198 lines
8.2 KiB
Diff
198 lines
8.2 KiB
Diff
From d1383216cbceb10aaa80f357689e85354af6af3c Mon Sep 17 00:00:00 2001
|
|
From: Yusuf Sengul <yusufsn@google.com>
|
|
Date: Fri, 26 Jun 2020 20:38:33 +0000
|
|
Subject: [PATCH 07/12] Support GCPW login to permitted accounts
|
|
|
|
(cherry picked from commit f414152fa9a664ca5e99d4c0d0a2e261f9846eae)
|
|
|
|
Bug: 1097386
|
|
Change-Id: I2a9e634868fcda6c8acc46e482c2f6dc14bdc064
|
|
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2255028
|
|
Commit-Queue: Rakesh Soma <rakeshsoma@google.com>
|
|
Reviewed-by: Rakesh Soma <rakeshsoma@google.com>
|
|
Cr-Original-Commit-Position: refs/heads/master@{#781997}
|
|
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2268083
|
|
Commit-Queue: Yusuf Sengul <yusufsn@google.com>
|
|
Cr-Commit-Position: refs/branch-heads/4103@{#730}
|
|
Cr-Branched-From: 8ad47e8d21f6866e4a37f47d83a860d41debf514-refs/heads/master@{#756066}
|
|
---
|
|
.../gaiacp/gaia_credential_base.cc | 30 ++++--
|
|
.../gaiacp/gaia_credential_base_unittests.cc | 92 +++++++++++++++++++
|
|
2 files changed, 116 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_base.cc b/chrome/credential_provider/gaiacp/gaia_credential_base.cc
|
|
index 30e8011b73d..cc573863991 100644
|
|
--- a/chrome/credential_provider/gaiacp/gaia_credential_base.cc
|
|
+++ b/chrome/credential_provider/gaiacp/gaia_credential_base.cc
|
|
@@ -70,6 +70,8 @@ namespace {
|
|
|
|
constexpr wchar_t kEmailDomainsKey[] = L"ed"; // deprecated.
|
|
constexpr wchar_t kEmailDomainsKeyNew[] = L"domains_allowed_to_login";
|
|
+constexpr wchar_t kPermittedAccounts[] = L"permitted_accounts";
|
|
+constexpr wchar_t kPermittedAccountsSeparator[] = L",";
|
|
constexpr char kGetAccessTokenBodyWithScopeFormat[] =
|
|
"client_id=%s&"
|
|
"client_secret=%s&"
|
|
@@ -95,6 +97,16 @@ constexpr UINT kPasswordErrors[] = {IDS_PASSWORD_COMPLEXITY_ERROR_BASE,
|
|
IDS_USER_NOT_FOUND_PASSWORD_ERROR_BASE,
|
|
IDS_AD_PASSWORD_CHANGE_DENIED_BASE};
|
|
|
|
+std::vector<base::string16> GetPermittedAccounts() {
|
|
+ base::string16 permitted_accounts_reg =
|
|
+ GetGlobalFlagOrDefault(kPermittedAccounts, L"");
|
|
+
|
|
+ return base::SplitString(base::ToLowerASCII(permitted_accounts_reg),
|
|
+ kPermittedAccountsSeparator,
|
|
+ base::WhitespaceHandling::TRIM_WHITESPACE,
|
|
+ base::SplitResult::SPLIT_WANT_NONEMPTY);
|
|
+}
|
|
+
|
|
base::string16 GetEmailDomains(
|
|
const base::string16 restricted_domains_reg_key) {
|
|
return GetGlobalFlagOrDefault(restricted_domains_reg_key, L"");
|
|
@@ -118,12 +130,9 @@ base::string16 GetEmailDomainsPrintableString() {
|
|
base::ASCIIToUTF16(kEmailDomainsSeparator),
|
|
base::WhitespaceHandling::TRIM_WHITESPACE,
|
|
base::SplitResult::SPLIT_WANT_NONEMPTY);
|
|
- base::string16 email_domains_str;
|
|
- for (size_t i = 0; i < domains.size(); ++i) {
|
|
- email_domains_str += domains[i];
|
|
- if (i < domains.size() - 1)
|
|
- email_domains_str += L", ";
|
|
- }
|
|
+ base::string16 email_domains_str =
|
|
+ base::JoinString(domains, base::string16(L", "));
|
|
+
|
|
return email_domains_str;
|
|
}
|
|
|
|
@@ -2403,6 +2412,15 @@ HRESULT CGaiaCredentialBase::OnUserAuthenticated(BSTR authentication_info,
|
|
return hr;
|
|
}
|
|
|
|
+ base::string16 email = GetDictString(*properties, kKeyEmail);
|
|
+ std::vector<base::string16> permitted_accounts = GetPermittedAccounts();
|
|
+ if (!permitted_accounts.empty() &&
|
|
+ std::find(permitted_accounts.begin(), permitted_accounts.end(),
|
|
+ email) == permitted_accounts.end()) {
|
|
+ *status_text = AllocErrorString(IDS_EMAIL_MISMATCH_BASE);
|
|
+ return E_FAIL;
|
|
+ }
|
|
+
|
|
// The value in |dict| is now known to contain everything that is needed
|
|
// from the GLS. Try to validate the user that wants to sign in and then
|
|
// add additional information into |dict| as needed.
