Popular sites on the NTP: check that experiment group StartsWith (rather than IS...
[chromium-blink-merge.git] / chrome / browser / password_manager / password_store_mac_internal.h
blob47ec33c5d5187c2b2c28ec1c11fb9e78ed1406f4
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_
6 #define CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_
8 #include <Security/Security.h>
10 #include <string>
11 #include <vector>
13 #include "base/memory/scoped_vector.h"
14 #include "components/autofill/core/common/password_form.h"
15 #include "crypto/apple_keychain.h"
17 using crypto::AppleKeychain;
19 // Adapter that wraps a AppleKeychain and provides interaction in terms of
20 // PasswordForms instead of Keychain items.
21 class MacKeychainPasswordFormAdapter {
22 public:
23 // Creates an adapter for |keychain|. This class does not take ownership of
24 // |keychain|, so the caller must make sure that the keychain outlives the
25 // created object.
26 explicit MacKeychainPasswordFormAdapter(const AppleKeychain* keychain);
28 // Returns all keychain entries matching |signon_realm| and |scheme|.
29 ScopedVector<autofill::PasswordForm> PasswordsFillingForm(
30 const std::string& signon_realm,
31 autofill::PasswordForm::Scheme scheme);
33 // Returns true if there is the Keychain entry that matches |query_form| on
34 // all of the fields that uniquely identify a Keychain item.
35 bool HasPasswordExactlyMatchingForm(const autofill::PasswordForm& query_form);
37 // Returns true if the keychain contains any items that are mergeable with
38 // |query_form|. This is different from actually extracting the passwords
39 // and checking the return count, since doing that would require reading the
40 // passwords from the keychain, thus potentially triggering authorizaiton UI,
41 // whereas this won't.
42 bool HasPasswordsMergeableWithForm(
43 const autofill::PasswordForm& query_form);
45 // Returns all keychain items of types corresponding to password forms.
46 std::vector<SecKeychainItemRef> GetAllPasswordFormKeychainItems();
48 // Returns all keychain entries corresponding to password forms.
49 // TODO(vabr): This is only used in tests, should be moved there.
50 ScopedVector<autofill::PasswordForm> GetAllPasswordFormPasswords();
52 // Creates a new keychain entry from |form|, or updates the password of an
53 // existing keychain entry if there is a collision. Returns true if a keychain
54 // entry was successfully added/updated.
55 bool AddPassword(const autofill::PasswordForm& form);
57 // Removes the keychain password matching |form| if any. Returns true if a
58 // keychain item was found and successfully removed.
59 bool RemovePassword(const autofill::PasswordForm& form);
61 // Controls whether or not Chrome will restrict Keychain searches to items
62 // that it created. Defaults to false.
63 void SetFindsOnlyOwnedItems(bool finds_only_owned);
65 private:
66 // Returns PasswordForm instances transformed from |items|. Also calls
67 // AppleKeychain::Free on all of the keychain items and clears |items|.
68 ScopedVector<autofill::PasswordForm> ConvertKeychainItemsToForms(
69 std::vector<SecKeychainItemRef>* items);
71 // Searches |keychain| for the specific keychain entry that corresponds to the
72 // given form, and returns it (or NULL if no match is found). The caller is
73 // responsible for calling AppleKeychain::Free on on the returned item.
74 SecKeychainItemRef KeychainItemForForm(
75 const autofill::PasswordForm& form);
77 // Returns the Keychain items matching the given signon_realm, scheme, and
78 // optionally path and username (either of both can be NULL).
79 // The caller is responsible for calling AppleKeychain::Free on the
80 // returned items.
81 std::vector<SecKeychainItemRef> MatchingKeychainItems(
82 const std::string& signon_realm,
83 autofill::PasswordForm::Scheme scheme,
84 const char* path,
85 const char* username);
87 // Returns the Keychain SecAuthenticationType type corresponding to |scheme|.
88 SecAuthenticationType AuthTypeForScheme(
89 autofill::PasswordForm::Scheme scheme);
91 // Changes the password for keychain_item to |password|; returns true if the
92 // password was successfully changed.
93 bool SetKeychainItemPassword(const SecKeychainItemRef& keychain_item,
94 const std::string& password);
96 // Sets the creator code of keychain_item to creator_code; returns true if the
97 // creator code was successfully set.
98 bool SetKeychainItemCreatorCode(const SecKeychainItemRef& keychain_item,
99 OSType creator_code);
101 // Returns the creator code to be used for a Keychain search, depending on
102 // whether this object was instructed to search only for items it created.
103 // If searches should be restricted in this way, the application-specific
104 // creator code will be returned. Otherwise, 0 will be returned, indicating
105 // a search of all items, regardless of creator.
106 OSType CreatorCodeForSearch();
108 const AppleKeychain* keychain_;
110 // If true, Keychain searches are restricted to items created by Chrome.
111 bool finds_only_owned_;
113 DISALLOW_COPY_AND_ASSIGN(MacKeychainPasswordFormAdapter);
116 namespace internal_keychain_helpers {
118 // Pair of pointers to a SecKeychainItemRef and a corresponding PasswordForm.
