[net/auth] Remove DLOPEN_KERBEROS preprocessor directive.

DLOPEN_KERBEROS macro controls whether //net dlopen()s a GSSAPI library for supporting Kerberos authentication. When DLOPEN_KERBEROS is not defined, //net links statically to the GSSAPI library. The latter option is only expected to work if //net (and in turn Chromium) is being built on the host on which it is going to run. Code for the case where DLOPEN_KERBEROS is not defined is not compiled let alone tested on any known Chromium configuration. This CL removes the !DLOPEN_KERBEROS logic (i.e. code for using a statically linked GSSAPI library). However //net still needs to distinguish between platforms where an external GSSAPI library is used vs platforms where Negotiate authentication tokens are minted via other mechanisms. As of this CL, the platform variations are: * Windows : Negotiate authentication is supported via Windows' SSPI. //net has a static dependency on SECUR32. * Android : Uses an external authenticator as described in [1]. * macOS, Linux, ChromeOS, Fuschsia: Uses an external RFC 2744 compliant GSSAPI library. Kerberos/Negotiate related GN variables are: * use_kerberos : Set to 1 if Kerberos support is desired. Currently support for HTTP Negotiate authentication scheme is gated on this flag. Note that future CLs will rename this to use_negotiate_auth in order to be consistent with what the flag actually does. None of the authentication logic in //net is Kerberos specific. If set to 0, then none of the negotiate library logic is compiled. * use_external_gssapi : Set to 1 on platforms where an external GSSAPI library needs to be loaded in order to support negotiate authentication. Currently this is set to true on all Posix platforms excluding Android. In addition, it is also set to true on Fuschsia. [1]: https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android R=eroman@chromium.org Bug: 980575 Change-Id: If006fcd9d0f2579698737ddfcadbe8f901d98a0f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1685493Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Asanka Herath <asanka@chromium.org> Cr-Commit-Position: refs/heads/master@{#680045}

[net/auth] Remove DLOPEN_KERBEROS preprocessor directive.
DLOPEN_KERBEROS macro controls whether //net dlopen()s a GSSAPI library for supporting Kerberos authentication. When DLOPEN_KERBEROS is not defined, //net links statically to the GSSAPI library. The latter option is only expected to work if //net (and in turn Chromium) is being built on the host on which it is going to run. Code for the case where DLOPEN_KERBEROS is not defined is not compiled let alone tested on any known Chromium configuration. This CL removes the !DLOPEN_KERBEROS logic (i.e. code for using a statically linked GSSAPI library). However //net still needs to distinguish between platforms where an external GSSAPI library is used vs platforms where Negotiate authentication tokens are minted via other mechanisms. As of this CL, the platform variations are: * Windows : Negotiate authentication is supported via Windows' SSPI. //net has a static dependency on SECUR32. * Android : Uses an external authenticator as described in [1]. * macOS, Linux, ChromeOS, Fuschsia: Uses an external RFC 2744 compliant GSSAPI library. Kerberos/Negotiate related GN variables are: * use_kerberos : Set to 1 if Kerberos support is desired. Currently support for HTTP Negotiate authentication scheme is gated on this flag. Note that future CLs will rename this to use_negotiate_auth in order to be consistent with what the flag actually does. None of the authentication logic in //net is Kerberos specific. If set to 0, then none of the negotiate library logic is compiled. * use_external_gssapi : Set to 1 on platforms where an external GSSAPI library needs to be loaded in order to support negotiate authentication. Currently this is set to true on all Posix platforms excluding Android. In addition, it is also set to true on Fuschsia. [1]: https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android R=eroman@chromium.org Bug: 980575 Change-Id: If006fcd9d0f2579698737ddfcadbe8f901d98a0f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1685493Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Asanka Herath <asanka@chromium.org> Cr-Commit-Position: refs/heads/master@{#680045}
fbe4a670 · Asanka Herath · Commit Bot · d63d4a9f · fbe4a670 · fbe4a670
Commit fbe4a670 authored Jul 23, 2019 by Asanka Herath Committed by Commit Bot Jul 23, 2019
9 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -80,7 +80,7 @@ buildflag_header("buildflags") {
    "ENABLE_WEBSOCKETS=$enable_websockets",
    "INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST=$include_transport_security_state_preload_list",
    "USE_KERBEROS=$use_kerberos",
-    "DLOPEN_KERBEROS=$use_external_gssapi",
+    "USE_EXTERNAL_GSSAPI=$use_external_gssapi",
    "TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED=$trial_comparison_cert_verifier_supported",
    "BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED=$builtin_cert_verifier_feature_supported",
  ]

