[libsoup/mcatanzaro/#184] Improve negotiate error message when server is broken

commit 0257e3cce1708a2d7552809e9893f8340f67eb93
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue May 3 16:32:51 2022 -0500

    Improve negotiate error message when server is broken
    
    Multiple prominent servers (notably Microsoft Azure, and Red Hat employee SSO)
    are failing to authenticate themselves properly to the client by
    omitting the WWW-Authenticate header. This is braindead, but apparently
    all other important clients just ignore this and pretend it's not a
    problem. La la la.
    
    After discussion with Simo Sorce, we decided to continue to authenticate
    servers that do send WWW-Authenticate, even though this is pointless,
    because a naughty server would simply not send the header and we would
    treat it as valid authentication. Whatever.
    
    I'm honestly uncertain what the practical impact of this change will be,
    other than the improved error message that makes it more clear this is
    not a libsoup bug. Previously we entered the error state
    SOUP_NEGOTIATE_FAILED, but everything was fine anyway. Now we won't
    enter the fail state. Whatever.
    
    Fixes #184

 libsoup/auth/soup-auth-negotiate.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
---
diff --git a/libsoup/auth/soup-auth-negotiate.c b/libsoup/auth/soup-auth-negotiate.c
index a5624a3d..90d45610 100644
--- a/libsoup/auth/soup-auth-negotiate.c
+++ b/libsoup/auth/soup-auth-negotiate.c
@@ -361,13 +361,18 @@ check_server_response (SoupMessage *msg, gpointer auth)
        auth_headers = soup_message_headers_get_one_common (soup_message_get_response_headers (msg),
                                                             SOUP_HEADER_WWW_AUTHENTICATE);
        if (!auth_headers || g_ascii_strncasecmp (auth_headers, "Negotiate ", 10) != 0) {
-               g_warning ("Failed to parse auth header");
-               conn->state = SOUP_NEGOTIATE_FAILED;
-               goto out;
+               /* The server is broken. But we have to pretend that it has
+                * authenticated anyway, because this is what other clients do.
+                * Yes, this means server authentication is pointless because a
+                * naughty server would simply not send this header. Yes, it is
+                * awful. Oh well. See libsoup#184 and comment below.
+                */
+               ret = AUTH_GSS_ERROR;
+               g_warning ("Server bug: missing or invalid WWW-Authenticate header: %s", auth_headers);
+       } else {
+               ret = soup_gss_client_step (conn, auth_headers + 10, &error_message);
        }
 
-       ret = soup_gss_client_step (conn, auth_headers + 10, &error_message);
-
        switch (ret) {
        case AUTH_GSS_COMPLETE:
                priv->is_authenticated = TRUE;
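Review bot: the new g_warning in this hunk formats `auth_headers` with `%s`, but in the `!auth_headers` branch that pointer is NULL, so the message relies on the platform printf tolerating a NULL string (glibc prints "(null)"; elsewhere this is undefined). Suggest guarding the argument, e.g. `auth_headers ? auth_headers : "(missing)"`, so the "missing" case, which is the one the commit is about, produces a readable log line instead of a formatting hazard. Forcing `ret = AUTH_GSS_ERROR` and falling into the same switch as a genuine gss step failure is a reasonable way to reuse the existing 200-status handling, but note that the two situations are now indistinguishable to anyone reading the later case.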
@@ -382,9 +387,8 @@ check_server_response (SoupMessage *msg, gpointer auth)
                /* Unfortunately, so many programs (curl, Firefox, ..) ignore
                 * the return token that is included in the response, so it is
                 * possible that there are servers that send back broken stuff.
-                * Try to behave in the right way (pass the token to
-                * gss_init_sec_context()), show a warning, but don't fail
-                * if the server returned 200. */
+                * Show a warning, but don't fail if the server returned 200.
+                */
                if (soup_message_get_status (msg) == SOUP_STATUS_OK)
                        priv->is_authenticated = TRUE;
                else
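Review bot: the shortened comment no longer tells the reader that this case is now also reached when the server sent no WWW-Authenticate header at all (the path added in the previous hunk sets `ret = AUTH_GSS_ERROR` explicitly), so it reads as if only a bad return token lands here. Suggest extending it, e.g. "Also reached when the header is missing entirely; see above and libsoup#184.", and documenting for callers that `is_authenticated = TRUE` on a 200 response in this case means the server was accepted without a validated mutual-authentication token, since the commit message says server authentication is effectively not enforced.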
@@ -393,7 +397,7 @@ check_server_response (SoupMessage *msg, gpointer auth)
        default:
                conn->state = SOUP_NEGOTIATE_FAILED;
        }
- out:
+
        g_clear_pointer (&error_message, g_free);
 }
 
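Review bot: removing the `out:` label is only safe if the `goto out` deleted in the first hunk was the sole jump to it; the remaining cases of the switch are not all visible here, so please confirm nothing else in check_server_response still references the label. Style nit: the replacement is a bare blank line before `g_clear_pointer`, which leaves two consecutive blank lines after the switch; dropping the `+` line would keep the function body tighter.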