Credential Support in Unix HTTP Handler

This checkin integrates CurlHandler to the credential support of libcurl

Author: kapilash

src/Common/src/Interop/Unix/libcurl/Interop.libcurl.cs

@@ -98,6 +98,12 @@ public static extern int curl_easy_setopt(
             int option,
             long value);
 
+        [DllImport(Interop.Libraries.LibCurl)]
+        public static extern int curl_easy_setopt(
+            SafeCurlHandle curl,
+            int option,
+            ulong value);
+
         [DllImport(Interop.Libraries.LibCurl)]
         public static extern int curl_easy_setopt(
             SafeCurlHandle curl,
@@ -132,6 +138,12 @@ public static extern int curl_easy_getinfo(
             int info,
             out IntPtr value);
 
+        [DllImport(Interop.Libraries.LibCurl)]
+        public static extern int curl_easy_getinfo(
+            SafeCurlHandle handle,
+            int info,
+            out ulong value);
+
         [DllImport(Interop.Libraries.LibCurl, CharSet = CharSet.Ansi)]
         public static extern IntPtr curl_slist_append(
             IntPtr curl_slist,

src/Common/src/Interop/Unix/libcurl/Interop.libcurl_types.cs

@@ -33,6 +33,7 @@ internal static partial class CURLoption
             internal const int CURLOPT_PROXYPORT = CurlOptionLongBase + 59;
             internal const int CURLOPT_MAXREDIRS = CurlOptionLongBase + 68;
             internal const int CURLOPT_PROXYTYPE = CurlOptionLongBase + 101;
+            internal const int CURLOPT_HTTPAUTH = CurlOptionLongBase + 107;
 
             internal const int CURLOPT_WRITEDATA = CurlOptionObjectPointBase + 1;
             internal const int CURLOPT_URL = CurlOptionObjectPointBase + 2;
@@ -45,6 +46,8 @@ internal static partial class CURLoption
             internal const int CURLOPT_ACCEPTENCODING = CurlOptionObjectPointBase + 102;
             internal const int CURLOPT_PRIVATE = CurlOptionObjectPointBase + 103;
             internal const int CURLOPT_IOCTLDATA = CurlOptionObjectPointBase + 131;
+            internal const int CURLOPT_USERNAME = CurlOptionObjectPointBase + 173;
+            internal const int CURLOPT_PASSWORD = CurlOptionObjectPointBase + 174;
 
             internal const int CURLOPT_WRITEFUNCTION = CurlOptionFunctionPointBase + 11;
             internal const int CURLOPT_READFUNCTION = CurlOptionFunctionPointBase + 12;
@@ -70,8 +73,10 @@ internal static partial class CURLINFO
         {
             // Curl info are of the format <type base> + <n>
             private const int CurlInfoStringBase = 0x100000;
+            private const int CurlInfoLongBase   = 0x200000;
 
             internal const int CURLINFO_PRIVATE = CurlInfoStringBase + 21;
+            internal const int CURLINFO_HTTPAUTH_AVAIL = CurlInfoLongBase + 23;
         }
 
         // Class for constants defined for the enum curl_proxytype in curl.h
@@ -125,6 +130,17 @@ internal static partial class CURLMSG
             internal const int CURLMSG_DONE = 1;
         }
 
+        // AUTH related constants
+        internal static partial class CURLAUTH
+        {
+            internal const ulong None = 0;
+            internal const ulong Basic = 1 << 0;
+            internal const ulong Digest = 1 << 1;
+            internal const ulong Negotiate = 1 << 2;
+            internal const ulong DigestIE = 1 << 4;
+            internal const ulong AuthAny = ~DigestIE;
+        }
+
         internal static partial class CURL_VERSION_Features
         {
             internal const int CURL_VERSION_IPV6         = (1<<0);

src/System.Net.Http/src/System/Net/Http/Unix/CurlCallbacks.cs

@@ -17,6 +17,8 @@
 using curl_socket_t = System.Int32;
 using CurlPoll = Interop.libcurl.CurlPoll;
 using CurlSelect = Interop.libcurl.CurlSelect;
+using CURLAUTH = Interop.libcurl.CURLAUTH;
+using CURLoption = Interop.libcurl.CURLoption;
 
 namespace System.Net.Http
 {
@@ -57,7 +59,7 @@ private static size_t CurlReceiveHeadersCallback(
                     HttpResponseMessage response = state.ResponseMessage;
 
