OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 // windows.h must be first otherwise Win8 SDK breaks. | |
6 #include <windows.h> | |
7 #include <wincred.h> | |
8 #include <LM.h> | |
9 | |
10 // SECURITY_WIN32 must be defined in order to get | |
11 // EXTENDED_NAME_FORMAT enumeration. | |
12 #define SECURITY_WIN32 1 | |
13 #include <security.h> | |
14 #undef SECURITY_WIN32 | |
15 | |
16 #include "base/prefs/pref_registry_simple.h" | |
17 #include "base/prefs/pref_service.h" | |
18 #include "base/safe_numerics.h" | |
19 #include "base/strings/utf_string_conversions.h" | |
20 #include "base/time/time.h" | |
21 #include "chrome/browser/browser_process.h" | |
22 #include "chrome/browser/password_manager/password_manager.h" | |
23 #include "chrome/browser/password_manager/password_manager_util.h" | |
24 #include "chrome/common/pref_names.h" | |
25 #include "content/public/browser/render_view_host.h" | |
26 #include "content/public/browser/render_widget_host_view.h" | |
27 #include "content/public/browser/web_contents.h" | |
28 #include "grit/chromium_strings.h" | |
29 #include "grit/generated_resources.h" | |
30 #include "ui/base/l10n/l10n_util.h" | |
31 | |
32 #if defined(USE_AURA) | |
33 #include "ui/aura/root_window.h" | |
34 #include "ui/aura/window.h" | |
35 #endif | |
36 | |
37 // static | |
38 void PasswordManager::RegisterLocalPrefs(PrefRegistrySimple* registry) { | |
39 registry->RegisterInt64Pref(prefs::kOsPasswordLastChanged, 0); | |
40 registry->RegisterBooleanPref(prefs::kOsPasswordBlank, false); | |
41 } | |
42 | |
43 namespace password_manager_util { | |
44 | |
45 const unsigned kMaxPasswordRetries = 3; | |
46 | |
47 const unsigned kCredUiDefaultFlags = | |
48 CREDUI_FLAGS_GENERIC_CREDENTIALS | | |
49 CREDUI_FLAGS_EXCLUDE_CERTIFICATES | | |
50 CREDUI_FLAGS_KEEP_USERNAME | | |
51 CREDUI_FLAGS_ALWAYS_SHOW_UI | | |
52 CREDUI_FLAGS_DO_NOT_PERSIST; | |
53 | |
54 static int64 getPasswordLastChanged(WCHAR* username) { | |
Patrick Dubroy
2013/11/12 15:41:39
Nit: Function names should start with a capital le
Will Harris
2013/11/26 22:07:12
Done.
| |
55 LPUSER_INFO_1 user_info = NULL; | |
56 DWORD age = 0; | |
57 | |
58 NET_API_STATUS ret = NetUserGetInfo(NULL, username, 1, (LPBYTE*) &user_info); | |
59 | |
60 if (ret == NERR_Success) { | |
61 // Returns seconds since last password change. | |
62 age = user_info->usri1_password_age; | |
63 NetApiBufferFree(user_info); | |
64 } | |
65 | |
66 base::Time changed = base::Time::Now() - base::TimeDelta::FromSeconds(age); | |
67 | |
68 return changed.ToInternalValue(); | |
69 } | |
70 | |
71 static bool checkBlankPassword(WCHAR* username) { | |
Patrick Dubroy
2013/11/12 15:41:39
Nit: Function names should start with a capital le
Will Harris
2013/11/26 22:07:12
Done.
| |
72 PrefService* local_state = g_browser_process->local_state(); | |
73 int64 last_changed = getPasswordLastChanged(username); | |
74 bool need_recheck = true; | |
75 bool blank_password = false; | |
76 | |
77 if (local_state->HasPrefPath(prefs::kOsPasswordBlank)) { | |
78 blank_password = local_state->GetBoolean(prefs::kOsPasswordBlank); | |
79 if (local_state->HasPrefPath(prefs::kOsPasswordLastChanged)) { | |
80 int64 pref_last_changed = | |
81 local_state->GetInt64(prefs::kOsPasswordLastChanged); | |
82 if (pref_last_changed > 0 && | |
83 last_changed <= pref_last_changed) { | |
84 need_recheck = false; | |
85 } | |
86 } | |
87 } | |
88 | |
89 if (need_recheck) { | |
90 HANDLE handle = INVALID_HANDLE_VALUE; | |
91 | |
92 // Attempt to login using blank password. | |
93 DWORD logon_result = LogonUser(username, | |
94 L".", | |
95 L"", | |
96 LOGON32_LOGON_NETWORK, | |
97 LOGON32_PROVIDER_DEFAULT, | |
98 &handle); | |
99 | |
100 // Win XP and later return ERROR_ACCOUNT_RESTRICTION for blank password. | |
101 if (logon_result) { | |
Patrick Dubroy
2013/11/12 15:41:39
Nit: No braces necessary here.
