Credential core(CFURLCredentialRef cfCredential)
{
if (!cfCredential)
return Credential();
CredentialPersistence persistence = CredentialPersistenceNone;
switch (CFURLCredentialGetPersistence(cfCredential)) {
case kCFURLCredentialPersistenceNone:
break;
case kCFURLCredentialPersistenceForSession:
persistence = CredentialPersistenceForSession;
break;
case kCFURLCredentialPersistencePermanent:
persistence = CredentialPersistencePermanent;
break;
default:
ASSERT_NOT_REACHED();
}
#if CERTIFICATE_CREDENTIALS_SUPPORTED
SecIdentityRef identity = CFURLCredentialGetCertificateIdentity(cfCredential);
if (identity)
return Credential(identity, CFURLCredentialGetCertificateArray(cfCredential), persistence);
#endif
RetainPtr<CFStringRef> password(AdoptCF, CFURLCredentialCopyPassword(cfCredential));
return Credential(CFURLCredentialGetUsername(cfCredential), password.get(), persistence);
}
CredentialTransformData::CredentialTransformData(HTMLFormElement* form)
: m_userNameElement(0)
, m_passwordElement(0)
, m_isValid(false)
{
ASSERT(form);
// Get the document URL
KURL fullOrigin(ParsedURLString, form->document()->documentURI());
// Calculate the canonical action URL
String action = form->action();
if (action.isNull())
action = ""; // missing 'action' attribute implies current URL
KURL fullAction = form->document()->completeURL(action);
if (!fullAction.isValid())
return;
if (!findPasswordFormFields(form))
return;
m_url = stripURL(fullOrigin);
m_action = stripURL(fullAction);
m_protectionSpace = ProtectionSpace(m_url.host(), m_url.port(), ProtectionSpaceServerHTTP, "Form", ProtectionSpaceAuthenticationSchemeHTMLForm);
m_credential = Credential(m_userNameElement->value(), m_passwordElement->value(), CredentialPersistencePermanent);
m_isValid = true;
}
Credential CredentialStorage::get(const KURL& url)
{
PathToDefaultProtectionSpaceMap::iterator iter = findDefaultProtectionSpaceForURL(url);
if (iter == pathToDefaultProtectionSpaceMap().end())
return Credential();
return protectionSpaceToCredentialMap().get(iter->value);
}
Credential CredentialBackingStore::getLogin(const ProtectionSpace& protectionSpace)
{
UNUSED_PARAM(protectionSpace);
notImplemented();
return Credential();
}
bool ResourceHandle::tryHandlePasswordBasedAuthentication(const AuthenticationChallenge& challenge)
{
if (!challenge.protectionSpace().isPasswordBased())
return false;
if (!d->m_user.isNull() && !d->m_pass.isNull()) {
RetainPtr<CFURLCredentialRef> cfCredential = adoptCF(CFURLCredentialCreate(kCFAllocatorDefault, d->m_user.createCFString().get(), d->m_pass.createCFString().get(), 0, kCFURLCredentialPersistenceNone));
#if PLATFORM(COCOA)
Credential credential = Credential(cfCredential.get());
#else
Credential credential = core(cfCredential.get());
#endif
URL urlToStore;
if (challenge.failureResponse().httpStatusCode() == 401)
urlToStore = challenge.failureResponse().url();
d->m_context->storageSession().credentialStorage().set(credential, challenge.protectionSpace(), urlToStore);
CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
d->m_user = String();
d->m_pass = String();
// FIXME: Per the specification, the user shouldn't be asked for credentials if there were incorrect ones provided explicitly.
return true;
}
if (!client() || client()->shouldUseCredentialStorage(this)) {
if (!d->m_initialCredential.isEmpty() || challenge.previousFailureCount()) {
// The stored credential wasn't accepted, stop using it.
