fb824131ae
Currently, prompting for the username on the login screen is done "out-of-band". This leads to subtle bugs where we're trying to integrate two different state machines, or interpret results from one state machine as part of another. It also complicates the logic, as the ability to know whether we need or want a username is currently in the UI layer rather than the logic layer. Move this into the verifier proper.
573 lines
20 KiB
JavaScript
573 lines
20 KiB
JavaScript
// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
|
|
|
|
const Clutter = imports.gi.Clutter;
|
|
const Gio = imports.gi.Gio;
|
|
const GLib = imports.gi.GLib;
|
|
const Lang = imports.lang;
|
|
const Mainloop = imports.mainloop;
|
|
const Signals = imports.signals;
|
|
const St = imports.gi.St;
|
|
|
|
const Batch = imports.gdm.batch;
|
|
const Fprint = imports.gdm.fingerprint;
|
|
const OVirt = imports.gdm.oVirt;
|
|
const Main = imports.ui.main;
|
|
const Params = imports.misc.params;
|
|
const ShellEntry = imports.ui.shellEntry;
|
|
const SmartcardManager = imports.misc.smartcardManager;
|
|
const Tweener = imports.ui.tweener;
|
|
|
|
const PASSWORD_SERVICE_NAME = 'gdm-password';
|
|
const FINGERPRINT_SERVICE_NAME = 'gdm-fingerprint';
|
|
const SMARTCARD_SERVICE_NAME = 'gdm-smartcard';
|
|
const OVIRT_SERVICE_NAME = 'gdm-ovirtcred';
|
|
const FADE_ANIMATION_TIME = 0.16;
|
|
const CLONE_FADE_ANIMATION_TIME = 0.25;
|
|
|
|
const LOGIN_SCREEN_SCHEMA = 'org.gnome.login-screen';
|
|
const PASSWORD_AUTHENTICATION_KEY = 'enable-password-authentication';
|
|
const FINGERPRINT_AUTHENTICATION_KEY = 'enable-fingerprint-authentication';
|
|
const SMARTCARD_AUTHENTICATION_KEY = 'enable-smartcard-authentication';
|
|
const BANNER_MESSAGE_KEY = 'banner-message-enable';
|
|
const BANNER_MESSAGE_TEXT_KEY = 'banner-message-text';
|
|
const ALLOWED_FAILURES_KEY = 'allowed-failures';
|
|
|
|
const LOGO_KEY = 'logo';
|
|
const DISABLE_USER_LIST_KEY = 'disable-user-list';
|
|
|
|
// Give user 16ms to read each character of a PAM message
|
|
const USER_READ_TIME = 16
|
|
|
|
const MessageType = {
|
|
NONE: 0,
|
|
ERROR: 1,
|
|
INFO: 2,
|
|
HINT: 3
|
|
};
|
|
|
|
function fadeInActor(actor) {
|
|
if (actor.opacity == 255 && actor.visible)
|
|
return null;
|
|
|
|
let hold = new Batch.Hold();
|
|
actor.show();
|
|
let [minHeight, naturalHeight] = actor.get_preferred_height(-1);
|
|
|
|
actor.opacity = 0;
|
|
actor.set_height(0);
|
|
Tweener.addTween(actor,
|
|
{ opacity: 255,
|
|
height: naturalHeight,
|
|
time: FADE_ANIMATION_TIME,
|
|
transition: 'easeOutQuad',
|
|
onComplete: function() {
|
|
this.set_height(-1);
|
|
hold.release();
|
|
},
|
|
});
|
|
|
|
return hold;
|
|
}
|
|
|
|
function fadeOutActor(actor) {
|
|
if (!actor.visible || actor.opacity == 0) {
|
|
actor.opacity = 0;
|
|
actor.hide();
|
|
return null;
|
|
}
|
|
|
|
let hold = new Batch.Hold();
|
|
Tweener.addTween(actor,
|
|
{ opacity: 0,
|
|
height: 0,
|
|
time: FADE_ANIMATION_TIME,
|
|
transition: 'easeOutQuad',
|
|
onComplete: function() {
|
|
this.hide();
|
|
this.set_height(-1);
|
|
hold.release();
|
|
},
|
|
});
|
|
return hold;
|
|
}
|
|
|
|
function cloneAndFadeOutActor(actor) {
|
|
// Immediately hide actor so its sibling can have its space
|
|
// and position, but leave a non-reactive clone on-screen,
|
|
// so from the user's point of view it smoothly fades away
|
|
// and reveals its sibling.