Will Harris
2013/11/26 22:07:12
Done.
| |
102 CloseHandle(handle); | |
103 } | |
104 | |
105 blank_password = (logon_result || | |
106 GetLastError() == ERROR_ACCOUNT_RESTRICTION); | |
107 } | |
108 | |
109 // Account for clock skew between pulling the password age and | |
110 // writing to the preferences by adding a small skew factor here. | |
111 last_changed += base::Time::kMicrosecondsPerSecond; | |
112 | |
113 // Save the blank password status for later. | |
114 local_state->SetBoolean(prefs::kOsPasswordBlank, blank_password); | |
115 local_state->SetInt64(prefs::kOsPasswordLastChanged, last_changed); | |
116 | |
117 return blank_password; | |
118 } | |
119 | |
120 bool AuthenticateUser(content::WebContents* web_contents) { | |
121 bool retval = false; | |
122 CREDUI_INFO cui = {}; | |
123 WCHAR username[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
124 WCHAR displayname[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
125 WCHAR password[CREDUI_MAX_PASSWORD_LENGTH+1] = {}; | |
126 DWORD username_length = CREDUI_MAX_USERNAME_LENGTH; | |
127 std::wstring product_name = | |
128 UTF16ToWide(l10n_util::GetStringUTF16(IDS_PRODUCT_NAME)); | |
129 std::wstring password_prompt = | |
130 UTF16ToWide(l10n_util::GetStringUTF16( | |
131 IDS_PASSWORDS_PAGE_AUTHENTICATION_PROMPT)); | |
132 HANDLE handle = INVALID_HANDLE_VALUE; | |
133 int tries = 0; | |
134 bool use_displayname = false; | |
135 bool use_principalname = false; | |
136 DWORD logon_result = 0; | |
137 | |
138 // On a domain, we obtain the User Principal Name | |
139 // for domain authentication. | |
140 if (GetUserNameEx(NameUserPrincipal, username, &username_length)) { | |
141 use_principalname = true; | |
142 } else { | |
143 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
144 // Otherwise, we're a workstation, use the plain local username. | |
145 if (!GetUserName(username, &username_length)) { | |
146 DLOG(ERROR) << "Unable to obtain username " << GetLastError(); | |
147 return false; | |
148 } else { | |
149 // As we are on a workstation, it's possible the user | |
150 // has no password, so check here. | |
151 if (checkBlankPassword(username)) { | |
Patrick Dubroy
2013/11/12 15:41:39
Nit: No braces necessary here.
Will Harris
2013/11/26 22:07:12
Done.
| |
152 return true; | |
153 } | |
154 } | |
155 } | |
156 | |
157 // Try and obtain a friendly display name. | |
158 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
159 if (GetUserNameEx(NameDisplay, displayname, &username_length)) { | |
Patrick Dubroy
2013/11/12 15:41:39
Nit: No braces necessary here.
Will Harris
2013/11/26 22:07:12
Done.
| |
160 use_displayname = true; | |
161 } | |
162 | |
163 cui.cbSize = sizeof(CREDUI_INFO); | |
164 cui.hwndParent = NULL; | |
165 | |
166 gfx::NativeView view = web_contents->GetRenderViewHost()-> | |
167 GetView()->GetNativeView(); | |
168 #if defined(USE_AURA) | |
169 cui.hwndParent = view->GetDispatcher()->GetAcceleratedWidget(); | |
170 #else | |
171 cui.hwndParent = view; | |
172 #endif | |
173 | |
174 cui.pszMessageText = password_prompt.c_str(); | |
175 cui.pszCaptionText = product_name.c_str(); | |
176 | |
177 cui.hbmBanner = NULL; | |
178 BOOL save_password = FALSE; | |
179 DWORD credErr = NO_ERROR; | |
180 | |
181 do { | |
182 tries++; | |
183 | |
184 // TODO(wfh) Make sure we support smart cards here. | |
185 credErr = CredUIPromptForCredentials( | |
186 &cui, | |
Patrick Dubroy
2013/11/12 15:41:39
This column of args should be indented 4 spaces pa
Will Harris
2013/11/26 22:07:12
Done.
| |
187 product_name.c_str(), | |
188 NULL, | |
189 0, | |
190 use_displayname ? displayname : username, | |
191 CREDUI_MAX_USERNAME_LENGTH+1, | |
192 password, | |
193 CREDUI_MAX_PASSWORD_LENGTH+1, | |
194 &save_password, | |
195 kCredUiDefaultFlags | | |
196 (tries > 1 ? CREDUI_FLAGS_INCORRECT_PASSWORD : 0)); | |
197 | |
198 if (credErr == NO_ERROR) { | |
199 logon_result = LogonUser(username, | |
200 use_principalname ? NULL : L".", | |
201 password, | |
202 LOGON32_LOGON_NETWORK, | |
203 LOGON32_PROVIDER_DEFAULT, | |
204 &handle); | |
205 if (logon_result) { | |
206 retval = true; | |
207 CloseHandle(handle); | |
208 } else { | |
209 if (GetLastError() == ERROR_ACCOUNT_RESTRICTION && | |
210 wcslen(password) == 0) { | |
211 // Password is blank, so permit. | |
212 retval = true; | |
213 } else { | |
214 DLOG(WARNING) << "Unable to authenticate " << GetLastError(); | |
215 } | |
216 } | |
217 SecureZeroMemory(password, sizeof(password)); | |
218 } | |
219 } while (credErr == NO_ERROR && | |
220 (retval == false && tries < kMaxPasswordRetries)); | |
221 return retval; | |
222 } | |
223 | |
224 } // namespace password_manager_util | |
OLD | NEW |