1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_HTTP_HTTP_AUTH_H_
6 #define NET_HTTP_HTTP_AUTH_H_
11 #include "base/memory/scoped_ptr.h"
12 #include "net/base/auth.h"
13 #include "net/base/net_export.h"
14 #include "net/http/http_util.h"
16 template <class T
> class scoped_refptr
;
21 class HttpAuthHandler
;
22 class HttpAuthHandlerFactory
;
23 class HttpResponseHeaders
;
25 // Utility class for http authentication.
26 class NET_EXPORT_PRIVATE HttpAuth
{
28 // Http authentication can be done the the proxy server, origin server,
29 // or both. This enum tracks who the target is.
32 // We depend on the valid targets (!= AUTH_NONE) being usable as indexes
33 // in an array, so start from 0.
39 // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about
40 // the previous authorization attempt.
41 enum AuthorizationResult
{
42 AUTHORIZATION_RESULT_ACCEPT
, // The authorization attempt was accepted,
43 // although there still may be additional
44 // rounds of challenges.
46 AUTHORIZATION_RESULT_REJECT
, // The authorization attempt was rejected.
48 AUTHORIZATION_RESULT_STALE
, // (Digest) The nonce used in the
49 // authorization attempt is stale, but
50 // otherwise the attempt was valid.
52 AUTHORIZATION_RESULT_INVALID
, // The authentication challenge headers are
53 // poorly formed (the authorization attempt
54 // itself may have been fine).
56 AUTHORIZATION_RESULT_DIFFERENT_REALM
, // The authorization
57 // attempt was rejected,
58 // but the realm associated
59 // with the new challenge
60 // is different from the
64 // Describes where the identity used for authentication came from.
66 // Came from nowhere -- the identity is not initialized.
69 // The identity came from the auth cache, by doing a path-based
70 // lookup (premptive authorization).
71 IDENT_SRC_PATH_LOOKUP
,
73 // The identity was extracted from a URL of the form:
74 // http://<username>:<password>@host:port
77 // The identity was retrieved from the auth cache, by doing a
79 IDENT_SRC_REALM_LOOKUP
,
81 // The identity was provided by RestartWithAuth -- it likely
82 // came from a prompt (or maybe the password manager).
85 // The identity used the default credentials for the computer,
86 // on schemes that support single sign-on.
87 IDENT_SRC_DEFAULT_CREDENTIALS
,
91 AUTH_SCHEME_BASIC
= 0,
94 AUTH_SCHEME_NEGOTIATE
,
95 AUTH_SCHEME_SPDYPROXY
,
100 // Helper structure used by HttpNetworkTransaction to track
101 // the current identity being used for authorization.
105 IdentitySource source
;
107 AuthCredentials credentials
;
110 // Get the name of the header containing the auth challenge
111 // (either WWW-Authenticate or Proxy-Authenticate).
112 static std::string
GetChallengeHeaderName(Target target
);
114 // Get the name of the header where the credentials go
115 // (either Authorization or Proxy-Authorization).
116 static std::string
GetAuthorizationHeaderName(Target target
);
118 // Returns a string representation of a Target value that can be used in log
120 static std::string
GetAuthTargetString(Target target
);
122 // Returns a string representation of an authentication Scheme.
123 static const char* SchemeToString(Scheme scheme
);
125 // Iterate through the challenge headers, and pick the best one that
126 // we support. Obtains the implementation class for handling the challenge,
127 // and passes it back in |*handler|. If no supported challenge was found,
128 // |*handler| is set to NULL.
130 // |disabled_schemes| is the set of schemes that we should not use.
132 // |origin| is used by the NTLM and Negotiation authentication scheme to
133 // construct the service principal name. It is ignored by other schemes.
134 static void ChooseBestChallenge(
135 HttpAuthHandlerFactory
* http_auth_handler_factory
,
136 const HttpResponseHeaders
* headers
,
139 const std::set
<Scheme
>& disabled_schemes
,
140 const BoundNetLog
& net_log
,
141 scoped_ptr
<HttpAuthHandler
>* handler
);
143 // Handle a 401/407 response from a server/proxy after a previous
144 // authentication attempt. For connection-based authentication schemes, the
145 // new response may be another round in a multi-round authentication sequence.
146 // For request-based schemes, a 401/407 response is typically treated like a
147 // rejection of the previous challenge, except in the Digest case when a
148 // "stale" attribute is present.
150 // |handler| must be non-NULL, and is the HttpAuthHandler from the previous
151 // authentication round.
153 // |headers| must be non-NULL and contain the new HTTP response.
155 // |target| specifies whether the authentication challenge response came
156 // from a server or a proxy.
158 // |disabled_schemes| are the authentication schemes to ignore.
160 // |challenge_used| is the text of the authentication challenge used in
161 // support of the returned AuthorizationResult. If no headers were used for
162 // the result (for example, all headers have unknown authentication schemes),
163 // the value is cleared.
164 static AuthorizationResult
HandleChallengeResponse(
165 HttpAuthHandler
* handler
,
166 const HttpResponseHeaders
* headers
,
168 const std::set
<Scheme
>& disabled_schemes
,
169 std::string
* challenge_used
);
171 // Breaks up a challenge string into the the auth scheme and parameter list,
172 // according to RFC 2617 Sec 1.2:
173 // challenge = auth-scheme 1*SP 1#auth-param
175 // Depending on the challenge scheme, it may be appropriate to interpret the
176 // parameters as either a base-64 encoded string or a comma-delimited list
177 // of name-value pairs. param_pairs() and base64_param() methods are provided
178 // to support either usage.
179 class NET_EXPORT_PRIVATE ChallengeTokenizer
{
181 ChallengeTokenizer(std::string::const_iterator begin
,
182 std::string::const_iterator end
);
184 // Get the original text.
185 std::string
challenge_text() const {
186 return std::string(begin_
, end_
);
189 // Get the auth scheme of the challenge.
190 std::string::const_iterator
scheme_begin() const { return scheme_begin_
; }
191 std::string::const_iterator
scheme_end() const { return scheme_end_
; }
192 std::string
scheme() const {
193 return std::string(scheme_begin_
, scheme_end_
);
196 HttpUtil::NameValuePairsIterator
param_pairs() const;
197 std::string
base64_param() const;
200 void Init(std::string::const_iterator begin
,
201 std::string::const_iterator end
);
203 std::string::const_iterator begin_
;
204 std::string::const_iterator end_
;
206 std::string::const_iterator scheme_begin_
;
207 std::string::const_iterator scheme_end_
;
209 std::string::const_iterator params_begin_
;
210 std::string::const_iterator params_end_
;
216 #endif // NET_HTTP_HTTP_AUTH_H_