1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/password_manager/password_form_manager.h" 6 7 #include <algorithm> 8 9 #include "base/metrics/histogram.h" 10 #include "base/string_split.h" 11 #include "base/string_util.h" 12 #include "chrome/browser/password_manager/password_manager.h" 13 #include "chrome/browser/password_manager/password_store.h" 14 #include "chrome/browser/profiles/profile.h" 15 #include "webkit/glue/password_form_dom_manager.h" 16 17 using base::Time; 18 using webkit_glue::PasswordForm; 19 using webkit_glue::PasswordFormMap; 20 21 PasswordFormManager::PasswordFormManager(Profile* profile, 22 PasswordManager* password_manager, 23 const PasswordForm& observed_form, 24 bool ssl_valid) 25 : best_matches_deleter_(&best_matches_), 26 observed_form_(observed_form), 27 is_new_login_(true), 28 password_manager_(password_manager), 29 pending_login_query_(0), 30 preferred_match_(NULL), 31 state_(PRE_MATCHING_PHASE), 32 profile_(profile), 33 manager_action_(kManagerActionNone), 34 user_action_(kUserActionNone), 35 submit_result_(kSubmitResultNotSubmitted) { 36 DCHECK(profile_); 37 if (observed_form_.origin.is_valid()) 38 base::SplitString(observed_form_.origin.path(), '/', &form_path_tokens_); 39 observed_form_.ssl_valid = ssl_valid; 40 } 41 42 PasswordFormManager::~PasswordFormManager() { 43 UMA_HISTOGRAM_ENUMERATION("PasswordManager.ActionsTaken", 44 GetActionsTaken(), 45 kMaxNumActionsTaken); 46 } 47 48 int PasswordFormManager::GetActionsTaken() { 49 return user_action_ + kUserActionMax * (manager_action_ + 50 kManagerActionMax * submit_result_); 51 }; 52 53 // TODO(timsteele): use a hash of some sort in the future? 54 bool PasswordFormManager::DoesManage(const PasswordForm& form) const { 55 if (form.scheme != PasswordForm::SCHEME_HTML) 56 return observed_form_.signon_realm == form.signon_realm; 57 58 // HTML form case. 59 // At a minimum, username and password element must match. 60 if (!((form.username_element == observed_form_.username_element) && 61 (form.password_element == observed_form_.password_element))) { 62 return false; 63 } 64 65 // The action URL must also match, but the form is allowed to have an empty 66 // action URL (See bug 1107719). 67 if (form.action.is_valid() && (form.action != observed_form_.action)) 68 return false; 69 70 // If this is a replay of the same form in the case a user entered an invalid 71 // password, the origin of the new form may equal the action of the "first" 72 // form. 73 if (!((form.origin == observed_form_.origin) || 74 (form.origin == observed_form_.action))) { 75 if (form.origin.SchemeIsSecure() && 76 !observed_form_.origin.SchemeIsSecure()) { 77 // Compare origins, ignoring scheme. There is no easy way to do this 78 // with GURL because clearing the scheme would result in an invalid url. 79 // This is for some sites (such as Hotmail) that begin on an http page and 80 // head to https for the retry when password was invalid. 81 std::string::const_iterator after_scheme1 = form.origin.spec().begin() + 82 form.origin.scheme().length(); 83 std::string::const_iterator after_scheme2 = 84 observed_form_.origin.spec().begin() + 85 observed_form_.origin.scheme().length(); 86 return std::search(after_scheme1, 87 form.origin.spec().end(), 88 after_scheme2, 89 observed_form_.origin.spec().end()) 90 != form.origin.spec().end(); 91 } 92 return false; 93 } 94 return true; 95 } 96 97 bool PasswordFormManager::IsBlacklisted() { 98 DCHECK_EQ(state_, POST_MATCHING_PHASE); 99 if (preferred_match_ && preferred_match_->blacklisted_by_user) 100 return true; 101 return false; 102 } 103 104 void PasswordFormManager::PermanentlyBlacklist() { 105 DCHECK_EQ(state_, POST_MATCHING_PHASE); 106 107 // Configure the form about to be saved for blacklist status. 108 pending_credentials_.preferred = true; 109 pending_credentials_.blacklisted_by_user = true; 110 pending_credentials_.username_value.clear(); 111 pending_credentials_.password_value.clear(); 112 113 // Retroactively forget existing matches for this form, so we NEVER prompt or 114 // autofill it again. 115 if (!best_matches_.empty()) { 116 PasswordFormMap::const_iterator iter; 117 PasswordStore* password_store = 118 profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS); 119 if (!password_store) { 120 NOTREACHED(); 121 return; 122 } 123 for (iter = best_matches_.begin(); iter != best_matches_.end(); ++iter) { 124 // We want to remove existing matches for this form so that the exact 125 // origin match with |blackisted_by_user == true| is the only result that 126 // shows up in the future for this origin URL. However, we don't want to 127 // delete logins that were actually saved on a different page (hence with 128 // different origin URL) and just happened to match this form because of 129 // the scoring algorithm. See bug 1204493. 