
Merge pull request #5638 from deepak1556/iwa_patch

browser: flags to control iwa enabled server whitelist
Cheng Zhao 9 years ago
parent
commit
c489d6d4b3

+ 0 - 8
atom/browser/api/atom_api_app.cc

@@ -375,12 +375,6 @@ void App::SetDesktopName(const std::string& desktop_name) {
 #endif
 }
 
-void App::AllowNTLMCredentialsForAllDomains(bool should_allow) {
-  auto browser_context = static_cast<AtomBrowserContext*>(
-        AtomBrowserMainParts::Get()->browser_context());
-  browser_context->AllowNTLMCredentialsForAllDomains(should_allow);
-}
-
 std::string App::GetLocale() {
   return l10n_util::GetApplicationLocale("");
 }
@@ -482,8 +476,6 @@ void App::BuildPrototype(
       .SetMethod("setPath", &App::SetPath)
       .SetMethod("getPath", &App::GetPath)
       .SetMethod("setDesktopName", &App::SetDesktopName)
-      .SetMethod("allowNTLMCredentialsForAllDomains",
-                 &App::AllowNTLMCredentialsForAllDomains)
       .SetMethod("getLocale", &App::GetLocale)
 #if defined(USE_NSS_CERTS)
       .SetMethod("importCertificate", &App::ImportCertificate)

+ 0 - 1
atom/browser/api/atom_api_app.h

@@ -106,7 +106,6 @@ class App : public AtomBrowserClient::Delegate,
                const base::FilePath& path);
 
   void SetDesktopName(const std::string& desktop_name);
-  void AllowNTLMCredentialsForAllDomains(bool should_allow);
   bool MakeSingleInstance(
       const ProcessSingleton::NotificationCallback& callback);
   std::string GetLocale();

+ 24 - 0
atom/browser/api/atom_api_session.cc

@@ -36,6 +36,8 @@
 #include "net/base/load_flags.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/dns/host_cache.h"
+#include "net/http/http_auth_handler_factory.h"
+#include "net/http/http_auth_preferences.h"
 #include "net/proxy/proxy_service.h"
 #include "net/proxy/proxy_config_service_fixed.h"
 #include "net/url_request/url_request_context.h"
@@ -284,6 +286,19 @@ void ClearHostResolverCacheInIO(
   }
 }
 
+void AllowNTLMCredentialsForDomainsInIO(
+    const scoped_refptr<net::URLRequestContextGetter>& context_getter,
+    const std::string& domains) {
+  auto request_context = context_getter->GetURLRequestContext();
+  auto auth_handler = request_context->http_auth_handler_factory();
+  if (auth_handler) {
+    auto auth_preferences = const_cast<net::HttpAuthPreferences*>(
+        auth_handler->http_auth_preferences());
+    if (auth_preferences)
+      auth_preferences->set_server_whitelist(domains);
+  }
+}
+
 }  // namespace
 
 Session::Session(v8::Isolate* isolate, AtomBrowserContext* browser_context)
@@ -432,6 +447,13 @@ void Session::ClearHostResolverCache(mate::Arguments* args) {
                  callback));
 }
 
+void Session::AllowNTLMCredentialsForDomains(const std::string& domains) {
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+      base::Bind(&AllowNTLMCredentialsForDomainsInIO,
+                 make_scoped_refptr(browser_context_->GetRequestContext()),
+                 domains));
+}
+
 v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {
   if (cookies_.IsEmpty()) {
     auto handle = atom::api::Cookies::Create(isolate, browser_context());
@@ -487,6 +509,8 @@ void Session::BuildPrototype(v8::Isolate* isolate,
       .SetMethod("setPermissionRequestHandler",
                  &Session::SetPermissionRequestHandler)
       .SetMethod("clearHostResolverCache", &Session::ClearHostResolverCache)
+      .SetMethod("allowNTLMCredentialsForDomains",
+                 &Session::AllowNTLMCredentialsForDomains)
       .SetProperty("cookies", &Session::Cookies)
       .SetProperty("webRequest", &Session::WebRequest);
 }
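Review bot: AllowNTLMCredentialsForDomainsInIO writes through a `const_cast` on `auth_handler->http_auth_preferences()`, mutating an object the factory only exposes as const; if that preferences object is shared by more than one factory or context (I cannot tell from this hunk), the whitelist change silently applies beyond this session, so the ownership should be confirmed and stated in a comment. The method also needs a header comment because the value is security-relevant: `'*'` (which app.js now passes for the deprecated app API) makes NTLM/Negotiate credentials eligible for every host that challenges, e.g. `// Replaces this session's integrated-auth server whitelist; "*" matches every host.` Finally, a null factory or null preferences pointer is a silent no-op with no feedback to the JS caller — a `LOG(WARNING)` or DCHECK in those branches would make a misconfigured session visible instead of quietly keeping the old whitelist.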

+ 1 - 0
atom/browser/api/atom_api_session.h

@@ -79,6 +79,7 @@ class Session: public mate::TrackableObject<Session>,
   void SetPermissionRequestHandler(v8::Local<v8::Value> val,
                                    mate::Arguments* args);
   void ClearHostResolverCache(mate::Arguments* args);
+  void AllowNTLMCredentialsForDomains(const std::string& domains);
   v8::Local<v8::Value> Cookies(v8::Isolate* isolate);
   v8::Local<v8::Value> WebRequest(v8::Isolate* isolate);
 

+ 1 - 12
atom/browser/atom_browser_context.cc

@@ -67,8 +67,7 @@ AtomBrowserContext::AtomBrowserContext(const std::string& partition,
     : brightray::BrowserContext(partition, in_memory),
       cert_verifier_(new AtomCertVerifier),
       job_factory_(new AtomURLRequestJobFactory),
-      network_delegate_(new AtomNetworkDelegate),
-      allow_ntlm_everywhere_(false) {
+      network_delegate_(new AtomNetworkDelegate) {
 }
 
 AtomBrowserContext::~AtomBrowserContext() {
@@ -195,16 +194,6 @@ void AtomBrowserContext::RegisterPrefs(PrefRegistrySimple* pref_registry) {
   pref_registry->RegisterDictionaryPref(prefs::kDevToolsFileSystemPaths);
 }
 
-bool AtomBrowserContext::AllowNTLMCredentialsForDomain(const GURL& origin) {
-  if (allow_ntlm_everywhere_)
-    return true;
-  return Delegate::AllowNTLMCredentialsForDomain(origin);
-}
-
-void AtomBrowserContext::AllowNTLMCredentialsForAllDomains(bool should_allow) {
-  allow_ntlm_everywhere_ = should_allow;
-}
-
 }  // namespace atom
 
 namespace brightray {

+ 0 - 5
atom/browser/atom_browser_context.h

@@ -33,7 +33,6 @@ class AtomBrowserContext : public brightray::BrowserContext {
       const base::FilePath& base_path) override;
   scoped_ptr<net::CertVerifier> CreateCertVerifier() override;
   net::SSLConfigService* CreateSSLConfigService() override;
-  bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;
 
   // content::BrowserContext:
   content::DownloadManagerDelegate* GetDownloadManagerDelegate() override;
@@ -43,8 +42,6 @@ class AtomBrowserContext : public brightray::BrowserContext {
   // brightray::BrowserContext:
   void RegisterPrefs(PrefRegistrySimple* pref_registry) override;
 
-  void AllowNTLMCredentialsForAllDomains(bool should_allow);
-
   AtomCertVerifier* cert_verifier() const { return cert_verifier_; }
 
   AtomURLRequestJobFactory* job_factory() const { return job_factory_; }
@@ -61,8 +58,6 @@ class AtomBrowserContext : public brightray::BrowserContext {
   AtomURLRequestJobFactory* job_factory_;
   AtomNetworkDelegate* network_delegate_;
 
-  bool allow_ntlm_everywhere_;
-
   DISALLOW_COPY_AND_ASSIGN(AtomBrowserContext);
 };
 

+ 0 - 10
docs/api/app.md

@@ -443,16 +443,6 @@ Adds `tasks` to the [Tasks][tasks] category of the JumpList on Windows.
   consists of two or more icons, set this value to identify the icon. If an
   icon file consists of one icon, this value is 0.
 
-### `app.allowNTLMCredentialsForAllDomains(allow)`
-
-* `allow` Boolean
-
-Dynamically sets whether to always send credentials for HTTP NTLM or Negotiate
-authentication - normally, Electron will only send NTLM/Kerberos credentials for
-URLs that fall under "Local Intranet" sites (i.e. are in the same domain as you).
-However, this detection often fails when corporate networks are badly configured,
-so this lets you co-opt this behavior and enable it for all URLs.
-
 ### `app.makeSingleInstance(callback)`
 
 * `callback` Function

+ 18 - 0
docs/api/chrome-command-line-switches.md

@@ -95,6 +95,24 @@ connection, and the endpoint host in a `SOCKS` proxy connection).
 
 Like `--host-rules` but these `rules` only apply to the host resolver.
 
+## --auth-server-whitelist=`url`
+
+A comma-separated list of servers for which integrated authentication is enabled.
+
+For example:
+
+```
+--auth-server-whitelist='*example.com, *foobar.com, *baz'
+```
+
+then any `url` ending with `example.com`, `foobar.com`, `baz` will be considered
+for integrated authentication. Without `*` prefix the url has to match exactly.
+
+## --auth-negotiate-delegate-whitelist=`url`
+
+A comma-separated list of servers for which delegation of user credentials is required.
+Without `*` prefix the url has to match exactly.
+
 ## --ignore-certificate-errors
 
 Ignores certificate related errors.

+ 17 - 0
docs/api/session.md

@@ -323,6 +323,23 @@ session.fromPartition(partition).setPermissionRequestHandler((webContents, permi
 
 Clears the host resolver cache.
 
+#### `ses.allowNTLMCredentialsForDomains(domains)`
+
+* `domains` String - A comma-seperated list of servers for which
+  integrated authentication is enabled.
+
+Dynamically sets whether to always send credentials for HTTP NTLM or Negotiate
+authentication.
+
+```javascript
+// consider any url ending with `example.com`, `foobar.com`, `baz`
+// for integrated authentication.
+session.defaultSession.allowNTLMCredentialsForDomains('*example.com, *foobar.com, *baz')
+
+// consider all urls for integrated authentication.
+session.defaultSession.allowNTLMCredentialsForDomains('*')
+```
+
 #### `ses.webRequest`
 
 The `webRequest` API set allows to intercept and modify contents of a request at

+ 13 - 1
lib/browser/api/app.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const {Menu} = require('electron')
+const {deprecate, Menu, session} = require('electron')
 const {EventEmitter} = require('events')
 
 const bindings = process.atomBinding('app')
@@ -41,6 +41,18 @@ if (process.platform === 'darwin') {
   }
 }
 
+app.allowNTLMCredentialsForAllDomains = function (allow) {
+  if (!process.noDeprecations) {
+    deprecate.warn('app.allowNTLMCredentialsForAllDomains', 'session.allowNTLMCredentialsForDomains')
+  }
+  let domains = allow ? '*' : ''
+  if (!this.isReady()) {
+    this.commandLine.appendSwitch('auth-server-whitelist', domains)
+  } else {
+    session.defaultSession.allowNTLMCredentialsForDomains(domains)
+  }
+}
+
 // Routes the events to webContents.
 const events = ['login', 'certificate-error', 'select-client-certificate']
 for (let name of events) {
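Review bot: The two branches of app.allowNTLMCredentialsForAllDomains do not have the same scope: before ready the `auth-server-whitelist` switch presumably applies to every session the process creates, while after ready only `session.defaultSession` is updated, so a caller using custom partitions gets a different result depending on when it calls — if that is intended, a comment on the `isReady()` branch should say so. `domains` is never reassigned, so `const domains = allow ? '*' : ''` is the better declaration. Because `'*'` lifts the intranet-only restriction for every host, a one-line comment above it such as `// '*' offers NTLM/Negotiate credentials to any server that challenges; '' restores the default` would help readers of this compatibility shim.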