Home | History | Annotate | Download | only in password_manager
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chrome/browser/password_manager/password_form_manager.h"
      6 
      7 #include <algorithm>
      8 
      9 #include "base/metrics/histogram.h"
     10 #include "base/string_split.h"
     11 #include "base/string_util.h"
     12 #include "chrome/browser/password_manager/password_manager.h"
     13 #include "chrome/browser/password_manager/password_store.h"
     14 #include "chrome/browser/profiles/profile.h"
     15 #include "webkit/glue/password_form_dom_manager.h"
     16 
     17 using base::Time;
     18 using webkit_glue::PasswordForm;
     19 using webkit_glue::PasswordFormMap;
     20 
     21 PasswordFormManager::PasswordFormManager(Profile* profile,
     22                                          PasswordManager* password_manager,
     23                                          const PasswordForm& observed_form,
     24                                          bool ssl_valid)
     25     : best_matches_deleter_(&best_matches_),
     26       observed_form_(observed_form),
     27       is_new_login_(true),
     28       password_manager_(password_manager),
     29       pending_login_query_(0),
     30       preferred_match_(NULL),
     31       state_(PRE_MATCHING_PHASE),
     32       profile_(profile),
     33       manager_action_(kManagerActionNone),
     34       user_action_(kUserActionNone),
     35       submit_result_(kSubmitResultNotSubmitted) {
     36   DCHECK(profile_);
     37   if (observed_form_.origin.is_valid())
     38     base::SplitString(observed_form_.origin.path(), '/', &form_path_tokens_);
     39   observed_form_.ssl_valid = ssl_valid;
     40 }
     41 
     42 PasswordFormManager::~PasswordFormManager() {
     43   UMA_HISTOGRAM_ENUMERATION("PasswordManager.ActionsTaken",
     44                             GetActionsTaken(),
     45                             kMaxNumActionsTaken);
     46 }
     47 
     48 int PasswordFormManager::GetActionsTaken() {
     49   return user_action_ + kUserActionMax * (manager_action_ +
     50          kManagerActionMax * submit_result_);
     51 };
     52 
     53 // TODO(timsteele): use a hash of some sort in the future?
     54 bool PasswordFormManager::DoesManage(const PasswordForm& form) const {
     55   if (form.scheme != PasswordForm::SCHEME_HTML)
     56       return observed_form_.signon_realm == form.signon_realm;
     57 
     58   // HTML form case.
     59   // At a minimum, username and password element must match.
     60   if (!((form.username_element == observed_form_.username_element) &&
     61         (form.password_element == observed_form_.password_element))) {
     62     return false;
     63   }
     64 
     65   // The action URL must also match, but the form is allowed to have an empty
     66   // action URL (See bug 1107719).
     67   if (form.action.is_valid() && (form.action != observed_form_.action))
     68     return false;
     69 
     70   // If this is a replay of the same form in the case a user entered an invalid
     71   // password, the origin of the new form may equal the action of the "first"
     72   // form.
     73   if (!((form.origin == observed_form_.origin) ||
     74         (form.origin == observed_form_.action))) {
     75     if (form.origin.SchemeIsSecure() &&
     76         !observed_form_.origin.SchemeIsSecure()) {
     77       // Compare origins, ignoring scheme. There is no easy way to do this
     78       // with GURL because clearing the scheme would result in an invalid url.
     79       // This is for some sites (such as Hotmail) that begin on an http page and
     80       // head to https for the retry when password was invalid.
     81       std::string::const_iterator after_scheme1 = form.origin.spec().begin() +
     82                                                   form.origin.scheme().length();
     83       std::string::const_iterator after_scheme2 =
     84           observed_form_.origin.spec().begin() +
     85           observed_form_.origin.scheme().length();
     86       return std::search(after_scheme1,
     87                          form.origin.spec().end(),
     88                          after_scheme2,
     89                          observed_form_.origin.spec().end())
     90                          != form.origin.spec().end();
     91     }
     92     return false;
     93   }
     94   return true;
     95 }
     96 
     97 bool PasswordFormManager::IsBlacklisted() {
     98   DCHECK_EQ(state_, POST_MATCHING_PHASE);
     99   if (preferred_match_ && preferred_match_->blacklisted_by_user)
    100     return true;
    101   return false;
    102 }
    103 
    104 void PasswordFormManager::PermanentlyBlacklist() {
    105   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    106 
    107   // Configure the form about to be saved for blacklist status.
