Support specifying the GSSAPI library that will be used.

This preference can be set either via command-line or via group policy. BUG=53625 TEST=unittests: ConfigurationPolicyPrefStore*; net_unittests: HttpAuthHandlerNegotiateTest.*:HttpAuthGSSAPIPOSIXTest.*; manually: start Chrome with command-line switch --gssapi-library-name=XYZ and see if this results in the Chrome process loading /usr/lib/whatever/XYZ as soon as an authenticated HTTP site is encountered. Review URL: http://codereview.chromium.org/4560001 Patch from Jakob Kummerow <jkummerow@google.com>. git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65939 0039d316-1c4b-4281-b951-d872f2087c98
qweri0p · Nov 12, 2010 · ac7f3fd · ac7f3fd
1 parent bb33eb1
commit ac7f3fd
Show file tree

Hide file tree

Showing 26 changed files with 173 additions and 115 deletions.
diff --git a/chrome/app/policy/policy_templates.grd b/chrome/app/policy/policy_templates.grd
@@ -401,6 +401,12 @@ templates and will be translated for each locale. -->
     <message name="IDS_POLICY_AUTHNEGOTIATEDELEGATEWHITELIST_DESC" desc="Description of the 'auth negotiate delegate whitelist' policy.">
       Servers that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> may delegate to.
     </message>
+    <message name="IDS_POLICY_GSSAPILIBRARYNAME_CAPTION" desc="Caption of the 'GSSAPI library name' policy">
+      GSSAPI library name
+    </message>
+    <message name="IDS_POLICY_GSSAPILIBRARYNAME_DESC" desc="Description of the 'GSSAPI library name' policy">
+      Specifies which GSSAPI library to use for HTTP Authentication. You can set either just a library name, or a full path. If no setting is provided, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will fall back to using a default library name.
+    </message>
     <!-- End HTTP Authentication Policy messages -->
 
     <message name="IDS_POLICY_METRICSREPORTINGENABLED_CAPTION" desc="Caption of the 'crash reporting' policy.">

diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
@@ -358,6 +358,16 @@
             'example_value': 'foobar.example.com',
           }
         },
+        {
+          'name': 'GSSAPILibraryName',
+          'type': 'string',
+          'annotations': {
+            'platforms': ['linux', 'mac'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': 'libgssapi_krb5.so.2',
+          }
+        },
       ]
     },
     {

diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
@@ -229,6 +229,7 @@ IOThread::IOThread(PrefService* local_state)
   auth_server_whitelist_ = local_state->GetString(prefs::kAuthServerWhitelist);
   auth_delegate_whitelist_ = local_state->GetString(
       prefs::kAuthNegotiateDelegateWhitelist);
+  gssapi_library_name_ = local_state->GetString(prefs::kGSSAPILibraryName);
 }
 
 IOThread::~IOThread() {
@@ -428,6 +429,7 @@ void IOThread::RegisterPrefs(PrefService* local_state) {
   local_state->RegisterBooleanPref(prefs::kEnableAuthNegotiatePort, false);
   local_state->RegisterStringPref(prefs::kAuthServerWhitelist, "");
   local_state->RegisterStringPref(prefs::kAuthNegotiateDelegateWhitelist, "");
+  local_state->RegisterStringPref(prefs::kGSSAPILibraryName, "");
 }
 
 net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory(
@@ -447,6 +449,7 @@ net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory(
       supported_schemes,
       globals_->url_security_manager.get(),
       resolver,
+      gssapi_library_name_,
       negotiate_disable_cname_lookup_,
       negotiate_enable_port_);
 }

diff --git a/chrome/browser/io_thread.h b/chrome/browser/io_thread.h
@@ -144,6 +144,7 @@ class IOThread : public BrowserProcessSubThread {
   bool negotiate_enable_port_;
   std::string auth_server_whitelist_;
   std::string auth_delegate_whitelist_;
+  std::string gssapi_library_name_;
 
   // These member variables are initialized by a task posted to the IO thread,
   // which gets posted by calling certain member functions of IOThread.

