brl/gnome-shell
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
629b7394f7
gnome-shell/js/gdm/util.js

687 lines
23 KiB
JavaScript
Raw Normal View History

Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
cleanup: Mark globals used from other modules as exported eslint cannot figure out that those symbols are used from other modules via imports, so they trigger unused-variable errors. To fix, explicitly mark those symbols as exported. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/627
2019-01-31 14:07:06 +00:00
/* exported BANNER_MESSAGE_KEY, BANNER_MESSAGE_TEXT_KEY, LOGO_KEY,
DISABLE_USER_LIST_KEY, fadeInActor, fadeOutActor, cloneAndFadeOutActor */
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
const { Clutter, Gdm, Gio, GLib } = imports.gi;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
const Signals = imports.signals;
const Batch = imports.gdm.batch;
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
const OVirt = imports.gdm.oVirt;
gdm: Introduce vmware credential manager for pre-authenticated logins The previous commit implemented a new CredentialManager interface to facilitate adding additional providers for pre-authenticating the user at the login screen. This commit implements a new credential manager using that interface for vmware deployments. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-07-01 22:54:55 +00:00
const Vmware = imports.gdm.vmware;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
const Main = imports.ui.main;
fingerprint: Use makeProxyWrapper for fprintManager The reason this wasn't using the Gio.DBus.makeProxyWrapper() convenience API is that it passes custom flags to the proxy, and that wasn't supported by the wrapper at the time. As this is now possible, this commit migrates us to the new API. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:10:03 +00:00
const { loadInterfaceXML } = imports.misc.fileUtils;
GdmUtil: don't call GetUserVerifier from the user session GetUserVerifier can only be called from the greeter session, and fails with AccessDenied in all other cases. Also, calling it hides the real error from OpenReauthenticationChannel, which instead should be logged. https://bugzilla.gnome.org/show_bug.cgi?id=680750
2012-08-03 15:10:45 +00:00
const Params = imports.misc.params;
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
const SmartcardManager = imports.misc.smartcardManager;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
fingerprint: Use makeProxyWrapper for fprintManager The reason this wasn't using the Gio.DBus.makeProxyWrapper() convenience API is that it passes custom flags to the proxy, and that wasn't supported by the wrapper at the time. As this is now possible, this commit migrates us to the new API. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:10:03 +00:00
const FprintManagerIface = loadInterfaceXML('net.reactivated.Fprint.Manager');
const FprintManagerProxy = Gio.DBusProxy.makeProxyWrapper(FprintManagerIface);
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
const FprintDeviceIface = loadInterfaceXML('net.reactivated.Fprint.Device');
const FprintDeviceProxy = Gio.DBusProxy.makeProxyWrapper(FprintDeviceIface);
fingerprint: Use makeProxyWrapper for fprintManager The reason this wasn't using the Gio.DBus.makeProxyWrapper() convenience API is that it passes custom flags to the proxy, and that wasn't supported by the wrapper at the time. As this is now possible, this commit migrates us to the new API. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:10:03 +00:00
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
Gio._promisify(Gdm.Client.prototype,
'open_reauthentication_channel', 'open_reauthentication_channel_finish');
Gio._promisify(Gdm.Client.prototype,
'get_user_verifier', 'get_user_verifier_finish');
Gio._promisify(Gdm.UserVerifierProxy.prototype,
'call_begin_verification_for_user', 'call_begin_verification_for_user_finish');
Gio._promisify(Gdm.UserVerifierProxy.prototype,
'call_begin_verification', 'call_begin_verification_finish');
gdmUtils: Define constants with 'var' Most of those are accessed outside the module itself, but commit 033277b6 missed them ... https://bugzilla.gnome.org/show_bug.cgi?id=785556
2017-08-10 16:35:07 +00:00
var PASSWORD_SERVICE_NAME = 'gdm-password';
var FINGERPRINT_SERVICE_NAME = 'gdm-fingerprint';
var SMARTCARD_SERVICE_NAME = 'gdm-smartcard';
cleanup: Use milliseconds for animation times The different units - seconds for Tweener and milliseconds for timeouts - are not a big issue currently, as there is little overlap. However this will change when we start using Clutter's own animation framework (which uses milliseconds as well), in particular where constants are shared between modules. In order to prepare for the transition, define all animation times as milliseconds and adjust them when passing them to Tweener. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/663
2019-08-01 23:13:10 +00:00
var FADE_ANIMATION_TIME = 160;
var CLONE_FADE_ANIMATION_TIME = 250;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdmUtils: Define constants with 'var' Most of those are accessed outside the module itself, but commit 033277b6 missed them ... https://bugzilla.gnome.org/show_bug.cgi?id=785556
2017-08-10 16:35:07 +00:00
var LOGIN_SCREEN_SCHEMA = 'org.gnome.login-screen';
var PASSWORD_AUTHENTICATION_KEY = 'enable-password-authentication';
var FINGERPRINT_AUTHENTICATION_KEY = 'enable-fingerprint-authentication';
var SMARTCARD_AUTHENTICATION_KEY = 'enable-smartcard-authentication';
var BANNER_MESSAGE_KEY = 'banner-message-enable';
var BANNER_MESSAGE_TEXT_KEY = 'banner-message-text';
var ALLOWED_FAILURES_KEY = 'allowed-failures';
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdmUtils: Define constants with 'var' Most of those are accessed outside the module itself, but commit 033277b6 missed them ... https://bugzilla.gnome.org/show_bug.cgi?id=785556
2017-08-10 16:35:07 +00:00
var LOGO_KEY = 'logo';
var DISABLE_USER_LIST_KEY = 'disable-user-list';
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
Revert "Revert "Give user 48ms to read each character of a PAM message, earlier it was 16ms"" I mean't to attach that to the bug not revert it. This reverts commit 23a9fb0314428c9e805f3434437d3d3a59a06bbe.
