Home | History | Annotate | Download | only in password_manager 
      1 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_
      6 #define CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_
      7 #pragma once
      8 
      9 #include <Security/Security.h>
     10 
     11 #include <string>
     12 #include <vector>
     13 
     14 #include "base/time.h"
     15 #include "chrome/browser/keychain_mac.h"
     16 
     17 // Adapter that wraps a MacKeychain and provides interaction in terms of
     18 // PasswordForms instead of Keychain items.
     19 class MacKeychainPasswordFormAdapter {
     20  public:
     21   // Creates an adapter for |keychain|. This class does not take ownership of
     22   // |keychain|, so the caller must make sure that the keychain outlives the
     23   // created object.
     24   explicit MacKeychainPasswordFormAdapter(const MacKeychain* keychain);
     25 
     26   // Returns PasswordForms for each keychain entry that could be used to fill
     27   // |form|. Caller is responsible for deleting the returned forms.
     28   std::vector<webkit_glue::PasswordForm*> PasswordsFillingForm(
     29       const webkit_glue::PasswordForm& query_form);
     30 
     31   // Returns PasswordForms for each keychain entry that could be merged with
     32   // |form|. Differs from PasswordsFillingForm in that the username must match.
     33   // Caller is responsible for deleting the returned forms.
     34   std::vector<webkit_glue::PasswordForm*> PasswordsMergeableWithForm(
     35       const webkit_glue::PasswordForm& query_form);
     36 
     37   // Returns the PasswordForm for the Keychain entry that matches |form| on all
     38   // of the fields that uniquely identify a Keychain item, or NULL if there is
     39   // no such entry.
     40   // Caller is responsible for deleting the returned form.
     41   webkit_glue::PasswordForm* PasswordExactlyMatchingForm(
     42       const webkit_glue::PasswordForm& query_form);
     43 
     44   // Returns true if PasswordsMergeableWithForm would return any items. This is
     45   // a separate method because calling PasswordsMergeableWithForm and checking
     46   // the return count would require reading the passwords from the keychain,
     47   // thus potentially triggering authorizaiton UI, whereas this won't.
     48   bool HasPasswordsMergeableWithForm(
     49       const webkit_glue::PasswordForm& query_form);
     50 
     51   // Returns all keychain items of types corresponding to password forms.
     52   std::vector<webkit_glue::PasswordForm*> GetAllPasswordFormPasswords();
     53 
     54   // Creates a new keychain entry from |form|, or updates the password of an
     55   // existing keychain entry if there is a collision. Returns true if a keychain
     56   // entry was successfully added/updated.
     57   bool AddPassword(const webkit_glue::PasswordForm& form);
     58 
     59   // Removes the keychain password matching |form| if any. Returns true if a
     60   // keychain item was found and successfully removed.
     61   bool RemovePassword(const webkit_glue::PasswordForm& form);
     62 
     63   // Controls whether or not Chrome will restrict Keychain searches to items
     64   // that it created. Defaults to false.
     65   void SetFindsOnlyOwnedItems(bool finds_only_owned);
     66 
     67  private:
     68   // Returns PasswordForms constructed from the given Keychain items, calling
     69   // MacKeychain::Free on all of the keychain items and clearing the vector.
     70   // Caller is responsible for deleting the returned forms.
     71   std::vector<webkit_glue::PasswordForm*> ConvertKeychainItemsToForms(
     72       std::vector<SecKeychainItemRef>* items);
     73 
     74   // Searches |keychain| for the specific keychain entry that corresponds to the
     75   // given form, and returns it (or NULL if no match is found). The caller is
     76   // responsible for calling MacKeychain::Free on on the returned item.
     77   SecKeychainItemRef KeychainItemForForm(
     78       const webkit_glue::PasswordForm& form);
     79 
     80   // Returns the Keychain items matching the given signon_realm, scheme, and
     81   // optionally path and username (either of both can be NULL).
     82   // The caller is responsible for calling MacKeychain::Free on the
     83   // returned items.
     84   std::vector<SecKeychainItemRef> MatchingKeychainItems(
     85       const std::string& signon_realm, webkit_glue::PasswordForm::Scheme scheme,
     86       const char* path, const char* username);
     87 
     88   // Takes a PasswordForm's signon_realm and parses it into its component parts,
     89   // which are returned though the appropriate out parameters.