// There is a race condition here, since a different credential might have already been stored by another ResourceHandle,
// but the observable effect should be very minor, if any.
d->m_context->storageSession().credentialStorage().remove(challenge.protectionSpace());
}
if (!challenge.previousFailureCount()) {
Credential credential = d->m_context->storageSession().credentialStorage().get(challenge.protectionSpace());
if (!credential.isEmpty() && credential != d->m_initialCredential) {
ASSERT(credential.persistence() == CredentialPersistenceNone);
if (challenge.failureResponse().httpStatusCode() == 401) {
// Store the credential back, possibly adding it as a default for this directory.
d->m_context->storageSession().credentialStorage().set(credential, challenge.protectionSpace(), challenge.failureResponse().url());
}
#if PLATFORM(COCOA)
CFURLConnectionUseCredential(d->m_connection.get(), credential.cfCredential(), challenge.cfURLAuthChallengeRef());
#else
RetainPtr<CFURLCredentialRef> cfCredential = adoptCF(createCF(credential));
CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
#endif
return true;
}
}
}
return false;
}
AuthenticationChallenge::AuthenticationChallenge(SoupSession* soupSession, SoupMessage* soupMessage, SoupAuth* soupAuth, bool retrying, AuthenticationClient* client)
: AuthenticationChallengeBase(protectionSpaceFromSoupAuthAndMessage(soupAuth, soupMessage),
Credential(), // proposedCredentials
retrying ? 1 : 0, // previousFailureCount
soupMessage, // failureResponse
ResourceError::authenticationError(soupMessage))
, m_soupSession(soupSession)
, m_soupMessage(soupMessage)
, m_soupAuth(soupAuth)
, m_authenticationClient(client)
{
}
Credential core(CFURLCredentialRef cfCredential)
{
if (!cfCredential)
return Credential();
CredentialPersistence persistence = CredentialPersistenceNone;
switch (CFURLCredentialGetPersistence(cfCredential)) {
case kCFURLCredentialPersistenceNone:
break;
case kCFURLCredentialPersistenceForSession:
persistence = CredentialPersistenceForSession;
break;
case kCFURLCredentialPersistencePermanent:
persistence = CredentialPersistencePermanent;
break;
default:
ASSERT_NOT_REACHED();
}
return Credential(CFURLCredentialGetUsername(cfCredential), CFURLCredentialCopyPassword(cfCredential), persistence);
}
bool ArgumentCoder<Credential>::decode(ArgumentDecoder& decoder, Credential& credential)
{
String user;
if (!decoder.decode(user))
return false;
String password;
if (!decoder.decode(password))
return false;
CredentialPersistence persistence;
if (!decoder.decodeEnum(persistence))
return false;
credential = Credential(user, password, persistence);
return true;
}
void AuthenticationManager::cancelSingleChallenge(uint64_t challengeID)
{
auto challenge = m_challenges.take(challengeID);
ASSERT(!challenge.challenge.isNull());
AuthenticationClient* coreClient = challenge.challenge.authenticationClient();
#if USE(NETWORK_SESSION)
if (challenge.completionHandler) {
ASSERT(!coreClient);
challenge.completionHandler(AuthenticationChallengeDisposition::Cancel, Credential());
return;
}
#endif
if (coreClient)
coreClient->receivedCancellation(challenge.challenge);
else
receivedCancellation(challenge.challenge);
}
void ResourceHandle::createCFURLConnection(bool shouldUseCredentialStorage, bool shouldContentSniff, CFDictionaryRef clientProperties)
{
if ((!d->m_user.isEmpty() || !d->m_pass.isEmpty()) && !firstRequest().url().protocolInHTTPFamily()) {
// Credentials for ftp can only be passed in URL, the didReceiveAuthenticationChallenge delegate call won't be made.
KURL urlWithCredentials(firstRequest().url());
urlWithCredentials.setUser(d->m_user);
urlWithCredentials.setPass(d->m_pass);
firstRequest().setURL(urlWithCredentials);
}
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
if (shouldUseCredentialStorage && firstRequest().url().protocolInHTTPFamily()) {
if (d->m_user.isEmpty() && d->m_pass.isEmpty()) {
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
d->m_initialCredential = CredentialStorage::get(firstRequest().url());
} else {
// If there is already a protection space known for the URL, update stored credentials before sending a request.
