[libsoup/gnome-3-22] Authentication should success in some cases when gss_init_sec_context() returns error



commit 9f33a39f649e658e2d938f4f7decabc4e47db484
Author: Tomas Popela <tpopela redhat com>
Date:   Mon Jun 19 18:08:16 2017 +0200

    Authentication should success in some cases when gss_init_sec_context() returns error
    
    Unfortunately, so many programs (curl, Firefox) ignore the return token that is
    included in the response, so it is possible that there are servers that send
    back broken stuff.  Try to behave in the right way (pass the token to
    gss_init_sec_context()), show a warning, but don't fail if the server returned
    200.
    
    There is an internal Red Hat site that triggers the described situation
    and the "Invalid token was supplied: Unknown error" is being printed to
    the console.

 libsoup/soup-auth-negotiate.c |   23 +++++++++++++++++++----
 1 files changed, 19 insertions(+), 4 deletions(-)
---
diff --git a/libsoup/soup-auth-negotiate.c b/libsoup/soup-auth-negotiate.c
index 7b4ec69..91cef82 100644
--- a/libsoup/soup-auth-negotiate.c
+++ b/libsoup/soup-auth-negotiate.c
@@ -364,13 +364,28 @@ check_server_response (SoupMessage *msg, gpointer auth)
 
        ret = soup_gss_client_step (conn, auth_headers + 10, &err);
 
-       priv->is_authenticated = ret == AUTH_GSS_COMPLETE;
-
-       if (ret == AUTH_GSS_CONTINUE) {
+       switch (ret) {
+       case AUTH_GSS_COMPLETE:
+               priv->is_authenticated = TRUE;
+               break;
+       case AUTH_GSS_CONTINUE:
                conn->state = SOUP_NEGOTIATE_RECEIVED_CHALLENGE;
-       } else if (ret == AUTH_GSS_ERROR) {
+               break;
+       case AUTH_GSS_ERROR:
                if (err)
                        g_warning ("%s", err->message);
+               /* Unfortunately, so many programs (curl, Firefox, ..) ignore
+                * the return token that is included in the response, so it is
+                * possible that there are servers that send back broken stuff.
+                * Try to behave in the right way (pass the token to
+                * gss_init_sec_context()), show a warning, but don't fail
+                * if the server returned 200. */
+               if (msg->status_code == SOUP_STATUS_OK)
+                       priv->is_authenticated = TRUE;
+               else
+                       conn->state = SOUP_NEGOTIATE_FAILED;
+               break;
+       default:
                conn->state = SOUP_NEGOTIATE_FAILED;
        }
  out:
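Review bot: The rewrite into a `switch` drops the unconditional reset that the removed line `priv->is_authenticated = ret == AUTH_GSS_COMPLETE;` performed, so in the `AUTH_GSS_CONTINUE`, `default` and non-200 `AUTH_GSS_ERROR` branches the flag now keeps whatever value it had on entry. If it can already be TRUE when check_server_response() runs (not visible in this hunk), a failed step would leave the auth marked as authenticated; adding `priv->is_authenticated = FALSE;` just before the `switch` restores the old behaviour. Separately, the 200 branch of `AUTH_GSS_ERROR` accepts a response whose token the GSS step rejected, so the server's half of mutual authentication is not verified for that exchange, and `conn->state` is left unchanged on that path. The new comment should say so explicitly, for example `/* NOTE: the server token failed validation, so mutual authentication is not established here. */`, so that callers do not treat `is_authenticated` as proof of server identity. The body of check_server_response() starts and ends outside the hunk.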