|
|
actor.hide();
|
|
|
|
let clone = new Clutter.Clone({ source: actor,
|
|
reactive: false });
|
|
|
|
Main.uiGroup.add_child(clone);
|
|
|
|
let [x, y] = actor.get_transformed_position();
|
|
clone.set_position(x, y);
|
|
|
|
let hold = new Batch.Hold();
|
|
Tweener.addTween(clone,
|
|
{ opacity: 0,
|
|
time: CLONE_FADE_ANIMATION_TIME,
|
|
transition: 'easeOutQuad',
|
|
onComplete: function() {
|
|
clone.destroy();
|
|
hold.release();
|
|
}
|
|
});
|
|
return hold;
|
|
}
|
|
|
|
const VerificationStatus = {
|
|
NOT_VERIFYING: 0,
|
|
ASKING_FOR_USERNAME: 1,
|
|
VERIFYING: 2,
|
|
VERIFICATION_FAILED: 3,
|
|
VERIFICATION_SUCCEEDED: 4,
|
|
};
|
|
|
|
const ShellUserVerifier = new Lang.Class({
|
|
Name: 'ShellUserVerifier',
|
|
|
|
_init: function(client, params) {
|
|
params = Params.parse(params, { reauthenticationOnly: false });
|
|
this._reauthOnly = params.reauthenticationOnly;
|
|
|
|
this._client = client;
|
|
|
|
this._settings = new Gio.Settings({ schema: LOGIN_SCREEN_SCHEMA });
|
|
this._settings.connect('changed',
|
|
Lang.bind(this, this._updateDefaultService));
|
|
|
|
this._fprintManager = new Fprint.FprintManager();
|
|
this._smartcardManager = SmartcardManager.getSmartcardManager();
|
|
|
|
// We check for smartcards right away, since an inserted smartcard
|
|
// at startup should result in immediately initiating authentication.
|
|
// This is different than fingeprint readers, where we only check them
|
|
// after a user has been picked.
|
|
this._checkForSmartcard();
|
|
|
|
this._smartcardManager.connect('smartcard-inserted',
|
|
Lang.bind(this, this._checkForSmartcard));
|
|
this._smartcardManager.connect('smartcard-removed',
|
|
Lang.bind(this, this._checkForSmartcard));
|
|
|
|
this._messageQueue = [];
|
|
this._messageQueueTimeoutId = 0;
|
|
this.hasPendingMessages = false;
|
|
this.reauthenticating = false;
|
|
|
|
this._oVirtCredentialsManager = OVirt.getOVirtCredentialsManager();
|
|
this._oVirtCredentialsManager.connect('user-authenticated', Lang.bind(this, this._oVirtUserAuthenticated));
|
|
if (this._oVirtCredentialsManager.hasToken())
|
|
this._oVirtUserAuthenticated(this._oVirtCredentialsManager.getToken());
|
|
|
|
this._reset();
|
|
},
|
|
|
|
_reset: function() {
|
|
// Clear previous attempts to authenticate
|
|
this.verificationStatus = VerificationStatus.NOT_VERIFYING;
|
|
this._userName = null;
|
|
this._failCounter = 0;
|
|
this._updateDefaultService();
|
|
this.emit('reset');
|
|
},
|
|
|
|
begin: function() {
|
|
if (this._mode == AuthPromptMode.UNLOCK_ONLY) {
|
|
// The user is constant at the unlock screen, so it will immediately
|
|
// respond to the request with the username
|
|
needsUsername = true;
|
|
} else if (this.serviceIsForeground(GdmUtil.OVIRT_SERVICE_NAME) ||
|
|
(this.smartcardDetected &&
|
|
this.serviceIsForeground(GdmUtil.SMARTCARD_SERVICE_NAME))) {
|
|
// We don't need to know the username if the user preempted the login screen
|
|
// with a smartcard or with preauthenticated oVirt credentials
|
|
needsUsername = false;
|
|
} else {
|
|
// In all other cases, we should get the username up front.