// This makes it possible to implement logout by sending an XMLHttpRequest with known incorrect credentials, and aborting it immediately
// (so that an authentication dialog doesn't pop up).
CredentialStorage::set(Credential(d->m_user, d->m_pass, CredentialPersistenceNone), firstRequest().url());
}
}
if (!d->m_initialCredential.isEmpty()) {
// FIXME: Support Digest authentication, and Proxy-Authorization.
applyBasicAuthorizationHeader(firstRequest(), d->m_initialCredential);
}
RetainPtr<CFURLRequestRef> request(AdoptCF, makeFinalRequest(firstRequest(), shouldContentSniff));
#if HAVE(CFNETWORK_DATA_ARRAY_CALLBACK) && USE(PROTECTION_SPACE_AUTH_CALLBACK)
CFURLConnectionClient_V6 client = { 6, this, 0, 0, 0, WebCore::willSendRequest, didReceiveResponse, didReceiveData, 0, didFinishLoading, didFail, willCacheResponse, didReceiveChallenge, didSendBodyData, shouldUseCredentialStorageCallback, 0, canRespondToProtectionSpace, 0, didReceiveDataArray};
#else
CFURLConnectionClient_V3 client = { 3, this, 0, 0, 0, WebCore::willSendRequest, didReceiveResponse, didReceiveData, 0, didFinishLoading, didFail, willCacheResponse, didReceiveChallenge, didSendBodyData, shouldUseCredentialStorageCallback, 0};
#endif
RetainPtr<CFDictionaryRef> connectionProperties(AdoptCF, createConnectionProperties(shouldUseCredentialStorage, clientProperties));
CFURLRequestSetShouldStartSynchronously(request.get(), 1);
d->m_connection.adoptCF(CFURLConnectionCreateWithProperties(0, request.get(), reinterpret_cast<CFURLConnectionClient*>(&client), connectionProperties.get()));
}
void AuthenticationManager::cancelSingleChallenge(uint64_t challengeID)
{
auto challenge = m_challenges.take(challengeID);
ASSERT(!challenge.challenge.isNull());
AuthenticationClient* coreClient = challenge.challenge.authenticationClient();
#if USE(NETWORK_SESSION)
if (challenge.completionHandler) {
ASSERT(!coreClient);
challenge.completionHandler(AuthenticationChallengeDisposition::Cancel, Credential());
return;
}
#else
if (!coreClient) {
// FIXME: The authentication client is null for downloads, but it can also be null for canceled loads.
// We should not call Download::receivedCredential in the latter case.
Download::receivedCancellation(challenge.challenge);
return;
}
#endif
ASSERT(coreClient);
coreClient->receivedCancellation(challenge.challenge);
}
void AuthenticationManager::performDefaultHandlingForSingleChallenge(uint64_t challengeID)
{
auto challenge = m_challenges.take(challengeID);
ASSERT(!challenge.challenge.isNull());
AuthenticationClient* coreClient = challenge.challenge.authenticationClient();
#if USE(NETWORK_SESSION)
if (challenge.completionHandler) {
ASSERT(!coreClient);
challenge.completionHandler(AuthenticationChallengeDisposition::PerformDefaultHandling, Credential());
return;
}
#endif
if (coreClient)
coreClient->receivedRequestToPerformDefaultHandling(challenge.challenge);
else
receivedRequestToPerformDefaultHandling(challenge.challenge);
}
void ResourceHandle::createCFURLConnection(bool shouldUseCredentialStorage, bool shouldContentSniff, SchedulingBehavior schedulingBehavior, CFDictionaryRef clientProperties)
{
if ((!d->m_user.isEmpty() || !d->m_pass.isEmpty()) && !firstRequest().url().protocolIsInHTTPFamily()) {
// Credentials for ftp can only be passed in URL, the didReceiveAuthenticationChallenge delegate call won't be made.
