From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jeremy Apthorp Date: Tue, 12 Nov 2019 11:50:16 -0800 Subject: add TrustedAuthClient to URLLoaderFactory This allows intercepting authentication requests for the 'net' module. Without this, the 'login' event for electron.net.ClientRequest can't be implemented, because the existing path checks for the presence of a WebContents, and cancels the authentication if there's no WebContents available, which there isn't in the case of the 'net' module. diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom index 2001e6202cf61d1c70bf81334b62d0502ea8c9ba..9dad884c877ae77d1a2460361112903c06023021 100644 --- a/services/network/public/mojom/network_context.mojom +++ b/services/network/public/mojom/network_context.mojom @@ -198,6 +198,25 @@ struct CTPolicy { array excluded_legacy_spkis; }; +interface TrustedAuthClient { + OnAuthRequired( + mojo_base.mojom.UnguessableToken? window_id, + uint32 process_id, + uint32 routing_id, + uint32 request_id, + url.mojom.Url url, + bool first_auth_attempt, + AuthChallengeInfo auth_info, + URLResponseHead? head, + pending_remote auth_challenge_responder); +}; +interface TrustedURLLoaderAuthClient { + // When a new URLLoader is created, this will be called to pass a + // corresponding |auth_client|. + OnLoaderCreated(int32 request_id, + pending_receiver auth_client); +}; + interface CertVerifierClient { Verify( int32 default_error, @@ -627,6 +646,8 @@ struct URLLoaderFactoryParams { // impact because of the extra process hops, so use should be minimized. pending_remote? header_client; + pending_remote? auth_client; + // |factory_bound_access_patterns| are used for CORS checks in addition to // the per-context allow patterns that is managed via NetworkContext // interface. This still respects the per-context block lists. diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc index 5d984482a2e5e18216bfc2229a18a513558dbcf4..1662f0878df16639ad585694be428058ab5a6c92 100644 --- a/services/network/url_loader.cc +++ b/services/network/url_loader.cc @@ -437,6 +437,7 @@ URLLoader::URLLoader( base::WeakPtr keepalive_statistics_recorder, base::WeakPtr network_usage_accumulator, mojom::TrustedURLLoaderHeaderClient* url_loader_header_client, + mojom::TrustedURLLoaderAuthClient* url_loader_auth_client, mojom::OriginPolicyManager* origin_policy_manager, std::unique_ptr trust_token_helper_factory, mojo::PendingRemote cookie_observer) @@ -496,6 +497,11 @@ URLLoader::URLLoader( header_client_.set_disconnect_handler( base::BindOnce(&URLLoader::OnMojoDisconnect, base::Unretained(this))); } + if (url_loader_auth_client) { + url_loader_auth_client->OnLoaderCreated(request_id_, auth_client_.BindNewPipeAndPassReceiver()); + auth_client_.set_disconnect_handler( + base::BindOnce(&URLLoader::OnMojoDisconnect, base::Unretained(this))); + } if (want_raw_headers_) { options_ |= mojom::kURLLoadOptionSendSSLInfoWithResponse | mojom::kURLLoadOptionSendSSLInfoForCertificateError; @@ -994,7 +1000,7 @@ void URLLoader::OnReceivedRedirect(net::URLRequest* url_request, void URLLoader::OnAuthRequired(net::URLRequest* url_request, const net::AuthChallengeInfo& auth_info) { - if (!network_context_client_) { + if (!network_context_client_ && !auth_client_) { OnAuthCredentials(base::nullopt); return; } @@ -1010,11 +1016,20 @@ void URLLoader::OnAuthRequired(net::URLRequest* url_request, if (url_request->response_headers()) head->headers = url_request->response_headers(); head->auth_challenge_info = auth_info; - network_context_client_->OnAuthRequired( - fetch_window_id_, factory_params_->process_id, render_frame_id_, - request_id_, url_request_->url(), first_auth_attempt_, auth_info, - std::move(head), - auth_challenge_responder_receiver_.BindNewPipeAndPassRemote()); + + if (auth_client_) { + auth_client_->OnAuthRequired( + fetch_window_id_, factory_params_->process_id, render_frame_id_, + request_id_, url_request_->url(), first_auth_attempt_, auth_info, + std::move(head), + auth_challenge_responder_receiver_.BindNewPipeAndPassRemote()); + } else { + network_context_client_->OnAuthRequired( + fetch_window_id_, factory_params_->process_id, render_frame_id_, + request_id_, url_request_->url(), first_auth_attempt_, auth_info, + std::move(head), + auth_challenge_responder_receiver_.BindNewPipeAndPassRemote()); + } auth_challenge_responder_receiver_.set_disconnect_handler( base::BindOnce(&URLLoader::DeleteSelf, base::Unretained(this))); diff --git a/services/network/url_loader.h b/services/network/url_loader.h index 077344d12f001b00590598bccbba2d614c8c1af2..d9c8a41c9c4fe11277392dd428c71f022f22063b 100644 --- a/services/network/url_loader.h +++ b/services/network/url_loader.h @@ -115,6 +115,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) URLLoader base::WeakPtr keepalive_statistics_recorder, base::WeakPtr network_usage_accumulator, mojom::TrustedURLLoaderHeaderClient* url_loader_header_client, + mojom::TrustedURLLoaderAuthClient* url_loader_auth_client, mojom::OriginPolicyManager* origin_policy_manager, std::unique_ptr trust_token_helper_factory, @@ -454,6 +455,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) URLLoader base::Optional fetch_window_id_; mojo::Remote header_client_; + mojo::Remote auth_client_; std::unique_ptr file_opener_for_upload_; diff --git a/services/network/url_loader_factory.cc b/services/network/url_loader_factory.cc index c8f02a3760f938c772c9e81afff8b37e49a73cbd..7e5bb5d1384488de2dee3672f933eba643dc14f7 100644 --- a/services/network/url_loader_factory.cc +++ b/services/network/url_loader_factory.cc @@ -75,6 +75,7 @@ URLLoaderFactory::URLLoaderFactory( resource_scheduler_client_(std::move(resource_scheduler_client)), header_client_(std::move(params_->header_client)), coep_reporter_(std::move(params_->coep_reporter)), + auth_client_(std::move(params_->auth_client)), cors_url_loader_factory_(cors_url_loader_factory), cookie_observer_(std::move(params_->cookie_observer)) { DCHECK(context); @@ -270,6 +271,7 @@ void URLLoaderFactory::CreateLoaderAndStart( std::move(keepalive_statistics_recorder), std::move(network_usage_accumulator), header_client_.is_bound() ? header_client_.get() : nullptr, + auth_client_.is_bound() ? auth_client_.get() : nullptr, context_->origin_policy_manager(), std::move(trust_token_factory), std::move(cookie_observer)); diff --git a/services/network/url_loader_factory.h b/services/network/url_loader_factory.h index 8b29b67a5b0663778df3169e09bf818e6bbcec3f..e504fa3d41066907a3fbc41e69daac968415dfa6 100644 --- a/services/network/url_loader_factory.h +++ b/services/network/url_loader_factory.h @@ -75,6 +75,7 @@ class URLLoaderFactory : public mojom::URLLoaderFactory { scoped_refptr resource_scheduler_client_; mojo::Remote header_client_; mojo::Remote coep_reporter_; + mojo::Remote auth_client_; // |cors_url_loader_factory_| owns this. cors::CorsURLLoaderFactory* cors_url_loader_factory_;