OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 // windows.h must be first otherwise Win8 SDK breaks. | |
6 #include <windows.h> | |
7 #include <wincred.h> | |
8 #include <LM.h> | |
9 | |
10 // SECURITY_WIN32 must be defined in order to get | |
11 // EXTENDED_NAME_FORMAT enumeration. | |
12 #define SECURITY_WIN32 1 | |
13 #include <security.h> | |
14 #undef SECURITY_WIN32 | |
15 | |
16 #include "base/prefs/pref_registry_simple.h" | |
17 #include "base/prefs/pref_service.h" | |
18 #include "base/safe_numerics.h" | |
19 #include "base/strings/utf_string_conversions.h" | |
20 #include "base/time/time.h" | |
21 #include "chrome/browser/browser_process.h" | |
22 #include "chrome/browser/password_manager/password_manager.h" | |
23 #include "chrome/browser/password_manager/password_manager_util.h" | |
Bernhard Bauer
2013/11/27 17:04:52
Nit: The header file corresponding to the current
Will Harris
2013/12/02 23:19:27
Done.
| |
24 #include "chrome/common/pref_names.h" | |
25 #include "content/public/browser/render_view_host.h" | |
26 #include "content/public/browser/render_widget_host_view.h" | |
27 #include "content/public/browser/web_contents.h" | |
28 #include "grit/chromium_strings.h" | |
29 #include "grit/generated_resources.h" | |
30 #include "ui/base/l10n/l10n_util.h" | |
31 | |
32 #if defined(USE_AURA) | |
33 #include "ui/aura/root_window.h" | |
34 #include "ui/aura/window.h" | |
35 #endif | |
36 | |
37 // static | |
38 void PasswordManager::RegisterLocalPrefs(PrefRegistrySimple* registry) { | |
39 registry->RegisterInt64Pref(prefs::kOsPasswordLastChanged, 0); | |
40 registry->RegisterBooleanPref(prefs::kOsPasswordBlank, false); | |
41 } | |
42 | |
43 namespace password_manager_util { | |
44 | |
45 const unsigned kMaxPasswordRetries = 3; | |
46 | |
47 const unsigned kCredUiDefaultFlags = | |
48 CREDUI_FLAGS_GENERIC_CREDENTIALS | | |
49 CREDUI_FLAGS_EXCLUDE_CERTIFICATES | | |
50 CREDUI_FLAGS_KEEP_USERNAME | | |
51 CREDUI_FLAGS_ALWAYS_SHOW_UI | | |
52 CREDUI_FLAGS_DO_NOT_PERSIST; | |
53 | |
54 static int64 GetPasswordLastChanged(WCHAR* username) { | |
55 LPUSER_INFO_1 user_info = NULL; | |
56 DWORD age = 0; | |
57 | |
58 NET_API_STATUS ret = NetUserGetInfo(NULL, username, 1, (LPBYTE*) &user_info); | |
59 | |
60 if (ret == NERR_Success) { | |
61 // Returns seconds since last password change. | |
62 age = user_info->usri1_password_age; | |
63 NetApiBufferFree(user_info); | |
64 } | |
65 | |
cpu_(ooo_6.6-7.5)
2013/11/29 18:55:36
apparently my second comment got lost, here it is
Will Harris
2013/12/02 23:19:27
Done.
| |
66 base::Time changed = base::Time::Now() - base::TimeDelta::FromSeconds(age); | |
67 | |
68 return changed.ToInternalValue(); | |
69 } | |
70 | |
71 static bool CheckBlankPassword(WCHAR* username) { | |
72 PrefService* local_state = g_browser_process->local_state(); | |
73 int64 last_changed = GetPasswordLastChanged(username); | |
74 bool need_recheck = true; | |
75 bool blank_password = false; | |
76 | |
77 if (local_state->HasPrefPath(prefs::kOsPasswordBlank)) { | |
78 blank_password = local_state->GetBoolean(prefs::kOsPasswordBlank); | |
79 if (local_state->HasPrefPath(prefs::kOsPasswordLastChanged)) { | |
80 int64 pref_last_changed = | |
81 local_state->GetInt64(prefs::kOsPasswordLastChanged); | |
82 if (pref_last_changed > 0 && | |
83 last_changed <= pref_last_changed) { | |
84 need_recheck = false; | |
85 } | |
86 } | |
87 } | |
88 | |
89 if (need_recheck) { | |
90 HANDLE handle = INVALID_HANDLE_VALUE; | |
91 | |
92 // Attempt to login using blank password. | |
93 DWORD logon_result = LogonUser(username, | |
94 L".", | |
95 L"", | |
96 LOGON32_LOGON_NETWORK, | |
97 LOGON32_PROVIDER_DEFAULT, | |
98 &handle); | |
99 | |
100 // Win XP and later return ERROR_ACCOUNT_RESTRICTION for blank password. | |
101 if (logon_result) | |
102 CloseHandle(handle); | |
103 | |
104 blank_password = (logon_result || | |
105 GetLastError() == ERROR_ACCOUNT_RESTRICTION); | |
cpu_(ooo_6.6-7.5)
2013/11/27 01:06:39
not sure I agree with the logical statement that E
Will Harris
2013/11/27 01:21:03
in the case the password is blank, then LogonUser
cpu_(ooo_6.6-7.5)
2013/11/29 18:51:12
Ok, please add a comment about that, from my readi
Will Harris
2013/12/02 23:19:27
Done.
