UI for lock screen online re-authentication

The saml user will be forced to re-authenticate through online flow in the lockscreen. This feature is enable by setting kDefaultSamlLockScreenReauthenticationEnabled to true. Bug: 1113295 Change-Id: I7f89408aca31de9137006d5cbb96cfc91ee708d8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339359 Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Commit-Queue: Mohammed Abdon <mohammedabdon@chromium.org> Cr-Commit-Position: refs/heads/master@{#811655}
marcosholgado · Sep 29, 2020 · 63db7d5 · 63db7d5
1 parent 85f072c
commit 63db7d5
Show file tree

Hide file tree

Showing 26 changed files with 601 additions and 7 deletions.
diff --git a/chrome/app/chromeos_strings.grdp b/chrome/app/chromeos_strings.grdp
@@ -2597,6 +2597,27 @@
   <message name="IDS_ENTERPRISE_LOGIN_ERROR_ALLOWLIST" desc="Couldn't sign in because user is not authorized by the administrator.">
     You are not authorized to use this device. Please contact the administrator for sign-in permission.
   </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_ACCOUNT" desc="Title of online account verification on the lock screen">
+    Verify account
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_BUTTON" desc="Next button for online account verification on the lock screen">
+    Verify
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON" desc="Next button for 2nd online account verification on the lock screen">
+    Verify again
+  </message>
+  <message name="IDS_LOCK_SCREEN_CANCEL_BUTTON" desc="Cancel button for online account verification on the lock screen">
+    Cancel
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFICATION_FAILED" desc="Title of incorrect user online reauthentication on the lock screen">
+    Verification was not successful
+  </message>
+  <message name="IDS_LOCK_SCREEN_WRONG_USER" desc="User that was not logged in tries to unlock the device">
+    The account you verified is not authorized to access this device. Please make sure you are verifying <ph name="ACCOUNT">$1<ex>test@example.com</ex></ph> to unlock the session.
+  </message>
+  <message name="IDS_LOCK_SCREEN_REAUTH_SUBTITLE" desc="Subtitle for lock screen user re-auth dialog">
+    Sign in to <ph name="ACCOUNT">$1<ex>test@example.com</ex></ph> again to verify this account
+  </message>
   <message name="IDS_LOGIN_ERROR_GOOGLE_ACCOUNT_NOT_ALLOWED" desc="Couldn't sign into Google account on the Active Directory managed device.">
     Sorry, Google accounts are not allowed on this device.
   </message>

diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_CANCEL_BUTTON.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_CANCEL_BUTTON.png.sha1
@@ -0,0 +1 @@
+078b283c6e11478112e9461ae86bf07a0f9aceb7
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_REAUTH_SUBTITLE.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_REAUTH_SUBTITLE.png.sha1
@@ -0,0 +1 @@
+078b283c6e11478112e9461ae86bf07a0f9aceb7
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFICATION_FAILED.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFICATION_FAILED.png.sha1
@@ -0,0 +1 @@
+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_ACCOUNT.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_ACCOUNT.png.sha1
@@ -0,0 +1 @@
+078b283c6e11478112e9461ae86bf07a0f9aceb7
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON.png.sha1
@@ -0,0 +1 @@
+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_BUTTON.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_BUTTON.png.sha1
@@ -0,0 +1 @@
+078b283c6e11478112e9461ae86bf07a0f9aceb7
diff --git a/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_WRONG_USER.png.sha1 b/chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_WRONG_USER.png.sha1
@@ -0,0 +1 @@
+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
diff --git a/chrome/browser/browser_resources.grd b/chrome/browser/browser_resources.grd
@@ -267,7 +267,10 @@
         <include name="IDR_CONFIRM_PASSWORD_CHANGE_JS" file="resources\chromeos\password_change\confirm_password_change.js" type="chrome_html" />
         <include name="IDR_URGENT_PASSWORD_EXPIRY_NOTIFICATION_HTML" file="resources\chromeos\password_change\urgent_password_expiry_notification.html" flattenhtml="true" allowexternalscript="true" type="chrome_html" />
         <include name="IDR_URGENT_PASSWORD_EXPIRY_NOTIFICATION_JS" file="resources\chromeos\password_change\urgent_password_expiry_notification.js" type="chrome_html" />
-
+        <include name="IDR_GAIA_AUTH_AUTHENTICATOR_JS" file="resources\gaia_auth_host\authenticator.js" flattenhtml="true" type="BINDATA" />
+        <include name="IDR_LOCK_SCREEN_REAUTH_HTML" file="resources\chromeos\password_change\lock_screen_reauth.html" flattenhtml="true" type="BINDATA" />
+        <include name="IDR_LOCK_SCREEN_REAUTH_JS" file="resources\chromeos\password_change\lock_screen_reauth.js" type="BINDATA" />
+
         <include name="IDR_CROSTINI_INSTALLER_INDEX_HTML" file="resources\chromeos\crostini_installer\index.html" type="BINDATA" />
         <include name="IDR_CROSTINI_INSTALLER_APP_JS" file="${root_gen_dir}\chrome\browser\resources\chromeos\crostini_installer\app.js" type="BINDATA" use_base_dir="false" />
         <include name="IDR_CROSTINI_INSTALLER_BROWSER_PROXY_JS" file="resources\chromeos\crostini_installer\browser_proxy.js" type="BINDATA" />

