1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/password_manager/password_form_manager.h"
6
7 #include <algorithm>
8
9 #include "base/metrics/histogram.h"
10 #include "base/string_split.h"
11 #include "base/string_util.h"
12 #include "chrome/browser/password_manager/password_manager.h"
13 #include "chrome/browser/password_manager/password_store.h"
14 #include "chrome/browser/profiles/profile.h"
15 #include "webkit/glue/password_form_dom_manager.h"
16
17 using base::Time;
18 using webkit_glue::PasswordForm;
19 using webkit_glue::PasswordFormMap;
20
PasswordFormManager(Profile * profile,PasswordManager * password_manager,const PasswordForm & observed_form,bool ssl_valid)21 PasswordFormManager::PasswordFormManager(Profile* profile,
22 PasswordManager* password_manager,
23 const PasswordForm& observed_form,
24 bool ssl_valid)
25 : best_matches_deleter_(&best_matches_),
26 observed_form_(observed_form),
27 is_new_login_(true),
28 password_manager_(password_manager),
29 pending_login_query_(0),
30 preferred_match_(NULL),
31 state_(PRE_MATCHING_PHASE),
32 profile_(profile),
33 manager_action_(kManagerActionNone),
34 user_action_(kUserActionNone),
35 submit_result_(kSubmitResultNotSubmitted) {
36 DCHECK(profile_);
37 if (observed_form_.origin.is_valid())
38 base::SplitString(observed_form_.origin.path(), '/', &form_path_tokens_);
39 observed_form_.ssl_valid = ssl_valid;
40 }
41
~PasswordFormManager()42 PasswordFormManager::~PasswordFormManager() {
43 UMA_HISTOGRAM_ENUMERATION("PasswordManager.ActionsTaken",
44 GetActionsTaken(),
45 kMaxNumActionsTaken);
46 }
47
GetActionsTaken()48 int PasswordFormManager::GetActionsTaken() {
49 return user_action_ + kUserActionMax * (manager_action_ +
50 kManagerActionMax * submit_result_);
51 };
52
53 // TODO(timsteele): use a hash of some sort in the future?
DoesManage(const PasswordForm & form) const54 bool PasswordFormManager::DoesManage(const PasswordForm& form) const {
55 if (form.scheme != PasswordForm::SCHEME_HTML)
56 return observed_form_.signon_realm == form.signon_realm;
57
58 // HTML form case.
59 // At a minimum, username and password element must match.
60 if (!((form.username_element == observed_form_.username_element) &&
61 (form.password_element == observed_form_.password_element))) {
62 return false;
63 }
64
65 // The action URL must also match, but the form is allowed to have an empty
66 // action URL (See bug 1107719).
67 if (form.action.is_valid() && (form.action != observed_form_.action))
68 return false;
69
70 // If this is a replay of the same form in the case a user entered an invalid
71 // password, the origin of the new form may equal the action of the "first"
72 // form.
73 if (!((form.origin == observed_form_.origin) ||
74 (form.origin == observed_form_.action))) {
75 if (form.origin.SchemeIsSecure() &&
76 !observed_form_.origin.SchemeIsSecure()) {
77 // Compare origins, ignoring scheme. There is no easy way to do this
78 // with GURL because clearing the scheme would result in an invalid url.
79 // This is for some sites (such as Hotmail) that begin on an http page and
80 // head to https for the retry when password was invalid.
81 std::string::const_iterator after_scheme1 = form.origin.spec().begin() +
82 form.origin.scheme().length();
83 std::string::const_iterator after_scheme2 =
84 observed_form_.origin.spec().begin() +
85 observed_form_.origin.scheme().length();
86 return std::search(after_scheme1,
87 form.origin.spec().end(),
88 after_scheme2,
89 observed_form_.origin.spec().end())
90 != form.origin.spec().end();
91 }
92 return false;
93 }
94 return true;
95 }
96
IsBlacklisted()97 bool PasswordFormManager::IsBlacklisted() {
98 DCHECK_EQ(state_, POST_MATCHING_PHASE);
99 if (preferred_match_ && preferred_match_->blacklisted_by_user)
100 return true;
101 return false;
102 }
103
PermanentlyBlacklist()104 void PasswordFormManager::PermanentlyBlacklist() {
105 DCHECK_EQ(state_, POST_MATCHING_PHASE);
106
107 // Configure the form about to be saved for blacklist status.
