Trigger protected password entry request on password reuse event.

components/safe_browsing/password_protection/password_protection_request.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "components/safe_browsing/password_protection/password_protection_request.h"
 
 #include "base/memory/ptr_util.h"
 #include "base/memory/weak_ptr.h"
 #include "base/metrics/histogram_macros.h"
 #include "components/data_use_measurement/core/data_use_user_data.h"
 #include "components/safe_browsing_db/database_manager.h"
 #include "net/base/escape.h"
 #include "net/base/load_flags.h"
 #include "net/base/url_util.h"
 #include "net/http/http_status_code.h"
 
 using content::BrowserThread;
 
 namespace safe_browsing {
 
 PasswordProtectionRequest::PasswordProtectionRequest(
     const GURL& main_frame_url,
     const GURL& password_form_action,
     const GURL& password_form_frame_url,
+    const std::string& legitimate_domain,
     LoginReputationClientRequest::TriggerType type,
     PasswordProtectionService* pps,
     int request_timeout_in_ms)
     : main_frame_url_(main_frame_url),
       password_form_action_(password_form_action),
       password_form_frame_url_(password_form_frame_url),
+      legitimate_domain_(legitimate_domain),
       request_type_(type),
       password_protection_service_(pps),
       database_manager_(password_protection_service_->database_manager()),
       request_timeout_in_ms_(request_timeout_in_ms),
       weakptr_factory_(this) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 }
 
 PasswordProtectionRequest::~PasswordProtectionRequest() {
   weakptr_factory_.InvalidateWeakPtrs();
@@ skipping 35 matching lines @@
   std::unique_ptr<LoginReputationClientResponse> cached_response =
       base::MakeUnique<LoginReputationClientResponse>();
   auto verdict = password_protection_service_->GetCachedVerdict(
       main_frame_url_, cached_response.get());
   if (verdict != LoginReputationClientResponse::VERDICT_TYPE_UNSPECIFIED)
     Finish(RequestOutcome::RESPONSE_ALREADY_CACHED, std::move(cached_response));
   else
     SendRequest();
 }
 
 void PasswordProtectionRequest::FillRequestProto() {

[Nathan Parker, 2017/05/12 22:27:59]

Are there tests for this function?

[Jialiu Lin, 2017/05/13 00:24:12]

Done. Added 2 unit tests to verify request proto.

   request_proto_ = base::MakeUnique<LoginReputationClientRequest>();
   request_proto_->set_page_url(main_frame_url_.spec());
   request_proto_->set_trigger_type(request_type_);
   password_protection_service_->FillUserPopulation(request_type_,
                                                    request_proto_.get());
   request_proto_->set_stored_verdict_cnt(
       password_protection_service_->GetStoredVerdictCount());
   LoginReputationClientRequest::Frame* main_frame =
       request_proto_->add_frames();
   main_frame->set_url(main_frame_url_.spec());
   main_frame->set_frame_index(0 /* main frame */);
   password_protection_service_->FillReferrerChain(
       main_frame_url_, -1 /* tab id not available */, main_frame);
-  LoginReputationClientRequest::Frame::Form* password_form;
-  if (password_form_frame_url_ == main_frame_url_) {
-    main_frame->set_has_password_field(true);
-    password_form = main_frame->add_forms();
-  } else {
-    LoginReputationClientRequest::Frame* password_frame =
-        request_proto_->add_frames();
-    password_frame->set_url(password_form_frame_url_.spec());
-    password_frame->set_has_password_field(true);
-    // TODO(jialiul): Add referrer chain for subframes later.
-    password_form = password_frame->add_forms();
+
+  switch (request_type_) {
+    case LoginReputationClientRequest::UNFAMILIAR_LOGIN_PAGE: {
+      LoginReputationClientRequest::Frame::Form* password_form;
+      if (password_form_frame_url_ == main_frame_url_) {
+        main_frame->set_has_password_field(true);

[Nathan Parker, 2017/05/12 22:27:59]

I think all this form/frame info should be filled for both request types.  So
you could pull it out of the switch.

[Jialiu Lin, 2017/05/13 00:24:12]

This is temporary. password form, password_form_frame_url, and sub frame info is
not available to password reuse ping yet.  I'll refactor this part when there is
more info to fill in.

+        password_form = main_frame->add_forms();
+      } else {
+        LoginReputationClientRequest::Frame* password_frame =
+            request_proto_->add_frames();
+        password_frame->set_url(password_form_frame_url_.spec());
+        password_frame->set_has_password_field(true);

[Nathan Parker, 2017/05/12 22:27:59]

So do we need to set_has_password_field on both the password_frame and the
password_form?  It seems redundant.  Maybe the password_form doesn't need the
field at all, as it could be implied that the form has a password field. That
would work as long as we only collect forms that have password fields.

[Jialiu Lin, 2017/05/13 00:24:12]

Agree. It is redundant. remove the filling of has_password_field on
password_form.
I'll talk to weiningy to make some refine the proto definition. 

+        // TODO(jialiul): Add referrer chain for subframes later.
+        password_form = password_frame->add_forms();
+      }
+      password_form->set_action_url(password_form_action_.spec());
+      password_form->set_has_password_field(true);
+      // TODO(jialiul): Fill more frame specific info when Safe Browsing backend
+      // is ready to handle these pieces of information.
+      break;
+    }
+    case LoginReputationClientRequest::PASSWORD_REUSE_EVENT: {
+      LoginReputationClientRequest::PasswordReuseEvent* password_reuse =
+          request_proto_->mutable_password_reuse_event();
+      password_reuse->add_password_reused_original_origins(legitimate_domain_);

[Nathan Parker, 2017/05/12 22:27:59]

This one should only be filled for SBER.  That's the case now be default, but we
should protect this before we switch the finch config.

[Jialiu Lin, 2017/05/13 00:24:12]

Yes, thanks for catching this. 

+      // TODO(jialiul): Fill more password_reuse information.
+      break;
+    }
+    default:
+      NOTREACHED();
   }
-  password_form->set_action_url(password_form_action_.spec());
-  password_form->set_has_password_field(true);
-  // TODO(jialiul): Fill more frame specific info when Safe Browsing backend
-  // is ready to handle these pieces of information.
 }
 
 void PasswordProtectionRequest::SendRequest() {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   FillRequestProto();
 
   std::string serialized_request;
   if (!request_proto_->SerializeToString(&serialized_request)) {
     Finish(RequestOutcome::REQUEST_MALFORMED, nullptr);
     return;
@@ skipping 92 matching lines @@
 }
 
 void PasswordProtectionRequest::Cancel(bool timed_out) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   fetcher_.reset();
 
   Finish(timed_out ? TIMEDOUT : CANCELED, nullptr);
 }
 
 }  // namespace safe_browsing