--- a/net/http/http_auth_gssapi_posix.cc
+++ b/net/http/http_auth_gssapi_posix.cc
@@ -333,11 +333,9 @@ bool GSSAPISharedLibrary::Init() {

 bool GSSAPISharedLibrary::InitImpl() {
  DCHECK(!initialized_);
-#if BUILDFLAG(DLOPEN_KERBEROS)
  gssapi_library_ = LoadSharedLibrary();
  if (gssapi_library_ == nullptr)
    return false;
-#endif  // BUILDFLAG(DLOPEN_KERBEROS)
  initialized_ = true;
  return true;
 }
@@ -390,8 +388,6 @@ base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() {
  return nullptr;
 }

-#if BUILDFLAG(DLOPEN_KERBEROS)
-
 namespace {

 template <typename T>
@@ -439,24 +435,6 @@ bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib) {
  return false;
 }

-#else  // DLOPEN_KERBEROS
-
-bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib) {
-  // When not using dlopen(), statically bind to libgssapi methods.
-  import_name_ = gss_import_name;
-  release_name_ = gss_release_name;
-  release_buffer_ = gss_release_buffer;
-  display_name_ = gss_display_name;
-  display_status_ = gss_display_status;
-  init_sec_context_ = gss_init_sec_context;
-  wrap_size_limit_ = gss_wrap_size_limit;
-  delete_sec_context_ = gss_delete_sec_context;
-  inquire_context_ = gss_inquire_context;
-  return true;
-}
-
-#endif  // DLOPEN_KERBEROS
-
 OM_uint32 GSSAPISharedLibrary::import_name(
    OM_uint32* minor_status,
    const gss_buffer_t input_name_buffer,

--- a/net/http/http_auth_gssapi_posix_unittest.cc
+++ b/net/http/http_auth_gssapi_posix_unittest.cc
@@ -94,7 +94,6 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) {
  EXPECT_TRUE(gssapi.get()->Init());
 }

-#if BUILDFLAG(DLOPEN_KERBEROS)
 TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMissing) {
  std::unique_ptr<GSSAPILibrary> gssapi(
      new GSSAPISharedLibrary("/this/library/does/not/exist"));
@@ -131,7 +130,6 @@ TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMethodsMissing) {
  // TODO(asanka): Once GSSAPI library loading starts emitting NetLogs verify
  // that the missing method is correctly identified.
 }
-#endif  // DLOPEN_KERBEROS

 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) {
  std::unique_ptr<test::MockGSSAPILibrary> mock_library(

--- a/net/http/http_auth_handler_factory.cc
+++ b/net/http/http_auth_handler_factory.cc
@@ -103,8 +103,7 @@ HttpAuthHandlerFactory* HttpAuthHandlerRegistryFactory::GetSchemeFactory(
 std::unique_ptr<HttpAuthHandlerRegistryFactory>
 HttpAuthHandlerFactory::CreateDefault(
    const HttpAuthPreferences* prefs
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
    ,
    const std::string& gssapi_library_name
 #endif
@@ -116,7 +115,7 @@ HttpAuthHandlerFactory::CreateDefault(
  std::vector<std::string> auth_types(std::begin(kDefaultAuthSchemes),
                                      std::end(kDefaultAuthSchemes));
  return HttpAuthHandlerRegistryFactory::Create(prefs, auth_types
-#if defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
                                                ,
                                                gssapi_library_name
 #endif
@@ -132,8 +131,7 @@ std::unique_ptr<HttpAuthHandlerRegistryFactory>
 HttpAuthHandlerRegistryFactory::Create(
    const HttpAuthPreferences* prefs,
    const std::vector<std::string>& auth_schemes
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
    ,
    const std::string& gssapi_library_name
 #endif
@@ -172,11 +170,9 @@ HttpAuthHandlerRegistryFactory::Create(
        new HttpAuthHandlerNegotiate::Factory(negotiate_auth_system_factory);
 #if defined(OS_WIN)
    negotiate_factory->set_library(std::make_unique<SSPILibraryDefault>());
-#elif defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+#elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
    negotiate_factory->set_library(
        std::make_unique<GSSAPISharedLibrary>(gssapi_library_name));
-#elif defined(OS_CHROMEOS)
-    negotiate_factory->set_library(std::make_unique<GSSAPISharedLibrary>(""));
 #endif
    registry_factory->RegisterSchemeFactory(kNegotiateAuthScheme,
                                            negotiate_factory);

