Chromium Code Reviews Chromium Code Reviews
Issue 2374303002:
cros: Added a new function to quick unlock api for checking unfinished pins. (Closed)
| Index: chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc |
| diff --git a/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc b/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc |
| index 50bdfb92b393bb1028d07ee2ed4c58c2058f0e0c..2aa2efe0a5da0786753190ba0287b98a1ef939fc 100644 |
| --- a/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc |
| +++ b/chrome/browser/chromeos/extensions/quick_unlock_private/quick_unlock_private_api.cc |
| @@ -7,8 +7,10 @@ |
| #include "chrome/browser/chromeos/login/quick_unlock/pin_storage.h" |
| #include "chrome/browser/chromeos/login/quick_unlock/pin_storage_factory.h" |
| #include "chrome/browser/chromeos/profiles/profile_helper.h" |
| +#include "chrome/common/pref_names.h" |
| #include "chromeos/login/auth/extended_authenticator.h" |
| #include "chromeos/login/auth/user_context.h" |
| +#include "components/prefs/pref_service.h" |
| #include "extensions/browser/event_router.h" |
| namespace extensions { |
| @@ -16,8 +18,14 @@ namespace extensions { |
| namespace quick_unlock_private = api::quick_unlock_private; |
| namespace SetModes = quick_unlock_private::SetModes; |
| namespace GetActiveModes = quick_unlock_private::GetActiveModes; |
| +namespace CheckCredential = quick_unlock_private::CheckCredential; |
| +namespace GetCredentialRequirements = |
| + quick_unlock_private::GetCredentialRequirements; |
| namespace GetAvailableModes = quick_unlock_private::GetAvailableModes; |
| namespace OnActiveModesChanged = quick_unlock_private::OnActiveModesChanged; |
| +using CredentialProblem = quick_unlock_private::CredentialProblem; |
| +using CredentialCheck = quick_unlock_private::CredentialCheck; |
| +using CredentialRequirements = quick_unlock_private::CredentialRequirements; |
| using QuickUnlockMode = quick_unlock_private::QuickUnlockMode; |
| using QuickUnlockModeList = std::vector<QuickUnlockMode>; |
| @@ -27,6 +35,14 @@ const char kModesAndCredentialsLengthMismatch[] = |
| "|modes| and |credentials| must have the same number of elements"; |
| const char kMultipleModesNotSupported[] = |
| "At most one quick unlock mode can be active."; |
| +// PINs greater in length than |kMinLengthForWeakPin| will be checked for |
| +// weakness. |
| +const int kMinLengthForNonWeakPin = 2; |
| +// A list of the most commmonly used PINs, whose digits are not all the same, |
| +// increasing or decreasing. This list is taken from |
| +// www.datagenetics.com/blog/september32012/. |
| +const char* kMostCommonPins[] = {"1212", "1004", "2000", "6969", |
| + "1122", "1313", "2001", "1010"}; |
| // Returns the active set of quick unlock modes. |
| QuickUnlockModeList ComputeActiveModes(Profile* profile) { |
| @@ -56,6 +72,98 @@ bool AreModesEqual(const QuickUnlockModeList& a, const QuickUnlockModeList& b) { |
| return true; |
| } |
| +bool IsPinNumeric(const std::string& pin) { |
| + return std::all_of(pin.begin(), pin.end(), ::isdigit); |
| +} |
| + |
| +void GetSanitizedPolicyPinMinMaxLength(PrefService* pref_service, |
| + int* out_min_length, |
| + int* out_max_length) { |
| + int min_length = pref_service->GetInteger(prefs::kPinUnlockMinimumLength); |
| + int max_length = pref_service->GetInteger(prefs::kPinUnlockMaximumLength); |
| + |
| + // Sanitize the policy input. |
| + if (min_length < 1) |
| + min_length = 1; |
| + if (max_length < 0) |
| + max_length = 0; |
| + |
| + if (max_length != 0 && max_length < min_length) |
| + max_length = min_length; |
| + |
| + DCHECK(out_min_length && out_max_length); |
|
stevenjb
2016/12/01 17:32:13
nit: DCHECK input requirements at top of function.
sammiequon
2016/12/01 18:31:30
Done.