    108   pending_credentials_.preferred = true;
    109   pending_credentials_.blacklisted_by_user = true;
    110   pending_credentials_.username_value.clear();
    111   pending_credentials_.password_value.clear();
    112 
    113   // Retroactively forget existing matches for this form, so we NEVER prompt or
    114   // autofill it again.
    115   if (!best_matches_.empty()) {
    116     PasswordFormMap::const_iterator iter;
    117     PasswordStore* password_store =
    118         profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
    119     if (!password_store) {
    120       NOTREACHED();
    121       return;
    122     }
    123     for (iter = best_matches_.begin(); iter != best_matches_.end(); ++iter) {
    124       // We want to remove existing matches for this form so that the exact
    125       // origin match with |blackisted_by_user == true| is the only result that
    126       // shows up in the future for this origin URL. However, we don't want to
    127       // delete logins that were actually saved on a different page (hence with
    128       // different origin URL) and just happened to match this form because of
    129       // the scoring algorithm. See bug 1204493.
    130       if (iter->second->origin == observed_form_.origin)
    131         password_store->RemoveLogin(*iter->second);
    132     }
    133   }
    134 
    135   // Save the pending_credentials_ entry marked as blacklisted.
    136   SaveAsNewLogin(false);
    137 }
    138 
    139 bool PasswordFormManager::IsNewLogin() {
    140   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    141   return is_new_login_;
    142 }
    143 
    144 bool PasswordFormManager::HasValidPasswordForm() {
    145   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    146   // Non-HTML password forms (primarily HTTP and FTP autentication)
    147   // do not contain username_element and password_element values.
    148   if (observed_form_.scheme != PasswordForm::SCHEME_HTML)
    149     return true;
    150   return !observed_form_.username_element.empty() &&
    151       !observed_form_.password_element.empty();
    152 }
    153 
    154 void PasswordFormManager::ProvisionallySave(const PasswordForm& credentials) {
    155   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    156   DCHECK(DoesManage(credentials));
    157 
    158   // Make sure the important fields stay the same as the initially observed or
    159   // autofilled ones, as they may have changed if the user experienced a login
    160   // failure.
    161   // Look for these credentials in the list containing auto-fill entries.
    162   PasswordFormMap::const_iterator it =
    163       best_matches_.find(credentials.username_value);
    164   if (it != best_matches_.end()) {
    165     // The user signed in with a login we autofilled.
    166     pending_credentials_ = *it->second;
    167     is_new_login_ = false;
    168     // If the user selected credentials we autofilled from a PasswordForm
    169     // that contained no action URL (IE6/7 imported passwords, for example),
    170     // bless it with the action URL from the observed form. See bug 1107719.
    171     if (pending_credentials_.action.is_empty())
    172       pending_credentials_.action = observed_form_.action;
    173 
    174     // Check to see if we're using a known username but a new password.
    175     if (pending_credentials_.password_value != credentials.password_value)
    176       user_action_ = kUserActionOverride;
    177   } else {
    178     // User typed in a new, unknown username.
