Unity 8

debian/control (+1/-0)
plugins/AccountsService/AccountsService.cpp (+21/-1)
plugins/AccountsService/AccountsService.h (+13/-0)
plugins/AccountsService/plugin.cpp (+1/-0)
plugins/LightDM/plugin.cpp (+2/-0)
qml/Components/PassphraseLockscreen.qml (+3/-0)
qml/Shell.qml (+27/-21)
run.sh (+15/-6)
tests/mocks/AccountsService/AccountsService.cpp (+12/-2)
tests/mocks/AccountsService/AccountsService.h (+12/-0)
tests/mocks/AccountsService/CMakeLists.txt (+4/-1)
tests/mocks/AccountsService/plugin.cpp (+1/-0)
tests/mocks/LightDM/GreeterPrivate.h (+2/-0)
tests/mocks/LightDM/demo/CMakeLists.txt (+4/-2)
tests/mocks/LightDM/demo/GreeterPrivate.cpp (+205/-33)
tests/mocks/LightDM/demo/UsersModelPrivate.cpp (+1/-1)
tests/mocks/LightDM/full/GreeterPrivate.cpp (+1/-1)
tests/mocks/LightDM/single-pin/GreeterPrivate.cpp (+1/-1)
tests/mocks/LightDM/single-pin/UsersModelPrivate.cpp (+1/-1)
tests/qmltests/Greeter/tst_Lockscreen.qml (+11/-5)

To merge this branch:

bzr merge lp:~mterry/unity8/locking-hash

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
PS Jenkins bot (community)	continuous-integration		Approve on 2014-07-28
Albert Astals Cid (community)			Abstain on 2014-07-25
Michał Sawicz		2014-07-03	Approve on 2014-07-17
Seth Arnold (community)			Approve on 2014-07-16
Marc Deslauriers		2014-07-03	Pending
Review via email: mp+225538@code.launchpad.net

Commit message

Check user's pin/password using PAM, instead of a plaintext keyfile.

New build dependency: libpam0g-dev for phone unlock with PAM

Description of the change

Check user's pin/password using PAM, instead of a plaintext keyfile.

== Checklist ==

* Are there any related MPs required for this MP to build/function as expected? Please list.
- lp:~mterry/gsettings-ubuntu-touch-schemas/password-hint
- https://code.launchpad.net/~mterry/ubuntu-system-settings/locking-hash/+merge/224346 (wip)
- https://code.launchpad.net/~mterry/livecd-rootfs/no-password/+merge/225560

* Did you perform an exploratory manual test run of your code change and any related functionality?
- Yes

* Did you make sure that your branch does not contain spurious tags?
- Yes

* If you changed the packaging (debian), did you subscribe the ubuntu-unity team to this MP?
- I am in that team

* If you changed the UI, has there been a design review?
- NA

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-03:

Marc, this branch implements PAM password-checking. Most of the interesting-to-you changes are probably in tests/mocks/LightDM/demo/GreeterPrivate.cpp.

Revision history for this message

Stéphane Graber (stgraber) wrote on 2014-07-03:

Why the added build-dep and dep on whois? I fail to see how querying an RFC 3912 online database is even remotely related to unity8 :)

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-03:

> Why the added build-dep and dep on whois?
> I fail to see how querying an RFC 3912 online
> database is even remotely related to unity8 :)

Oh whoops, I forgot to push to the branch again. That's gone now. It was there from the previous incarnation of this branch, which put shadow-style entries into a keyfile in the user's HOME.

Oddly enough, whois contains the mkpasswd executable.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-07-04:

This looks great. I think I found one minor bug, have some large questions about the goals and implementation, and then some further clarifying questions.

First, the minor bug:

- pamStatus isn't updated after pam_setcreds()

Next, I noticed that there's no use of PAM sessions, initgroups(), or set*id() functions; this might be consistent with single-user phones, but it would probably need extending to support multiple users. Are we aiming for multiple user support?

What are we missing by not supporting pam_open_session()? (ecryptfs and auditing at least; what else?)

Would we need to fork() a new process for the session, groups, and user change, so that the parent could still have sufficient privileges to call pam_close_session() at the end?

The PAM application developer guide mentions the PAM_USER, PAM_RUSER, and PAM_RHOST variables; I don't know how important these are for our uses but we might want to set them all the same so we provide the widest amount of compatibility with existing PAM modules.