     90   // Returns true if it can be successfully parsed, in which case all out params
     91   // that are non-NULL will be set. If there is no port, port will be 0.
     92   // If the return value is false, the state of the out params is undefined.
     93   bool ExtractSignonRealmComponents(const std::string& signon_realm,
     94                                     std::string* server, int* port,
     95                                     bool* is_secure,
     96                                     std::string* security_domain);
     97 
     98   // Returns the Keychain SecAuthenticationType type corresponding to |scheme|.
     99   SecAuthenticationType AuthTypeForScheme(
    100       webkit_glue::PasswordForm::Scheme scheme);
    101 
    102   // Changes the password for keychain_item to |password|; returns true if the
    103   // password was successfully changed.
    104   bool SetKeychainItemPassword(const SecKeychainItemRef& keychain_item,
    105                                const std::string& password);
    106 
    107   // Sets the creator code of keychain_item to creator_code; returns true if the
    108   // creator code was successfully set.
    109   bool SetKeychainItemCreatorCode(const SecKeychainItemRef& keychain_item,
    110                                   OSType creator_code);
    111 
    112   // Returns the creator code to be used for a Keychain search, depending on
    113   // whether this object was instructed to search only for items it created.
    114   // If searches should be restricted in this way, the application-specific
    115   // creator code will be returned. Otherwise, 0 will be returned, indicating
    116   // a search of all items, regardless of creator.
    117   OSType CreatorCodeForSearch();
    118 
    119   const MacKeychain* keychain_;
    120 
    121   // If true, Keychain searches are restricted to items created by Chrome.
    122   bool finds_only_owned_;
    123 
    124   DISALLOW_COPY_AND_ASSIGN(MacKeychainPasswordFormAdapter);
    125 };
    126 
    127 namespace internal_keychain_helpers {
    128 
    129 // Sets the fields of |form| based on the keychain data from |keychain_item|.
    130 // Fields that can't be determined from |keychain_item| will be unchanged.
    131 //
    132 // IMPORTANT: This function can cause the OS to trigger UI (to allow access to
    133 // the keychain item if we aren't trusted for the item), and block until the UI
    134 // is dismissed.
    135 //
    136 // If excessive prompting for access to other applications' keychain items
    137 // becomes an issue, the password storage API will need to be refactored to
    138 // allow the password to be retrieved later (accessing other fields doesn't
    139 // require authorization).
    140 bool FillPasswordFormFromKeychainItem(const MacKeychain& keychain,
    141                                       const SecKeychainItemRef& keychain_item,
    142                                       webkit_glue::PasswordForm* form);
    143 
    144 // Returns true if the two given forms match based on signon_reaml, scheme, and
    145 // username_value, and are thus suitable for merging (see MergePasswordForms).
    146 bool FormsMatchForMerge(const webkit_glue::PasswordForm& form_a,
    147                         const webkit_glue::PasswordForm& form_b);
    148 
    149 // Populates merged_forms by combining the password data from keychain_forms and
    150 // the metadata from database_forms, removing used entries from the two source
    151 // lists.
    152 //
    153 // On return, database_forms and keychain_forms will have only unused
    154 // entries; for database_forms that means entries for which no corresponding
    155 // password can be found (and which aren't blacklist entries), and for
    156 // keychain_forms it's entries that weren't merged into at least one database
    157 // form.
    158 void MergePasswordForms(std::vector<webkit_glue::PasswordForm*>* keychain_forms,
    159                         std::vector<webkit_glue::PasswordForm*>* database_forms,
    160                         std::vector<webkit_glue::PasswordForm*>* merged_forms);
    161 
    162 // Fills in the passwords for as many of the forms in |database_forms| as
    163 // possible using entries from |keychain| and returns them. On return,
    164 // |database_forms| will contain only the forms for which no password was found.
    165 std::vector<webkit_glue::PasswordForm*> GetPasswordsForForms(
    166     const MacKeychain& keychain,
    167     std::vector<webkit_glue::PasswordForm*>* database_forms);
    168 
    169 }  // internal_keychain_helpers
    170 
    171 #endif  // CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_
    172