Add a static chrome://reset-password page

Chrome will open a tab with chrome://reset-password if the user reuses
their protected enterprise password on other sites that are not allowed
by enterprise policy.
chrome://reset-password will only show if password protection related
enterprise policy settings are properly set. Otherwise, user will see
ERR_INVALID_URL.

The new icon in ui/webui/resources/cr_elements/icons.html is copied from
/chrome/browser/resources/settings/icons.html

Bug: 824501
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I8d648f0484e0c569ddbed048114a90471e4eea25
Reviewed-on: https://chromium-review.googlesource.com/996565
Commit-Queue: Jialiu Lin <jialiul@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Nathan Parker <nparker@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551195}

chrome/browser/browser_resources.grd

@@ -657,6 +657,10 @@
       <if expr="chromeos">
         <include name="IDR_ASSISTANT_LOGO_PNG" file="resources\chromeos\assistant_optin\assistant_logo.png" type="BINDATA" />
       </if>
+      <if expr="safe_browsing_mode == 1">
+        <include name="IDR_RESET_PASSWORD_HTML" file="resources\reset_password\reset_password.html" type="BINDATA" compress="gzip" />
+        <include name="IDR_RESET_PASSWORD_JS" file="resources\reset_password\reset_password.js" type="BINDATA" compress="gzip" />
+      </if>
     </includes>
   </release>
 </grit>

chrome/browser/resources/reset_password/OWNERS

+file://components/safe_browsing/OWNERS
+
+# COMPONENT: Services>Safebrowsing

chrome/browser/resources/reset_password/reset_password.html

+<!doctype html>
+<html dir="$i18n{textdirection}" lang="$i18n{language}">
+  <head>
+    <meta charset="utf-8">
+    <title>$i18n{title}</title>
+    <link rel="stylesheet" href="chrome://resources/css/md_colors.css">
+    <link rel="stylesheet" href="chrome://resources/css/text_defaults_md.css">
+    <link rel="import" href="chrome://resources/html/polymer.html">
+    <link rel="import" href="chrome://resources/cr_elements/icons.html">
+    <link rel="import" href="chrome://resources/polymer/v1_0/iron-icon/iron-icon.html">
+    <link rel="import" href="chrome://resources/polymer/v1_0/paper-button/paper-button.html">
+    <link rel="import" href="chrome://resources/polymer/v1_0/paper-styles/color.html">
+    <script src="reset_password.js"></script>
+    <style>
+      body {
+        background-color: var(--md-background-color);
+        color: var(--google-grey-700);
+        word-wrap: break-word;
+      }
+
+      .primary-button {
+        background: var(--google-blue-500);
+        color: white;
+        margin: 51px auto 0;
+        padding: 4px 24px;
+      }
+
+      .icon {
+        height: 72px;
+        margin: 0 0 40px -8px;
+        width: 72px;
+      }
+
+      .heading {
+        color: var(--paper-grey-900);
+        font-size: 1.6rem;
+        font-weight: normal;
+        line-height: 1.25rem;
+        margin-bottom: 16px;
+      }
+
+      .page-wrapper {
+        line-height: 1.6rem;
+        margin: 14vh auto 0;
+        max-width: 600px;
+        width: 100%;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="page-wrapper">
+      <iron-icon class="icon" icon="cr:security"></iron-icon>
+      <div class="heading">$i18n{heading}</div>
+      <p>$i18n{primaryParagraph}</p>
+      <paper-button class="primary-button">
+        $i18n{primaryButtonText}
+      </paper-button>
+  </div>
+</html>

chrome/browser/resources/reset_password/reset_password.js

+/* Copyright 2018 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file. */
+
+// TODO(jialiul): Add functions to handle button clicking.

chrome/browser/safe_browsing/chrome_password_protection_service.cc

@@ -228,6 +228,16 @@ bool ChromePasswordProtectionService::ShouldShowChangePasswordSettingUI(
          !unhandled_sync_password_reuses->empty();
 }
 
