Changeset 220583 in webkit

Timestamp:

Aug 11, 2017 3:06:12 AM (7 years ago)

Author:

Carlos Garcia Campos

Message:

[Soup] Cannot access HTTPS sites using a HTTP proxy that requires authentication
​https://bugs.webkit.org/show_bug.cgi?id=175378

Reviewed by Sergio Villar Senin.

Source/WebCore:

Bring back part of the code removed in r206732, to keep a reference to the SoupMessage in the
AuthenticationChallenge since it can be different to the resource message.

• platform/network/soup/AuthenticationChallenge.h:

(WebCore::AuthenticationChallenge::AuthenticationChallenge): Deleted.
(WebCore::AuthenticationChallenge::authenticationClient const): Deleted.
(WebCore::AuthenticationChallenge::soupAuth const): Deleted.
(WebCore::AuthenticationChallenge::setProposedCredential): Deleted.

• platform/network/soup/AuthenticationChallengeSoup.cpp:

(WebCore::AuthenticationChallenge::AuthenticationChallenge):
(WebCore::AuthenticationChallenge::platformCompare):

Source/WebKit:

In case of HTTPS resource with a proxy, libsoup uses a tunnel internally, that uses its own SoupMessage during
the proxy authentication. We were ignoring authentication requests for other messages.

• NetworkProcess/soup/NetworkDataTaskSoup.cpp:

(WebKit::NetworkDataTaskSoup::authenticateCallback): Only return early if the message does't match and it's not
HTTPS resource over a proxy.
(WebKit::NetworkDataTaskSoup::authenticate): Use the soup message from the authentication challenge.
(WebKit::NetworkDataTaskSoup::continueAuthenticate): Ditto.

Tools:

Add two test cases to check proxy authentication.

• TestWebKitAPI/Tests/WebKitGLib/TestAuthentication.cpp:

(Tunnel::Tunnel):
(Tunnel::~Tunnel):
(Tunnel::connect):
(Tunnel::connected):
(serverCallback):
(ProxyAuthenticationTest::ProxyAuthenticationTest):
(ProxyAuthenticationTest::~ProxyAuthenticationTest):
(ProxyAuthenticationTest::proxyServerPortAsString):
(testWebViewAuthenticationProxy):
(testWebViewAuthenticationProxyHTTPS):
(beforeAll):

Location:

trunk

Files:

• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/network/soup/AuthenticationChallenge.h (modified) (4 diffs)
• Source/WebCore/platform/network/soup/AuthenticationChallengeSoup.cpp (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp (modified) (3 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitGLib/TestAuthentication.cpp (modified) (5 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-08-11  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [Soup] Cannot access HTTPS sites using a HTTP proxy that requires authentication
+        https://bugs.webkit.org/show_bug.cgi?id=175378
+
+        Reviewed by Sergio Villar Senin.
+
+        Bring back part of the code removed in r206732, to keep a reference to the SoupMessage in the
+        AuthenticationChallenge since it can be different to the resource message.
+
+        * platform/network/soup/AuthenticationChallenge.h:
+        (WebCore::AuthenticationChallenge::AuthenticationChallenge): Deleted.
+        (WebCore::AuthenticationChallenge::authenticationClient const): Deleted.
+        (WebCore::AuthenticationChallenge::soupAuth const): Deleted.
+        (WebCore::AuthenticationChallenge::setProposedCredential): Deleted.
+        * platform/network/soup/AuthenticationChallengeSoup.cpp:
+        (WebCore::AuthenticationChallenge::AuthenticationChallenge):
+        (WebCore::AuthenticationChallenge::platformCompare):
+
 2017-08-10  Dan Bernstein  <mitz@apple.com>
 

trunk/Source/WebCore/platform/network/soup/AuthenticationChallenge.h

@@ -23 +23 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#ifndef AuthenticationChallenge_h
-#define AuthenticationChallenge_h
+
+#pragma once
 
 #include "AuthenticationChallengeBase.h"
@@ -34 +34 @@
 namespace WebCore {
 
-class AuthenticationChallenge : public AuthenticationChallengeBase {
+class AuthenticationChallenge final : public AuthenticationChallengeBase {
 public:
     AuthenticationChallenge()
@@ -47 +47 @@
     AuthenticationChallenge(SoupMessage*, SoupAuth*, bool retrying, AuthenticationClient* = nullptr);
     AuthenticationClient* authenticationClient() const { return m_authenticationClient.get(); }
+    SoupMessage* soupMessage() const { return m_soupMessage.get(); }
     SoupAuth* soupAuth() const { return m_soupAuth.get(); }
     void setProposedCredential(const Credential& credential) { m_proposedCredential = credential; }
@@ -54 +55 @@
     static bool platformCompare(const AuthenticationChallenge&, const AuthenticationChallenge&);
 
