gnome-shell/js/gdm/authPrompt.js

584 lines
19 KiB
JavaScript
Raw Normal View History

// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
/* exported AuthPrompt */
const { Clutter, GObject, Pango, Shell, St } = imports.gi;
const Animation = imports.ui.animation;
const Batch = imports.gdm.batch;
const GdmUtil = imports.gdm.util;
const OVirt = imports.gdm.oVirt;
const Vmware = imports.gdm.vmware;
const Params = imports.misc.params;
const ShellEntry = imports.ui.shellEntry;
const UserWidget = imports.ui.userWidget;
const Util = imports.misc.util;
var DEFAULT_BUTTON_WELL_ICON_SIZE = 16;
var DEFAULT_BUTTON_WELL_ANIMATION_DELAY = 1000;
var DEFAULT_BUTTON_WELL_ANIMATION_TIME = 300;
var MESSAGE_FADE_OUT_ANIMATION_TIME = 500;
var AuthPromptMode = {
UNLOCK_ONLY: 0,
UNLOCK_OR_LOG_IN: 1,
};
var AuthPromptStatus = {
NOT_VERIFYING: 0,
VERIFYING: 1,
VERIFICATION_FAILED: 2,
VERIFICATION_SUCCEEDED: 3,
VERIFICATION_CANCELLED: 4,
VERIFICATION_IN_PROGRESS: 5,
};
var BeginRequestType = {
PROVIDE_USERNAME: 0,
DONT_PROVIDE_USERNAME: 1,
REUSE_USERNAME: 2,
};
var AuthPrompt = GObject.registerClass({
Signals: {
'cancelled': {},
'failed': {},
'next': {},
'prompted': {},
'reset': { param_types: [GObject.TYPE_UINT] },
},
}, class AuthPrompt extends St.BoxLayout {
_init(gdmClient, mode) {
super._init({
style_class: 'login-dialog-prompt-layout',
vertical: true,
x_expand: true,
x_align: Clutter.ActorAlign.CENTER,
});
this.verificationStatus = AuthPromptStatus.NOT_VERIFYING;
this._gdmClient = gdmClient;
this._mode = mode;
this._defaultButtonWellActor = null;
this._cancelledRetries = 0;
let reauthenticationOnly;
if (this._mode == AuthPromptMode.UNLOCK_ONLY)
reauthenticationOnly = true;
else if (this._mode == AuthPromptMode.UNLOCK_OR_LOG_IN)
reauthenticationOnly = false;
this._userVerifier = new GdmUtil.ShellUserVerifier(this._gdmClient, { reauthenticationOnly });
this._userVerifier.connect('ask-question', this._onAskQuestion.bind(this));
this._userVerifier.connect('show-message', this._onShowMessage.bind(this));
this._userVerifier.connect('verification-failed', this._onVerificationFailed.bind(this));
this._userVerifier.connect('verification-complete', this._onVerificationComplete.bind(this));
this._userVerifier.connect('reset', this._onReset.bind(this));
this._userVerifier.connect('smartcard-status-changed', this._onSmartcardStatusChanged.bind(this));
this._userVerifier.connect('credential-manager-authenticated', this._onCredentialManagerAuthenticated.bind(this));
this.smartcardDetected = this._userVerifier.smartcardDetected;
this.connect('destroy', this._onDestroy.bind(this));
this._userWell = new St.Bin({
x_expand: true,
y_expand: true,
});
this.add_child(this._userWell);
this._hasCancelButton = this._mode === AuthPromptMode.UNLOCK_OR_LOG_IN;
this._initEntryRow();
let capsLockPlaceholder = new St.Label();
this.add_child(capsLockPlaceholder);
this._capsLockWarningLabel = new ShellEntry.CapsLockWarning({
x_expand: true,
x_align: Clutter.ActorAlign.CENTER,
});
this.add_child(this._capsLockWarningLabel);
this._capsLockWarningLabel.bind_property('visible',
capsLockPlaceholder, 'visible',
GObject.BindingFlags.SYNC_CREATE | GObject.BindingFlags.INVERT_BOOLEAN);
this._message = new St.Label({
opacity: 0,
styleClass: 'login-dialog-message',
y_expand: true,
x_expand: true,
y_align: Clutter.ActorAlign.START,
x_align: Clutter.ActorAlign.CENTER,
});
this._message.clutter_text.line_wrap = true;
this._message.clutter_text.ellipsize = Pango.EllipsizeMode.NONE;
