2 files changed, 53 insertions, 0 deletions

diff --git a/chrome/browser/mac/keychain_reauthorize.h b/chrome/browser/mac/keychain_reauthorize.h
index 823f47a..8afa695 100644
--- a/chrome/browser/mac/keychain_reauthorize.h
+++ b/chrome/browser/mac/keychain_reauthorize.h
@@ -6,6 +6,12 @@
 #define CHROME_BROWSER_MAC_KEYCHAIN_REAUTHORIZE_H_
 #pragma once
 
+#ifdef __OBJC__
+@class NSString;
+#else
+class NSString;
+#endif
+
 namespace chrome {
 namespace browser {
 namespace mac {
@@ -24,6 +30,25 @@ namespace mac {
 // decrypt those items), but any application can remove a Keychain item.
 void KeychainReauthorize();
 
+// Calls KeychainReauthorize, but only if it's determined that it's necessary.
+// pref_key is looked up in the system's standard user defaults (preferences)
+// and if its integer value is less than max_tries, KeychainReauthorize is
+// attempted. Before the attempt, the preference is incremented, allowing a
+// finite number of incomplete attempts at performing the KeychainReauthorize
+// operation. When the step completes successfully, the preference is set to
+// max_tries to prevent further attempts, and the preference name with the
+// word "Success" appended is also stored with a boolean value of YES,
+// disambiguating between the cases where the step completed successfully and
+// the step completed unsuccessfully while reaching the maximum number of
+// tries.
+//
+// The system's standard user defaults for the application are used
+// (~/Library/Preferences/com.google.Chrome.plist,
+// com.google.Chrome.canary.plist, etc.) instead of Chrome preferences because
+// Keychain access is tied more closely to the bundle identifier and signed
+// product than it is to any specific profile (--user-data-dir).
+void KeychainReauthorizeIfNeeded(NSString* pref_key, int max_tries);
+
 }  // namespace mac
 }  // namespace browser
 }  // namespace chrome
diff --git a/chrome/browser/mac/keychain_reauthorize.cc b/chrome/browser/mac/keychain_reauthorize.mm
index b7617ac..5b94889 100644
--- a/chrome/browser/mac/keychain_reauthorize.cc
+++ b/chrome/browser/mac/keychain_reauthorize.mm
@@ -4,6 +4,7 @@
 
 #include "chrome/browser/mac/keychain_reauthorize.h"
 
+#import <Foundation/Foundation.h>
 #include <Security/Security.h>
 
 #include <algorithm>
@@ -14,6 +15,7 @@
 #include "base/mac/foundation_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/metrics/histogram.h"
 #include "base/stringprintf.h"
 #include "base/sys_string_conversions.h"
 #include "chrome/browser/mac/security_wrappers.h"
@@ -119,6 +121,32 @@ void KeychainReauthorize() {
   WriteKCItemsAndReauthorizedAccesses(items_and_reauthorized_accesses);
 }
 
+void KeychainReauthorizeIfNeeded(NSString* pref_key, int max_tries) {
+  NSUserDefaults* user_defaults = [NSUserDefaults standardUserDefaults];
+  int pref_value = [user_defaults integerForKey:pref_key];
+
+  if (pref_value < max_tries) {
+    if (pref_value > 0) {
+      // Logs the number of previous tries that didn't complete.
+      UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeeded", pref_value);
+    }
+
+    ++pref_value;
+    [user_defaults setInteger:pref_value forKey:pref_key];
+    [user_defaults synchronize];
+
+    chrome::browser::mac::KeychainReauthorize();
+
+    [user_defaults setInteger:max_tries forKey:pref_key];
+    NSString* success_pref_key = [pref_key stringByAppendingString:@"Success"];
+    [user_defaults setBool:YES forKey:success_pref_key];
+    [user_defaults synchronize];
+
+    // Logs the try number (1, 2) that succeeded.
+    UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededSuccess", pref_value);
+  }
+}
+
 namespace {
 
 std::vector<std::string> RequirementMatches() {