system-proxy: Request credentials from browser
When a ProxyConnectJob fails with "proxy auth required", the job will
ask for credentials from the ServerProxy object which owns it.
If the credentials are in the ServerProxy auth cache, the request will
be resolved with those credentials.
If not, the request will be forwarded to the parent process which will
send a dbus call to the browser to notify that it needs credentials for
a specific protection space (proxy_url, scheme, realm).
The browser will then send credentials along with the protection space
via dbus, with empty username and password if the user hasn't entered
them yet.
The dbus response is then forwarded to the ProxyConnectJob which made
the original request.
BUG=chromium:1042642
TEST=unittest
Change-Id: I1f5d43971d18df98aeb7c0b25642ceb29c761915
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2245699
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Tested-by: Andreea-Elena Costinas <acostinas@google.com>
Commit-Queue: Andreea-Elena Costinas <acostinas@google.com>
diff --git a/system-proxy/system_proxy_adaptor.cc b/system-proxy/system_proxy_adaptor.cc
index 46f88b7..839cb31 100644
--- a/system-proxy/system_proxy_adaptor.cc
+++ b/system-proxy/system_proxy_adaptor.cc
@@ -82,11 +82,6 @@
return SerializeProto(response);
}
- if (!request.has_credentials() && !request.has_kerberos_enabled()) {
- response.set_error_message(kNoCredentialsSpecifiedError);
- return SerializeProto(response);
- }
-
if (request.traffic_type() != TrafficOrigin::SYSTEM) {
response.set_error_message(kOnlySystemTrafficSupportedError);
return SerializeProto(response);
@@ -98,17 +93,28 @@
}
if (request.has_credentials()) {
- if (!request.credentials().has_username() ||
- !request.credentials().has_password()) {
+ if (!((request.credentials().has_username() &&
+ request.credentials().has_password()) ||
+ request.has_protection_space())) {
response.set_error_message(kNoCredentialsSpecifiedError);
return SerializeProto(response);
}
+ worker::Credentials credentials;
+ if (request.has_protection_space()) {
+ worker::ProtectionSpace protection_space;
+ protection_space.set_origin(request.protection_space().origin());
+ protection_space.set_scheme(request.protection_space().scheme());
+ protection_space.set_realm(request.protection_space().realm());
+ *credentials.mutable_protection_space() = protection_space;
+ }
+ if (request.credentials().has_username()) {
+ credentials.set_username(request.credentials().username());
+ credentials.set_password(request.credentials().password());
+ }
brillo::MessageLoop::current()->PostTask(
FROM_HERE, base::Bind(&SystemProxyAdaptor::SetCredentialsTask,
weak_ptr_factory_.GetWeakPtr(),
- system_services_worker_.get(),
- request.credentials().username(),
- request.credentials().password()));
+ system_services_worker_.get(), credentials));
}
if (request.has_kerberos_enabled()) {
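Review bot: The new validation accepts a request that carries a protection space and a username but no password, and the `if (request.credentials().has_username())` block then calls `set_password(request.credentials().password())`, which stores the proto default (an empty string) as if it had been supplied. Guard the copy on both fields, `if (request.credentials().has_username() && request.credentials().has_password()) {`, or reject the half-filled pair with kNoCredentialsSpecifiedError. The protection space's origin, scheme and realm are also copied without checking that they are set, so an empty space can reach the worker; whether the worker can match that to a pending request is not visible here. The enclosing function starts and ends outside the hunk.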
@@ -128,35 +134,8 @@
std::vector<uint8_t> SystemProxyAdaptor::SetSystemTrafficCredentials(
const std::vector<uint8_t>& request_blob) {
- LOG(INFO) << "Received set credentials request.";
-
- SetSystemTrafficCredentialsRequest request;
- const std::string error_message =
- DeserializeProto(FROM_HERE, &request, request_blob);
-
SetSystemTrafficCredentialsResponse response;
- if (!error_message.empty()) {
- response.set_error_message(error_message);
- return SerializeProto(response);
- }
-
- if (!request.has_system_services_username() ||
- !request.has_system_services_password()) {
- response.set_error_message(kNoCredentialsSpecifiedError);
- return SerializeProto(response);
- }
-
- if (!CreateWorkerIfNeeded(/* user_traffic */ false)) {
- response.set_error_message(kFailedToStartWorkerError);
- return SerializeProto(response);
- }
-
- brillo::MessageLoop::current()->PostTask(
- FROM_HERE,
- base::Bind(&SystemProxyAdaptor::SetCredentialsTask,
- weak_ptr_factory_.GetWeakPtr(), system_services_worker_.get(),
- request.system_services_username(),
- request.system_services_password()));
+ response.set_error_message("Deprecated. Please use SetAuthenticationDetails");
return SerializeProto(response);
}
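Review bot: The deprecated SetSystemTrafficCredentials returns an inline string literal, while the other errors visible in this diff are named constants (kNoCredentialsSpecifiedError, kFailedToStartWorkerError). With the LOG line removed, a caller that still uses the method also leaves no trace on the daemon side. Move the text into a constant next to the others and keep a log line, for example `LOG(WARNING) << "SetSystemTrafficCredentials is deprecated";`. `request_blob` is no longer read, so a one-line comment saying the blob is ignored on purpose would help the next reader.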
@@ -223,11 +202,10 @@
return true;
}
-void SystemProxyAdaptor::SetCredentialsTask(SandboxedWorker* worker,
- const std::string& username,
- const std::string& password) {
+void SystemProxyAdaptor::SetCredentialsTask(
+ SandboxedWorker* worker, const worker::Credentials& credentials) {
DCHECK(worker);
- worker->SetUsernameAndPassword(username, password);
+ worker->SetCredentials(credentials);
}
void SystemProxyAdaptor::SetKerberosEnabledTask(
@@ -303,4 +281,15 @@
SendWorkerActiveSignal(SerializeProto(details));
}
+void SystemProxyAdaptor::RequestAuthenticationCredentials(
+ const worker::ProtectionSpace& protection_space) {
+ AuthenticationRequiredDetails details;
+ ProtectionSpace proxy_protection_space;
+ proxy_protection_space.set_origin(protection_space.origin());
+ proxy_protection_space.set_realm(protection_space.realm());
+ proxy_protection_space.set_scheme(protection_space.scheme());
+ *details.mutable_proxy_protection_space() = proxy_protection_space;
+ SendAuthenticationRequiredSignal(SerializeProto(details));
+}
+
} // namespace system_proxy
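Review bot: RequestAuthenticationCredentials copies origin, realm and scheme from the worker straight into the AuthenticationRequired signal with no check. The realm presumably originates from the remote proxy's auth challenge, so it should be treated as untrusted text by the time it reaches the browser. Consider rejecting an incomplete space before signalling, e.g. `if (protection_space.origin().empty() || protection_space.scheme().empty()) return;` with an error log, and bounding the realm length. Nothing in this hunk limits how often the signal is emitted, which may matter if a worker keeps retrying a failing proxy. The function also lacks a comment; `// Emits the AuthenticationRequired D-Bus signal so the browser can supply credentials for |protection_space|.` would document the contract.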