1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ 6 #define CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ 7 #pragma once 8 9 #include <Security/Security.h> 10 11 #include <string> 12 #include <vector> 13 14 #include "base/time.h" 15 #include "chrome/browser/keychain_mac.h" 16 17 // Adapter that wraps a MacKeychain and provides interaction in terms of 18 // PasswordForms instead of Keychain items. 19 class MacKeychainPasswordFormAdapter { 20 public: 21 // Creates an adapter for |keychain|. This class does not take ownership of 22 // |keychain|, so the caller must make sure that the keychain outlives the 23 // created object. 24 explicit MacKeychainPasswordFormAdapter(const MacKeychain* keychain); 25 26 // Returns PasswordForms for each keychain entry that could be used to fill 27 // |form|. Caller is responsible for deleting the returned forms. 28 std::vector<webkit_glue::PasswordForm*> PasswordsFillingForm( 29 const webkit_glue::PasswordForm& query_form); 30 31 // Returns PasswordForms for each keychain entry that could be merged with 32 // |form|. Differs from PasswordsFillingForm in that the username must match. 33 // Caller is responsible for deleting the returned forms. 34 std::vector<webkit_glue::PasswordForm*> PasswordsMergeableWithForm( 35 const webkit_glue::PasswordForm& query_form); 36 37 // Returns the PasswordForm for the Keychain entry that matches |form| on all 38 // of the fields that uniquely identify a Keychain item, or NULL if there is 39 // no such entry. 40 // Caller is responsible for deleting the returned form. 41 webkit_glue::PasswordForm* PasswordExactlyMatchingForm( 42 const webkit_glue::PasswordForm& query_form); 43 44 // Returns true if PasswordsMergeableWithForm would return any items. This is 45 // a separate method because calling PasswordsMergeableWithForm and checking 46 // the return count would require reading the passwords from the keychain, 47 // thus potentially triggering authorizaiton UI, whereas this won't. 48 bool HasPasswordsMergeableWithForm( 49 const webkit_glue::PasswordForm& query_form); 50 51 // Returns all keychain items of types corresponding to password forms. 52 std::vector<webkit_glue::PasswordForm*> GetAllPasswordFormPasswords(); 53 54 // Creates a new keychain entry from |form|, or updates the password of an 55 // existing keychain entry if there is a collision. Returns true if a keychain 56 // entry was successfully added/updated. 57 bool AddPassword(const webkit_glue::PasswordForm& form); 58 59 // Removes the keychain password matching |form| if any. Returns true if a 60 // keychain item was found and successfully removed. 61 bool RemovePassword(const webkit_glue::PasswordForm& form); 62 63 // Controls whether or not Chrome will restrict Keychain searches to items 64 // that it created. Defaults to false. 65 void SetFindsOnlyOwnedItems(bool finds_only_owned); 66 67 private: 68 // Returns PasswordForms constructed from the given Keychain items, calling 69 // MacKeychain::Free on all of the keychain items and clearing the vector. 70 // Caller is responsible for deleting the returned forms. 71 std::vector<webkit_glue::PasswordForm*> ConvertKeychainItemsToForms( 72 std::vector<SecKeychainItemRef>* items); 73 74 // Searches |keychain| for the specific keychain entry that corresponds to the 75 // given form, and returns it (or NULL if no match is found). The caller is 76 // responsible for calling MacKeychain::Free on on the returned item. 77 SecKeychainItemRef KeychainItemForForm( 78 const webkit_glue::PasswordForm& form); 79 80 // Returns the Keychain items matching the given signon_realm, scheme, and 81 // optionally path and username (either of both can be NULL). 82 // The caller is responsible for calling MacKeychain::Free on the 83 // returned items. 84 std::vector<SecKeychainItemRef> MatchingKeychainItems( 85 const std::string& signon_realm, webkit_glue::PasswordForm::Scheme scheme, 86 const char* path, const char* username); 87 88 // Takes a PasswordForm's signon_realm and parses it into its component parts, 89 // which are returned though the appropriate out parameters. 