Implement Mac Keychain migration algorithm.

chrome/browser/password_manager/password_store_mac_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/password_manager/password_store_mac.h"
 
 #include "base/basictypes.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/scoped_observer.h"
 #include "base/stl_util.h"
@@ skipping 1155 matching lines @@
 }
 
 #pragma mark -
 
 class PasswordStoreMacTest : public testing::Test {
  public:
   PasswordStoreMacTest() : ui_thread_(BrowserThread::UI, &message_loop_) {}
 
   void SetUp() override {
     ASSERT_TRUE(db_dir_.CreateUniqueTempDir());
+    histogram_tester_.reset(new base::HistogramTester);
 
     // Ensure that LoginDatabase will use the mock keychain if it needs to
     // encrypt/decrypt a password.
     OSCrypt::UseMockKeychain(true);
     login_db_.reset(
         new password_manager::LoginDatabase(test_login_db_file_path()));
     thread_.reset(new base::Thread("Chrome_PasswordStore_Thread"));
     ASSERT_TRUE(thread_->Start());
     ASSERT_TRUE(thread_->task_runner()->PostTask(
         FROM_HERE, base::Bind(&PasswordStoreMacTest::InitLoginDatabase,
                               base::Unretained(login_db_.get()))));
     CreateAndInitPasswordStore(login_db_.get());
     // Make sure deferred initialization is performed before some tests start
     // accessing the |login_db| directly.
     FinishAsyncProcessing();
   }
 
   void TearDown() override {
     ClosePasswordStore();
     thread_.reset();
     login_db_.reset();
     // Whatever a test did, PasswordStoreMac stores only empty password values
     // in LoginDatabase. The empty valus do not require encryption and therefore
     // OSCrypt shouldn't call the Keychain. The histogram doesn't cover the
     // internet passwords.
-    EXPECT_FALSE(histogram_tester_.GetHistogramSamplesSinceCreation(
-        "OSX.Keychain.Access"));
+    if (histogram_tester_) {
+      scoped_ptr<base::HistogramSamples> samples =
+          histogram_tester_->GetHistogramSamplesSinceCreation(
+              "OSX.Keychain.Access");
+      EXPECT_TRUE(!samples || samples->TotalCount() == 0);
+    }
   }
 
   static void InitLoginDatabase(password_manager::LoginDatabase* login_db) {
     ASSERT_TRUE(login_db->Init());
   }
 
   void CreateAndInitPasswordStore(password_manager::LoginDatabase* login_db) {
     store_ = new PasswordStoreMac(
         base::ThreadTaskRunnerHandle::Get(), nullptr,
         make_scoped_ptr<AppleKeychain>(new MockAppleKeychain), login_db);
@@ skipping 84 matching lines @@
 
  protected:
   base::MessageLoopForUI message_loop_;
   content::TestBrowserThread ui_thread_;
   // Thread that the synchronous methods are run on.
   scoped_ptr<base::Thread> thread_;
 
   base::ScopedTempDir db_dir_;
   scoped_ptr<password_manager::LoginDatabase> login_db_;
   scoped_refptr<PasswordStoreMac> store_;
-  base::HistogramTester histogram_tester_;
+  scoped_ptr<base::HistogramTester> histogram_tester_;
 };
 
 TEST_F(PasswordStoreMacTest, TestStoreUpdate) {
   // Insert a password into both the database and the keychain.
   // This is done manually, rather than through store_->AddLogin, because the
   // Mock Keychain isn't smart enough to be able to support update generically,
   // so some.domain.com triggers special handling to test it that make inserting
   // fail.
   PasswordFormData joint_data = {
     PasswordForm::SCHEME_HTML, "http://some.domain.com/",
@@ skipping 433 matching lines @@
 // Verify that federated credentials can be stored, retrieved and deleted.
 TEST_F(PasswordStoreMacTest, StoringAndRetrievingFederatedCredentials) {
   PasswordForm form;
   form.signon_realm = "android://7x7IDboo8u9YKraUsbmVkuf1@net.rateflix.app/";
   form.federation_url = GURL(password_manager::kTestingFederationUrlSpec);
   form.username_value = base::UTF8ToUTF16("randomusername");
   form.password_value = base::UTF8ToUTF16("");  // No password.
 