    179     user_action_ = kUserActionOverride;
    180     pending_credentials_ = observed_form_;
    181     pending_credentials_.username_value = credentials.username_value;
    182   }
    183 
    184   pending_credentials_.password_value = credentials.password_value;
    185   pending_credentials_.preferred = credentials.preferred;
    186 }
    187 
    188 void PasswordFormManager::Save() {
    189   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    190   DCHECK(!profile_->IsOffTheRecord());
    191 
    192   if (IsNewLogin())
    193     SaveAsNewLogin(true);
    194   else
    195     UpdateLogin();
    196 }
    197 
    198 void PasswordFormManager::FetchMatchingLoginsFromPasswordStore() {
    199   DCHECK_EQ(state_, PRE_MATCHING_PHASE);
    200   DCHECK(!pending_login_query_);
    201   state_ = MATCHING_PHASE;
    202   PasswordStore* password_store =
    203       profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
    204   if (!password_store) {
    205     NOTREACHED();
    206     return;
    207   }
    208   pending_login_query_ = password_store->GetLogins(observed_form_, this);
    209 }
    210 
    211 bool PasswordFormManager::HasCompletedMatching() {
    212   return state_ == POST_MATCHING_PHASE;
    213 }
    214 
    215 void PasswordFormManager::OnRequestDone(int handle,
    216     const std::vector<PasswordForm*>& logins_result) {
    217   // Note that the result gets deleted after this call completes, but we own
    218   // the PasswordForm objects pointed to by the result vector, thus we keep
    219   // copies to a minimum here.
    220 
    221   int best_score = 0;
    222   std::vector<PasswordForm> empties;  // Empty-path matches in result set.
    223   for (size_t i = 0; i < logins_result.size(); i++) {
    224     if (IgnoreResult(*logins_result[i])) {
    225       delete logins_result[i];
    226       continue;
    227     }
    228     // Score and update best matches.
    229     int current_score = ScoreResult(*logins_result[i]);
    230     // This check is here so we can append empty path matches in the event
    231     // they don't score as high as others and aren't added to best_matches_.
    232     // This is most commonly imported firefox logins. We skip blacklisted
    233     // ones because clearly we don't want to autofill them, and secondly
    234     // because they only mean something when we have no other matches already
    235     // saved in Chrome - in which case they'll make it through the regular
    236     // scoring flow below by design. Note signon_realm == origin implies empty
    237     // path logins_result, since signon_realm is a prefix of origin for HTML
    238     // password forms.
    239     // TODO(timsteele): Bug 1269400. We probably should do something more
    240     // elegant for any shorter-path match instead of explicitly handling empty
    241     // path matches.
    242     if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
    243         (observed_form_.signon_realm == logins_result[i]->origin.spec()) &&
    244         (current_score > 0) && (!logins_result[i]->blacklisted_by_user)) {
    245       empties.push_back(*logins_result[i]);
    246     }
    247 
    248     if (current_score < best_score) {
    249       delete logins_result[i];
    250       continue;
    251     }
    252     if (current_score == best_score) {
    253       best_matches_[logins_result[i]->username_value] = logins_result[i];
    254     } else if (current_score > best_score) {
    255       best_score = current_score;
    256       // This new login has a better score than all those up to this point
    257       // Note 'this' owns all the PasswordForms in best_matches_.
    258       STLDeleteValues(&best_matches_);
    259       best_matches_.clear();
    260       preferred_match_ = NULL;  // Don't delete, its owned by best_matches_.
    261       best_matches_[logins_result[i]->username_value] = logins_result[i];
    262     }
    263     preferred_match_ = logins_result[i]->preferred ? logins_result[i]
    264                                                    : preferred_match_;
    265   }
    266   // We're done matching now.
    267   state_ = POST_MATCHING_PHASE;
    268 
    269   if (best_score <= 0) {
    270     return;
    271   }
    272 
    273   for (std::vector<PasswordForm>::const_iterator it = empties.begin();
    274        it != empties.end(); ++it) {
    275     // If we don't already have a result with the same username, add the
    276     // lower-scored empty-path match (if it had equal score it would already be
    277     // in best_matches_).
    278     if (best_matches_.find(it->username_value) == best_matches_.end())
    279       best_matches_[it->username_value] = new PasswordForm(*it);
    280   }
    281 
    282   // It is possible we have at least one match but have no preferred_match_,
    283   // because a user may have chosen to 'Forget' the preferred match. So we
    284   // just pick the first one and whichever the user selects for submit will
    285   // be saved as preferred.
    286   DCHECK(!best_matches_.empty());
    287   if (!preferred_match_)
    288     preferred_match_ = best_matches_.begin()->second;
    289 
    290   // Check to see if the user told us to ignore this site in the past.
