cros: Added a new function to quick unlock api for checking unfinished pins.

chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc

Index: chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc
diff --git a/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc b/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc
index 50bdfb92b393bb1028d07ee2ed4c58c2058f0e0c..39ef0378003f6e81a185d4ec3497d1173a018c23 100644
--- a/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc
+++ b/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc
@@ -7,8 +7,10 @@
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage.h"
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage_factory.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/common/pref_names.h"
 #include "chromeos/login/auth/extended_authenticator.h"
 #include "chromeos/login/auth/user_context.h"
+#include "components/prefs/pref_service.h"
 #include "extensions/browser/event_router.h"
 
 namespace extensions {
@@ -16,8 +18,11 @@ namespace extensions {
 namespace quick_unlock_private = api::quick_unlock_private;
 namespace SetModes = quick_unlock_private::SetModes;
 namespace GetActiveModes = quick_unlock_private::GetActiveModes;
+namespace CheckCredential = quick_unlock_private::CheckCredential;
 namespace GetAvailableModes = quick_unlock_private::GetAvailableModes;
 namespace OnActiveModesChanged = quick_unlock_private::OnActiveModesChanged;
+using CredentialProblem = quick_unlock_private::CredentialProblem;
+using CredentialCheck = quick_unlock_private::CredentialCheck;
 using QuickUnlockMode = quick_unlock_private::QuickUnlockMode;
 using QuickUnlockModeList = std::vector<QuickUnlockMode>;
 
@@ -27,6 +32,9 @@ const char kModesAndCredentialsLengthMismatch[] =
     "|modes| and |credentials| must have the same number of elements";
 const char kMultipleModesNotSupported[] =
     "At most one quick unlock mode can be active.";
+// Pins greater in length than |kPinCheckWeakThreshold| will be checked for

[jdufault, 2016/11/02 19:22:59]

nit: Pins => PINs

[sammiequon, 2016/11/03 16:54:12]

Done.

+// weakness.
+const int kPinCheckWeakThreshold = 2;

[jdufault, 2016/11/02 19:22:59]

Using Threshold as a name is a bit confusing here. It could mean any number of
things, like some threshold heuristic?

I'd go with something more explicit, ie, kMinPinLengthForWeakCheck,
kMinWeakPinLength, or kMinLengthForWeakPin.

[sammiequon, 2016/11/03 16:54:12]

Done.

 
 // Returns the active set of quick unlock modes.
 QuickUnlockModeList ComputeActiveModes(Profile* profile) {
@@ -56,6 +64,92 @@ bool AreModesEqual(const QuickUnlockModeList& a, const QuickUnlockModeList& b) {
   return true;
 }
 
+std::vector<CredentialProblem> IsPinNumeric(const std::string& pin) {
+  std::vector<CredentialProblem> problems;
+  if (!std::all_of(pin.begin(), pin.end(), ::isdigit))
+    problems.push_back(CredentialProblem::CREDENTIAL_PROBLEM_CONTAINS_NONDIGIT);
+  return problems;
+}
+
+// Returns a list of length related problems (if any) for a given |pin|
+// given the PIN min/max policies in |profile|. If |out_min_length| and/or
+// |out_max_length| are valid pointers, return the profile min/max length as
+// well.
+std::vector<CredentialProblem> IsPinLengthValid(const std::string& pin,
+                                                Profile* profile,
+                                                int* out_min_length,
+                                                int* out_max_length) {
+  PrefService* pref_service = profile->GetPrefs();
+  int min_length = pref_service->GetInteger(prefs::kPinUnlockMinimumLength);
+  int max_length = pref_service->GetInteger(prefs::kPinUnlockMaximumLength);
+  // If the maximum length is nonzero and shorter than the minimum length, the
+  // maximum length is the minimum length.
+  if (max_length != 0 && max_length < min_length)

[jdufault, 2016/11/02 19:22:59]

This should happen after the sanitization check.