2015-03-27 13:36:05 +00:00
// Give user 48ms to read each character of a PAM message
style: Fix stray/missing semi-colons Spotted by eslint. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/607
2019-01-29 01:18:52 +00:00
var USER_READ_TIME = 48;
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
Define externally accessible contants with 'var' instead of 'const' Just as we did with classes, define other constants that are (or may be) used from other modules with 'var' to cut down on warnings. https://bugzilla.gnome.org/show_bug.cgi?id=785084
2017-07-18 17:47:27 +00:00
var MessageType = {
loginDialog: consolidate message label and login hint label Right now the login hint is showing up just above the the cancel button, instead of just below the text entry field. The mockup here: https://raw.github.com/gnome-design-team/gnome-mockups/master/system-lock-login-boot/login-dissect.png Says it should share a label with the PAM info/error messages. This commit consolidates the two labels. https://bugzilla.gnome.org/show_bug.cgi?id=706324
2013-08-19 16:00:33 +00:00
NONE: 0,
ERROR: 1,
INFO: 2,
cleanup: Require "dangling" commas Since ES5, trailing commas in arrays and object literals are valid. We generally haven't used them so far, but they are actually a good idea, as they make additions and removals in diffs much cleaner. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/805
2019-08-20 21:43:54 +00:00
HINT: 3,
loginDialog: consolidate message label and login hint label Right now the login hint is showing up just above the the cancel button, instead of just below the text entry field. The mockup here: https://raw.github.com/gnome-design-team/gnome-mockups/master/system-lock-login-boot/login-dissect.png Says it should share a label with the PAM info/error messages. This commit consolidates the two labels. https://bugzilla.gnome.org/show_bug.cgi?id=706324
2013-08-19 16:00:33 +00:00
};
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
const FingerprintReaderType = {
NONE: 0,
PRESS: 1,
SWIPE: 2,
};
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
function fadeInActor(actor) {
if (actor.opacity == 255 && actor.visible)
return null;
let hold = new Batch.Hold();
actor.show();
cleanup: Remove some unhelpful unused variables in destructuring We aren't using them, and they don't add much in terms of clarity, so drop them to fix a couple of eslint errors. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/627
2019-02-01 13:41:55 +00:00
let [, naturalHeight] = actor.get_preferred_height(-1);
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
actor.opacity = 0;
actor.set_height(0);
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
actor.ease({
opacity: 255,
height: naturalHeight,
duration: FADE_ANIMATION_TIME,
mode: Clutter.AnimationMode.EASE_OUT_QUAD,
onComplete: () => {
this.set_height(-1);
hold.release();
cleanup: Require "dangling" commas Since ES5, trailing commas in arrays and object literals are valid. We generally haven't used them so far, but they are actually a good idea, as they make additions and removals in diffs much cleaner. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/805
2019-08-20 21:43:54 +00:00
},
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
});
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return hold;
}
function fadeOutActor(actor) {
if (!actor.visible || actor.opacity == 0) {
actor.opacity = 0;
actor.hide();
return null;
}
let hold = new Batch.Hold();
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
actor.ease({
opacity: 0,
height: 0,
duration: FADE_ANIMATION_TIME,
mode: Clutter.AnimationMode.EASE_OUT_QUAD,
onComplete: () => {
this.hide();
this.set_height(-1);
hold.release();
cleanup: Require "dangling" commas Since ES5, trailing commas in arrays and object literals are valid. We generally haven't used them so far, but they are actually a good idea, as they make additions and removals in diffs much cleaner. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/805
2019-08-20 21:43:54 +00:00
},
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
});
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return hold;
}
loginDialog: add cross fade animation between states This commit adds a crossfade between the user selection state and the user verification state. https://bugzilla.gnome.org/show_bug.cgi?id=694062
2013-02-06 19:18:26 +00:00
function cloneAndFadeOutActor(actor) {
// Immediately hide actor so its sibling can have its space
// and position, but leave a non-reactive clone on-screen,
// so from the user's point of view it smoothly fades away
// and reveals its sibling.
actor.hide();
let clone = new Clutter.Clone({ source: actor,
reactive: false });
Main.uiGroup.add_child(clone);
let [x, y] = actor.get_transformed_position();
clone.set_position(x, y);
let hold = new Batch.Hold();
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
clone.ease({
opacity: 0,
duration: CLONE_FADE_ANIMATION_TIME,
mode: Clutter.AnimationMode.EASE_OUT_QUAD,
onComplete: () => {
clone.destroy();
hold.release();
cleanup: Require "dangling" commas Since ES5, trailing commas in arrays and object literals are valid. We generally haven't used them so far, but they are actually a good idea, as they make additions and removals in diffs much cleaner. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/805
2019-08-20 21:43:54 +00:00
},
js: Use implicit animations for animatable properties We now have everything in place to replace Tweener for all animatable properties with implicit animations, which has the following benefits: - they run entirely in C, while Tweener requires context switches to JS each frame - they are more reliable, as Tweener only detects when an animation is overwritten with another Tween, while Clutter considers any property change https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/22
2018-07-20 19:46:19 +00:00
});
loginDialog: add cross fade animation between states This commit adds a crossfade between the user selection state and the user verification state. https://bugzilla.gnome.org/show_bug.cgi?id=694062
2013-02-06 19:18:26 +00:00
return hold;
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
var ShellUserVerifier = class {
constructor(client, params) {
GdmUtil: don't call GetUserVerifier from the user session GetUserVerifier can only be called from the greeter session, and fails with AccessDenied in all other cases. Also, calling it hides the real error from OpenReauthenticationChannel, which instead should be logged. https://bugzilla.gnome.org/show_bug.cgi?id=680750
2012-08-03 15:10:45 +00:00
params = Params.parse(params, { reauthenticationOnly: false });
this._reauthOnly = params.reauthenticationOnly;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this._client = client;
Initialize properties in _init() While we've always considered it good style to initialize JS properties, some code that relies on uninitialized properties having an implicit value of 'undefined' has slipped in over time. The updated SpiderMonkey version used by gjs now warns when accessing those properties, so we should make sure that they are properly initialized to avoid log spam, even though all warnings addressed here occur in conditionals that produce the correct result with 'undefined'. https://bugzilla.gnome.org/show_bug.cgi?id=781471
2017-06-13 02:24:12 +00:00
this._defaultService = null;
this._preemptingService = null;
js: Adapt to GSettings API change The 'schema' property has been deprecated for a long time. Even though this will likely be reverted in glib, let's stop using it.
2014-06-24 19:17:09 +00:00
this._settings = new Gio.Settings({ schema_id: LOGIN_SCREEN_SCHEMA });
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
this._settings.connect('changed',
cleanup: Use Function.prototype.bind() When not using arrow notation with anonymous functions, we use Lang.bind() to bind `this` to named callbacks. However since ES5, this functionality is already provided by Function.prototype.bind() - in fact, Lang.bind() itself uses it when no extra arguments are specified. Just use the built-in function directly where possible, and use arrow notation in the few places where we pass additional arguments. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-12-02 00:27:35 +00:00
this._updateDefaultService.bind(this));
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
this._updateDefaultService();
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
fingerprint: Use makeProxyWrapper for fprintManager The reason this wasn't using the Gio.DBus.makeProxyWrapper() convenience API is that it passes custom flags to the proxy, and that wasn't supported by the wrapper at the time. As this is now possible, this commit migrates us to the new API. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:10:03 +00:00
this._fprintManager = new FprintManagerProxy(Gio.DBus.system,
'net.reactivated.Fprint',
'/net/reactivated/Fprint/Manager',
null,
null,
Gio.DBusProxyFlags.DO_NOT_LOAD_PROPERTIES);
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
this._smartcardManager = SmartcardManager.getSmartcardManager();
// We check for smartcards right away, since an inserted smartcard
// at startup should result in immediately initiating authentication.
Fix a typo
2017-06-26 18:47:19 +00:00
// This is different than fingerprint readers, where we only check them
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
// after a user has been picked.