    291   if (preferred_match_->blacklisted_by_user) {
    292     manager_action_ = kManagerActionBlacklisted;
    293     return;
    294   }
    295 
    296   // Proceed to autofill (note that we provide the choices but don't
    297   // actually prefill a value if the ACTION paths don't match).
    298   bool wait_for_username = observed_form_.action.GetWithEmptyPath() !=
    299                            preferred_match_->action.GetWithEmptyPath();
    300   if (wait_for_username)
    301     manager_action_ = kManagerActionNone;
    302   else
    303     manager_action_ = kManagerActionAutofilled;
    304   password_manager_->Autofill(observed_form_, best_matches_,
    305                               preferred_match_, wait_for_username);
    306 }
    307 
    308 void PasswordFormManager::OnPasswordStoreRequestDone(
    309     CancelableRequestProvider::Handle handle,
    310     const std::vector<PasswordForm*>& result) {
    311   DCHECK_EQ(state_, MATCHING_PHASE);
    312   DCHECK_EQ(pending_login_query_, handle);
    313 
    314   if (result.empty()) {
    315     state_ = POST_MATCHING_PHASE;
    316     return;
    317   }
    318 
    319   OnRequestDone(handle, result);
    320   pending_login_query_ = 0;
    321 }
    322 
    323 bool PasswordFormManager::IgnoreResult(const PasswordForm& form) const {
    324   // Ignore change password forms until we have some change password
    325   // functionality
    326   if (observed_form_.old_password_element.length() != 0) {
    327     return true;
    328   }
    329   // Don't match an invalid SSL form with one saved under secure
    330   // circumstances.
    331   if (form.ssl_valid && !observed_form_.ssl_valid) {
    332     return true;
    333   }
    334   return false;
    335 }
    336 
    337 void PasswordFormManager::SaveAsNewLogin(bool reset_preferred_login) {
    338   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    339   DCHECK(IsNewLogin());
    340   // The new_form is being used to sign in, so it is preferred.
    341   DCHECK(pending_credentials_.preferred);
    342   // new_form contains the same basic data as observed_form_ (because its the
    343   // same form), but with the newly added credentials.
    344 
    345   DCHECK(!profile_->IsOffTheRecord());
    346 
    347   PasswordStore* password_store =
    348       profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
    349   if (!password_store) {
    350     NOTREACHED();
    351     return;
    352   }
    353 
    354   pending_credentials_.date_created = Time::Now();
    355   password_store->AddLogin(pending_credentials_);
    356 
    357   if (reset_preferred_login) {
    358     UpdatePreferredLoginState(password_store);
    359   }
    360 }
    361 
    362 void PasswordFormManager::UpdatePreferredLoginState(
    363     PasswordStore* password_store) {
    364   DCHECK(password_store);
    365   PasswordFormMap::iterator iter;
    366   for (iter = best_matches_.begin(); iter != best_matches_.end(); iter++) {
    367     if (iter->second->username_value != pending_credentials_.username_value &&
    368         iter->second->preferred) {
    369       // This wasn't the selected login but it used to be preferred.
    370       iter->second->preferred = false;
    371       if (user_action_ == kUserActionNone)
    372         user_action_ = kUserActionChoose;
    373       password_store->UpdateLogin(*iter->second);
    374     }
    375   }
    376 }
    377 
    378 void PasswordFormManager::UpdateLogin() {
    379   DCHECK_EQ(state_, POST_MATCHING_PHASE);
    380   DCHECK(preferred_match_);
    381   // If we're doing an Update, we either autofilled correctly and need to
    382   // update the stats, or the user typed in a new password for autofilled
    383   // username, or the user selected one of the non-preferred matches,
    384   // thus requiring a swap of preferred bits.
    385   DCHECK(!IsNewLogin() && pending_credentials_.preferred);
    386   DCHECK(!profile_->IsOffTheRecord());
    387 
    388   PasswordStore* password_store =
    389       profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
    390   if (!password_store) {
    391     NOTREACHED();
    392     return;
    393   }
    394 
    395   UpdatePreferredLoginState(password_store);
    396 
    397   // Update the new preferred login.
