
 179     return OK;
 180   const AuthCredentials* credentials = NULL;
 181   if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS)
 182     credentials = &identity_.credentials;
 183   DCHECK(auth_token_.empty());
 184   DCHECK(callback_.is_null());
 185   int rv = handler_->GenerateAuthToken(
 186       credentials, request,
 187       base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
 188       &auth_token_);
 189   if (DisableOnAuthHandlerResult(rv))
 190     rv = OK;
 191   if (rv == ERR_IO_PENDING)
 192     callback_ = callback;
 193   else
 194     OnIOComplete(rv);
 195   return rv;
 196 }
 197
 198 bool HttpAuthController::SelectPreemptiveAuth(const BoundNetLog& net_log) {
 199   DCHECK(CalledOnValidThread());
 200   DCHECK(!HaveAuth());
 201   DCHECK(identity_.invalid);
 202
 203   // Don't do preemptive authorization if the URL contains a username:password,
 204   // since we must first be challenged in order to use the URL's identity.
 205   if (auth_url_.has_username())
 206     return false;
 207
 208   // SelectPreemptiveAuth() is on the critical path for each request, so it
 209   // is expected to be fast. LookupByPath() is fast in the common case, since
 210   // the number of http auth cache entries is expected to be very small.
 211   // (For most users in fact, it will be 0.)
 212   HttpAuthCache::Entry* entry = http_auth_cache_->LookupByPath(
 213       auth_origin_, auth_path_);
 214   if (!entry)
 215     return false;
 216
 217   // Try to create a handler using the previous auth challenge.
 218   scoped_ptr<HttpAuthHandler> handler_preemptive;
 219   int rv_create = http_auth_handler_factory_->
 220       CreatePreemptiveAuthHandlerFromString(entry->auth_challenge(), target_,
 221                                             auth_origin_,
 222                                             entry->IncrementNonceCount(),
 223                                             net_log, &handler_preemptive);
 224   if (rv_create != OK)
 225     return false;
 226
 227   // Set the state
 228   identity_.source = HttpAuth::IDENT_SRC_PATH_LOOKUP;
 229   identity_.invalid = false;
 230   identity_.credentials = entry->credentials();
 231   handler_.swap(handler_preemptive);
 232   return true;
 233 }
 234
 235 void HttpAuthController::AddAuthorizationHeader(
 236     HttpRequestHeaders* authorization_headers) {
 237   DCHECK(CalledOnValidThread());
 238   DCHECK(HaveAuth());
 239   // auth_token_ can be empty if we encountered a permanent error with
 240   // the auth scheme and want to retry.
 241   if (!auth_token_.empty()) {
 242     authorization_headers->SetHeader(
 243         HttpAuth::GetAuthorizationHeaderName(target_), auth_token_);
 244     auth_token_.clear();
 245   }
 246 }
 247
 248 int HttpAuthController::HandleAuthChallenge(
 249     scoped_refptr<HttpResponseHeaders> headers,
 250     bool do_not_send_server_auth,
 251     bool establishing_tunnel,
 252     const BoundNetLog& net_log) {
 253   DCHECK(CalledOnValidThread());
 254   DCHECK(headers.get());
 255   DCHECK(auth_origin_.is_valid());
 256   VLOG(1) << "The " << HttpAuth::GetAuthTargetString(target_) << " "
 257           << auth_origin_ << " requested auth "
 258           << AuthChallengeLogMessage(headers.get());
 259
 260   // Give the existing auth handler first try at the authentication headers.
 261   // This will also evict the entry in the HttpAuthCache if the previous
 262   // challenge appeared to be rejected, or is using a stale nonce in the Digest
 263   // case.
 264   if (HaveAuth()) {
 265     std::string challenge_used;
 266     HttpAuth::AuthorizationResult result =
 267         HttpAuth::HandleChallengeResponse(handler_.get(),
 268                                           headers.get(),
 269                                           target_,
 270                                           disabled_schemes_,
 271                                           &challenge_used);
 272     switch (result) {
 273       case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
 274         break;
 275       case HttpAuth::AUTHORIZATION_RESULT_INVALID:
 276         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
 277         break;
 278       case HttpAuth::AUTHORIZATION_RESULT_REJECT:
 279         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
 280         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
 281         break;
 282       case HttpAuth::AUTHORIZATION_RESULT_STALE:
 283         if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
 284                                                    handler_->realm(),
 285                                                    handler_->auth_scheme(),
 286                                                    challenge_used)) {
 287           InvalidateCurrentHandler(INVALIDATE_HANDLER);
 288         } else {
 289           // It's possible that a server could incorrectly issue a stale
 290           // response when the entry is not in the cache. Just evict the
 291           // current value from the cache.
 292           InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
 293         }
 294         break;
 295       case HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM:
 296         // If the server changes the authentication realm in a
 297         // subsequent challenge, invalidate cached credentials for the
 298         // previous realm.  If the server rejects a preemptive
 299         // authorization and requests credentials for a different
 300         // realm, we keep the cached credentials.
 301         InvalidateCurrentHandler(
 302             (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP) ?