+// static
+bool ChromePasswordProtectionService::IsPasswordReuseProtectionConfigured(
+    Profile* profile) {
+  ChromePasswordProtectionService* service =
+      ChromePasswordProtectionService::GetPasswordProtectionService(profile);
+  return service &&
+         service->GetPasswordProtectionTriggerPref(
+             prefs::kPasswordProtectionWarningTrigger) == PASSWORD_REUSE;
+}
+
 void ChromePasswordProtectionService::FillReferrerChain(
     const GURL& event_url,
     SessionID event_tab_id,
@@ -929,12 +939,18 @@ base::string16 ChromePasswordProtectionService::GetWarningDetailText() {
 
   std::string enterprise_name =
       profile_->GetPrefs()->GetString(prefs::kPasswordProtectionEnterpriseName);
-  return enterprise_name.empty()
-             ? l10n_util::GetStringUTF16(
-                   IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_ENTERPRISE)
-             : l10n_util::GetStringFUTF16(
-                   IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_ENTERPRISE_WITH_ORG_NAME,
-                   base::UTF8ToUTF16(enterprise_name));
+  if (!enterprise_name.empty()) {
+    return l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_ENTERPRISE_WITH_ORG_NAME,
+        base::UTF8ToUTF16(enterprise_name));
+  }
+  return l10n_util::GetStringUTF16(
+      IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_ENTERPRISE);
+}
+
+std::string ChromePasswordProtectionService::GetOrganizationName() {
+  // TODO(jialiul): Implement this function.
+  return std::string();
 }
 
 }  // namespace safe_browsing

chrome/browser/safe_browsing/chrome_password_protection_service.h

@@ -89,6 +89,10 @@ class ChromePasswordProtectionService : public PasswordProtectionService {
 
   static bool ShouldShowChangePasswordSettingUI(Profile* profile);
 
+  // Called by ChromeWebUIControllerFactory class to determine if Chrome should
+  // show chrome://reset-password page.
+  static bool IsPasswordReuseProtectionConfigured(Profile* profile);
+
   void ShowModalWarning(content::WebContents* web_contents,
                         const std::string& verdict_token) override;
 
@@ -149,6 +153,11 @@ class ChromePasswordProtectionService : public PasswordProtectionService {
   // and page info bubble.
   base::string16 GetWarningDetailText();
 
+  // If password protection trigger is configured via enterprise policy, gets
+  // the name of the organization that owns the enterprise policy. Otherwise,
+  // returns an empty string.
+  std::string GetOrganizationName();
+
  protected:
   // PasswordProtectionService overrides.
   // Obtains referrer chain of |event_url| and |event_tab_id| and add this

chrome/browser/safe_browsing/chrome_password_protection_service_browsertest.cc

@@ -26,6 +26,17 @@
 #include "content/public/test/test_navigation_observer.h"
 #include "testing/gmock/include/gmock/gmock.h"
 
+#if !defined(OS_CHROMEOS)
+#include "chrome/browser/signin/account_fetcher_service_factory.h"
+#include "chrome/browser/signin/account_tracker_service_factory.h"
+#include "chrome/browser/signin/chrome_signin_client_factory.h"
+#include "chrome/browser/signin/fake_account_fetcher_service_builder.h"
+#include "chrome/browser/signin/fake_signin_manager_builder.h"
+#include "chrome/browser/signin/signin_manager_factory.h"
+#include "components/signin/core/browser/account_tracker_service.h"
+#include "components/signin/core/browser/fake_account_fetcher_service.h"
+#endif
+
 namespace {
 
 const char kGaiaPasswordChangeHistogramName[] =
@@ -92,6 +103,27 @@ class ChromePasswordProtectionServiceBrowserTest : public InProcessBrowserTest {
     helper->GetSecurityInfo(out_security_info);
   }
 