this.add_child(this._message);
}
_onDestroy() {
this._userVerifier.destroy();
this._userVerifier = null;
}
vfunc_key_press_event(keyPressEvent) {
if (keyPressEvent.keyval == Clutter.KEY_Escape)
this.cancel();
return super.vfunc_key_press_event(keyPressEvent);
}
_initEntryRow() {
this._mainBox = new St.BoxLayout({
style_class: 'login-dialog-button-box',
vertical: false,
});
this.add_child(this._mainBox);
this.cancelButton = new St.Button({
style_class: 'modal-dialog-button button cancel-button',
accessible_name: _('Cancel'),
button_mask: St.ButtonMask.ONE | St.ButtonMask.THREE,
reactive: this._hasCancelButton,
can_focus: this._hasCancelButton,
x_align: Clutter.ActorAlign.START,
y_align: Clutter.ActorAlign.CENTER,
child: new St.Icon({ icon_name: 'go-previous-symbolic' }),
});
if (this._hasCancelButton)
this.cancelButton.connect('clicked', () => this.cancel());
else
this.cancelButton.opacity = 0;
this._mainBox.add_child(this.cancelButton);
let entryParams = {
style_class: 'login-dialog-prompt-entry',
can_focus: true,
x_expand: true,
};
this._entry = null;
this._textEntry = new St.Entry(entryParams);
ShellEntry.addContextMenu(this._textEntry, { actionMode: Shell.ActionMode.NONE });
this._passwordEntry = new St.PasswordEntry(entryParams);
ShellEntry.addContextMenu(this._passwordEntry, { actionMode: Shell.ActionMode.NONE });
this._entry = this._passwordEntry;
this._mainBox.add_child(this._entry);
this._entry.grab_key_focus();
[this._textEntry, this._passwordEntry].forEach(entry => {
entry.clutter_text.connect('text-changed', () => {
if (!this._userVerifier.hasPendingMessages)
this._fadeOutMessage();
});
entry.clutter_text.connect('activate', () => {
let shouldSpin = entry === this._passwordEntry;
if (entry.reactive)
this._activateNext(shouldSpin);
});
});
this._defaultButtonWell = new St.Widget({
layout_manager: new Clutter.BinLayout(),
x_align: Clutter.ActorAlign.END,
y_align: Clutter.ActorAlign.CENTER,
});
this._defaultButtonWell.add_constraint(new Clutter.BindConstraint({
source: this.cancelButton,
coordinate: Clutter.BindCoordinate.WIDTH,
}));
this._mainBox.add_child(this._defaultButtonWell);
this._spinner = new Animation.Spinner(DEFAULT_BUTTON_WELL_ICON_SIZE);
this._defaultButtonWell.add_child(this._spinner);
}
_activateNext(shouldSpin) {
this.verificationStatus = AuthPromptStatus.VERIFICATION_IN_PROGRESS;
this.updateSensitivity(false);
if (shouldSpin)
this.startSpinning();
if (this._queryingService)
this._userVerifier.answerQuery(this._queryingService, this._entry.text);
else
this._preemptiveAnswer = this._entry.text;
this.emit('next');
}
_updateEntry(secret) {
if (secret && this._entry !== this._passwordEntry) {
this._mainBox.replace_child(this._entry, this._passwordEntry);
this._entry = this._passwordEntry;
} else if (!secret && this._entry !== this._textEntry) {
this._mainBox.replace_child(this._entry, this._textEntry);
this._entry = this._textEntry;
}
this._capsLockWarningLabel.visible = secret;
}
_onAskQuestion(verifier, serviceName, question, secret) {
if (this._queryingService)
this.clear();
this._queryingService = serviceName;
if (this._preemptiveAnswer) {
this._userVerifier.answerQuery(this._queryingService, this._preemptiveAnswer);
this._preemptiveAnswer = null;
return;
}
this._updateEntry(secret);
// Hack: The question string comes directly from PAM, if it's "Password:"
// we replace it with our own to allow localization, if it's something
// else we remove the last colon and any trailing or leading spaces.