 303             INVALIDATE_HANDLER :
 304             INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
 305         break;
 306       default:
 307         NOTREACHED();
 308         break;
 309     }
 310   }
 311
 312   identity_.invalid = true;
 313
 314   bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
 315                         !do_not_send_server_auth);
 316
 317   do {
 318     if (!handler_.get() && can_send_auth) {
 319       // Find the best authentication challenge that we support.
 320       HttpAuth::ChooseBestChallenge(http_auth_handler_factory_,
 321                                     headers.get(),
 322                                     target_,
 323                                     auth_origin_,
 324                                     disabled_schemes_,
 325                                     net_log,
 326                                     &handler_);
 327       if (handler_.get())
 328         HistogramAuthEvent(handler_.get(), AUTH_EVENT_START);
 329     }
 330
 331     if (!handler_.get()) {
 332       if (establishing_tunnel) {
 333         LOG(ERROR) << "Can't perform auth to the "
 334                    << HttpAuth::GetAuthTargetString(target_) << " "
 335                    << auth_origin_ << " when establishing a tunnel"
 336                    << AuthChallengeLogMessage(headers.get());
 337
 338         // We are establishing a tunnel, we can't show the error page because an
 339         // active network attacker could control its contents.  Instead, we just
 340         // fail to establish the tunnel.
 341         DCHECK(target_ == HttpAuth::AUTH_PROXY);
 342         return ERR_PROXY_AUTH_UNSUPPORTED;
 343       }
 344       // We found no supported challenge -- let the transaction continue so we
 345       // end up displaying the error page.
 346       return OK;
 347     }
 348
 349     if (handler_->NeedsIdentity()) {
 350       // Pick a new auth identity to try, by looking to the URL and auth cache.
 351       // If an identity to try is found, it is saved to identity_.
 352       SelectNextAuthIdentityToTry();
 353     } else {
 354       // Proceed with the existing identity or a null identity.
 355       identity_.invalid = false;
 356     }
 357
 358     // From this point on, we are restartable.
 359
 360     if (identity_.invalid) {
 361       // We have exhausted all identity possibilities.
 362       if (!handler_->AllowsExplicitCredentials()) {
 363         // If the handler doesn't accept explicit credentials, then we need to
 364         // choose a different auth scheme.
 365         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
 366         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_DISABLE_SCHEME);
 367       } else {
 368         // Pass the challenge information back to the client.
 369         PopulateAuthChallenge();
 370       }
 371     } else {
 372       auth_info_ = NULL;
 373     }
 374
 375     // If we get here and we don't have a handler_, that's because we
 376     // invalidated it due to not having any viable identities to use with it. Go
 377     // back and try again.
 378     // TODO(asanka): Instead we should create a priority list of
 379     //     <handler,identity> and iterate through that.
 380   } while(!handler_.get());
 381   return OK;
 382 }
 383
 384 void HttpAuthController::ResetAuth(const AuthCredentials& credentials) {
 385   DCHECK(CalledOnValidThread());
 386   DCHECK(identity_.invalid || credentials.Empty());
 387
 388   if (identity_.invalid) {
 389     // Update the credentials.
 390     identity_.source = HttpAuth::IDENT_SRC_EXTERNAL;
 391     identity_.invalid = false;
 392     identity_.credentials = credentials;
 393   }
 394
 395   DCHECK(identity_.source != HttpAuth::IDENT_SRC_PATH_LOOKUP);
 396
 397   // Add the auth entry to the cache before restarting. We don't know whether
 398   // the identity is valid yet, but if it is valid we want other transactions
 399   // to know about it. If an entry for (origin, handler->realm()) already
 400   // exists, we update it.
 401   //
 402   // If identity_.source is HttpAuth::IDENT_SRC_NONE or
 403   // HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS, identity_ contains no
 404   // identity because identity is not required yet or we're using default
 405   // credentials.
 406   //
 407   // TODO(wtc): For NTLM_SSPI, we add the same auth entry to the cache in
 408   // round 1 and round 2, which is redundant but correct.  It would be nice
 409   // to add an auth entry to the cache only once, preferrably in round 1.
 410   // See http://crbug.com/21015.
 411   switch (identity_.source) {
 412     case HttpAuth::IDENT_SRC_NONE:
 413     case HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS:
 414       break;
 415     default:
 416       http_auth_cache_->Add(auth_origin_, handler_->realm(),
 417                             handler_->auth_scheme(), handler_->challenge(),
 418                             identity_.credentials, auth_path_);
 419       break;
 420   }
 421 }
 422
 423 bool HttpAuthController::HaveAuthHandler() const {
 424   return handler_.get() != NULL;
 425 }
 426
 427 bool HttpAuthController::HaveAuth() const {
 428   return handler_.get() && !identity_.invalid;
 429 }
 430
 431 void HttpAuthController::InvalidateCurrentHandler(
 432     InvalidateHandlerAction action) {
 433   DCHECK(CalledOnValidThread());
 434   DCHECK(handler_.get());
 435
 436   if (action == INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS)
 437     InvalidateRejectedAuthFromCache();
 438   if (action == INVALIDATE_HANDLER_AND_DISABLE_SCHEME)
 439     DisableAuthScheme(handler_->auth_scheme());
 440   handler_.reset();
 441   identity_ = HttpAuth::Identity();
 442 }
 443
 444 void HttpAuthController::InvalidateRejectedAuthFromCache() {
 445   DCHECK(CalledOnValidThread());
 446   DCHECK(HaveAuth());
 447
 448   // Clear the cache entry for the identity we just failed on.