I think we can merge this after the minor pamStatus = pam_setcreds() fixup regardless of the answers to my questions -- they'll either be bug fixes or new features that we can handle in good time.

Thanks

review: Needs Fixing

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-06:

The pam flow, including not changing pamStatus after pam_setcred and not using session is all stolen from ./lockscreen/UserAuthenticatorPam.cpp in lp:unity.

Specifically about pam_setcred, even sudo ignores the return (from ./plugins/sudoers/auth/pam.c):

     * We don't worry about a failure from pam_setcred() since with
     * stacked PAM auth modules a failure from one module may override
     * PAM_SUCCESS from another. For example, given a non-local user,
     * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
     * pam_unix is first in the stack, pam_setcred() will fail.

> Are we aiming for multiple user support?

Not on this screen, no. This is the equivalent of the unity7 lock screen. (When the user sees this, we've already logged them in and presented the "greeter" as a lock screen.) So no worries about ecryptfs etc either. That isn't in scope unless we have a proper split greeter, for which this branch is an interim alternative.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-07-07:

Michael, thanks for the detailed answers. Very nice.

Thanks!

Revision history for this message

Michał Sawicz (saviq) wrote on 2014-07-15:

In general I'm in favour of bracketing single-line if/else()s, but I won't hold it against you.

Is there any chance of stuff getting out of sync (like response coming to a different future than expected)? Should we pass around an id of the message and expect it back from the prompt?

Is there any chance of futureWatcher.result() never returning, or does pam_end() in start() ensure it will get reset every time you go start()?

I tried to run it with ./run.sh, got the password prompt, but couldn't authenticated, that expected?

Also see inline.

Really like the approach!

review: Needs Fixing

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-15:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3439/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-15:

> In general I'm in favour of bracketing single-line if/else()s, but I won't hold it against you.

I added a few more brackets.

> Is there any chance of stuff getting out of sync (like response coming to a different future than expected)? Should we pass around an id of the message and expect it back from the prompt?

Shouldn't be. That's up the to the UI side of things to make sure to give back a response for each prompt in order. Order is important with PAM prompts, so we don't expect a UI component to present them out of order.

> Is there any chance of futureWatcher.result() never returning, or does pam_end() in start() ensure it will get reset every time you go start()?

No, futureWatcher.result() should always return, because it is only called after we get the "finished()" signal from it. And the thread should always finish due to pam_end, yes.

> I tried to run it with ./run.sh, got the password prompt, but couldn't authenticated, that expected?

Fixed. I'm so used to testing on the device, that I didn't notice we still hardcode the phablet user in one place.

> Also see inline.

Replies inline. Except all of a sudden LP wouldn't let me edit or make new comments. So here's a little bit extra:

Regarding whether to call it a mock, I will say that it *is* a mock for liblightdm-qt5. It's just a functional one.

And as for qRegisterMetaType, it only seems to work with that method. Note this section of the documenation for Q_DECLARE_METATYPE:

"Note that if you intend to use the type in queued signal and slot connections or in QObject's property system, you also have to call qRegisterMetaType() since the names are resolved at runtime."

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-15:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3445/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-15:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3447/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-16:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3449/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michał Sawicz (saviq) wrote on 2014-07-16:

> Replies inline. Except all of a sudden LP wouldn't let me edit or make new
> comments. So here's a little bit extra:

Sounds like you didn't press "save" on one of them, it will then prevent you from doing changes to any other.

> And as for qRegisterMetaType, it only seems to work with that method. Note
> this section of the documenation for Q_DECLARE_METATYPE:
>
> "Note that if you intend to use the type in queued signal and slot connections
> or in QObject's property system, you also have to call qRegisterMetaType()
> since the names are resolved at runtime."

Yeah, the thing is they should get registered as you register the singletons, off which you then take the enum values... Basically what I'm saying we barely have this anywhere else, and using singletons and enums everywhere.

Hmm ah-ha! plugins/LightDM/Greeter.h does not have Q_ENUMS for those. Is that by design?

=====

Can we do anything about the fact that now while developing this will generally require a password?

Should we in ./run.sh and ./run_on_device preload a passwordless LightDM mock?

=====

See inline.

review: Needs Information

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-16:

> Should we in ./run.sh and ./run_on_device preload a passwordless LightDM mock?

Isn't that what -f is for?

