// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_HTTP_HTTP_AUTH_HANDLER_H_
#define NET_HTTP_HTTP_AUTH_HANDLER_H_
#pragma once
#include <string>
#include "base/string16.h"
#include "net/base/completion_callback.h"
#include "net/base/net_log.h"
#include "net/http/http_auth.h"
namespace net {
struct HttpRequestInfo;
// HttpAuthHandler is the interface for the authentication schemes
// (basic, digest, NTLM, Negotiate).
// HttpAuthHandler objects are typically created by an HttpAuthHandlerFactory.
class HttpAuthHandler {
public:
HttpAuthHandler();
virtual ~HttpAuthHandler();
// Initializes the handler using a challenge issued by a server.
// |challenge| must be non-NULL and have already tokenized the
// authentication scheme, but none of the tokens occuring after the
// authentication scheme. |target| and |origin| are both stored
// for later use, and are not part of the initial challenge.
bool InitFromChallenge(HttpAuth::ChallengeTokenizer* challenge,
HttpAuth::Target target,
const GURL& origin,
const BoundNetLog& net_log);
// Determines how the previous authorization attempt was received.
//
// This is called when the server/proxy responds with a 401/407 after an
// earlier authorization attempt. Although this normally means that the
// previous attempt was rejected, in multi-round schemes such as
// NTLM+Negotiate it may indicate that another round of challenge+response
// is required. For Digest authentication it may also mean that the previous
// attempt used a stale nonce (and nonce-count) and that a new attempt should
// be made with a different nonce provided in the challenge.
//
// |challenge| must be non-NULL and have already tokenized the
// authentication scheme, but none of the tokens occuring after the
// authentication scheme.
virtual HttpAuth::AuthorizationResult HandleAnotherChallenge(
HttpAuth::ChallengeTokenizer* challenge) = 0;
// Generates an authentication token, potentially asynchronously.
//
// When |username| and |password| are NULL, the default credentials for
// the currently logged in user are used. |AllowsDefaultCredentials()| MUST be
// true in this case.
//
// |request|, |callback|, and |auth_token| must be non-NULL.
//
// The return value is a net error code.
// If |OK| is returned, |*auth_token| is filled in with an authentication
// token which can be inserted in the HTTP request.
// If |ERR_IO_PENDING| is returned, |*auth_token| will be filled in
// asynchronously and |callback| will be invoked. The lifetime of
// |request|, |callback|, and |auth_token| must last until |callback| is
// invoked, but |username| and |password| are only used during the initial
// call.
// Otherwise, there was a problem generating a token synchronously, and the
// value of |*auth_token| is unspecified.
int GenerateAuthToken(const string16* username,
const string16* password,
const HttpRequestInfo* request,
CompletionCallback* callback,
std::string* auth_token);
// The authentication scheme as an enumerated value.
HttpAuth::Scheme auth_scheme() const {
return auth_scheme_;
}
// The realm value that was parsed during Init().
const std::string& realm() const {
return realm_;
}
// The challenge which was issued when creating the handler.
const std::string challenge() const {
return auth_challenge_;
}
// Numeric rank based on the challenge's security level. Higher
// numbers are better. Used by HttpAuth::ChooseBestChallenge().
int score() const {
return score_;
}
HttpAuth::Target target() const {
return target_;
}
// Returns the proxy or server which issued the authentication challenge
// that this HttpAuthHandler is handling. The URL includes scheme, host, and
// port, but does not include path.
const GURL& origin() const {
return origin_;
}
// Returns true if the authentication scheme does not send the username and
// password in the clear.
bool encrypts_identity() const {
return (properties_ & ENCRYPTS_IDENTITY) != 0;
}
// Returns true if the authentication scheme is connection-based, for
// example, NTLM. A connection-based authentication scheme does not support
// preemptive authentication, and must use the same handler object
// throughout the life of an HTTP transaction.
bool is_connection_based() const {
return (properties_ & IS_CONNECTION_BASED) != 0;
}
// Returns true if the response to the current authentication challenge
// requires an identity.
// TODO(wtc): Find a better way to handle a multi-round challenge-response
// sequence used by a connection-based authentication scheme.
virtual bool NeedsIdentity();
// Returns whether the default credentials may be used for the |origin| passed
// into |InitFromChallenge|. If true, the user does not need to be prompted
// for username and password to establish credentials.
// NOTE: SSO is a potential security risk.
// TODO(cbentzel): Add a pointer to Firefox documentation about risk.
virtual bool AllowsDefaultCredentials();
protected:
enum Property {
ENCRYPTS_IDENTITY = 1 << 0,
IS_CONNECTION_BASED = 1 << 1,
};
// Initializes the handler using a challenge issued by a server.
// |challenge| must be non-NULL and have already tokenized the
// authentication scheme, but none of the tokens occuring after the
// authentication scheme.
// Implementations are expcted to initialize the following members:
// scheme_, realm_, score_, properties_
virtual bool Init(HttpAuth::ChallengeTokenizer* challenge) = 0;
// |GenerateAuthTokenImpl()} is the auth-scheme specific implementation
// of generating the next auth token. Callers sohuld use |GenerateAuthToken()|
// which will in turn call |GenerateAuthTokenImpl()|
virtual int GenerateAuthTokenImpl(const string16* username,
const string16* password,
const HttpRequestInfo* request,
CompletionCallback* callback,
std::string* auth_token) = 0;
// The auth-scheme as an enumerated value.
HttpAuth::Scheme auth_scheme_;
// The realm. Used by "basic" and "digest".
std::string realm_;
// The auth challenge.
std::string auth_challenge_;
// The {scheme, host, port} for the authentication target. Used by "ntlm"
// and "negotiate" to construct the service principal name.
GURL origin_;
// The score for this challenge. Higher numbers are better.
int score_;
// Whether this authentication request is for a proxy server, or an
// origin server.
HttpAuth::Target target_;
// A bitmask of the properties of the authentication scheme.
int properties_;
BoundNetLog net_log_;
private:
void OnGenerateAuthTokenComplete(int rv);
void FinishGenerateAuthToken();
CompletionCallback* original_callback_;
CompletionCallbackImpl<HttpAuthHandler> wrapper_callback_;
};
} // namespace net
#endif // NET_HTTP_HTTP_AUTH_HANDLER_H_