+#if !defined(OS_CHROMEOS)
+  // Makes user signed-in as |email| with |gaia_id| and |hosted_domain|.
+  void PrepareSyncAccount(const std::string& hosted_domain,
+                          const std::string& email,
+                          const std::string& gaia_id) {
+    Profile* profile = browser()->profile();
+    std::string account_id =
+        AccountTrackerServiceFactory::GetForProfile(profile)->SeedAccountInfo(
+            gaia_id, email);
+    SigninManagerFactory::GetForProfile(profile)->SetAuthenticatedAccountInfo(
+        gaia_id, email);
+    FakeAccountFetcherService* account_fetcher_service =
+        static_cast<FakeAccountFetcherService*>(
+            AccountFetcherServiceFactory::GetForProfile(profile));
+
+    account_fetcher_service->FakeUserInfoFetchSuccess(
+        account_id, email, gaia_id, hosted_domain, "full_name", "given_name",
+        "locale", "http://picture.example.com/picture.jpg");
+  }
+#endif
+
  protected:
   base::test::ScopedFeatureList scoped_feature_list_;
   base::HistogramTester histograms_;
@@ -391,6 +423,39 @@ IN_PROC_BROWSER_TEST_F(ChromePasswordProtectionServiceBrowserTest,
           ->empty());
 }
 
-// TODO(jialiul): Add more tests where multiple browser windows are involved.
+// TODO(jialiul): Enable this test for Chrome OS after figuring out how to
+// properly prepare sync account for Chrome OS.
+#if !defined(OS_CHROMEOS)
+IN_PROC_BROWSER_TEST_F(ChromePasswordProtectionServiceBrowserTest,
+                       VerifyIsPasswordReuseProtectionConfigured) {
+  Profile* profile = browser()->profile();
+  ChromePasswordProtectionService* service = GetService(/*is_incognito=*/false);
+  // When kEnterprisePasswordProtectionV1 feature is off.
+  // |IsPasswordReuseProtectionConfigured(..)| returns false.
+  EXPECT_FALSE(
+      ChromePasswordProtectionService::IsPasswordReuseProtectionConfigured(
+          profile));
+
+  base::test::ScopedFeatureList scoped_features;
+  scoped_features.InitAndEnableFeature(kEnterprisePasswordProtectionV1);
+  // If prefs::kPasswordProtectionWarningTrigger isn't set to PASSWORD_REUSE,
+  // |IsPasswordReuseProtectionConfigured(..)| returns false.
+  EXPECT_EQ(PASSWORD_PROTECTION_OFF,
+            service->GetPasswordProtectionTriggerPref(
+                prefs::kPasswordProtectionWarningTrigger));
+  EXPECT_FALSE(
+      ChromePasswordProtectionService::IsPasswordReuseProtectionConfigured(
+          profile));
+
+  PrepareSyncAccount(std::string(AccountTrackerService::kNoHostedDomainFound),
+                     "stub-user@example.com", "gaia_id");
+  profile->GetPrefs()->SetInteger(prefs::kPasswordProtectionWarningTrigger,
+                                  1 /*PASSWORD_REUSE*/);
+  // Otherwise, |IsPasswordReuseProtectionConfigured(..)| returns true.
+  EXPECT_TRUE(
+      ChromePasswordProtectionService::IsPasswordReuseProtectionConfigured(
+          profile));
+}
+#endif
 
 }  // namespace safe_browsing

chrome/browser/ui/BUILD.gn

@@ -889,6 +889,13 @@ split_static_library("ui") {
     "webui/version_ui.h",
   ]
 
+  if (safe_browsing_mode == 1) {
+    sources += [
+      "webui/reset_password/reset_password_ui.cc",
+      "webui/reset_password/reset_password_ui.h",
+    ]
+  }
+
   allow_circular_includes_from = []
   defines = []
   if (is_win) {

chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc

@@ -211,6 +211,12 @@
 #include "extensions/common/manifest.h"
 #endif
 
+#if defined(SAFE_BROWSING_DB_LOCAL)
+#include "chrome/browser/safe_browsing/chrome_password_protection_service.h"
+#include "chrome/browser/ui/webui/reset_password/reset_password_ui.h"
+#include "components/safe_browsing/features.h"
+#endif
+
 using content::WebUI;
 using content::WebUIController;
 using ui::WebDialogUI;
@@ -622,6 +628,18 @@ WebUIFactoryFunction GetWebUIFactoryFunction(WebUI* web_ui,
     return &NewWebUI<MediaEngagementUI>;
   }
 