URL urlWithCredentials(firstRequest().url());
urlWithCredentials.setUser(d->m_user);
urlWithCredentials.setPass(d->m_pass);
firstRequest().setURL(urlWithCredentials);
}
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
if (shouldUseCredentialStorage && firstRequest().url().protocolIsInHTTPFamily()) {
if (d->m_user.isEmpty() && d->m_pass.isEmpty()) {
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
d->m_initialCredential = CredentialStorage::get(firstRequest().url());
} else {
// If there is already a protection space known for the URL, update stored credentials before sending a request.
// This makes it possible to implement logout by sending an XMLHttpRequest with known incorrect credentials, and aborting it immediately
// (so that an authentication dialog doesn't pop up).
CredentialStorage::set(Credential(d->m_user, d->m_pass, CredentialPersistenceNone), firstRequest().url());
}
}
if (!d->m_initialCredential.isEmpty()) {
// FIXME: Support Digest authentication, and Proxy-Authorization.
applyBasicAuthorizationHeader(firstRequest(), d->m_initialCredential);
}
RetainPtr<CFMutableURLRequestRef> request = adoptCF(CFURLRequestCreateMutableCopy(kCFAllocatorDefault, firstRequest().cfURLRequest(UpdateHTTPBody)));
wkSetRequestStorageSession(d->m_storageSession.get(), request.get());
if (!shouldContentSniff)
wkSetCFURLRequestShouldContentSniff(request.get(), false);
RetainPtr<CFMutableDictionaryRef> sslProps;
#if PLATFORM(IOS)
sslProps = adoptCF(ResourceHandle::createSSLPropertiesFromNSURLRequest(firstRequest()));
#else
if (allowsAnyHTTPSCertificateHosts().contains(firstRequest().url().host().lower())) {
sslProps = adoptCF(CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsAnyRoot, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsExpiredRoots, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsExpiredCertificates, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
}
HashMap<String, RetainPtr<CFDataRef>>::iterator clientCert = clientCerts().find(firstRequest().url().host().lower());
if (clientCert != clientCerts().end()) {
if (!sslProps)
sslProps = adoptCF(CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
#if PLATFORM(WIN)
wkSetClientCertificateInSSLProperties(sslProps.get(), (clientCert->value).get());
#endif
}
#endif // PLATFORM(IOS)
if (sslProps)
CFURLRequestSetSSLProperties(request.get(), sslProps.get());
#if PLATFORM(WIN)
if (CFHTTPCookieStorageRef cookieStorage = overridenCookieStorage()) {
// Overridden cookie storage doesn't come from a session, so the request does not have it yet.
CFURLRequestSetHTTPCookieStorage(request.get(), cookieStorage);
}
#endif
CFMutableDictionaryRef streamProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (!shouldUseCredentialStorage) {
// Avoid using existing connections, because they may be already authenticated.
CFDictionarySetValue(streamProperties, CFSTR("_kCFURLConnectionSessionID"), CFSTR("WebKitPrivateSession"));
}
if (schedulingBehavior == SchedulingBehavior::Synchronous) {
// Synchronous requests should not be subject to regular connection count limit to avoid deadlocks.
// If we are using all available connections for async requests, and make a sync request, then prior
// requests may get stuck waiting for delegate calls while we are in nested run loop, and the sync
// request won't start because there are no available connections.
// Connections are grouped by their socket stream properties, with each group having a separate count.
