--auth-schemes specifies which authentication schemes are supported on the command line.

--auth-schemes should be a command separated list containing one or more of the following schemes: basic, digest, ntlm, or negotiate. This will primarily be used to help triage user-reported bugs. BUG=None TEST=specify --auth-schemes and ensure that only the specified schemes are supported. Also, when unspecified all schemes should be supported. Review URL: http://codereview.chromium.org/3199002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57073 0039d316-1c4b-4281-b951-d872f2087c98

--auth-schemes specifies which authentication schemes are supported on the command line.
--auth-schemes should be a command separated list containing one or more of the following schemes: basic, digest, ntlm, or negotiate. This will primarily be used to help triage user-reported bugs. BUG=None TEST=specify --auth-schemes and ensure that only the specified schemes are supported. Also, when unspecified all schemes should be supported. Review URL: http://codereview.chromium.org/3199002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57073 0039d316-1c4b-4281-b951-d872f2087c98
b7304169 · cbentzel@chromium.org · 7ebccf35 · b7304169 · b7304169 · b7304169
Commit b7304169 authored Aug 23, 2010 by cbentzel@chromium.org
5 changed files
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -24,7 +24,6 @@
 #include "net/base/net_util.h"
 #include "net/http/http_auth_filter.h"
 #include "net/http/http_auth_handler_factory.h"
-#include "net/http/http_auth_handler_negotiate.h"

 namespace {

@@ -245,63 +244,35 @@ void IOThread::CleanUpAfterMessageLoopDestruction() {

 net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory(
    net::HostResolver* resolver) {
-  net::HttpAuthFilterWhitelist* auth_filter = NULL;
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();

  // Get the whitelist information from the command line, create an
  // HttpAuthFilterWhitelist, and attach it to the HttpAuthHandlerFactory.
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-
+  net::HttpAuthFilterWhitelist* auth_filter = NULL;
  if (command_line.HasSwitch(switches::kAuthServerWhitelist)) {
    std::string auth_server_whitelist =
        command_line.GetSwitchValueASCII(switches::kAuthServerWhitelist);
-
    // Create a whitelist filter.
    auth_filter = new net::HttpAuthFilterWhitelist();
    auth_filter->SetWhitelist(auth_server_whitelist);
  }
-
-  // Set the flag that enables or disables the Negotiate auth handler.
-  static const bool kNegotiateAuthEnabledDefault = true;
-
-  bool negotiate_auth_enabled = kNegotiateAuthEnabledDefault;
-  if (command_line.HasSwitch(switches::kExperimentalEnableNegotiateAuth)) {
-    std::string enable_negotiate_auth = command_line.GetSwitchValueASCII(
-        switches::kExperimentalEnableNegotiateAuth);
-    // Enabled if no value, or value is 'true'.  Disabled otherwise.
-    negotiate_auth_enabled =
-        enable_negotiate_auth.empty() ||
-        (StringToLowerASCII(enable_negotiate_auth) == "true");
-  }
-
-  net::HttpAuthHandlerRegistryFactory* registry_factory =
-      net::HttpAuthHandlerFactory::CreateDefault();
-
  globals_->url_security_manager.reset(
      net::URLSecurityManager::Create(auth_filter));