|
| + |
| + *out_min_length = min_length; |
| + *out_max_length = max_length; |
| +} |
| + |
| +// Checks whether a given |pin| is valid given the PIN min/max policies in |
| +// |pref_service|. If |length_problem| is a valid pointer return the type of |
| +// problem. |
| +bool IsPinLengthValid(const std::string& pin, |
| + PrefService* pref_service, |
| + CredentialProblem* length_problem) { |
| + int min_length, max_length; |
| + GetSanitizedPolicyPinMinMaxLength(pref_service, &min_length, &max_length); |
| + |
| + // Check if the PIN is shorter than the minimum specified length. |
| + if (int{pin.size()} < min_length) { |
| + if (length_problem) |
| + *length_problem = CredentialProblem::CREDENTIAL_PROBLEM_TOO_SHORT; |
| + return false; |
| + } |
| + |
| + // If the maximum specified length is zero, there is no maximum length. |
| + // Otherwise check if the PIN is longer than the maximum specified length. |
| + if (max_length != 0 && int{pin.size()} > max_length) { |
| + if (length_problem) |
| + *length_problem = CredentialProblem::CREDENTIAL_PROBLEM_TOO_LONG; |
| + return false; |
| + } |
| + |
| + return true; |
| +} |
| + |
| +// Checks if a given |pin| is weak or not. A PIN is considered weak if it: |
| +// a) is on this list - www.datagenetics.com/blog/september32012/ |
| +// b) has all the same digits |
| +// c) each digit is one larger than the previous digit |
| +// d) each digit is one smaller than the previous digit |
| +// Note: A 9 followed by a 0 is not considered increasing, and a 0 followed by |
| +// a 9 is not considered decreasing. |
| +bool IsPinDifficultEnough(const std::string& pin) { |
| + // If the pin length is |kMinLengthForNonWeakPin| or less, there is no need to |
| + // check for same character and increasing pin. |
| + if (int{pin.size()} <= kMinLengthForNonWeakPin) |
| + return true; |
| + |
| + // Check if it is on the list of most common PINs. |
| + if (std::find(kMostCommonPins, std::end(kMostCommonPins), pin) != |
| + std::end(kMostCommonPins)) { |
| + return false; |
| + } |
| + |
| + // Check for same digits, increasing and decreasing PIN simultaneously. |
| + bool is_same = true; |
| + // TODO(sammiequon): Should longer PINs (5+) be still subjected to this? |
| + bool is_increasing = true; |
| + bool is_decreasing = true; |
| + for (int i = 1; i < int{pin.length()}; ++i) { |
| + const char previous = pin[i - 1]; |
| + const char current = pin[i]; |
| + |
| + is_same = is_same && (current == previous); |
| + is_increasing = is_increasing && (current == previous + 1); |
| + is_decreasing = is_decreasing && (current == previous - 1); |
| + } |
| + |
| + // PIN is considered weak if any of these conditions is met. |
| + if (is_same || is_increasing || is_decreasing) |
| + return false; |
| + |
| + return true; |
| +} |
| + |
| } // namespace |
| // quickUnlockPrivate.getAvailableModes |
| @@ -93,6 +201,79 @@ QuickUnlockPrivateGetActiveModesFunction::Run() { |
| return RespondNow(ArgumentList(GetActiveModes::Results::Create(modes))); |
| } |
| +// quickUnlockPrivate.checkCredential |
| + |
| +QuickUnlockPrivateCheckCredentialFunction:: |
| + QuickUnlockPrivateCheckCredentialFunction() {} |
| + |
| +QuickUnlockPrivateCheckCredentialFunction:: |
| + ~QuickUnlockPrivateCheckCredentialFunction() {} |
| + |
| +ExtensionFunction::ResponseAction |
| +QuickUnlockPrivateCheckCredentialFunction::Run() { |
| + std::unique_ptr<CheckCredential::Params> params_ = |
| + CheckCredential::Params::Create(*args_); |
| + EXTENSION_FUNCTION_VALIDATE(params_); |
| + |
| + auto result = base::MakeUnique<CredentialCheck>(); |
| + |
| + // Only handles pins for now. |
| + if (params_->mode != QuickUnlockMode::QUICK_UNLOCK_MODE_PIN) |
| + return RespondNow(ArgumentList(CheckCredential::Results::Create(*result))); |
| + |
| + const std::string& credential = params_->credential; |
| + |
| + Profile* profile = Profile::FromBrowserContext(browser_context()); |