Initialize properties in _init() While we've always considered it good style to initialize JS properties, some code that relies on uninitialized properties having an implicit value of 'undefined' has slipped in over time. The updated SpiderMonkey version used by gjs now warns when accessing those properties, so we should make sure that they are properly initialized to avoid log spam, even though all warnings addressed here occur in conditionals that produce the correct result with 'undefined'. https://bugzilla.gnome.org/show_bug.cgi?id=781471
2017-06-13 02:24:12 +00:00
this.smartcardDetected = false;
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
this._checkForSmartcard();
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._smartcardInsertedId = this._smartcardManager.connect('smartcard-inserted',
cleanup: Use Function.prototype.bind() When not using arrow notation with anonymous functions, we use Lang.bind() to bind `this` to named callbacks. However since ES5, this functionality is already provided by Function.prototype.bind() - in fact, Lang.bind() itself uses it when no extra arguments are specified. Just use the built-in function directly where possible, and use arrow notation in the few places where we pass additional arguments. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-12-02 00:27:35 +00:00
this._checkForSmartcard.bind(this));
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._smartcardRemovedId = this._smartcardManager.connect('smartcard-removed',
cleanup: Use Function.prototype.bind() When not using arrow notation with anonymous functions, we use Lang.bind() to bind `this` to named callbacks. However since ES5, this functionality is already provided by Function.prototype.bind() - in fact, Lang.bind() itself uses it when no extra arguments are specified. Just use the built-in function directly where possible, and use arrow notation in the few places where we pass additional arguments. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-12-02 00:27:35 +00:00
this._checkForSmartcard.bind(this));
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._messageQueue = [];
this._messageQueueTimeoutId = 0;
this.hasPendingMessages = false;
authPrompt: Call next button "Unlock" when user switching When a ShellUserVerifier is asked to verify a user at the login screen it will transparently first try to reauthenticate the user against an existing session and then fall back to logging a user into a new session. The former is used for user switching. It's useful to know which type of verification is happening, so the next button can be made to say "Unlock" instead of "Sign In" when a user is already signed in. This commit exports a new "reauthenticating" property on the ShellUserVerifier that the auth prompt checks when deciding which label to use for its next button. https://bugzilla.gnome.org/show_bug.cgi?id=704795
2013-07-22 14:59:57 +00:00
this.reauthenticating = false;
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
this._failCounter = 0;
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
this._credentialManagers = {};
this._credentialManagers[OVirt.SERVICE_NAME] = OVirt.getOVirtCredentialsManager();
gdm: Introduce vmware credential manager for pre-authenticated logins The previous commit implemented a new CredentialManager interface to facilitate adding additional providers for pre-authenticating the user at the login screen. This commit implements a new credential manager using that interface for vmware deployments. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-07-01 22:54:55 +00:00
this._credentialManagers[Vmware.SERVICE_NAME] = Vmware.getVmwareCredentialsManager();
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
for (let service in this._credentialManagers) {
if (this._credentialManagers[service].token) {
this._onCredentialManagerAuthenticated(this._credentialManagers[service],
this._credentialManagers[service].token);
}
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
this._credentialManagers[service]._authenticatedSignalId =
this._credentialManagers[service].connect('user-authenticated',
this._onCredentialManagerAuthenticated.bind(this));
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdm: Limit verification cancellations to be conform to allowed-failures As per previous commit the user can cancel an ongoing authentication via Escape key and that will always send the user back to the clock view in lockscreen or user-selection view in login prompt. However, we can be a little more permissive and don't switch view to be able to restart the authentication without further action. To avoid this to be abused though, we consider the user verification cancellation via escape key to be a "soft-failure", so once the configured "allowed-failures" gsettings value has been reached, we'd just act as before, ignoring any further request (until we don't get back to the user auth view). In this way we still make brute-force attacks harder to do, while still giving the well-behaving user some ability to fix mistakes. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 12:10:45 +00:00
get allowedFailures() {
return this._settings.get_int(ALLOWED_FAILURES_KEY);
}
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
begin(userName, hold) {
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
this._cancellable = new Gio.Cancellable();
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this._hold = hold;
this._userName = userName;
authPrompt: Call next button "Unlock" when user switching When a ShellUserVerifier is asked to verify a user at the login screen it will transparently first try to reauthenticate the user against an existing session and then fall back to logging a user into a new session. The former is used for user switching. It's useful to know which type of verification is happening, so the next button can be made to say "Unlock" instead of "Sign In" when a user is already signed in. This commit exports a new "reauthenticating" property on the ShellUserVerifier that the auth prompt checks when deciding which label to use for its next button. https://bugzilla.gnome.org/show_bug.cgi?id=704795
2013-07-22 14:59:57 +00:00
this.reauthenticating = false;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
this._checkForFingerprintReader();
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
// If possible, reauthenticate an already running session,
// so any session specific credentials get updated appropriately
if (userName)
this._openReauthenticationChannel(userName);
else
this._getUserVerifier();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
cancel() {
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
if (this._cancellable)
this._cancellable.cancel();
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
util: clear user verifier after cancelling it If we don't clear it, then the connection to gdm will remain open. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 14:52:02 +00:00
if (this._userVerifier) {
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this._userVerifier.call_cancel_sync(null);
util: clear user verifier after cancelling it If we don't clear it, then the connection to gdm will remain open. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 14:52:02 +00:00
this.clear();
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_clearUserVerifier() {
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
if (this._userVerifier) {
gdm: Disconnect user verifier signals on destruction and verification failed When a verification session has failed we may want to wait for the user to have completed all the waiting queries and to have read all the incoming messages, however during such time an user verifier should not be allowed to queue further messages to the UI, as we're about to completely stop the identification or start a new one. Unfortunately this is not true because we're still connected to the identifier signals, and so we may still show messages. This is particularly true when using the fingerprint PAM module as it may restart the authentication while we're in the process of stopping it. So, keep track of all the signals we've connected to, and disconnect on verification failed and during cancel/clear operations. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 14:08:10 +00:00
this._disconnectSignals();
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._userVerifier.run_dispose();
this._userVerifier = null;
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
clear() {
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
if (this._cancellable) {
this._cancellable.cancel();
this._cancellable = null;
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._clearUserVerifier();
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._clearMessageQueue();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
destroy() {
gdm: Cancel user verification on UserVerifier destruction When we cancel an user authentication via Escape key or cancel button on AuthPrompt we reset the view and we emit a 'cancelled' signal that leads to destroying the auth prompt and the user verifier. However, the verifier may still have an operation in progress and its completion may take some time (as in the case of gdm-fingerprint), but we just leave the gdm worker running until its pam module completes (potentially never) clearing and disposing its handle. So, instead of just clearing the verify, actually cancel and clear it. In case the user verifier is set, clearing the relevant data will happen anyway as part of the cancel() call. Ideally this would have been handled by gdm itself, but unfortunately we can't fix it there because the verifier itself is a class generated by gdbus-codegen, so we can't handle this automatically on disposal nor we can automatically monitor when the caller proxy is stopped on our side. Fixes: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3654 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-01-30 00:53:59 +00:00
this.cancel();
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._settings.run_dispose();
this._settings = null;
this._smartcardManager.disconnect(this._smartcardInsertedId);