+    GRefPtr<SoupMessage> m_soupMessage;
     GRefPtr<SoupAuth> m_soupAuth;
     RefPtr<AuthenticationClient> m_authenticationClient;
 };
 
-}
+} // namespace WebCore
 
-#endif

trunk/Source/WebCore/platform/network/soup/AuthenticationChallengeSoup.cpp

@@ -73 +73 @@
         soupMessage, // failureResponse
         ResourceError::authenticationError(soupMessage))
+    , m_soupMessage(soupMessage)
     , m_soupAuth(soupAuth)
     , m_authenticationClient(client)
@@ -80 +81 @@
 bool AuthenticationChallenge::platformCompare(const AuthenticationChallenge& a, const AuthenticationChallenge& b)
 {
-    return a.soupAuth() == b.soupAuth();
+    return a.soupMessage() == b.soupMessage() && a.soupAuth() == b.soupAuth();
 }
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2017-08-11  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [Soup] Cannot access HTTPS sites using a HTTP proxy that requires authentication
+        https://bugs.webkit.org/show_bug.cgi?id=175378
+
+        Reviewed by Sergio Villar Senin.
+
+        In case of HTTPS resource with a proxy, libsoup uses a tunnel internally, that uses its own SoupMessage during
+        the proxy authentication. We were ignoring authentication requests for other messages.
+
+        * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+        (WebKit::NetworkDataTaskSoup::authenticateCallback): Only return early if the message does't match and it's not
+        HTTPS resource over a proxy.
+        (WebKit::NetworkDataTaskSoup::authenticate): Use the soup message from the authentication challenge.
+        (WebKit::NetworkDataTaskSoup::continueAuthenticate): Ditto.
+
 2017-08-10  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp

@@ -446 +446 @@
 {
     ASSERT(session == static_cast<NetworkSessionSoup&>(task->m_session.get()).soupSession());
-    if (soupMessage != task->m_soupMessage.get())
+
+    // We don't return early here in case the given soupMessage is different to m_soupMessage when
+    // it's proxy authentication and the request URL is HTTPS, because in that case libsoup uses a
+    // tunnel internally and the SoupMessage used for the authentication is the tunneling one.
+    // See https://bugs.webkit.org/show_bug.cgi?id=175378.
+    if (soupMessage != task->m_soupMessage.get() && (soupMessage->status_code != SOUP_STATUS_PROXY_AUTHENTICATION_REQUIRED || !task->m_currentRequest.url().protocolIs("https")))
         return;
 
@@ -488 +493 @@
     }
 
-    soup_session_pause_message(static_cast<NetworkSessionSoup&>(m_session.get()).soupSession(), m_soupMessage.get());
+    soup_session_pause_message(static_cast<NetworkSessionSoup&>(m_session.get()).soupSession(), challenge.soupMessage());
 
     // We could also do this before we even start the request, but that would be at the expense
@@ -542 +547 @@
         }
 
-        soup_session_unpause_message(static_cast<NetworkSessionSoup&>(m_session.get()).soupSession(), m_soupMessage.get());
+        soup_session_unpause_message(static_cast<NetworkSessionSoup&>(m_session.get()).soupSession(), challenge.soupMessage());
     });
 }

trunk/Tools/ChangeLog

@@ +1 @@
+2017-08-11  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [Soup] Cannot access HTTPS sites using a HTTP proxy that requires authentication
+        https://bugs.webkit.org/show_bug.cgi?id=175378
+
+        Reviewed by Sergio Villar Senin.
+
+        Add two test cases to check proxy authentication.
+
+        * TestWebKitAPI/Tests/WebKitGLib/TestAuthentication.cpp:
+        (Tunnel::Tunnel):
+        (Tunnel::~Tunnel):
+        (Tunnel::connect):
+        (Tunnel::connected):
+        (serverCallback):
+        (ProxyAuthenticationTest::ProxyAuthenticationTest):
+        (ProxyAuthenticationTest::~ProxyAuthenticationTest):
+        (ProxyAuthenticationTest::proxyServerPortAsString):
+        (testWebViewAuthenticationProxy):
+        (testWebViewAuthenticationProxyHTTPS):
+        (beforeAll):
+
 2017-08-11  Xabier Rodriguez Calvar  <calvaris@igalia.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitGLib/TestAuthentication.cpp

