Add NTLM single-sign-on support via Samba's ntlm_auth helper

net/http/http_auth_handler_ntlm_portable.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_handler_ntlm.h"
 
 #include <stdlib.h>
 // For gethostname
 #if defined(OS_POSIX)
 #include <unistd.h>
 #elif defined(OS_WIN)
 #include <winsock2.h>
 #endif
 
+#include "base/base64.h"
 #include "base/md5.h"
+#include "base/process/kill.h"
+#include "base/process/launch.h"
 #include "base/rand_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/zap.h"
 #include "net/http/des.h"
 #include "net/http/md4.h"
 
@@ skipping 598 matching lines @@
 // [MS-NTHT].
 
 // static
 HttpAuthHandlerNTLM::GenerateRandomProc
 HttpAuthHandlerNTLM::generate_random_proc_ = GenerateRandom;
 
 // static
 HttpAuthHandlerNTLM::HostNameProc
 HttpAuthHandlerNTLM::get_host_name_proc_ = GetHostName;
 
-HttpAuthHandlerNTLM::HttpAuthHandlerNTLM() {
+HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
+    URLSecurityManager* url_security_manager)
+    : url_security_manager_(url_security_manager) {
+  helpername_ = getenv("CHROME_NTLM_USER_HELPER");
+  if (!helpername_)
+    helpername_ = "/usr/bin/ntlm_auth";
+  try_winbind_ = !access(helpername_, X_OK);
+  ntlm_write_pipe_ = -1;
+  ntlm_read_pipe_ = -1;
+  ntlm_auth_handle_ = -1;
 }
 
 bool HttpAuthHandlerNTLM::NeedsIdentity() {
-  // This gets called for each round-trip.  Only require identity on
-  // the first call (when auth_data_ is empty).  On subsequent calls,
-  // we use the initially established identity.
-  return auth_data_.empty();
+  // If we think winbind might be available, return true on the first phase
+  // (when auth_data_ is empty) so that the default identity gets selected.
+  // If it's *not* available, then only return true on the second phase.
+  // This works even for the case where winbind *might* be available, but
+  // turns out not to be when we actually get round to checking for it.
+  // In that case, we'll send the portable challenge in the first phase
+  // after we realise winbind can't help us, and then get a real identity
+  // in time for the second phase.
+ return !try_winbind_ ^ auth_data_.empty();
+}
+
+bool HttpAuthHandlerNTLM::start_ntlm_helper_() {
+  /* fork_ntlm_auth_with_pipes(); */
+  int writepipe[2] = {-1, -1}; /* parent -> child */
+  int readpipe [2] = {-1, -1}; /* child -> parent */
+
+  if ( pipe(readpipe) < 0 || pipe(writepipe) < 0 )
+    {
+      VLOG(1) << "Failed to open pipes for ntlm_auth helper";
+      return false;
+    }
+  char *username = getenv("NTLMUSER");
+  if (!username)
+    username = getenv("USER");
+  if (!username) {
+    VLOG(1) << "No username. No automatic NTLM";
+    return false;
+  }
+
+  std::vector<std::string> args;
+  base::LaunchOptions options;
+  base::FileHandleMappingVector fds_to_remap;
+
+  args.push_back(helpername_);
+  args.push_back("--helper-protocol");
+  args.push_back("ntlmssp-client-1");
+  args.push_back("--use-cached-creds");
+  args.push_back("--username");
+  args.push_back(username);
+
+  fds_to_remap.push_back(std::make_pair(readpipe[1], 1));
+  fds_to_remap.push_back(std::make_pair(writepipe[0], 0));
+
+
+  options.wait = false;
+  options.fds_to_remap = &fds_to_remap;
+
+  if (base::LaunchProcess(args, options, &ntlm_auth_handle_) == false) {
+    VLOG(1) << "Failed to launch ntlm_auth helper";
+    close(writepipe[0]);
+    close(writepipe[1]);
+    close(readpipe[0]);
+    close(readpipe[1]);
+    return false;
+  }
+  ntlm_write_pipe_ = writepipe[1];
+  close(writepipe[0]);
+
+  ntlm_read_pipe_ = readpipe[0];
+  close(readpipe[1]);
+
+  if (write(ntlm_write_pipe_, "YR\n", 3) != 3) {
+    VLOG(1) << "Failed to send YR to ntlm_auth: " << strerror(errno);
+    return false;
+  }
+  return true;
+}
+
+void HttpAuthHandlerNTLM::OnFileCanWriteWithoutBlocking(int fd) {
+  NOTREACHED();
+}
+
+static bool read_line(int fd, char *buf, int len) {
+
+  while (len) {
+    int result = read(fd, buf, len);
+    if (result <= 0)
+      return false;
+    else {
+      if (buf[result - 1] == '\n') {
+        buf[result - 1] = 0;
+        return true;
+      }
+      buf += result;
+      len -= result;
+    }
+  }
+  return false;
+}
+
+void HttpAuthHandlerNTLM::OnFileCanReadWithoutBlocking(int fd) {
+
+  char buf[1024];
+  if (!read_line(ntlm_read_pipe_, buf, sizeof(buf))) {
+    VLOG(1) << "Read initial response from ntlm_auth failed";
+  fall_back_to_portable:
+    void *out_buf;
+    uint32 out_buf_len;
+
+    int rv = GenerateType1Msg(&out_buf, &out_buf_len);
+    if (rv != OK) {
+      token_callback_.Run(rv);
+      return;
+    }
+
+    // Base64 encode data in output buffer and prepend "NTLM ".
+    std::string encode_input(static_cast<char*>(out_buf), out_buf_len);
+    std::string encode_output;
+    base::Base64Encode(encode_input, &encode_output);
+    // OK, we are done with |out_buf|
+    free(out_buf);
+    *callback_auth_token_ = std::string("NTLM ") + encode_output;
+
+    token_callback_.Run(OK);
+    ntlm_read_watcher_.StopWatchingFileDescriptor();
+    try_winbind_ = false;
+    return;
+  }
+  if (!strcmp(buf, "PW")) {
+    VLOG(1) << "ntlm_auth asks for password";
+    goto fall_back_to_portable;
+  }
+  if (strncmp(buf, "YR ", 3) && strncmp(buf, "KK ", 3) &&
+      strncmp(buf, "AF ", 3)) {
+    VLOG(1) << "Unknown response from ntlm_auth: " << buf;
+    goto fall_back_to_portable;
+  }
+
+  VLOG(1) << "Yay, ntlm_auth gives challenge: " << buf;
+  *callback_auth_token_ = std::string("NTLM ") + std::string(buf + 3);
+  return token_callback_.Run(OK);
 }
 
 bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
-  // Default credentials are not supported in the portable implementation of
-  // NTLM, but are supported in the SSPI implementation.
-  return false;
+  // Always return true (assuning the UrlSecurityManager permits it) if
+  // it looks like the winbind helper even might be available; we can't
+  // check properly yet because we need to do that asynchronously.
+  if (!try_winbind_)
+    return false;
+  if (target_ == HttpAuth::AUTH_PROXY)
+    return true;
+  if (!url_security_manager_)
+    return false;
+  return url_security_manager_->CanUseDefaultCredentials(origin_);
 }
 
 int HttpAuthHandlerNTLM::InitializeBeforeFirstChallenge() {
   return OK;
 }
 
 HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() {
   credentials_.Zap();
+  if (ntlm_write_pipe_ != -1)
+    close(ntlm_write_pipe_);
+  if (ntlm_read_pipe_ != -1)
+    close(ntlm_read_pipe_);
+  if (ntlm_auth_handle_ != -1)
+    base::KillProcess(ntlm_auth_handle_, 1, true);
 }
 
 // static
 HttpAuthHandlerNTLM::GenerateRandomProc
 HttpAuthHandlerNTLM::SetGenerateRandomProc(
     GenerateRandomProc proc) {
   GenerateRandomProc old_proc = generate_random_proc_;
   generate_random_proc_ = proc;
   return old_proc;
 }
@@ skipping 47 matching lines @@
     CreateReason reason,
     int digest_nonce_count,
     const BoundNetLog& net_log,
     scoped_ptr<HttpAuthHandler>* handler) {
   if (reason == CREATE_PREEMPTIVE)
     return ERR_UNSUPPORTED_AUTH_SCHEME;
   // TODO(cbentzel): Move towards model of parsing in the factory
   //                 method and only constructing when valid.
   // NOTE: Default credentials are not supported for the portable implementation
   // of NTLM.
-  scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM);
+  scoped_ptr<HttpAuthHandler> tmp_handler(
+      new HttpAuthHandlerNTLM(url_security_manager()));
   if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
     return ERR_INVALID_RESPONSE;
   handler->swap(tmp_handler);
   return OK;
 }
 
 }  // namespace net