108 pending_credentials_.preferred = true;
109 pending_credentials_.blacklisted_by_user = true;
110 pending_credentials_.username_value.clear();
111 pending_credentials_.password_value.clear();
112
113 // Retroactively forget existing matches for this form, so we NEVER prompt or
114 // autofill it again.
115 if (!best_matches_.empty()) {
116 PasswordFormMap::const_iterator iter;
117 PasswordStore* password_store =
118 profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
119 if (!password_store) {
120 NOTREACHED();
121 return;
122 }
123 for (iter = best_matches_.begin(); iter != best_matches_.end(); ++iter) {
124 // We want to remove existing matches for this form so that the exact
125 // origin match with |blackisted_by_user == true| is the only result that
126 // shows up in the future for this origin URL. However, we don't want to
127 // delete logins that were actually saved on a different page (hence with
128 // different origin URL) and just happened to match this form because of
129 // the scoring algorithm. See bug 1204493.
130 if (iter->second->origin == observed_form_.origin)
131 password_store->RemoveLogin(*iter->second);
132 }
133 }
134
135 // Save the pending_credentials_ entry marked as blacklisted.
136 SaveAsNewLogin(false);
137 }
138
IsNewLogin()139 bool PasswordFormManager::IsNewLogin() {
140 DCHECK_EQ(state_, POST_MATCHING_PHASE);
141 return is_new_login_;
142 }
143
HasValidPasswordForm()144 bool PasswordFormManager::HasValidPasswordForm() {
145 DCHECK_EQ(state_, POST_MATCHING_PHASE);
146 // Non-HTML password forms (primarily HTTP and FTP autentication)
147 // do not contain username_element and password_element values.
148 if (observed_form_.scheme != PasswordForm::SCHEME_HTML)
149 return true;
150 return !observed_form_.username_element.empty() &&
151 !observed_form_.password_element.empty();
152 }
153
ProvisionallySave(const PasswordForm & credentials)154 void PasswordFormManager::ProvisionallySave(const PasswordForm& credentials) {
155 DCHECK_EQ(state_, POST_MATCHING_PHASE);
156 DCHECK(DoesManage(credentials));
157
158 // Make sure the important fields stay the same as the initially observed or
159 // autofilled ones, as they may have changed if the user experienced a login
160 // failure.
161 // Look for these credentials in the list containing auto-fill entries.
162 PasswordFormMap::const_iterator it =
163 best_matches_.find(credentials.username_value);
164 if (it != best_matches_.end()) {
165 // The user signed in with a login we autofilled.
166 pending_credentials_ = *it->second;
167 is_new_login_ = false;
168 // If the user selected credentials we autofilled from a PasswordForm
169 // that contained no action URL (IE6/7 imported passwords, for example),
170 // bless it with the action URL from the observed form. See bug 1107719.
171 if (pending_credentials_.action.is_empty())
172 pending_credentials_.action = observed_form_.action;
173
174 // Check to see if we're using a known username but a new password.
175 if (pending_credentials_.password_value != credentials.password_value)
176 user_action_ = kUserActionOverride;
177 } else {
178 // User typed in a new, unknown username.
