OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ | |
6 #define CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ | |
7 | |
8 #include <Security/Security.h> | |
9 | |
10 #include <string> | |
11 #include <vector> | |
12 | |
13 #include "base/macros.h" | |
14 #include "components/autofill/core/common/password_form.h" | |
15 #include "crypto/apple_keychain.h" | |
16 | |
17 using crypto::AppleKeychain; | |
18 | |
19 // Adapter that wraps a AppleKeychain and provides interaction in terms of | |
20 // PasswordForms instead of Keychain items. | |
21 class MacKeychainPasswordFormAdapter { | |
22 public: | |
23 // Creates an adapter for |keychain|. This class does not take ownership of | |
24 // |keychain|, so the caller must make sure that the keychain outlives the | |
25 // created object. | |
26 explicit MacKeychainPasswordFormAdapter(const AppleKeychain* keychain); | |
27 | |
28 // Returns all keychain entries matching |signon_realm| and |scheme|. | |
29 std::vector<std::unique_ptr<autofill::PasswordForm>> PasswordsFillingForm( | |
30 const std::string& signon_realm, | |
31 autofill::PasswordForm::Scheme scheme); | |
32 | |
33 // Returns true if there is the Keychain entry that matches |query_form| on | |
34 // all of the fields that uniquely identify a Keychain item. | |
35 bool HasPasswordExactlyMatchingForm(const autofill::PasswordForm& query_form); | |
36 | |
37 // Returns true if the keychain contains any items that are mergeable with | |
38 // |query_form|. This is different from actually extracting the passwords | |
39 // and checking the return count, since doing that would require reading the | |
40 // passwords from the keychain, thus potentially triggering authorizaiton UI, | |
41 // whereas this won't. | |
42 bool HasPasswordsMergeableWithForm( | |
43 const autofill::PasswordForm& query_form); | |
44 | |
45 // Returns all keychain items of types corresponding to password forms. | |
46 std::vector<SecKeychainItemRef> GetAllPasswordFormKeychainItems(); | |
47 | |
48 // Returns all keychain entries corresponding to password forms. | |
49 // TODO(vabr): This is only used in tests, should be moved there. | |
50 std::vector<std::unique_ptr<autofill::PasswordForm>> | |
51 GetAllPasswordFormPasswords(); | |
52 | |
53 // Creates a new keychain entry from |form|, or updates the password of an | |
54 // existing keychain entry if there is a collision. Returns true if a keychain | |
55 // entry was successfully added/updated. | |
56 bool AddPassword(const autofill::PasswordForm& form); | |
57 | |
58 // Removes the keychain password matching |form| if any. Returns true if a | |
59 // keychain item was found and successfully removed. | |
60 bool RemovePassword(const autofill::PasswordForm& form); | |
61 | |
62 // Controls whether or not Chrome will restrict Keychain searches to items | |
63 // that it created. Defaults to false. | |
64 void SetFindsOnlyOwnedItems(bool finds_only_owned); | |
65 | |
66 private: | |
67 // Returns PasswordForm instances transformed from |items|. Also calls | |
68 // AppleKeychain::Free on all of the keychain items and clears |items|. | |
69 std::vector<std::unique_ptr<autofill::PasswordForm>> | |
70 ConvertKeychainItemsToForms(std::vector<SecKeychainItemRef>* items); | |
71 | |
72 // Searches |keychain| for the specific keychain entry that corresponds to the | |
73 // given form, and returns it (or NULL if no match is found). The caller is | |
74 // responsible for calling AppleKeychain::Free on on the returned item. | |
75 SecKeychainItemRef KeychainItemForForm( | |
76 const autofill::PasswordForm& form); | |
77 | |
78 // Returns the Keychain items matching the given signon_realm, scheme, and | |
79 // optionally path and username (either of both can be NULL). | |
80 // The caller is responsible for calling AppleKeychain::Free on the | |
81 // returned items. | |
