Support Android username-only credentials.

chrome/browser/password_manager/password_store_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/password_manager/password_store_mac.h"
 #include "chrome/browser/password_manager/password_store_mac_internal.h"
 
 #include <CoreServices/CoreServices.h>
 #include <set>
 #include <string>
@@ skipping 220 matching lines @@
     mover(scoped_ptr<autofill::PasswordForm>(form_ptr));
   }
   // We moved the ownership of every form out of |forms|. For performance
   // reasons, we can just weak_clear it, instead of nullptr-ing the respective
   // elements and letting the vector's destructor to go through the list once
   // more. This was tested on a benchmark, and seemed to make a difference on
   // Mac.
   forms->weak_clear();
 }
 
+// True if the form has no password to be stored in Keychain.
+bool IsLoginDatabaseOnlyForm(const autofill::PasswordForm& form) {
+  return form.blacklisted_by_user || !form.federation_url.is_empty() ||
+         form.scheme == autofill::PasswordForm::SCHEME_USERNAME_ONLY;
+}
+
 }  // namespace
 
 #pragma mark -
 
 // TODO(stuartmorgan): Convert most of this to private helpers in
 // MacKeychainPasswordFormAdapter once it has sufficient higher-level public
 // methods to provide test coverage.
 namespace internal_keychain_helpers {
 
 // Returns a URL built from the given components. To create a URL without a
@@ skipping 212 matching lines @@
       break;
     }
   }
   keychain.ItemFreeAttributesAndData(attr_list, nullptr);
   return creator_code && creator_code == base::mac::CreatorCodeForApplication();
 }
 
 bool FormsMatchForMerge(const PasswordForm& form_a,
                         const PasswordForm& form_b,
                         FormMatchStrictness strictness) {
-  // We never merge blacklist entries between our store and the Keychain,
-  // and federated logins should not be stored in the Keychain at all.
-  if (form_a.blacklisted_by_user || form_b.blacklisted_by_user ||
-      !form_a.federation_url.is_empty() || !form_b.federation_url.is_empty()) {
+  if (IsLoginDatabaseOnlyForm(form_a) || IsLoginDatabaseOnlyForm(form_b))
     return false;
-  }
+
   bool equal_realm = form_a.signon_realm == form_b.signon_realm;
   if (strictness == FUZZY_FORM_MATCH) {
     equal_realm |= form_a.is_public_suffix_match;
   }
   return form_a.scheme == form_b.scheme && equal_realm &&
          form_a.username_value == form_b.username_value;
 }
 
 // Moves entries from |forms| that represent either blacklisted or federated
 // logins into |extracted|. These two types are stored only in the LoginDatabase
 // and do not have corresponding Keychain entries.
 void ExtractNonKeychainForms(ScopedVector<autofill::PasswordForm>* forms,
                              ScopedVector<autofill::PasswordForm>* extracted) {
   extracted->reserve(extracted->size() + forms->size());
   ScopedVector<autofill::PasswordForm> remaining;
   MoveAllFormsOut(
       forms, [&remaining, extracted](scoped_ptr<autofill::PasswordForm> form) {
-        if (form->blacklisted_by_user || !form->federation_url.is_empty())
+        if (IsLoginDatabaseOnlyForm(*form))
           extracted->push_back(form.Pass());
         else
           remaining.push_back(form.Pass());
       });
   forms->swap(remaining);
 }
 
 // Takes |keychain_forms| and |database_forms| and moves the following 2 types
 // of forms to |merged_forms|:
 //   (1) |database_forms| that by principle never have a corresponding Keychain
@@ skipping 207 matching lines @@
   SecKeychainItemRef keychain_item = KeychainItemForForm(query_form);
   if (keychain_item) {
     keychain_->Free(keychain_item);
     return true;
   }
   return false;
 }
 
 bool MacKeychainPasswordFormAdapter::HasPasswordsMergeableWithForm(
     const PasswordForm& query_form) {
-  if (!query_form.federation_url.is_empty())
+  if (IsLoginDatabaseOnlyForm(query_form))
     return false;
   std::string username = base::UTF16ToUTF8(query_form.username_value);
   std::vector<SecKeychainItemRef> matches =
       MatchingKeychainItems(query_form.signon_realm, query_form.scheme,
                             NULL, username.c_str());
   for (std::vector<SecKeychainItemRef>::iterator i = matches.begin();
        i != matches.end(); ++i) {
     keychain_->Free(*i);
   }
 
@@ skipping 26 matching lines @@
 }
 
 ScopedVector<autofill::PasswordForm>
 MacKeychainPasswordFormAdapter::GetAllPasswordFormPasswords() {
   std::vector<SecKeychainItemRef> items = GetAllPasswordFormKeychainItems();
   return ConvertKeychainItemsToForms(&items);
 }
 
 bool MacKeychainPasswordFormAdapter::AddPassword(const PasswordForm& form) {
   // We should never be trying to store a blacklist in the keychain.
-  DCHECK(!form.blacklisted_by_user);
+  DCHECK(!IsLoginDatabaseOnlyForm(form));
 
   std::string server;
   std::string security_domain;
   UInt32 port;
   bool is_secure;
   if (!internal_keychain_helpers::ExtractSignonRealmComponents(
            form.signon_realm, &server, &port, &is_secure, &security_domain)) {
     return false;
   }
   std::string path;
@@ skipping 59 matching lines @@
   }
   items->clear();
   return forms.Pass();
 }
 