CFDictionarySetValue(streamProperties, CFSTR("_WebKitSynchronousRequest"), kCFBooleanTrue);
}
#if PLATFORM(IOS) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090)
RetainPtr<CFDataRef> sourceApplicationAuditData = d->m_context->sourceApplicationAuditData();
if (sourceApplicationAuditData)
CFDictionarySetValue(streamProperties, CFSTR("kCFStreamPropertySourceApplication"), sourceApplicationAuditData.get());
#endif
static const CFStringRef kCFURLConnectionSocketStreamProperties = CFSTR("kCFURLConnectionSocketStreamProperties");
RetainPtr<CFMutableDictionaryRef> propertiesDictionary;
if (clientProperties)
propertiesDictionary = adoptCF(CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, clientProperties));
else
propertiesDictionary = adoptCF(CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
// FIXME: This code is different from iOS code in ResourceHandleMac.mm in that here we ignore stream properties that were present in client properties.
CFDictionaryAddValue(propertiesDictionary.get(), kCFURLConnectionSocketStreamProperties, streamProperties);
CFRelease(streamProperties);
#if PLATFORM(COCOA)
if (client() && client()->usesAsyncCallbacks())
d->m_connectionDelegate = adoptRef(new ResourceHandleCFURLConnectionDelegateWithOperationQueue(this));
else
d->m_connectionDelegate = adoptRef(new SynchronousResourceHandleCFURLConnectionDelegate(this));
#else
d->m_connectionDelegate = adoptRef(new SynchronousResourceHandleCFURLConnectionDelegate(this));
#endif
d->m_connectionDelegate->setupRequest(request.get());
CFURLConnectionClient_V6 client = d->m_connectionDelegate->makeConnectionClient();
d->m_connection = adoptCF(CFURLConnectionCreateWithProperties(0, request.get(), reinterpret_cast<CFURLConnectionClient*>(&client), propertiesDictionary.get()));
}
Credential CredentialTransformData::credential() const
{
if (m_credential.isEmpty() && m_userNameElement && m_passwordElement)
return m_credential = Credential(m_userNameElement->value(), m_passwordElement->value(), CredentialPersistencePermanent);
return m_credential;
}
void ResourceHandle::createCFURLConnection(bool shouldUseCredentialStorage, bool shouldRelaxThirdPartyCookiePolicy, bool shouldContentSniff)
{
if ((!d->m_user.isEmpty() || !d->m_pass.isEmpty()) && !firstRequest().url().protocolIsInHTTPFamily()) {
// Credentials for ftp can only be passed in URL, the didReceiveAuthenticationChallenge delegate call won't be made.
KURL urlWithCredentials(firstRequest().url());
urlWithCredentials.setUser(d->m_user);
urlWithCredentials.setPass(d->m_pass);
firstRequest().setURL(urlWithCredentials);
}
if (shouldRelaxThirdPartyCookiePolicy)
firstRequest().setFirstPartyForCookies(firstRequest().url());
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
if (shouldUseCredentialStorage && firstRequest().url().protocolIsInHTTPFamily()) {
if (d->m_user.isEmpty() && d->m_pass.isEmpty()) {
// <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication,
// try and reuse the credential preemptively, as allowed by RFC 2617.
d->m_initialCredential = CredentialStorage::get(firstRequest().url());
} else {
// If there is already a protection space known for the URL, update stored credentials before sending a request.
// This makes it possible to implement logout by sending an XMLHttpRequest with known incorrect credentials, and aborting it immediately
// (so that an authentication dialog doesn't pop up).
CredentialStorage::set(Credential(d->m_user, d->m_pass, CredentialPersistenceNone), firstRequest().url());
}
}
if (!d->m_initialCredential.isEmpty()) {
// FIXME: Support Digest authentication, and Proxy-Authorization.