82 std::vector<SecKeychainItemRef> MatchingKeychainItems( | |
83 const std::string& signon_realm, | |
84 autofill::PasswordForm::Scheme scheme, | |
85 const char* path, | |
86 const char* username); | |
87 | |
88 // Returns the Keychain SecAuthenticationType type corresponding to |scheme|. | |
89 SecAuthenticationType AuthTypeForScheme( | |
90 autofill::PasswordForm::Scheme scheme); | |
91 | |
92 // Changes the password for keychain_item to |password|; returns true if the | |
93 // password was successfully changed. | |
94 bool SetKeychainItemPassword(SecKeychainItemRef keychain_item, | |
95 const std::string& password); | |
96 | |
97 // Sets the creator code of keychain_item to creator_code; returns true if the | |
98 // creator code was successfully set. | |
99 bool SetKeychainItemCreatorCode(SecKeychainItemRef keychain_item, | |
100 OSType creator_code); | |
101 | |
102 // Returns the creator code to be used for a Keychain search, depending on | |
103 // whether this object was instructed to search only for items it created. | |
104 // If searches should be restricted in this way, the application-specific | |
105 // creator code will be returned. Otherwise, 0 will be returned, indicating | |
106 // a search of all items, regardless of creator. | |
107 OSType CreatorCodeForSearch(); | |
108 | |
109 const AppleKeychain* keychain_; | |
110 | |
111 // If true, Keychain searches are restricted to items created by Chrome. | |
112 bool finds_only_owned_; | |
113 | |
114 DISALLOW_COPY_AND_ASSIGN(MacKeychainPasswordFormAdapter); | |
115 }; | |
116 | |
117 namespace internal_keychain_helpers { | |
118 | |
119 // Pair of pointers to a SecKeychainItemRef and a corresponding PasswordForm. | |
120 typedef std::pair<SecKeychainItemRef, std::unique_ptr<autofill::PasswordForm>> | |
121 ItemFormPair; | |
122 | |
123 // Sets the fields of |form| based on the keychain data from |keychain_item|. | |
124 // Fields that can't be determined from |keychain_item| will be unchanged. If | |
125 // |extract_password_data| is true, the password data will be copied from | |
126 // |keychain_item| in addition to its attributes, and the |blacklisted_by_user| | |
127 // field will be set to true for empty passwords ("" or " "). | |
128 // If |extract_password_data| is false, only the password attributes will be | |
129 // copied, and the |blacklisted_by_user| field will always be false. | |
130 // | |
131 // IMPORTANT: If |extract_password_data| is true, this function can cause the OS | |
132 // to trigger UI (to allow access to the keychain item if we aren't trusted for | |
133 // the item), and block until the UI is dismissed. | |
134 // | |
135 // If excessive prompting for access to other applications' keychain items | |
136 // becomes an issue, the password storage API will need to intially call this | |
137 // function with |extract_password_data| set to false, and retrieve the password | |
138 // later (accessing other fields doesn't require authorization). | |
139 bool FillPasswordFormFromKeychainItem(const AppleKeychain& keychain, | |
140 SecKeychainItemRef keychain_item, | |
141 autofill::PasswordForm* form, | |
142 bool extract_password_data); | |
143 | |
144 // Returns true if |keychain_item| has the application-specific creator code in | |
145 // its attributes. | |
146 bool HasCreatorCode(const AppleKeychain& keychain, | |
147 SecKeychainItemRef keychain_item); | |
148 | |
149 // Use FormMatchStrictness to configure which forms are considered a match by | |
150 // FormsMatchForMerge: | |
151 enum FormMatchStrictness { | |
152 STRICT_FORM_MATCH, // Match only forms with the same scheme, signon realm and | |
153 // username value. | |
154 FUZZY_FORM_MATCH, // Also match cases where the first form's | |
155 // original_signon_realm is nonempty and matches the | |
156 // second form's signon_realm. | |
157 }; | |
158 | |
159 // Returns true if the two given forms are suitable for merging (see | |
