Encrypt password values in LoginDatabase on Mac.

components/password_manager/core/browser/login_database_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/password_manager/core/browser/login_database.h"
 
 #include "base/basictypes.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/scoped_vector.h"
 #include "base/path_service.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/histogram_tester.h"
 #include "base/time/time.h"
 #include "components/autofill/core/common/password_form.h"
 #include "components/password_manager/core/browser/psl_matching_helper.h"
 #include "sql/connection.h"
 #include "sql/statement.h"
 #include "sql/test/test_helpers.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+#if defined(OS_MACOSX)
+#include "components/os_crypt/os_crypt.h"
+#endif
+
 using autofill::PasswordForm;
 using base::ASCIIToUTF16;
 using ::testing::Eq;
 
 namespace password_manager {
 namespace {
 PasswordStoreChangeList AddChangeForForm(const PasswordForm& form) {
   return PasswordStoreChangeList(
       1, PasswordStoreChange(PasswordStoreChange::ADD, form));
 }
 
 PasswordStoreChangeList UpdateChangeForForm(const PasswordForm& form) {
   return PasswordStoreChangeList(
       1, PasswordStoreChange(PasswordStoreChange::UPDATE, form));
 }
 
-void FormsAreEqual(const PasswordForm& expected, const PasswordForm& actual) {
-  PasswordForm expected_copy(expected);
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // On the Mac we should never be storing passwords in the database.
-  expected_copy.password_value = ASCIIToUTF16("");
-#endif
-  EXPECT_EQ(expected_copy, actual);
-}
-
 void GenerateExamplePasswordForm(PasswordForm* form) {
   form->origin = GURL("http://accounts.google.com/LoginAuth");
   form->action = GURL("http://accounts.google.com/Login");
   form->username_element = ASCIIToUTF16("Email");
   form->username_value = ASCIIToUTF16("test@gmail.com");
   form->password_element = ASCIIToUTF16("Passwd");
   form->password_value = ASCIIToUTF16("test");
   form->submit_element = ASCIIToUTF16("signIn");
   form->signon_realm = "http://www.google.com/";
   form->ssl_valid = false;
@@ skipping 12 matching lines @@
 
 // Serialization routines for vectors implemented in login_database.cc.
 base::Pickle SerializeVector(const std::vector<base::string16>& vec);
 std::vector<base::string16> DeserializeVector(const base::Pickle& pickle);
 
 class LoginDatabaseTest : public testing::Test {
  protected:
   void SetUp() override {
     ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
     file_ = temp_dir_.path().AppendASCII("TestMetadataStoreMacDatabase");
+#if defined(OS_MACOSX)
+    OSCrypt::UseMockKeychain(true);
+#endif  // defined(OS_MACOSX)
 
     db_.reset(new LoginDatabase(file_));
     ASSERT_TRUE(db_->Init());
   }
 
   LoginDatabase& db() { return *db_; }
 
   void TestNonHTMLFormPSLMatching(const PasswordForm::Scheme& scheme) {
     ScopedVector<autofill::PasswordForm> result;
 
@@ skipping 83 matching lines @@
 
   // Example password form.
   PasswordForm form;
   GenerateExamplePasswordForm(&form);
 
   // Add it and make sure it is there and that all the fields were retrieved
   // correctly.
   EXPECT_EQ(AddChangeForForm(form), db().AddLogin(form));
   EXPECT_TRUE(db().GetAutofillableLogins(&result));
   ASSERT_EQ(1U, result.size());
-  FormsAreEqual(form, *result[0]);
+  EXPECT_EQ(form, *result[0]);
   result.clear();
 
   // Match against an exact copy.
   EXPECT_TRUE(db().GetLogins(form, &result));
   ASSERT_EQ(1U, result.size());
-  FormsAreEqual(form, *result[0]);
+  EXPECT_EQ(form, *result[0]);
   result.clear();
 
   // The example site changes...
   PasswordForm form2(form);
   form2.origin = GURL("http://www.google.com/new/accounts/LoginAuth");
   form2.submit_element = ASCIIToUTF16("reallySignIn");
 