if (question === 'Password:' || question === 'Password: ')
this.setQuestion(_('Password'));
else
this.setQuestion(question.replace(/: *$/, '').trim());
this.updateSensitivity(true);
this.emit('prompted');
}
_onCredentialManagerAuthenticated() {
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 04:21:47 -04:00
if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED)
this.reset();
}
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 04:21:47 -04:00
_onSmartcardStatusChanged() {
this.smartcardDetected = this._userVerifier.smartcardDetected;
// Most of the time we want to reset if the user inserts or removes
// a smartcard. Smartcard insertion "preempts" what the user was
// doing, and smartcard removal aborts the preemption.
// The exceptions are: 1) Don't reset on smartcard insertion if we're already verifying
// with a smartcard
// 2) Don't reset if we've already succeeded at verification and
// the user is getting logged in.
if (this._userVerifier.serviceIsDefault(GdmUtil.SMARTCARD_SERVICE_NAME) &&
this.verificationStatus == AuthPromptStatus.VERIFYING &&
this.smartcardDetected)
return;
if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED)
this.reset();
}
_onShowMessage(_userVerifier, serviceName, message, type) {
this.setMessage(serviceName, message, type);
this.emit('prompted');
}
_onVerificationFailed(userVerifier, serviceName, canRetry) {
const wasQueryingService = this._queryingService === serviceName;
this._queryingService = null;
this.clear();
this.updateSensitivity(canRetry);
this.setActorInDefaultButtonWell(null);
this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
if (wasQueryingService)
Util.wiggle(this._entry);
}
_onVerificationComplete() {
this.setActorInDefaultButtonWell(null);
this.verificationStatus = AuthPromptStatus.VERIFICATION_SUCCEEDED;
2017-06-29 19:16:11 -04:00
this.cancelButton.reactive = false;
this.cancelButton.can_focus = false;
}
_onReset() {
this.verificationStatus = AuthPromptStatus.NOT_VERIFYING;
this.reset();
}
setActorInDefaultButtonWell(actor, animate) {
if (!this._defaultButtonWellActor &&
!actor)
return;
let oldActor = this._defaultButtonWellActor;
if (oldActor)
oldActor.remove_all_transitions();
let wasSpinner;
if (oldActor == this._spinner)
wasSpinner = true;
else
wasSpinner = false;
let isSpinner;
if (actor == this._spinner)
isSpinner = true;
else
isSpinner = false;
if (this._defaultButtonWellActor != actor && oldActor) {
if (!animate) {
oldActor.opacity = 0;
if (wasSpinner) {
if (this._spinner)
this._spinner.stop();
}
} else {
oldActor.ease({
opacity: 0,
duration: DEFAULT_BUTTON_WELL_ANIMATION_TIME,
delay: DEFAULT_BUTTON_WELL_ANIMATION_DELAY,
mode: Clutter.AnimationMode.LINEAR,
onComplete: () => {
if (wasSpinner) {
if (this._spinner)
this._spinner.stop();
}
},
});
}
}
if (actor) {
if (isSpinner)
this._spinner.play();
if (!animate) {
actor.opacity = 255;
} else {
actor.ease({
opacity: 255,
duration: DEFAULT_BUTTON_WELL_ANIMATION_TIME,
delay: DEFAULT_BUTTON_WELL_ANIMATION_DELAY,
mode: Clutter.AnimationMode.LINEAR,
});
}
}
this._defaultButtonWellActor = actor;
}
startSpinning() {
this.setActorInDefaultButtonWell(this._spinner, true);
}
stopSpinning() {
this.setActorInDefaultButtonWell(null, false);
}
clear() {
this._entry.text = '';
this.stopSpinning();
}
setQuestion(question) {
this._entry.hint_text = question;
this._entry.show();
this._entry.grab_key_focus();
}
getAnswer() {
let text;
if (this._preemptiveAnswer) {
text = this._preemptiveAnswer;