-  // Add the security manager to the auth factories that need it.
-  registry_factory->SetURLSecurityManager("ntlm",
-                                          globals_->url_security_manager.get());
-  registry_factory->SetURLSecurityManager("negotiate",
-                                          globals_->url_security_manager.get());
-  if (negotiate_auth_enabled) {
-    // Configure the Negotiate settings for the Kerberos SPN.
-    // TODO(cbentzel): Read the related IE registry settings on Windows builds.
-    // TODO(cbentzel): Ugly use of static_cast here.
-    net::HttpAuthHandlerNegotiate::Factory* negotiate_factory =
-        static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
-            registry_factory->GetSchemeFactory("negotiate"));
-    DCHECK(negotiate_factory);
-    negotiate_factory->set_host_resolver(resolver);
-    if (command_line.HasSwitch(switches::kDisableAuthNegotiateCnameLookup))
-      negotiate_factory->set_disable_cname_lookup(true);
-    if (command_line.HasSwitch(switches::kEnableAuthNegotiatePort))
-      negotiate_factory->set_use_port(true);
-  } else {
-    // Disable the Negotiate authentication handler.
-    registry_factory->RegisterSchemeFactory("negotiate", NULL);
-  }
-  return registry_factory;
+  // Determine which schemes are supported.
+  std::string csv_auth_schemes = "basic,digest,ntlm,negotiate";
+  if (command_line.HasSwitch(switches::kAuthSchemes))
+    csv_auth_schemes = StringToLowerASCII(
+        command_line.GetSwitchValueASCII(switches::kAuthSchemes));
+  std::vector<std::string> supported_schemes;
+  SplitString(csv_auth_schemes, ',', &supported_schemes);
+
+  return net::HttpAuthHandlerRegistryFactory::Create(
+      supported_schemes,
+      globals_->url_security_manager.get(),
+      resolver,
+      command_line.HasSwitch(switches::kDisableAuthNegotiateCnameLookup),
+      command_line.HasSwitch(switches::kEnableAuthNegotiatePort));
 }

 void IOThread::InitNetworkPredictorOnIOThread(

--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -63,7 +63,13 @@ const char kAppsNoThrob[]                   = "apps-no-throb";
 // Whether to display the "Debug" link for app launch behavior.
 const char kAppsDebug[]      = "apps-debug";

-// Authentication white list for servers
+// HTTP authentication schemes to enable. This is a comma separated list
+// of authentication schemes (basic, digest, ntlm, and negotiate). By default
+// all schemes are enabled. The primary use of this command line flag is to help
+// triage autentication-related issues reported by end-users.
+const char kAuthSchemes[]                   = "auth-schemes";
+
+// Authentication white list for servers.
 const char kAuthServerWhitelist[]           = "auth-server-whitelist";

 // The value of this switch tells the app to listen for and broadcast
@@ -504,10 +510,6 @@ const char kEnableWin7Location[]            = "enable-win7-location";
 // Disable WebKit's XSSAuditor.  The XSSAuditor mitigates reflective XSS.
 const char kEnableXSSAuditor[]              = "enable-xss-auditor";

-// Enables the experimental Negotiate authentication protocol.
-const char kExperimentalEnableNegotiateAuth[] =
-    "experimental-enable-negotiate-auth";
-
 // Enables experimental features for Spellchecker. Right now, the first
 // experimental feature is auto spell correct, which corrects words which are
 // misppelled by typing the word with two consecutive letters swapped. The

--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -33,6 +33,7 @@ extern const char kAppsDebug[];
 extern const char kAppsPanel[];
 extern const char kAppsGalleryURL[];
 extern const char kAppsNoThrob[];
+extern const char kAuthSchemes[];
 extern const char kAuthServerWhitelist[];
 extern const char kAutomationClientChannelID[];
 extern const char kBlockNonSandboxedPlugins[];
@@ -159,7 +160,6 @@ extern const char kEnableWatchdog[];
 extern const char kEnableWin7Location[];
 extern const char kEnableXSSAuditor[];
 // Experimental features.
-extern const char kExperimentalEnableNegotiateAuth[];
 extern const char kExperimentalSpellcheckerFeatures[];
 // End experimental features.
 extern const char kExplicitlyAllowedPorts[];

--- a/net/http/http_auth_handler_factory.cc
+++ b/net/http/http_auth_handler_factory.cc
@@ -53,6 +53,52 @@ HttpAuthHandlerRegistryFactory* HttpAuthHandlerFactory::CreateDefault() {
  return registry_factory;
 }

