Update the page info bubble for saved passwords.

Update the page info bubble of the phishing site
on a saved password password reuse for password
protection. Also create new safe browsing threat
types and security states.

Screenshot:
https://screenshot.googleplex.com/v9wOv7bCd5T

Bug: 1010764
Change-Id: I04a4ee566e5c791c17ff7cb3fbe608dd0266a1ea
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1839251
Commit-Queue: Bettina Dea <bdea@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#703941}

chrome/browser/interstitials/enterprise_util.cc

@@ -81,6 +81,7 @@ std::string GetThreatTypeStringForInterstitial(
     case safe_browsing::SB_THREAT_TYPE_CSD_WHITELIST:
     case safe_browsing::
         DEPRECATED_SB_THREAT_TYPE_URL_PASSWORD_PROTECTION_PHISHING:
+    case safe_browsing::SB_THREAT_TYPE_SAVED_PASSWORD_REUSE:
     case safe_browsing::SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE:
     case safe_browsing::SB_THREAT_TYPE_SIGNED_IN_NON_SYNC_PASSWORD_REUSE:
     case safe_browsing::SB_THREAT_TYPE_AD_SAMPLE:

chrome/browser/safe_browsing/chrome_password_protection_service.cc

@@ -380,22 +380,41 @@ void ChromePasswordProtectionService::ShowModalWarning(
                      outcome, verdict_type, verdict_token,
                      WarningUIType::MODAL_DIALOG));
 
-  if (password_type.account_type() == ReusedPasswordAccountType::GMAIL ||
-      password_type.account_type() == ReusedPasswordAccountType::GSUITE)
-    OnModalWarningShownForGaiaPassword(web_contents, password_type,
-                                       verdict_token);
-  else
-    OnModalWarningShownForEnterprisePassword(web_contents, password_type,
-                                             verdict_token);
+  LogWarningAction(WarningUIType::MODAL_DIALOG, WarningAction::SHOWN,
+                   password_type);
+  switch (password_type.account_type()) {
+    case ReusedPasswordAccountType::SAVED_PASSWORD:
+      OnModalWarningShownForSavedPassword(web_contents, password_type,
+                                          verdict_token);
+      break;
+    case ReusedPasswordAccountType::GMAIL:
+    case ReusedPasswordAccountType::GSUITE:
+      OnModalWarningShownForGaiaPassword(web_contents, password_type,
+                                         verdict_token);
+      break;
+    case ReusedPasswordAccountType::NON_GAIA_ENTERPRISE:
+      OnModalWarningShownForEnterprisePassword(web_contents, password_type,
+                                               verdict_token);
+      break;
+    default:
+      return;
+  }
 }
 
-void ChromePasswordProtectionService::OnModalWarningShownForGaiaPassword(
+void ChromePasswordProtectionService::OnModalWarningShownForSavedPassword(
     content::WebContents* web_contents,
     ReusedPasswordAccountType password_type,
     const std::string& verdict_token) {
-  LogWarningAction(WarningUIType::MODAL_DIALOG, WarningAction::SHOWN,
-                   password_type);
+  UpdateSecurityState(SB_THREAT_TYPE_SAVED_PASSWORD_REUSE, password_type,
+                      web_contents);
+  // Starts preparing post-warning report.
+  MaybeStartThreatDetailsCollection(web_contents, verdict_token, password_type);
+}
 
+void ChromePasswordProtectionService::OnModalWarningShownForGaiaPassword(
+    content::WebContents* web_contents,
+    ReusedPasswordAccountType password_type,
+    const std::string& verdict_token) {
   if (!IsIncognito()) {
     DictionaryPrefUpdate update(
         profile_->GetPrefs(), prefs::kSafeBrowsingUnhandledGaiaPasswordReuses);
@@ -406,10 +425,13 @@ void ChromePasswordProtectionService::OnModalWarningShownForGaiaPassword(
         base::Value(
             base::NumberToString(GetLastCommittedNavigationID(web_contents))));
   }
-  UpdateSecurityState(password_type.is_account_syncing()
-                          ? SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE
-                          : SB_THREAT_TYPE_SIGNED_IN_NON_SYNC_PASSWORD_REUSE,
-                      password_type, web_contents);
+  SBThreatType threat_type;
+  if (password_type.is_account_syncing()) {
+    threat_type = SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE;
+  } else {
+    threat_type = SB_THREAT_TYPE_SIGNED_IN_NON_SYNC_PASSWORD_REUSE;
+  }
+  UpdateSecurityState(threat_type, password_type, web_contents);
 