this._preemptiveAnswer = null;
} else {
text = this._entry.get_text();
}
return text;
}
_fadeOutMessage() {
if (this._message.opacity == 0)
return;
this._message.remove_all_transitions();
this._message.ease({
opacity: 0,
duration: MESSAGE_FADE_OUT_ANIMATION_TIME,
mode: Clutter.AnimationMode.EASE_OUT_QUAD,
});
}
setMessage(serviceName, message, type) {
if (type == GdmUtil.MessageType.ERROR)
this._message.add_style_class_name('login-dialog-message-warning');
else
this._message.remove_style_class_name('login-dialog-message-warning');
if (type == GdmUtil.MessageType.HINT)
this._message.add_style_class_name('login-dialog-message-hint');
else
this._message.remove_style_class_name('login-dialog-message-hint');
if (message) {
this._message.remove_all_transitions();
this._message.text = message;
this._message.opacity = 255;
} else {
this._message.opacity = 0;
}
if (type === GdmUtil.MessageType.ERROR &&
this._userVerifier.serviceIsFingerprint(serviceName)) {
// TODO: Use Await for wiggle to be over before unfreezing the user verifier queue
const wiggleParameters = {
duration: 65,
wiggleCount: 3,
};
this._userVerifier.increaseCurrentMessageTimeout(
wiggleParameters.duration * (wiggleParameters.wiggleCount + 2));
Util.wiggle(this._message, wiggleParameters);
}
}
updateSensitivity(sensitive) {
if (this._entry.reactive === sensitive)
return;
this._entry.reactive = sensitive;
if (sensitive) {
this._entry.grab_key_focus();
} else {
this.grab_key_focus();
if (this._entry === this._passwordEntry)
this._entry.password_visible = false;
}
}
vfunc_hide() {
this.setActorInDefaultButtonWell(null, true);
super.vfunc_hide();
this._message.opacity = 0;
this.setUser(null);
this.updateSensitivity(true);
this._entry.set_text('');
}
setUser(user) {
let oldChild = this._userWell.get_child();
if (oldChild)
oldChild.destroy();
let userWidget = new UserWidget.UserWidget(user, Clutter.Orientation.VERTICAL);
this._userWell.set_child(userWidget);
if (!user)
this._updateEntry(false);
}
reset() {
let oldStatus = this.verificationStatus;
this.verificationStatus = AuthPromptStatus.NOT_VERIFYING;
this.cancelButton.reactive = this._hasCancelButton;
this.cancelButton.can_focus = this._hasCancelButton;
this._preemptiveAnswer = null;
if (this._userVerifier)
this._userVerifier.cancel();
this._queryingService = null;
this.clear();
this._message.opacity = 0;
this.setUser(null);
this._updateEntry(true);
this.stopSpinning();
if (oldStatus == AuthPromptStatus.VERIFICATION_FAILED)
this.emit('failed');
else if (oldStatus === AuthPromptStatus.VERIFICATION_CANCELLED)
this.emit('cancelled');
let beginRequestType;
if (this._mode == AuthPromptMode.UNLOCK_ONLY) {
// The user is constant at the unlock screen, so it will immediately
// respond to the request with the username
if (oldStatus === AuthPromptStatus.VERIFICATION_CANCELLED)
return;
beginRequestType = BeginRequestType.PROVIDE_USERNAME;
} else if (this._userVerifier.serviceIsForeground(OVirt.SERVICE_NAME) ||
this._userVerifier.serviceIsForeground(Vmware.SERVICE_NAME) ||
this._userVerifier.serviceIsForeground(GdmUtil.SMARTCARD_SERVICE_NAME)) {
// We don't need to know the username if the user preempted the login screen