179 user_action_ = kUserActionOverride;
180 pending_credentials_ = observed_form_;
181 pending_credentials_.username_value = credentials.username_value;
182 }
183
184 pending_credentials_.password_value = credentials.password_value;
185 pending_credentials_.preferred = credentials.preferred;
186 }
187
Save()188 void PasswordFormManager::Save() {
189 DCHECK_EQ(state_, POST_MATCHING_PHASE);
190 DCHECK(!profile_->IsOffTheRecord());
191
192 if (IsNewLogin())
193 SaveAsNewLogin(true);
194 else
195 UpdateLogin();
196 }
197
FetchMatchingLoginsFromPasswordStore()198 void PasswordFormManager::FetchMatchingLoginsFromPasswordStore() {
199 DCHECK_EQ(state_, PRE_MATCHING_PHASE);
200 DCHECK(!pending_login_query_);
201 state_ = MATCHING_PHASE;
202 PasswordStore* password_store =
203 profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
204 if (!password_store) {
205 NOTREACHED();
206 return;
207 }
208 pending_login_query_ = password_store->GetLogins(observed_form_, this);
209 }
210
HasCompletedMatching()211 bool PasswordFormManager::HasCompletedMatching() {
212 return state_ == POST_MATCHING_PHASE;
213 }
214
OnRequestDone(int handle,const std::vector<PasswordForm * > & logins_result)215 void PasswordFormManager::OnRequestDone(int handle,
216 const std::vector<PasswordForm*>& logins_result) {
217 // Note that the result gets deleted after this call completes, but we own
218 // the PasswordForm objects pointed to by the result vector, thus we keep
219 // copies to a minimum here.
220
221 int best_score = 0;
222 std::vector<PasswordForm> empties; // Empty-path matches in result set.
223 for (size_t i = 0; i < logins_result.size(); i++) {
224 if (IgnoreResult(*logins_result[i])) {
225 delete logins_result[i];
226 continue;
227 }
228 // Score and update best matches.
229 int current_score = ScoreResult(*logins_result[i]);
230 // This check is here so we can append empty path matches in the event
231 // they don't score as high as others and aren't added to best_matches_.
232 // This is most commonly imported firefox logins. We skip blacklisted
233 // ones because clearly we don't want to autofill them, and secondly
234 // because they only mean something when we have no other matches already
235 // saved in Chrome - in which case they'll make it through the regular
236 // scoring flow below by design. Note signon_realm == origin implies empty
237 // path logins_result, since signon_realm is a prefix of origin for HTML
238 // password forms.
239 // TODO(timsteele): Bug 1269400. We probably should do something more
240 // elegant for any shorter-path match instead of explicitly handling empty
241 // path matches.
242 if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
243 (observed_form_.signon_realm == logins_result[i]->origin.spec()) &&
244 (current_score > 0) && (!logins_result[i]->blacklisted_by_user)) {
245 empties.push_back(*logins_result[i]);
246 }
247
248 if (current_score < best_score) {
249 delete logins_result[i];
250 continue;
251 }
252 if (current_score == best_score) {
253 best_matches_[logins_result[i]->username_value] = logins_result[i];
254 } else if (current_score > best_score) {
255 best_score = current_score;
256 // This new login has a better score than all those up to this point
257 // Note 'this' owns all the PasswordForms in best_matches_.
258 STLDeleteValues(&best_matches_);
259 best_matches_.clear();
260 preferred_match_ = NULL; // Don't delete, its owned by best_matches_.
261 best_matches_[logins_result[i]->username_value] = logins_result[i];
262 }
263 preferred_match_ = logins_result[i]->preferred ? logins_result[i]
264 : preferred_match_;
265 }
266 // We're done matching now.
267 state_ = POST_MATCHING_PHASE;
268
269 if (best_score <= 0) {
270 return;
271 }
272
273 for (std::vector<PasswordForm>::const_iterator it = empties.begin();
274 it != empties.end(); ++it) {
275 // If we don't already have a result with the same username, add the
276 // lower-scored empty-path match (if it had equal score it would already be
277 // in best_matches_).
278 if (best_matches_.find(it->username_value) == best_matches_.end())
279 best_matches_[it->username_value] = new PasswordForm(*it);
280 }
281
282 // It is possible we have at least one match but have no preferred_match_,
283 // because a user may have chosen to 'Forget' the preferred match. So we
284 // just pick the first one and whichever the user selects for submit will
285 // be saved as preferred.
286 DCHECK(!best_matches_.empty());
287 if (!preferred_match_)
288 preferred_match_ = best_matches_.begin()->second;
289
290 // Check to see if the user told us to ignore this site in the past.
