// Copyright 2011 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/http/http_auth_controller.h" #include #include #include "base/ranges/algorithm.h" #include "base/strings/utf_string_conversions.h" #include "base/test/task_environment.h" #include "net/base/net_errors.h" #include "net/base/test_completion_callback.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_auth_cache.h" #include "net/http/http_auth_challenge_tokenizer.h" #include "net/http/http_auth_handler_mock.h" #include "net/http/http_request_info.h" #include "net/http/http_response_headers.h" #include "net/http/http_util.h" #include "net/log/net_log_event_type.h" #include "net/log/net_log_with_source.h" #include "net/log/test_net_log.h" #include "net/log/test_net_log_util.h" #include "net/ssl/ssl_info.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { namespace { enum HandlerRunMode { RUN_HANDLER_SYNC, RUN_HANDLER_ASYNC }; enum SchemeState { SCHEME_IS_DISABLED, SCHEME_IS_ENABLED }; scoped_refptr HeadersFromString(const char* string) { return base::MakeRefCounted( HttpUtil::AssembleRawHeaders(string)); } // Runs an HttpAuthController with a single round mock auth handler // that returns |handler_rv| on token generation. The handler runs in // async if |run_mode| is RUN_HANDLER_ASYNC. Upon completion, the // return value of the controller is tested against // |expected_controller_rv|. |scheme_state| indicates whether the // auth scheme used should be disabled after this run. void RunSingleRoundAuthTest( HandlerRunMode run_mode, int handler_rv, int expected_controller_rv, SchemeState scheme_state, const NetLogWithSource& net_log = NetLogWithSource()) { HttpAuthCache dummy_auth_cache( false /* key_server_entries_by_network_anonymization_key */); HttpRequestInfo request; request.method = "GET"; request.url = GURL("http://example.com"); scoped_refptr headers(HeadersFromString( "HTTP/1.1 407\r\n" "Proxy-Authenticate: MOCK foo\r\n" "\r\n")); HttpAuthHandlerMock::Factory auth_handler_factory; auto auth_handler = std::make_unique(); auth_handler->SetGenerateExpectation((run_mode == RUN_HANDLER_ASYNC), handler_rv); auth_handler_factory.AddMockHandler(std::move(auth_handler), HttpAuth::AUTH_PROXY); auth_handler_factory.set_do_init_from_challenge(true); auto host_resolver = std::make_unique(); scoped_refptr controller( base::MakeRefCounted( HttpAuth::AUTH_PROXY, GURL("http://example.com"), NetworkAnonymizationKey(), &dummy_auth_cache, &auth_handler_factory, host_resolver.get())); SSLInfo null_ssl_info; ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false, false, net_log)); ASSERT_TRUE(controller->HaveAuthHandler()); controller->ResetAuth(AuthCredentials()); EXPECT_TRUE(controller->HaveAuth()); TestCompletionCallback callback; EXPECT_EQ( (run_mode == RUN_HANDLER_ASYNC) ? ERR_IO_PENDING : expected_controller_rv, controller->MaybeGenerateAuthToken(&request, callback.callback(), net_log)); if (run_mode == RUN_HANDLER_ASYNC) EXPECT_EQ(expected_controller_rv, callback.WaitForResult()); EXPECT_EQ((scheme_state == SCHEME_IS_DISABLED), controller->IsAuthSchemeDisabled(HttpAuth::AUTH_SCHEME_MOCK)); } } // namespace // If an HttpAuthHandler returns an error code that indicates a // permanent error, the HttpAuthController should disable the scheme // used and retry the request. TEST(HttpAuthControllerTest, PermanentErrors) { base::test::TaskEnvironment task_environment; // Run a synchronous handler that returns // ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS. We