Linux: make externally-stored passwords (e.g. GNOME Keyring) profile-specific.

This is accomplished by associating a randomly generated id with each profile,
and storing the profile id with the passwords. The ids are chosen such that they
are obviously not unique ids (there are more users than ids), yet within one
machine they should be unique with high probability.

Although profiles have names, it turns out that using these names as the
identifiers is not preferable for two reasons. First, the names are actually the
account email addresses, and not user-provided strings. The default profile, if
not using sync, has the empty string for its name. This means that we still have
to worry about migration in this case, and can't cleanly assume that existing
passwords "belong" to the default profile, because we can't always tell which
profile is the default. Second, the sync code seems to be rather non-robust and
fails frequently when passwords change underneath it. Using the profile name
would mean that the same account synced within different user data dirs would
share passwords, which the sync code won't really like. (Of course, this is the
current situation as well, with different user data dirs.)

Speaking of migration: this change leaves the original, shared passwords alone,
and they will be migrated (copied, really) into each profile the first time it
is used. After a while, we can add code to delete these shared passwords so they
don't persist forever without being visible in the UI. Eventually, we can remove
the migration and deletion code.

BUG=77022
Review URL: http://codereview.chromium.org/7212031

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@92615 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 56 insertions, 12 deletions

diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profile.cc
index f9d095e..763bf86 100644
--- a/chrome/browser/profiles/profile.cc
+++ b/chrome/browser/profiles/profile.cc
@@ -60,16 +60,7 @@
 #include "chrome/browser/ui/gtk/gtk_theme_service.h"
 #endif
 
-#if defined(OS_WIN)
-#include "chrome/browser/password_manager/password_store_win.h"
-#elif defined(OS_MACOSX)
-#include "chrome/browser/keychain_mac.h"
-#include "chrome/browser/password_manager/password_store_mac.h"
-#elif defined(OS_POSIX) && !defined(OS_CHROMEOS)
-#include "chrome/browser/password_manager/native_backend_gnome_x.h"
-#include "chrome/browser/password_manager/native_backend_kwallet_x.h"
-#include "chrome/browser/password_manager/password_store_x.h"
-#elif defined(OS_CHROMEOS)
+#if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/preferences.h"
 #endif
 
@@ -104,6 +95,12 @@ Profile::Profile()
 // static
 const char* Profile::kProfileKey = "__PROFILE__";
 
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+// static
+const LocalProfileId Profile::kInvalidLocalProfileId =
+    static_cast<LocalProfileId>(0);
+#endif
+
 // static
 void Profile::RegisterUserPrefs(PrefService* prefs) {
   prefs->RegisterBooleanPref(prefs::kSearchSuggestEnabled,
diff --git a/chrome/browser/profiles/profile.h b/chrome/browser/profiles/profile.h
index 45423d1..af40235 100644
--- a/chrome/browser/profiles/profile.h
+++ b/chrome/browser/profiles/profile.h
@@ -102,6 +102,14 @@ namespace net {
 class URLRequestContextGetter;
 }
 
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+// Local profile ids are used to associate resources stored outside the profile
+// directory, like saved passwords in GNOME Keyring / KWallet, with a profile.
+// With high probability, they are unique on the local machine. They are almost
+// certainly not unique globally, by design. Do not send them over the network.
+typedef int LocalProfileId;
+#endif
+
 class Profile {
  public:
   // Profile services are accessed with the following parameter. This parameter
@@ -138,6 +146,11 @@ class Profile {
   // Key used to bind profile to the widget with which it is associated.
   static const char* kProfileKey;
 
