NSURLProtectionSpace: improve authentication method handling

Improve handling of NSURL authentication methods. Make "HTMLForm"
authentication a no-op as it should be instead of making it fall back to
Basic authentication.

Add stubs for NTLM and Negotiate IIS methods. They should be easily
implementable given the current framework for authentication methods.

Add stubs for ClientCertificate and ServerTrust authentication methods.
A blocker for supporting them is the lack of a Security.framework
implementation (since they rely on SecTrustRef). They would also require
additions to the current SSL handling code for GNUstep https requests.
Also stub the -distinguishedNames property of NSURLProtectionSpace,
which also deals with certificate-related authentication methods.

Headers/Foundation/NSURLProtectionSpace.h

@@ -41,7 +41,7 @@ extern NSString * const NSURLProtectionSpaceHTTPProxy;	/** An HTTP proxy */
 extern NSString * const NSURLProtectionSpaceHTTPSProxy;	/** An HTTPS proxy */
 extern NSString * const NSURLProtectionSpaceSOCKSProxy;	/** A SOCKS proxy */
 
-/** Default authentication */
+/** Default authentication (Basic) */
 extern NSString * const NSURLAuthenticationMethodDefault;
 
 /** HTML form authentication */
@@ -53,6 +53,15 @@ extern NSString * const NSURLAuthenticationMethodHTTPBasic;
 /** HTTP Digest authentication */
 extern NSString * const NSURLAuthenticationMethodHTTPDigest;
 
+#if OS_API_VERSION(MAC_OS_X_VERSION_10_5,GS_API_LATEST) && GS_API_VERSION( 11300,GS_API_LATEST)
+extern NSString * const NSURLAuthenticationMethodNTLM;
+extern NSString * const NSURLAuthenticationMethodNegotiate;
+#endif
+
+#if OS_API_VERSION(MAC_OS_X_VERSION_10_6,GS_API_LATEST) && GS_API_VERSION( 11300,GS_API_LATEST)
+extern NSString * const NSURLAuthenticationMethodClientCertificate;
+extern NSString * const NSURLAuthenticationMethodServerTrust;
+#endif
 
 /**
  * Class to encapsulate a protection space ... where authentication is
@@ -129,6 +138,14 @@ authenticationMethod: (NSString *)authenticationMethod;
  */
 - (BOOL) receivesCredentialSecurely;
 
+#if OS_API_VERSION(MAC_OS_X_VERSION_10_6,GS_API_LATEST) && GS_API_VERSION( 11300,GS_API_LATEST)
+#if GS_HAS_DECLARED_PROPERTIES
+@property (readonly, copy) NSArray *distinguishedNames;
+#else
+- (NSArray *) distinguishedNames;
+#endif
+#endif
+
 @end
 
 #if	defined(__cplusplus)

Source/GSHTTPAuthentication.m

@@ -179,6 +179,14 @@ static GSMimeParser		*mimeParser = nil;
         {
 	  method = NSURLAuthenticationMethodHTTPDigest;
 	}
+      else if ([key caseInsensitiveCompare: @"NTLM"] == NSOrderedSame)
+        {
+	  method = NSURLAuthenticationMethodNTLM;
+	}
+      else if ([key caseInsensitiveCompare: @"Negotiate"] == NSOrderedSame)
+        {
+	  method = NSURLAuthenticationMethodNegotiate;
+	}
       else
 	{
 	  return nil;	// Unknown authentication
@@ -541,11 +549,31 @@ static GSMimeParser		*mimeParser = nil;
 
       [self->_lock unlock];
     }
-  else
+  else if ([self->_space authenticationMethod]
+    == NSURLAuthenticationMethodHTMLForm)
+    {
+      // This should not generate any authentication header.
+      return nil;
+    }
+  else if ([self->_space authenticationMethod]
+    == NSURLAuthenticationMethodNTLM)
+    {
+      // FIXME: this needs to be implemented
+      return nil;
+    }
+  else if ([self->_space authenticationMethod]
+    == NSURLAuthenticationMethodNegotiate)
+    {
+      // FIXME: this needs to be implemented
+      return nil;
+    }
+  else if ([self->_space authenticationMethod]
+    == NSURLAuthenticationMethodDefault
+    || [self->_space authenticationMethod]
+    == NSURLAuthenticationMethodHTTPBasic)
     {
       NSString	*toEncode;
 
-// FIXME ... should support other methods
       if (authentication != nil)
 	{
 	  NSScanner		*sc;
@@ -572,6 +600,14 @@ static GSMimeParser		*mimeParser = nil;
       [authorisation appendFormat: @"Basic %@",
 	[GSMimeDocument encodeBase64String: toEncode]];
     }
+  else
+    {
+      // FIXME: Currently, ClientCertificate and ServerTrust authentication
+      // methods are NOT implemented and will end up here. They should, in fact,
+      // be handled in the SSL connection layer (in GSHTTPURLHandle) rather than
+      // in this method.
+      return nil;
+    }
   return authorisation;
 }
 

Source/NSURLProtectionSpace.m

@@ -41,6 +41,16 @@ NSString * const NSURLAuthenticationMethodHTTPBasic
 NSString * const NSURLAuthenticationMethodHTTPDigest
   = @"NSURLAuthenticationMethodHTTPDigest";
 
+NSString * const NSURLAuthenticationMethodNTLM
+  = @"NSURLAuthenticationMethodNTLM";
+
+NSString * const NSURLAuthenticationMethodNegotiate
+  = @"NSURLAuthenticationMethodNegotiate";
+NSString * const NSURLAuthenticationMethodClientCertificate
+  = @"NSURLAuthenticationMethodClientCertificate";
+NSString * const NSURLAuthenticationMethodServerTrust
+  = @"NSURLAuthenticationMethodServerTrust";
+
 // Internal data storage
 typedef struct {
   NSString	*host;
@@ -147,6 +157,26 @@ authenticationMethod: (NSString *)authenticationMethod
 	{
 	  this->authenticationMethod = NSURLAuthenticationMethodHTTPDigest;
 	}
+      else if ([authenticationMethod isEqualToString: 
+	NSURLAuthenticationMethodNTLM] == YES)
+	{
+	  this->authenticationMethod = NSURLAuthenticationMethodNTLM;
+	}
+      else if ([authenticationMethod isEqualToString: 
+	NSURLAuthenticationMethodNegotiate] == YES)
+	{
+	  this->authenticationMethod = NSURLAuthenticationMethodNegotiate;
+	}
+      else if ([authenticationMethod isEqualToString: 
+	NSURLAuthenticationMethodClientCertificate] == YES)
+	{
+	  this->authenticationMethod = NSURLAuthenticationMethodClientCertificate;
+	}
+      else if ([authenticationMethod isEqualToString: 
+	NSURLAuthenticationMethodServerTrust] == YES)
+	{
+	  this->authenticationMethod = NSURLAuthenticationMethodServerTrust;
+	}
       else
         {
 	  this->authenticationMethod = NSURLAuthenticationMethodDefault;
@@ -294,5 +324,10 @@ authenticationMethod: (NSString *)authenticationMethod
   return NO;
 }
 
+- (NSArray *) distinguishedNames
+{
+  return nil;
+}
+
 @end