expect a return value // of OK from the controller so we can retry the request. RunSingleRoundAuthTest(RUN_HANDLER_SYNC, ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS, OK, SCHEME_IS_DISABLED); // Now try an async handler that returns // ERR_MISSING_AUTH_CREDENTIALS. Async and sync handlers invoke // different code paths in HttpAuthController when generating // tokens. For this particular error the scheme state depends on // the AllowsExplicitCredentials of the handler (which equals true for // the mock handler). If it's true we expect the same behaviour as // for ERR_INVALID_AUTH_CREDENTIALS so we pass SCHEME_IS_ENABLED. RunSingleRoundAuthTest(RUN_HANDLER_ASYNC, ERR_MISSING_AUTH_CREDENTIALS, OK, SCHEME_IS_ENABLED); // If a non-permanent error is returned by the handler, then the // controller should report it unchanged. RunSingleRoundAuthTest(RUN_HANDLER_ASYNC, ERR_UNEXPECTED, ERR_UNEXPECTED, SCHEME_IS_ENABLED); // ERR_INVALID_AUTH_CREDENTIALS is special. It's a non-permanet error, but // the error isn't propagated, nor is the auth scheme disabled. This allows // the scheme to re-attempt the authentication attempt using a different set // of credentials. RunSingleRoundAuthTest(RUN_HANDLER_ASYNC, ERR_INVALID_AUTH_CREDENTIALS, OK, SCHEME_IS_ENABLED); } // Verify that the controller logs appropriate lifetime events. TEST(HttpAuthControllerTest, Logging) { base::test::TaskEnvironment task_environment; RecordingNetLogObserver net_log_observer; RunSingleRoundAuthTest(RUN_HANDLER_SYNC, OK, OK, SCHEME_IS_ENABLED, NetLogWithSource::Make(NetLogSourceType::NONE)); auto entries = net_log_observer.GetEntries(); // There should be at least two events. ASSERT_GE(entries.size(), 2u); auto begin = base::ranges::find_if(entries, [](const NetLogEntry& e) { if (e.type != NetLogEventType::AUTH_CONTROLLER || e.phase != NetLogEventPhase::BEGIN) return false; auto target = GetOptionalStringValueFromParams(e, "target"); auto url = GetOptionalStringValueFromParams(e, "url"); if (!target || !url) return false; EXPECT_EQ("proxy", *target); EXPECT_EQ("http://example.com/", *url); return true; }); EXPECT_TRUE(begin != entries.end()); EXPECT_TRUE(std::any_of(++begin, entries.end(), [](const NetLogEntry& e) { return e.type == NetLogEventType::AUTH_CONTROLLER && e.phase == NetLogEventPhase::END; })); } // If an HttpAuthHandler indicates that it doesn't allow explicit // credentials, don't prompt for credentials. TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) { // Modified mock HttpAuthHandler for this test. class MockHandler : public HttpAuthHandlerMock { public: MockHandler(int expected_rv, HttpAuth::Scheme scheme) : expected_scheme_(scheme) { SetGenerateExpectation(false, expected_rv); } protected: bool Init( HttpAuthChallengeTokenizer* challenge, const SSLInfo& ssl_info, const NetworkAnonymizationKey& network_anonymization_key) override { HttpAuthHandlerMock::Init(challenge, ssl_info, network_anonymization_key); set_allows_default_credentials(true); set_allows_explicit_credentials(false); set_connection_based(true); // Pretend to be SCHEME_BASIC so we can test failover logic. if (challenge->auth_scheme() == "basic") { auth_scheme_ = HttpAuth::AUTH_SCHEME_BASIC; --score_; // Reduce score, so we rank below Mock. set_allows_explicit_credentials(true); } EXPECT_EQ(expected_scheme_, auth_scheme_); return true; } int GenerateAuthTokenImpl(const AuthCredentials* credentials, const HttpRequestInfo* request, CompletionOnceCallback