--- a/net/http/http_auth_handler_factory.h
+++ b/net/http/http_auth_handler_factory.h
@@ -141,8 +141,7 @@ class NET_EXPORT HttpAuthHandlerFactory {
  // used by the Negotiate authentication handler.
  static std::unique_ptr<HttpAuthHandlerRegistryFactory> CreateDefault(
      const HttpAuthPreferences* prefs = nullptr
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
      ,
      const std::string& gssapi_library_name = ""
 #endif
@@ -204,8 +203,7 @@ class NET_EXPORT HttpAuthHandlerRegistryFactory
  static std::unique_ptr<HttpAuthHandlerRegistryFactory> Create(
      const HttpAuthPreferences* prefs,
      const std::vector<std::string>& auth_schemes
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
      ,
      const std::string& gssapi_library_name = ""
 #endif

--- a/net/http/http_auth_handler_negotiate_unittest.cc
+++ b/net/http/http_auth_handler_negotiate_unittest.cc
@@ -26,11 +26,15 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"

+#if !BUILDFLAG(USE_KERBEROS)
+#error "use_kerberos should be true to use Negotiate authentication scheme."
+#endif
+
 #if defined(OS_ANDROID)
 #include "net/android/dummy_spnego_authenticator.h"
 #elif defined(OS_WIN)
 #include "net/http/mock_sspi_library_win.h"
-#elif defined(OS_POSIX)
+#elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
 #include "net/http/mock_gssapi_library_posix.h"
 #endif

@@ -42,11 +46,13 @@ namespace net {
 constexpr char kFakeToken[] = "FakeToken";

 #if defined(OS_ANDROID)
-typedef net::android::DummySpnegoAuthenticator MockAuthLibrary;
+using MockAuthLibrary = net::android::DummySpnegoAuthenticator;
 #elif defined(OS_WIN)
-typedef MockSSPILibrary MockAuthLibrary;
-#elif defined(OS_POSIX)
-typedef test::MockGSSAPILibrary MockAuthLibrary;
+using MockAuthLibrary = MockSSPILibrary;
+#elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
+using MockAuthLibrary = test::MockGSSAPILibrary;
+#else
+#error "use_kerberos is true, but no Kerberos implementation available."
 #endif

 class HttpAuthHandlerNegotiateTest : public PlatformTest,
@@ -66,10 +72,9 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
    http_auth_preferences_->set_auth_android_negotiate_account_type(
        "org.chromium.test.DummySpnegoAuthenticator");
    MockAuthLibrary::EnsureTestAccountExists();
-#endif
-#if defined(OS_WIN) || (defined(OS_POSIX) && !defined(OS_ANDROID))
+#else
    factory_->set_library(base::WrapUnique(auth_library_));
-#endif
+#endif  // !OS_ANDROID
  }

 #if defined(OS_ANDROID)
@@ -83,7 +88,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
    security_package_->cbMaxToken = 1337;
    mock_library->ExpectQuerySecurityPackageInfo(
        L"Negotiate", SEC_E_OK, security_package_.get());
-#elif defined(OS_POSIX)
+#else
    // Copied from an actual transaction!
    static const char kAuthResponse[] =
        "\x60\x82\x02\xCA\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01"
@@ -172,7 +177,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
                                          queries[i].expected_input_token,
                                          queries[i].output_token);
    }
-#endif  // defined(OS_POSIX)
+#endif  // !OS_WIN
  }