                     // TODO: Understand scenarios where multiple sets of headers are received
-                    if (!TryParseStatusLine(response, responseHeader))
+                    if (!TryParseStatusLine(response, responseHeader, state))
                     {
                         int colonIndex = responseHeader.IndexOf(':');
 
@@ -198,7 +200,7 @@ private static size_t ExecuteCallback(
             }
         }
 
-        private static bool TryParseStatusLine(HttpResponseMessage response, string responseHeader)
+        private static bool TryParseStatusLine(HttpResponseMessage response, string responseHeader, RequestCompletionSource state)
         {
             if (!responseHeader.StartsWith(s_httpPrefix, StringComparison.OrdinalIgnoreCase))
             {
@@ -250,6 +252,17 @@ private static bool TryParseStatusLine(HttpResponseMessage response, string resp
                 {
                     response.StatusCode = (HttpStatusCode)statusCode;
 
+                    // For security reasons, we drop the server credential if it is a
+                    // NetworkCredential.  But we allow credentials in a CredentialCache
+                    // since they are specifically tied to URI's.
+                    if ((response.StatusCode == HttpStatusCode.Redirect) && !(state.Handler.Credentials is CredentialCache))
+                    {
+                        state.Handler.SetCurlOption(state.RequestHandle, CURLoption.CURLOPT_HTTPAUTH, CURLAUTH.None);
+                        state.Handler.SetCurlOption(state.RequestHandle, CURLoption.CURLOPT_USERNAME, IntPtr.Zero );
+                        state.Handler.SetCurlOption(state.RequestHandle, CURLoption.CURLOPT_PASSWORD, IntPtr.Zero);
+                        state.NetworkCredential = null;
+                    }
+
                     int codeEndIndex = codeStartIndex + StatusCodeLength;
 
                     int reasonPhraseIndex = codeEndIndex + 1;

src/System.Net.Http/src/System/Net/Http/Unix/CurlHandler.cs

@@ -19,6 +19,7 @@
 using CURLcode = Interop.libcurl.CURLcode;
 using CURLMcode = Interop.libcurl.CURLMcode;
 using CURLINFO = Interop.libcurl.CURLINFO;
+using CURLAUTH = Interop.libcurl.CURLAUTH;
 using CurlVersionInfoData = Interop.libcurl.curl_version_info_data;
 using CurlFeatures = Interop.libcurl.CURL_VERSION_Features;
 using CURLProxyType = Interop.libcurl.curl_proxytype;
@@ -36,6 +37,7 @@ internal partial class CurlHandler : HttpMessageHandler
         private const string EncodingNameGzip = "gzip";
         private const string EncodingNameDeflate = "deflate";
         private readonly static string[] AuthenticationSchemes = { "Negotiate", "Digest", "Basic" }; // the order in which libcurl goes over authentication schemes
+        private readonly static ulong[]  AuthSchemePriorityOrder = { CURLAUTH.Negotiate, CURLAUTH.Digest, CURLAUTH.Basic };
         private static readonly string[] s_headerDelimiters = new string[] { "\r\n" };
 
         private const int s_requestBufferSize = 16384; // Default used by libcurl
@@ -58,6 +60,8 @@ internal partial class CurlHandler : HttpMessageHandler
         private DecompressionMethods _automaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
         private SafeCurlMultiHandle _multiHandle;
         private GCHandle _multiHandlePtr = new GCHandle();
+        private bool _preAuthenticate = false;
+        private CredentialCache _credentialCache = null;
         private CookieContainer _cookieContainer = null;
         private bool _useCookie = false;
         private bool _automaticRedirection = true;
@@ -159,7 +163,6 @@ internal ICredentials Credentials
 
             set
             {
-                CheckDisposedOrStarted();
                 _serverCredentials = value;
             }
         }
@@ -202,6 +205,23 @@ internal DecompressionMethods AutomaticDecompression
             }
         }
 