   // Match against an inexact copy
   EXPECT_TRUE(db().GetLogins(form2, &result));
   EXPECT_EQ(1U, result.size());
@@ skipping 57 matching lines @@
   // old form, and there is only one record.
   EXPECT_EQ(UpdateChangeForForm(form6), db().UpdateLogin(form6));
   // matches
   EXPECT_TRUE(db().GetLogins(form5, &result));
   EXPECT_EQ(1U, result.size());
   result.clear();
   // Only one record.
   EXPECT_TRUE(db().GetAutofillableLogins(&result));
   EXPECT_EQ(1U, result.size());
   // Password element was updated.
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // On the Mac we should never be storing passwords in the database.
-  EXPECT_EQ(base::string16(), result[0]->password_value);
-#else
   EXPECT_EQ(form6.password_value, result[0]->password_value);
-#endif
   // Preferred login.
   EXPECT_TRUE(form6.preferred);
   result.clear();
 
   // Make sure everything can disappear.
   EXPECT_TRUE(db().RemoveLogin(form4));
   EXPECT_TRUE(db().GetAutofillableLogins(&result));
   EXPECT_EQ(0U, result.size());
 }
 
@@ skipping 459 matching lines @@
   form.skip_zero_click = true;
   EXPECT_EQ(AddChangeForForm(form), db().AddLogin(form));
 
   // Get all non-blacklisted logins (should be none).
   EXPECT_TRUE(db().GetAutofillableLogins(&result));
   ASSERT_EQ(0U, result.size());
 
   // GetLogins should give the blacklisted result.
   EXPECT_TRUE(db().GetLogins(form, &result));
   ASSERT_EQ(1U, result.size());
-  FormsAreEqual(form, *result[0]);
+  EXPECT_EQ(form, *result[0]);
   result.clear();
 
   // So should GetAllBlacklistedLogins.
   EXPECT_TRUE(db().GetBlacklistLogins(&result));
   ASSERT_EQ(1U, result.size());
-  FormsAreEqual(form, *result[0]);
+  EXPECT_EQ(form, *result[0]);
   result.clear();
 }
 
 TEST_F(LoginDatabaseTest, VectorSerialization) {
   // Empty vector.
   std::vector<base::string16> vec;
   base::Pickle temp = SerializeVector(vec);
   std::vector<base::string16> output = DeserializeVector(temp);
   EXPECT_THAT(output, Eq(vec));
 
@@ skipping 36 matching lines @@
   encountered_form.username_element = ASCIIToUTF16("Email");
   encountered_form.password_element = ASCIIToUTF16("Passwd");
   encountered_form.submit_element = ASCIIToUTF16("signIn");
 
   // Get matches for encountered_form.
   EXPECT_TRUE(db().GetLogins(encountered_form, &result));
   ASSERT_EQ(1U, result.size());
   EXPECT_EQ(incomplete_form.origin, result[0]->origin);
   EXPECT_EQ(incomplete_form.signon_realm, result[0]->signon_realm);
   EXPECT_EQ(incomplete_form.username_value, result[0]->username_value);
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // On Mac, passwords are not stored in login database, instead they're in
-  // the keychain.
-  EXPECT_TRUE(result[0]->password_value.empty());
-#else
   EXPECT_EQ(incomplete_form.password_value, result[0]->password_value);
-#endif  // OS_MACOSX && !OS_IOS
   EXPECT_TRUE(result[0]->preferred);
   EXPECT_FALSE(result[0]->ssl_valid);
 
   // We should return empty 'action', 'username_element', 'password_element'
   // and 'submit_element' as we can't be sure if the credentials were entered
   // in this particular form on the page.
   EXPECT_EQ(GURL(), result[0]->action);
   EXPECT_TRUE(result[0]->username_element.empty());
   EXPECT_TRUE(result[0]->password_element.empty());
   EXPECT_TRUE(result[0]->submit_element.empty());
   result.clear();
 
   // Let's say this login form worked. Now update the stored credentials with
   // 'action', 'username_element', 'password_element' and 'submit_element' from
   // the encountered form.
   PasswordForm completed_form(incomplete_form);
   completed_form.action = encountered_form.action;
   completed_form.username_element = encountered_form.username_element;
   completed_form.password_element = encountered_form.password_element;
   completed_form.submit_element = encountered_form.submit_element;
   EXPECT_EQ(AddChangeForForm(completed_form), db().AddLogin(completed_form));
   EXPECT_TRUE(db().RemoveLogin(incomplete_form));
 
