1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/password_manager/password_form_manager.h"
6
7#include <algorithm>
8
9#include "base/metrics/histogram.h"
10#include "base/string_split.h"
11#include "base/string_util.h"
12#include "chrome/browser/password_manager/password_manager.h"
13#include "chrome/browser/password_manager/password_store.h"
14#include "chrome/browser/profiles/profile.h"
15#include "webkit/glue/password_form_dom_manager.h"
16
17using base::Time;
18using webkit_glue::PasswordForm;
19using webkit_glue::PasswordFormMap;
20
21PasswordFormManager::PasswordFormManager(Profile* profile,
22                                         PasswordManager* password_manager,
23                                         const PasswordForm& observed_form,
24                                         bool ssl_valid)
25    : best_matches_deleter_(&best_matches_),
26      observed_form_(observed_form),
27      is_new_login_(true),
28      password_manager_(password_manager),
29      pending_login_query_(0),
30      preferred_match_(NULL),
31      state_(PRE_MATCHING_PHASE),
32      profile_(profile),
33      manager_action_(kManagerActionNone),
34      user_action_(kUserActionNone),
35      submit_result_(kSubmitResultNotSubmitted) {
36  DCHECK(profile_);
37  if (observed_form_.origin.is_valid())
38    base::SplitString(observed_form_.origin.path(), '/', &form_path_tokens_);
39  observed_form_.ssl_valid = ssl_valid;
40}
41
42PasswordFormManager::~PasswordFormManager() {
43  UMA_HISTOGRAM_ENUMERATION("PasswordManager.ActionsTaken",
44                            GetActionsTaken(),
45                            kMaxNumActionsTaken);
46}
47
48int PasswordFormManager::GetActionsTaken() {
49  return user_action_ + kUserActionMax * (manager_action_ +
50         kManagerActionMax * submit_result_);
51};
52
53// TODO(timsteele): use a hash of some sort in the future?
54bool PasswordFormManager::DoesManage(const PasswordForm& form) const {
55  if (form.scheme != PasswordForm::SCHEME_HTML)
56      return observed_form_.signon_realm == form.signon_realm;
57
58  // HTML form case.
59  // At a minimum, username and password element must match.
60  if (!((form.username_element == observed_form_.username_element) &&
61        (form.password_element == observed_form_.password_element))) {
62    return false;
63  }
64
65  // The action URL must also match, but the form is allowed to have an empty
66  // action URL (See bug 1107719).
67  if (form.action.is_valid() && (form.action != observed_form_.action))
68    return false;
69
70  // If this is a replay of the same form in the case a user entered an invalid
71  // password, the origin of the new form may equal the action of the "first"
72  // form.
73  if (!((form.origin == observed_form_.origin) ||
74        (form.origin == observed_form_.action))) {
75    if (form.origin.SchemeIsSecure() &&
76        !observed_form_.origin.SchemeIsSecure()) {
77      // Compare origins, ignoring scheme. There is no easy way to do this
78      // with GURL because clearing the scheme would result in an invalid url.
79      // This is for some sites (such as Hotmail) that begin on an http page and
80      // head to https for the retry when password was invalid.
81      std::string::const_iterator after_scheme1 = form.origin.spec().begin() +
82                                                  form.origin.scheme().length();
83      std::string::const_iterator after_scheme2 =
84          observed_form_.origin.spec().begin() +
85          observed_form_.origin.scheme().length();
86      return std::search(after_scheme1,
87                         form.origin.spec().end(),
88                         after_scheme2,
89                         observed_form_.origin.spec().end())
90                         != form.origin.spec().end();
91    }
92    return false;
93  }
94  return true;
95}
96
97bool PasswordFormManager::IsBlacklisted() {
98  DCHECK_EQ(state_, POST_MATCHING_PHASE);
99  if (preferred_match_ && preferred_match_->blacklisted_by_user)
100    return true;
101  return false;
102}
103
104void PasswordFormManager::PermanentlyBlacklist() {
105  DCHECK_EQ(state_, POST_MATCHING_PHASE);
106
107  // Configure the form about to be saved for blacklist status.
108  pending_credentials_.preferred = true;
109  pending_credentials_.blacklisted_by_user = true;
110  pending_credentials_.username_value.clear();
111  pending_credentials_.password_value.clear();
112
113  // Retroactively forget existing matches for this form, so we NEVER prompt or
114  // autofill it again.
115  if (!best_matches_.empty()) {
116    PasswordFormMap::const_iterator iter;
117    PasswordStore* password_store =
118        profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
119    if (!password_store) {
120      NOTREACHED();
121      return;
122    }
123    for (iter = best_matches_.begin(); iter != best_matches_.end(); ++iter) {
124      // We want to remove existing matches for this form so that the exact
125      // origin match with |blackisted_by_user == true| is the only result that
126      // shows up in the future for this origin URL. However, we don't want to
127      // delete logins that were actually saved on a different page (hence with
128      // different origin URL) and just happened to match this form because of
129      // the scoring algorithm. See bug 1204493.