What might be nice is once I have re-split the greeter again, by default ./run.sh can give you just the dash. But passing -G or some such will give you greeter too.

> Basically what I'm saying we barely have this anywhere else, and using singletons and enums everywhere.

OK, will give this another look.

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-16:

> Hmm ah-ha! plugins/LightDM/Greeter.h does not have Q_ENUMS for those. Is that by design?

The Q_ENUMS definition for those is in tests/mocks/LightDM/Greeter.h. I tried also doing it in plugins/LightDM/Greeter.h, in case QML couldn't see them in the other place, no luck. The error I get without doing qRegisterMetaType is:

"QObject::connect: Cannot queue arguments of type 'QLightDM::Greeter::PromptType'
(Make sure 'QLightDM::Greeter::PromptType' is registered using qRegisterMetaType().)"

Which seems to coincide with the documentation comments about queued connection arguments.

Probably the reason it is necessary here is that we never actually call qmlRegisterSingletonType for the class that contains these enums. That class is not exposed to Qml, but we still use its enums.

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-16:

OK, made it so that even just plain ./run.sh will skip requiring a password.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-07-16:

Sorry, I forgot to mark this "Approve" after an earlier review and feedback from Michael.

review: Approve

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-16:

FAILED: Continuous integration, rev:996
http://jenkins.qa.ubuntu.com/job/unity8-ci/3454/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/2087
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/455/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/548
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-armhf-ci/548
        deb: http://jenkins.qa.ubuntu.com/job/unity8-utopic-armhf-ci/548/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/548
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-runner-mako/2316
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/3222
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/3222/artifact/work/output/*zip*/output.zip
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/9952

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3454/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michał Sawicz (saviq) wrote on 2014-07-17:

* Did you perform an exploratory manual test run of the code change and any related functionality?
Yes.

* Did CI run pass? If not, please explain why.
Jenkins is unhappy today.

review: Approve

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-17:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3472/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Albert Astals Cid (aacid) wrote on 2014-07-24:

Text conflict in debian/control
1 conflicts encountered.

review: Needs Fixing

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-24:

FAILED: Continuous integration, rev:997
http://jenkins.qa.ubuntu.com/job/unity8-ci/3568/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/2421/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/570/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/662/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity8-utopic-armhf-ci/662/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/662/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/3652/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3568/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/locking-hash updated on 2014-07-24

998. By Michael Terry on 2014-07-24: Merge from trunk

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-24:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3578/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/locking-hash updated on 2014-07-25

999. By Michael Terry on 2014-07-25: Merge from trunk

Revision history for this message

Albert Astals Cid (aacid) wrote on 2014-07-25:

Merges cleanly now

review: Abstain

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-25:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3605/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-07-28:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/3628/rebuild

review: Approve (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Michael Terry

