FR: SAML Sign In - Interstitial page to send users directly to IdP login screen

chrome/browser/resources/chromeos/login/screen_gaia_signin.js

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * @fileoverview Oobe signin screen implementation.
  */
 
 login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
   // GAIA animation guard timer. Started when GAIA page is loaded
   // (Authenticator 'ready' event) and is intended to guard against edge cases
   // when 'showView' message is not generated/received.
   /** @const */ var GAIA_ANIMATION_GUARD_MILLISEC = 300;
 
   // Maximum Gaia loading time in seconds.
   /** @const */ var MAX_GAIA_LOADING_TIME_SEC = 60;
 
   // The help topic regarding user not being in the whitelist.
   /** @const */ var HELP_CANT_ACCESS_ACCOUNT = 188036;
 
   // Amount of time the user has to be idle for before showing the online login
   // page.
   /** @const */ var IDLE_TIME_UNTIL_EXIT_OFFLINE_IN_MILLISECONDS = 180 * 1000;
 
   // Approximate amount of time between checks to see if we should go to the
   // online login page when we're in the offline login page and the device is
   // online.
   /** @const */ var IDLE_TIME_CHECK_FREQUENCY = 5 * 1000;
 
+  /**
+   * The modes this screen can be in.
+   * @enum {integer}
+   */
+  var ScreenMode = {
+    DEFAULT: 0,           // Default GAIA login flow.
+    OFFLINE: 1,           // GAIA offline login.
+    SAML_INTERSTITIAL: 2  // Interstitial page before SAML redirection.
+  };
+
   return {
     EXTERNAL_API: [
       'loadAuthExtension',
       'doReload',
       'monitorOfflineIdle',
       'updateControlsState',
       'showWhitelistCheckFailedError',
     ],
 
     /**
      * Saved gaia auth host load params.
      * @type {?string}
      * @private
      */
     gaiaAuthParams_: null,
 
     /**
-     * Whether offline version of Gaia page is used.
-     * @type {boolean}
+     * Current mode of this screen.
+     * @type {integer}
      * @private
      */
-    isOffline_: false,
+    screenMode_: ScreenMode.DEFAULT,
 
     /**
      * Email of the user, which is logging in using offline mode.
      * @type {string}
      */
     email: '',
 
     /**
      * Timer id of pending load.
      * @type {number}
      * @private
      */
     loadingTimer_: undefined,
 
     /**
      * Timer id of a guard timer that is fired in case 'showView' message
      * is not received from GAIA.
      * @type {number}
      * @private
      */
     loadAnimationGuardTimer_: undefined,
 
     /**
      * Whether we've processed 'showView' message - either from GAIA or from
      * guard timer.
      * @type {boolean}
      * @private
      */
-    showViewProcessed_: undefined,
+    showViewProcessed_: false,
 
     /**
      * Whether we've processed 'authCompleted' message.
      * @type {boolean}
      * @private
      */
     authCompleted_: false,
 
     /**
      * Value contained in the last received 'backButton' event.
      * @type {boolean}
      * @private
      */
     lastBackMessageValue_: false,
 
     /**
      * Whether the dialog could be closed.
      * @type {boolean}
      */
     get closable() {
-      return !!$('pod-row').pods.length || this.isOffline;
+      return !!$('pod-row').pods.length || this.isOffline();
     },
 
     /**
      * Returns true if GAIA is at the begging of flow (i.e. the email page).
      * @type {boolean}
      */
     isAtTheBeginning: function() {
       return !this.navigation_.backVisible &&
              !this.isSAML() &&
              !this.classList.contains('whitelist-error') &&
              !this.authCompleted_;
     },
 