 SecKeychainItemRef MacKeychainPasswordFormAdapter::KeychainItemForForm(
     const PasswordForm& form) {
   // We don't store blacklist entries in the keychain, so the answer to "what
   // Keychain item goes with this form" is always "nothing" for blacklists.
   // Same goes for federated logins.
-  if (form.blacklisted_by_user || !form.federation_url.is_empty()) {
+  if (IsLoginDatabaseOnlyForm(form))
     return NULL;
-  }
 
   std::string path;
   // Path doesn't make sense for Android app credentials.
   if (!password_manager::IsValidAndroidFacetURI(form.signon_realm))
     path = form.origin.path();
   std::string username = base::UTF16ToUTF8(form.username_value);
   std::vector<SecKeychainItemRef> matches = MatchingKeychainItems(
       form.signon_realm, form.scheme, path.c_str(), username.c_str());
 
   if (matches.empty()) {
@@ skipping 45 matching lines @@
 }
 
 // Returns the Keychain SecAuthenticationType type corresponding to |scheme|.
 SecAuthenticationType MacKeychainPasswordFormAdapter::AuthTypeForScheme(
     PasswordForm::Scheme scheme) {
   switch (scheme) {
     case PasswordForm::SCHEME_HTML:   return kSecAuthenticationTypeHTMLForm;
     case PasswordForm::SCHEME_BASIC:  return kSecAuthenticationTypeHTTPBasic;
     case PasswordForm::SCHEME_DIGEST: return kSecAuthenticationTypeHTTPDigest;
     case PasswordForm::SCHEME_OTHER:  return kSecAuthenticationTypeDefault;
+    case PasswordForm::SCHEME_USERNAME_ONLY:
+      NOTREACHED();
+      break;
   }
   NOTREACHED();
   return kSecAuthenticationTypeDefault;
 }
 
 bool MacKeychainPasswordFormAdapter::SetKeychainItemPassword(
     const SecKeychainItemRef& keychain_item, const std::string& password) {
   OSStatus result = keychain_->ItemModifyAttributesAndData(keychain_item, NULL,
                                                            password.size(),
                                                            password.c_str());
@@ skipping 246 matching lines @@
   }
 
   // Let's gather all signon realms we want to match with keychain entries.
   std::set<std::string> realm_set;
   realm_set.insert(form.signon_realm);
   for (const autofill::PasswordForm* db_form : database_forms) {
     // TODO(vabr): We should not be getting different schemes here.
     // http://crbug.com/340112
     if (form.scheme != db_form->scheme)
       continue;  // Forms with different schemes never match.
     if (db_form->is_public_suffix_match)

[engedy, 2015/10/13 12:11:33]

We need to take |is_affiliation_based_match| into account here as well. Or
instead, check if |form.signon_realm != db_form.signon_realm|, so that it's more
robust.

[vasilii, 2015/10/13 18:05:26]

That's unrelated to the current CL. Please follow up with Vadym about it.

       realm_set.insert(db_form->signon_realm);
   }
   ScopedVector<autofill::PasswordForm> keychain_forms;
   for (std::set<std::string>::const_iterator realm = realm_set.begin();
        realm != realm_set.end(); ++realm) {
     MacKeychainPasswordFormAdapter keychain_adapter(keychain_.get());
     ScopedVector<autofill::PasswordForm> temp_keychain_forms =
         keychain_adapter.PasswordsFillingForm(*realm, form.scheme);
     AppendSecondToFirst(&keychain_forms, &temp_keychain_forms);
   }
@@ skipping 58 matching lines @@
 
 scoped_ptr<password_manager::InteractionsStats>
 PasswordStoreMac::GetSiteStatsImpl(const GURL& origin_domain) {
   DCHECK(GetBackgroundTaskRunner()->BelongsToCurrentThread());
   return login_metadata_db_
              ? login_metadata_db_->stats_table().GetRow(origin_domain)
              : scoped_ptr<password_manager::InteractionsStats>();
 }
 
 bool PasswordStoreMac::AddToKeychainIfNecessary(const PasswordForm& form) {
-  if (form.blacklisted_by_user || !form.federation_url.is_empty())
+  if (IsLoginDatabaseOnlyForm(form))
     return true;
   MacKeychainPasswordFormAdapter keychainAdapter(keychain_.get());
   return keychainAdapter.AddPassword(form);
 }
 
 bool PasswordStoreMac::DatabaseHasFormMatchingKeychainForm(
     const autofill::PasswordForm& form) {
   DCHECK(login_metadata_db_);
   bool has_match = false;
   ScopedVector<autofill::PasswordForm> database_forms;
@@ skipping 48 matching lines @@
   ScopedVector<PasswordForm> forms_with_keychain_entry;
   internal_keychain_helpers::GetPasswordsForForms(*keychain_, &database_forms,
                                                   &forms_with_keychain_entry);
 
   // Clean up any orphaned database entries.
   RemoveDatabaseForms(&database_forms);
 
   // Move the orphaned DB forms to the output parameter.
   AppendSecondToFirst(orphaned_forms, &database_forms);
 }