   // Starts preparing post-warning report.
   MaybeStartThreatDetailsCollection(web_contents, verdict_token, password_type);
@@ -419,8 +441,6 @@ void ChromePasswordProtectionService::OnModalWarningShownForEnterprisePassword(
     content::WebContents* web_contents,
     ReusedPasswordAccountType password_type,
     const std::string& verdict_token) {
-  LogWarningAction(WarningUIType::MODAL_DIALOG, WarningAction::SHOWN,
-                   password_type);
   web_contents_with_unhandled_enterprise_reuses_.insert(web_contents);
   UpdateSecurityState(SB_THREAT_TYPE_ENTERPRISE_PASSWORD_REUSE, password_type,
                       web_contents);
@@ -517,6 +537,9 @@ void ChromePasswordProtectionService::MaybeStartThreatDetailsCollection(
   if (password_type.account_type() ==
       ReusedPasswordAccountType::NON_GAIA_ENTERPRISE) {
     resource.threat_type = SB_THREAT_TYPE_ENTERPRISE_PASSWORD_REUSE;
+  } else if (password_type.account_type() ==
+             ReusedPasswordAccountType::SAVED_PASSWORD) {
+    resource.threat_type = SB_THREAT_TYPE_SAVED_PASSWORD_REUSE;
   } else if (password_type.is_account_syncing()) {
     resource.threat_type = SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE;
   } else {
@@ -990,13 +1013,25 @@ base::string16 ChromePasswordProtectionService::GetWarningDetailText(
   DCHECK(password_type.account_type() == ReusedPasswordAccountType::GSUITE ||
          password_type.account_type() == ReusedPasswordAccountType::GMAIL ||
          password_type.account_type() ==
-             ReusedPasswordAccountType::NON_GAIA_ENTERPRISE);
+             ReusedPasswordAccountType::NON_GAIA_ENTERPRISE ||
+         (password_type.account_type() ==
+              ReusedPasswordAccountType::SAVED_PASSWORD &&
+          base::FeatureList::IsEnabled(
+              safe_browsing::kPasswordProtectionForSavedPasswords)));
   if (password_type.account_type() ==
       ReusedPasswordAccountType::NON_GAIA_ENTERPRISE) {
     return l10n_util::GetStringUTF16(
         IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_ENTERPRISE);
   }
 
+  if (password_type.account_type() ==
+          ReusedPasswordAccountType::SAVED_PASSWORD &&
+      base::FeatureList::IsEnabled(
+          safe_browsing::kPasswordProtectionForSavedPasswords)) {
+    return l10n_util::GetStringUTF16(
+        IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_SAVED);
+  }
+
   bool enable_warning_for_non_sync_users = base::FeatureList::IsEnabled(
       safe_browsing::kPasswordProtectionForSignedInUsers);
   if (enable_warning_for_non_sync_users &&

chrome/browser/safe_browsing/chrome_password_protection_service.h

@@ -434,6 +434,11 @@ class ChromePasswordProtectionService : public PasswordProtectionService {
       sync_pb::GaiaPasswordReuse::PasswordReuseDialogInteraction::
           InteractionResult interaction_result);
 
+  void OnModalWarningShownForSavedPassword(
+      content::WebContents* web_contents,
+      ReusedPasswordAccountType password_type,
+      const std::string& verdict_token);
+
   void OnModalWarningShownForGaiaPassword(
       content::WebContents* web_contents,
       ReusedPasswordAccountType password_type,

chrome/browser/safe_browsing/chrome_password_protection_service_unittest.cc

@@ -1138,6 +1138,18 @@ TEST_F(ChromePasswordProtectionServiceTest,
                    OnPolicySpecifiedPasswordReuseDetected::kEventName));
 }
 
