Enable password reuse ping on Android

Password manager is able to capture committed text through
Ime committed text events. Added a finch flag SafeBrowsingSendPasswordReusePing
to control password reuse pings.

Bug: 1004842
Change-Id: I5fd58380da245150953372ce024d5a536eed9f3e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1815050
Commit-Queue: Xinghui Lu <xinghuilu@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Cr-Commit-Position: refs/heads/master@{#699086}

chrome/browser/android/chrome_feature_list.cc

@@ -223,7 +223,6 @@ const base::Feature* kFeaturesExposedToJava[] = {
     &password_manager::features::kPasswordManagerOnboardingAndroid,
     &password_manager::features::kLeakDetection,
     &safe_browsing::kCaptureSafetyNetId,
-    &safe_browsing::kSendOnFocusPing,
     &signin::kMiceFeature,
     &switches::kSyncManualStartAndroid,
     &unified_consent::kUnifiedConsent,

chrome/browser/password_manager/chrome_password_manager_client.cc

@@ -201,7 +201,6 @@ ChromePasswordManagerClient::ChromePasswordManagerClient(
       password_feature_manager_(
           ProfileSyncServiceFactory::GetForProfile(profile_)),
       httpauth_manager_(this),
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
       password_reuse_detection_manager_(this),
 #endif
@@ -640,7 +639,6 @@ void ChromePasswordManagerClient::DidFinishNavigation(
   if (!navigation_handle->IsSameDocument())
     content_credential_manager_.DisconnectBinding();
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   password_reuse_detection_manager_.DidNavigateMainFrame(GetMainFrameURL());
 #endif  // defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)

chrome/browser/password_manager/chrome_password_manager_client.h

@@ -250,13 +250,14 @@ class ChromePasswordManagerClient
       content::NavigationHandle* navigation_handle) override;
   void DidFinishNavigation(
       content::NavigationHandle* navigation_handle) override;
+// TODO(crbug.com/1006430): Paste event is not captured on Android.
 #if !defined(OS_ANDROID)
   void OnPaste() override;
 #endif
 
   void RenderFrameCreated(content::RenderFrameHost* render_frame_host) override;
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+// Key events are triggered by Ime text committed event on Android.
 #if !defined(OS_ANDROID)
   // content::RenderWidgetHost::InputEventObserver overrides.
   void OnInputEvent(const blink::WebInputEvent&) override;
@@ -300,7 +301,6 @@ class ChromePasswordManagerClient
   const password_manager::PasswordFeatureManagerImpl password_feature_manager_;
   password_manager::HttpAuthManagerImpl httpauth_manager_;
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   password_manager::PasswordReuseDetectionManager
       password_reuse_detection_manager_;

components/password_manager/core/browser/BUILD.gn

@@ -10,8 +10,9 @@ if (is_android) {
   import("//build/config/android/config.gni")
 }
 
-# TODO(crbug.com/706392): Fix password reuse detection for Android.
-password_reuse_detection_support = !is_android && !is_ios
+# TODO(crbug.com/1006430): Fix password reuse detection not fully functional on
+# Android.
+password_reuse_detection_support = !is_ios
 password_reuse_warning_support = !is_android && !is_ios
 password_on_focus_ping_support = !is_ios
 

components/password_manager/core/browser/mock_password_store.h

@@ -72,7 +72,7 @@ class MockPasswordStore : public PasswordStore {
   MOCK_METHOD1(AddSiteStatsImpl, void(const InteractionsStats&));
   MOCK_METHOD1(RemoveSiteStatsImpl, void(const GURL&));
   MOCK_CONST_METHOD0(IsAbleToSavePasswords, bool());
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   MOCK_METHOD3(CheckReuse,
                void(const base::string16&,

components/password_manager/core/browser/password_store.cc

@@ -65,7 +65,6 @@ void FilterLogins(
 
 }  // namespace
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
 PasswordStore::CheckReuseRequest::CheckReuseRequest(
     PasswordReuseDetectorConsumer* consumer)
@@ -397,7 +396,6 @@ PasswordStore::CreateSyncControllerDelegate() {
           base::Unretained(this)));
 }
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
 void PasswordStore::CheckReuse(const base::string16& input,
                                const std::string& domain,
@@ -537,7 +535,7 @@ bool PasswordStore::InitOnBackgroundSequence(
     syncable_service_.reset(new PasswordSyncableService(this));
     syncable_service_->InjectStartSyncFlare(flare);
   }
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   reuse_detector_ = new PasswordReuseDetector;
 
