| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ |
| #define CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ |
| |
| #include <Security/Security.h> |
| |
| #include <string> |
| #include <vector> |
| |
| #include "components/autofill/core/common/password_form.h" |
| #include "crypto/apple_keychain.h" |
| |
| using crypto::AppleKeychain; |
| |
| // Adapter that wraps a AppleKeychain and provides interaction in terms of |
| // PasswordForms instead of Keychain items. |
| class MacKeychainPasswordFormAdapter { |
| public: |
| // Creates an adapter for |keychain|. This class does not take ownership of |
| // |keychain|, so the caller must make sure that the keychain outlives the |
| // created object. |
| explicit MacKeychainPasswordFormAdapter(const AppleKeychain* keychain); |
| |
| // Returns PasswordForms for each keychain entry that could be used to fill |
| // |form|. Caller is responsible for deleting the returned forms. |
| std::vector<autofill::PasswordForm*> PasswordsFillingForm( |
| const std::string& signon_realm, |
| autofill::PasswordForm::Scheme scheme); |
| |
| // Returns the PasswordForm for the Keychain entry that matches |form| on all |
| // of the fields that uniquely identify a Keychain item, or NULL if there is |
| // no such entry. |
| // Caller is responsible for deleting the returned form. |
| autofill::PasswordForm* PasswordExactlyMatchingForm( |
| const autofill::PasswordForm& query_form); |
| |
| // Returns true if the keychain contains any items that are mergeable with |
| // |query_form|. This is different from actually extracting the passwords |
| // and checking the return count, since doing that would require reading the |
| // passwords from the keychain, thus potentially triggering authorizaiton UI, |
| // whereas this won't. |
| bool HasPasswordsMergeableWithForm( |
| const autofill::PasswordForm& query_form); |
| |
| // Returns all keychain items of types corresponding to password forms. |
| std::vector<SecKeychainItemRef> GetAllPasswordFormKeychainItems(); |
| |
| // Returns password data from all keychain items of types corresponding to |
| // password forms. Caller is responsible for deleting the returned forms. |
| std::vector<autofill::PasswordForm*> GetAllPasswordFormPasswords(); |
| |
| // Creates a new keychain entry from |form|, or updates the password of an |
| // existing keychain entry if there is a collision. Returns true if a keychain |
| // entry was successfully added/updated. |
| bool AddPassword(const autofill::PasswordForm& form); |
| |
| // Removes the keychain password matching |form| if any. Returns true if a |
| // keychain item was found and successfully removed. |
| bool RemovePassword(const autofill::PasswordForm& form); |
| |
| // Controls whether or not Chrome will restrict Keychain searches to items |
| // that it created. Defaults to false. |
| void SetFindsOnlyOwnedItems(bool finds_only_owned); |
| |
| private: |
| // Returns PasswordForms constructed from the given Keychain items, calling |
| // AppleKeychain::Free on all of the keychain items and clearing the vector. |
| // Caller is responsible for deleting the returned forms. |
| std::vector<autofill::PasswordForm*> ConvertKeychainItemsToForms( |
| std::vector<SecKeychainItemRef>* items); |
| |
| // Searches |keychain| for the specific keychain entry that corresponds to the |
| // given form, and returns it (or NULL if no match is found). The caller is |
| // responsible for calling AppleKeychain::Free on on the returned item. |
| SecKeychainItemRef KeychainItemForForm( |
| const autofill::PasswordForm& form); |
| |
| // Returns the Keychain items matching the given signon_realm, scheme, and |
| // optionally path and username (either of both can be NULL). |
| // The caller is responsible for calling AppleKeychain::Free on the |
| // returned items. |
| std::vector<SecKeychainItemRef> MatchingKeychainItems( |
| const std::string& signon_realm, |
| autofill::PasswordForm::Scheme scheme, |
| const char* path, |
| const char* username); |
| |
| // Returns the Keychain SecAuthenticationType type corresponding to |scheme|. |
| SecAuthenticationType AuthTypeForScheme( |
| autofill::PasswordForm::Scheme scheme); |
| |
| // Changes the password for keychain_item to |password|; returns true if the |
| // password was successfully changed. |
| bool SetKeychainItemPassword(const SecKeychainItemRef& keychain_item, |
| const std::string& password); |
| |
| // Sets the creator code of keychain_item to creator_code; returns true if the |
| // creator code was successfully set. |
| bool SetKeychainItemCreatorCode(const SecKeychainItemRef& keychain_item, |
| OSType creator_code); |
| |
| // Returns the creator code to be used for a Keychain search, depending on |
| // whether this object was instructed to search only for items it created. |
| // If searches should be restricted in this way, the application-specific |
| // creator code will be returned. Otherwise, 0 will be returned, indicating |
| // a search of all items, regardless of creator. |
| OSType CreatorCodeForSearch(); |
| |
| const AppleKeychain* keychain_; |
| |
| // If true, Keychain searches are restricted to items created by Chrome. |
| bool finds_only_owned_; |
| |
| DISALLOW_COPY_AND_ASSIGN(MacKeychainPasswordFormAdapter); |
| }; |
| |
| namespace internal_keychain_helpers { |
| |
| // Pair of pointers to a SecKeychainItemRef and a corresponding PasswordForm. |