applyBasicAuthorizationHeader(firstRequest(), d->m_initialCredential);
}
RetainPtr<CFMutableURLRequestRef> request = adoptCF(CFURLRequestCreateMutableCopy(kCFAllocatorDefault, firstRequest().cfURLRequest()));
wkSetRequestStorageSession(d->m_storageSession.get(), request.get());
if (!shouldContentSniff)
wkSetCFURLRequestShouldContentSniff(request.get(), false);
RetainPtr<CFMutableDictionaryRef> sslProps;
if (allowsAnyHTTPSCertificateHosts().contains(firstRequest().url().host().lower())) {
sslProps.adoptCF(CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsAnyRoot, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsExpiredRoots, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLAllowsExpiredCertificates, kCFBooleanTrue);
CFDictionaryAddValue(sslProps.get(), kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
}
HashMap<String, RetainPtr<CFDataRef> >::iterator clientCert = clientCerts().find(firstRequest().url().host().lower());
if (clientCert != clientCerts().end()) {
if (!sslProps)
sslProps.adoptCF(CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
#if PLATFORM(WIN)
wkSetClientCertificateInSSLProperties(sslProps.get(), (clientCert->value).get());
#endif
}
if (sslProps)
CFURLRequestSetSSLProperties(request.get(), sslProps.get());
#if PLATFORM(WIN)
if (CFHTTPCookieStorageRef cookieStorage = overridenCookieStorage()) {
// Overridden cookie storage doesn't come from a session, so the request does not have it yet.
CFURLRequestSetHTTPCookieStorage(request.get(), cookieStorage);
}
#endif
CFURLConnectionClient_V6 client = { 6, this, 0, 0, 0, WebCore::willSendRequest, didReceiveResponse, didReceiveData, 0, didFinishLoading, didFail, willCacheResponse, didReceiveChallenge, didSendBodyData, shouldUseCredentialStorageCallback, 0,
#if USE(PROTECTION_SPACE_AUTH_CALLBACK)
canRespondToProtectionSpace,
#else
0,
#endif
0,
#if USE(NETWORK_CFDATA_ARRAY_CALLBACK)
didReceiveDataArray
#else
0
#endif
};
RetainPtr<CFDictionaryRef> connectionProperties(AdoptCF, createConnectionProperties(shouldUseCredentialStorage));
d->m_connection.adoptCF(CFURLConnectionCreateWithProperties(0, request.get(), reinterpret_cast<CFURLConnectionClient*>(&client), connectionProperties.get()));
}
void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
{
LOG(Network, "CFNet - didReceiveAuthenticationChallenge()");
ASSERT(d->m_currentWebChallenge.isNull());
// Since CFURLConnection networking relies on keeping a reference to the original CFURLAuthChallengeRef,
// we make sure that is actually present
ASSERT(challenge.cfURLAuthChallengeRef());
ASSERT(challenge.authenticationClient() == this); // Should be already set.
#if !PLATFORM(WIN)
// Proxy authentication is handled by CFNetwork internally. We can get here if the user cancels
// CFNetwork authentication dialog, and we shouldn't ask the client to display another one in that case.
if (challenge.protectionSpace().isProxy()) {
// Cannot use receivedRequestToContinueWithoutCredential(), because current challenge is not yet set.
CFURLConnectionUseCredential(d->m_connection.get(), 0, challenge.cfURLAuthChallengeRef());
return;
}
#endif
if (!d->m_user.isNull() && !d->m_pass.isNull()) {
RetainPtr<CFURLCredentialRef> cfCredential = adoptCF(CFURLCredentialCreate(kCFAllocatorDefault, d->m_user.createCFString().get(), d->m_pass.createCFString().get(), 0, kCFURLCredentialPersistenceNone));
#if PLATFORM(COCOA)
Credential credential = Credential(cfCredential.get());
#else
Credential credential = core(cfCredential.get());
#endif
URL urlToStore;
if (challenge.failureResponse().httpStatusCode() == 401)
urlToStore = challenge.failureResponse().url();
CredentialStorage::set(credential, challenge.protectionSpace(), urlToStore);
CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
d->m_user = String();
d->m_pass = String();
// FIXME: Per the specification, the user shouldn't be asked for credentials if there were incorrect ones provided explicitly.
return;
}
if (!client() || client()->shouldUseCredentialStorage(this)) {
if (!d->m_initialCredential.isEmpty() || challenge.previousFailureCount()) {
// The stored credential wasn't accepted, stop using it.