|
|
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc b/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
|
|
index 3cc48fa5b26..319f239e4cd 100644
|
|
--- a/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
|
|
+++ b/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
|
|
@@ -6,6 +6,8 @@
|
|
|
|
#include <sddl.h> // For ConvertSidToStringSid()
|
|
#include <wrl/client.h>
|
|
+#include <algorithm>
|
|
+#include <vector>
|
|
|
|
#include "base/files/scoped_temp_dir.h"
|
|
#include "base/strings/string_number_conversions.h"
|
|
@@ -738,6 +740,96 @@ INSTANTIATE_TEST_SUITE_P(
|
|
::testing::Values(L"acme.com,acme2.com,acme3.com",
|
|
L"")));
|
|
|
|
+class GcpGaiaCredentialBasePermittedAccountTest
|
|
+ : public GcpGaiaCredentialBaseTest,
|
|
+ public ::testing::WithParamInterface<
|
|
+ std::tuple<const wchar_t*, const wchar_t*>> {
|
|
+ public:
|
|
+ // Get a pretty-printed string of the list of email domains that we can
|
|
+ // display to the end-user.
|
|
+ base::string16 GetEmailDomainsPrintableString() {
|
|
+ base::string16 email_domains_reg_old = GetGlobalFlagOrDefault(L"ed", L"");
|
|
+ base::string16 email_domains_reg_new =
|
|
+ GetGlobalFlagOrDefault(L"domains_allowed_to_login", L"");
|
|
+
|
|
+ base::string16 email_domains_reg = email_domains_reg_old.empty()
|
|
+ ? email_domains_reg_new
|
|
+ : email_domains_reg_old;
|
|
+ if (email_domains_reg.empty())
|
|
+ return email_domains_reg;
|
|
+
|
|
+ std::vector<base::string16> domains =
|
|
+ base::SplitString(base::ToLowerASCII(email_domains_reg),
|
|
+ base::ASCIIToUTF16(kEmailDomainsSeparator),
|
|
+ base::WhitespaceHandling::TRIM_WHITESPACE,
|
|
+ base::SplitResult::SPLIT_WANT_NONEMPTY);
|
|
+ base::string16 email_domains_str;
|
|
+ for (size_t i = 0; i < domains.size(); ++i) {
|
|
+ email_domains_str += domains[i];
|
|
+ if (i < domains.size() - 1)
|
|
+ email_domains_str += L", ";
|
|
+ }
|
|
+ return email_domains_str;
|
|
+ }
|
|
+};
|
|
+
|
|
+TEST_P(GcpGaiaCredentialBasePermittedAccountTest, PermittedAccounts) {
|
|
+ const base::string16 permitted_acounts = std::get<0>(GetParam());
|
|
+ const base::string16 restricted_domains = std::get<1>(GetParam());
|
|
+
|
|
+ ASSERT_EQ(S_OK,
|
|
+ SetGlobalFlagForTesting(L"permitted_accounts", permitted_acounts));
|
|
+ ASSERT_EQ(S_OK, SetGlobalFlagForTesting(L"domains_allowed_to_login",
|
|
+ restricted_domains));
|
|
+
|
|
+ // Create provider and start logon.
|
|
+ Microsoft::WRL::ComPtr<ICredentialProviderCredential> cred;
|
|
+
|
|
+ ASSERT_EQ(S_OK, InitializeProviderAndGetCredential(0, &cred));
|
|
+ Microsoft::WRL::ComPtr<ITestCredential> test;
|
|
+ ASSERT_EQ(S_OK, cred.As(&test));
|
|
+
|
|
+ base::string16 email = L"user@test.com";
|
|
+ base::string16 email_domain = email.substr(email.find(L"@") + 1);
|
|
+
|
|
+ ASSERT_EQ(S_OK, test->SetGlsEmailAddress(base::UTF16ToUTF8(email)));
|
|
+
|
|
+ bool allowed_email = permitted_acounts.empty() ||
|
|
+ permitted_acounts.find(email) != base::string16::npos;
|
|
+ bool found_domain =
|
|
+ restricted_domains.find(email_domain) != base::string16::npos;
|
|
+
|
|
+ if (!found_domain)
|
|
+ ASSERT_EQ(S_OK, test->SetDefaultExitCode(kUiecInvalidEmailDomain));
|
|
+
|
|
+ ASSERT_EQ(S_OK, StartLogonProcessAndWait());
|
|
+
|
|
+ if (allowed_email && found_domain) {
|
|
+ ASSERT_EQ(S_OK, FinishLogonProcess(true, true, 0));
|
|
+ } else {
|
|
+ base::string16 expected_error_msg;
|
|
+ if (!found_domain) {
|
|
+ expected_error_msg = base::ReplaceStringPlaceholders(
|
|
+ GetStringResource(IDS_INVALID_EMAIL_DOMAIN_BASE),
|
|
+ {GetEmailDomainsPrintableString()}, nullptr);
|
|
+ } else {
|
|
+ expected_error_msg = GetStringResource(IDS_EMAIL_MISMATCH_BASE);
|
|
+ }
|
|
+ // Logon process should fail with the specified error message.
|
|
+ ASSERT_EQ(S_OK, FinishLogonProcess(false, false, expected_error_msg));
|
|
+ }
|
|
+}
|
|
+
|
|
+INSTANTIATE_TEST_SUITE_P(
|
|
+ All,
|
|
+ GcpGaiaCredentialBasePermittedAccountTest,
|
|
+ ::testing::Combine(
|
|
+ ::testing::Values(L"",
|
|
+ L"user@test.com",
|
|
+ L"other@test.com",
|
|
+ L"other@test.com,user@test.com"),
|
|
+ ::testing::Values(L"test.com", L"best.com", L"test.com,best.com")));
|
|
+
|
|
TEST_F(GcpGaiaCredentialBaseTest, StripEmailTLD) {
|
|
USES_CONVERSION;
|
|
// Create provider and start logon.
|
|
--
|
|
2.28.0
|
|
|