diff --git a/chrome/browser/policy/configuration_policy_pref_store.cc b/chrome/browser/policy/configuration_policy_pref_store.cc
@@ -165,6 +165,8 @@ const ConfigurationPolicyPrefStore::PolicyToPreferenceMapEntry
     prefs::kAuthServerWhitelist },
   { Value::TYPE_STRING, kPolicyAuthNegotiateDelegateWhitelist,
     prefs::kAuthNegotiateDelegateWhitelist },
+  { Value::TYPE_STRING, kPolicyGSSAPILibraryName,
+    prefs::kGSSAPILibraryName },
 
 #if defined(OS_CHROMEOS)
   { Value::TYPE_BOOLEAN, kPolicyChromeOsLockOnIdleSuspend,
@@ -269,6 +271,9 @@ ConfigurationPolicyPrefStore::GetChromePolicyDefinitionList() {
       key::kAuthServerWhitelist },
     { kPolicyAuthNegotiateDelegateWhitelist, Value::TYPE_STRING,
       key::kAuthNegotiateDelegateWhitelist },
+    { kPolicyGSSAPILibraryName, Value::TYPE_STRING,
+      key::kGSSAPILibraryName },
+
 
 #if defined(OS_CHROMEOS)
     { kPolicyChromeOsLockOnIdleSuspend, Value::TYPE_BOOLEAN,

diff --git a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
@@ -114,7 +114,9 @@ INSTANTIATE_TEST_CASE_P(
         TypeAndName(kPolicyAuthServerWhitelist,
                     prefs::kAuthServerWhitelist),
         TypeAndName(kPolicyAuthNegotiateDelegateWhitelist,
-                    prefs::kAuthNegotiateDelegateWhitelist)));
+                    prefs::kAuthNegotiateDelegateWhitelist),
+        TypeAndName(kPolicyGSSAPILibraryName,
+                    prefs::kGSSAPILibraryName)));
 
 // Test cases for boolean-valued policy settings.
 class ConfigurationPolicyPrefStoreBooleanTest

diff --git a/chrome/browser/policy/configuration_policy_store_interface.h b/chrome/browser/policy/configuration_policy_store_interface.h
@@ -58,7 +58,7 @@ enum ConfigurationPolicyType {
   kPolicyEnableAuthNegotiatePort,
   kPolicyAuthServerWhitelist,
   kPolicyAuthNegotiateDelegateWhitelist,
-
+  kPolicyGSSAPILibraryName,
 };
 
 static const int kPolicyNoProxyServerMode = 0;

diff --git a/chrome/browser/prefs/command_line_pref_store.cc b/chrome/browser/prefs/command_line_pref_store.cc
@@ -20,6 +20,7 @@ const CommandLinePrefStore::StringSwitchToPreferenceMapEntry
       { switches::kAuthServerWhitelist, prefs::kAuthServerWhitelist },
       { switches::kAuthNegotiateDelegateWhitelist,
           prefs::kAuthNegotiateDelegateWhitelist },
+      { switches::kGSSAPILibraryName, prefs::kGSSAPILibraryName },
 };
 
 const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry

diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
@@ -639,6 +639,9 @@ const char kGpuProcess[]                    = "gpu-process";
 // Causes the GPU process to display a dialog on launch.
 const char kGpuStartupDialog[]              = "gpu-startup-dialog";
 
+// Specifies a custom name for the GSSAPI library to load.
+const char kGSSAPILibraryName[]             = "gssapi-library-name";
+
 // These flags show the man page on Linux. They are equivalent to each
 // other.
 const char kHelp[]                          = "help";

diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
@@ -188,6 +188,7 @@ extern const char kForceRendererAccessibility[];
 extern const char kGpuLauncher[];
 extern const char kGpuProcess[];
 extern const char kGpuStartupDialog[];
+extern const char kGSSAPILibraryName[];
 extern const char kHelp[];
 extern const char kHelpShort[];
 extern const char kHideIcons[];

diff --git a/chrome/common/policy_constants.cc b/chrome/common/policy_constants.cc
@@ -63,6 +63,7 @@ const char kDisableAuthNegotiateCnameLookup[] =
 const char kEnableAuthNegotiatePort[] = "EnableAuthNegotiatePort";
 const char kAuthServerWhitelist[] = "AuthServerWhitelist";
 const char kAuthNegotiateDelegateWhitelist[] = "AuthNegotiateDelegateWhitelist";
+const char kGSSAPILibraryName[] = "GSSAPILibraryName";
 