90 // Returns true if it can be successfully parsed, in which case all out params 91 // that are non-NULL will be set. If there is no port, port will be 0. 92 // If the return value is false, the state of the out params is undefined. 93 bool ExtractSignonRealmComponents(const std::string& signon_realm, 94 std::string* server, int* port, 95 bool* is_secure, 96 std::string* security_domain); 97 98 // Returns the Keychain SecAuthenticationType type corresponding to |scheme|. 99 SecAuthenticationType AuthTypeForScheme( 100 webkit_glue::PasswordForm::Scheme scheme); 101 102 // Changes the password for keychain_item to |password|; returns true if the 103 // password was successfully changed. 104 bool SetKeychainItemPassword(const SecKeychainItemRef& keychain_item, 105 const std::string& password); 106 107 // Sets the creator code of keychain_item to creator_code; returns true if the 108 // creator code was successfully set. 109 bool SetKeychainItemCreatorCode(const SecKeychainItemRef& keychain_item, 110 OSType creator_code); 111 112 // Returns the creator code to be used for a Keychain search, depending on 113 // whether this object was instructed to search only for items it created. 114 // If searches should be restricted in this way, the application-specific 115 // creator code will be returned. Otherwise, 0 will be returned, indicating 116 // a search of all items, regardless of creator. 117 OSType CreatorCodeForSearch(); 118 119 const MacKeychain* keychain_; 120 121 // If true, Keychain searches are restricted to items created by Chrome. 122 bool finds_only_owned_; 123 124 DISALLOW_COPY_AND_ASSIGN(MacKeychainPasswordFormAdapter); 125 }; 126 127 namespace internal_keychain_helpers { 128 129 // Sets the fields of |form| based on the keychain data from |keychain_item|. 130 // Fields that can't be determined from |keychain_item| will be unchanged. 131 // 132 // IMPORTANT: This function can cause the OS to trigger UI (to allow access to 133 // the keychain item if we aren't trusted for the item), and block until the UI 134 // is dismissed. 135 // 136 // If excessive prompting for access to other applications' keychain items 137 // becomes an issue, the password storage API will need to be refactored to 138 // allow the password to be retrieved later (accessing other fields doesn't 139 // require authorization). 140 bool FillPasswordFormFromKeychainItem(const MacKeychain& keychain, 141 const SecKeychainItemRef& keychain_item, 142 webkit_glue::PasswordForm* form); 143 144 // Returns true if the two given forms match based on signon_reaml, scheme, and 145 // username_value, and are thus suitable for merging (see MergePasswordForms). 146 bool FormsMatchForMerge(const webkit_glue::PasswordForm& form_a, 147 const webkit_glue::PasswordForm& form_b); 148 149 // Populates merged_forms by combining the password data from keychain_forms and 150 // the metadata from database_forms, removing used entries from the two source 151 // lists. 152 // 153 // On return, database_forms and keychain_forms will have only unused 154 // entries; for database_forms that means entries for which no corresponding 155 // password can be found (and which aren't blacklist entries), and for 156 // keychain_forms it's entries that weren't merged into at least one database 157 // form. 158 void MergePasswordForms(std::vector<webkit_glue::PasswordForm*>* keychain_forms, 159 std::vector<webkit_glue::PasswordForm*>* database_forms, 160 std::vector<webkit_glue::PasswordForm*>* merged_forms); 161 162 // Fills in the passwords for as many of the forms in |database_forms| as 163 // possible using entries from |keychain| and returns them. On return, 164 // |database_forms| will contain only the forms for which no password was found. 165 std::vector<webkit_glue::PasswordForm*> GetPasswordsForForms( 166 const MacKeychain& keychain, 167 std::vector<webkit_glue::PasswordForm*>* database_forms); 168 169 } // internal_keychain_helpers 170 171 #endif // CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ 172