|
|
needsUsername = true;
|
|
}
|
|
|
|
if (needsUsername) {
|
|
this.verificationStatus = VerificationStatus.ASKING_FOR_USERNAME;
|
|
this.emit('needs-username');
|
|
} else {
|
|
this._beginAuthentication();
|
|
}
|
|
},
|
|
|
|
gotUserName: function(userName) {
|
|
this._userName = userName;
|
|
this._beginAuthentication();
|
|
},
|
|
|
|
_beginAuthentication: function() {
|
|
this.verificationStatus = VerificationStatus.VERIFYING;
|
|
this._cancellable = new Gio.Cancellable();
|
|
this.reauthenticating = false;
|
|
|
|
this._checkForFingerprintReader();
|
|
|
|
if (this._userName) {
|
|
// If possible, reauthenticate an already running session,
|
|
// so any session specific credentials get updated appropriately
|
|
this._client.open_reauthentication_channel(this._userName, this._cancellable,
|
|
Lang.bind(this, this._reauthenticationChannelOpened));
|
|
} else {
|
|
this._client.get_user_verifier(this._cancellable, Lang.bind(this, this._userVerifierGot));
|
|
}
|
|
},
|
|
|
|
clear: function() {
|
|
if (this._cancellable) {
|
|
this._cancellable.cancel();
|
|
this._cancellable = null;
|
|
}
|
|
|
|
if (this._userVerifier) {
|
|
this._userVerifier.call_cancel_sync(null);
|
|
this._userVerifier.run_dispose();
|
|
this._userVerifier = null;
|
|
}
|
|
|
|
this._clearMessageQueue();
|
|
},
|
|
|
|
_doAfterPendingMessages: function(func) {
|
|
if (this.hasPendingMessages) {
|
|
let signalId = this.connect('no-more-messages', Lang.bind(this, function() {
|
|
this.disconnect(signalId);
|
|
func();
|
|
}));
|
|
} else {
|
|
func();
|
|
}
|
|
},
|
|
|
|
answerQuery: function(serviceName, answer) {
|
|
this._doAfterPendingMessages(Lang.bind(this, function() {
|
|
this._userVerifier.call_answer_query(serviceName, answer, this._cancellable, null);
|
|
}));
|
|
},
|
|
|
|
_getIntervalForMessage: function(message) {
|
|
// We probably could be smarter here
|
|
return message.length * USER_READ_TIME;
|
|
},
|
|
|
|
_finishMessageQueue: function() {
|
|
if (!this.hasPendingMessages)
|
|
return;
|
|
|
|
this._messageQueue = [];
|
|
|
|
this.hasPendingMessages = false;
|
|
this.emit('no-more-messages');
|
|
},
|
|
|
|
_queueMessageTimeout: function() {
|
|
if (this._messageQueue.length == 0) {
|
|
this._finishMessageQueue();
|
|
return;
|
|
}
|
|
|
|
if (this._messageQueueTimeoutId != 0)
|
|
return;
|
|
|
|
let message = this._messageQueue.shift();
|
|
|
|
this.emit('show-message', message.text, message.type);
|
|
|
|
this._messageQueueTimeoutId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,
|
|
message.interval,
|
|
Lang.bind(this, function() {
|
|
this._messageQueueTimeoutId = 0;
|
|
this._queueMessageTimeout();
|
|
return GLib.SOURCE_REMOVE;
|
|
}));
|
|
},
|
|
|
|
_queueMessage: function(message, messageType) {
|
|
let interval = this._getIntervalForMessage(message);
|
|
|
|
this.hasPendingMessages = true;
|
|
this._messageQueue.push({ text: message, type: messageType, interval: interval });
|
|
this._queueMessageTimeout();
|
|
},
|
|
|
|
_clearMessageQueue: function() {
|
|
this._finishMessageQueue();
|
|
|
|
if (this._messageQueueTimeoutId != 0) {
|
|
GLib.source_remove(this._messageQueueTimeoutId);
|
|
this._messageQueueTimeoutId = 0;
|
|
}
|
|
this.emit('show-message', null, MessageType.NONE);
|
|
},
|
|
|
|
_checkForFingerprintReader: function() {
|
|
this._haveFingerprintReader = false;
|
|
|
|
if (!this._settings.get_boolean(FINGERPRINT_AUTHENTICATION_KEY)) {
|
|
this._updateDefaultService();
|
|
return;
|
|
}
|
|
|
|
this._fprintManager.GetDefaultDeviceRemote(Gio.DBusCallFlags.NONE, this._cancellable, Lang.bind(this,
|
|
function(device, error) {
|
|
if (!error && device)
|
|
this._haveFingerprintReader = true;
|
|
this._updateDefaultService();
|
|
}));
|
|
},
|
|
|
|
_oVirtUserAuthenticated: function() {
|
|
if (this.verificationStatus != GdmUtil.VerificationStatus.VERIFICATION_SUCCEEDED)
|
|
this._reset();
|
|
},
|
|
|
|
_checkForSmartcard: function() {
|
|
let smartcardDetected;
|
|
|
|
if (!this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY))
|
|
smartcardDetected = false;
|
|
else if (this.reauthenticating)
|
|
smartcardDetected = this._smartcardManager.hasInsertedLoginToken();
|
|
else
|
|
smartcardDetected = this._smartcardManager.hasInsertedTokens();
|
|
|
|
if (this.smartcardDetected == smartcardDetected)
|
|
return;
|
|
|
|
this.smartcardDetected = smartcardDetected;
|
|
|
|
// Most of the time we want to reset if the user inserts or removes
|
|
// a smartcard. Smartcard insertion "preempts" what the user was
|
|
// doing, and smartcard removal aborts the preemption.