Mohammad Rakibul Hasan

Unity Team

 === modified file 'debian/control'
 --- debian/control	2014-07-24 20:40:44 +0000
 +++ debian/control	2014-07-25 13:39:35 +0000
@@ -19,6 +19,7 @@
                 libgsettings-qt-dev,
                 libhardware-dev,
                 libhud-client2-dev,
++               libpam0g-dev,
                 libpay2-dev,
                 libpulse-dev,
                 libqmenumodel-dev (>= 0.2.8),
 === modified file 'plugins/AccountsService/AccountsService.cpp'
 --- plugins/AccountsService/AccountsService.cpp	2014-06-11 15:36:51 +0000
 +++ plugins/AccountsService/AccountsService.cpp	2014-07-25 13:39:35 +0000
@@ -26,7 +26,8 @@
      m_service(new AccountsServiceDBusAdaptor(this)),
      m_user(qgetenv("USER")),
      m_demoEdges(false),
--    m_statsWelcomeScreen(false)
++    m_statsWelcomeScreen(false),
++    m_passwordDisplayHint(Keyboard)
+ {
      connect(m_service, SIGNAL(propertiesChanged(const QString &, const QString &, const QStringList &)),
              this, SLOT(propertiesChanged(const QString &, const QString &, const QStringList &)));
@@ -47,6 +48,7 @@
      updateDemoEdges();
      updateBackgroundFile();
      updateStatsWelcomeScreen();
++    updatePasswordDisplayHint();
+ }
  bool AccountsService::demoEdges() const
@@ -70,6 +72,11 @@
      return m_statsWelcomeScreen;
+ }
++AccountsService::PasswordDisplayHint AccountsService::passwordDisplayHint() const
++{
++    return m_passwordDisplayHint;
++}
++
  void AccountsService::updateDemoEdges()
+ {
      auto demoEdges = m_service->getUserProperty(m_user, "com.canonical.unity.AccountsService", "demo-edges").toBool();
@@ -97,6 +104,15 @@
+     }
+ }
++void AccountsService::updatePasswordDisplayHint()
++{
++    PasswordDisplayHint passwordDisplayHint = (PasswordDisplayHint)m_service->getUserProperty(m_user, "com.ubuntu.AccountsService.SecurityPrivacy", "PasswordDisplayHint").toInt();
++    if (m_passwordDisplayHint != passwordDisplayHint) {
++        m_passwordDisplayHint = passwordDisplayHint;
++        Q_EMIT passwordDisplayHintChanged();
++    }
++}
++
  void AccountsService::propertiesChanged(const QString &user, const QString &interface, const QStringList &changed)
+ {
      if (m_user != user) {
@@ -111,6 +127,10 @@
          if (changed.contains("StatsWelcomeScreen")) {
              updateStatsWelcomeScreen();
+         }
++    } else if (interface == "com.ubuntu.AccountsService.SecurityPrivacy") {
++        if (changed.contains("PasswordDisplayHint")) {
++            updatePasswordDisplayHint();
++        }
+     }
+ }
 === modified file 'plugins/AccountsService/AccountsService.h'
 --- plugins/AccountsService/AccountsService.h	2014-06-11 15:36:51 +0000
 +++ plugins/AccountsService/AccountsService.h	2014-07-25 13:39:35 +0000
@@ -27,6 +27,7 @@
  class AccountsService: public QObject
+ {
      Q_OBJECT
++    Q_ENUMS(PasswordDisplayHint)
      Q_PROPERTY (QString user
                  READ user
                  WRITE setUser
@@ -41,8 +42,16 @@
      Q_PROPERTY (bool statsWelcomeScreen
                  READ statsWelcomeScreen
                  NOTIFY statsWelcomeScreenChanged)
++    Q_PROPERTY (PasswordDisplayHint passwordDisplayHint
++                READ passwordDisplayHint
++                NOTIFY passwordDisplayHintChanged)
  public:
++    enum PasswordDisplayHint {
++        Keyboard,
++        Numeric,
++    };
++
      explicit AccountsService(QObject *parent = 0);
      QString user() const;
@@ -51,12 +60,14 @@
      void setDemoEdges(bool demoEdges);
      QString backgroundFile() const;
      bool statsWelcomeScreen() const;
++    PasswordDisplayHint passwordDisplayHint() const;
  Q_SIGNALS:
      void userChanged();
      void demoEdgesChanged();
      void backgroundFileChanged();
      void statsWelcomeScreenChanged();
++    void passwordDisplayHintChanged();
  private Q_SLOTS:
      void propertiesChanged(const QString &user, const QString &interface, const QStringList &changed);
@@ -66,12 +77,14 @@
      void updateDemoEdges();
      void updateBackgroundFile();
      void updateStatsWelcomeScreen();
++    void updatePasswordDisplayHint();
      AccountsServiceDBusAdaptor *m_service;
      QString m_user;
      bool m_demoEdges;
      QString m_backgroundFile;
      bool m_statsWelcomeScreen;