+#if defined(SAFE_BROWSING_DB_LOCAL)
+  bool enable_reset_password =
+      base::FeatureList::IsEnabled(
+          safe_browsing::kForceEnableResetPasswordWebUI) ||
+      safe_browsing::ChromePasswordProtectionService::
+          IsPasswordReuseProtectionConfigured(profile);
+  if (url.host_piece() == chrome::kChromeUIResetPasswordHost &&
+      enable_reset_password) {
+    return &NewWebUI<ResetPasswordUI>;
+  }
+#endif
+
   return NULL;
 }
 

chrome/browser/ui/webui/reset_password/reset_password_ui.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/webui/reset_password/reset_password_ui.h"
+
+#include "base/strings/utf_string_conversions.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/chrome_password_protection_service.h"
+#include "chrome/common/url_constants.h"
+#include "chrome/grit/browser_resources.h"
+#include "components/safe_browsing/common/safe_browsing_prefs.h"
+#include "components/strings/grit/components_strings.h"
+#include "components/user_prefs/user_prefs.h"
+#include "content/public/browser/browser_context.h"
+#include "content/public/browser/navigation_entry.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/browser/web_ui_data_source.h"
+#include "mojo/public/cpp/bindings/binding.h"
+#include "ui/base/l10n/l10n_util.h"
+
+ResetPasswordUI::ResetPasswordUI(content::WebUI* web_ui)
+    : content::WebUIController(web_ui) {
+  base::DictionaryValue load_time_data;
+  PopulateStrings(web_ui->GetWebContents(), &load_time_data);
+  std::unique_ptr<content::WebUIDataSource> html_source(
+      content::WebUIDataSource::Create(chrome::kChromeUIResetPasswordHost));
+  html_source->AddResourcePath("reset_password.js", IDR_RESET_PASSWORD_JS);
+  html_source->SetDefaultResource(IDR_RESET_PASSWORD_HTML);
+  html_source->AddLocalizedStrings(load_time_data);
+  html_source->UseGzip();
+
+  content::WebUIDataSource::Add(web_ui->GetWebContents()->GetBrowserContext(),
+                                html_source.release());
+}
+
+ResetPasswordUI::~ResetPasswordUI() {}
+
+void ResetPasswordUI::PopulateStrings(content::WebContents* web_contents,
+                                      base::DictionaryValue* load_time_data) {
+  content::NavigationEntry* nav_entry =
+      web_contents->GetController().GetPendingEntry();
+  std::string org_name =
+      safe_browsing::ChromePasswordProtectionService::
+          GetPasswordProtectionService(
+              Profile::FromBrowserContext(web_contents->GetBrowserContext()))
+              ->GetOrganizationName();
+  bool has_referrer = nav_entry->GetReferrer().url.is_valid();
+  int heading_string_id = has_referrer ? IDS_RESET_PASSWORD_WARNING_HEADING
+                                       : IDS_RESET_PASSWORD_HEADING;
+  base::string16 explanation_paragraph_string;
+  if (org_name.empty()) {
+    explanation_paragraph_string = l10n_util::GetStringUTF16(
+        has_referrer ? IDS_RESET_PASSWORD_WARNING_EXPLANATION_PARAGRAPH
+                     : IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH);
+  } else {
+    explanation_paragraph_string = l10n_util::GetStringFUTF16(
+        has_referrer
+            ? IDS_RESET_PASSWORD_WARNING_EXPLANATION_PARAGRAPH_WITH_ORG_NAME
+            : IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH_WITH_ORG_NAME,
+        base::UTF8ToUTF16(org_name));
+  }
+
+  load_time_data->SetString(
+      "title", l10n_util::GetStringUTF16(IDS_RESET_PASSWORD_TITLE));
+  load_time_data->SetString("heading",
+                            l10n_util::GetStringUTF16(heading_string_id));
+  load_time_data->SetString("primaryParagraph", explanation_paragraph_string);
+  load_time_data->SetString(
+      "primaryButtonText",
+      l10n_util::GetStringUTF16(IDS_RESET_PASSWORD_BUTTON));
+
+  // TODO(jialiul): add UMA recording to track which set of strings are shown.
+}

