From 3db2daf790b68c02c2a257375b19dff50acc7b15 Mon Sep 17 00:00:00 2001 From: deepak1556 Date: Sat, 21 May 2016 23:38:50 +0530 Subject: [PATCH 1/9] browser: flags to control iwa enabled server whitelist --- atom/browser/api/atom_api_app.cc | 8 -------- atom/browser/api/atom_api_app.h | 1 - atom/browser/atom_browser_context.cc | 13 +------------ atom/browser/atom_browser_context.h | 5 ----- docs/api/chrome-command-line-switches.md | 18 ++++++++++++++++++ 5 files changed, 19 insertions(+), 26 deletions(-) diff --git a/atom/browser/api/atom_api_app.cc b/atom/browser/api/atom_api_app.cc index d74dd671e903..53107738acec 100644 --- a/atom/browser/api/atom_api_app.cc +++ b/atom/browser/api/atom_api_app.cc @@ -375,12 +375,6 @@ void App::SetDesktopName(const std::string& desktop_name) { #endif } -void App::AllowNTLMCredentialsForAllDomains(bool should_allow) { - auto browser_context = static_cast( - AtomBrowserMainParts::Get()->browser_context()); - browser_context->AllowNTLMCredentialsForAllDomains(should_allow); -} - std::string App::GetLocale() { return l10n_util::GetApplicationLocale(""); } @@ -482,8 +476,6 @@ void App::BuildPrototype( .SetMethod("setPath", &App::SetPath) .SetMethod("getPath", &App::GetPath) .SetMethod("setDesktopName", &App::SetDesktopName) - .SetMethod("allowNTLMCredentialsForAllDomains", - &App::AllowNTLMCredentialsForAllDomains) .SetMethod("getLocale", &App::GetLocale) #if defined(USE_NSS_CERTS) .SetMethod("importCertificate", &App::ImportCertificate) diff --git a/atom/browser/api/atom_api_app.h b/atom/browser/api/atom_api_app.h index edfd09c4d289..5dd07054a07b 100644 --- a/atom/browser/api/atom_api_app.h +++ b/atom/browser/api/atom_api_app.h 
@@ -106,7 +106,6 @@ class App : public AtomBrowserClient::Delegate, const base::FilePath& path); void SetDesktopName(const std::string& desktop_name); - void AllowNTLMCredentialsForAllDomains(bool should_allow); bool MakeSingleInstance( const ProcessSingleton::NotificationCallback& callback); std::string GetLocale(); diff --git a/atom/browser/atom_browser_context.cc b/atom/browser/atom_browser_context.cc index 04d5134a49e9..25aff9dbc87d 100644 --- a/atom/browser/atom_browser_context.cc +++ b/atom/browser/atom_browser_context.cc @@ -67,8 +67,7 @@ AtomBrowserContext::AtomBrowserContext(const std::string& partition, : brightray::BrowserContext(partition, in_memory), cert_verifier_(new AtomCertVerifier), job_factory_(new AtomURLRequestJobFactory), - network_delegate_(new AtomNetworkDelegate), - allow_ntlm_everywhere_(false) { + network_delegate_(new AtomNetworkDelegate) { } AtomBrowserContext::~AtomBrowserContext() { @@ -195,16 +194,6 @@ void AtomBrowserContext::RegisterPrefs(PrefRegistrySimple* pref_registry) { pref_registry->RegisterDictionaryPref(prefs::kDevToolsFileSystemPaths); } -bool AtomBrowserContext::AllowNTLMCredentialsForDomain(const GURL& origin) { - if (allow_ntlm_everywhere_) - return true; - return Delegate::AllowNTLMCredentialsForDomain(origin); -} - -void AtomBrowserContext::AllowNTLMCredentialsForAllDomains(bool should_allow) { - allow_ntlm_everywhere_ = should_allow; -} - } // namespace atom namespace brightray { diff --git a/atom/browser/atom_browser_context.h b/atom/browser/atom_browser_context.h index d959adbc753a..4e206a3f00ea 100644 --- a/atom/browser/atom_browser_context.h +++ b/atom/browser/atom_browser_context.h 
@@ -33,7 +33,6 @@ class AtomBrowserContext : public brightray::BrowserContext { const base::FilePath& base_path) override; scoped_ptr CreateCertVerifier() override; net::SSLConfigService* CreateSSLConfigService() override; - bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override; // content::BrowserContext: content::DownloadManagerDelegate* GetDownloadManagerDelegate() override; @@ -43,8 +42,6 @@ class AtomBrowserContext : public brightray::BrowserContext { // brightray::BrowserContext: void RegisterPrefs(PrefRegistrySimple* pref_registry) override; - void AllowNTLMCredentialsForAllDomains(bool should_allow); - AtomCertVerifier* cert_verifier() const { return cert_verifier_; } AtomURLRequestJobFactory* job_factory() const { return job_factory_; } @@ -61,8 +58,6 @@ class AtomBrowserContext : public brightray::BrowserContext { AtomURLRequestJobFactory* job_factory_; AtomNetworkDelegate* network_delegate_; - bool allow_ntlm_everywhere_; - DISALLOW_COPY_AND_ASSIGN(AtomBrowserContext); }; diff --git a/docs/api/chrome-command-line-switches.md b/docs/api/chrome-command-line-switches.md index bd16c00b0976..4fe6d136da2b 100644 --- a/docs/api/chrome-command-line-switches.md +++ b/docs/api/chrome-command-line-switches.md 
@@ -95,6 +95,24 @@ connection, and the endpoint host in a `SOCKS` proxy connection). Like `--host-rules` but these `rules` only apply to the host resolver. +## --auth-server-whitelist=`url` + +A comma-separated list of servers for which integrated authentication is enabled. + +For example: + +``` +--auth-server-whitelist='*example.com, *foobar.com, *baz' +``` + +then any `url` ending with `example.com`, `foobar.com`, `baz` will be considered +for integrated authentication. Without `*` prefix the url has to match exactly. + +## --auth-negotiate-delegate-whitelist=`url` + +A comma-separated list of servers for which delegation of user credentials is required. +Without `*` prefix the url has to match exactly. + ## --ignore-certificate-errors Ignores certificate related errors. From 62cad610e0dd722d25bb2b563927d97b874587b1 Mon Sep 17 00:00:00 2001 From: deepak1556 Date: Mon, 23 May 2016 01:52:09 +0530 Subject: [PATCH 2/9] bring back app.allowNTLMCredentialsForAllDomains --- docs/api/app.md | 6 +++--- lib/browser/api/app.js | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/api/app.md b/docs/api/app.md index f00b498d30c3..fdc5cc9b72e4 100644 --- a/docs/api/app.md +++ b/docs/api/app.md @@ -443,9 +443,7 @@ Adds `tasks` to the [Tasks][tasks] category of the JumpList on Windows. consists of two or more icons, set this value to identify the icon. If an icon file consists of one icon, this value is 0. -### `app.allowNTLMCredentialsForAllDomains(allow)` - -* `allow` Boolean +### `app.allowNTLMCredentialsForAllDomains()` Dynamically sets whether to always send credentials for HTTP NTLM or Negotiate authentication - normally, Electron will only send NTLM/Kerberos credentials for 
@@ -453,6 +451,8 @@ URLs that fall under "Local Intranet" sites (i.e. are in the same domain as you) However, this detection often fails when corporate networks are badly configured, so this lets you co-opt this behavior and enable it for all URLs. +**Note:** This method should be called before the `ready` event gets emitted. + ### `app.makeSingleInstance(callback)` * `callback` Function diff --git a/lib/browser/api/app.js b/lib/browser/api/app.js index 66ee0ac1e458..38b465688cfc 100644 --- a/lib/browser/api/app.js +++ b/lib/browser/api/app.js @@ -22,6 +22,9 @@ Object.assign(app, { commandLine: { appendSwitch: bindings.appendSwitch, appendArgument: bindings.appendArgument + }, + allowNTLMCredentialsForAllDomains () { + this.commandLine.appendSwitch('auth-server-whitelist', '*') } }) From 8f7a04f9c3dbc70fa1f8854398fc1aaef1bf52c4 Mon Sep 17 00:00:00 2001 From: leethomas Date: Sun, 22 May 2016 15:43:47 -0700 Subject: [PATCH 3/9] =?UTF-8?q?=F0=9F=8D=8E=20=20let=20Cocoa=20handle=20ke?= =?UTF-8?q?eping=20the=20aspect=20ratio=20whenever=20the=20edges=20are=20d?= =?UTF-8?q?ragged?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- atom/browser/native_window_mac.mm | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index bfffc7a08d64..434919dde117 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm 
@@ -141,22 +141,11 @@ bool ScopedDisableResize::disable_resize_ = false; newSize.width = roundf((frameSize.height - extraHeightPlusFrame) * aspectRatio + extraWidthPlusFrame); + newSize.height = + roundf((newSize.width - extraWidthPlusFrame) / aspectRatio + + extraHeightPlusFrame); - // If the new width is less than the frame size use it as the primary - // constraint. This ensures that the value returned by this method will - // never be larger than the users requested window size. - if (newSize.width <= frameSize.width) { - newSize.height = - roundf((newSize.width - extraWidthPlusFrame) / aspectRatio + - extraHeightPlusFrame); - } else { - newSize.height = - roundf((frameSize.width - extraWidthPlusFrame) / aspectRatio + - extraHeightPlusFrame); - newSize.width = - roundf((newSize.height - extraHeightPlusFrame) * aspectRatio + - extraWidthPlusFrame); - } + [sender setAspectRatio:NSMakeSize(newSize.width, newSize.height)]; } return newSize; From 7aaf97436218fb93988e658d83dd6394bfad52ab Mon Sep 17 00:00:00 2001 From: leethomas Date: Sun, 22 May 2016 16:50:50 -0700 Subject: [PATCH 4/9] override SetAspectRatio for NativeWindowMac --- atom/browser/native_window.h | 2 +- atom/browser/native_window_mac.h | 2 ++ atom/browser/native_window_mac.mm | 23 +++++++++++++++++++++-- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/atom/browser/native_window.h b/atom/browser/native_window.h index 7317a7ba6f76..8776e3d00652 100644 --- a/atom/browser/native_window.h +++ b/atom/browser/native_window.h @@ -190,7 +190,7 @@ class NativeWindow : public base::SupportsUserData, // Set the aspect ratio when resizing window. double GetAspectRatio(); gfx::Size GetAspectRatioExtraSize(); - void SetAspectRatio(double aspect_ratio, const gfx::Size& extra_size); + virtual void SetAspectRatio(double aspect_ratio, const gfx::Size& extra_size); base::WeakPtr GetWeakPtr() { return weak_factory_.GetWeakPtr(); 
diff --git a/atom/browser/native_window_mac.h b/atom/browser/native_window_mac.h index cfb3141ede66..c1694c3c784a 100644 --- a/atom/browser/native_window_mac.h +++ b/atom/browser/native_window_mac.h @@ -49,6 +49,8 @@ class NativeWindowMac : public NativeWindow { void SetResizable(bool resizable) override; bool IsResizable() override; void SetMovable(bool movable) override; + void SetAspectRatio(double aspect_ratio, const gfx::Size& extra_size) + override; bool IsMovable() override; void SetMinimizable(bool minimizable) override; bool IsMinimizable() override; diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index 434919dde117..f7cd4d42281e 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm @@ -144,8 +144,6 @@ bool ScopedDisableResize::disable_resize_ = false; newSize.height = roundf((newSize.width - extraWidthPlusFrame) / aspectRatio + extraHeightPlusFrame); - - [sender setAspectRatio:NSMakeSize(newSize.width, newSize.height)]; } return newSize; @@ -708,6 +706,27 @@ bool NativeWindowMac::IsResizable() { return [window_ styleMask] & NSResizableWindowMask; } +void NativeWindowMac::SetAspectRatio(double aspect_ratio, + const gfx::Size& extra_size) { + + gfx::Size windowSize = this->GetSize(); + gfx::Size contentSize = this->GetContentSize(); + + double extraWidthPlusFrame = + windowSize.width() - contentSize.width() + extra_size.width(); + double extraHeightPlusFrame = + windowSize.height() - contentSize.height() + extra_size.height(); + + double width = + roundf(([window_ frame].size.height - extraHeightPlusFrame) * + aspect_ratio + extraWidthPlusFrame); + double height = + roundf((width - extraWidthPlusFrame) / + aspect_ratio + extraHeightPlusFrame); + + [window_ setAspectRatio:NSMakeSize(width, height)]; +} + void NativeWindowMac::SetMovable(bool movable) { [window_ setMovable:movable]; } From ac6e4aff5e4dbb2b91ed8c6e17c4a3c5bd9165a7 Mon Sep 17 00:00:00 2001 
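Review bot: `NativeWindowMac::SetAspectRatio` divides by `aspect_ratio` (`(width - extraWidthPlusFrame) / aspect_ratio`) without checking it, so a zero or negative ratio produces a non-finite or negative size that is then passed to `[window_ setAspectRatio:]`. Nothing visible in this hunk rules out a caller passing 0, so a guard before the arithmetic, such as `if (aspect_ratio <= 0.0) return;`, would keep invalid sizes away from Cocoa. Whether a zero ratio should skip the call or clear a previously set ratio is not visible here. The same unguarded division survives the simplification in PATCH 8/9 (`roundf(width / aspect_ratio)`). `roundf` also narrows the `double` operands to `float`; `round` would match the declared types.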
From: leethomas Date: Sun, 22 May 2016 17:00:14 -0700 Subject: [PATCH 5/9] comments --- atom/browser/native_window_mac.mm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index f7cd4d42281e..264cab5fe739 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm @@ -709,6 +709,11 @@ bool NativeWindowMac::IsResizable() { void NativeWindowMac::SetAspectRatio(double aspect_ratio, const gfx::Size& extra_size) { + // We can't just pass the aspect ratio to Cocoa, since our API receives + // it as a float, and Cocoa expects an NSRect with explicit width & height + // arguments. Instead we derive those args ourselves from the given aspect + // ratio. + gfx::Size windowSize = this->GetSize(); gfx::Size contentSize = this->GetContentSize(); From 09de0c2766b3c8e4340f1f6f14bfb4e80faf866a Mon Sep 17 00:00:00 2001 From: leethomas Date: Sun, 22 May 2016 17:22:57 -0700 Subject: [PATCH 6/9] call base SetAspectRatio in NativeWindowMac implementation --- atom/browser/native_window_mac.mm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index 264cab5fe739..3bd3ed1b995a 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm @@ -708,12 +708,13 @@ bool NativeWindowMac::IsResizable() { void NativeWindowMac::SetAspectRatio(double aspect_ratio, const gfx::Size& extra_size) { + NativeWindow::SetAspectRatio(aspect_ratio, extra_size); // We can't just pass the aspect ratio to Cocoa, since our API receives // it as a float, and Cocoa expects an NSRect with explicit width & height // arguments. Instead we derive those args ourselves from the given aspect // ratio. - + gfx::Size windowSize = this->GetSize(); gfx::Size contentSize = this->GetContentSize(); From 1d61f987cb694232ec4c12190da4530f7aec9baf Mon Sep 17 00:00:00 2001 
From: leethomas Date: Sun, 22 May 2016 18:36:05 -0700 Subject: [PATCH 7/9] code styling --- atom/browser/native_window_mac.mm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index 3bd3ed1b995a..0f52adf30b6d 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm @@ -707,7 +707,7 @@ bool NativeWindowMac::IsResizable() { } void NativeWindowMac::SetAspectRatio(double aspect_ratio, - const gfx::Size& extra_size) { + const gfx::Size& extra_size) { NativeWindow::SetAspectRatio(aspect_ratio, extra_size); // We can't just pass the aspect ratio to Cocoa, since our API receives From de27b34891818e4a01913e62bacafd9a853cbe1a Mon Sep 17 00:00:00 2001 From: leethomas Date: Sun, 22 May 2016 19:09:21 -0700 Subject: [PATCH 8/9] disregard extraSize when initially setting the aspect ratio --- atom/browser/native_window_mac.mm | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/atom/browser/native_window_mac.mm b/atom/browser/native_window_mac.mm index 0f52adf30b6d..d6571be826d1 100644 --- a/atom/browser/native_window_mac.mm +++ b/atom/browser/native_window_mac.mm 
@@ -714,21 +714,8 @@ void NativeWindowMac::SetAspectRatio(double aspect_ratio, // it as a float, and Cocoa expects an NSRect with explicit width & height // arguments. Instead we derive those args ourselves from the given aspect // ratio. - - gfx::Size windowSize = this->GetSize(); - gfx::Size contentSize = this->GetContentSize(); - - double extraWidthPlusFrame = - windowSize.width() - contentSize.width() + extra_size.width(); - double extraHeightPlusFrame = - windowSize.height() - contentSize.height() + extra_size.height(); - - double width = - roundf(([window_ frame].size.height - extraHeightPlusFrame) * - aspect_ratio + extraWidthPlusFrame); - double height = - roundf((width - extraWidthPlusFrame) / - aspect_ratio + extraHeightPlusFrame); + double width = roundf([window_ frame].size.height * aspect_ratio); + double height = roundf(width / aspect_ratio); [window_ setAspectRatio:NSMakeSize(width, height)]; } From f68d0f324f3b5d3ad2f04574ed50a6b7885997ac Mon Sep 17 00:00:00 2001 From: deepak1556 Date: Mon, 23 May 2016 10:59:55 +0530 Subject: [PATCH 9/9] deprecate app.allowNTLMCredentialsForAllDomains --- atom/browser/api/atom_api_session.cc | 24 ++++++++++++++++++++++++ atom/browser/api/atom_api_session.h | 1 + docs/api/app.md | 10 ---------- docs/api/session.md | 17 +++++++++++++++++ lib/browser/api/app.js | 17 +++++++++++++---- 5 files changed, 55 insertions(+), 14 deletions(-) diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index 58fd358ca971..6cc5ffe7f66a 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -36,6 +36,8 @@ #include "net/base/load_flags.h" #include "net/disk_cache/disk_cache.h" #include "net/dns/host_cache.h" +#include "net/http/http_auth_handler_factory.h" +#include "net/http/http_auth_preferences.h" #include "net/proxy/proxy_service.h" #include "net/proxy/proxy_config_service_fixed.h" #include "net/url_request/url_request_context.h" 
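Review bot: The comment kept above the new two-line computation in `NativeWindowMac::SetAspectRatio` no longer matches the code: it says Cocoa expects an `NSRect` and that the ratio arrives as a float, while the call passes `NSMakeSize(...)` and the parameter is a `double`. `setAspectRatio:` only uses the width-to-height proportion, so deriving both numbers from the current frame height and rounding them loses precision for no benefit. `[window_ setAspectRatio:NSMakeSize(aspect_ratio, 1.0)];` states the ratio directly and removes the dependency on `[window_ frame]`. If the intent is that `extra_size` is now only forwarded to the base class, the comment should say so, e.g. `// extra_size is handled by NativeWindow; Cocoa only receives the bare ratio.`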
@@ -284,6 +286,19 @@ void ClearHostResolverCacheInIO( } } +void AllowNTLMCredentialsForDomainsInIO( + const scoped_refptr& context_getter, + const std::string& domains) { + auto request_context = context_getter->GetURLRequestContext(); + auto auth_handler = request_context->http_auth_handler_factory(); + if (auth_handler) { + auto auth_preferences = const_cast( + auth_handler->http_auth_preferences()); + if (auth_preferences) + auth_preferences->set_server_whitelist(domains); + } +} + } // namespace Session::Session(v8::Isolate* isolate, AtomBrowserContext* browser_context) @@ -432,6 +447,13 @@ void Session::ClearHostResolverCache(mate::Arguments* args) { callback)); } +void Session::AllowNTLMCredentialsForDomains(const std::string& domains) { + BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, + base::Bind(&AllowNTLMCredentialsForDomainsInIO, + make_scoped_refptr(browser_context_->GetRequestContext()), + domains)); +} + v8::Local Session::Cookies(v8::Isolate* isolate) { if (cookies_.IsEmpty()) { auto handle = atom::api::Cookies::Create(isolate, browser_context()); @@ -487,6 +509,8 @@ void Session::BuildPrototype(v8::Isolate* isolate, .SetMethod("setPermissionRequestHandler", &Session::SetPermissionRequestHandler) .SetMethod("clearHostResolverCache", &Session::ClearHostResolverCache) + .SetMethod("allowNTLMCredentialsForDomains", + &Session::AllowNTLMCredentialsForDomains) .SetProperty("cookies", &Session::Cookies) .SetProperty("webRequest", &Session::WebRequest); } diff --git a/atom/browser/api/atom_api_session.h b/atom/browser/api/atom_api_session.h index 5e08a85aa7d1..0cebf09ea1f3 100644 --- a/atom/browser/api/atom_api_session.h +++ b/atom/browser/api/atom_api_session.h 
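Review bot: `AllowNTLMCredentialsForDomainsInIO` writes to the auth preferences through a `const_cast`, so the factory evidently exposes them as read-only and this function changes them for whatever else uses that request context's factory (presumably every request in the session). When `http_auth_handler_factory()` or `http_auth_preferences()` returns null the function returns without doing anything, so the JavaScript caller cannot tell that the whitelist was not applied. Both facts belong in a comment above the function, e.g. `// Overwrites the server whitelist on the context's HttpAuthPreferences; does nothing if the factory or its preferences are missing.`, and the null case should be logged.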
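Review bot: `Session::AllowNTLMCredentialsForDomains` forwards `domains` to `set_server_whitelist` unchanged, and the docs added in this series show `'*'` as a supported value, which makes the session attempt NTLM or Negotiate authentication with any server that asks for it. The method carries no comment saying so; something like `// |domains| replaces the integrated-auth server whitelist; "*" enables it for every host, so prefer an explicit list.` would put the risk where the next maintainer reads it. The documented example `*example.com` is described as matching any URL ending in `example.com`, which by that description also covers unrelated hosts whose name merely ends in that string; a dot-anchored pattern such as `*.example.com` is narrower. The name also says NTLM only, while the docs state that the list governs Negotiate as well.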
@@ -79,6 +79,7 @@ class Session: public mate::TrackableObject, void SetPermissionRequestHandler(v8::Local val, mate::Arguments* args); void ClearHostResolverCache(mate::Arguments* args); + void AllowNTLMCredentialsForDomains(const std::string& domains); v8::Local Cookies(v8::Isolate* isolate); v8::Local WebRequest(v8::Isolate* isolate); diff --git a/docs/api/app.md b/docs/api/app.md index fdc5cc9b72e4..eddd4147db9d 100644 --- a/docs/api/app.md +++ b/docs/api/app.md @@ -443,16 +443,6 @@ Adds `tasks` to the [Tasks][tasks] category of the JumpList on Windows. consists of two or more icons, set this value to identify the icon. If an icon file consists of one icon, this value is 0. -### `app.allowNTLMCredentialsForAllDomains()` - -Dynamically sets whether to always send credentials for HTTP NTLM or Negotiate -authentication - normally, Electron will only send NTLM/Kerberos credentials for -URLs that fall under "Local Intranet" sites (i.e. are in the same domain as you). -However, this detection often fails when corporate networks are badly configured, -so this lets you co-opt this behavior and enable it for all URLs. - -**Note:** This method should be called before the `ready` event gets emitted. - ### `app.makeSingleInstance(callback)` * `callback` Function diff --git a/docs/api/session.md b/docs/api/session.md index 33a53df5844e..2d950ddd474a 100644 --- a/docs/api/session.md +++ b/docs/api/session.md 
@@ -323,6 +323,23 @@ session.fromPartition(partition).setPermissionRequestHandler((webContents, permi Clears the host resolver cache. +#### `ses.allowNTLMCredentialsForDomains(domains)` + +* `domains` String - A comma-seperated list of servers for which + integrated authentication is enabled. + +Dynamically sets whether to always send credentials for HTTP NTLM or Negotiate +authentication. + +```javascript +// consider any url ending with `example.com`, `foobar.com`, `baz` +// for integrated authentication. +session.defaultSession.allowNTLMCredentialsForDomains('*example.com, *foobar.com, *baz') + +// consider all urls for integrated authentication. +session.defaultSession.allowNTLMCredentialsForDomains('*') +``` + #### `ses.webRequest` The `webRequest` API set allows to intercept and modify contents of a request at diff --git a/lib/browser/api/app.js b/lib/browser/api/app.js index 38b465688cfc..f8a531626bf7 100644 --- a/lib/browser/api/app.js +++ b/lib/browser/api/app.js @@ -1,6 +1,6 @@ 'use strict' -const {Menu} = require('electron') +const {deprecate, Menu, session} = require('electron') const {EventEmitter} = require('events') const bindings = process.atomBinding('app') @@ -22,9 +22,6 @@ Object.assign(app, { commandLine: { appendSwitch: bindings.appendSwitch, appendArgument: bindings.appendArgument - }, - allowNTLMCredentialsForAllDomains () { - this.commandLine.appendSwitch('auth-server-whitelist', '*') } }) 
@@ -44,6 +41,18 @@ if (process.platform === 'darwin') { } } +app.allowNTLMCredentialsForAllDomains = function (allow) { + if (!process.noDeprecations) { + deprecate.warn('app.allowNTLMCredentialsForAllDomains', 'session.allowNTLMCredentialsForDomains') + } + let domains = allow ? '*' : '' + if (!this.isReady()) { + this.commandLine.appendSwitch('auth-server-whitelist', domains) + } else { + session.defaultSession.allowNTLMCredentialsForDomains(domains) + } +} + // Routes the events to webContents. const events = ['login', 'certificate-error', 'select-client-certificate'] for (let name of events) {
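Review bot: In the deprecation shim, a false or omitted `allow` writes an empty whitelist instead of leaving the configuration alone. Before `ready` it appends `auth-server-whitelist` with an empty value, and after `ready` it calls `allowNTLMCredentialsForDomains('')` on the default session, which would discard a list set earlier through the switch or the new session API. The C++ implementation removed in PATCH 1/9 fell back to `Delegate::AllowNTLMCredentialsForDomain(origin)` when the flag was false, so the old "off" meant default policy rather than an empty list. Appending the switch only when enabling, `if (allow) this.commandLine.appendSwitch('auth-server-whitelist', '*')`, avoids adding an empty switch; whether an empty post-ready list equals the default policy depends on code outside this hunk. Because the `'*'` branch enables integrated authentication for every server, the deprecation message should point callers at an explicit domain list.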