160 // MergePasswordForms). | |
161 bool FormsMatchForMerge(const autofill::PasswordForm& form_a, | |
162 const autofill::PasswordForm& form_b, | |
163 FormMatchStrictness strictness); | |
164 | |
165 // Populates merged_forms by combining the password data from keychain_forms and | |
166 // the metadata from database_forms, removing used entries from the two source | |
167 // lists. | |
168 // | |
169 // On return, database_forms and keychain_forms will have only unused | |
170 // entries; for database_forms that means entries for which no corresponding | |
171 // password can be found (and which aren't blacklist entries), and for | |
172 // keychain_forms its entries that weren't merged into at least one database | |
173 // form. | |
174 void MergePasswordForms( | |
175 std::vector<std::unique_ptr<autofill::PasswordForm>>* keychain_forms, | |
176 std::vector<std::unique_ptr<autofill::PasswordForm>>* database_forms, | |
177 std::vector<std::unique_ptr<autofill::PasswordForm>>* merged_forms); | |
178 | |
179 // For every form in |database_forms|, if such a form has a corresponding entry | |
180 // in |keychain|, this adds the password from the entry and moves that form from | |
181 // |database_forms| into |passwords|. | |
182 void GetPasswordsForForms( | |
183 const AppleKeychain& keychain, | |
184 std::vector<std::unique_ptr<autofill::PasswordForm>>* database_forms, | |
185 std::vector<std::unique_ptr<autofill::PasswordForm>>* passwords); | |
186 | |
187 // Loads all items in the system keychain into |keychain_items|, creates for | |
188 // each keychain item a corresponding PasswordForm that doesn't contain any | |
189 // password data, and returns the two collections as a vector of ItemFormPairs. | |
190 // Used by GetPasswordsForForms for optimized matching of keychain items with | |
191 // PasswordForms in the database. | |
192 // Note: Since no password data is loaded here, the resulting PasswordForms | |
193 // will include blacklist entries, which will have to be filtered out later. | |
194 // Caller owns the SecKeychainItemRefs and PasswordForms that are returned. | |
195 // This operation does not require OS authorization. | |
196 std::vector<ItemFormPair> ExtractAllKeychainItemAttributesIntoPasswordForms( | |
197 std::vector<SecKeychainItemRef>* keychain_items, | |
198 const AppleKeychain& keychain); | |
199 | |
200 // Takes a PasswordForm's signon_realm and parses it into its component parts, | |
201 // which are returned though the appropriate out parameters. | |
202 // Returns true if it can be successfully parsed, in which case all out params | |
203 // that are non-NULL will be set. If there is no port, port will be 0. | |
204 // If the return value is false, the state of the out params is undefined. | |
205 bool ExtractSignonRealmComponents(const std::string& signon_realm, | |
206 std::string* server, | |
207 UInt32* port, | |
208 bool* is_secure, | |
209 std::string* security_domain); | |
210 | |
211 // Returns true if the signon_realm of |query_form| can be successfully parsed | |
212 // by ExtractSignonRealmComponents, and if |query_form| matches |other_form|. | |
213 bool FormIsValidAndMatchesOtherForm(const autofill::PasswordForm& query_form, | |
214 const autofill::PasswordForm& other_form); | |
215 | |
216 // Returns PasswordForm instances populated with password data for each keychain | |
217 // entry in |item_form_pairs| that could be merged with |query_form|. | |
218 std::vector<std::unique_ptr<autofill::PasswordForm>> | |
219 ExtractPasswordsMergeableWithForm( | |
220 const AppleKeychain& keychain, | |
221 const std::vector<ItemFormPair>& item_form_pairs, | |
222 const autofill::PasswordForm& query_form); | |
223 | |
224 } // namespace internal_keychain_helpers | |
225 | |
226 #endif // CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ | |
OLD | NEW |