@@ -253 +253 @@
 }
 
-static void serverCallback(SoupServer*, SoupMessage* message, const char* path, GHashTable*, SoupClientContext*, void*)
-{
+class Tunnel {
+public:
+    Tunnel(SoupServer* server, SoupMessage* message)
+        : m_server(server)
+        , m_message(message)
+    {
+        soup_server_pause_message(m_server.get(), m_message.get());
+    }
+
+    ~Tunnel()
+    {
+        soup_server_unpause_message(m_server.get(), m_message.get());
+    }
+
+    void connect(Function<void (const char*)>&& completionHandler)
+    {
+        m_completionHandler = WTFMove(completionHandler);
+        GRefPtr<GSocketClient> client = adoptGRef(g_socket_client_new());
+        auto* uri = soup_message_get_uri(m_message.get());
+        g_socket_client_connect_to_host_async(client.get(), uri->host, uri->port, nullptr, [](GObject* source, GAsyncResult* result, gpointer userData) {
+            auto* tunnel = static_cast<Tunnel*>(userData);
+            GUniqueOutPtr<GError> error;
+            GRefPtr<GSocketConnection> connection = adoptGRef(g_socket_client_connect_to_host_finish(G_SOCKET_CLIENT(source), result, &error.outPtr()));
+            tunnel->connected(!connection ? error->message : nullptr);
+        }, this);
+    }
+
+    void connected(const char* errorMessage)
+    {
+        auto completionHandler = std::exchange(m_completionHandler, nullptr);
+        completionHandler(errorMessage);
+    }
+
+    GRefPtr<SoupServer> m_server;
+    GRefPtr<SoupMessage> m_message;
+    Function<void (const char*)> m_completionHandler;
+};
+
+unsigned gProxyServerPort;
+
+static void serverCallback(SoupServer* server, SoupMessage* message, const char* path, GHashTable*, SoupClientContext* context, void*)
+{
+    if (message->method == SOUP_METHOD_CONNECT) {
+        g_assert_cmpuint(soup_server_get_port(server), ==, gProxyServerPort);
+        auto tunnel = std::make_unique<Tunnel>(server, message);
+        auto* tunnelPtr = tunnel.get();
+        tunnelPtr->connect([tunnel = WTFMove(tunnel)](const char* errorMessage) {
+            if (errorMessage) {
+                soup_message_set_status(tunnel->m_message.get(), SOUP_STATUS_BAD_GATEWAY);
+                soup_message_set_response(tunnel->m_message.get(), "text/plain", SOUP_MEMORY_COPY, errorMessage, strlen(errorMessage));
+            } else {
+                soup_message_headers_append(tunnel->m_message->response_headers, "Proxy-Authenticate", "Basic realm=\"Proxy realm\"");
+                soup_message_set_status(tunnel->m_message.get(), SOUP_STATUS_PROXY_AUTHENTICATION_REQUIRED);
+            }
+        });
+        return;
+    }
+
     if (message->method != SOUP_METHOD_GET) {
         soup_message_set_status(message, SOUP_STATUS_NOT_IMPLEMENTED);
@@ -260 +316 @@
     }
 
-    if (!strcmp(path, "/auth-test.html") || !strcmp(path, "/empty-realm.html")) {
+    if (g_str_has_suffix(path, "/auth-test.html") || g_str_has_suffix(path, "/empty-realm.html")) {
+        bool isProxy = g_str_has_prefix(path, "/proxy");
+        if (isProxy)
+            g_assert_cmpuint(soup_server_get_port(server), ==, gProxyServerPort);
+
         const char* authorization = soup_message_headers_get_one(message->request_headers, "Authorization");
         // Require authentication.
@@ -270 +330 @@
         } else if (++AuthenticationTest::authenticationRetries < 3) {
             // No or invalid authorization header provided by the client, request authentication twice then fail.
-            soup_message_set_status(message, SOUP_STATUS_UNAUTHORIZED);
+            soup_message_set_status(message, isProxy ? SOUP_STATUS_PROXY_AUTHENTICATION_REQUIRED : SOUP_STATUS_UNAUTHORIZED);
             if (!strcmp(path, "/empty-realm.html"))
                 soup_message_headers_append(message->response_headers, "WWW-Authenticate", "Basic");
             else
-                soup_message_headers_append(message->response_headers, "WWW-Authenticate", "Basic realm=\"my realm\"");
+                soup_message_headers_append(message->response_headers, isProxy ? "Proxy-Authenticate" : "WWW-Authenticate", isProxy ? "Basic realm=\"Proxy realm\"" : "Basic realm=\"my realm\"");
             // Include a failure message in case the user attempts to proceed without authentication.
             soup_message_body_append(message->response_body, SOUP_MEMORY_STATIC, authFailureHTMLString, strlen(authFailureHTMLString));
@@ -288 +348 @@
 }
 