+        internal bool PreAuthenticate
+        {
+            get
+            {
+                return _preAuthenticate;
+            }
+            set
+            {
+                CheckDisposedOrStarted();
+                _preAuthenticate = value;
+                if (value)
+                {
+                    _credentialCache = new CredentialCache();
+                }
+            }
+        }
+
         internal bool UseCookie
         {
             get
@@ -306,14 +326,13 @@ protected internal override Task<HttpResponseMessage> SendAsync(
             }
 
             // Create RequestCompletionSource object and save current values of handler settings.
-            RequestCompletionSource state = new RequestCompletionSource
+            RequestCompletionSource state = new RequestCompletionSource(this)
             {
                 CancellationToken = cancellationToken,
                 RequestMessage = request,
             };
 
             BeginRequest(state);
-
             return state.Task;
         }
 
@@ -398,6 +417,17 @@ private static void EndRequest(SafeCurlMultiHandle multiHandle, IntPtr statePtr,
                     state.TrySetException(new HttpRequestException(SR.net_http_client_execution_error,
                         GetCurlException(result)));
                 }
+
+                if (state.ResponseMessage.StatusCode != HttpStatusCode.Unauthorized && state.Handler.PreAuthenticate)
+                {
+                    ulong availedAuth;
+                    if (Interop.libcurl.curl_easy_getinfo(state.RequestHandle, CURLINFO.CURLINFO_HTTPAUTH_AVAIL, out availedAuth) == CURLcode.CURLE_OK)
+                    {
+                        state.Handler.AddCredentialToCache(state.RequestMessage.RequestUri, availedAuth, state.NetworkCredential);
+                    }
+                    // ignoring the exception in this case.
+                    // There is no point in killing the request for the sake of putting the credentials into the cache
+                }
             }
             catch (Exception ex)
             {
@@ -455,6 +485,8 @@ private SafeCurlHandle CreateRequestHandle(RequestCompletionSource state, GCHand
 
             SetProxyOptions(requestHandle, state.RequestMessage.RequestUri);
 
+            SetRequestHandleCredentialsOptions(requestHandle, state);
+
             SetCookieOption(requestHandle, state.RequestMessage.RequestUri);
 
             state.RequestHeaderHandle = SetRequestHeaders(requestHandle, state.RequestMessage);
@@ -528,6 +560,44 @@ private void SetProxyOptions(SafeCurlHandle requestHandle, Uri requestUri)
             }
         }
 
+        private void SetRequestHandleCredentialsOptions(SafeCurlHandle requestHandle, RequestCompletionSource state)
+        {
+            NetworkCredential credentials = GetNetworkCredentials(state.Handler._serverCredentials, state.RequestMessage.RequestUri);
+            if (credentials != null)
+            {
+                string userName = string.IsNullOrEmpty(credentials.Domain) ?
+                    credentials.UserName :
+                    string.Format("{0}\\{1}", credentials.Domain, credentials.UserName);
+
+                SetCurlOption(requestHandle, CURLoption.CURLOPT_USERNAME, userName);
+                SetCurlOption(requestHandle, CURLoption.CURLOPT_HTTPAUTH, CURLAUTH.AuthAny);
+                if (credentials.Password != null)
+                {
+                    SetCurlOption(requestHandle, CURLoption.CURLOPT_PASSWORD, credentials.Password);
+                }
+
+                state.NetworkCredential = credentials;
+            }
+        }
+
+        private NetworkCredential GetNetworkCredentials(ICredentials credentials, Uri requestUri)
+        {
+            if (_preAuthenticate)
+            {
+                NetworkCredential nc = null;
+                lock (_multiHandle)
+                {
+                    nc = GetCredentials(_credentialCache, requestUri);
+                }
+                if (nc != null)
+                {
+                    return nc;
+                }
+            }
+
+            return GetCredentials(credentials, requestUri);
+        }
+
         private void SetCookieOption(SafeCurlHandle requestHandle, Uri requestUri)
         {
             if (!_useCookie)
@@ -547,22 +617,35 @@ private void SetCookieOption(SafeCurlHandle requestHandle, Uri requestUri)
             }           
         }
 