| typedef std::pair<SecKeychainItemRef*, autofill::PasswordForm*> ItemFormPair; |
| |
| // Sets the fields of |form| based on the keychain data from |keychain_item|. |
| // Fields that can't be determined from |keychain_item| will be unchanged. If |
| // |extract_password_data| is true, the password data will be copied from |
| // |keychain_item| in addition to its attributes, and the |blacklisted_by_user| |
| // field will be set to true for empty passwords ("" or " "). |
| // If |extract_password_data| is false, only the password attributes will be |
| // copied, and the |blacklisted_by_user| field will always be false. |
| // |
| // IMPORTANT: If |extract_password_data| is true, this function can cause the OS |
| // to trigger UI (to allow access to the keychain item if we aren't trusted for |
| // the item), and block until the UI is dismissed. |
| // |
| // If excessive prompting for access to other applications' keychain items |
| // becomes an issue, the password storage API will need to intially call this |
| // function with |extract_password_data| set to false, and retrieve the password |
| // later (accessing other fields doesn't require authorization). |
| bool FillPasswordFormFromKeychainItem(const AppleKeychain& keychain, |
| const SecKeychainItemRef& keychain_item, |
| autofill::PasswordForm* form, |
| bool extract_password_data); |
| |
| // Use FormMatchStrictness to configure which forms are considered a match by |
| // FormsMatchForMerge: |
| enum FormMatchStrictness { |
| STRICT_FORM_MATCH, // Match only forms with the same scheme, signon realm and |
| // username value. |
| FUZZY_FORM_MATCH, // Also match cases where the first form's |
| // original_signon_realm is nonempty and matches the |
| // second form's signon_realm. |
| }; |
| |
| // Returns true if the two given forms are suitable for merging (see |
| // MergePasswordForms). |
| bool FormsMatchForMerge(const autofill::PasswordForm& form_a, |
| const autofill::PasswordForm& form_b, |
| FormMatchStrictness strictness); |
| |
| // Populates merged_forms by combining the password data from keychain_forms and |
| // the metadata from database_forms, removing used entries from the two source |
| // lists. |
| // |
| // On return, database_forms and keychain_forms will have only unused |
| // entries; for database_forms that means entries for which no corresponding |
| // password can be found (and which aren't blacklist entries), and for |
| // keychain_forms its entries that weren't merged into at least one database |
| // form. |
| void MergePasswordForms( |
| std::vector<autofill::PasswordForm*>* keychain_forms, |
| std::vector<autofill::PasswordForm*>* database_forms, |
| std::vector<autofill::PasswordForm*>* merged_forms); |
| |
| // Fills in the passwords for as many of the forms in |database_forms| as |
| // possible using entries from |keychain| and returns them. On return, |
| // |database_forms| will contain only the forms for which no password was found. |
| std::vector<autofill::PasswordForm*> GetPasswordsForForms( |
| const AppleKeychain& keychain, |
| std::vector<autofill::PasswordForm*>* database_forms); |
| |
| // Loads all items in the system keychain into |keychain_items|, creates for |
| // each keychain item a corresponding PasswordForm that doesn't contain any |
| // password data, and returns the two collections as a vector of ItemFormPairs. |
| // Used by GetPasswordsForForms for optimized matching of keychain items with |
| // PasswordForms in the database. |
| // Note: Since no password data is loaded here, the resulting PasswordForms |
| // will include blacklist entries, which will have to be filtered out later. |
| // Caller owns the SecKeychainItemRefs and PasswordForms that are returned. |
| // This operation does not require OS authorization. |
| std::vector<ItemFormPair> ExtractAllKeychainItemAttributesIntoPasswordForms( |
| std::vector<SecKeychainItemRef>* keychain_items, |
| const AppleKeychain& keychain); |
| |
| // Takes a PasswordForm's signon_realm and parses it into its component parts, |
| // which are returned though the appropriate out parameters. |
| // Returns true if it can be successfully parsed, in which case all out params |
| // that are non-NULL will be set. If there is no port, port will be 0. |
| // If the return value is false, the state of the out params is undefined. |
| bool ExtractSignonRealmComponents(const std::string& signon_realm, |
| std::string* server, int* port, |
| bool* is_secure, |
| std::string* security_domain); |
| |
| // Returns true if the signon_realm of |query_form| can be successfully parsed |
| // by ExtractSignonRealmComponents, and if |query_form| matches |other_form|. |
| bool FormIsValidAndMatchesOtherForm(const autofill::PasswordForm& query_form, |
| const autofill::PasswordForm& other_form); |
| |
| // Returns PasswordForms populated with password data for each keychain entry |
| // in |item_form_pairs| that could be merged with |query_form|. |
| // Caller is responsible for deleting the returned forms. |
| std::vector<autofill::PasswordForm*> ExtractPasswordsMergeableWithForm( |
| const AppleKeychain& keychain, |
| const std::vector<ItemFormPair>& item_form_pairs, |
| const autofill::PasswordForm& query_form); |
| |
| } // namespace internal_keychain_helpers |
| |
| #endif // CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_ |