 // Chrome Frame specific policy constants
 const char kChromeFrameRendererSettings[] = "ChromeFrameRendererSettings";

diff --git a/chrome/common/policy_constants.h b/chrome/common/policy_constants.h
@@ -59,6 +59,7 @@ extern const char kDisableAuthNegotiateCnameLookup[];
 extern const char kEnableAuthNegotiatePort[];
 extern const char kAuthServerWhitelist[];
 extern const char kAuthNegotiateDelegateWhitelist[];
+extern const char kGSSAPILibraryName[];
 
 // Chrome Frame specific policy constants
 extern const char kChromeFrameRendererSettings[];

diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
@@ -1041,6 +1041,8 @@ const char kAuthServerWhitelist[] = "auth.server_whitelist";
 // with.
 const char kAuthNegotiateDelegateWhitelist[] =
     "auth.negotiate_delegate_whitelist";
+// String that specifies the name of a custom GSSAPI library to load.
+const char kGSSAPILibraryName[] = "auth.gssapi_library_name";
 
 #if defined(OS_CHROMEOS)
 // Dictionary for transient storage of settings that should go into signed

diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
@@ -405,6 +405,7 @@ extern const char kDisableAuthNegotiateCnameLookup[];
 extern const char kEnableAuthNegotiatePort[];
 extern const char kAuthServerWhitelist[];
 extern const char kAuthNegotiateDelegateWhitelist[];
+extern const char kGSSAPILibraryName[];
 
 }  // namespace prefs
 

diff --git a/chrome_frame/metrics_service.cc b/chrome_frame/metrics_service.cc
@@ -42,8 +42,10 @@
 
 #include <atlbase.h>
 #include <atlwin.h>
-#include <windows.h>
 #include <objbase.h>
+#include <windows.h>
+
+#include <vector>
 
 #if defined(USE_SYSTEM_LIBBZ2)
 #include <bzlib.h>
@@ -168,8 +170,8 @@ class ChromeFrameUploadRequestContext : public URLRequestContext {
     base::SplitString(csv_auth_schemes, ',', &supported_schemes);
 
     http_auth_handler_factory_ = net::HttpAuthHandlerRegistryFactory::Create(
-        supported_schemes, url_security_manager_.get(), host_resolver_, false,
-        false);
+        supported_schemes, url_security_manager_.get(), host_resolver_,
+        std::string(), false, false);
 
     http_transaction_factory_ = new net::HttpCache(
         net::HttpNetworkLayer::CreateFactory(host_resolver_,

diff --git a/net/http/http_auth_gssapi_posix.cc b/net/http/http_auth_gssapi_posix.cc
@@ -11,7 +11,6 @@
 #include "base/file_path.h"
 #include "base/format_macros.h"
 #include "base/logging.h"
-#include "base/singleton.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "net/base/net_errors.h"
@@ -385,8 +384,9 @@ std::string DescribeContext(GSSAPILibrary* gssapi_lib,
 
 }  // namespace
 
-GSSAPISharedLibrary::GSSAPISharedLibrary()
+GSSAPISharedLibrary::GSSAPISharedLibrary(const std::string& gssapi_library_name)
     : initialized_(false),
+      gssapi_library_name_(gssapi_library_name),
       gssapi_library_(NULL),
       import_name_(NULL),
       release_name_(NULL),
@@ -422,19 +422,29 @@ bool GSSAPISharedLibrary::InitImpl() {
 }
 