// There is a race condition here, since a different credential might have already been stored by another ResourceHandle,
// but the observable effect should be very minor, if any.
CredentialStorage::remove(challenge.protectionSpace());
}
if (!challenge.previousFailureCount()) {
Credential credential = CredentialStorage::get(challenge.protectionSpace());
if (!credential.isEmpty() && credential != d->m_initialCredential) {
ASSERT(credential.persistence() == CredentialPersistenceNone);
if (challenge.failureResponse().httpStatusCode() == 401) {
// Store the credential back, possibly adding it as a default for this directory.
CredentialStorage::set(credential, challenge.protectionSpace(), challenge.failureResponse().url());
}
#if PLATFORM(COCOA)
CFURLConnectionUseCredential(d->m_connection.get(), credential.cfCredential(), challenge.cfURLAuthChallengeRef());
#else
RetainPtr<CFURLCredentialRef> cfCredential = adoptCF(createCF(credential));
CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
#endif
return;
}
}
}
d->m_currentWebChallenge = challenge;
if (client())
client()->didReceiveAuthenticationChallenge(this, d->m_currentWebChallenge);
}
void NetworkStorageSession::getCredentialFromPersistentStorage(const ProtectionSpace& protectionSpace, Function<void (Credential&&)> completionHandler)
{
#if USE(LIBSECRET)
if (m_sessionID.isEphemeral()) {
completionHandler({ });
return;
}
const String& realm = protectionSpace.realm();
if (realm.isEmpty()) {
completionHandler({ });
return;
}
GRefPtr<GHashTable> attributes = adoptGRef(secret_attributes_build(SECRET_SCHEMA_COMPAT_NETWORK,
"domain", realm.utf8().data(),
"server", protectionSpace.host().utf8().data(),
"port", protectionSpace.port(),
"protocol", schemeFromProtectionSpaceServerType(protectionSpace.serverType()),
"authtype", authTypeFromProtectionSpaceAuthenticationScheme(protectionSpace.authenticationScheme()),
nullptr));
if (!attributes) {
completionHandler({ });
return;
}
m_persisentStorageCancellable = adoptGRef(g_cancellable_new());
m_persisentStorageCompletionHandler = WTFMove(completionHandler);
secret_service_search(nullptr, SECRET_SCHEMA_COMPAT_NETWORK, attributes.get(),
static_cast<SecretSearchFlags>(SECRET_SEARCH_UNLOCK | SECRET_SEARCH_LOAD_SECRETS), m_persisentStorageCancellable.get(),
[](GObject* source, GAsyncResult* result, gpointer userData) {
GUniqueOutPtr<GError> error;
GUniquePtr<GList> elements(secret_service_search_finish(SECRET_SERVICE(source), result, &error.outPtr()));
if (g_error_matches (error.get(), G_IO_ERROR, G_IO_ERROR_CANCELLED))
return;
NetworkStorageSession* session = static_cast<NetworkStorageSession*>(userData);
auto completionHandler = std::exchange(session->m_persisentStorageCompletionHandler, nullptr);
if (error || !elements || !elements->data) {
completionHandler({ });
return;
}
GRefPtr<SecretItem> secretItem = adoptGRef(static_cast<SecretItem*>(elements->data));
GRefPtr<GHashTable> attributes = adoptGRef(secret_item_get_attributes(secretItem.get()));
String user = String::fromUTF8(static_cast<const char*>(g_hash_table_lookup(attributes.get(), "user")));
if (user.isEmpty()) {
completionHandler({ });
return;
}
size_t length;
GRefPtr<SecretValue> secretValue = adoptGRef(secret_item_get_secret(secretItem.get()));
const char* passwordData = secret_value_get(secretValue.get(), &length);
completionHandler(Credential(user, String::fromUTF8(passwordData, length), CredentialPersistencePermanent));
}, this);
#else
UNUSED_PARAM(protectionSpace);
completionHandler({ });
#endif
}