291 if (preferred_match_->blacklisted_by_user) {
292 manager_action_ = kManagerActionBlacklisted;
293 return;
294 }
295
296 // Proceed to autofill (note that we provide the choices but don't
297 // actually prefill a value if the ACTION paths don't match).
298 bool wait_for_username = observed_form_.action.GetWithEmptyPath() !=
299 preferred_match_->action.GetWithEmptyPath();
300 if (wait_for_username)
301 manager_action_ = kManagerActionNone;
302 else
303 manager_action_ = kManagerActionAutofilled;
304 password_manager_->Autofill(observed_form_, best_matches_,
305 preferred_match_, wait_for_username);
306 }
307
OnPasswordStoreRequestDone(CancelableRequestProvider::Handle handle,const std::vector<PasswordForm * > & result)308 void PasswordFormManager::OnPasswordStoreRequestDone(
309 CancelableRequestProvider::Handle handle,
310 const std::vector<PasswordForm*>& result) {
311 DCHECK_EQ(state_, MATCHING_PHASE);
312 DCHECK_EQ(pending_login_query_, handle);
313
314 if (result.empty()) {
315 state_ = POST_MATCHING_PHASE;
316 return;
317 }
318
319 OnRequestDone(handle, result);
320 pending_login_query_ = 0;
321 }
322
IgnoreResult(const PasswordForm & form) const323 bool PasswordFormManager::IgnoreResult(const PasswordForm& form) const {
324 // Ignore change password forms until we have some change password
325 // functionality
326 if (observed_form_.old_password_element.length() != 0) {
327 return true;
328 }
329 // Don't match an invalid SSL form with one saved under secure
330 // circumstances.
331 if (form.ssl_valid && !observed_form_.ssl_valid) {
332 return true;
333 }
334 return false;
335 }
336
SaveAsNewLogin(bool reset_preferred_login)337 void PasswordFormManager::SaveAsNewLogin(bool reset_preferred_login) {
338 DCHECK_EQ(state_, POST_MATCHING_PHASE);
339 DCHECK(IsNewLogin());
340 // The new_form is being used to sign in, so it is preferred.
341 DCHECK(pending_credentials_.preferred);
342 // new_form contains the same basic data as observed_form_ (because its the
343 // same form), but with the newly added credentials.
344
345 DCHECK(!profile_->IsOffTheRecord());
346
347 PasswordStore* password_store =
348 profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
349 if (!password_store) {
350 NOTREACHED();
351 return;
352 }
353
354 pending_credentials_.date_created = Time::Now();
355 password_store->AddLogin(pending_credentials_);
356
357 if (reset_preferred_login) {
358 UpdatePreferredLoginState(password_store);
359 }
360 }
361
UpdatePreferredLoginState(PasswordStore * password_store)362 void PasswordFormManager::UpdatePreferredLoginState(
363 PasswordStore* password_store) {
364 DCHECK(password_store);
365 PasswordFormMap::iterator iter;
366 for (iter = best_matches_.begin(); iter != best_matches_.end(); iter++) {
367 if (iter->second->username_value != pending_credentials_.username_value &&
368 iter->second->preferred) {
369 // This wasn't the selected login but it used to be preferred.
370 iter->second->preferred = false;
371 if (user_action_ == kUserActionNone)
372 user_action_ = kUserActionChoose;
373 password_store->UpdateLogin(*iter->second);
374 }
375 }
376 }
377
UpdateLogin()378 void PasswordFormManager::UpdateLogin() {
379 DCHECK_EQ(state_, POST_MATCHING_PHASE);
380 DCHECK(preferred_match_);
381 // If we're doing an Update, we either autofilled correctly and need to
382 // update the stats, or the user typed in a new password for autofilled
383 // username, or the user selected one of the non-preferred matches,
384 // thus requiring a swap of preferred bits.