 base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() {
-  static const char* kLibraryNames[] = {
+  const char** library_names;
+  size_t num_lib_names;
+  const char* user_specified_library[1];
+  if (!gssapi_library_name_.empty()) {
+    user_specified_library[0] = gssapi_library_name_.c_str();
+    library_names = user_specified_library;
+    num_lib_names = 1;
+  } else {
+    static const char* kDefaultLibraryNames[] = {
 #if defined(OS_MACOSX)
-    "libgssapi_krb5.dylib"  // MIT Kerberos
+      "libgssapi_krb5.dylib"  // MIT Kerberos
 #else
-    "libgssapi_krb5.so.2",  // MIT Kerberos - FC, Suse10, Debian
-    "libgssapi.so.4",       // Heimdal - Suse10, MDK
-    "libgssapi.so.1"        // Heimdal - Suse9, CITI - FC, MDK, Suse10
+      "libgssapi_krb5.so.2",  // MIT Kerberos - FC, Suse10, Debian
+      "libgssapi.so.4",       // Heimdal - Suse10, MDK
+      "libgssapi.so.1"        // Heimdal - Suse9, CITI - FC, MDK, Suse10
 #endif
-  };
-  static size_t num_lib_names = arraysize(kLibraryNames);
+    };
+    library_names = kDefaultLibraryNames;
+    num_lib_names = arraysize(kDefaultLibraryNames);
+  }
 
   for (size_t i = 0; i < num_lib_names; ++i) {
-    const char* library_name = kLibraryNames[i];
+    const char* library_name = library_names[i];
     FilePath file_path(library_name);
     base::NativeLibrary lib = base::LoadNativeLibrary(file_path);
     if (lib) {
@@ -613,9 +623,6 @@ OM_uint32 GSSAPISharedLibrary::inquire_context(
                           locally_initiated,
                           open);
 }
-GSSAPILibrary* GSSAPILibrary::GetDefault() {
-  return Singleton<GSSAPISharedLibrary>::get();
-}
 
 ScopedSecurityContext::ScopedSecurityContext(GSSAPILibrary* gssapi_lib)
     : security_context_(GSS_C_NO_CONTEXT),

diff --git a/net/http/http_auth_gssapi_posix.h b/net/http/http_auth_gssapi_posix.h
@@ -95,15 +95,14 @@ class GSSAPILibrary {
       int* locally_initiated,
       int* open) = 0;
 
-  // Get the default GSSPILibrary instance. The object returned is a singleton
-  // instance, and the caller should not delete it.
-  static GSSAPILibrary* GetDefault();
 };
 
 // GSSAPISharedLibrary class is defined here so that unit tests can access it.
 class GSSAPISharedLibrary : public GSSAPILibrary {
  public:
-  GSSAPISharedLibrary();
+  // If |gssapi_library_name| is empty, hard-coded default library names are
+  // used.
+  explicit GSSAPISharedLibrary(const std::string& gssapi_library_name);
   virtual ~GSSAPISharedLibrary();
 
   // GSSAPILibrary methods:
@@ -179,6 +178,7 @@ class GSSAPISharedLibrary : public GSSAPILibrary {
 
   bool initialized_;
 
+  std::string gssapi_library_name_;
   // Need some way to invalidate the library.
   base::NativeLibrary gssapi_library_;
 

diff --git a/net/http/http_auth_gssapi_posix_unittest.cc b/net/http/http_auth_gssapi_posix_unittest.cc
@@ -76,9 +76,15 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) {
   // TODO(ahendrickson): Manipulate the libraries and paths to test each of the
   // libraries we expect, and also whether or not they have the interface
   // functions we want.
-  GSSAPILibrary* gssapi = GSSAPILibrary::GetDefault();
-  DCHECK(gssapi);
-  gssapi->Init();
+  scoped_ptr<GSSAPILibrary> gssapi(new GSSAPISharedLibrary(""));
+  DCHECK(gssapi.get());
+  DCHECK(gssapi.get()->Init());
+}
+
+TEST(HttpAuthGSSAPIPOSIXTest, GSSAPILoadCustomLibrary) {
+  scoped_ptr<GSSAPILibrary> gssapi(
+      new GSSAPISharedLibrary("/this/library/does/not/exist"));
+  DCHECK(!gssapi.get()->Init());
 }
 