|
|
// The exceptions are: 1) Don't reset on smartcard insertion if we're already verifying
|
|
// with a smartcard
|
|
// 2) Don't reset if we've already succeeded at verification and
|
|
// the user is getting logged in.
|
|
if (this._serviceIsDefault(SMARTCARD_SERVICE_NAME) &&
|
|
this.verificationStatus == VerificationStatus.VERIFYING &&
|
|
this.smartcardDetected)
|
|
return;
|
|
|
|
if (this.verificationStatus != VerificationStatus.VERIFICATION_SUCCEEDED)
|
|
this._reset();
|
|
|
|
this.emit('smartcard-status-changed');
|
|
},
|
|
|
|
_reportInitError: function(where, error) {
|
|
logError(error, where);
|
|
|
|
this._queueMessage(_("Authentication error"), MessageType.ERROR);
|
|
this._verificationFailed(false);
|
|
},
|
|
|
|
_reauthenticationChannelOpened: function(client, result) {
|
|
try {
|
|
this._userVerifier = client.open_reauthentication_channel_finish(result);
|
|
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
return;
|
|
} catch(e if e.matches(Gio.DBusError, Gio.DBusError.ACCESS_DENIED) &&
|
|
!this._reauthOnly) {
|
|
// Gdm emits org.freedesktop.DBus.Error.AccessDenied when there is
|
|
// no session to reauthenticate. Fall back to performing verification
|
|
// from this login session
|
|
client.get_user_verifier(this._cancellable, Lang.bind(this, this._userVerifierGot));
|
|
return;
|
|
} catch(e) {
|
|
this._reportInitError('Failed to open reauthentication channel', e);
|
|
return;
|
|
}
|
|
|
|
this.reauthenticating = true;
|
|
this._connectSignals();
|
|
this._beginVerification();
|
|
},
|
|
|
|
_userVerifierGot: function(client, result) {
|
|
try {
|
|
this._userVerifier = client.get_user_verifier_finish(result);
|
|
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
return;
|
|
} catch(e) {
|
|
this._reportInitError('Failed to obtain user verifier', e);
|
|
return;
|
|
}
|
|
|
|
this._connectSignals();
|
|
this._beginVerification();
|
|
},
|
|
|
|
_connectSignals: function() {
|
|
this._userVerifier.connect('info', Lang.bind(this, this._onInfo));
|
|
this._userVerifier.connect('problem', Lang.bind(this, this._onProblem));
|
|
this._userVerifier.connect('info-query', Lang.bind(this, this._onInfoQuery));
|
|
this._userVerifier.connect('secret-info-query', Lang.bind(this, this._onSecretInfoQuery));
|
|
this._userVerifier.connect('conversation-stopped', Lang.bind(this, this._onConversationStopped));
|
|
this._userVerifier.connect('reset', Lang.bind(this, this._onReset));
|
|
this._userVerifier.connect('verification-complete', Lang.bind(this, this._onVerificationComplete));
|
|
},
|
|
|
|
_getForegroundService: function() {
|
|
if (this._oVirtCredentialsManager.hasToken())
|
|
return OVIRT_SERVICE_NAME;
|
|
if (this.smartcardDetected)
|
|
return SMARTCARD_SERVICE_NAME;
|
|
|
|
return this._defaultService;
|
|
},
|
|
|
|
serviceIsForeground: function(serviceName) {
|
|
return serviceName == this._getForegroundService();
|
|
},
|
|
|
|
serviceIsDefault: function(serviceName) {
|
|
return serviceName == this._defaultService;
|
|
},
|
|
|
|
_updateDefaultService: function() {
|
|
if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
|
|
this._defaultService = PASSWORD_SERVICE_NAME;
|
|
else if (this.smartcardDetected)
|
|
this._defaultService = SMARTCARD_SERVICE_NAME;
|
|
else if (this._haveFingerprintReader)
|
|
this._defaultService = FINGERPRINT_SERVICE_NAME;
|
|
},
|
|
|
|
_startService: function(serviceName) {
|
|
if (this._userName) {
|
|
this._userVerifier.call_begin_verification_for_user(serviceName,
|
|
this._userName,
|
|
this._cancellable,
|
|
Lang.bind(this, function(obj, result) {
|
|
try {
|
|
obj.call_begin_verification_for_user_finish(result);
|
|
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
return;
|
|
