PageRenderTime 61ms CodeModel.GetById 30ms app.highlight 25ms RepoModel.GetById 2ms app.codeStats 0ms

/extensions/auth/nsHttpNegotiateAuth.cpp

http://github.com/zpao/v8monkey
C++ | 442 lines | 251 code | 68 blank | 123 comment | 60 complexity | 5f69a96e7ccea8d7842947dcd9c68972 MD5 | raw file
  1/* vim:set ts=4 sw=4 sts=4 et cindent: */
  2/* ***** BEGIN LICENSE BLOCK *****
  3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  4 *
  5 * The contents of this file are subject to the Mozilla Public License Version
  6 * 1.1 (the "License"); you may not use this file except in compliance with
  7 * the License. You may obtain a copy of the License at
  8 * http://www.mozilla.org/MPL/
  9 *
 10 * Software distributed under the License is distributed on an "AS IS" basis,
 11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 12 * for the specific language governing rights and limitations under the
 13 * License.
 14 *
 15 * The Original Code is the Negotiateauth
 16 *
 17 * The Initial Developer of the Original Code is Daniel Kouril.
 18 * Portions created by the Initial Developer are Copyright (C) 2003
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *   Daniel Kouril <kouril@ics.muni.cz> (original author)
 23 *   Wyllys Ingersoll <wyllys.ingersoll@sun.com>
 24 *   Christopher Nebergall <cneberg@sandia.gov>
 25 *   Darin Fisher <darin@meer.net>
 26 *
 27 * Alternatively, the contents of this file may be used under the terms of
 28 * either the GNU General Public License Version 2 or later (the "GPL"), or
 29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 30 * in which case the provisions of the GPL or the LGPL are applicable instead
 31 * of those above. If you wish to allow use of your version of this file only
 32 * under the terms of either the GPL or the LGPL, and not to allow others to
 33 * use your version of this file under the terms of the MPL, indicate your
 34 * decision by deleting the provisions above and replace them with the notice
 35 * and other provisions required by the GPL or the LGPL. If you do not delete
 36 * the provisions above, a recipient may use your version of this file under
 37 * the terms of any one of the MPL, the GPL or the LGPL.
 38 *
 39 * ***** END LICENSE BLOCK ***** */
 40
 41//
 42// HTTP Negotiate Authentication Support Module
 43//
 44// Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
 45// (formerly draft-brezak-spnego-http-04.txt)
 46//
 47// Also described here:
 48// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
 49//
 50
 51#include <string.h>
 52#include <stdlib.h>
 53
 54#include "nsAuth.h"
 55#include "nsHttpNegotiateAuth.h"
 56
 57#include "nsIHttpAuthenticableChannel.h"
 58#include "nsIProxiedChannel.h"
 59#include "nsIAuthModule.h"
 60#include "nsIServiceManager.h"
 61#include "nsIPrefService.h"
 62#include "nsIPrefBranch.h"
 63#include "nsIProxyInfo.h"
 64#include "nsIURI.h"
 65#include "nsCOMPtr.h"
 66#include "nsString.h"
 67#include "nsNetCID.h"
 68#include "plbase64.h"
 69#include "plstr.h"
 70#include "prprf.h"
 71#include "prlog.h"
 72#include "prmem.h"
 73
 74//-----------------------------------------------------------------------------
 75
 76static const char kNegotiate[] = "Negotiate";
 77static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
 78static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
 79static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
 80static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
 81
 82#define kNegotiateLen  (sizeof(kNegotiate)-1)
 83
 84//-----------------------------------------------------------------------------
 85
 86NS_IMETHODIMP
 87nsHttpNegotiateAuth::GetAuthFlags(PRUint32 *flags)
 88{
 89    //
 90    // Negotiate Auth creds should not be reused across multiple requests.
 91    // Only perform the negotiation when it is explicitly requested by the
 92    // server.  Thus, do *NOT* use the "REUSABLE_CREDENTIALS" flag here.
 93    //
 94    // CONNECTION_BASED is specified instead of REQUEST_BASED since we need
 95    // to complete a sequence of transactions with the server over the same
 96    // connection.
 97    //
 98    *flags = CONNECTION_BASED | IDENTITY_IGNORED; 
 99    return NS_OK;
100}
101
102//
103// Always set *identityInvalid == FALSE here.  This 
104// will prevent the browser from popping up the authentication
105// prompt window.  Because GSSAPI does not have an API
106// for fetching initial credentials (ex: A Kerberos TGT),
107// there is no correct way to get the users credentials.
