teldra
/
vp-build
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
vp-build/srcpkgs/electron9/files/patches/chromium-upstream-0007-Supp...

198 lines
8.2 KiB
Diff
Raw Blame History

From d1383216cbceb10aaa80f357689e85354af6af3c Mon Sep 17 00:00:00 2001
From: Yusuf Sengul <yusufsn@google.com>
Date: Fri, 26 Jun 2020 20:38:33 +0000
Subject: [PATCH 07/12] Support GCPW login to permitted accounts
(cherry picked from commit f414152fa9a664ca5e99d4c0d0a2e261f9846eae)
Bug: 1097386
Change-Id: I2a9e634868fcda6c8acc46e482c2f6dc14bdc064
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2255028
Commit-Queue: Rakesh Soma <rakeshsoma@google.com>
Reviewed-by: Rakesh Soma <rakeshsoma@google.com>
Cr-Original-Commit-Position: refs/heads/master@{#781997}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2268083
Commit-Queue: Yusuf Sengul <yusufsn@google.com>
Cr-Commit-Position: refs/branch-heads/4103@{#730}
Cr-Branched-From: 8ad47e8d21f6866e4a37f47d83a860d41debf514-refs/heads/master@{#756066}
---
.../gaiacp/gaia_credential_base.cc | 30 ++++--
.../gaiacp/gaia_credential_base_unittests.cc | 92 +++++++++++++++++++
2 files changed, 116 insertions(+), 6 deletions(-)
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_base.cc b/chrome/credential_provider/gaiacp/gaia_credential_base.cc
index 30e8011b73d..cc573863991 100644
--- a/chrome/credential_provider/gaiacp/gaia_credential_base.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_base.cc
@@ -70,6 +70,8 @@ namespace {
constexpr wchar_t kEmailDomainsKey[] = L"ed"; // deprecated.
constexpr wchar_t kEmailDomainsKeyNew[] = L"domains_allowed_to_login";
+constexpr wchar_t kPermittedAccounts[] = L"permitted_accounts";
+constexpr wchar_t kPermittedAccountsSeparator[] = L",";
constexpr char kGetAccessTokenBodyWithScopeFormat[] =
"client_id=%s&"
"client_secret=%s&"
@@ -95,6 +97,16 @@ constexpr UINT kPasswordErrors[] = {IDS_PASSWORD_COMPLEXITY_ERROR_BASE,
IDS_USER_NOT_FOUND_PASSWORD_ERROR_BASE,
IDS_AD_PASSWORD_CHANGE_DENIED_BASE};
+std::vector<base::string16> GetPermittedAccounts() {
+ base::string16 permitted_accounts_reg =
+ GetGlobalFlagOrDefault(kPermittedAccounts, L"");
+
+ return base::SplitString(base::ToLowerASCII(permitted_accounts_reg),
+ kPermittedAccountsSeparator,
+ base::WhitespaceHandling::TRIM_WHITESPACE,
+ base::SplitResult::SPLIT_WANT_NONEMPTY);
+}
+
base::string16 GetEmailDomains(
const base::string16 restricted_domains_reg_key) {
return GetGlobalFlagOrDefault(restricted_domains_reg_key, L"");
@@ -118,12 +130,9 @@ base::string16 GetEmailDomainsPrintableString() {
base::ASCIIToUTF16(kEmailDomainsSeparator),
base::WhitespaceHandling::TRIM_WHITESPACE,
base::SplitResult::SPLIT_WANT_NONEMPTY);
- base::string16 email_domains_str;
- for (size_t i = 0; i < domains.size(); ++i) {
- email_domains_str += domains[i];
- if (i < domains.size() - 1)
- email_domains_str += L", ";
- }
+ base::string16 email_domains_str =
+ base::JoinString(domains, base::string16(L", "));
+
return email_domains_str;
}
@@ -2403,6 +2412,15 @@ HRESULT CGaiaCredentialBase::OnUserAuthenticated(BSTR authentication_info,
return hr;
}
+ base::string16 email = GetDictString(*properties, kKeyEmail);
+ std::vector<base::string16> permitted_accounts = GetPermittedAccounts();
+ if (!permitted_accounts.empty() &&
+ std::find(permitted_accounts.begin(), permitted_accounts.end(),
+ email) == permitted_accounts.end()) {
+ *status_text = AllocErrorString(IDS_EMAIL_MISMATCH_BASE);
+ return E_FAIL;
+ }
+
// The value in |dict| is now known to contain everything that is needed
// from the GLS. Try to validate the user that wants to sign in and then
// add additional information into |dict| as needed.