 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) {

diff --git a/net/http/http_auth_handler_factory.cc b/net/http/http_auth_handler_factory.cc
@@ -48,12 +48,23 @@ HttpAuthHandlerRegistryFactory* HttpAuthHandlerFactory::CreateDefault(
       "basic", new HttpAuthHandlerBasic::Factory());
   registry_factory->RegisterSchemeFactory(
       "digest", new HttpAuthHandlerDigest::Factory());
+
   HttpAuthHandlerNegotiate::Factory* negotiate_factory =
       new HttpAuthHandlerNegotiate::Factory();
+#if defined(OS_POSIX)
+  negotiate_factory->set_library(new GSSAPISharedLibrary(std::string()));
+#elif defined(OS_WIN)
+  negotiate_factory->set_library(new SSPILibraryDefault());
+#endif
   negotiate_factory->set_host_resolver(host_resolver);
   registry_factory->RegisterSchemeFactory("negotiate", negotiate_factory);
-  registry_factory->RegisterSchemeFactory(
-      "ntlm", new HttpAuthHandlerNTLM::Factory());
+
+  HttpAuthHandlerNTLM::Factory* ntlm_factory =
+      new HttpAuthHandlerNTLM::Factory();
+#if defined(OS_WIN)
+  ntlm_factory->set_sspi_library(new SSPILibraryDefault());
+#endif
+  registry_factory->RegisterSchemeFactory("ntlm", ntlm_factory);
   return registry_factory;
 }
 
@@ -73,6 +84,7 @@ HttpAuthHandlerRegistryFactory* HttpAuthHandlerRegistryFactory::Create(
     const std::vector<std::string>& supported_schemes,
     URLSecurityManager* security_manager,
     HostResolver* host_resolver,
+    const std::string& gssapi_library_name,
     bool negotiate_disable_cname_lookup,
     bool negotiate_enable_port) {
   HttpAuthHandlerRegistryFactory* registry_factory =
@@ -87,11 +99,20 @@ HttpAuthHandlerRegistryFactory* HttpAuthHandlerRegistryFactory::Create(
     HttpAuthHandlerNTLM::Factory* ntlm_factory =
         new HttpAuthHandlerNTLM::Factory();
     ntlm_factory->set_url_security_manager(security_manager);
+#if defined(OS_WIN)
+    ntlm_factory->set_sspi_library(new SSPILibraryDefault());
+#endif
     registry_factory->RegisterSchemeFactory("ntlm", ntlm_factory);
   }
   if (IsSupportedScheme(supported_schemes, "negotiate")) {
     HttpAuthHandlerNegotiate::Factory* negotiate_factory =
         new HttpAuthHandlerNegotiate::Factory();
+#if defined(OS_POSIX)
+    negotiate_factory->set_library(
+        new GSSAPISharedLibrary(gssapi_library_name));
+#elif defined(OS_WIN)
+    negotiate_factory->set_library(new SSPILibraryDefault());
+#endif
     negotiate_factory->set_url_security_manager(security_manager);
     DCHECK(host_resolver || negotiate_disable_cname_lookup);
     negotiate_factory->set_host_resolver(host_resolver);

diff --git a/net/http/http_auth_handler_factory.h b/net/http/http_auth_handler_factory.h
@@ -174,12 +174,16 @@ class HttpAuthHandlerRegistryFactory : public HttpAuthHandlerFactory {
   // scheme is used and |negotiate_disable_cname_lookup| is false,
   // |host_resolver| must not be NULL.
   //
+  // |gssapi_library_name| specifies the name of the GSSAPI library that will
+  // be loaded on all platforms except Windows.
+  //
   // |negotiate_disable_cname_lookup| and |negotiate_enable_port| both control
   // how Negotiate does SPN generation, by default these should be false.
   static HttpAuthHandlerRegistryFactory* Create(
       const std::vector<std::string>& supported_schemes,
       URLSecurityManager* security_manager,
       HostResolver* host_resolver,
+      const std::string& gssapi_library_name,
       bool negotiate_disable_cname_lookup,
       bool negotiate_enable_port);