     /**
      * Updates visibility of navigation buttons.
      */
     updateControlsState: function() {
       var isWhitelistError = this.classList.contains('whitelist-error');
 
       this.navigation_.backVisible =
         this.lastBackMessageValue_ &&
         !isWhitelistError &&
         !this.authCompleted_ &&
         !this.loading &&
         !this.isSAML();
 
       this.navigation_.refreshVisible =
-        !this.closable && this.isAtTheBeginning();
+        !this.closable && this.isAtTheBeginning() &&
+        this.screenMode_ != ScreenMode.SAML_INTERSTITIAL;
 
       this.navigation_.closeVisible =
         !this.navigation_.refreshVisible &&
         !isWhitelistError &&
-        !this.authCompleted;
+        !this.authCompleted &&
+        this.screenMode_ != ScreenMode.SAML_INTERSTITIAL;
 
       $('login-header-bar').updateUI_();
     },
 
     /**
      * SAML password confirmation attempt count.
      * @type {number}
      */
     samlPasswordConfirmAttempt_: 0,
 
@@ skipping 22 matching lines @@
       this.gaiaAuthHost_ = new cr.login.GaiaAuthHost($('signin-frame'));
       this.gaiaAuthHost_.addEventListener(
           'ready', this.onAuthReady_.bind(this));
 
       var that = this;
       [this.gaiaAuthHost_, $('offline-gaia')].forEach(function(frame) {
         // Ignore events from currently inactive frame.
         var frameFilter = function(callback) {
           return function(e) {
             var isEventOffline = frame === $('offline-gaia');
-            if (isEventOffline === that.isOffline)
+            if (isEventOffline === that.isOffline())
               callback.call(that, e);
           };
         };
 
         frame.addEventListener('authCompleted',
                                frameFilter(that.onAuthCompletedMessage_));
         frame.addEventListener('backButton', frameFilter(that.onBackButton_));
         frame.addEventListener('dialogShown', frameFilter(that.onDialogShown_));
         frame.addEventListener('dialogHidden',
                                frameFilter(that.onDialogHidden_));
@@ skipping 33 matching lines @@
         this.cancel();
       }.bind(this));
 
       $('gaia-whitelist-error').addEventListener('buttonclick', function() {
          this.showWhitelistCheckFailedError(false);
       }.bind(this));
 
       $('gaia-whitelist-error').addEventListener('linkclick', function() {
         chrome.send('launchHelpApp', [HELP_CANT_ACCESS_ACCOUNT]);
       });
+
+      // Register handlers for the saml interstitial page events.
+      $('saml-interstitial').addEventListener('samlPageNextClicked',
+                                              function() {
+        if (this.screenMode_ != ScreenMode.SAML_INTERSTITIAL)

[xiyuan, 2016/03/28 20:58:40]

nit: seem unnecessary since the event could only be dispatched when screenMode
is ScreenMode.SAML_INTERSTITIAL.

[afakhry, 2016/03/28 23:15:32]

I was just being paranoid! :)
Done.

+          return;
+
+        this.screenMode = ScreenMode.DEFAULT;
+        this.loadGaiaAuthHost_(true /* doSamlRedirect */);
+      }.bind(this));
+      $('saml-interstitial').addEventListener('samlPageChangeAccountClicked',
+                                              function() {
+        if (this.screenMode_ != ScreenMode.SAML_INTERSTITIAL)

[xiyuan, 2016/03/28 20:58:40]

nit: ditto

[afakhry, 2016/03/28 23:15:32]

Done.

+          return;
+
+        this.screenMode = ScreenMode.DEFAULT;
+        this.loadGaiaAuthHost_(false /* doSamlRedirect */);
+      }.bind(this));
     },
 
     /**
+     * Loads the authenticator and updates the UI to reflect the loading state.
+     * @param {boolean} doSamlRedirect If the authenticator should do
+     * authentication by automatic redirection to the SAML-based enrollment

[xiyuan, 2016/03/28 20:58:40]

nit: wrong indent

[afakhry, 2016/03/28 23:15:32]

Done.

[xiyuan, 2016/03/29 02:10:49]

What you did in new patch is fine but I meant to indent 4 spaces on 2nd line, :)


i.e.

  * @param {boolean} doSamlRedirect If the authenticator should do
  *     authentication by automatic redirection to the SAML-based

[afakhry, 2016/03/29 03:12:02]

Done.