108// 
109NS_IMETHODIMP
110nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
111                                       const char *challenge,
112                                       bool isProxyAuth,
113                                       nsISupports **sessionState,
114                                       nsISupports **continuationState,
115                                       bool *identityInvalid)
116{
117    nsIAuthModule *module = (nsIAuthModule *) *continuationState;
118
119    *identityInvalid = false;
120    if (module)
121        return NS_OK;
122
123    nsresult rv;
124
125    nsCOMPtr<nsIURI> uri;
126    rv = authChannel->GetURI(getter_AddRefs(uri));
127    if (NS_FAILED(rv))
128        return rv;
129
130    PRUint32 req_flags = nsIAuthModule::REQ_DEFAULT;
131    nsCAutoString service;
132
133    if (isProxyAuth) {
134        if (!TestBoolPref(kNegotiateAuthAllowProxies)) {
135            LOG(("nsHttpNegotiateAuth::ChallengeReceived proxy auth blocked\n"));
136            return NS_ERROR_ABORT;
137        }
138
139        nsCOMPtr<nsIProxyInfo> proxyInfo;
140        authChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
141        NS_ENSURE_STATE(proxyInfo);
142
143        proxyInfo->GetHost(service);
144    }
145    else {
146        bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
147        if (!allowed) {
148            LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
149            return NS_ERROR_ABORT;
150        }
151
152        bool delegation = TestPref(uri, kNegotiateAuthDelegationURIs);
153        if (delegation) {
154            LOG(("  using REQ_DELEGATE\n"));
155            req_flags |= nsIAuthModule::REQ_DELEGATE;
156        }
157
158        rv = uri->GetAsciiHost(service);
159        if (NS_FAILED(rv))
160            return rv;
161    }
162
163    LOG(("  service = %s\n", service.get()));
164
165    //
166    // The correct service name for IIS servers is "HTTP/f.q.d.n", so
167    // construct the proper service name for passing to "gss_import_name".
168    //
169    // TODO: Possibly make this a configurable service name for use
170    // with non-standard servers that use stuff like "khttp/f.q.d.n" 
171    // instead.
172    //
173    service.Insert("HTTP@", 0);
174
175    const char *contractID;
176    if (TestBoolPref(kNegotiateAuthSSPI)) {
177	   LOG(("  using negotiate-sspi\n"));
178	   contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-sspi";
179    }
180    else {
181	   LOG(("  using negotiate-gss\n"));
182	   contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-gss";
183    }
184
185    rv = CallCreateInstance(contractID, &module);
186
187    if (NS_FAILED(rv)) {
188        LOG(("  Failed to load Negotiate Module \n"));
189        return rv;
190    }
191
192    rv = module->Init(service.get(), req_flags, nsnull, nsnull, nsnull);
193
194    if (NS_FAILED(rv)) {
195        NS_RELEASE(module);
196        return rv;
197    }
198
199    *continuationState = module;
200    return NS_OK;
201}
202
203NS_IMPL_ISUPPORTS1(nsHttpNegotiateAuth, nsIHttpAuthenticator)
204   
205//
206// GenerateCredentials
207//
208// This routine is responsible for creating the correct authentication
209// blob to pass to the server that requested "Negotiate" authentication.
210//
211NS_IMETHODIMP
212nsHttpNegotiateAuth::GenerateCredentials(nsIHttpAuthenticableChannel *authChannel,
213                                         const char *challenge,
214                                         bool isProxyAuth,
215                                         const PRUnichar *domain,
216                                         const PRUnichar *username,
217                                         const PRUnichar *password,
218                                         nsISupports **sessionState,
219                                         nsISupports **continuationState,
220                                         PRUint32 *flags,
221                                         char **creds)
222{
223    // ChallengeReceived must have been called previously.
224    nsIAuthModule *module = (nsIAuthModule *) *continuationState;
225    NS_ENSURE_TRUE(module, NS_ERROR_NOT_INITIALIZED);
226
227    *flags = USING_INTERNAL_IDENTITY;
228
229    LOG(("nsHttpNegotiateAuth::GenerateCredentials() [challenge=%s]\n", challenge));
230
231    NS_ASSERTION(creds, "null param");
232
233#ifdef DEBUG
234    bool isGssapiAuth =
235        !PL_strncasecmp(challenge, kNegotiate, kNegotiateLen);
236    NS_ASSERTION(isGssapiAuth, "Unexpected challenge");
237#endif
238
239    //
240    // If the "Negotiate:" header had some data associated with it,
241    // that data should be used as the input to this call.  This may
242    // be a continuation of an earlier call because GSSAPI authentication
243    // often takes multiple round-trips to complete depending on the
244    // context flags given.  We want to use MUTUAL_AUTHENTICATION which
245    // generally *does* require multiple round-trips.  Don't assume
246    // auth can be completed in just 1 call.
247    //
248    unsigned int len = strlen(challenge);
249
250    void *inToken, *outToken;
251    PRUint32 inTokenLen, outTokenLen;
252
253    if (len > kNegotiateLen) {
254        challenge += kNegotiateLen;
255        while (*challenge == ' ')
256            challenge++;
257        len = strlen(challenge);
258
259        // strip off any padding (see bug 230351)
260        while (challenge[len - 1] == '=')
261            len--;
262
263        inTokenLen = (len * 3)/4;
264        inToken = malloc(inTokenLen);
265        if (!inToken)
266            return (NS_ERROR_OUT_OF_MEMORY);
267
268        //
269        // Decode the response that followed the "Negotiate" token
270        //
271        if (PL_Base64Decode(challenge, len, (char *) inToken) == NULL) {
272            free(inToken);
273            return(NS_ERROR_UNEXPECTED);
274        }
275    }
276    else {
277        //
278        // Initializing, don't use an input token.