this._smartcardManager.disconnect(this._smartcardRemovedId);
this._smartcardManager = null;
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
for (let service in this._credentialManagers) {
let credentialManager = this._credentialManagers[service];
credentialManager.disconnect(credentialManager._authenticatedSignalId);
credentialManager = null;
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
answerQuery(serviceName, answer) {
util: Fix hasPendingMessages While the UserVerifier does indeed have a _userVerifier inside it, the hasPendingMessages property is on ourselves, not _userVerifier. https://bugzilla.gnome.org/show_bug.cgi?id=704347
2013-07-16 19:48:27 +00:00
if (!this.hasPendingMessages) {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._userVerifier.call_answer_query(serviceName, answer, this._cancellable, null);
} else {
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
const cancellable = this._cancellable;
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
let signalId = this.connect('no-more-messages', () => {
this.disconnect(signalId);
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
if (!cancellable.is_cancelled())
this._userVerifier.call_answer_query(serviceName, answer, cancellable, null);
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
});
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_getIntervalForMessage(message) {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
// We probably could be smarter here
return message.length * USER_READ_TIME;
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
finishMessageQueue() {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
if (!this.hasPendingMessages)
return;
this._messageQueue = [];
LoginDialog: clear previous auth failed messages when trying again When the user has the entered the password for the second time and clicked OK, clear messages from the previous attempt, so any new failure is shown clearly. https://bugzilla.gnome.org/show_bug.cgi?id=687132
2012-10-29 16:39:00 +00:00
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this.hasPendingMessages = false;
this.emit('no-more-messages');
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
authPrompt: Bump the user verifier timeout when wiggling the message Wiggle may make the error message to be visible for less time so provide the auth prompt an API to increase the timeout to be used for showing a message in some cases. This could be reworked when we'll have a proper asyn wiggle function so that we could just make the user verifier to "freeze", then await for the wiggle transition to complete and eventually release the verifier. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 18:34:09 +00:00
increaseCurrentMessageTimeout(interval) {
if (!this._messageQueueTimeoutId && interval > 0)
this._currentMessageExtraInterval = interval;
}
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_queueMessageTimeout() {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
if (this._messageQueue.length == 0) {
this.finishMessageQueue();
return;
}
if (this._messageQueueTimeoutId != 0)
return;
let message = this._messageQueue.shift();
loginDialog: consolidate message label and login hint label Right now the login hint is showing up just above the the cancel button, instead of just below the text entry field. The mockup here: https://raw.github.com/gnome-design-team/gnome-mockups/master/system-lock-login-boot/login-dissect.png Says it should share a label with the PAM info/error messages. This commit consolidates the two labels. https://bugzilla.gnome.org/show_bug.cgi?id=706324
2013-08-19 16:00:33 +00:00
authPrompt: Bump the user verifier timeout when wiggling the message Wiggle may make the error message to be visible for less time so provide the auth prompt an API to increase the timeout to be used for showing a message in some cases. This could be reworked when we'll have a proper asyn wiggle function so that we could just make the user verifier to "freeze", then await for the wiggle transition to complete and eventually release the verifier. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 18:34:09 +00:00
delete this._currentMessageExtraInterval;
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this.emit('show-message', message.serviceName, message.text, message.type);
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._messageQueueTimeoutId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,
authPrompt: Bump the user verifier timeout when wiggling the message Wiggle may make the error message to be visible for less time so provide the auth prompt an API to increase the timeout to be used for showing a message in some cases. This could be reworked when we'll have a proper asyn wiggle function so that we could just make the user verifier to "freeze", then await for the wiggle transition to complete and eventually release the verifier. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 18:34:09 +00:00
message.interval + (this._currentMessageExtraInterval | 0),
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
() => {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._messageQueueTimeoutId = 0;
this._queueMessageTimeout();
js: Use SOURCE_CONTINUE/SOURCE_REMOVE constants in source functions With support for boolean constants in g-i, we can finally use the more readable constants instead of true/false. https://bugzilla.gnome.org/show_bug.cgi?id=719567
2013-11-29 00:45:39 +00:00
return GLib.SOURCE_REMOVE;
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
});
js: Name all the timeouts and idles With very uninventive names. Names now, good names later. https://bugzilla.gnome.org/show_bug.cgi?id=727983
2014-04-10 17:26:52 +00:00
GLib.Source.set_name_by_id(this._messageQueueTimeoutId, '[gnome-shell] this._queueMessageTimeout');
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
_queueMessage(serviceName, message, messageType) {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
let interval = this._getIntervalForMessage(message);
this.hasPendingMessages = true;
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._messageQueue.push({ serviceName, text: message, type: messageType, interval });
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._queueMessageTimeout();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_clearMessageQueue() {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this.finishMessageQueue();
if (this._messageQueueTimeoutId != 0) {
GLib.source_remove(this._messageQueueTimeoutId);
this._messageQueueTimeoutId = 0;
}
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this.emit('show-message', null, null, MessageType.NONE);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_checkForFingerprintReader() {
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
this._fingerprintReaderType = FingerprintReaderType.NONE;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdm: Handle absence of Fprint.Manager service We rely on the service to detect whether a fingerprint reader is present. It is fine to not support fingerprint authentication when the service is missing, but currently we don't handle this case at all and end up with a non-functional login screen. https://bugzilla.gnome.org/show_bug.cgi?id=780063
2017-03-14 20:02:51 +00:00
if (!this._settings.get_boolean(FINGERPRINT_AUTHENTICATION_KEY) ||
this._fprintManager == null) {
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
this._updateDefaultService();
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return;
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
this._fprintManager.GetDefaultDeviceRemote(Gio.DBusCallFlags.NONE, this._cancellable,
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
(params, error) => {
if (!error && params) {
const [device] = params;
const fprintDeviceProxy = new FprintDeviceProxy(Gio.DBus.system,
'net.reactivated.Fprint',
device);
const fprintDeviceType = fprintDeviceProxy['scan-type'];
this._fingerprintReaderType = fprintDeviceType === 'swipe'
? FingerprintReaderType.SWIPE
: FingerprintReaderType.PRESS;
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
this._updateDefaultService();
gdm: fix missing braces Incorrect braces meant that if the ShellUserVerifier was destroyed before the call to fprintManager.GetDefaultDeviceRemote(), the reply would result in an error. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:25:48 +00:00
}
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
});
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
_onCredentialManagerAuthenticated(credentialManager, _token) {
this._preemptingService = credentialManager.service;
this.emit('credential-manager-authenticated');
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_checkForSmartcard() {
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
let smartcardDetected;
if (!this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY))
smartcardDetected = false;
util: fix "login card" smartcard detection on unlock screen We only want to react to the card the user logged in with, at the unlock screen. We check "at the unlock screen" by checking the "reauthenticating" state variable. That variable is the wrong one, though. It gets set too late, and in some cases, gets set at the login screen, too. We should be checking this._reauthOnly instead. This commit fixes that. https://bugzilla.gnome.org/show_bug.cgi?id=726262
2014-03-13 17:47:50 +00:00
else if (this._reauthOnly)
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
smartcardDetected = this._smartcardManager.hasInsertedLoginToken();
else
smartcardDetected = this._smartcardManager.hasInsertedTokens();
if (smartcardDetected != this.smartcardDetected) {
this.smartcardDetected = smartcardDetected;
if (this.smartcardDetected)
this._preemptingService = SMARTCARD_SERVICE_NAME;
else if (this._preemptingService == SMARTCARD_SERVICE_NAME)
this._preemptingService = null;
this.emit('smartcard-status-changed');
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
gdm: Pass source serviceName to verification failures Depending on the service name we got the failure from we could react differently, so let's pass the value to the verification failure handler. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 18:36:49 +00:00