130      if (iter->second->origin == observed_form_.origin)
131        password_store->RemoveLogin(*iter->second);
132    }
133  }
134
135  // Save the pending_credentials_ entry marked as blacklisted.
136  SaveAsNewLogin(false);
137}
138
139bool PasswordFormManager::IsNewLogin() {
140  DCHECK_EQ(state_, POST_MATCHING_PHASE);
141  return is_new_login_;
142}
143
144bool PasswordFormManager::HasValidPasswordForm() {
145  DCHECK_EQ(state_, POST_MATCHING_PHASE);
146  // Non-HTML password forms (primarily HTTP and FTP autentication)
147  // do not contain username_element and password_element values.
148  if (observed_form_.scheme != PasswordForm::SCHEME_HTML)
149    return true;
150  return !observed_form_.username_element.empty() &&
151      !observed_form_.password_element.empty();
152}
153
154void PasswordFormManager::ProvisionallySave(const PasswordForm& credentials) {
155  DCHECK_EQ(state_, POST_MATCHING_PHASE);
156  DCHECK(DoesManage(credentials));
157
158  // Make sure the important fields stay the same as the initially observed or
159  // autofilled ones, as they may have changed if the user experienced a login
160  // failure.
161  // Look for these credentials in the list containing auto-fill entries.
162  PasswordFormMap::const_iterator it =
163      best_matches_.find(credentials.username_value);
164  if (it != best_matches_.end()) {
165    // The user signed in with a login we autofilled.
166    pending_credentials_ = *it->second;
167    is_new_login_ = false;
168    // If the user selected credentials we autofilled from a PasswordForm
169    // that contained no action URL (IE6/7 imported passwords, for example),
170    // bless it with the action URL from the observed form. See bug 1107719.
171    if (pending_credentials_.action.is_empty())
172      pending_credentials_.action = observed_form_.action;
173
174    // Check to see if we're using a known username but a new password.
175    if (pending_credentials_.password_value != credentials.password_value)
176      user_action_ = kUserActionOverride;
177  } else {
178    // User typed in a new, unknown username.
179    user_action_ = kUserActionOverride;
180    pending_credentials_ = observed_form_;
181    pending_credentials_.username_value = credentials.username_value;
182  }
183
184  pending_credentials_.password_value = credentials.password_value;
185  pending_credentials_.preferred = credentials.preferred;
186}
187
188void PasswordFormManager::Save() {
189  DCHECK_EQ(state_, POST_MATCHING_PHASE);
190  DCHECK(!profile_->IsOffTheRecord());
191
192  if (IsNewLogin())
193    SaveAsNewLogin(true);
194  else
195    UpdateLogin();
196}
197
198void PasswordFormManager::FetchMatchingLoginsFromPasswordStore() {
199  DCHECK_EQ(state_, PRE_MATCHING_PHASE);
200  DCHECK(!pending_login_query_);
201  state_ = MATCHING_PHASE;
202  PasswordStore* password_store =
203      profile_->GetPasswordStore(Profile::EXPLICIT_ACCESS);
204  if (!password_store) {
205    NOTREACHED();
206    return;
207  }
208  pending_login_query_ = password_store->GetLogins(observed_form_, this);
209}
210
211bool PasswordFormManager::HasCompletedMatching() {
212  return state_ == POST_MATCHING_PHASE;
213}
214
215void PasswordFormManager::OnRequestDone(int handle,
216    const std::vector<PasswordForm*>& logins_result) {
217  // Note that the result gets deleted after this call completes, but we own
218  // the PasswordForm objects pointed to by the result vector, thus we keep
219  // copies to a minimum here.
220
221  int best_score = 0;
222  std::vector<PasswordForm> empties;  // Empty-path matches in result set.
223  for (size_t i = 0; i < logins_result.size(); i++) {
224    if (IgnoreResult(*logins_result[i])) {
225      delete logins_result[i];
226      continue;
227    }
228    // Score and update best matches.
229    int current_score = ScoreResult(*logins_result[i]);
230    // This check is here so we can append empty path matches in the event
231    // they don't score as high as others and aren't added to best_matches_.
232    // This is most commonly imported firefox logins. We skip blacklisted
233    // ones because clearly we don't want to autofill them, and secondly
234    // because they only mean something when we have no other matches already
235    // saved in Chrome - in which case they'll make it through the regular
236    // scoring flow below by design. Note signon_realm == origin implies empty
237    // path logins_result, since signon_realm is a prefix of origin for HTML
238    // password forms.
239    // TODO(timsteele): Bug 1269400. We probably should do something more
240    // elegant for any shorter-path match instead of explicitly handling empty
241    // path matches.