diff --git a/chrome/browser/chromeos/login/saml/in_session_password_sync_manager.cc b/chrome/browser/chromeos/login/saml/in_session_password_sync_manager.cc
@@ -26,7 +26,6 @@ InSessionPasswordSyncManager::InSessionPasswordSyncManager(
       clock_(base::DefaultClock::GetInstance()),
       primary_user_(ProfileHelper::Get()->GetUserByProfile(primary_profile)) {
   DCHECK(primary_user_);
-
   auto* session_manager = session_manager::SessionManager::Get();
   // Extra check as SessionManager may be not initialized in some unit
   // tests

diff --git a/chrome/browser/chromeos/login/saml/in_session_password_sync_manager.h b/chrome/browser/chromeos/login/saml/in_session_password_sync_manager.h
@@ -13,6 +13,7 @@
 #include "base/time/time.h"
 #include "chrome/browser/chromeos/login/saml/password_sync_token_fetcher.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h"
 #include "chromeos/components/proximity_auth/screenlock_bridge.h"
 #include "components/account_id/account_id.h"
 #include "components/keyed_service/core/keyed_service.h"
@@ -81,6 +82,8 @@ class InSessionPasswordSyncManager
   void OnTokenVerified(bool is_valid) override;
   void OnApiCallFailed(PasswordSyncTokenFetcher::ErrorType error_type) override;
 
+  std::unique_ptr<LockScreenStartReauthDialog> lock_screen_start_reauth_dialog;
+
  private:
   void UpdateOnlineAuth();
   // Password sync token API calls.