130 if (iter->second->origin == observed_form_.origin) 131 password_store->RemoveLogin(*iter->second); 132 } 133 } 134 135 // Save the pending_credentials_ entry marked as blacklisted. 136 SaveAsNewLogin(false); 137 } 138 139 bool PasswordFormManager::IsNewLogin() { 140 DCHECK_EQ(state_, POST_MATCHING_PHASE); 141 return is_new_login_; 142 } 143 144 bool PasswordFormManager::HasValidPasswordForm() { 145 DCHECK_EQ(state_, POST_MATCHING_PHASE); 146 // Non-HTML password forms (primarily HTTP and FTP autentication) 147 // do not contain username_element and password_element values. 148 if (observed_form_.scheme != PasswordForm::SCHEME_HTML) 149 return true; 150 return !observed_form_.username_element.empty() && 151 !observed_form_.password_element.empty(); 152 } 153 154 void PasswordFormManager::ProvisionallySave(const PasswordForm& credentials) { 155 DCHECK_EQ(state_, POST_MATCHING_PHASE); 156 DCHECK(DoesManage(credentials)); 157 158 // Make sure the important fields stay the same as the initially observed or 159 // autofilled ones, as they may have changed if the user experienced a login 160 // failure. 161 // Look for these credentials in the list containing auto-fill entries. 162 PasswordFormMap::const_iterator it = 163 best_matches_.find(credentials.username_value); 164 if (it != best_matches_.end()) { 165 // The user signed in with a login we autofilled. 166 pending_credentials_ = *it->second; 167 is_new_login_ = false; 168 // If the user selected credentials we autofilled from a PasswordForm 169 // that contained no action URL (IE6/7 imported passwords, for example), 170 // bless it with the action URL from the observed form. See bug 1107719. 171 if (pending_credentials_.action.is_empty()) 172 pending_credentials_.action = observed_form_.action; 173 174 // Check to see if we're using a known username but a new password. 175 if (pending_credentials_.password_value != credentials.password_value) 176 user_action_ = kUserActionOverride; 177 } else { 178 // User typed in a new, unknown username. 179 user_action_ = kUserActionOverride; 180 pending_credentials_ = observed_form_; 181 pending_credentials_.username_value = credentials.username_value; 182 } 183 184 pending_credentials_.password_value = credentials.password_value; 185 pending_credentials_.preferred = credentials.preferred; 186 } 187 188 void PasswordFormManager::Save() { 189 DCHECK_EQ(state_, POST_MATCHING_PHASE); 190 DCHECK(!profile_->IsOffTheRecord()); 191 192 if (IsNewLogin()) 193 SaveAsNewLogin(true); 194 else 195 UpdateLogin(); 196 } 197 198 void PasswordFormManager::FetchMatchingLoginsFromPasswordStore() { 199 DCHECK_EQ(state_, PRE_MATCHING_PHASE); 200 DCHECK(!pending_login_query_); 201 state_ = MATCHING_PHASE; 202 PasswordStore* password_store = 203 profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS); 204 if (!password_store) { 205 NOTREACHED(); 206 return; 207 } 208 pending_login_query_ = password_store->GetLogins(observed_form_, this); 209 } 210 211 bool PasswordFormManager::HasCompletedMatching() { 212 return state_ == POST_MATCHING_PHASE; 213 } 214 215 void PasswordFormManager::OnRequestDone(int handle, 216 const std::vector<PasswordForm*>& logins_result) { 217 // Note that the result gets deleted after this call completes, but we own 218 // the PasswordForm objects pointed to by the result vector, thus we keep 219 // copies to a minimum here. 220 221 int best_score = 0; 222 std::vector<PasswordForm> empties; // Empty-path matches in result set. 223 for (size_t i = 0; i < logins_result.size(); i++) { 224 if (IgnoreResult(*logins_result[i])) { 225 delete logins_result[i]; 226 continue; 227 } 228 // Score and update best matches. 229 int current_score = ScoreResult(*logins_result[i]); 230 // This check is here so we can append empty path matches in the event 231 // they don't score as high as others and aren't added to best_matches_. 232 // This is most commonly imported firefox logins. We skip blacklisted 233 // ones because clearly we don't want to autofill them, and secondly 234 // because they only mean something when we have no other matches already 235 // saved in Chrome - in which case they'll make it through the regular 236 // scoring flow below by design. Note signon_realm == origin implies empty 237 // path logins_result, since signon_realm is a prefix of origin for HTML 238 // password forms. 239 // TODO(timsteele): Bug 1269400. We probably should do something more 240 // elegant for any shorter-path match instead of explicitly handling empty 241 // path matches. 