callback, std::string* auth_token) override { int result = HttpAuthHandlerMock::GenerateAuthTokenImpl( credentials, request, std::move(callback), auth_token); EXPECT_TRUE(result != OK || !AllowsExplicitCredentials() || !credentials->Empty()); return result; } private: HttpAuth::Scheme expected_scheme_; }; NetLogWithSource dummy_log; HttpAuthCache dummy_auth_cache( false /* key_server_entries_by_network_anonymization_key */); HttpRequestInfo request; request.method = "GET"; request.url = GURL("http://example.com"); HttpRequestHeaders request_headers; scoped_refptr headers(HeadersFromString( "HTTP/1.1 401\r\n" "WWW-Authenticate: Mock\r\n" "WWW-Authenticate: Basic\r\n" "\r\n")); HttpAuthHandlerMock::Factory auth_handler_factory; // Handlers for the first attempt at authentication. AUTH_SCHEME_MOCK handler // accepts the default identity and successfully constructs a token. auth_handler_factory.AddMockHandler( std::make_unique(OK, HttpAuth::AUTH_SCHEME_MOCK), HttpAuth::AUTH_SERVER); auth_handler_factory.AddMockHandler( std::make_unique(ERR_UNEXPECTED, HttpAuth::AUTH_SCHEME_BASIC), HttpAuth::AUTH_SERVER); // Handlers for the second attempt. Neither should be used to generate a // token. Instead the controller should realize that there are no viable // identities to use with the AUTH_SCHEME_MOCK handler and fail. auth_handler_factory.AddMockHandler( std::make_unique(ERR_UNEXPECTED, HttpAuth::AUTH_SCHEME_MOCK), HttpAuth::AUTH_SERVER); auth_handler_factory.AddMockHandler( std::make_unique(ERR_UNEXPECTED, HttpAuth::AUTH_SCHEME_BASIC), HttpAuth::AUTH_SERVER); // Fallback handlers for the second attempt. The AUTH_SCHEME_MOCK handler // should be discarded due to the disabled scheme, and the AUTH_SCHEME_BASIC // handler should successfully be used to generate a token. auth_handler_factory.AddMockHandler( std::make_unique(ERR_UNEXPECTED, HttpAuth::AUTH_SCHEME_MOCK), HttpAuth::AUTH_SERVER); auth_handler_factory.AddMockHandler( std::make_unique(OK, HttpAuth::AUTH_SCHEME_BASIC), HttpAuth::AUTH_SERVER); auth_handler_factory.set_do_init_from_challenge(true); auto host_resolver = std::make_unique(); scoped_refptr controller( base::MakeRefCounted( HttpAuth::AUTH_SERVER, GURL("http://example.com"), NetworkAnonymizationKey(), &dummy_auth_cache, &auth_handler_factory, host_resolver.get())); SSLInfo null_ssl_info; ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false, false, dummy_log)); ASSERT_TRUE(controller->HaveAuthHandler()); controller->ResetAuth(AuthCredentials()); EXPECT_TRUE(controller->HaveAuth()); // Should only succeed if we are using the AUTH_SCHEME_MOCK MockHandler. EXPECT_EQ(OK, controller->MaybeGenerateAuthToken( &request, CompletionOnceCallback(), dummy_log)); controller->AddAuthorizationHeader(&request_headers); // Once a token is generated, simulate the receipt of a server response // indicating that the authentication attempt was rejected. ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false, false, dummy_log)); ASSERT_TRUE(controller->HaveAuthHandler()); controller->ResetAuth(AuthCredentials(u"Hello", std::u16string())); EXPECT_TRUE(controller->HaveAuth()); EXPECT_TRUE(controller->IsAuthSchemeDisabled(HttpAuth::AUTH_SCHEME_MOCK)); EXPECT_FALSE(controller->IsAuthSchemeDisabled(HttpAuth::AUTH_SCHEME_BASIC)); // Should only succeed if we are using the AUTH_SCHEME_BASIC MockHandler. EXPECT_EQ(OK, controller->MaybeGenerateAuthToken( &request, CompletionOnceCallback(), dummy_log)); } } // namespace net