_reportInitError(where, error, serviceName) {
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
logError(error, where);
ShellUserVerifier: fix typo in function name, caught on auth error https://bugzilla.gnome.org/show_bug.cgi?id=685434
2012-10-03 19:25:49 +00:00
this._hold.release();
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._queueMessage(serviceName, _('Authentication error'), MessageType.ERROR);
gdm: Increase the verification failed counter once we've a failure Decouple the verification failure count increase from _verificationFailed as there are some cases in which we may want to increase it without emitting a verification-failed signal. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 17:43:16 +00:00
this._failCounter++;
gdm: Pass source serviceName to verification failures Depending on the service name we got the failure from we could react differently, so let's pass the value to the verification failure handler. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 18:36:49 +00:00
this._verificationFailed(serviceName, false);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
async _openReauthenticationChannel(userName) {
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
try {
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._clearUserVerifier();
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
this._userVerifier = await this._client.open_reauthentication_channel(
userName, this._cancellable);
style: Use space after catch We are currently inconsistent with whether or not to put a space after catch clauses. While the predominant style is to omit it, that's inconsistent with the style we use for any other statement. There's not really a good reason to stick with it, so switch to the style gjs/eslint default to. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/607
2019-01-29 01:26:39 +00:00
} catch (e) {
Stop using conditional catch statements It is a mozilla extension that is going away in SpiderMonkey 60. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/151
2018-07-15 01:17:42 +00:00
if (e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED))
return;
if (e.matches(Gio.DBusError, Gio.DBusError.ACCESS_DENIED) &&
!this._reauthOnly) {
// Gdm emits org.freedesktop.DBus.Error.AccessDenied when there
// is no session to reauthenticate. Fall back to performing
// verification from this login session
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
this._getUserVerifier();
Stop using conditional catch statements It is a mozilla extension that is going away in SpiderMonkey 60. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/151
2018-07-15 01:17:42 +00:00
return;
}
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
this._reportInitError('Failed to open reauthentication channel', e);
return;
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
}
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
authPrompt: Call next button "Unlock" when user switching When a ShellUserVerifier is asked to verify a user at the login screen it will transparently first try to reauthenticate the user against an existing session and then fall back to logging a user into a new session. The former is used for user switching. It's useful to know which type of verification is happening, so the next button can be made to say "Unlock" instead of "Sign In" when a user is already signed in. This commit exports a new "reauthenticating" property on the ShellUserVerifier that the auth prompt checks when deciding which label to use for its next button. https://bugzilla.gnome.org/show_bug.cgi?id=704795
2013-07-22 14:59:57 +00:00
this.reauthenticating = true;
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
this._connectSignals();
this._beginVerification();
this._hold.release();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
async _getUserVerifier() {
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
try {
gdm: disconnect signals Many signal connections on global objects and on non-widgets were not disconnected when the unlock screen was destroyed, causing leaks. https://bugzilla.gnome.org/show_bug.cgi?id=738256
2014-10-09 18:10:12 +00:00
this._clearUserVerifier();
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
this._userVerifier =
await this._client.get_user_verifier(this._cancellable);
style: Use space after catch We are currently inconsistent with whether or not to put a space after catch clauses. While the predominant style is to omit it, that's inconsistent with the style we use for any other statement. There's not really a good reason to stick with it, so switch to the style gjs/eslint default to. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/607
2019-01-29 01:26:39 +00:00
} catch (e) {
Stop using conditional catch statements It is a mozilla extension that is going away in SpiderMonkey 60. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/151
2018-07-15 01:17:42 +00:00
if (e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED))
return;
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
this._reportInitError('Failed to obtain user verifier', e);
ShellUserVerifier: fix cancellation Ensure that all async callbacks check and ignore G_IO_ERROR_CANCELLED. Ensure that all runs of authentication have their own GCancellable, so that .begin() can be called multiple times on the same user verifier. Check for fingerprint reader when beginning authentication, and not when reset by GDM. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-26 12:54:02 +00:00
return;
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this._connectSignals();
this._beginVerification();
this._hold.release();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_connectSignals() {
gdm: Disconnect user verifier signals on destruction and verification failed When a verification session has failed we may want to wait for the user to have completed all the waiting queries and to have read all the incoming messages, however during such time an user verifier should not be allowed to queue further messages to the UI, as we're about to completely stop the identification or start a new one. Unfortunately this is not true because we're still connected to the identifier signals, and so we may still show messages. This is particularly true when using the fingerprint PAM module as it may restart the authentication while we're in the process of stopping it. So, keep track of all the signals we've connected to, and disconnect on verification failed and during cancel/clear operations. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 14:08:10 +00:00
this._disconnectSignals();
this._signalIds = [];
let id = this._userVerifier.connect('info', this._onInfo.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('problem', this._onProblem.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('info-query', this._onInfoQuery.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('secret-info-query', this._onSecretInfoQuery.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('conversation-stopped', this._onConversationStopped.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('reset', this._onReset.bind(this));
this._signalIds.push(id);
id = this._userVerifier.connect('verification-complete', this._onVerificationComplete.bind(this));
this._signalIds.push(id);
}
_disconnectSignals() {
if (!this._signalIds || !this._userVerifier)
return;
this._signalIds.forEach(s => this._userVerifier.disconnect(s));
this._signalIds = [];
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_getForegroundService() {
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
if (this._preemptingService)
return this._preemptingService;
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
return this._defaultService;
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
serviceIsForeground(serviceName) {
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
return serviceName == this._getForegroundService();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
serviceIsDefault(serviceName) {
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
return serviceName == this._defaultService;
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
ShellUserVerifier: Add method to check if the service name is fingerprint We have multiple places where we check if we're handling a fingerprint event, so let's add a common public function so that it can be used also by the authPrompt. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 16:07:45 +00:00
serviceIsFingerprint(serviceName) {
return this._fingerprintReaderType !== FingerprintReaderType.NONE &&
serviceName === FINGERPRINT_SERVICE_NAME;
}
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_updateDefaultService() {
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
this._defaultService = PASSWORD_SERVICE_NAME;
gdm: fix handling of removed smartcard at startup If a smartcard is missing from the reader when we start up, and the system is configured to disable password authentication, then we need to ask the user to insert their smartcard. This commit fixes that. https://bugzilla.gnome.org/show_bug.cgi?id=740143
2014-11-14 20:57:16 +00:00
else if (this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY))
authPrompt: support smartcard authentication This commit detects when a user inserts a smartcard, and then initiates user verification using the gdm-smartcard PAM service. Likewise, if a user removes their smartcard, password verification (or the user list depending on auth mode and configuration) are initiated https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-06-27 12:54:19 +00:00
this._defaultService = SMARTCARD_SERVICE_NAME;
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
else if (this._fingerprintReaderType !== FingerprintReaderType.NONE)
gdmUtil: support disabling password authentication This commit skips trying password authentication if it's disallowed, favoring fingerprint login instead. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:18:30 +00:00
this._defaultService = FINGERPRINT_SERVICE_NAME;
gdm: use password authentication if all schemes are disabled This prevents a traceback, at least.