+class ProxyAuthenticationTest : public AuthenticationTest {
+public:
+    MAKE_GLIB_TEST_FIXTURE(ProxyAuthenticationTest);
+
+    ProxyAuthenticationTest()
+    {
+        m_proxyServer.run(serverCallback);
+        g_assert(m_proxyServer.baseURI());
+        gProxyServerPort = soup_uri_get_port(m_proxyServer.baseURI());
+        GUniquePtr<char> proxyURI(soup_uri_to_string(m_proxyServer.baseURI(), FALSE));
+        WebKitNetworkProxySettings* settings = webkit_network_proxy_settings_new(proxyURI.get(), nullptr);
+        webkit_web_context_set_network_proxy_settings(m_webContext.get(), WEBKIT_NETWORK_PROXY_MODE_CUSTOM, settings);
+        webkit_network_proxy_settings_free(settings);
+    }
+
+    ~ProxyAuthenticationTest()
+    {
+        gProxyServerPort = 0;
+    }
+
+    GUniquePtr<char> proxyServerPortAsString()
+    {
+        GUniquePtr<char> port(g_strdup_printf("%u", soup_uri_get_port(m_proxyServer.baseURI())));
+        return port;
+    }
+
+    WebKitTestServer m_proxyServer;
+};
+
+static void testWebViewAuthenticationProxy(ProxyAuthenticationTest* test, gconstpointer)
+{
+    test->loadURI(kServer->getURIForPath("/proxy/auth-test.html").data());
+    WebKitAuthenticationRequest* request = test->waitForAuthenticationRequest();
+    // FIXME: the uri and host should the proxy ones, not the requested ones.
+    g_assert_cmpstr(webkit_authentication_request_get_host(request), ==, soup_uri_get_host(kServer->baseURI()));
+    g_assert_cmpuint(webkit_authentication_request_get_port(request), ==, soup_uri_get_port(kServer->baseURI()));
+    g_assert_cmpstr(webkit_authentication_request_get_realm(request), ==, "Proxy realm");
+    g_assert(webkit_authentication_request_get_scheme(request) == WEBKIT_AUTHENTICATION_SCHEME_HTTP_BASIC);
+    g_assert(webkit_authentication_request_is_for_proxy(request));
+    g_assert(!webkit_authentication_request_is_retry(request));
+}
+
+static void testWebViewAuthenticationProxyHTTPS(ProxyAuthenticationTest* test, gconstpointer)
+{
+    auto httpsServer = std::make_unique<WebKitTestServer>(WebKitTestServer::ServerHTTPS);
+    httpsServer->run(serverCallback);
+
+    test->loadURI(httpsServer->getURIForPath("/proxy/auth-test.html").data());
+    WebKitAuthenticationRequest* request = test->waitForAuthenticationRequest();
+    // FIXME: the uri and host should the proxy ones, not the requested ones.
+    g_assert_cmpstr(webkit_authentication_request_get_host(request), ==, soup_uri_get_host(httpsServer->baseURI()));
+    g_assert_cmpuint(webkit_authentication_request_get_port(request), ==, soup_uri_get_port(httpsServer->baseURI()));
+    g_assert_cmpstr(webkit_authentication_request_get_realm(request), ==, "Proxy realm");
+    g_assert(webkit_authentication_request_get_scheme(request) == WEBKIT_AUTHENTICATION_SCHEME_HTTP_BASIC);
+    g_assert(webkit_authentication_request_is_for_proxy(request));
+    g_assert(!webkit_authentication_request_is_retry(request));
+}
+
 void beforeAll()
 {
@@ -301 +419 @@
     AuthenticationTest::add("WebKitWebView", "authentication-storage", testWebViewAuthenticationStorage);
     AuthenticationTest::add("WebKitWebView", "authentication-empty-realm", testWebViewAuthenticationEmptyRealm);
+    ProxyAuthenticationTest::add("WebKitWebView", "authentication-proxy", testWebViewAuthenticationProxy);
+    ProxyAuthenticationTest::add("WebKitWebView", "authentication-proxy-https", testWebViewAuthenticationProxyHTTPS);
 }