[sammiequon, 2016/11/03 16:54:12]

Done.

+    max_length = min_length;
+
+  // Sanitize the policy input.
+  if (min_length < 1)
+    min_length = 1;
+  if (max_length < 0)
+    max_length = 0;
+
+  if (out_min_length)
+    *out_min_length = min_length;
+  if (out_max_length)
+    *out_max_length = max_length;
+
+  std::vector<CredentialProblem> problems;
+
+  // Check if the pin is shorter than the minimum specified length.
+  if (int{pin.size()} < min_length)
+    problems.push_back(CredentialProblem::CREDENTIAL_PROBLEM_TOO_SHORT);
+
+  // If the maximum specified length is zero, there is no maximum length.
+  // Otherwise check if the pin is longer than the maximum specified length.
+  if (max_length != 0 && int{pin.size()} > max_length)
+    problems.push_back(CredentialProblem::CREDENTIAL_PROBLEM_TOO_LONG);
+
+  return problems;
+}
+
+// Returns a list of problems regarding the difficulty of the pin (if any) for
+// a given |pin|.
+std::vector<CredentialProblem> IsPinDifficultEnough(const std::string& pin) {
+  std::vector<CredentialProblem> problems;
+  // TODO(sammiequon): Add a check for the top 10 used pins. See
+  // crbug.com/661649.

[jdufault, 2016/11/02 19:22:59]

I don't think adding the check will be much work, can you do it in this CL?

[sammiequon, 2016/11/03 16:54:12]

Done.

+
+  // If the pin length is |kPinCheckWeakThreshold| or less, there is no need to
+  // check for same character and increasing pin.
+  if (int{pin.size()} <= kPinCheckWeakThreshold)
+    return problems;
+
+  // Check for same digits, increasing pin simutaneously.
+  bool is_same = true;
+  bool is_increasing = true;
+  bool is_decreasing = true;
+  for (int i = 1; i < int{pin.length()}; ++i) {
+    const char previous = pin[i - 1];
+    const char current = pin[i];
+
+    is_same = is_same && (current == previous);
+    is_increasing = is_increasing && (current == previous + 1);
+    is_decreasing = is_decreasing && (current == previous - 1);
+  }
+
+  // Pin is considered weak if either of these is met.

[jdufault, 2016/11/02 19:22:59]

nit: either => any
nit: Pin => PIN

[sammiequon, 2016/11/03 16:54:13]

Done.

+  if (is_same || is_increasing || is_decreasing)
+    problems.push_back(CredentialProblem::CREDENTIAL_PROBLEM_TOO_WEAK);
+
+  return problems;
+}
+
+void AppendToProblemList(std::vector<CredentialProblem>& list_to_append_to,

[jdufault, 2016/11/02 19:22:59]

What about a standard src/dest name?

AppendToProblemList(vector dest, vector src)

src first feels more natural to me, but I'm not sure if we have standardized
upon anything so up to you.

[sammiequon, 2016/11/03 16:54:12]

Done.

+                         const std::vector<CredentialProblem>& list_to_append) {
+  list_to_append_to.insert(list_to_append_to.end(), list_to_append.begin(),
+                           list_to_append.end());
+}
+
 }  // namespace
 
 // quickUnlockPrivate.getAvailableModes
@@ -93,6 +187,53 @@ QuickUnlockPrivateGetActiveModesFunction::Run() {
   return RespondNow(ArgumentList(GetActiveModes::Results::Create(modes)));
 }
 