2015-07-01 15:18:44 +00:00
if (!this._defaultService) {
log("no authentication service is enabled, using password authentication");
this._defaultService = PASSWORD_SERVICE_NAME;
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
async _startService(serviceName) {
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this._hold.acquire();
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
try {
if (this._userName) {
await this._userVerifier.call_begin_verification_for_user(
serviceName, this._userName, this._cancellable);
} else {
await this._userVerifier.call_begin_verification(
serviceName, this._cancellable);
}
} catch (e) {
if (e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED))
return;
gdm: Do not fail the whole authentication if a background service failed In case a background service such as the fingerprint authentication fails to start we'd just mark the whole authentication process as failed. Currently this may happen by just putting a wrong password when an user has some fingerprints enrolled, the fingerprint gdm authentication worker may take some time to restart leading to a failure and this is currently also making the password authentication to fail: JS ERROR: Failed to start gdm-fingerprint for u: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.Spawn.Failed: Could not create authentication helper process _promisify/proto[asyncFunc]/</<@resource:///org/gnome/gjs/modules/core/overrides/Gio.js:435:45 ### Promise created here: ### _startService@resource:///org/gnome/shell/gdm/util.js:470:42 _beginVerification@resource:///org/gnome/shell/gdm/util.js:495:18 _getUserVerifier@resource:///org/gnome/shell/gdm/util.js:405:14 async*_openReauthenticationChannel@resource:///org/gnome/shell/gdm/util.js:378:22 async*begin@resource:///org/gnome/shell/gdm/util.js:194:18 _retry@resource:///org/gnome/shell/gdm/util.js:561:14 _verificationFailed/signalId<@resource:///org/gnome/shell/gdm/util.js:584:30 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:268:14 _queueMessageTimeout@resource:///org/gnome/shell/gdm/util.js:273:18 _queueMessageTimeout/this._messageQueueTimeoutId<@resource:///org/gnome/shell/gdm/util.js:288:65 Given that background services are ignored even for queries or any kind of message, we should not fail the authentication request unless the default service fails. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 15:30:11 +00:00
if (!this.serviceIsForeground(serviceName)) {
logError(e, 'Failed to start %s for %s'.format(serviceName, this._userName));
this._hold.release();
return;
}
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
this._reportInitError(this._userName
gdm: Include the failed service name when in reporting errors Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 15:40:24 +00:00
? 'Failed to start %s verification for user'.format(serviceName)
gdm: Pass source serviceName to verification failures Depending on the service name we got the failure from we could react differently, so let's pass the value to the verification failure handler. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 18:36:49 +00:00
: 'Failed to start %s verification'.format(serviceName), e,
serviceName);
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
return;
gdmUtil: make _startService support no username commit fd11ad95f61b904d6f7014f8d56c1c27d88af65c factored out duplicated code, but unintentionally dropped support for beginning verification without a username. This commit brings it back. https://bugzilla.gnome.org/show_bug.cgi?id=706542
2013-08-21 22:05:55 +00:00
}
js: Promisify async operations Promises make asynchronous operations easier to manage, in particular when used through the async/await syntax that allows for asynchronous code to closely resemble synchronous one. gjs has included a Gio._promisify() helper for a while now, which monkey-patches methods that follow GIO's async pattern to return a Promise when called without a callback argument. Use that to get rid of all those GAsyncReadyCallbacks! https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1126
2019-12-19 19:50:37 +00:00
this._hold.release();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_beginVerification() {
gdmUtil: factor out some duplicated code in beginVerification The duplication makes the function look a lot more complicated than it actually is. This commit moves the common code to a new _startService function. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-08-16 14:29:26 +00:00
this._startService(this._getForegroundService());
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
if (this._userName &&
this._fingerprintReaderType !== FingerprintReaderType.NONE &&
!this.serviceIsForeground(FINGERPRINT_SERVICE_NAME))
gdmUtil: factor out some duplicated code in beginVerification The duplication makes the function look a lot more complicated than it actually is. This commit moves the common code to a new _startService function. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-08-16 14:29:26 +00:00
this._startService(FINGERPRINT_SERVICE_NAME);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onInfo(client, serviceName, info) {
gdmUtil: pave way for fingeprint to optionally be default auth service Currently, fingerprint authentication is always a secondary thing. If a user wants to swipe their finger when the computer is asking for a password, so be it. This commit paves the way for making fingerprint auth optionally be the main way to authenticate. Currently there's no way to enable this, but in a future commit will honor enable-password-authentication=false in gsettings. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:23:45 +00:00
if (this.serviceIsForeground(serviceName)) {
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._queueMessage(serviceName, info, MessageType.INFO);
ShellUserVerifier: Add method to check if the service name is fingerprint We have multiple places where we check if we're handling a fingerprint event, so let's add a common public function so that it can be used also by the authPrompt. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 16:07:45 +00:00
} else if (this.serviceIsFingerprint(serviceName)) {
gdmUtil: pave way for fingeprint to optionally be default auth service Currently, fingerprint authentication is always a secondary thing. If a user wants to swipe their finger when the computer is asking for a password, so be it. This commit paves the way for making fingerprint auth optionally be the main way to authenticate. Currently there's no way to enable this, but in a future commit will honor enable-password-authentication=false in gsettings. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-29 18:23:45 +00:00
// We don't show fingerprint messages directly since it's
// not the main auth service. Instead we use the messages
// as a cue to display our own message.