242 if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) && 243 (observed_form_.signon_realm == logins_result[i]->origin.spec()) && 244 (current_score > 0) && (!logins_result[i]->blacklisted_by_user)) { 245 empties.push_back(*logins_result[i]); 246 } 247 248 if (current_score < best_score) { 249 delete logins_result[i]; 250 continue; 251 } 252 if (current_score == best_score) { 253 best_matches_[logins_result[i]->username_value] = logins_result[i]; 254 } else if (current_score > best_score) { 255 best_score = current_score; 256 // This new login has a better score than all those up to this point 257 // Note 'this' owns all the PasswordForms in best_matches_. 258 STLDeleteValues(&best_matches_); 259 best_matches_.clear(); 260 preferred_match_ = NULL; // Don't delete, its owned by best_matches_. 261 best_matches_[logins_result[i]->username_value] = logins_result[i]; 262 } 263 preferred_match_ = logins_result[i]->preferred ? logins_result[i] 264 : preferred_match_; 265 } 266 // We're done matching now. 267 state_ = POST_MATCHING_PHASE; 268 269 if (best_score <= 0) { 270 return; 271 } 272 273 for (std::vector<PasswordForm>::const_iterator it = empties.begin(); 274 it != empties.end(); ++it) { 275 // If we don't already have a result with the same username, add the 276 // lower-scored empty-path match (if it had equal score it would already be 277 // in best_matches_). 278 if (best_matches_.find(it->username_value) == best_matches_.end()) 279 best_matches_[it->username_value] = new PasswordForm(*it); 280 } 281 282 // It is possible we have at least one match but have no preferred_match_, 283 // because a user may have chosen to 'Forget' the preferred match. So we 284 // just pick the first one and whichever the user selects for submit will 285 // be saved as preferred. 286 DCHECK(!best_matches_.empty()); 287 if (!preferred_match_) 288 preferred_match_ = best_matches_.begin()->second; 289 290 // Check to see if the user told us to ignore this site in the past. 291 if (preferred_match_->blacklisted_by_user) { 292 manager_action_ = kManagerActionBlacklisted; 293 return; 294 } 295 296 // Proceed to autofill (note that we provide the choices but don't 297 // actually prefill a value if the ACTION paths don't match). 298 bool wait_for_username = observed_form_.action.GetWithEmptyPath() != 299 preferred_match_->action.GetWithEmptyPath(); 300 if (wait_for_username) 301 manager_action_ = kManagerActionNone; 302 else 303 manager_action_ = kManagerActionAutofilled; 304 password_manager_->Autofill(observed_form_, best_matches_, 305 preferred_match_, wait_for_username); 306 } 307 308 void PasswordFormManager::OnPasswordStoreRequestDone( 309 CancelableRequestProvider::Handle handle, 310 const std::vector<PasswordForm*>& result) { 311 DCHECK_EQ(state_, MATCHING_PHASE); 312 DCHECK_EQ(pending_login_query_, handle); 313 314 if (result.empty()) { 315 state_ = POST_MATCHING_PHASE; 316 return; 317 } 318 319 OnRequestDone(handle, result); 320 pending_login_query_ = 0; 321 } 322 323 bool PasswordFormManager::IgnoreResult(const PasswordForm& form) const { 324 // Ignore change password forms until we have some change password 325 // functionality 326 if (observed_form_.old_password_element.length() != 0) { 327 return true; 328 } 329 // Don't match an invalid SSL form with one saved under secure 330 // circumstances. 331 if (form.ssl_valid && !observed_form_.ssl_valid) { 332 return true; 333 } 334 return false; 335 } 336 337 void PasswordFormManager::SaveAsNewLogin(bool reset_preferred_login) { 338 DCHECK_EQ(state_, POST_MATCHING_PHASE); 339 DCHECK(IsNewLogin()); 340 // The new_form is being used to sign in, so it is preferred. 341 DCHECK(pending_credentials_.preferred); 342 // new_form contains the same basic data as observed_form_ (because its the 343 // same form), but with the newly added credentials. 344 345 DCHECK(!profile_->IsOffTheRecord()); 346 347 PasswordStore* password_store = 348 profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS); 349 if (!password_store) { 350 NOTREACHED(); 351 return; 352 } 353 354 pending_credentials_.date_created = Time::Now(); 355 password_store->AddLogin(pending_credentials_); 356 357 if (reset_preferred_login) { 358 UpdatePreferredLoginState(password_store); 359 } 360 } 361 362 void PasswordFormManager::UpdatePreferredLoginState( 363 PasswordStore* password_store) { 364 DCHECK(password_store); 365 PasswordFormMap::iterator iter; 366 for (iter = best_matches_.begin(); iter != best_matches_.end(); iter++) { 367 if (iter->second->username_value != pending_credentials_.username_value && 368 iter->second->preferred) { 369 // This wasn't the selected login but it used to be preferred. 