| |
106 } | |
107 | |
108 // Account for clock skew between pulling the password age and | |
109 // writing to the preferences by adding a small skew factor here. | |
110 last_changed += base::Time::kMicrosecondsPerSecond; | |
111 | |
112 // Save the blank password status for later. | |
113 local_state->SetBoolean(prefs::kOsPasswordBlank, blank_password); | |
114 local_state->SetInt64(prefs::kOsPasswordLastChanged, last_changed); | |
115 | |
116 return blank_password; | |
117 } | |
118 | |
119 bool AuthenticateUser(content::WebContents* web_contents) { | |
120 bool retval = false; | |
121 CREDUI_INFO cui = {}; | |
122 WCHAR username[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
123 WCHAR displayname[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
124 WCHAR password[CREDUI_MAX_PASSWORD_LENGTH+1] = {}; | |
125 DWORD username_length = CREDUI_MAX_USERNAME_LENGTH; | |
126 std::wstring product_name = | |
127 UTF16ToWide(l10n_util::GetStringUTF16(IDS_PRODUCT_NAME)); | |
128 std::wstring password_prompt = | |
129 UTF16ToWide(l10n_util::GetStringUTF16( | |
130 IDS_PASSWORDS_PAGE_AUTHENTICATION_PROMPT)); | |
131 HANDLE handle = INVALID_HANDLE_VALUE; | |
132 int tries = 0; | |
133 bool use_displayname = false; | |
134 bool use_principalname = false; | |
135 DWORD logon_result = 0; | |
136 | |
137 // On a domain, we obtain the User Principal Name | |
138 // for domain authentication. | |
139 if (GetUserNameEx(NameUserPrincipal, username, &username_length)) { | |
140 use_principalname = true; | |
141 } else { | |
142 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
143 // Otherwise, we're a workstation, use the plain local username. | |
144 if (!GetUserName(username, &username_length)) { | |
145 DLOG(ERROR) << "Unable to obtain username " << GetLastError(); | |
146 return false; | |
147 } else { | |
148 // As we are on a workstation, it's possible the user | |
149 // has no password, so check here. | |
150 if (CheckBlankPassword(username)) | |
151 return true; | |
152 } | |
153 } | |
154 | |
155 // Try and obtain a friendly display name. | |
156 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
157 if (GetUserNameEx(NameDisplay, displayname, &username_length)) | |
158 use_displayname = true; | |
159 | |
160 cui.cbSize = sizeof(CREDUI_INFO); | |
161 cui.hwndParent = NULL; | |
162 | |
163 gfx::NativeView view = web_contents->GetRenderViewHost()-> | |
164 GetView()->GetNativeView(); | |
165 #if defined(USE_AURA) | |
166 cui.hwndParent = view->GetDispatcher()->host()->GetAcceleratedWidget(); | |
167 #else | |
168 cui.hwndParent = view; | |
169 #endif | |
170 | |
171 cui.pszMessageText = password_prompt.c_str(); | |
172 cui.pszCaptionText = product_name.c_str(); | |
173 | |
174 cui.hbmBanner = NULL; | |
175 BOOL save_password = FALSE; | |
176 DWORD credErr = NO_ERROR; | |
177 | |
178 do { | |
179 tries++; | |
180 | |
181 // TODO(wfh) Make sure we support smart cards here. | |
182 credErr = CredUIPromptForCredentials( | |
183 &cui, | |
184 product_name.c_str(), | |
185 NULL, | |
186 0, | |
187 use_displayname ? displayname : username, | |
188 CREDUI_MAX_USERNAME_LENGTH+1, | |
189 password, | |
190 CREDUI_MAX_PASSWORD_LENGTH+1, | |
191 &save_password, | |
192 kCredUiDefaultFlags | | |
193 (tries > 1 ? CREDUI_FLAGS_INCORRECT_PASSWORD : 0)); | |
194 | |
195 if (credErr == NO_ERROR) { | |
196 logon_result = LogonUser(username, | |
197 use_principalname ? NULL : L".", | |
198 password, | |
199 LOGON32_LOGON_NETWORK, | |
200 LOGON32_PROVIDER_DEFAULT, | |
201 &handle); | |
202 if (logon_result) { | |
203 retval = true; | |
204 CloseHandle(handle); | |
205 } else { | |
206 if (GetLastError() == ERROR_ACCOUNT_RESTRICTION && | |
207 wcslen(password) == 0) { | |
208 // Password is blank, so permit. | |
209 retval = true; | |
210 } else { | |
211 DLOG(WARNING) << "Unable to authenticate " << GetLastError(); | |
212 } | |
213 } | |
214 SecureZeroMemory(password, sizeof(password)); | |
215 } | |
216 } while (credErr == NO_ERROR && | |
217 (retval == false && tries < kMaxPasswordRetries)); | |
218 return retval; | |
219 } | |
220 | |
221 } // namespace password_manager_util | |
OLD | NEW |