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
if (this._fingerprintReaderType === FingerprintReaderType.SWIPE) {
// Translators: this message is shown below the password entry field
// to indicate the user can swipe their finger on the fingerprint reader
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._queueMessage(serviceName, _('(or swipe finger across reader)'),
MessageType.HINT);
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
} else {
// Translators: this message is shown below the password entry field
// to indicate the user can place their finger on the fingerprint reader instead
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._queueMessage(serviceName, _('(or place finger on reader)'),
MessageType.HINT);
fingerprint: Show different strings depending on type Fprintd knows if the fingerprint reader is of the swipe or press type. We now show different labels depending on that. Closes https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2011 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1572>
2021-01-30 19:14:04 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onProblem(client, serviceName, problem) {
gdm: Always show fingerprint error messages When the login/lock screen is shown the error messages for background services are always ignored. However, in case the service is the fingerprint authentication method we still want to be able to show error messages to inform the user about what failed, and eventually that the max retries (that may be different from the login screen configuration) has been reached. This handles partially the design issue [1] related to the login/lock screen fingerprint authentication. Eventually we want to use pam extensions to use clearer and parse-able messages, however in the case of the fingerprint service we can be sure that the fprint PAM module will only send errors on auth failures. [1] https://gitlab.gnome.org/Teams/Design/os-mockups/-/issues/56 Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2020-11-24 18:19:22 +00:00
const isFingerprint = this.serviceIsFingerprint(serviceName);
if (!this.serviceIsForeground(serviceName) && !isFingerprint)
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return;
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this._queueMessage(serviceName, problem, MessageType.ERROR);
gdm: Count fingerprint authentication failures in fail counter Fingerprint PAM module can have multiple failures during a runtime and we rely on the pam module configuration for the maximum allowed retries. However, while that setting should be always followed, we should never ignore the login-screen's allowed-failures setting that can provide a lower value. So, once we have a fingerprint failure let's count it to increase our internal fail counter, and when we've reached the limit we can emit a verification-failed signal to our clients. As per this we need also to ignore any further 'info' messages that we could receive from the fingerprint service, as it may be configured to handle more retries than us and they might arrive before we have cancelled the verification session. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 17:40:03 +00:00
if (isFingerprint) {
this._failCounter++;
if (!this._canRetry())
this._verificationFailed(serviceName, false);
}
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onInfoQuery(client, serviceName, question) {
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
if (!this.serviceIsForeground(serviceName))
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return;
js: Use StPasswordEntry for password entry fields Use the new StPasswordEntry for password entry fields and remove all direct handling of clutter text of the entry via clutter_text_set_password_char to show/hide the password text. StPasswordEntry will provides a peek-password-icon which will allow to show/hide the password present in the field to the user in subsequent commits. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/619
2019-12-12 09:32:53 +00:00
this.emit('ask-question', serviceName, question, false);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onSecretInfoQuery(client, serviceName, secretQuestion) {
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
if (!this.serviceIsForeground(serviceName))
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
return;
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
let token = null;
if (this._credentialManagers[serviceName])
token = this._credentialManagers[serviceName].token;
if (token) {
this.answerQuery(serviceName, token);
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
return;
}
js: Use StPasswordEntry for password entry fields Use the new StPasswordEntry for password entry fields and remove all direct handling of clutter text of the entry via clutter_text_set_password_char to show/hide the password text. StPasswordEntry will provides a peek-password-icon which will allow to show/hide the password present in the field to the user in subsequent commits. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/619
2019-12-12 09:32:53 +00:00
this.emit('ask-question', serviceName, secretQuestion, true);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onReset() {
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
// Clear previous attempts to authenticate
this._failCounter = 0;
util: abstract out default auth service in code Right now, the primary way a user logs in is with a password. They can also swipe their finger, if their fingerprint is enrolled, but it's expected the fingerprint auth service won't ask questions the user has to respond to by typing. As such, we ignore questions that comes from anything but the main auth service: gdm-password. In the future, if a user inserts a smartcard, we'll want to treat the gdm-smartcard service as the main auth service, and let any questions from it get to the user. This commit tries to prepare for that eventuality by storing the name of the default auth service away in a _defaultService variable before verification has begun, and then later checking incoming queries against that service instead of checking against string 'gdm-password' directly. Of course, right now, _defaultService is always gdm-password. https://bugzilla.gnome.org/show_bug.cgi?id=683437
2013-07-28 23:42:26 +00:00
this._updateDefaultService();
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this.emit('reset');
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onVerificationComplete() {
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
this.emit('verification-complete');
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_cancelAndReset() {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this.cancel();
this._onReset();
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
gdm: Restart only the service that failed at verification-failure When verification failed using a specific authentication service we're currently restarting the whole user authentication system, which leads to lots of unneeded operations (reinitializing a new user verifier proxy, restarting all the gdm workers with the relative PAM modules and so on). And this makes also debugging of login problems more complicated, given we're cluttering the journal with repeated data. However, at reauthentication failure GDM has already set up for us an user verifier that we can use reuse to start only the service that had a failure. So when possible, just start a new service instead of rebooting the whole authorization process. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 16:57:45 +00:00
_retry(serviceName) {
this._hold = new Batch.Hold();
this._connectSignals();
this._startService(serviceName);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
gdm: Count fingerprint authentication failures in fail counter Fingerprint PAM module can have multiple failures during a runtime and we rely on the pam module configuration for the maximum allowed retries. However, while that setting should be always followed, we should never ignore the login-screen's allowed-failures setting that can provide a lower value. So, once we have a fingerprint failure let's count it to increase our internal fail counter, and when we've reached the limit we can emit a verification-failed signal to our clients. As per this we need also to ignore any further 'info' messages that we could receive from the fingerprint service, as it may be configured to handle more retries than us and they might arrive before we have cancelled the verification session. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 17:40:03 +00:00
_canRetry() {
return this._userName &&
(this._reauthOnly || this._failCounter < this.allowedFailures);
}
gdm: Pass source serviceName to verification failures Depending on the service name we got the failure from we could react differently, so let's pass the value to the verification failure handler. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 18:36:49 +00:00
_verificationFailed(serviceName, retry) {
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
// For Not Listed / enterprise logins, immediately reset
// the dialog
gdm, util: Always allow to retry login in unlock mode When in lockscreen mode there's no point of resetting the auth login as there's no welcome screen, and that would just cause the UI to freeze, with no reason. This could have been useful if we were stopping the user to login for a given time after ALLOWED_FAILURES attempts, but this is not the case yet.
2018-05-29 00:10:09 +00:00
// Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
// After that, we go back to the welcome screen.
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
gdm: Count fingerprint authentication failures in fail counter Fingerprint PAM module can have multiple failures during a runtime and we rely on the pam module configuration for the maximum allowed retries. However, while that setting should be always followed, we should never ignore the login-screen's allowed-failures setting that can provide a lower value. So, once we have a fingerprint failure let's count it to increase our internal fail counter, and when we've reached the limit we can emit a verification-failed signal to our clients. As per this we need also to ignore any further 'info' messages that we could receive from the fingerprint service, as it may be configured to handle more retries than us and they might arrive before we have cancelled the verification session. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 17:40:03 +00:00
const canRetry = retry && this._canRetry();
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
gdm: Disconnect user verifier signals on destruction and verification failed When a verification session has failed we may want to wait for the user to have completed all the waiting queries and to have read all the incoming messages, however during such time an user verifier should not be allowed to queue further messages to the UI, as we're about to completely stop the identification or start a new one. Unfortunately this is not true because we're still connected to the identifier signals, and so we may still show messages. This is particularly true when using the fingerprint PAM module as it may restart the authentication while we're in the process of stopping it. So, keep track of all the signals we've connected to, and disconnect on verification failed and during cancel/clear operations. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 14:08:10 +00:00