gdm: support pre-authenticated logins from oVirt oVirt is software for managing medium-to-large scale deployments of virtual machine guests across multiple hosts. It supports a feature where users can authenticate with a central server and get transparently connected to a guest system and then automatically get logged into that guest to an associated user session. Guests using old versions of GDM support this single-sign-on capability by means of a greeter plugin, using the old greeter's extension API. This commit adds similar support to the gnome-shell based login screen. How it works: * The OVirtCredentialsManager singleton listens for 'org.ovirt.vdsm.Credentials.UserAuthenticated' D-Bus signal on the system bus from the 'org.ovirt.vdsm.Credentials' bus name. The service that provides that bus name is called the oVirt guest agent. It is also responsible for interacting with the the central server to get user credentials. * This UserAuthenticated signal passes, as a parameter, the a token which needs to be passed through to the PAM service that is specifically set up to integrate with the oVirt authentication architecture. The singleton object keeps the token internally so it can be queried later on. * The OVirtCredentialsManager emits a signal 'user-authenticated' on it's object once the dbus signal is triggered * When the 'user-authenticated' signal is emitted, the login screen tells GDM to start user verification using the PAM service. The authentication stack of the service includes a PAM module provided by oVirt that securely retrieves user credentials from the oVirt guest agent. The PAM module then forwards those credentials on to other modules in the stack so, e.g., the user's gnome keyring can be automatically unlocked. * In case of the screen shield being visible, it also will react on that 'user-authenticated' signal and lift the shield. In that case the login screen will check on construction time if the signal has already been triggered, and a token is available. If a token is available it will immediately trigger the functionality as described above. Signed-off-by: Vinzenz Feenstra <evilissimo@redhat.com> https://bugzilla.gnome.org/show_bug.cgi?id=702162
2013-10-10 04:21:47 -04:00
// with a smartcard or with preauthenticated oVirt credentials
beginRequestType = BeginRequestType.DONT_PROVIDE_USERNAME;
} else if (oldStatus === AuthPromptStatus.VERIFICATION_IN_PROGRESS) {
// We're going back to retry with current user
beginRequestType = BeginRequestType.REUSE_USERNAME;
} else {
// In all other cases, we should get the username up front.
beginRequestType = BeginRequestType.PROVIDE_USERNAME;
}
this.emit('reset', beginRequestType);
}
addCharacter(unichar) {
if (!this._entry.visible)
return;
this._entry.grab_key_focus();
this._entry.clutter_text.insert_unichar(unichar);
}
begin(params) {
params = Params.parse(params, { userName: null,
hold: null });
this.updateSensitivity(false);
let hold = params.hold;
if (!hold)
hold = new Batch.Hold();
this._userVerifier.begin(params.userName, hold);
this.verificationStatus = AuthPromptStatus.VERIFYING;
}
finish(onComplete) {
if (!this._userVerifier.hasPendingMessages) {
this._userVerifier.clear();
onComplete();
return;
}
let signalId = this._userVerifier.connect('no-more-messages', () => {
this._userVerifier.disconnect(signalId);
this._userVerifier.clear();
onComplete();
});
}
cancel() {
if (this.verificationStatus == AuthPromptStatus.VERIFICATION_SUCCEEDED)
return;
if (this.verificationStatus === AuthPromptStatus.VERIFICATION_IN_PROGRESS) {
this._cancelledRetries++;
if (this._cancelledRetries > this._userVerifier.allowedFailures)
this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
} else {
this.verificationStatus = AuthPromptStatus.VERIFICATION_CANCELLED;
}
this.reset();
}
});