-        private NetworkCredential GetCredentials(ICredentials proxyCredentials, Uri requestUri)
+        private void AddCredentialToCache(Uri serverUri, ulong authAvail, NetworkCredential nc)
+        {
+            lock (_multiHandle)
+            {
+                for (int i=0; i < AuthSchemePriorityOrder.Length; i++)
+                {
+                    if ((authAvail & AuthSchemePriorityOrder[i]) != 0 )
+                    {
+                        _credentialCache.Add(serverUri, AuthenticationSchemes[i], nc);
+                    }
+                }
+            }
+        }
+
+		private static NetworkCredential GetCredentials(ICredentials credentials, Uri requestUri)
         {
-            if (proxyCredentials == null)
+            if (credentials == null)
             {
                 return null;
             }
 
             foreach (var authScheme in AuthenticationSchemes)
             {
-                NetworkCredential proxyCreds = proxyCredentials.GetCredential(requestUri, authScheme);
-                if (proxyCreds != null)
+                NetworkCredential networkCredential = credentials.GetCredential(requestUri, authScheme);
+                if (networkCredential != null)
                 {
-                    return proxyCreds;
+                    return networkCredential;
                 }
             }
-
             return null;
         }
 
@@ -660,6 +743,15 @@ private void SetCurlOption(SafeCurlHandle handle, int option, long value)
             }
         }
 
+        private void SetCurlOption(SafeCurlHandle handle, int option, ulong value)
+        {
+            int result = Interop.libcurl.curl_easy_setopt(handle, option, value);
+            if (result != CURLcode.CURLE_OK)
+            {
+                throw new HttpRequestException(SR.net_http_client_execution_error, GetCurlException(result));
+            }
+        }
+
         private void SetCurlOption(SafeCurlHandle handle, int option, Interop.libcurl.curl_readwrite_callback value)
         {
             int result = Interop.libcurl.curl_easy_setopt(handle, option, value);
@@ -868,6 +960,13 @@ private static void RemoveEasyHandle(SafeCurlMultiHandle multiHandle, GCHandle s
 
         private sealed class RequestCompletionSource : TaskCompletionSource<HttpResponseMessage>
         {
+            private readonly CurlHandler _handler;
+
+            public RequestCompletionSource(CurlHandler handler)
+            {
+                this._handler = handler;
+            }
+
             public CancellationToken CancellationToken { get; set; }
 
             public HttpRequestMessage RequestMessage { get; set; }
@@ -883,6 +982,16 @@ private sealed class RequestCompletionSource : TaskCompletionSource<HttpResponse
             public Stream RequestContentStream { get; set; }
 
             public byte[] RequestContentBuffer { get; set; }
+
+            public NetworkCredential NetworkCredential {get; set;}
+
+            public CurlHandler Handler
+            {
+                get
+                {
+                    return _handler;
+                }
+            }
         }
 
         private enum ProxyUsePolicy

src/System.Net.Http/src/System/Net/Http/Unix/HttpClientHandler.Unix.cs

@@ -84,8 +84,8 @@ public IWebProxy Proxy
 
         public bool PreAuthenticate
         {
-            get { throw NotImplemented.ByDesignWithMessage("HTTP stack not implemented"); }
-            set { throw NotImplemented.ByDesignWithMessage("HTTP stack not implemented"); }
+            get { return _curlHandler.PreAuthenticate; }
+            set { _curlHandler.PreAuthenticate = value;} 
         }
 
         public bool UseDefaultCredentials