+namespace {
+
+bool IsSupportedScheme(const std::vector<std::string>& supported_schemes,
+                       const std::string& scheme) {
+  std::vector<std::string>::const_iterator it = std::find(
+      supported_schemes.begin(), supported_schemes.end(), scheme);
+  return it != supported_schemes.end();
+}
+
+}
+
+// static
+HttpAuthHandlerRegistryFactory* HttpAuthHandlerRegistryFactory::Create(
+    const std::vector<std::string>& supported_schemes,
+    URLSecurityManager* security_manager,
+    HostResolver* host_resolver,
+    bool negotiate_disable_cname_lookup,
+    bool negotiate_enable_port) {
+  HttpAuthHandlerRegistryFactory* registry_factory =
+      new HttpAuthHandlerRegistryFactory();
+  if (IsSupportedScheme(supported_schemes, "basic"))
+    registry_factory->RegisterSchemeFactory(
+        "basic", new HttpAuthHandlerBasic::Factory());
+  if (IsSupportedScheme(supported_schemes, "digest"))
+    registry_factory->RegisterSchemeFactory(
+        "digest", new HttpAuthHandlerDigest::Factory());
+  if (IsSupportedScheme(supported_schemes, "ntlm")) {
+    HttpAuthHandlerNTLM::Factory* ntlm_factory =
+        new HttpAuthHandlerNTLM::Factory();
+    ntlm_factory->set_url_security_manager(security_manager);
+    registry_factory->RegisterSchemeFactory("ntlm", ntlm_factory);
+  }
+  if (IsSupportedScheme(supported_schemes, "negotiate")) {
+    HttpAuthHandlerNegotiate::Factory* negotiate_factory =
+        new HttpAuthHandlerNegotiate::Factory();
+    negotiate_factory->set_url_security_manager(security_manager);
+    DCHECK(host_resolver != NULL || negotiate_disable_cname_lookup);
+    negotiate_factory->set_host_resolver(host_resolver);
+    negotiate_factory->set_disable_cname_lookup(negotiate_disable_cname_lookup);
+    negotiate_factory->set_use_port(negotiate_enable_port);
+    registry_factory->RegisterSchemeFactory("negotiate", negotiate_factory);
+  }
+
+  return registry_factory;
+}
+
 HttpAuthHandlerRegistryFactory::HttpAuthHandlerRegistryFactory() {
 }


--- a/net/http/http_auth_handler_factory.h
+++ b/net/http/http_auth_handler_factory.h
@@ -8,6 +8,7 @@

 #include <map>
 #include <string>
+#include <vector>

 #include "base/scoped_ptr.h"
 #include "net/http/http_auth.h"
@@ -18,6 +19,7 @@ class GURL;
 namespace net {

 class BoundNetLog;
+class HostResolver;
 class HttpAuthHandler;
 class HttpAuthHandlerRegistryFactory;

@@ -152,6 +154,29 @@ class HttpAuthHandlerRegistryFactory : public HttpAuthHandlerFactory {
                                const BoundNetLog& net_log,
                                scoped_ptr<HttpAuthHandler>* handler);

+  // Creates an HttpAuthHandlerRegistryFactory.
+  //
+  // |supported_schemes| is a list of authentication schemes. Valid values
+  // include "basic", "digest", "ntlm", and "negotiate", where case matters.
+  //
+  // |security_manager| is used by the NTLM and Negotiate authenticators
+  // to determine which servers Integrated Authentication can be used with. If
+  // NULL, Integrated Authentication will not be used with any server.
+  //
+  // |host_resolver| is used by the Negotiate authentication handler to perform
+  // CNAME lookups to generate a Kerberos SPN for the server. If the "negotiate"
+  // scheme is used and |negotiate_disable_cname_lookup| is false,
+  // |host_resolver| must not be NULL.
+  //
+  // |negotiate_disable_cname_lookup| and |negotiate_enable_port| both control
+  // how Negotiate does SPN generation, by default these should be false.
+  static HttpAuthHandlerRegistryFactory* Create(
+      const std::vector<std::string>& supported_schemes,
+      URLSecurityManager* security_manager,
+      HostResolver* host_resolver,
+      bool negotiate_disable_cname_lookup,
+      bool negotiate_enable_port);
+
 private:
  typedef std::map<std::string, HttpAuthHandlerFactory*> FactoryMap;