diff --git a/chrome/browser/resources/chromeos/password_change/lock_screen_reauth.html b/chrome/browser/resources/chromeos/password_change/lock_screen_reauth.html
@@ -0,0 +1,129 @@
+<!doctype html>
+<html dir="$i18n{textdirection}" lang="$i18n{language}">
+
+<head>
+  <include src="../login/components/oobe_icons.html">
+  <link rel="stylesheet" href="chrome://resources/css/text_defaults.css">
+
+  <script src="chrome://resources/js/cr.js"></script>
+  <script src="chrome://resources/js/cr/event_target.js"></script>
+  <script src="chrome://resources/js/load_time_data.js"></script>
+  <script src="chrome://resources/js/util.js"></script>
+  <script src="chrome://lock-reauth/authenticator.js"></script>
+
+  <script type="module" src="chrome://lock-reauth/lock_screen_reauth.js"></script>
+
+  <dom-module id="lock-reauth">
+    <template>
+      <style>
+        ::part(dialog) {
+          /* The HTML dialog should fill the entire system dialog. */
+          height: 100%;
+          width: 100%;
+          display: flex;
+        }
+
+        ::part(wrapper) {
+          height: 100%;
+          width: 100%;
+          display: flex;
+        }
+
+        #saml-close-button {
+          --cr-icon-button-margin-end: 0;
+          --cr-icon-button-margin-start: 0;
+        }
+
+        [slot='body'],
+        #signin-frame {
+          width: 100%;
+          height: 100%;
+        }
+
+        #title-icon {
+          --iron-icon-height: 32px;
+          --iron-icon-width: 32px;
+          /* #1a73e8 */
+          --iron-icon-fill-color: rgb(26, 115, 232);
+        }
+
+        [slot='header'] {
+          background: white;
+          padding-bottom: 0;
+          padding-inline-end: 64px;
+          padding-inline-start: 64px;
+          padding-top: 64px;
+          flex: 1;
+        }
+
+        [slot='header'],
+        #title {
+          /* #202124 */
+          color: rgb(32, 33, 36);
+          font-size: 28px;
+          font-weight: 400;
+          padding-top: 20px;
+          margin: 0;
+        }
+
+        [slot='header'],
+        #subtitle {
+          /* #5f6368 */
+          color: rgb(95, 99, 104);
+          font-size: 13px;
+          font-weight: 400;
+          padding-top: 8px;
+          margin: 0;
+        }
+
+        [slot="button-container"] {
+          padding: 40px;
+        }
+      </style>
+      <cr-dialog id="dialog" exportparts="dialog">
+        <div slot="header">
+          <iron-icon id="title-icon" icon="oobe-64:alert"></iron-icon>
+          <div id="title" hidden="[[isErrorDisplayed_]]">
+            $i18n{loginWelcomeMessage}
+          </div>
+          <div id="title" hidden="[[!isErrorDisplayed_]]">
+            $i18n{loginWelcomeMessageWithError}
+          </div>
+          <div id="subtitle" hidden="[[isErrorDisplayed_]]">
+            $i18n{lockScreenReauthSubtitile}
+          </div>
+          <div id="subtitle" hidden="[[!isErrorDisplayed_]]">
+            $i18n{lockScreenReauthSubtitileWithError}
+          </div>
+        </div>
+        <div slot="body" hidden="[[isButtonsEnabled_]]">
+          <cr-icon-button id="saml-close-button" iron-icon="cr:close" on-click="onCloseTap_">
+          </cr-icon-button>
+          <webview id="signin-frame" name="signin-frame" class="flex">
+          </webview>
+        </div>
+        <div slot="button-container" class="flex layout horizontal">
+          <cr-button id="cancelButton" class="cancel-button" on-click="onCloseTap_"
+              hidden="[[!isButtonsEnabled_]]">
+            $i18n{lockScreenCancelButton}
+          </cr-button>
+          <cr-button id="nextButton" class="action-button" on-click="onNext_"
+              hidden="[[!isVerifyButtonEnabled_]]">
+            $i18n{lockScreenVerifyButton}
+          </cr-button>
+          <cr-button id="nextButton" class="action-button" on-click="onNext_"
+              hidden="[[!isVerifyAgainButtonEnabled_]]">
+            $i18n{lockScreenVerifyAgainButton}
+          </cr-button>
+        </div>
+      </cr-dialog>
+    </template>
+  </dom-module>
+</head>
+
+<body>
+  <lock-reauth id="main-element">
+  </lock-reauth>
+</body>
+
+</html>
diff --git a/chrome/browser/resources/chromeos/password_change/lock_screen_reauth.js b/chrome/browser/resources/chromeos/password_change/lock_screen_reauth.js
@@ -0,0 +1,106 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+/**
+ * @fileoverview An UI component to let user init online re-auth flow on
+ * the lock screen.
+ */
+
+
+import {assert} from 'chrome://resources/js/assert.m.js';
+import {I18nBehavior} from 'chrome://resources/js/i18n_behavior.m.js';
+import {loadTimeData} from 'chrome://resources/js/load_time_data.m.js';
+import {Polymer} from 'chrome://resources/polymer/v3_0/polymer/polymer_bundled.min.js';
+import 'chrome://resources/cr_elements/cr_button/cr_button.m.js';
+import 'chrome://resources/cr_elements/cr_dialog/cr_dialog.m.js';
+import 'chrome://resources/cr_elements/icons.m.js';
+
+
+Polymer({
+  is: 'lock-reauth',
+  behaviors: [I18nBehavior],
+
+  properties: {
+    isErrorDisplayed_: {
+      type: Boolean,
+      value: false,
+    },
+
+    isButtonsEnabled_: {
+      type: Boolean,
+      value: true,
+    },
+
+    isVerifyButtonEnabled_: {
+      type: Boolean,
+      computed:
+          'computeVerifyButtonEnabled_(isErrorDisplayed_,isButtonsEnabled_)',
+    },
+
+    isVerifyAgainButtonEnabled_: {
+      type: Boolean,
+      computed:
+          'computeVerifyAgainButtonEnabled_(isErrorDisplayed_,isButtonsEnabled_)',
+    },
+  },
+
+  /**
+   * The UI component that hosts IdP pages.
+   * @type {!cr.login.Authenticator|undefined}
+   */
+  authenticator_: undefined,
+
+  /**
+   * Webview that view IdP page
+   * @type {!webview|undefined}
+   * @private
+   */
+  signinFrame_: undefined,
+
+  /** @override */
+  attached() {
+    this.$.dialog.showModal();
+  },
+
+  /** @override */
+  ready() {
+    this.signinFrame_ = this.getSigninFrame_();
+    this.authenticator_ = new cr.login.Authenticator(this.signinFrame_);
+    chrome.send('initialize');
+  },
+
+  /**
+   * @return {!Element}
+   * @private
+   */
+  getSigninFrame_() {
+    // Note: Can't use |this.$|, since it returns cached references to elements
+    // originally present in DOM, while the signin-frame is dynamically
+    // recreated (see Authenticator.setWebviewPartition()).
+    const signinFrame = this.shadowRoot.getElementById('signin-frame');
+    assert(signinFrame);
+    return signinFrame;
+  },
+
+  /** @private */
+  computeVerifyButtonEnabled_(isErrorDisplayed, isButtonsEnabled) {
+    return !isErrorDisplayed && isButtonsEnabled;
+  },
+
+  /** @private */
+  computeVerifyAgainButtonEnabled_(isErrorDisplayed, isButtonsEnabled) {
+    return isErrorDisplayed && isButtonsEnabled;
+  },
+
+  /** @private */
+  onNext_() {
+    this.isButtonsEnabled_ = false;
+  },
+
+  /** @private */
+  onCloseTap_() {
+    chrome.send('dialogClose');
+  },
+
+});
diff --git a/chrome/browser/resources/gaia_auth_host/post_message_channel.js b/chrome/browser/resources/gaia_auth_host/post_message_channel.js
@@ -20,8 +20,12 @@
    * Allowed origins of the hosting page.
    * @type {Array<string>}
    */
-  const ALLOWED_ORIGINS =
-      ['chrome://oobe', 'chrome://chrome-signin', 'chrome://password-change'];
+  const ALLOWED_ORIGINS = [
+    'chrome://oobe',
+    'chrome://chrome-signin',
+    'chrome://password-change',
+    'chrome://lock-reauth'
+  ];
 