} catch(e) {
|
|
this._reportInitError('Failed to start verification for user', e);
|
|
return;
|
|
}
|
|
}));
|
|
} else {
|
|
this._userVerifier.call_begin_verification(serviceName,
|
|
this._cancellable,
|
|
Lang.bind(this, function(obj, result) {
|
|
try {
|
|
obj.call_begin_verification_finish(result);
|
|
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
return;
|
|
} catch(e) {
|
|
this._reportInitError('Failed to start verification', e);
|
|
return;
|
|
}
|
|
}));
|
|
}
|
|
},
|
|
|
|
_beginVerification: function() {
|
|
this._startService(this._getForegroundService());
|
|
|
|
if (this._userName && this._haveFingerprintReader && !this.serviceIsForeground(FINGERPRINT_SERVICE_NAME))
|
|
this._startService(FINGERPRINT_SERVICE_NAME);
|
|
},
|
|
|
|
_onInfo: function(client, serviceName, info) {
|
|
if (this.serviceIsForeground(serviceName)) {
|
|
this._queueMessage(info, MessageType.INFO);
|
|
} else if (serviceName == FINGERPRINT_SERVICE_NAME &&
|
|
this._haveFingerprintReader) {
|
|
// We don't show fingerprint messages directly since it's
|
|
// not the main auth service. Instead we use the messages
|
|
// as a cue to display our own message.
|
|
|
|
// Translators: this message is shown below the password entry field
|
|
// to indicate the user can swipe their finger instead
|
|
this._queueMessage(_("(or swipe finger)"), MessageType.HINT);
|
|
}
|
|
},
|
|
|
|
_onProblem: function(client, serviceName, problem) {
|
|
if (!this.serviceIsForeground(serviceName))
|
|
return;
|
|
|
|
this._queueMessage(problem, MessageType.ERROR);
|
|
},
|
|
|
|
_onInfoQuery: function(client, serviceName, question) {
|
|
if (!this.serviceIsForeground(serviceName))
|
|
return;
|
|
|
|
this.emit('ask-question', serviceName, question, '');
|
|
},
|
|
|
|
_onSecretInfoQuery: function(client, serviceName, secretQuestion) {
|
|
if (!this.serviceIsForeground(serviceName))
|
|
return;
|
|
|
|
if (serviceName == OVIRT_SERVICE_NAME) {
|
|
// The only question asked by this service is "Token?"
|
|
this.answerQuery(serviceName, this._oVirtCredentialsManager.getToken());
|
|
return;
|
|
}
|
|
|
|
this.emit('ask-question', serviceName, secretQuestion, '\u25cf');
|
|
},
|
|
|
|
_onReset: function() {
|
|
this._reset();
|
|
},
|
|
|
|
_onVerificationComplete: function() {
|
|
this.verificationStatus = VerificationStatus.VERIFICATION_SUCCEEDED;
|
|
},
|
|
|
|
_verificationFailed: function(retry) {
|
|
// For Not Listed / enterprise logins, immediately reset
|
|
// the dialog
|
|
// Otherwise, we allow ALLOWED_FAILURES attempts. After that, we
|
|
// go back to the welcome screen.
|
|
|
|
this._failCounter++;
|
|
let canRetry = retry && this._userName &&
|
|
this._failCounter < this._settings.get_int(ALLOWED_FAILURES_KEY);
|
|
|
|
this.verificationStatus = VerificationStatus.VERIFICATION_FAILED;
|
|
this.emit('verification-failed');
|
|
|
|
this._doAfterPendingMessages(Lang.bind(this, function() {
|
|
if (canRetry)
|
|
this._beginAuthentication();
|
|
else
|
|
this.clear();
|
|
}));
|
|
},
|
|
|
|
_onConversationStopped: function(client, serviceName) {
|
|
// If the login failed with the preauthenticated oVirt credentials
|
|
// then discard the credentials and revert to default authentication
|
|
// mechanism.
|
|
if (this.serviceIsForeground(OVIRT_SERVICE_NAME)) {
|
|
this._oVirtCredentialsManager.resetToken();
|
|
this._verificationFailed(false);
|
|
return;
|
|
}
|
|
|
|
// if the password service fails, then cancel everything.
|
|
// But if, e.g., fingerprint fails, still give
|
|
// password authentication a chance to succeed
|
|
if (this.serviceIsForeground(serviceName)) {
|
|
this._verificationFailed(true);
|
|
}
|
|
},
|
|
});
|
|
Signals.addSignalMethods(ShellUserVerifier.prototype);
|