 449   // Note: we require the credentials to match before invalidating
 450   // since the entry in the cache may be newer than what we used last time.
 451   http_auth_cache_->Remove(auth_origin_, handler_->realm(),
 452                            handler_->auth_scheme(), identity_.credentials);
 453 }
 454
 455 bool HttpAuthController::SelectNextAuthIdentityToTry() {
 456   DCHECK(CalledOnValidThread());
 457   DCHECK(handler_.get());
 458   DCHECK(identity_.invalid);
 459
 460   // Try to use the username:password encoded into the URL first.
 461   if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
 462       !embedded_identity_used_) {
 463     identity_.source = HttpAuth::IDENT_SRC_URL;
 464     identity_.invalid = false;
 465     // Extract the username:password from the URL.
 466     base::string16 username;
 467     base::string16 password;
 468     GetIdentityFromURL(auth_url_, &username, &password);
 469     identity_.credentials.Set(username, password);
 470     embedded_identity_used_ = true;
 471     // TODO(eroman): If the password is blank, should we also try combining
 472     // with a password from the cache?
 473     UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true);
 474     return true;
 475   }
 476
 477   // Check the auth cache for a realm entry.
 478   HttpAuthCache::Entry* entry =
 479       http_auth_cache_->Lookup(auth_origin_, handler_->realm(),
 480                                handler_->auth_scheme());
 481
 482   if (entry) {
 483     identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
 484     identity_.invalid = false;
 485     identity_.credentials = entry->credentials();
 486     return true;
 487   }
 488
 489   // Use default credentials (single sign on) if this is the first attempt
 490   // at identity.  Do not allow multiple times as it will infinite loop.
 491   // We use default credentials after checking the auth cache so that if
 492   // single sign-on doesn't work, we won't try default credentials for future
 493   // transactions.
 494   if (!default_credentials_used_ && handler_->AllowsDefaultCredentials()) {
 495     identity_.source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS;
 496     identity_.invalid = false;
 497     default_credentials_used_ = true;
 498     return true;
 499   }
 500
 501   return false;
 502 }
 503
 504 void HttpAuthController::PopulateAuthChallenge() {
 505   DCHECK(CalledOnValidThread());
 506
 507   // Populates response_.auth_challenge with the authentication challenge info.
 508   // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
 509
 510   auth_info_ = new AuthChallengeInfo;
 511   auth_info_->is_proxy = (target_ == HttpAuth::AUTH_PROXY);
 512   auth_info_->challenger = HostPortPair::FromURL(auth_origin_);
 513   auth_info_->scheme = HttpAuth::SchemeToString(handler_->auth_scheme());
 514   auth_info_->realm = handler_->realm();
 515 }
 516
 517 bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
 518   DCHECK(CalledOnValidThread());
 519
 520   switch (result) {
 521     // Occurs with GSSAPI, if the user has not already logged in.
 522     case ERR_MISSING_AUTH_CREDENTIALS:
 523
 524     // Can occur with GSSAPI or SSPI if the underlying library reports
 525     // a permanent error.
 526     case ERR_UNSUPPORTED_AUTH_SCHEME:
 527
 528     // These two error codes represent failures we aren't handling.
 529     case ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS:
 530     case ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS:
 531
 532     // Can be returned by SSPI if the authenticating authority or
 533     // target is not known.
 534     case ERR_MISCONFIGURED_AUTH_ENVIRONMENT:
 535
 536       // In these cases, disable the current scheme as it cannot
 537       // succeed.
 538       DisableAuthScheme(handler_->auth_scheme());
 539       auth_token_.clear();
 540       return true;
 541
 542     default:
 543       return false;
 544   }
 545 }
 546
 547 void HttpAuthController::OnIOComplete(int result) {
 548   DCHECK(CalledOnValidThread());
 549   if (DisableOnAuthHandlerResult(result))
 550     result = OK;
 551   if (!callback_.is_null()) {
 552     CompletionCallback c = callback_;
 553     callback_.Reset();
 554     c.Run(result);
 555   }
 556 }
 557
 558 scoped_refptr<AuthChallengeInfo> HttpAuthController::auth_info() {
 559   DCHECK(CalledOnValidThread());
 560   return auth_info_;
 561 }
 562
 563 bool HttpAuthController::IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const {
 564   DCHECK(CalledOnValidThread());
 565   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 566 }
 567
 568 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
 569   DCHECK(CalledOnValidThread());
 570   disabled_schemes_.insert(scheme);
 571 }
 572
 573 void HttpAuthController::DisableEmbeddedIdentity() {
 574   DCHECK(CalledOnValidThread());
 575   embedded_identity_used_ = true;
 576 }
 577
 578 }  // namespace net