   // Get matches for encountered_form again.
   EXPECT_TRUE(db().GetLogins(encountered_form, &result));
   ASSERT_EQ(1U, result.size());
 
   // This time we should have all the info available.
   PasswordForm expected_form(completed_form);
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  expected_form.password_value.clear();
-#endif  // OS_MACOSX && !OS_IOS
   EXPECT_EQ(expected_form, *result[0]);
   result.clear();
 }
 
 TEST_F(LoginDatabaseTest, UpdateOverlappingCredentials) {
   // Save an incomplete form. Note that it only has a few fields set, ex. it's
   // missing 'action', 'username_element' and 'password_element'. Such forms
   // are sometimes inserted during import from other browsers (which may not
   // store this info).
   PasswordForm incomplete_form;
@@ skipping 29 matching lines @@
   // Simulate the user changing their password.
   complete_form.password_value = ASCIIToUTF16("new_password");
   complete_form.date_synced = base::Time::Now();
   EXPECT_EQ(UpdateChangeForForm(complete_form),
             db().UpdateLogin(complete_form));
 
   // Both still exist now.
   EXPECT_TRUE(db().GetAutofillableLogins(&result));
   ASSERT_EQ(2U, result.size());
 
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // On Mac, passwords are not stored in login database, instead they're in
-  // the keychain.
-  complete_form.password_value.clear();
-  incomplete_form.password_value.clear();
-#endif  // OS_MACOSX && !OS_IOS
   if (result[0]->username_element.empty())
     std::swap(result[0], result[1]);
   EXPECT_EQ(complete_form, *result[0]);
   EXPECT_EQ(incomplete_form, *result[1]);
 }
 
 TEST_F(LoginDatabaseTest, DoubleAdd) {
   PasswordForm form;
   form.origin = GURL("http://accounts.google.com/LoginAuth");
   form.signon_realm = "http://accounts.google.com/";
@@ skipping 58 matching lines @@
   form.type = PasswordForm::TYPE_GENERATED;
   form.display_name = ASCIIToUTF16("Mr. Smith");
   form.avatar_url = GURL("https://accounts.google.com/Avatar");
   form.federation_url = GURL("https://accounts.google.com/federation");
   form.skip_zero_click = true;
   EXPECT_EQ(UpdateChangeForForm(form), db().UpdateLogin(form));
 
   ScopedVector<autofill::PasswordForm> result;
   EXPECT_TRUE(db().GetLogins(form, &result));
   ASSERT_EQ(1U, result.size());
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // On Mac, passwords are not stored in login database, instead they're in
-  // the keychain.
-  form.password_value.clear();
-#endif  // OS_MACOSX && !OS_IOS
   EXPECT_EQ(form, *result[0]);
 }
 
 TEST_F(LoginDatabaseTest, RemoveWrongForm) {
   PasswordForm form;
   // |origin| shouldn't be empty.
   form.origin = GURL("http://accounts.google.com/LoginAuth");
   form.signon_realm = "http://accounts.google.com/";
   form.username_value = ASCIIToUTF16("my_username");
   form.password_value = ASCIIToUTF16("my_password");
@@ skipping 109 matching lines @@
   histogram_tester.ExpectUniqueSample(
       "PasswordManager.EmptyUsernames.CountInDatabase",
       3,
       1);
   histogram_tester.ExpectUniqueSample(
       "PasswordManager.EmptyUsernames.WithoutCorrespondingNonempty",
       1,
       1);
 }
 