    398   // Note origin.spec().length > signon_realm.length implies the origin has a
    399   // path, since signon_realm is a prefix of origin for HTML password forms.
    400   if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
    401       (observed_form_.origin.spec().length() >
    402        observed_form_.signon_realm.length()) &&
    403       (observed_form_.signon_realm == pending_credentials_.origin.spec())) {
    404     // The user logged in successfully with one of our autofilled logins on a
    405     // page with non-empty path, but the autofilled entry was initially saved/
    406     // imported with an empty path. Rather than just mark this entry preferred,
    407     // we create a more specific copy for this exact page and leave the "master"
    408     // unchanged. This is to prevent the case where that master login is used
    409     // on several sites (e.g site.com/a and site.com/b) but the user actually
    410     // has a different preference on each site. For example, on /a, he wants the
    411     // general empty-path login so it is flagged as preferred, but on /b he logs
    412     // in with a different saved entry - we don't want to remove the preferred
    413     // status of the former because upon return to /a it won't be the default-
    414     // fill match.
    415     // TODO(timsteele): Bug 1188626 - expire the master copies.
    416     PasswordForm copy(pending_credentials_);
    417     copy.origin = observed_form_.origin;
    418     copy.action = observed_form_.action;
    419     password_store->AddLogin(copy);
    420   } else {
    421     password_store->UpdateLogin(pending_credentials_);
    422   }
    423 }
    424 
    425 int PasswordFormManager::ScoreResult(const PasswordForm& candidate) const {
    426   DCHECK_EQ(state_, MATCHING_PHASE);
    427   // For scoring of candidate login data:
    428   // The most important element that should match is the origin, followed by
    429   // the action, the password name, the submit button name, and finally the
    430   // username input field name.
    431   // Exact origin match gives an addition of 32 (1 << 5) + # of matching url
    432   // dirs.
    433   // Partial match gives an addition of 16 (1 << 4) + # matching url dirs
    434   // That way, a partial match cannot trump an exact match even if
    435   // the partial one matches all other attributes (action, elements) (and
    436   // regardless of the matching depth in the URL path).
    437   int score = 0;
    438   if (candidate.origin == observed_form_.origin) {
    439     // This check is here for the most common case which
    440     // is we have a single match in the db for the given host,
    441     // so we don't generally need to walk the entire URL path (the else
    442     // clause).
    443     score += (1 << 5) + static_cast<int>(form_path_tokens_.size());
    444   } else {
    445     // Walk the origin URL paths one directory at a time to see how
    446     // deep the two match.
    447     std::vector<std::string> candidate_path_tokens;
    448     base::SplitString(candidate.origin.path(), '/', &candidate_path_tokens);
    449     size_t depth = 0;
    450     size_t max_dirs = std::min(form_path_tokens_.size(),
    451                                candidate_path_tokens.size());
    452     while ((depth < max_dirs) && (form_path_tokens_[depth] ==
    453                                   candidate_path_tokens[depth])) {
    454       depth++;
    455       score++;
    456     }
    457     // do we have a partial match?
    458     score += (depth > 0) ? 1 << 4 : 0;
    459   }
    460   if (observed_form_.scheme == PasswordForm::SCHEME_HTML) {
    461     if (candidate.action == observed_form_.action)
    462       score += 1 << 3;
    463     if (candidate.password_element == observed_form_.password_element)
    464       score += 1 << 2;
    465     if (candidate.submit_element == observed_form_.submit_element)
    466       score += 1 << 1;
    467     if (candidate.username_element == observed_form_.username_element)
    468       score += 1 << 0;
    469   }
    470 
    471   return score;
    472 }
    473 
    474 void PasswordFormManager::SubmitPassed() {
    475   submit_result_ = kSubmitResultPassed;
    476 }
    477 
    478 void PasswordFormManager::SubmitFailed() {
    479   submit_result_ = kSubmitResultFailed;
    480 }
    481