@@ -593,7 +591,7 @@ void PasswordStore::NotifyLoginsChanged(
       syncable_service_->ActOnPasswordStoreChanges(changes);
     if (sync_bridge_)
       sync_bridge_->ActOnPasswordStoreChanges(changes);
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
     if (reuse_detector_)
       reuse_detector_->OnLoginsChanged(changes);
@@ -601,7 +599,6 @@ void PasswordStore::NotifyLoginsChanged(
   }
 }
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
 void PasswordStore::CheckReuseImpl(std::unique_ptr<CheckReuseRequest> request,
                                    const base::string16& input,
@@ -1060,7 +1057,7 @@ void PasswordStore::DestroyOnBackgroundSequence() {
   DCHECK(background_task_runner_->RunsTasksInCurrentSequence());
   syncable_service_.reset();
   sync_bridge_.reset();
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   delete reuse_detector_;
   reuse_detector_ = nullptr;

components/password_manager/core/browser/password_store.h

@@ -23,7 +23,6 @@
 #include "components/password_manager/core/browser/password_store_sync.h"
 #include "components/sync/model/syncable_service.h"
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
 #include "components/password_manager/core/browser/hash_password_manager.h"
 #include "components/password_manager/core/browser/password_manager_metrics_util.h"
@@ -264,7 +263,6 @@ class PasswordStore : protected PasswordStoreSync,
   std::unique_ptr<syncer::ProxyModelTypeControllerDelegate>
   CreateSyncControllerDelegate();
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   // Immediately called after |Init()| to retrieve password hash data for
   // reuse detection.
@@ -330,7 +328,6 @@ class PasswordStore : protected PasswordStoreSync,
  protected:
   friend class base::RefCountedThreadSafe<PasswordStore>;
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   // Represents a single CheckReuse() request. Implements functionality to
   // listen to reuse events and propagate them to |consumer| on the sequence on
@@ -453,7 +450,6 @@ class PasswordStore : protected PasswordStoreSync,
   // been changed.
   void NotifyLoginsChanged(const PasswordStoreChangeList& changes) override;
 
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   // Saves |username| and a hash of |password| for password reuse checking.
   // |is_gaia_password| indicates if it is a Gaia account. |event| is used for
@@ -675,7 +671,7 @@ class PasswordStore : protected PasswordStoreSync,
   std::unique_ptr<PasswordSyncBridge> sync_bridge_;
 
   std::unique_ptr<AffiliatedMatchHelper> affiliated_match_helper_;
-// TODO(crbug.com/706392): Fix password reuse detection for Android.
+
 #if defined(SYNC_PASSWORD_REUSE_DETECTION_ENABLED)
   PrefService* prefs_ = nullptr;
   // PasswordReuseDetector can be only destroyed on the background sequence. It

components/safe_browsing/features.cc

@@ -65,6 +65,16 @@ const base::Feature kSendOnFocusPing {
 };
 #endif
 
+const base::Feature kSendPasswordReusePing {
+  "SafeBrowsingSendPasswordReusePing",
+#if BUILDFLAG(FULL_SAFE_BROWSING)
+      base::FEATURE_ENABLED_BY_DEFAULT
+};
+#else
+      base::FEATURE_DISABLED_BY_DEFAULT
+};
+#endif
+
 const base::Feature kSendSampledPingsForAllowlistDomains{
     "SafeBrowsingSendSampledPingsForAllowlistDomain",
     base::FEATURE_DISABLED_BY_DEFAULT};
@@ -108,6 +118,7 @@ constexpr struct {
     {&kRealTimeUrlLookupEnabled, true},
     {&kRealTimeUrlLookupFetchAllowlist, true},
     {&kSendOnFocusPing, true},
+    {&kSendPasswordReusePing, true},
     {&kSendSampledPingsForAllowlistDomains, false},
     {&kSuspiciousSiteTriggerQuotaFeature, true},
     {&kThreatDomDetailsTagAndAttributeFeature, false},

components/safe_browsing/features.h

@@ -57,6 +57,9 @@ extern const base::Feature kPasswordProtectionForSignedInUsers;
 // Controls whether Chrome sends on focus ping.
 extern const base::Feature kSendOnFocusPing;
 
+// Controls whether Chrome sends password reuse ping.
+extern const base::Feature kSendPasswordReusePing;
+
 // Controls the daily quota for the suspicious site trigger.
 extern const base::Feature kSuspiciousSiteTriggerQuotaFeature;
 

components/safe_browsing/password_protection/password_protection_service.cc

@@ -117,6 +117,9 @@ void PasswordProtectionService::MaybeStartProtectedPasswordEntryRequest(
     const std::vector<std::string>& matching_domains,
     bool password_field_exists) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  if (!base::FeatureList::IsEnabled(safe_browsing::kSendPasswordReusePing)) {
+    return;
+  }
   ReusedPasswordAccountType reused_password_account_type =
       GetPasswordProtectionReusedPasswordAccountType(password_type, username);
   RequestOutcome reason;