+     * enterprise domain IdP.
+     */
+    loadGaiaAuthHost_: function(doSamlRedirect) {
+      this.loading = true;
+      this.startLoadingTimer_();
+
+      this.gaiaAuthParams_.doSamlRedirect = doSamlRedirect;
+      this.gaiaAuthHost_.load(cr.login.GaiaAuthHost.AuthMode.DEFAULT,
+                              this.gaiaAuthParams_);
+    },
+
+    /**
      * Header text of the screen.
      * @type {string}
      */
     get header() {
       return loadTimeData.getString('signinScreenTitle');
     },
 
     /**
      * Returns true if offline version of Gaia is used.
      * @type {boolean}
      */
-    get isOffline() {
-      return this.isOffline_;
+    isOffline: function() {
+      return this.screenMode_ == ScreenMode.OFFLINE;
     },
 
     /**
-     * Sets whether offline version of Gaia is used.
-     * @param {boolean} value Whether offline version of Gaia is used.
+     * Sets the current screen mode and updates the visible elements
+     * accordingly.
+     * @param {integer} value The screen mode.
      */
-    set isOffline(value) {
-      this.isOffline_ = !!value;
-      $('signin-frame').hidden = this.isOffline_;
-      $('offline-gaia').hidden = !this.isOffline_;
-      chrome.send('updateOfflineLogin', [value]);
+    set screenMode(value) {
+      this.screenMode_ = value;
+      switch (this.screenMode_) {
+        case ScreenMode.DEFAULT:
+          $('signin-frame').hidden = false;
+          $('offline-gaia').hidden = true;
+          $('saml-interstitial').hidden = true;
+          break;
+        case ScreenMode.OFFLINE:
+          $('signin-frame').hidden = true;
+          $('offline-gaia').hidden = false;
+          $('saml-interstitial').hidden = true;
+          break;
+        case ScreenMode.SAML_INTERSTITIAL:
+          $('signin-frame').hidden = true;
+          $('offline-gaia').hidden = true;
+          $('saml-interstitial').hidden = false;
+          break;
+      }
+

[xiyuan, 2016/03/28 20:58:40]

Should we call this.updateControlsState() since |screenMode_| is relevant to
control states?

[afakhry, 2016/03/28 23:15:32]

Done.

+      chrome.send('updateOfflineLogin', [this.isOffline()]);
     },
 
     /**
      * This enables or disables trying to go back to the online login page
      * after the user is idle for a few minutes, assuming that we're currently
      * in the offline one. This is only applicable when the offline page is
      * currently active. It is intended that when the device goes online, this
      * gets called with true; when it goes offline, this gets called with
      * false.
      */
@@ skipping 12 matching lines @@
       if (!self.updateActivityTime_) {
         self.updateActivityTime_ = function() {
           self.mostRecentUserActivity_ = Date.now();
         };
       }
 
       // Begin monitoring.
       if (shouldMonitor) {
         // If we're not using the offline login page or we're already
         // monitoring, then we don't need to do anything.
-        if (!self.isOffline || self.tryToGoToOnlineLoginPageCallbackId_ !== -1)
+        if (!self.isOffline() ||
+            self.tryToGoToOnlineLoginPageCallbackId_ !== -1) {
           return;
+        }
 
         self.mostRecentUserActivity_ = Date.now();
         ACTIVITY_EVENTS.forEach(function(event) {
           document.addEventListener(event, self.updateActivityTime_);
         });
 
         self.tryToGoToOnlineLoginPageCallbackId_ = setInterval(function() {
           // If we're not in the offline page or the signin page, then we want
           // to terminate monitoring.
-          if (!self.isOffline ||
+          if (!self.isOffline() ||
               Oobe.getInstance().currentScreen.id != 'gaia-signin') {
             self.monitorOfflineIdle(false);
             return;
           }
 
           var idleDuration = Date.now() - self.mostRecentUserActivity_;
           if (idleDuration > IDLE_TIME_UNTIL_EXIT_OFFLINE_IN_MILLISECONDS) {
             self.monitorOfflineIdle(false);
             Oobe.resetSigninUI(true);
           }
@@ skipping 14 matching lines @@
       }
     },
 