this._disconnectSignals();
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
if (canRetry) {
util: Fix hasPendingMessages While the UserVerifier does indeed have a _userVerifier inside it, the hasPendingMessages property is on ourselves, not _userVerifier. https://bugzilla.gnome.org/show_bug.cgi?id=704347
2013-07-16 19:48:27 +00:00
if (!this.hasPendingMessages) {
gdm: Restart only the service that failed at verification-failure When verification failed using a specific authentication service we're currently restarting the whole user authentication system, which leads to lots of unneeded operations (reinitializing a new user verifier proxy, restarting all the gdm workers with the relative PAM modules and so on). And this makes also debugging of login problems more complicated, given we're cluttering the journal with repeated data. However, at reauthentication failure GDM has already set up for us an user verifier that we can use reuse to start only the service that had a failure. So when possible, just start a new service instead of rebooting the whole authorization process. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 16:57:45 +00:00
this._retry(serviceName);
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
} else {
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
const cancellable = this._cancellable;
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
let signalId = this.connect('no-more-messages', () => {
this.disconnect(signalId);
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
if (!cancellable.is_cancelled())
gdm: Restart only the service that failed at verification-failure When verification failed using a specific authentication service we're currently restarting the whole user authentication system, which leads to lots of unneeded operations (reinitializing a new user verifier proxy, restarting all the gdm workers with the relative PAM modules and so on). And this makes also debugging of login problems more complicated, given we're cluttering the journal with repeated data. However, at reauthentication failure GDM has already set up for us an user verifier that we can use reuse to start only the service that had a failure. So when possible, just start a new service instead of rebooting the whole authorization process. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-02 16:57:45 +00:00
this._retry(serviceName);
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
});
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
}
ShellUserVerifier: catch DBus errors and report them to the user Instead of leaving the login or unlock dialogs in an inconsistent state, catch DBus errors and show an Authentication Error message. The error details are logged in the session logs. https://bugzilla.gnome.org/show_bug.cgi?id=683060
2012-09-06 14:40:13 +00:00
} else {
style: Allow lonely ifs where appropriate We now have a lint rule to disallow lonely ifs, however there are cases where the "lonely" part mirrors code from the preceding if clause. Opt out of the lint rule in those cases. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/818
2019-08-20 02:24:37 +00:00
// eslint-disable-next-line no-lonely-if
util: Fix hasPendingMessages While the UserVerifier does indeed have a _userVerifier inside it, the hasPendingMessages property is on ourselves, not _userVerifier. https://bugzilla.gnome.org/show_bug.cgi?id=704347
2013-07-16 19:48:27 +00:00
if (!this.hasPendingMessages) {
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
this._cancelAndReset();
} else {
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
const cancellable = this._cancellable;
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
let signalId = this.connect('no-more-messages', () => {
this.disconnect(signalId);
gdm: Don't try answering query if the user verifier has been deleted Answering a query may be delayed to the moment in which we've not any more messages in the queue, however this case can also happen just after we've cleared the UserVerifier and in such case we'd have nothing to answer, but we currently throw an error: JS ERROR: Exception in callback for signal: no-more-messages: TypeError: this._userVerifier is null answerQuery/signalId<@resource:///org/gnome/shell/gdm/util.js:249:17 _emit@resource:///org/gnome/gjs/modules/core/_signals.js:133:47 finishMessageQueue@resource:///org/gnome/shell/gdm/util.js:266:14 _clearMessageQueue@resource:///org/gnome/shell/gdm/util.js:301:14 clear@resource:///org/gnome/shell/gdm/util.js:223:14 cancel@resource:///org/gnome/shell/gdm/util.js:205:18 reset@resource:///org/gnome/shell/gdm/authPrompt.js:482:32 cancel@resource:///org/gnome/shell/gdm/authPrompt.js:569:14 vfunc_key_press_event@resource:///org/gnome/shell/gdm/authPrompt.js:128 So handle this case more gracefully keeping track of the current cancellable and checking whether it is still valid before trying to answer a query or do a delayed action. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 15:42:21 +00:00
if (!cancellable.is_cancelled())
this._cancelAndReset();
cleanup: Use arrow notation for anonymous functions Arrow notation is great, use it consistently through-out the code base to bind `this` to anonymous functions, replacing the more overbose Lang.bind(this, function() {}). https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:38:18 +00:00
});
loginDialog,unlockDialog: Give user time to read messages Right now, if multiple messages come in, they just sort of clobber each other. This commit sets up a message queue, and introduces pauses long enough for the user to hopefully be able to read those messages. https://bugzilla.gnome.org/show_bug.cgi?id=694688
2013-03-18 04:59:56 +00:00
}
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
}
gdm: Expose the source serviceName for messages and verification failures By giving to the AuthPrompt information regarding the source service name (and so the ability to know whether it's a foreground service) can give it the ability to behave differently. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-01 18:36:49 +00:00
this.emit('verification-failed', serviceName, canRetry);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
Login/UnlockDialog: don't reset immediately if auth fails Instead of showing a notification, add a small message immediately below the entry, and give the user two more attempts to login, before going back to the welcome or lock screen. https://bugzilla.gnome.org/show_bug.cgi?id=682544
2012-08-07 14:49:22 +00:00
cleanup: Use method syntax Modern javascript has a short-hand for function properties, embrace it for better readability and to prepare for an eventual port to ES6 classes. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/23
2017-10-31 00:03:21 +00:00
_onConversationStopped(client, serviceName) {
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
// If the login failed with the preauthenticated oVirt credentials
// then discard the credentials and revert to default authentication
// mechanism.
gdm: Refactor oVirt to a generic CredentialManager interface Commit 4cda61a1 added support for pre-authenticated logins in oVirt environments. This feature prevents a user from having to type their password twice (once to the oVirt management machine, and then immediately again in the provisioned guest running gnome-shell). That feature is currently oVirt specific, but a similar feature would be useful in non-oVirt based virt farm environments. Toward that end, this commit generalizes the various aspects of the oVirt integration code, so that it can be reused in a subsequent commit for adding single sign on support in vmware deployments, too. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
2020-01-03 16:31:15 +00:00
let foregroundService = Object.keys(this._credentialManagers).find(service =>
this.serviceIsForeground(service));
if (foregroundService) {
this._credentialManagers[foregroundService].token = null;
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
this._preemptingService = null;
gdm: Pass source serviceName to verification failures Depending on the service name we got the failure from we could react differently, so let's pass the value to the verification failure handler. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1622>
2021-02-01 18:36:49 +00:00
this._verificationFailed(serviceName, false);
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 08:21:47 +00:00
return;
}
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
// if the password service fails, then cancel everything.
// But if, e.g., fingerprint fails, still give
// password authentication a chance to succeed
gdm: Fail and restart verification on conversation stopped for all services Currently when the foreground service conversation stops we increase the verification failed count and try to start it again, while if a background service has been stopped we just ignore it. This is causing a various number of issues, for example in the case of the fingerprint authentication service, it is normally configured to die after a timeout, and we end up never restarting it (while the UI still keeps showing to the user the message about swipe/touch the device). So, in such case let's just consider it a "soft" verification failure that doesn't increase the failures count but will cause us to reset the UI and try to restart the authentication (and so the affected service). Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 17:57:06 +00:00
if (this.serviceIsForeground(serviceName))
gdm: Increase the verification failed counter once we've a failure Decouple the verification failure count increase from _verificationFailed as there are some cases in which we may want to increase it without emitting a verification-failed signal. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 17:43:16 +00:00
this._failCounter++;
gdm: Fail and restart verification on conversation stopped for all services Currently when the foreground service conversation stops we increase the verification failed count and try to start it again, while if a background service has been stopped we just ignore it. This is causing a various number of issues, for example in the case of the fingerprint authentication service, it is normally configured to die after a timeout, and we end up never restarting it (while the UI still keeps showing to the user the message about swipe/touch the device). So, in such case let's just consider it a "soft" verification failure that doesn't increase the failures count but will cause us to reset the UI and try to restart the authentication (and so the affected service). Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1652>
2021-02-08 17:57:06 +00:00
this._verificationFailed(serviceName, true);
cleanup: Port non-GObject classes to JS6 classes ES6 finally adds standard class syntax to the language, so we can replace our custom Lang.Class framework with the new syntax. Any classes that inherit from GObject will need special treatment, so limit the port to regular javascript classes for now. https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/361
2017-10-31 01:19:44 +00:00
}
};
Split some common code out of gdm/loginDialog This will be reused by session unlocking. https://bugzilla.gnome.org/show_bug.cgi?id=619955
2012-07-17 18:54:07 +00:00
Signals.addSignalMethods(ShellUserVerifier.prototype);
Reference in New Issue Copy Permalink