 #if defined(OS_POSIX)
@@ -203,7 +208,6 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
                                        query.expected_input_token,
                                        query.output_token);
  }
-
 #endif  // defined(OS_POSIX)

  int CreateHandler(bool disable_cname_lookup,
@@ -268,7 +272,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCname) {
                    nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
  EXPECT_EQ("HTTP/alias", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
  EXPECT_EQ("HTTP@alias", auth_handler->spn_for_testing());
 #endif
 }
@@ -286,7 +290,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameStandardPort) {
                    nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
  EXPECT_EQ("HTTP/alias", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
  EXPECT_EQ("HTTP@alias", auth_handler->spn_for_testing());
 #endif
 }
@@ -304,7 +308,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameNonstandardPort) {
                    nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
  EXPECT_EQ("HTTP/alias:500", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
  EXPECT_EQ("HTTP@alias:500", auth_handler->spn_for_testing());
 #endif
 }
@@ -322,7 +326,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameSync) {
                    nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
  EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
  EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 }
@@ -342,7 +346,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameAsync) {
  EXPECT_THAT(callback.WaitForResult(), IsOk());
 #if defined(OS_WIN)
  EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
  EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 }
@@ -383,7 +387,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, NoKerberosCredentials) {
  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_MISSING_AUTH_CREDENTIALS));
 }

-#if BUILDFLAG(DLOPEN_KERBEROS)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
 TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
  MockAllowHttpAuthPreferences http_auth_preferences;
  std::unique_ptr<HttpAuthHandlerNegotiate::Factory> negotiate_factory(
@@ -401,7 +405,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
  EXPECT_THAT(rv, IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
  EXPECT_TRUE(generic_handler.get() == nullptr);
 }
-#endif  // BUILDFLAG(DLOPEN_KERBEROS)
+#endif  // BUILDFLAG(USE_EXTERNAL_GSSAPI)

 // AllowGssapiLibraryLoad() is only supported on Chrome OS.
 #if defined(OS_CHROMEOS)

--- a/services/network/network_service.cc
+++ b/services/network/network_service.cc
@@ -491,8 +491,7 @@ void NetworkService::SetUpHttpAuth(

  http_auth_handler_factory_ = net::HttpAuthHandlerRegistryFactory::Create(
      &http_auth_preferences_, http_auth_static_params->supported_schemes
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
      ,
      http_auth_static_params->gssapi_library_name
 #endif

--- a/services/network/network_service_unittest.cc
+++ b/services/network/network_service_unittest.cc
@@ -230,9 +230,7 @@ TEST_F(NetworkServiceTest, AuthSchemesNone) {
  EXPECT_FALSE(auth_handler_factory->GetSchemeFactory(net::kNtlmAuthScheme));
 }

-// |gssapi_library_name| is only supported on certain POSIX platforms.
-#if BUILDFLAG(USE_KERBEROS) && defined(OS_POSIX) && !defined(OS_ANDROID) && \
-    !defined(OS_CHROMEOS)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
 TEST_F(NetworkServiceTest, AuthGssapiLibraryName) {
  const std::string kGssapiLibraryName = "Jim";
  mojom::HttpAuthStaticParamsPtr auth_params =
@@ -249,7 +247,7 @@ TEST_F(NetworkServiceTest, AuthGssapiLibraryName) {
  EXPECT_EQ(kGssapiLibraryName,
            GetNegotiateFactory(&network_context)->GetLibraryNameForTesting());
 }
-#endif
+#endif  // BUILDFLAG(USE_EXTERNAL_GSSAPI)

 TEST_F(NetworkServiceTest, AuthServerWhitelist) {
  // Add one server to the whitelist before creating any NetworkContexts.

--- a/services/network/public/mojom/network_service.mojom
+++ b/services/network/public/mojom/network_service.mojom
@@ -180,8 +180,10 @@ struct HttpAuthStaticParams {
  // behavior of NetworkService when no HttpAuthStaticParams is specified.
  array<string> supported_schemes;

-  // File name the GSSAPI library to load. Only supported on
-  // (OS_POSIX && !OS_ANDROID && !OS_CHROMEOS && OS_IOS) platforms.
+  // File name the GSSAPI library to load. Only supported on platforms where an
+  // external GSSAPI library is necessary for Kerberos/SPNEGO support. See the
+  // |use_external_gssapi| variable definition in //net/BUILD.gn for details on
+  // platforms where this setting is applicable.
  string gssapi_library_name;
 };