+TEST_F(ChromePasswordProtectionServiceTest, VerifyGetWarningDetailTextSaved) {
+  base::string16 warning_text =
+      l10n_util::GetStringUTF16(IDS_PAGE_INFO_CHANGE_PASSWORD_DETAILS_SAVED);
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      safe_browsing::kPasswordProtectionForSavedPasswords);
+  ReusedPasswordAccountType reused_password_type;
+  reused_password_type.set_account_type(
+      ReusedPasswordAccountType::SAVED_PASSWORD);
+  EXPECT_EQ(warning_text, service_->GetWarningDetailText(reused_password_type));
+}
+
 TEST_F(ChromePasswordProtectionServiceTest,
        VerifyGetWarningDetailTextEnterprise) {
   base::string16 warning_text_non_sync = l10n_util::GetStringUTF16(

chrome/browser/ssl/security_state_tab_helper.cc

@@ -239,6 +239,10 @@ SecurityStateTabHelper::GetMaliciousContentStatus() const {
         return security_state::MALICIOUS_CONTENT_STATUS_MALWARE;
       case safe_browsing::SB_THREAT_TYPE_URL_UNWANTED:
         return security_state::MALICIOUS_CONTENT_STATUS_UNWANTED_SOFTWARE;
+      case safe_browsing::SB_THREAT_TYPE_SAVED_PASSWORD_REUSE:
+#if BUILDFLAG(FULL_SAFE_BROWSING)
+        return security_state::MALICIOUS_CONTENT_STATUS_SAVED_PASSWORD_REUSE;
+#endif
       case safe_browsing::SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE:
 #if BUILDFLAG(FULL_SAFE_BROWSING)
         if (safe_browsing::ChromePasswordProtectionService::

chrome/browser/ui/page_info/page_info.cc

@@ -1068,6 +1068,18 @@ void PageInfo::GetSafeBrowsingStatusByMaliciousContentStatus(
       *details =
           l10n_util::GetStringUTF16(IDS_PAGE_INFO_UNWANTED_SOFTWARE_DETAILS);
       break;
+    case security_state::MALICIOUS_CONTENT_STATUS_SAVED_PASSWORD_REUSE:
+#if BUILDFLAG(FULL_SAFE_BROWSING)
+      *status = PageInfo::SAFE_BROWSING_STATUS_SAVED_PASSWORD_REUSE;
+      // |password_protection_service_| may be null in test.
+      *details =
+          password_protection_service_
+              ? password_protection_service_->GetWarningDetailText(
+                    password_protection_service_
+                        ->reused_password_account_type_for_last_shown_warning())
+              : base::string16();
+#endif
+      break;
     case security_state::MALICIOUS_CONTENT_STATUS_SIGNED_IN_SYNC_PASSWORD_REUSE:
 #if BUILDFLAG(FULL_SAFE_BROWSING)
       *status = PageInfo::SAFE_BROWSING_STATUS_SIGNED_IN_SYNC_PASSWORD_REUSE;

chrome/browser/ui/page_info/page_info.h

@@ -100,6 +100,7 @@ class PageInfo : public TabSpecificContentSettings::SiteDataObserver,
     SAFE_BROWSING_STATUS_MALWARE,
     SAFE_BROWSING_STATUS_SOCIAL_ENGINEERING,
     SAFE_BROWSING_STATUS_UNWANTED_SOFTWARE,
+    SAFE_BROWSING_STATUS_SAVED_PASSWORD_REUSE,
     SAFE_BROWSING_STATUS_SIGNED_IN_SYNC_PASSWORD_REUSE,
     SAFE_BROWSING_STATUS_SIGNED_IN_NON_SYNC_PASSWORD_REUSE,
     SAFE_BROWSING_STATUS_ENTERPRISE_PASSWORD_REUSE,

chrome/browser/ui/page_info/page_info_ui.cc

@@ -264,6 +264,7 @@ PageInfoUI::GetSecurityDescription(const IdentityInfo& identity_info) const {
       return CreateSecurityDescription(SecuritySummaryColor::RED,
                                        IDS_PAGE_INFO_UNWANTED_SOFTWARE_SUMMARY,
                                        IDS_PAGE_INFO_UNWANTED_SOFTWARE_DETAILS);
+    case PageInfo::SAFE_BROWSING_STATUS_SAVED_PASSWORD_REUSE:
     case PageInfo::SAFE_BROWSING_STATUS_SIGNED_IN_SYNC_PASSWORD_REUSE:
     case PageInfo::SAFE_BROWSING_STATUS_SIGNED_IN_NON_SYNC_PASSWORD_REUSE:
     case PageInfo::SAFE_BROWSING_STATUS_ENTERPRISE_PASSWORD_REUSE:

chrome/browser/ui/page_info/page_info_unittest.cc

@@ -487,6 +487,18 @@ TEST_F(PageInfoTest, SignInPasswordReuse) {
             page_info()->safe_browsing_status());
 }
 