++    PasswordDisplayHint m_passwordDisplayHint;
  };
  #endif
 === modified file 'plugins/AccountsService/plugin.cpp'
 --- plugins/AccountsService/plugin.cpp	2013-11-19 17:01:25 +0000
 +++ plugins/AccountsService/plugin.cpp	2014-07-25 13:39:35 +0000
@@ -33,5 +33,6 @@
+ {
      Q_ASSERT(uri == QLatin1String("AccountsService"));
      qDBusRegisterMetaType<QList<QVariantMap>>();
++    qRegisterMetaType<AccountsService::PasswordDisplayHint>("AccountsService::PasswordDisplayHint");
      qmlRegisterSingletonType<AccountsService>(uri, 0, 1, "AccountsService", service_provider);
+ }
 === modified file 'plugins/LightDM/plugin.cpp'
 --- plugins/LightDM/plugin.cpp	2014-06-18 17:26:30 +0000
 +++ plugins/LightDM/plugin.cpp	2014-07-25 13:39:35 +0000
@@ -69,6 +69,8 @@
      qmlRegisterType<UserMetricsOutput::ColorTheme>();
      Q_ASSERT(uri == QLatin1String("LightDM"));
++    qRegisterMetaType<QLightDM::Greeter::MessageType>("QLightDM::Greeter::MessageType");
++    qRegisterMetaType<QLightDM::Greeter::PromptType>("QLightDM::Greeter::PromptType");
      qmlRegisterSingletonType<Greeter>(uri, 0, 1, "Greeter", greeter_provider);
      qmlRegisterSingletonType<UsersModel>(uri, 0, 1, "Users", users_provider);
      qmlRegisterUncreatableType<QLightDM::UsersModel>(uri, 0, 1, "UserRoles", "Type is not instantiable");
 === modified file 'qml/Components/PassphraseLockscreen.qml'
 --- qml/Components/PassphraseLockscreen.qml	2014-05-28 07:17:08 +0000
 +++ qml/Components/PassphraseLockscreen.qml	2014-07-25 13:39:35 +0000
@@ -31,8 +31,10 @@
      function clear(playAnimation) {
          pinentryField.text = "";
++        pinentryField.enabled = true
          if (playAnimation) {
              wrongPasswordAnimation.start();
++            pinentryField.forceActiveFocus();
          } else {
              pinentryField.focus = false
+         }
@@ -78,6 +80,7 @@
              onAccepted: {
                  if (pinentryField.text) {
++                    pinentryField.enabled = false;
                      root.entered(pinentryField.text);
+                 }
+             }
 === modified file 'qml/Shell.qml'
 --- qml/Shell.qml	2014-07-18 15:13:35 +0000
 +++ qml/Shell.qml	2014-07-25 13:39:35 +0000
@@ -490,6 +490,7 @@
          width: parent.width
          height: parent.height - panel.panelHeight
          background: shell.background
++        alphaNumeric: AccountsService.passwordDisplayHint === AccountsService.Keyboard
          minPinLength: 4
          maxPinLength: 4
@@ -504,7 +505,7 @@
          onShownChanged: if (shown) greeter.fakeActiveForApp = ""
          Component.onCompleted: {
--            if (LightDM.Users.count == 1) {
++            if (greeter.narrowMode) {
                  LightDM.Greeter.authenticate(LightDM.Users.data(0, LightDM.UserRoles.NameRole))
+             }
+         }
@@ -516,14 +517,17 @@
          onShowGreeter: greeter.show()
          onShowPrompt: {
--            if (LightDM.Users.count == 1) {
--                // TODO: There's no better way for now to determine if its a PIN or a passphrase.
--                if (text == "PIN") {
--                    lockscreen.alphaNumeric = false
--                } else {
--                    lockscreen.alphaNumeric = true
--                }
--                lockscreen.placeholderText = i18n.tr("Please enter %1").arg(text);
++            if (greeter.narrowMode) {
++                lockscreen.placeholderText = i18n.tr("Please enter %1").arg(text.toLowerCase());
++                lockscreen.show();
++            }
++        }
++
++        onPromptlessChanged: {
++            if (LightDM.Greeter.promptless) {
++                lockscreen.hide()
++            } else {
++                lockscreen.reset();
                  lockscreen.show();
+             }
+         }
@@ -537,6 +541,9 @@
                  greeter.login();
              } else {
                  lockscreen.clear(true);
++                if (greeter.narrowMode) {
++                    LightDM.Greeter.authenticate(LightDM.Users.data(0, LightDM.UserRoles.NameRole))
++                }
+             }
+         }
+     }
@@ -590,24 +597,23 @@
              function login() {
                  enabled = false;
--                LightDM.Greeter.startSessionSync();
--                sessionStarted();