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc b/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
index 3cc48fa5b26..319f239e4cd 100644
--- a/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
@@ -6,6 +6,8 @@
#include <sddl.h> // For ConvertSidToStringSid()
#include <wrl/client.h>
+#include <algorithm>
+#include <vector>
#include "base/files/scoped_temp_dir.h"
#include "base/strings/string_number_conversions.h"
@@ -738,6 +740,96 @@ INSTANTIATE_TEST_SUITE_P(
::testing::Values(L"acme.com,acme2.com,acme3.com",
L"")));
+class GcpGaiaCredentialBasePermittedAccountTest
+ : public GcpGaiaCredentialBaseTest,
+ public ::testing::WithParamInterface<
+ std::tuple<const wchar_t*, const wchar_t*>> {
+ public:
+ // Get a pretty-printed string of the list of email domains that we can
+ // display to the end-user.
+ base::string16 GetEmailDomainsPrintableString() {
+ base::string16 email_domains_reg_old = GetGlobalFlagOrDefault(L"ed", L"");
+ base::string16 email_domains_reg_new =
+ GetGlobalFlagOrDefault(L"domains_allowed_to_login", L"");
+
+ base::string16 email_domains_reg = email_domains_reg_old.empty()
+ ? email_domains_reg_new
+ : email_domains_reg_old;
+ if (email_domains_reg.empty())
+ return email_domains_reg;
+
+ std::vector<base::string16> domains =
+ base::SplitString(base::ToLowerASCII(email_domains_reg),
+ base::ASCIIToUTF16(kEmailDomainsSeparator),
+ base::WhitespaceHandling::TRIM_WHITESPACE,
+ base::SplitResult::SPLIT_WANT_NONEMPTY);
+ base::string16 email_domains_str;
+ for (size_t i = 0; i < domains.size(); ++i) {
+ email_domains_str += domains[i];
+ if (i < domains.size() - 1)
+ email_domains_str += L", ";
+ }
+ return email_domains_str;
+ }
+};
+
+TEST_P(GcpGaiaCredentialBasePermittedAccountTest, PermittedAccounts) {
+ const base::string16 permitted_acounts = std::get<0>(GetParam());
+ const base::string16 restricted_domains = std::get<1>(GetParam());
+
+ ASSERT_EQ(S_OK,
+ SetGlobalFlagForTesting(L"permitted_accounts", permitted_acounts));
+ ASSERT_EQ(S_OK, SetGlobalFlagForTesting(L"domains_allowed_to_login",
+ restricted_domains));
+
+ // Create provider and start logon.
+ Microsoft::WRL::ComPtr<ICredentialProviderCredential> cred;
+
+ ASSERT_EQ(S_OK, InitializeProviderAndGetCredential(0, &cred));
+ Microsoft::WRL::ComPtr<ITestCredential> test;
+ ASSERT_EQ(S_OK, cred.As(&test));
+
+ base::string16 email = L"user@test.com";
+ base::string16 email_domain = email.substr(email.find(L"@") + 1);
+
+ ASSERT_EQ(S_OK, test->SetGlsEmailAddress(base::UTF16ToUTF8(email)));
+
+ bool allowed_email = permitted_acounts.empty() ||
+ permitted_acounts.find(email) != base::string16::npos;
+ bool found_domain =
+ restricted_domains.find(email_domain) != base::string16::npos;
+
+ if (!found_domain)
+ ASSERT_EQ(S_OK, test->SetDefaultExitCode(kUiecInvalidEmailDomain));
+
+ ASSERT_EQ(S_OK, StartLogonProcessAndWait());
+
+ if (allowed_email && found_domain) {
+ ASSERT_EQ(S_OK, FinishLogonProcess(true, true, 0));
+ } else {
+ base::string16 expected_error_msg;
+ if (!found_domain) {
+ expected_error_msg = base::ReplaceStringPlaceholders(
+ GetStringResource(IDS_INVALID_EMAIL_DOMAIN_BASE),
+ {GetEmailDomainsPrintableString()}, nullptr);
+ } else {
+ expected_error_msg = GetStringResource(IDS_EMAIL_MISMATCH_BASE);
+ }
+ // Logon process should fail with the specified error message.
+ ASSERT_EQ(S_OK, FinishLogonProcess(false, false, expected_error_msg));
+ }
+}
+
+INSTANTIATE_TEST_SUITE_P(
+ All,
+ GcpGaiaCredentialBasePermittedAccountTest,
+ ::testing::Combine(
+ ::testing::Values(L"",
+ L"user@test.com",
+ L"other@test.com",
+ L"other@test.com,user@test.com"),
+ ::testing::Values(L"test.com", L"best.com", L"test.com,best.com")));
+
TEST_F(GcpGaiaCredentialBaseTest, StripEmailTLD) {
USES_CONVERSION;
// Create provider and start logon.
--
2.28.0
Reference in New Issue View Git Blame Copy Permalink