+TEST_F(LoginDatabaseTest, ClearPasswordValues) {
+  db().set_clear_password_values(true);
+
+  // Add a PasswordForm, the password should be cleared.
+  base::HistogramTester histogram_tester;
+  PasswordForm form;
+  form.origin = GURL("http://accounts.google.com/LoginAuth");
+  form.signon_realm = "http://accounts.google.com/";
+  form.username_value = ASCIIToUTF16("my_username");
+  form.password_value = ASCIIToUTF16("12345");
+  EXPECT_EQ(AddChangeForForm(form), db().AddLogin(form));
+
+  ScopedVector<autofill::PasswordForm> result;
+  EXPECT_TRUE(db().GetLogins(form, &result));
+  ASSERT_EQ(1U, result.size());
+  PasswordForm expected_form = form;
+  expected_form.password_value.clear();
+  EXPECT_EQ(expected_form, *result[0]);
+
+  // Update the password, it should stay empty.
+  form.password_value = ASCIIToUTF16("password");
+  EXPECT_EQ(UpdateChangeForForm(form), db().UpdateLogin(form));
+  EXPECT_TRUE(db().GetLogins(form, &result));
+  ASSERT_EQ(1U, result.size());
+  EXPECT_EQ(expected_form, *result[0]);
+
+  // Encrypting/decrypting shouldn't happen. Thus there should be no keychain
+  // access on Mac.
+  scoped_ptr<base::HistogramSamples> samples =
+      histogram_tester.GetHistogramSamplesSinceCreation("OSX.Keychain.Access");
+  EXPECT_TRUE(!samples || samples->TotalCount() == 0);
+}
+
 #if defined(OS_POSIX)
 // Only the current user has permission to read the database.
 //
 // Only POSIX because GetPosixFilePermissions() only exists on POSIX.
 // This tests that sql::Connection::set_restrict_to_user() was called,
 // and that function is a noop on non-POSIX platforms in any case.
 TEST_F(LoginDatabaseTest, FilePermissions) {
   int mode = base::FILE_PERMISSION_MASK;
   EXPECT_TRUE(base::GetPosixFilePermissions(file_, &mode));
   EXPECT_EQ((mode & base::FILE_PERMISSION_USER_MASK), mode);
 }
 #endif  // defined(OS_POSIX)
 
 // Test the migration from GetParam() version to kCurrentVersionNumber.
 class LoginDatabaseMigrationTest : public testing::TestWithParam<int> {
  protected:
   void SetUp() override {
     ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
     database_dump_location_ = database_dump_location_.AppendASCII("components")
                                   .AppendASCII("test")
                                   .AppendASCII("data")
                                   .AppendASCII("password_manager");
     database_path_ = temp_dir_.path().AppendASCII("test.db");
+#if defined(OS_MACOSX)
+    OSCrypt::UseMockKeychain(true);
+#endif  // defined(OS_MACOSX)
   }
 
   // Creates the databse from |sql_file|.
   void CreateDatabase(base::StringPiece sql_file) {
     base::FilePath database_dump;
     ASSERT_TRUE(PathService::Get(base::DIR_SOURCE_ROOT, &database_dump));
     database_dump =
         database_dump.Append(database_dump_location_).AppendASCII(sql_file);
     ASSERT_TRUE(
         sql::test::CreateDatabaseFromSQL(database_path_, database_dump));
@@ skipping 71 matching lines @@
     // Add the same form twice to test the constraints in the database.
     EXPECT_EQ(AddChangeForForm(form), db.AddLogin(form));
     PasswordStoreChangeList list;
     list.push_back(PasswordStoreChange(PasswordStoreChange::REMOVE, form));
     list.push_back(PasswordStoreChange(PasswordStoreChange::ADD, form));
     EXPECT_EQ(list, db.AddLogin(form));
 
     ScopedVector<autofill::PasswordForm> result;
     EXPECT_TRUE(db.GetLogins(form, &result));
     ASSERT_EQ(1U, result.size());
-    FormsAreEqual(form, *result[0]);
+    EXPECT_EQ(form, *result[0]);
     EXPECT_TRUE(db.RemoveLogin(form));
   }
   // New date, in microseconds since platform independent epoch.
   std::vector<int64_t> new_date_created(GetDateCreated());
   if (version() <= 8) {
     ASSERT_EQ(2U, new_date_created.size());
     // Check that the two dates match up.
     for (size_t i = 0; i < date_created.size(); ++i) {
       EXPECT_EQ(base::Time::FromInternalValue(new_date_created[i]),
                 base::Time::FromTimeT(date_created[i]));
@@ skipping 25 matching lines @@
 }
 
 INSTANTIATE_TEST_CASE_P(MigrationToVCurrent,
                         LoginDatabaseMigrationTest,
                         testing::Range(1, kCurrentVersionNumber));
 INSTANTIATE_TEST_CASE_P(MigrationToVCurrent,
                         LoginDatabaseMigrationTestV9,
                         testing::Values(9));
 
 }  // namespace password_manager