Fix password change for signed-in non-sync pwd.

Fix password change events for sign-in non-syncing passwords.
Previously, we were double counting password-change events where
if the user first signs into an account, a password change event
would trigger. This checks to see if a password hash already
exists for the username first before triggering.

Bug: 1015515
Change-Id: Ic8027f7c68fe1803a295a730812569dc0d4faf2b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1866911Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Reviewed-by: Bettina Dea <bdea@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Commit-Queue: Bettina Dea <bdea@chromium.org>
Cr-Commit-Position: refs/heads/master@{#707437}

chrome/browser/safe_browsing/chrome_password_protection_service.cc

@@ -806,13 +806,14 @@ void ChromePasswordProtectionService::
   }
 
   // For non sync password changes, we have to loop through all the password
-  // hashes and find the hash associated with the username. Right now this
-  // double counts when a password is first saved which is inaccurate.
+  // hashes and find the hash associated with the username.
   password_manager::HashPasswordManager hash_password_manager;
   hash_password_manager.set_prefs(profile_->GetPrefs());
   for (const auto& hash_data :
        hash_password_manager.RetrieveAllPasswordHashes()) {
-    if (hash_data.username == username) {
+    if (password_manager::AreUsernamesSame(
+            hash_data.username, /*is_username1_gaia_account=*/true, username,
+            /*is_username2_gaia_account=*/true)) {
       OnGaiaPasswordChanged(username, /*is_other_gaia_password=*/true);
       break;
     }

chrome/browser/safe_browsing/chrome_password_protection_service.h

@@ -149,7 +149,8 @@ class ChromePasswordProtectionService : public PasswordProtectionService {
   // Check if Gaia password hash has changed. If it is changed, it will call
   // |OnGaiaPasswordChanged|. |username| is used to get the appropriate account
   // to check if the account is a Gmail account as no reporting is done for
-  // those accounts.
+  // those accounts. This method is only called if there was already an existing
+  // password hash in the hash password manager reused password.
   void CheckGaiaPasswordChangeForAllSignedInUsers(const std::string& username);
 
   // Called when user's GAIA password changed. |username| is used to get

components/password_manager/core/browser/hash_password_manager.cc

@@ -170,9 +170,18 @@ bool HashPasswordManager::SavePasswordHash(const std::string username,
       }
     }
   }
+  // A password hash does not exist when it is first sign-in.
+  bool is_first_sign_in = !HasPasswordHash(username, is_gaia_password);
   bool is_saved = SavePasswordHash(
       PasswordHashData(username, password, true, is_gaia_password));
-  state_callback_list_.Notify(username);
+  // Currently, the only callback in this list is
+  // CheckGaiaPasswordChangeForAllSignedInUsers which is in
+  // ChromePasswordProtectionService. We only want to notify ChromePPS only when
+  // a user has changed their password. This means that an existing password
+  // hash has to already exist in the password store and the SavePasswordHash
+  // has to succeed.
+  if (!is_first_sign_in && is_saved)
+    state_callback_list_.Notify(username);
   return is_saved;
 }