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+  // Value that represents no local profile id.
+  static const LocalProfileId kInvalidLocalProfileId;
+#endif
+
   Profile();
   virtual ~Profile() {}
 
diff --git a/chrome/browser/profiles/profile_impl.cc b/chrome/browser/profiles/profile_impl.cc
index 0cbc653..8f333f3 100644
--- a/chrome/browser/profiles/profile_impl.cc
+++ b/chrome/browser/profiles/profile_impl.cc
@@ -270,6 +270,14 @@ void ProfileImpl::RegisterUserPrefs(PrefService* prefs) {
   prefs->RegisterBooleanPref(prefs::kClearSiteDataOnExit,
                              false,
                              PrefService::SYNCABLE_PREF);
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+  prefs->RegisterIntegerPref(prefs::kLocalProfileId,
+                             kInvalidLocalProfileId,
+                             PrefService::UNSYNCABLE_PREF);
+  // Notice that the preprocessor conditions above are exactly those that will
+  // result in using PasswordStoreX in CreatePasswordStore() below.
+  PasswordStoreX::RegisterUserPrefs(prefs);
+#endif
 }
 
 ProfileImpl::ProfileImpl(const FilePath& path,
@@ -1072,6 +1080,28 @@ PasswordStore* ProfileImpl::GetPasswordStore(ServiceAccessType sat) {
   return password_store_.get();
 }
 
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+LocalProfileId ProfileImpl::GetLocalProfileId() {
+  PrefService* prefs = GetPrefs();
+  LocalProfileId id = prefs->GetInteger(prefs::kLocalProfileId);
+  if (id == kInvalidLocalProfileId) {
+    // Note that there are many more users than this. Thus, by design, this is
+    // not a unique id. However, it is large enough that it is very unlikely
+    // that it would be repeated twice on a single machine. It is still possible
+    // for that to occur though, so the potential results of it actually
+    // happening should be considered when using this value.
+    static const LocalProfileId kLocalProfileIdMask =
+        static_cast<LocalProfileId>((1 << 24) - 1);
+    do {
+      id = rand() & kLocalProfileIdMask;
+      // TODO(mdm): scan other profiles to make sure they are not using this id?
+    } while (id == kInvalidLocalProfileId);
+    prefs->SetInteger(prefs::kLocalProfileId, id);
+  }
+  return id;
+}
+#endif  // !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+
 void ProfileImpl::CreatePasswordStore() {
   DCHECK(!created_password_store_ && password_store_.get() == NULL);
   created_password_store_ = true;
@@ -1121,7 +1151,7 @@ void ProfileImpl::CreatePasswordStore() {
   if (desktop_env == base::nix::DESKTOP_ENVIRONMENT_KDE4) {
     // KDE3 didn't use DBus, which our KWallet store uses.
     VLOG(1) << "Trying KWallet for password storage.";
-    backend.reset(new NativeBackendKWallet());
+    backend.reset(new NativeBackendKWallet(GetLocalProfileId(), GetPrefs()));
     if (backend->Init())
       VLOG(1) << "Using KWallet for password storage.";
     else
@@ -1130,7 +1160,7 @@ void ProfileImpl::CreatePasswordStore() {
              desktop_env == base::nix::DESKTOP_ENVIRONMENT_XFCE) {
 #if defined(USE_GNOME_KEYRING)
     VLOG(1) << "Trying GNOME keyring for password storage.";
-    backend.reset(new NativeBackendGnome());
+    backend.reset(new NativeBackendGnome(GetLocalProfileId(), GetPrefs()));
     if (backend->Init())
       VLOG(1) << "Using GNOME keyring for password storage.";
     else
diff --git a/chrome/browser/profiles/profile_impl.h b/chrome/browser/profiles/profile_impl.h
index 8c4da34..7c405fc 100644
--- a/chrome/browser/profiles/profile_impl.h
+++ b/chrome/browser/profiles/profile_impl.h
@@ -160,6 +160,10 @@ class ProfileImpl : public Profile,
   void CreateWebDataService();
   FilePath GetPrefFilePath();
 
+#if !defined(OS_MACOSX) && !defined(OS_CHROMEOS) && defined(OS_POSIX)
+  LocalProfileId GetLocalProfileId();
+#endif
+
   void CreatePasswordStore();
 
   void StopCreateSessionServiceTimer();