+TEST_F(PageInfoTest, SavedPasswordReuse) {
+  security_level_ = security_state::DANGEROUS;
+  visible_security_state_.malicious_content_status =
+      security_state::MALICIOUS_CONTENT_STATUS_SAVED_PASSWORD_REUSE;
+  SetDefaultUIExpectations(mock_ui());
+
+  EXPECT_EQ(PageInfo::SITE_CONNECTION_STATUS_UNENCRYPTED,
+            page_info()->site_connection_status());
+  EXPECT_EQ(PageInfo::SAFE_BROWSING_STATUS_SAVED_PASSWORD_REUSE,
+            page_info()->safe_browsing_status());
+}
+
 TEST_F(PageInfoTest, EnterprisePasswordReuse) {
   security_level_ = security_state::DANGEROUS;
   visible_security_state_.malicious_content_status =

components/safe_browsing/browser/threat_details.cc

@@ -102,6 +102,7 @@ ClientSafeBrowsingReportRequest::ReportType GetReportTypeFromSBThreatType(
       return ClientSafeBrowsingReportRequest::AD_SAMPLE;
     case SB_THREAT_TYPE_BLOCKED_AD_REDIRECT:
       return ClientSafeBrowsingReportRequest::BLOCKED_AD_REDIRECT;
+    case SB_THREAT_TYPE_SAVED_PASSWORD_REUSE:
     case SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE:
     case SB_THREAT_TYPE_SIGNED_IN_NON_SYNC_PASSWORD_REUSE:
     case SB_THREAT_TYPE_ENTERPRISE_PASSWORD_REUSE:

components/safe_browsing/db/v4_protocol_manager_util.h

@@ -142,6 +142,9 @@ enum SBThreatType {
   // DEPRECATED. Url detected by password protection service.
   DEPRECATED_SB_THREAT_TYPE_URL_PASSWORD_PROTECTION_PHISHING,
 
+  // Saved password reuse detected on low reputation page,
+  SB_THREAT_TYPE_SAVED_PASSWORD_REUSE,
+
   // Chrome signed in and syncing gaia password reuse detected on low reputation
   // page,
   SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE,

components/security_interstitials/content/unsafe_resource.cc

@@ -50,6 +50,9 @@ bool UnsafeResource::IsMainPageLoadBlocked() const {
     case safe_browsing::SB_THREAT_TYPE_BLOCKED_AD_REDIRECT:
     // Ad sampling happens in the background.
     case safe_browsing::SB_THREAT_TYPE_AD_SAMPLE:
+    // Chrome SAVED password reuse warning happens after the page is finished
+    // loading.
+    case safe_browsing::SB_THREAT_TYPE_SAVED_PASSWORD_REUSE:
     // Chrome GAIA signed in and syncing password reuse warning happens after
     // the page is finished loading.
     case safe_browsing::SB_THREAT_TYPE_SIGNED_IN_SYNC_PASSWORD_REUSE:

components/security_state/core/security_state.h

@@ -98,6 +98,7 @@ enum MaliciousContentStatus {
   MALICIOUS_CONTENT_STATUS_MALWARE,
   MALICIOUS_CONTENT_STATUS_UNWANTED_SOFTWARE,
   MALICIOUS_CONTENT_STATUS_SOCIAL_ENGINEERING,
+  MALICIOUS_CONTENT_STATUS_SAVED_PASSWORD_REUSE,
   MALICIOUS_CONTENT_STATUS_SIGNED_IN_SYNC_PASSWORD_REUSE,
   MALICIOUS_CONTENT_STATUS_SIGNED_IN_NON_SYNC_PASSWORD_REUSE,
   MALICIOUS_CONTENT_STATUS_ENTERPRISE_PASSWORD_REUSE,