242    if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
243        (observed_form_.signon_realm == logins_result[i]->origin.spec()) &&
244        (current_score > 0) && (!logins_result[i]->blacklisted_by_user)) {
245      empties.push_back(*logins_result[i]);
246    }
247
248    if (current_score < best_score) {
249      delete logins_result[i];
250      continue;
251    }
252    if (current_score == best_score) {
253      best_matches_[logins_result[i]->username_value] = logins_result[i];
254    } else if (current_score > best_score) {
255      best_score = current_score;
256      // This new login has a better score than all those up to this point
257      // Note 'this' owns all the PasswordForms in best_matches_.
258      STLDeleteValues(&best_matches_);
259      best_matches_.clear();
260      preferred_match_ = NULL;  // Don't delete, its owned by best_matches_.
261      best_matches_[logins_result[i]->username_value] = logins_result[i];
262    }
263    preferred_match_ = logins_result[i]->preferred ? logins_result[i]
264                                                   : preferred_match_;
265  }
266  // We're done matching now.
267  state_ = POST_MATCHING_PHASE;
268
269  if (best_score <= 0) {
270    return;
271  }
272
273  for (std::vector<PasswordForm>::const_iterator it = empties.begin();
274       it != empties.end(); ++it) {
275    // If we don't already have a result with the same username, add the
276    // lower-scored empty-path match (if it had equal score it would already be
277    // in best_matches_).
278    if (best_matches_.find(it->username_value) == best_matches_.end())
279      best_matches_[it->username_value] = new PasswordForm(*it);
280  }
281
282  // It is possible we have at least one match but have no preferred_match_,
283  // because a user may have chosen to 'Forget' the preferred match. So we
284  // just pick the first one and whichever the user selects for submit will
285  // be saved as preferred.
286  DCHECK(!best_matches_.empty());
287  if (!preferred_match_)
288    preferred_match_ = best_matches_.begin()->second;
289
290  // Check to see if the user told us to ignore this site in the past.
291  if (preferred_match_->blacklisted_by_user) {
292    manager_action_ = kManagerActionBlacklisted;
293    return;
294  }
295
296  // Proceed to autofill (note that we provide the choices but don't
297  // actually prefill a value if the ACTION paths don't match).
298  bool wait_for_username = observed_form_.action.GetWithEmptyPath() !=
299                           preferred_match_->action.GetWithEmptyPath();
300  if (wait_for_username)
301    manager_action_ = kManagerActionNone;
302  else
303    manager_action_ = kManagerActionAutofilled;
304  password_manager_->Autofill(observed_form_, best_matches_,
305                              preferred_match_, wait_for_username);
306}
307
308void PasswordFormManager::OnPasswordStoreRequestDone(
309    CancelableRequestProvider::Handle handle,
310    const std::vector<PasswordForm*>& result) {
311  DCHECK_EQ(state_, MATCHING_PHASE);
312  DCHECK_EQ(pending_login_query_, handle);
313
314  if (result.empty()) {
315    state_ = POST_MATCHING_PHASE;
316    return;
317  }
318
319  OnRequestDone(handle, result);
320  pending_login_query_ = 0;
321}
322
323bool PasswordFormManager::IgnoreResult(const PasswordForm& form) const {
324  // Ignore change password forms until we have some change password
325  // functionality
326  if (observed_form_.old_password_element.length() != 0) {
327    return true;
328  }
329  // Don't match an invalid SSL form with one saved under secure
330  // circumstances.
331  if (form.ssl_valid && !observed_form_.ssl_valid) {
332    return true;
333  }
334  return false;
335}
336
337void PasswordFormManager::SaveAsNewLogin(bool reset_preferred_login) {
338  DCHECK_EQ(state_, POST_MATCHING_PHASE);
339  DCHECK(IsNewLogin());
340  // The new_form is being used to sign in, so it is preferred.
341  DCHECK(pending_credentials_.preferred);
342  // new_form contains the same basic data as observed_form_ (because its the
343  // same form), but with the newly added credentials.
344
345  DCHECK(!profile_->IsOffTheRecord());
346
347  PasswordStore* password_store =
348      profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
349  if (!password_store) {
350    NOTREACHED();
351    return;
352  }
353
354  pending_credentials_.date_created = Time::Now();
355  password_store->AddLogin(pending_credentials_);
356
357  if (reset_preferred_login) {
358    UpdatePreferredLoginState(password_store);
359  }
360}
361
362void PasswordFormManager::UpdatePreferredLoginState(
363    PasswordStore* password_store) {
364  DCHECK(password_store);
365  PasswordFormMap::iterator iter;
366  for (iter = best_matches_.begin(); iter != best_matches_.end(); iter++) {
367    if (iter->second->username_value != pending_credentials_.username_value &&
368        iter->second->preferred) {
369      // This wasn't the selected login but it used to be preferred.