     /**
      * Shows/hides loading UI.
      * @param {boolean} show True to show loading UI.
      * @private
      */
     showLoadingUI_: function(show) {
       $('gaia-loading').hidden = !show;
-      this.getSigninFrame_().hidden = show;
+      if (this.screenMode_ != ScreenMode.DEFAULT)
+        this.getSigninFrame_().hidden = show;
+      this.getSigninFrame_().classList.toggle('show', !show);
       this.classList.toggle('loading', show);
-      $('signin-frame').classList.remove('show');
       this.updateControlsState();
     },
 
     /**
      * Handler for Gaia loading timeout.
      * @private
      */
     onLoadingTimeOut_: function() {
       if (this != Oobe.getInstance().currentScreen)
         return;
@@ skipping 66 matching lines @@
 
       this.showLoadingUI_(loading);
     },
 
     /**
      * Event handler that is invoked just before the frame is shown.
      * @param {string} data Screen init payload. Url of auth extension start
      *                      page.
      */
     onBeforeShow: function(data) {
+      this.screenMode = ScreenMode.DEFAULT;
+      this.loading = true;
       chrome.send('loginUIStateChanged', ['gaia-signin', true]);
       $('progress-dots').hidden = true;
       $('login-header-bar').signinUIState = SIGNIN_UI_STATE.GAIA_SIGNIN;
 
       // Ensure that GAIA signin (or loading UI) is actually visible.
       window.requestAnimationFrame(function() {
         chrome.send('loginVisible', ['gaia-loading']);
       });
 
-      this.classList.toggle('loading', this.loading);
-
       // Button header is always visible when sign in is presented.
       // Header is hidden once GAIA reports on successful sign in.
       Oobe.getInstance().headerHidden = false;
 
       this.lastBackMessageValue_ = false;
       this.updateControlsState();
     },
 
     getSigninFrame_: function() {
-      return this.isOffline ? $('offline-gaia') : $('signin-frame');
+      switch (this.screenMode_) {
+        case ScreenMode.DEFAULT:
+          return $('signin-frame');
+        case ScreenMode.OFFLINE:
+          return $('offline-gaia');
+        case ScreenMode.SAML_INTERSTITIAL:
+          return $('saml-interstitial');
+      }
     },
 
     focusSigninFrame: function() {
       this.getSigninFrame_().focus();
     },
 
     onAfterShow: function() {
       if (!this.loading)
         this.focusSigninFrame();
     },
 
     /**
      * Event handler that is invoked just before the screen is hidden.
      */
     onBeforeHide: function() {
       chrome.send('loginUIStateChanged', ['gaia-signin', false]);
       $('login-header-bar').signinUIState = SIGNIN_UI_STATE.HIDDEN;
       $('offline-gaia').switchToEmailCard(false /* animated */);
     },
 
     /**
      * Loads the authentication extension into the iframe.
      * @param {Object} data Extension parameters bag.
      * @private
      */
     loadAuthExtension: function(data) {
-      this.isOffline = data.useOffline;
+      this.screenMode = data.screenMode;
       this.email = '';
       this.authCompleted_ = false;
       this.lastBackMessageValue_ = false;
-
-      // Reset SAML
-      this.classList.toggle('full-width', false);
-      this.samlPasswordConfirmAttempt_ = 0;
+      $('saml-interstitial').domain = data.enterpriseDomain;

[xiyuan, 2016/03/28 20:58:40]

nit: Move this into "case ScreenMode.SAML_INTERSTITIAL:" switch case?

[afakhry, 2016/03/28 23:15:32]

Done.

 
       this.updateAuthExtension_(data);
 
       var params = {};
       for (var i in cr.login.GaiaAuthHost.SUPPORTED_PARAMS) {
         var name = cr.login.GaiaAuthHost.SUPPORTED_PARAMS[i];
         if (data[name])
           params[name] = data[name];
       }
 
-      if (data.enterpriseInfoMessage)
-        params.enterpriseInfoMessage = data.enterpriseInfoMessage;
-
       params.isNewGaiaFlow = true;
+      params.doSamlRedirect =
+        (this.screenMode_ == ScreenMode.SAML_INTERSTITIAL);

[xiyuan, 2016/03/28 20:58:40]

nit: wrong indent?