370 iter->second->preferred = false; 371 if (user_action_ == kUserActionNone) 372 user_action_ = kUserActionChoose; 373 password_store->UpdateLogin(*iter->second); 374 } 375 } 376 } 377 378 void PasswordFormManager::UpdateLogin() { 379 DCHECK_EQ(state_, POST_MATCHING_PHASE); 380 DCHECK(preferred_match_); 381 // If we're doing an Update, we either autofilled correctly and need to 382 // update the stats, or the user typed in a new password for autofilled 383 // username, or the user selected one of the non-preferred matches, 384 // thus requiring a swap of preferred bits. 385 DCHECK(!IsNewLogin() && pending_credentials_.preferred); 386 DCHECK(!profile_->IsOffTheRecord()); 387 388 PasswordStore* password_store = 389 profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS); 390 if (!password_store) { 391 NOTREACHED(); 392 return; 393 } 394 395 UpdatePreferredLoginState(password_store); 396 397 // Update the new preferred login. 398 // Note origin.spec().length > signon_realm.length implies the origin has a 399 // path, since signon_realm is a prefix of origin for HTML password forms. 400 if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) && 401 (observed_form_.origin.spec().length() > 402 observed_form_.signon_realm.length()) && 403 (observed_form_.signon_realm == pending_credentials_.origin.spec())) { 404 // The user logged in successfully with one of our autofilled logins on a 405 // page with non-empty path, but the autofilled entry was initially saved/ 406 // imported with an empty path. Rather than just mark this entry preferred, 407 // we create a more specific copy for this exact page and leave the "master" 408 // unchanged. This is to prevent the case where that master login is used 409 // on several sites (e.g site.com/a and site.com/b) but the user actually 410 // has a different preference on each site. For example, on /a, he wants the 411 // general empty-path login so it is flagged as preferred, but on /b he logs 412 // in with a different saved entry - we don't want to remove the preferred 413 // status of the former because upon return to /a it won't be the default- 414 // fill match. 415 // TODO(timsteele): Bug 1188626 - expire the master copies. 416 PasswordForm copy(pending_credentials_); 417 copy.origin = observed_form_.origin; 418 copy.action = observed_form_.action; 419 password_store->AddLogin(copy); 420 } else { 421 password_store->UpdateLogin(pending_credentials_); 422 } 423 } 424 425 int PasswordFormManager::ScoreResult(const PasswordForm& candidate) const { 426 DCHECK_EQ(state_, MATCHING_PHASE); 427 // For scoring of candidate login data: 428 // The most important element that should match is the origin, followed by 429 // the action, the password name, the submit button name, and finally the 430 // username input field name. 431 // Exact origin match gives an addition of 32 (1 << 5) + # of matching url 432 // dirs. 433 // Partial match gives an addition of 16 (1 << 4) + # matching url dirs 434 // That way, a partial match cannot trump an exact match even if 435 // the partial one matches all other attributes (action, elements) (and 436 // regardless of the matching depth in the URL path). 437 int score = 0; 438 if (candidate.origin == observed_form_.origin) { 439 // This check is here for the most common case which 440 // is we have a single match in the db for the given host, 441 // so we don't generally need to walk the entire URL path (the else 442 // clause). 443 score += (1 << 5) + static_cast<int>(form_path_tokens_.size()); 444 } else { 445 // Walk the origin URL paths one directory at a time to see how 446 // deep the two match. 447 std::vector<std::string> candidate_path_tokens; 448 base::SplitString(candidate.origin.path(), '/', &candidate_path_tokens); 449 size_t depth = 0; 450 size_t max_dirs = std::min(form_path_tokens_.size(), 451 candidate_path_tokens.size()); 452 while ((depth < max_dirs) && (form_path_tokens_[depth] == 453 candidate_path_tokens[depth])) { 454 depth++; 455 score++; 456 } 457 // do we have a partial match? 458 score += (depth > 0) ? 1 << 4 : 0; 459 } 460 if (observed_form_.scheme == PasswordForm::SCHEME_HTML) { 461 if (candidate.action == observed_form_.action) 462 score += 1 << 3; 463 if (candidate.password_element == observed_form_.password_element) 464 score += 1 << 2; 465 if (candidate.submit_element == observed_form_.submit_element) 466 score += 1 << 1; 467 if (candidate.username_element == observed_form_.username_element) 468 score += 1 << 0; 469 } 470 471 return score; 472 } 473 474 void PasswordFormManager::SubmitPassed() { 475 submit_result_ = kSubmitResultPassed; 476 } 477 478 void PasswordFormManager::SubmitFailed() { 479 submit_result_ = kSubmitResultFailed; 480 } 481
