| // Copyright 2020 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| #ifndef SYSTEM_PROXY_PROXY_CONNECT_JOB_H_ |
| #define SYSTEM_PROXY_PROXY_CONNECT_JOB_H_ |
| |
| #include <list> |
| #include <memory> |
| #include <string> |
| #include <string_view> |
| #include <vector> |
| |
| #include <curl/curl.h> |
| |
| #include <base/callback_forward.h> |
| #include <base/cancelable_callback.h> |
| #include <base/files/file_descriptor_watcher_posix.h> |
| #include <gtest/gtest_prod.h> // for FRIEND_TEST |
| |
| namespace patchpanel { |
| class SocketForwarder; |
| class Socket; |
| } // namespace patchpanel |
| |
| namespace system_proxy { |
| // ProxyConnectJob asynchronously sets up a connection to a remote target on |
| // behalf of a client using the following steps: |
| // 1. Gets the target url from the client request; |
| // 2. Asks the parent to resolve the proxy for the target url via |
| // |resolve_proxy_callback_|; |
| // 3. Connects to the target url trough the remote proxy server returned by the |
| // parent. |
| // 3. 1. On success, it will return a SocketForwarder to the parent, which |
| // forwards data between the Chrome OS client and the remote server. |
| // 3. 2. On error, it will check the HTTP status code from the server's reply. |
| // 3. 2. 1. If the status code means credentials are required, it asks the |
| // parent for authentication credentials via |auth_required_callback|. |
| // - If the parent returns credentials for the proxy server challenge, |
| // it attempts to reconnect (step 3); |
| // - Otherwise it will forward the status code to the client. |
| // 3.2.1.2. Other status codes are forwarded to the Chrome OS clients and the |
| // connection is closed. |
| // Note: Reconnecting to the server with credentials (step 3. 2. 1.) will create |
| // a new connection to the remote server, while the connection to the local |
| // client is still open and in a waiting state during the authentication |
| // process. |
| // TODO(acostinas,crbug.com/1098200): Cancel the proxy connect job if the |
| // request for credentials is not resolved after a certain time. |
| class ProxyConnectJob { |
| public: |
| using OnConnectionSetupFinishedCallback = base::OnceCallback<void( |
| std::unique_ptr<patchpanel::SocketForwarder>, ProxyConnectJob*)>; |
| |
| // Will be invoked by ProxyConnectJob to resolve the proxy for |target_url_|. |
| // The passed |callback| is expected to be called with the list of proxy |
| // servers, which will always contain at least one entry, the default proxy. |
| using ResolveProxyCallback = base::OnceCallback<void( |
| const std::string& url, |
| base::OnceCallback<void(const std::list<std::string>&)> |
| on_proxy_resolution_callback)>; |
| // Will be invoked by ProxyConnectJob to request the credentials for requests |
| // that fail with code 407. |
| using AuthenticationRequiredCallback = base::OnceCallback<void( |
| const std::string& proxy_url, |
| const std::string& scheme, |
| const std::string& realm, |
| base::OnceCallback<void(const std::string& credentials)> |
| on_auth_acquired_callback)>; |
| |
| ProxyConnectJob(std::unique_ptr<patchpanel::Socket> socket, |
| const std::string& credentials, |
| ResolveProxyCallback resolve_proxy_callback, |
| AuthenticationRequiredCallback auth_required_callback, |
| OnConnectionSetupFinishedCallback setup_finished_callback); |
| ProxyConnectJob(const ProxyConnectJob&) = delete; |
| ProxyConnectJob& operator=(const ProxyConnectJob&) = delete; |
| virtual ~ProxyConnectJob(); |
| |
| // Marks |client_socket_| as non-blocking and adds a watcher that calls |
| // |OnClientReadReady| when the socket is read ready. |
| virtual bool Start(); |
| void OnProxyResolution(const std::list<std::string>& proxy_servers); |
| |
| friend std::ostream& operator<<(std::ostream& stream, |
| const ProxyConnectJob& job); |
| |
| private: |
| friend class ServerProxyTest; |
| friend class ProxyConnectJobTest; |
| FRIEND_TEST(ServerProxyTest, HandlePendingJobs); |
| FRIEND_TEST(ServerProxyTest, HandleConnectRequest); |
| FRIEND_TEST(ProxyConnectJobTest, SuccessfulConnection); |
| FRIEND_TEST(ProxyConnectJobTest, SuccessfulConnectionAltEnding); |
| FRIEND_TEST(ProxyConnectJobTest, BadHttpRequestWrongMethod); |
| FRIEND_TEST(ProxyConnectJobTest, BadHttpRequestNoEmptyLine); |
| FRIEND_TEST(ProxyConnectJobTest, ResendWithCredentials); |
| FRIEND_TEST(ProxyConnectJobTest, NoCredentials); |
| FRIEND_TEST(ProxyConnectJobTest, KerberosAuth); |
| |
| // Reads data from the socket into |raw_request| until the first empty line, |
| // which would mark the end of the HTTP request header. |
| // This method does not validate the headers. |
| bool TryReadHttpHeader(std::vector<char>* raw_request); |
| |
| // Called when the client socket is ready for reading. |
| void OnClientReadReady(); |
| |
| // Called from |OnProxyResolution|, after the proxy for |target_url_| is |
| // resolved. |
| void DoCurlServerConnection(); |
| |
| void OnError(const std::string_view& http_error_message); |
| |
| void OnClientConnectTimeout(); |
| |
| // Requests the credentials to authenticate to the remote proxy server. The |
| // credentials are bound to the protection space extracted from the challenge |
| // sent by the remote server. |
| void AuthenticationRequired(const std::vector<char>& http_response_headers); |
| void OnAuthCredentialsProvided(const std::string& credentials); |
| // Checks if the HTTP CONNECT request has failed because of missing proxy |
| // authentication credentials. |
| bool AreAuthCredentialsRequired(CURL* easyhandle); |
| |
| // Sends the server response to the client. Returns true if the headers and |
| // body were sent successfully, false otherwise. In case of failure, calls |
| // |OnError|. The response headers and body can be empty if the libcurl |
| // connection fails. In this case, this will send the client an error message |
| // based on the HTTP status code |http_response_code_|. |
| bool SendHttpResponseToClient(const std::vector<char>& http_response_headers, |
| const std::vector<char>& http_response_body); |
| |
| std::string target_url_; |
| // HTTP proxy response code to the CONNECT request. |
| int64_t http_response_code_ = 0; |
| |
| std::string credentials_; |
| // Keep track on whether this is the first connect attempt or not. If a proxy |
| // connection attempt fails because of missing or invalid credentials, the |
| // code will attempt to reconnect with credentials fetched from the parent |
| // process. We should only reconnect after the first failed try otherwise |
| // the code will go into an infinite loop when fetched credentials are |
| // invalid. |
| bool first_http_connect_attempt_; |
| std::list<std::string> proxy_servers_; |
| ResolveProxyCallback resolve_proxy_callback_; |
| AuthenticationRequiredCallback auth_required_callback_; |
| OnConnectionSetupFinishedCallback setup_finished_callback_; |
| base::CancelableClosure client_connect_timeout_callback_; |
| |
| std::unique_ptr<patchpanel::Socket> client_socket_; |
| std::unique_ptr<base::FileDescriptorWatcher::Controller> read_watcher_; |
| base::WeakPtrFactory<ProxyConnectJob> weak_ptr_factory_{this}; |
| }; |
| } // namespace system_proxy |
| |
| #endif // SYSTEM_PROXY_PROXY_CONNECT_JOB_H_ |