// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_HTTP_HTTP_AUTH_CONTROLLER_H_ #define NET_HTTP_HTTP_AUTH_CONTROLLER_H_ #include <set> #include <string> #include "base/basictypes.h" #include "base/memory/ref_counted.h" #include "base/memory/scoped_ptr.h" #include "base/threading/non_thread_safe.h" #include "net/base/completion_callback.h" #include "net/base/net_export.h" #include "net/base/net_log.h" #include "net/http/http_auth.h" #include "url/gurl.h" namespace net { class AuthChallengeInfo; class AuthCredentials; class HttpAuthHandler; class HttpAuthHandlerFactory; class HttpAuthCache; class HttpRequestHeaders; struct HttpRequestInfo; class NET_EXPORT_PRIVATE HttpAuthController : public base::RefCounted<HttpAuthController>, NON_EXPORTED_BASE(public base::NonThreadSafe) { public: // The arguments are self explanatory except possibly for |auth_url|, which // should be both the auth target and auth path in a single url argument. HttpAuthController(HttpAuth::Target target, const GURL& auth_url, HttpAuthCache* http_auth_cache, HttpAuthHandlerFactory* http_auth_handler_factory); // Generate an authentication token for |target| if necessary. The return // value is a net error code. |OK| will be returned both in the case that // a token is correctly generated synchronously, as well as when no tokens // were necessary. virtual int MaybeGenerateAuthToken(const HttpRequestInfo* request, const CompletionCallback& callback, const BoundNetLog& net_log); // Adds either the proxy auth header, or the origin server auth header, // as specified by |target_|. virtual void AddAuthorizationHeader( HttpRequestHeaders* authorization_headers); // Checks for and handles HTTP status code 401 or 407. // |HandleAuthChallenge()| returns OK on success, or a network error code // otherwise. It may also populate |auth_info_|. virtual int HandleAuthChallenge(scoped_refptr<HttpResponseHeaders> headers, bool do_not_send_server_auth, bool establishing_tunnel, const BoundNetLog& net_log); // Store the supplied credentials and prepare to restart the auth. virtual void ResetAuth(const AuthCredentials& credentials); virtual bool HaveAuthHandler() const; virtual bool HaveAuth() const; virtual scoped_refptr<AuthChallengeInfo> auth_info(); virtual bool IsAuthSchemeDisabled(HttpAuth::Scheme scheme) const; virtual void DisableAuthScheme(HttpAuth::Scheme scheme); virtual void DisableEmbeddedIdentity(); private: // Actions for InvalidateCurrentHandler() enum InvalidateHandlerAction { INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS, INVALIDATE_HANDLER_AND_DISABLE_SCHEME, INVALIDATE_HANDLER }; // So that we can mock this object. friend class base::RefCounted<HttpAuthController>; virtual ~HttpAuthController(); // Searches the auth cache for an entry that encompasses the request's path. // If such an entry is found, updates |identity_| and |handler_| with the // cache entry's data and returns true. bool SelectPreemptiveAuth(const BoundNetLog& net_log); // Invalidates the current handler. If |action| is // INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS, then also invalidate // the cached credentials used by the handler. void InvalidateCurrentHandler(InvalidateHandlerAction action); // Invalidates any auth cache entries after authentication has failed. // The identity that was rejected is |identity_|. void InvalidateRejectedAuthFromCache(); // Sets |identity_| to the next identity that the transaction should try. It // chooses candidates by searching the auth cache and the URL for a // username:password. Returns true if an identity was found. bool SelectNextAuthIdentityToTry(); // Populates auth_info_ with the challenge information, so that // URLRequestHttpJob can prompt for credentials. void PopulateAuthChallenge(); // If |result| indicates a permanent failure, disables the current // auth scheme for this controller and returns true. Returns false // otherwise. bool DisableOnAuthHandlerResult(int result); void OnIOComplete(int result); // Indicates if this handler is for Proxy auth or Server auth. HttpAuth::Target target_; // Holds the {scheme, host, path, port} for the authentication target. const GURL auth_url_; // Holds the {scheme, host, port} for the authentication target. const GURL auth_origin_; // The absolute path of the resource needing authentication. // For proxy authentication the path is empty. const std::string auth_path_; // |handler_| encapsulates the logic for the particular auth-scheme. // This includes the challenge's parameters. If NULL, then there is no // associated auth handler. scoped_ptr<HttpAuthHandler> handler_; // |identity_| holds the credentials that should be used by // the handler_ to generate challenge responses. This identity can come from // a number of places (url, cache, prompt). HttpAuth::Identity identity_; // |auth_token_| contains the opaque string to pass to the proxy or // server to authenticate the client. std::string auth_token_; // Contains information about the auth challenge. scoped_refptr<AuthChallengeInfo> auth_info_; // True if we've used the username:password embedded in the URL. This // makes sure we use the embedded identity only once for the transaction, // preventing an infinite auth restart loop. bool embedded_identity_used_; // True if default credentials have already been tried for this transaction // in response to an HTTP authentication challenge. bool default_credentials_used_; // These two are owned by the HttpNetworkSession/IOThread, which own the // objects which reference |this|. Therefore, these raw pointers are valid // for the lifetime of this object. HttpAuthCache* const http_auth_cache_; HttpAuthHandlerFactory* const http_auth_handler_factory_; std::set<HttpAuth::Scheme> disabled_schemes_; CompletionCallback callback_; }; } // namespace net #endif // NET_HTTP_HTTP_AUTH_CONTROLLER_H_