370      iter->second->preferred = false;
371      if (user_action_ == kUserActionNone)
372        user_action_ = kUserActionChoose;
373      password_store->UpdateLogin(*iter->second);
374    }
375  }
376}
377
378void PasswordFormManager::UpdateLogin() {
379  DCHECK_EQ(state_, POST_MATCHING_PHASE);
380  DCHECK(preferred_match_);
381  // If we're doing an Update, we either autofilled correctly and need to
382  // update the stats, or the user typed in a new password for autofilled
383  // username, or the user selected one of the non-preferred matches,
384  // thus requiring a swap of preferred bits.
385  DCHECK(!IsNewLogin() && pending_credentials_.preferred);
386  DCHECK(!profile_->IsOffTheRecord());
387
388  PasswordStore* password_store =
389      profile_->GetPasswordStore(Profile::IMPLICIT_ACCESS);
390  if (!password_store) {
391    NOTREACHED();
392    return;
393  }
394
395  UpdatePreferredLoginState(password_store);
396
397  // Update the new preferred login.
398  // Note origin.spec().length > signon_realm.length implies the origin has a
399  // path, since signon_realm is a prefix of origin for HTML password forms.
400  if ((observed_form_.scheme == PasswordForm::SCHEME_HTML) &&
401      (observed_form_.origin.spec().length() >
402       observed_form_.signon_realm.length()) &&
403      (observed_form_.signon_realm == pending_credentials_.origin.spec())) {
404    // The user logged in successfully with one of our autofilled logins on a
405    // page with non-empty path, but the autofilled entry was initially saved/
406    // imported with an empty path. Rather than just mark this entry preferred,
407    // we create a more specific copy for this exact page and leave the "master"
408    // unchanged. This is to prevent the case where that master login is used
409    // on several sites (e.g site.com/a and site.com/b) but the user actually
410    // has a different preference on each site. For example, on /a, he wants the
411    // general empty-path login so it is flagged as preferred, but on /b he logs
412    // in with a different saved entry - we don't want to remove the preferred
413    // status of the former because upon return to /a it won't be the default-
414    // fill match.
415    // TODO(timsteele): Bug 1188626 - expire the master copies.
416    PasswordForm copy(pending_credentials_);
417    copy.origin = observed_form_.origin;
418    copy.action = observed_form_.action;
419    password_store->AddLogin(copy);
420  } else {
421    password_store->UpdateLogin(pending_credentials_);
422  }
423}
424
425int PasswordFormManager::ScoreResult(const PasswordForm& candidate) const {
426  DCHECK_EQ(state_, MATCHING_PHASE);
427  // For scoring of candidate login data:
428  // The most important element that should match is the origin, followed by
429  // the action, the password name, the submit button name, and finally the
430  // username input field name.
431  // Exact origin match gives an addition of 32 (1 << 5) + # of matching url
432  // dirs.
433  // Partial match gives an addition of 16 (1 << 4) + # matching url dirs
434  // That way, a partial match cannot trump an exact match even if
435  // the partial one matches all other attributes (action, elements) (and
436  // regardless of the matching depth in the URL path).
437  int score = 0;
438  if (candidate.origin == observed_form_.origin) {
439    // This check is here for the most common case which
440    // is we have a single match in the db for the given host,
441    // so we don't generally need to walk the entire URL path (the else
442    // clause).
443    score += (1 << 5) + static_cast<int>(form_path_tokens_.size());
444  } else {
445    // Walk the origin URL paths one directory at a time to see how
446    // deep the two match.
447    std::vector<std::string> candidate_path_tokens;
448    base::SplitString(candidate.origin.path(), '/', &candidate_path_tokens);
449    size_t depth = 0;
450    size_t max_dirs = std::min(form_path_tokens_.size(),
451                               candidate_path_tokens.size());
452    while ((depth < max_dirs) && (form_path_tokens_[depth] ==
453                                  candidate_path_tokens[depth])) {
454      depth++;
455      score++;
456    }
457    // do we have a partial match?
458    score += (depth > 0) ? 1 << 4 : 0;
459  }
460  if (observed_form_.scheme == PasswordForm::SCHEME_HTML) {
461    if (candidate.action == observed_form_.action)
462      score += 1 << 3;
463    if (candidate.password_element == observed_form_.password_element)
464      score += 1 << 2;
465    if (candidate.submit_element == observed_form_.submit_element)
466      score += 1 << 1;
467    if (candidate.username_element == observed_form_.username_element)
468      score += 1 << 0;
469  }
470
471  return score;
472}
473
474void PasswordFormManager::SubmitPassed() {
475  submit_result_ = kSubmitResultPassed;
476}
477
478void PasswordFormManager::SubmitFailed() {
479  submit_result_ = kSubmitResultFailed;
480}
481