385 DCHECK(!IsNewLogin() && pending_credentials_.preferred);
386 DCHECK(!profile_->IsOffTheRecord());
387
388 PasswordStore* password_store =
389 profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
390 if (!password_store) {
391 NOTREACHED();
392 return;
393 }
394
395 UpdatePreferredLoginState(password_store);
396
397 // Update the new preferred login.
398 // Note origin.spec().length > signon_realm.length implies the origin has a
399 // path, since signon_realm is a prefix of origin for HTML password forms.
400 if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
401 (observed_form_.origin.spec().length() >
402 observed_form_.signon_realm.length()) &&
403 (observed_form_.signon_realm == pending_credentials_.origin.spec())) {
404 // The user logged in successfully with one of our autofilled logins on a
405 // page with non-empty path, but the autofilled entry was initially saved/
406 // imported with an empty path. Rather than just mark this entry preferred,
407 // we create a more specific copy for this exact page and leave the "master"
408 // unchanged. This is to prevent the case where that master login is used
409 // on several sites (e.g site.com/a and site.com/b) but the user actually
410 // has a different preference on each site. For example, on /a, he wants the
411 // general empty-path login so it is flagged as preferred, but on /b he logs
412 // in with a different saved entry - we don't want to remove the preferred
413 // status of the former because upon return to /a it won't be the default-
414 // fill match.
415 // TODO(timsteele): Bug 1188626 - expire the master copies.
416 PasswordForm copy(pending_credentials_);
417 copy.origin = observed_form_.origin;
418 copy.action = observed_form_.action;
419 password_store->AddLogin(copy);
420 } else {
421 password_store->UpdateLogin(pending_credentials_);
422 }
423 }
424
ScoreResult(const PasswordForm & candidate) const425 int PasswordFormManager::ScoreResult(const PasswordForm& candidate) const {
426 DCHECK_EQ(state_, MATCHING_PHASE);
427 // For scoring of candidate login data:
428 // The most important element that should match is the origin, followed by
429 // the action, the password name, the submit button name, and finally the
430 // username input field name.
431 // Exact origin match gives an addition of 32 (1 << 5) + # of matching url
432 // dirs.
433 // Partial match gives an addition of 16 (1 << 4) + # matching url dirs
434 // That way, a partial match cannot trump an exact match even if
435 // the partial one matches all other attributes (action, elements) (and
436 // regardless of the matching depth in the URL path).
437 int score = 0;
438 if (candidate.origin == observed_form_.origin) {
439 // This check is here for the most common case which
440 // is we have a single match in the db for the given host,
441 // so we don't generally need to walk the entire URL path (the else
442 // clause).
443 score += (1 << 5) + static_cast<int>(form_path_tokens_.size());
444 } else {
445 // Walk the origin URL paths one directory at a time to see how
446 // deep the two match.
447 std::vector<std::string> candidate_path_tokens;
448 base::SplitString(candidate.origin.path(), '/', &candidate_path_tokens);
449 size_t depth = 0;
450 size_t max_dirs = std::min(form_path_tokens_.size(),
451 candidate_path_tokens.size());
452 while ((depth < max_dirs) && (form_path_tokens_[depth] ==
453 candidate_path_tokens[depth])) {
454 depth++;
455 score++;
456 }
457 // do we have a partial match?
458 score += (depth > 0) ? 1 << 4 : 0;
459 }
460 if (observed_form_.scheme == PasswordForm::SCHEME_HTML) {
461 if (candidate.action == observed_form_.action)
462 score += 1 << 3;
463 if (candidate.password_element == observed_form_.password_element)
464 score += 1 << 2;
465 if (candidate.submit_element == observed_form_.submit_element)
466 score += 1 << 1;
467 if (candidate.username_element == observed_form_.username_element)
468 score += 1 << 0;
469 }
470
471 return score;
472 }
473
SubmitPassed()474 void PasswordFormManager::SubmitPassed() {
475 submit_result_ = kSubmitResultPassed;
476 }
477
SubmitFailed()478 void PasswordFormManager::SubmitFailed() {
479 submit_result_ = kSubmitResultFailed;
480 }
481