   /** @const */
   const PORT_MESSAGE = 'post-message-port-message';

diff --git a/chrome/browser/ui/BUILD.gn b/chrome/browser/ui/BUILD.gn
@@ -2181,6 +2181,12 @@ static_library("ui") {
       "webui/chromeos/image_source.h",
       "webui/chromeos/in_session_password_change/confirm_password_change_handler.cc",
       "webui/chromeos/in_session_password_change/confirm_password_change_handler.h",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_handler.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_handler.h",
+      "webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.h",
       "webui/chromeos/in_session_password_change/password_change_dialogs.cc",
       "webui/chromeos/in_session_password_change/password_change_dialogs.h",
       "webui/chromeos/in_session_password_change/password_change_handler.cc",

diff --git a/chrome/browser/ui/ash/login_screen_client.cc b/chrome/browser/ui/ash/login_screen_client.cc
@@ -15,16 +15,22 @@
 #include "chrome/browser/chromeos/login/help_app_launcher.h"
 #include "chrome/browser/chromeos/login/lock/screen_locker.h"
 #include "chrome/browser/chromeos/login/login_auth_recorder.h"
+#include "chrome/browser/chromeos/login/login_pref_names.h"
 #include "chrome/browser/chromeos/login/reauth_stats.h"
+#include "chrome/browser/chromeos/login/saml/in_session_password_sync_manager.h"
+#include "chrome/browser/chromeos/login/saml/in_session_password_sync_manager_factory.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
 #include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/profiles/profile_metrics.h"
 #include "chrome/browser/ui/ash/wallpaper_controller_client.h"
 #include "chrome/browser/ui/settings_window_manager_chromeos.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h"
 #include "chrome/browser/ui/webui/chromeos/login/l10n_util.h"
 #include "chrome/browser/ui/webui/settings/chromeos/constants/routes.mojom.h"
 #include "chrome/common/webui_url_constants.h"
+#include "components/session_manager/core/session_manager.h"
 #include "components/user_manager/remove_user_delegate.h"
 #include "components/user_manager/user_names.h"
 
@@ -329,5 +335,21 @@ void LoginScreenClient::ShowGaiaSigninInternal(
   if (chromeos::LoginDisplayHost::default_host()) {
     chromeos::LoginDisplayHost::default_host()->ShowGaiaDialog(
         prefilled_account);
+  } else {
+    const user_manager::User* user =
+        user_manager::UserManager::Get()->FindUser(prefilled_account);
+    Profile* profile = chromeos::ProfileHelper::Get()->GetProfileByUser(user);
+    if (profile->GetPrefs()->GetBoolean(
+            chromeos::prefs::kSamlLockScreenReauthenticationEnabled)) {
+      DCHECK(session_manager::SessionManager::Get()->IsScreenLocked());
+      chromeos::InSessionPasswordSyncManager* password_sync_manager =
+          chromeos::InSessionPasswordSyncManagerFactory::GetForProfile(profile);
+      if (!password_sync_manager->lock_screen_start_reauth_dialog) {
+        password_sync_manager->lock_screen_start_reauth_dialog =
+            std::unique_ptr<chromeos::LockScreenStartReauthDialog>(
+                new chromeos::LockScreenStartReauthDialog());
+      }
+      password_sync_manager->lock_screen_start_reauth_dialog->Show();
+    }
   }
 }