[afakhry, 2016/03/28 23:15:32]

Done.

 
       // Screen size could have been changed because of 'full-width' classes.
       if (Oobe.getInstance().currentScreen === this)
         Oobe.getInstance().updateScreenSize(this);
 
       if (data.forceReload ||
           JSON.stringify(this.gaiaAuthParams_) != JSON.stringify(params)) {
         this.gaiaAuthParams_ = params;
-        this.loading = true;
-        this.startLoadingTimer_();
 
-        if (this.isOffline) {
-          this.loadOffline(params);
-        } else {
-          this.gaiaAuthHost_.load(cr.login.GaiaAuthHost.AuthMode.DEFAULT,
-                                  params);
+        switch (this.screenMode_) {
+          case ScreenMode.DEFAULT:
+            this.loadGaiaAuthHost_(false /* doSamlRedirect */);
+            break;
+
+          case ScreenMode.OFFLINE:
+            this.loadOffline(params);
+            break;
+
+          case ScreenMode.SAML_INTERSTITIAL:
+            if (this.loading)
+              this.loading = false;
+            break;
         }
       }
       this.updateControlsState();
     },
 
     /**
      * Updates the authentication extension with new parameters, if needed.
      * @param {Object} data New extension parameters bag.
      * @private
      */
     updateAuthExtension_: function(data) {
       $('login-header-bar').showCreateSupervisedButton =
           data.supervisedUsersCanCreate;
       $('login-header-bar').showGuestButton = data.guestSignin;
 
       this.updateControlsState();
 
+      // Reset SAML
       this.classList.toggle('full-width', false);
+      this.samlPasswordConfirmAttempt_ = 0;
       if (Oobe.getInstance().currentScreen === this)
         Oobe.getInstance().updateScreenSize(this);
     },
 
     /**
      * Whether the current auth flow is SAML.
      */
     isSAML: function() {
        return this.gaiaAuthHost_.authFlow ==
            cr.login.GaiaAuthHost.AuthFlow.SAML;
     },
 
     /**
      * Invoked when the authDomain property is changed on the GAIA host.
      */
     onAuthDomainChange_: function() {
       $('saml-notice-message').textContent = loadTimeData.getStringF(
           'samlNotice',
           this.gaiaAuthHost_.authDomain);
     },
 
     /**
      * Invoked when the authFlow property is changed on the GAIA host.
      */
     onAuthFlowChange_: function() {
       var isSAML = this.isSAML();
 
+      if (isSAML && this.loading)

[xiyuan, 2016/03/28 20:58:40]

Think we should fix this in authenticator.js. That is, if 'ready' is not
dispatched when Authenticator.prototype.onAuthPageLoaded_ is called, dispatch it
there.

[afakhry, 2016/03/28 23:15:32]

Done.

+        this.onAuthReady_();
+
       this.classList.toggle('full-width', isSAML);
       $('saml-notice-container').hidden = !isSAML;
 
       if (Oobe.getInstance().currentScreen === this) {
         Oobe.getInstance().updateScreenSize(this);
       }
 
       this.updateControlsState();
     },
 
     /**
      * Invoked when the auth host emits 'ready' event.
      * @private
      */
     onAuthReady_: function() {
-      showViewProcessed_ = false;
+      this.showViewProcessed_ = false;
       this.startLoadAnimationGuardTimer_();
       this.clearLoadingTimer_();
       this.loading = false;
 
       // Warm up the user images screen.
       Oobe.getInstance().preloadScreen({id: SCREEN_USER_IMAGE_PICKER});
     },
 
     /**
      * Invoked when the auth host emits 'dialogShown' event.
@@ skipping 20 matching lines @@
       this.lastBackMessageValue_ = !!e.detail;
       this.updateControlsState();
     },
 