+// quickUnlockPrivate.checkCredential
+
+QuickUnlockPrivateCheckCredentialFunction::
+    QuickUnlockPrivateCheckCredentialFunction()
+    : chrome_details_(this) {}
+
+QuickUnlockPrivateCheckCredentialFunction::
+    ~QuickUnlockPrivateCheckCredentialFunction() {}
+
+ExtensionFunction::ResponseAction
+QuickUnlockPrivateCheckCredentialFunction::Run() {
+  params_ = CheckCredential::Params::Create(*args_);
+  EXTENSION_FUNCTION_VALIDATE(params_.get());
+
+  auto result = base::MakeUnique<CredentialCheck>();
+
+  // Only handles pins for now.
+  if (params_->mode != QuickUnlockMode::QUICK_UNLOCK_MODE_PIN) {
+    return RespondNow(ArgumentList(CheckCredential::Results::Create(*result)));

[jdufault, 2016/11/02 19:22:59]

nit: drop {}

[sammiequon, 2016/11/03 16:54:13]

Done.

+  }
+
+  std::string credential = params_->credential;
+
+  Profile* profile = chrome_details_.GetProfile();
+  PrefService* pref_service = profile->GetPrefs();
+  bool allow_weak = pref_service->GetBoolean(prefs::kPinUnlockAllowWeakPins);
+
+  // Check and return the problems.
+  // Note: This function call writes values to |result->min_length| and

[jdufault, 2016/11/02 19:22:59]

This comment should be above the IsPinLengthValid function call.

[sammiequon, 2016/11/03 16:54:12]

Done.

+  // |result->max_length|.
+  std::vector<CredentialProblem> validity_problems = IsPinNumeric(credential);
+  std::vector<CredentialProblem> length_problems = IsPinLengthValid(
+      credential, profile, &result->min_length, &result->max_length);
+  std::vector<CredentialProblem> weak_problems =
+      IsPinDifficultEnough(credential);
+
+  // Append the results from various checks to the appropriate list in |result|.
+  // |validity_problems| and |length_problems| are always errors, while
+  // |weak_problems| are errors or warnings depending on the policy.
+  AppendToProblemList(result->errors, validity_problems);
+  AppendToProblemList(result->errors, length_problems);
+  AppendToProblemList(allow_weak ? result->warnings : result->errors,
+                      weak_problems);
+
+  return RespondNow(ArgumentList(CheckCredential::Results::Create(*result)));
+}
+
 // quickUnlockPrivate.setModes
 
 QuickUnlockPrivateSetModesFunction::QuickUnlockPrivateSetModesFunction()
@@ -121,10 +262,27 @@ ExtensionFunction::ResponseAction QuickUnlockPrivateSetModesFunction::Run() {
   if (params_->modes.size() > 1)
     return RespondNow(Error(kMultipleModesNotSupported));
 
-  // Verify every credential is numeric.
-  for (const std::string& credential : params_->credentials) {
-    if (!std::all_of(credential.begin(), credential.end(), ::isdigit))
-      return RespondNow(ArgumentList(SetModes::Results::Create(false)));
+  // Verify every credential is valid based on policies.
+  bool allow_weak = chrome_details_.GetProfile()->GetPrefs()->GetBoolean(
+      prefs::kPinUnlockAllowWeakPins);
+  for (size_t j = 0; j < params_->modes.size(); ++j) {
+    if (params_->credentials[j].empty())
+      continue;
+
+    if (params_->modes[j] == QuickUnlockMode::QUICK_UNLOCK_MODE_PIN) {
+      if (!IsPinNumeric(params_->credentials[j]).empty())
+        return RespondNow(ArgumentList(SetModes::Results::Create(false)));
+
+      if (!IsPinLengthValid(params_->credentials[j],
+                            chrome_details_.GetProfile(), nullptr, nullptr)
+               .empty()) {
+        return RespondNow(ArgumentList(SetModes::Results::Create(false)));
+      }
+      if (!allow_weak &&
+          !IsPinDifficultEnough(params_->credentials[j]).empty()) {
+        return RespondNow(ArgumentList(SetModes::Results::Create(false)));
+      }
+    }
   }
 
   user_manager::User* user = chromeos::ProfileHelper::Get()->GetUserByProfile(