| + PrefService* pref_service = profile->GetPrefs(); |
| + bool allow_weak = pref_service->GetBoolean(prefs::kPinUnlockAllowWeakPins); |
| + |
| + // Check and return the problems. |
| + if (!IsPinNumeric(credential)) { |
| + result->errors.push_back( |
| + CredentialProblem::CREDENTIAL_PROBLEM_CONTAINS_NONDIGIT); |
| + } |
| + |
| + CredentialProblem length_problem = CredentialProblem::CREDENTIAL_PROBLEM_NONE; |
| + // Note: This function call writes values |length_problem|. |
| + if (!IsPinLengthValid(credential, pref_service, &length_problem)) { |
| + DCHECK_NE(length_problem, CredentialProblem::CREDENTIAL_PROBLEM_NONE); |
| + result->errors.push_back(length_problem); |
| + } |
| + |
| + if (!IsPinDifficultEnough(credential)) { |
| + if (allow_weak) { |
| + result->warnings.push_back( |
| + CredentialProblem::CREDENTIAL_PROBLEM_TOO_WEAK); |
| + } else { |
| + result->errors.push_back(CredentialProblem::CREDENTIAL_PROBLEM_TOO_WEAK); |
| + } |
| + } |
| + |
| + return RespondNow(ArgumentList(CheckCredential::Results::Create(*result))); |
| +} |
| + |
| +QuickUnlockPrivateGetCredentialRequirementsFunction:: |
| + QuickUnlockPrivateGetCredentialRequirementsFunction() {} |
| + |
| +QuickUnlockPrivateGetCredentialRequirementsFunction:: |
| + ~QuickUnlockPrivateGetCredentialRequirementsFunction() {} |
| + |
| +ExtensionFunction::ResponseAction |
| +QuickUnlockPrivateGetCredentialRequirementsFunction::Run() { |
| + std::unique_ptr<GetCredentialRequirements::Params> params_ = |
| + GetCredentialRequirements::Params::Create(*args_); |
| + EXTENSION_FUNCTION_VALIDATE(params_); |
| + |
| + auto result = base::MakeUnique<CredentialRequirements>(); |
| + |
| + GetSanitizedPolicyPinMinMaxLength( |
| + Profile::FromBrowserContext(browser_context())->GetPrefs(), |
| + &result->min_length, &result->max_length); |
| + |
| + return RespondNow( |
| + ArgumentList(GetCredentialRequirements::Results::Create(*result))); |
| +} |
| + |
| // quickUnlockPrivate.setModes |
| QuickUnlockPrivateSetModesFunction::QuickUnlockPrivateSetModesFunction() |
| @@ -113,7 +294,7 @@ void QuickUnlockPrivateSetModesFunction::SetModesChangedEventHandlerForTesting( |
| ExtensionFunction::ResponseAction QuickUnlockPrivateSetModesFunction::Run() { |
| params_ = SetModes::Params::Create(*args_); |
| - EXTENSION_FUNCTION_VALIDATE(params_.get()); |
| + EXTENSION_FUNCTION_VALIDATE(params_); |
| if (params_->modes.size() != params_->credentials.size()) |
| return RespondNow(Error(kModesAndCredentialsLengthMismatch)); |
| @@ -121,10 +302,28 @@ ExtensionFunction::ResponseAction QuickUnlockPrivateSetModesFunction::Run() { |
| if (params_->modes.size() > 1) |
| return RespondNow(Error(kMultipleModesNotSupported)); |
| - // Verify every credential is numeric. |
| - for (const std::string& credential : params_->credentials) { |
| - if (!std::all_of(credential.begin(), credential.end(), ::isdigit)) |
| + // Verify every credential is valid based on policies. |
| + Profile::Profile* profile = Profile::FromBrowserContext(browser_context()); |
| + bool allow_weak = |
| + profile->GetPrefs()->GetBoolean(prefs::kPinUnlockAllowWeakPins); |
| + |
| + for (size_t j = 0; j < params_->modes.size(); ++j) { |
| + if (params_->credentials[j].empty()) |
| + continue; |
| + |
| + if (params_->modes[j] != QuickUnlockMode::QUICK_UNLOCK_MODE_PIN) |
| + continue; |
| + |
| + if (!IsPinNumeric(params_->credentials[j])) |
| + return RespondNow(ArgumentList(SetModes::Results::Create(false))); |
| + |
| + if (!IsPinLengthValid(params_->credentials[j], profile->GetPrefs(), |
| + nullptr)) { |
| return RespondNow(ArgumentList(SetModes::Results::Create(false))); |
| + } |
| + if (!allow_weak && !IsPinDifficultEnough(params_->credentials[j])) { |
| + return RespondNow(ArgumentList(SetModes::Results::Create(false))); |
| + } |
| } |
| user_manager::User* user = chromeos::ProfileHelper::Get()->GetUserByProfile( |