279        //
280        inToken = nsnull;
281        inTokenLen = 0;
282    }
283
284    nsresult rv = module->GetNextToken(inToken, inTokenLen, &outToken, &outTokenLen);
285
286    free(inToken);
287
288    if (NS_FAILED(rv))
289        return rv;
290
291    if (outTokenLen == 0) {
292        LOG(("  No output token to send, exiting"));
293        return NS_ERROR_FAILURE;
294    }
295
296    //
297    // base64 encode the output token.
298    //
299    char *encoded_token = PL_Base64Encode((char *)outToken, outTokenLen, nsnull);
300
301    nsMemory::Free(outToken);
302
303    if (!encoded_token)
304        return NS_ERROR_OUT_OF_MEMORY;
305
306    LOG(("  Sending a token of length %d\n", outTokenLen));
307
308    // allocate a buffer sizeof("Negotiate" + " " + b64output_token + "\0")
309    *creds = (char *) nsMemory::Alloc(kNegotiateLen + 1 + strlen(encoded_token) + 1);
310    if (NS_UNLIKELY(!*creds))
311        rv = NS_ERROR_OUT_OF_MEMORY;
312    else
313        sprintf(*creds, "%s %s", kNegotiate, encoded_token);
314
315    PR_Free(encoded_token);
316    return rv;
317}
318
319bool
320nsHttpNegotiateAuth::TestBoolPref(const char *pref)
321{
322    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
323    if (!prefs)
324        return false;
325
326    bool val;
327    nsresult rv = prefs->GetBoolPref(pref, &val);
328    if (NS_FAILED(rv))
329        return false;
330
331    return val;
332}
333
334bool
335nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
336{
337    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
338    if (!prefs)
339        return false;
340
341    nsCAutoString scheme, host;
342    PRInt32 port;
343
344    if (NS_FAILED(uri->GetScheme(scheme)))
345        return false;
346    if (NS_FAILED(uri->GetAsciiHost(host)))
347        return false;
348    if (NS_FAILED(uri->GetPort(&port)))
349        return false;
350
351    char *hostList;
352    if (NS_FAILED(prefs->GetCharPref(pref, &hostList)) || !hostList)
353        return false;
354
355    // pseudo-BNF
356    // ----------
357    //
358    // url-list       base-url ( base-url "," LWS )*
359    // base-url       ( scheme-part | host-part | scheme-part host-part )
360    // scheme-part    scheme "://"
361    // host-part      host [":" port]
362    //
363    // for example:
364    //   "https://, http://office.foo.com"
365    //
366
367    char *start = hostList, *end;
368    for (;;) {
369        // skip past any whitespace
370        while (*start == ' ' || *start == '\t')
371            ++start;
372        end = strchr(start, ',');
373        if (!end)
374            end = start + strlen(start);
375        if (start == end)
376            break;
377        if (MatchesBaseURI(scheme, host, port, start, end))
378            return true;
379        if (*end == '\0')
380            break;
381        start = end + 1;
382    }
383    
384    nsMemory::Free(hostList);
385    return false;
386}
387
388bool
389nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme,
390                                    const nsCSubstring &matchHost,
391                                    PRInt32             matchPort,
392                                    const char         *baseStart,
393                                    const char         *baseEnd)
394{
395    // check if scheme://host:port matches baseURI
396
397    // parse the base URI
398    const char *hostStart, *schemeEnd = strstr(baseStart, "://");
399    if (schemeEnd) {
400        // the given scheme must match the parsed scheme exactly
401        if (!matchScheme.Equals(Substring(baseStart, schemeEnd)))
402            return false;
403        hostStart = schemeEnd + 3;
404    }
405    else
406        hostStart = baseStart;
407
408    // XXX this does not work for IPv6-literals
409    const char *hostEnd = strchr(hostStart, ':');
410    if (hostEnd && hostEnd < baseEnd) {
411        // the given port must match the parsed port exactly
412        int port = atoi(hostEnd + 1);
413        if (matchPort != (PRInt32) port)
414            return false;
415    }
416    else
417        hostEnd = baseEnd;
418
419
420    // if we didn't parse out a host, then assume we got a match.
421    if (hostStart == hostEnd)
422        return true;
423
424    PRUint32 hostLen = hostEnd - hostStart;
425
426    // matchHost must either equal host or be a subdomain of host
427    if (matchHost.Length() < hostLen)
428        return false;
429
430    const char *end = matchHost.EndReading();
431    if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) {
432        // if matchHost ends with host from the base URI, then make sure it is
433        // either an exact match, or prefixed with a dot.  we don't want
434        // "foobar.com" to match "bar.com"
435        if (matchHost.Length() == hostLen ||
436            *(end - hostLen) == '.' ||
437            *(end - hostLen - 1) == '.')
438            return true;
439    }
440
441    return false;
442}