119 typedef std::pair<SecKeychainItemRef*, autofill::PasswordForm*> ItemFormPair;
121 // Sets the fields of |form| based on the keychain data from |keychain_item|.
122 // Fields that can't be determined from |keychain_item| will be unchanged. If
123 // |extract_password_data| is true, the password data will be copied from
124 // |keychain_item| in addition to its attributes, and the |blacklisted_by_user|
125 // field will be set to true for empty passwords ("" or " ").
126 // If |extract_password_data| is false, only the password attributes will be
127 // copied, and the |blacklisted_by_user| field will always be false.
129 // IMPORTANT: If |extract_password_data| is true, this function can cause the OS
130 // to trigger UI (to allow access to the keychain item if we aren't trusted for
131 // the item), and block until the UI is dismissed.
133 // If excessive prompting for access to other applications' keychain items
134 // becomes an issue, the password storage API will need to intially call this
135 // function with |extract_password_data| set to false, and retrieve the password
136 // later (accessing other fields doesn't require authorization).
137 bool FillPasswordFormFromKeychainItem(const AppleKeychain& keychain,
138 const SecKeychainItemRef& keychain_item,
139 autofill::PasswordForm* form,
140 bool extract_password_data);
142 // Returns true if |keychain_item| has the application-specific creator code in
143 // its attributes.
144 bool HasCreatorCode(const AppleKeychain& keychain,
145 const SecKeychainItemRef& keychain_item);
147 // Use FormMatchStrictness to configure which forms are considered a match by
148 // FormsMatchForMerge:
149 enum FormMatchStrictness {
150 STRICT_FORM_MATCH, // Match only forms with the same scheme, signon realm and
151 // username value.
152 FUZZY_FORM_MATCH, // Also match cases where the first form's
153 // original_signon_realm is nonempty and matches the
154 // second form's signon_realm.
157 // Returns true if the two given forms are suitable for merging (see
158 // MergePasswordForms).
159 bool FormsMatchForMerge(const autofill::PasswordForm& form_a,
160 const autofill::PasswordForm& form_b,
161 FormMatchStrictness strictness);
163 // Populates merged_forms by combining the password data from keychain_forms and
164 // the metadata from database_forms, removing used entries from the two source
165 // lists.
167 // On return, database_forms and keychain_forms will have only unused
168 // entries; for database_forms that means entries for which no corresponding
169 // password can be found (and which aren't blacklist entries), and for
170 // keychain_forms its entries that weren't merged into at least one database
171 // form.
172 void MergePasswordForms(ScopedVector<autofill::PasswordForm>* keychain_forms,
173 ScopedVector<autofill::PasswordForm>* database_forms,
174 ScopedVector<autofill::PasswordForm>* merged_forms);
176 // For every form in |database_forms|, if such a form has a corresponding entry
177 // in |keychain|, this adds the password from the entry and moves that form from
178 // |database_forms| into |passwords|.
179 void GetPasswordsForForms(const AppleKeychain& keychain,
180 ScopedVector<autofill::PasswordForm>* database_forms,
181 ScopedVector<autofill::PasswordForm>* passwords);
183 // Loads all items in the system keychain into |keychain_items|, creates for
184 // each keychain item a corresponding PasswordForm that doesn't contain any
185 // password data, and returns the two collections as a vector of ItemFormPairs.
186 // Used by GetPasswordsForForms for optimized matching of keychain items with
187 // PasswordForms in the database.
188 // Note: Since no password data is loaded here, the resulting PasswordForms
189 // will include blacklist entries, which will have to be filtered out later.
190 // Caller owns the SecKeychainItemRefs and PasswordForms that are returned.
191 // This operation does not require OS authorization.
192 std::vector<ItemFormPair> ExtractAllKeychainItemAttributesIntoPasswordForms(
193 std::vector<SecKeychainItemRef>* keychain_items,
194 const AppleKeychain& keychain);
196 // Takes a PasswordForm's signon_realm and parses it into its component parts,
197 // which are returned though the appropriate out parameters.
198 // Returns true if it can be successfully parsed, in which case all out params
199 // that are non-NULL will be set. If there is no port, port will be 0.
200 // If the return value is false, the state of the out params is undefined.
201 bool ExtractSignonRealmComponents(const std::string& signon_realm,
202 std::string* server,
203 UInt32* port,
204 bool* is_secure,
205 std::string* security_domain);
207 // Returns true if the signon_realm of |query_form| can be successfully parsed
208 // by ExtractSignonRealmComponents, and if |query_form| matches |other_form|.
209 bool FormIsValidAndMatchesOtherForm(const autofill::PasswordForm& query_form,
210 const autofill::PasswordForm& other_form);
212 // Returns PasswordForm instances populated with password data for each keychain
213 // entry in |item_form_pairs| that could be merged with |query_form|.
214 ScopedVector<autofill::PasswordForm> ExtractPasswordsMergeableWithForm(
215 const AppleKeychain& keychain,
216 const std::vector<ItemFormPair>& item_form_pairs,
217 const autofill::PasswordForm& query_form);
219 } // namespace internal_keychain_helpers
221 #endif // CHROME_BROWSER_PASSWORD_MANAGER_PASSWORD_STORE_MAC_INTERNAL_H_