chrome/browser/ui/webui/reset_password/reset_password_ui.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_UI_WEBUI_RESET_PASSWORD_RESET_PASSWORD_UI_H_
+#define CHROME_BROWSER_UI_WEBUI_RESET_PASSWORD_RESET_PASSWORD_UI_H_
+
+#include "base/macros.h"
+#include "content/public/browser/web_ui_controller.h"
+
+namespace base {
+class DictionaryValue;
+}
+
+namespace content {
+class WebContents;
+}
+
+// The WebUI for chrome://reset-password/.
+class ResetPasswordUI : public content::WebUIController {
+ public:
+  explicit ResetPasswordUI(content::WebUI* web_ui);
+  ~ResetPasswordUI() override;
+
+ private:
+  void PopulateStrings(content::WebContents* web_content,
+                       base::DictionaryValue* load_time_data);
+
+  DISALLOW_COPY_AND_ASSIGN(ResetPasswordUI);
+};
+
+#endif  // CHROME_BROWSER_UI_WEBUI_RESET_PASSWORD_RESET_PASSWORD_UI_H_

chrome/common/webui_url_constants.cc

@@ -116,6 +116,7 @@ const char kChromeUIPrintURL[] = "chrome://print/";
 const char kChromeUIQuitHost[] = "quit";
 const char kChromeUIQuitURL[] = "chrome://quit/";
 const char kChromeUIQuotaInternalsHost[] = "quota-internals";
+const char kChromeUIResetPasswordHost[] = "reset-password";
 const char kChromeUIRestartHost[] = "restart";
 const char kChromeUIRestartURL[] = "chrome://restart/";
 const char kChromeUISettingsHost[] = "settings";

chrome/common/webui_url_constants.h

@@ -120,6 +120,7 @@ extern const char kChromeUIPrintURL[];
 extern const char kChromeUIQuitHost[];
 extern const char kChromeUIQuitURL[];
 extern const char kChromeUIQuotaInternalsHost[];
+extern const char kChromeUIResetPasswordHost[];
 extern const char kChromeUIRestartHost[];
 extern const char kChromeUIRestartURL[];
 extern const char kChromeUISettingsHost[];