     /**
      * Invoked when the auth host emits 'showView' event or when corresponding
      * guard time fires.
      * @private
      */
     onShowView_: function(e) {
-      if (showViewProcessed_)
+      if (this.showViewProcessed_)
         return;
 
-      showViewProcessed_ = true;
+      this.showViewProcessed_ = true;
       this.clearLoadAnimationGuardTimer_();
-      $('signin-frame').classList.add('show');
+      this.getSigninFrame_().classList.toggle('show', true);
       this.onLoginUIVisible_();
     },
 
     /**
      * Called when UI is shown.
      * @private
      */
     onLoginUIVisible_: function() {
       // Show deferred error bubble.
       if (this.errorBubble_) {
@@ skipping 170 matching lines @@
 
     /**
      * Clears input fields and switches to input mode.
      * @param {boolean} takeFocus True to take focus.
      * @param {boolean} forceOnline Whether online sign-in should be forced.
      * If |forceOnline| is false previously used sign-in type will be used.
      */
     reset: function(takeFocus, forceOnline) {
       // Reload and show the sign-in UI if needed.
       if (takeFocus) {
-        if (!forceOnline && this.isOffline) {
+        if (!forceOnline && this.isOffline()) {
           // Show 'Cancel' button to allow user to return to the main screen
           // (e.g. this makes sense when connection is back).
           Oobe.getInstance().headerHidden = false;
           $('login-header-bar').signinUIState = SIGNIN_UI_STATE.GAIA_SIGNIN;
           // Do nothing, since offline version is reloaded after an error comes.
         } else {
           Oobe.showSigninUI();
         }
       }
     },
 
     /**
      * Reloads extension frame.
      */
     doReload: function() {
-      if (this.isOffline)
+      if (this.isOffline())
         return;
       this.gaiaAuthHost_.reload();
       this.loading = true;
       this.startLoadingTimer_();
       this.lastBackMessageValue_ = false;
       this.authCompleted_ = false;
       this.updateControlsState();
     },
 
     /**
      * Shows sign-in error bubble.
      * @param {number} loginAttempts Number of login attemps tried.
      * @param {HTMLElement} content Content to show in bubble.
      */
     showErrorBubble: function(loginAttempts, error) {
-      if (this.isOffline) {
+      if (this.isOffline()) {
         $('add-user-button').hidden = true;
         // Reload offline version of the sign-in extension, which will show
         // error itself.
         chrome.send('offlineLogin', [this.email]);
       } else if (!this.loading) {
         // TODO(dzhioev): investigate if this branch ever get hit.
         $('bubble').showContentForElement($('gaia-signin-form-container'),
                                           cr.ui.Bubble.Attachment.LEFT,
                                           error);
       } else {
@@ skipping 33 matching lines @@
     onIdentifierEntered: function(data) {
       chrome.send('identifierEntered', [data.accountIdentifier]);
     },
 
     /**
      * Sets enterprise info strings for offline gaia.
      * Also sets callback and sends message whether we already have email and
      * should switch to the password screen with error.
      */
     loadOffline: function(params) {
+      this.loading = true;
+      this.startLoadingTimer_();
       var offlineLogin = $('offline-gaia');
-      if ('enterpriseInfoMessage' in params)
-        offlineLogin.enterpriseInfo = params['enterpriseInfoMessage'];
+      offlineLogin.showEnterpriseMessage = !!('enterpriseDomain' in params);
       if ('emailDomain' in params)
         offlineLogin.emailDomain = '@' + params['emailDomain'];
       offlineLogin.setEmail(params.email);
       this.onAuthReady_();
     },
 
     /**
      * Show/Hide error when user is not in whitelist. When UI is hidden
      * GAIA is reloaded.
      * @param {boolean} show Show/hide error UI.
@@ skipping 10 matching lines @@
       this.classList.toggle('whitelist-error', show);
       this.loading = !show;
 
       if (!show)
         Oobe.showSigninUI();
 
       this.updateControlsState();
     }
   };
 });