   VerifyCredentialLifecycle(form);
 }
+
+void CheckMigrationResult(PasswordStoreMac::MigrationResult expected_result,
+                          PasswordStoreMac::MigrationResult result) {
+  EXPECT_EQ(expected_result, result);
+  QuitUIMessageLoop();
+}
+
+// Import the passwords from the Keychain to LoginDatabase.
+TEST_F(PasswordStoreMacTest, ImportFromKeychain) {
+  PasswordForm form1;
+  form1.origin = GURL("http://accounts.google.com/LoginAuth");
+  form1.signon_realm = "http://accounts.google.com/";
+  form1.username_value = ASCIIToUTF16("my_username");
+  form1.password_value = ASCIIToUTF16("my_password");
+
+  PasswordForm form2;
+  form2.origin = GURL("http://facebook.com/Login");
+  form2.signon_realm = "http://facebook.com/";
+  form2.username_value = ASCIIToUTF16("my_username");
+  form2.password_value = ASCIIToUTF16("my_password");
+
+  PasswordForm blacklisted_form;
+  blacklisted_form.origin = GURL("http://badsite.com/Login");
+  blacklisted_form.signon_realm = "http://badsite.com/";
+  blacklisted_form.blacklisted_by_user = true;
+
+  store()->AddLogin(form1);
+  store()->AddLogin(form2);
+  store()->AddLogin(blacklisted_form);
+  FinishAsyncProcessing();
+
+  ASSERT_TRUE(base::PostTaskAndReplyWithResult(
+      thread_->task_runner().get(), FROM_HERE,
+      base::Bind(&PasswordStoreMac::ImportFromKeychain, store()),
+      base::Bind(&CheckMigrationResult, PasswordStoreMac::MIGRATION_OK)));
+  FinishAsyncProcessing();
+
+  // The password should be stored in the database by now.
+  ScopedVector<PasswordForm> matching_items;
+  EXPECT_TRUE(login_db()->GetLogins(form1, &matching_items));
+  ASSERT_EQ(1u, matching_items.size());
+  EXPECT_EQ(form1, *matching_items[0]);
+
+  EXPECT_TRUE(login_db()->GetLogins(form2, &matching_items));
+  ASSERT_EQ(1u, matching_items.size());
+  EXPECT_EQ(form2, *matching_items[0]);
+
+  EXPECT_TRUE(login_db()->GetLogins(blacklisted_form, &matching_items));
+  ASSERT_EQ(1u, matching_items.size());
+  EXPECT_EQ(blacklisted_form, *matching_items[0]);
+
+  // The passwords are encrypted using a key from the Keychain.
+  EXPECT_TRUE(histogram_tester_->GetHistogramSamplesSinceCreation(
+                                     "OSX.Keychain.Access")->TotalCount());
+  histogram_tester_.reset();
+}
+
+// Import a federated credential while the Keychain is locked.
+TEST_F(PasswordStoreMacTest, ImportFederatedFromLockedKeychain) {
+  keychain()->set_locked(true);
+  PasswordForm form1;
+  form1.origin = GURL("http://example.com/Login");
+  form1.signon_realm = "http://example.com/";
+  form1.username_value = ASCIIToUTF16("my_username");
+  form1.federation_url = GURL("https://accounts.google.com/");
+
+  store()->AddLogin(form1);
+  FinishAsyncProcessing();
+  ASSERT_TRUE(base::PostTaskAndReplyWithResult(
+      thread_->task_runner().get(), FROM_HERE,
+      base::Bind(&PasswordStoreMac::ImportFromKeychain, store()),
+      base::Bind(&CheckMigrationResult, PasswordStoreMac::MIGRATION_OK)));
+  FinishAsyncProcessing();
+
+  ScopedVector<PasswordForm> matching_items;
+  EXPECT_TRUE(login_db()->GetLogins(form1, &matching_items));
+  ASSERT_EQ(1u, matching_items.size());
+  EXPECT_EQ(form1, *matching_items[0]);
+}
+
+// Try to import while the Keychain is locked but the encryption key had been
+// read earlier.
+TEST_F(PasswordStoreMacTest, ImportFromLockedKeychainError) {
+  PasswordForm form1;
+  form1.origin = GURL("http://accounts.google.com/LoginAuth");
+  form1.signon_realm = "http://accounts.google.com/";
+  form1.username_value = ASCIIToUTF16("my_username");
+  form1.password_value = ASCIIToUTF16("my_password");
+  store()->AddLogin(form1);
+  FinishAsyncProcessing();
+
+  // Add a second keychain item matching the Database entry.
+  PasswordForm form2 = form1;
+  form2.origin = GURL("http://accounts.google.com/Login");
+  form2.password_value = ASCIIToUTF16("1234");
+  MacKeychainPasswordFormAdapter adapter(keychain());
+  EXPECT_TRUE(adapter.AddPassword(form2));
+
+  keychain()->set_locked(true);
+  ASSERT_TRUE(base::PostTaskAndReplyWithResult(
+      thread_->task_runner().get(), FROM_HERE,
+      base::Bind(&PasswordStoreMac::ImportFromKeychain, store()),
+      base::Bind(&CheckMigrationResult, PasswordStoreMac::KEYCHAIN_BLOCKED)));
+  FinishAsyncProcessing();
+
+  ScopedVector<PasswordForm> matching_items;
+  EXPECT_TRUE(login_db()->GetLogins(form1, &matching_items));
+  ASSERT_EQ(1u, matching_items.size());
+  EXPECT_EQ(base::string16(), matching_items[0]->password_value);
+
+  histogram_tester_->ExpectUniqueSample(
+      "PasswordManager.KeychainMigration.NumPasswordsOnFailure", 1, 1);
+  histogram_tester_->ExpectUniqueSample(
+      "PasswordManager.KeychainMigration.NumFailedPasswords", 1, 1);
+  histogram_tester_->ExpectUniqueSample(
+      "PasswordManager.KeychainMigration.NumChromeOwnedFailedPasswords", 2, 1);
+  // Don't test the encryption key access.
+  histogram_tester_.reset();
+}