components/reset_password_strings.grdp

 <?xml version="1.0" encoding="utf-8"?>
 <grit-part>
-  <message name="IDS_RESET_PASSWORD_WARNING_HEADING" desc="Title of the reset password page.">
+  <message name="IDS_RESET_PASSWORD_TITLE" desc="Title in the reset password page header.">
+    Reset Password
+  </message>
+  <message name="IDS_RESET_PASSWORD_WARNING_HEADING" desc="Heading of the reset password page.">
     Reset your password now
   </message>
-  <message name="IDS_RESET_PASSWORD_HEADING" desc="Title of the reset password page when the user manually navigates to this page.">
+  <message name="IDS_RESET_PASSWORD_HEADING" desc="Heading of the reset password page when the user manually navigates to this page.">
     Reset password?
   </message>
   <message name="IDS_RESET_PASSWORD_WARNING_EXPLANATION_PARAGRAPH" desc="The primary explanatory paragraph for the reset password page.">
+    You entered your password on a site that’s not managed by your organization. To protect your account, don’t reuse your password on other apps and sites.
+  </message>
+  <message name="IDS_RESET_PASSWORD_WARNING_EXPLANATION_PARAGRAPH_WITH_ORG_NAME" desc="The primary explanatory paragraph for the reset password page.">
     You entered your password on a site that’s not managed by <ph name="ORG_NAME">$1<ex>Google</ex></ph>. To protect your account, don’t reuse your password on other apps and sites.
   </message>
   <message name="IDS_RESET_PASSWORD_BUTTON" desc="The text for the button that takes the user to reset their password.">
@@ -14,12 +20,18 @@
   </message>
   <if expr="_google_chrome">
     <message name="IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH" desc="The primary explanatory paragraph for the reset password page when the user manually navigates to this page.">
-      Chrome recommends resetting your <ph name="ORG_NAME">$1<ex>Google</ex></ph> password if you reused it on other sites.
+      Chrome recommends resetting your password if you reused it on other sites.
+    </message>
+    <message name="IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH_WITH_ORG_NAME" desc="The primary explanatory paragraph for the reset password page when the user manually navigates to this page.">
+      Chrome recommends resetting your <ph name="BEGIN_BOLD">&lt;strong&gt;</ph><ph name="ORG_NAME">$1<ex>Google</ex></ph><ph name="END_BOLD">&lt;/strong&gt;</ph> password if you reused it on other sites.
     </message>
   </if>
   <if expr="not _google_chrome">
-    <message name="IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH" desc="The primary explanatory paragraph for the reset password page when the user manually navigates to this page.">
-      Chromium recommends resetting your <ph name="ORG_NAME">$1<ex>Google</ex></ph> password if you reused it on other sites.
+     <message name="IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH" desc="The primary explanatory paragraph for the reset password page when the user manually navigates to this page.">
+      Chromium recommends resetting your password if you reused it on other sites.
+    </message>
+    <message name="IDS_RESET_PASSWORD_EXPLANATION_PARAGRAPH_WITH_ORG_NAME" desc="The primary explanatory paragraph for the reset password page when the user manually navigates to this page.">
+      Chromium recommends resetting your <ph name="BEGIN_BOLD">&lt;strong&gt;</ph><ph name="ORG_NAME">$1<ex>Google</ex></ph><ph name="END_BOLD">&lt;/strong&gt;</ph> password if you reused it on other sites.
     </message>
   </if>
 </grit-part>

components/safe_browsing/features.cc

@@ -68,6 +68,9 @@ const base::Feature kInspectDownloadedRarFiles{
 const base::Feature kEnterprisePasswordProtectionV1{
     "EnterprisePasswordProtectionV1", base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kForceEnableResetPasswordWebUI{
+    "ForceEnableResetPasswordWebUI", base::FEATURE_DISABLED_BY_DEFAULT};
+
 namespace {
 // List of experimental features. Boolean value for each list member should be
 // set to true if the experiment is currently running at a probability other
@@ -83,6 +86,7 @@ constexpr struct {
     {&kCheckByURLLoaderThrottle, true},
     {&kDispatchSafetyNetCheckOffThread, false},
     {&kEnterprisePasswordProtectionV1, true},
+    {&kForceEnableResetPasswordWebUI, false},
     {&kGaiaPasswordReuseReporting, true},
     {&kGoogleBrandedPhishingWarning, false},
     {&kInspectDownloadedRarFiles, true},

components/safe_browsing/features.h

@@ -52,9 +52,13 @@ extern const base::Feature kAppendRecentNavigationEvents;
 // unsafe.
 extern const base::Feature kInspectDownloadedRarFiles;
 
-// Control the Password Protection for Enterprise V1 feature;
+// Controls the Password Protection for Enterprise V1 feature;
 extern const base::Feature kEnterprisePasswordProtectionV1;
 
+// Forces the chrome://reset-password page to be shown for review or testing
+// purpose.
+extern const base::Feature kForceEnableResetPasswordWebUI;
+
 base::ListValue GetFeatureStatusList();
 
 }  // namespace safe_browsing