--                greeter.hide();
--                lockscreen.hide();
--                launcher.hide();
++                if (LightDM.Greeter.startSessionSync()) {
++                    sessionStarted();
++                    greeter.hide();
++                    lockscreen.hide();
++                    launcher.hide();
++                }
                  enabled = true;
+             }
              onShownChanged: {
                  if (shown) {
--                    lockscreen.reset();
++                    if (greeter.narrowMode) {
++                        LightDM.Greeter.authenticate(LightDM.Users.data(0, LightDM.UserRoles.NameRole));
++                    }
                      if (!LightDM.Greeter.promptless) {
--                       lockscreen.show();
--                    }
--                    // If there is only one user, we start authenticating with that one here.
--                    // If there are more users, the Greeter will handle that
--                    if (LightDM.Users.count == 1) {
--                        LightDM.Greeter.authenticate(LightDM.Users.data(0, LightDM.UserRoles.NameRole));
++                        lockscreen.reset();
++                        lockscreen.show();
+                     }
                      greeter.fakeActiveForApp = "";
                      greeter.forceActiveFocus();
 === modified file 'run.sh'
 --- run.sh	2014-06-24 17:04:11 +0000
 +++ run.sh	2014-07-25 13:39:35 +0000
@@ -8,6 +8,7 @@
  FAKE=false
  PINLOCK=false
  KEYLOCK=false
++USE_MOCKS=false
  MOUSE_TOUCH=true
  usage() {
@@ -31,9 +32,9 @@
  while [ $# -gt 0 ]
  do
      case "$1" in
--       -f|--fake)  FAKE=true;;
--       -p|--pinlock)  PINLOCK=true;;
--       -k|--keylock)  KEYLOCK=true;;
++       -f|--fake)  FAKE=true; USE_MOCKS=true;;
++       -p|--pinlock)  PINLOCK=true; USE_MOCKS=true;;
++       -k|--keylock)  KEYLOCK=true; USE_MOCKS=true;;
         -g|--gdb)   GDB=true;;
         -h|--help)  usage;;
         -m|--nomousetouch)  MOUSE_TOUCH=false;;
@@ -43,20 +44,28 @@
  done
  if $FAKE; then
--  export QML2_IMPORT_PATH=$QML2_IMPORT_PATH:$PWD/builddir/tests/mocks:$PWD/builddir/plugins:$PWD/builddir/modules
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/builddir/tests/mocks/libusermetrics:$PWD/builddir/tests/mocks/LightDM/single
  fi
  if $PINLOCK; then
--  export QML2_IMPORT_PATH=$QML2_IMPORT_PATH:$PWD/builddir/tests/mocks:$PWD/builddir/plugins:$PWD/builddir/modules
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/builddir/tests/mocks/libusermetrics:$PWD/builddir/tests/mocks/LightDM/single-pin
  fi
  if $KEYLOCK; then
--  export QML2_IMPORT_PATH=$QML2_IMPORT_PATH:$PWD/builddir/tests/mocks:$PWD/builddir/plugins:$PWD/builddir/modules
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/builddir/tests/mocks/libusermetrics:$PWD/builddir/tests/mocks/LightDM/single-passphrase
  fi
++if $USE_MOCKS; then
++  rm -f $PWD/builddir/nonmirplugins/LightDM # undo symlink (from below) for cleanliness
++  export QML2_IMPORT_PATH=$QML2_IMPORT_PATH:$PWD/builddir/tests/mocks:$PWD/builddir/plugins:$PWD/builddir/modules
++else
++  # Still fake no-login user for convenience (it's annoying to be prompted for your password when testing)
++  # And in particular, just link our LightDM mock into the nonmirplugins folder.  We don't want the rest of
++  # our plugins to be used.
++  ln -s $PWD/builddir/tests/mocks/LightDM $PWD/builddir/nonmirplugins/
++  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/builddir/tests/mocks/LightDM/single
++fi
++
  QML_PHONE_SHELL_ARGS=""
  if $MOUSE_TOUCH; then
    QML_PHONE_SHELL_ARGS="$QML_PHONE_SHELL_ARGS -mousetouch"
 === modified file 'tests/mocks/AccountsService/AccountsService.cpp'
 --- tests/mocks/AccountsService/AccountsService.cpp	2014-06-17 18:23:44 +0000
 +++ tests/mocks/AccountsService/AccountsService.cpp	2014-07-25 13:39:35 +0000
@@ -29,12 +29,14 @@
  QString AccountsService::user() const
+ {
--    return "testuser";
++    return m_user;
+ }
  void AccountsService::setUser(const QString &user)
+ {
--    Q_UNUSED(user)
++    m_user = user;
++    Q_EMIT userChanged();
++    Q_EMIT passwordDisplayHintChanged();
+ }
  bool AccountsService::demoEdges() const
@@ -68,3 +70,11 @@
      m_statsWelcomeScreen = statsWelcomeScreen;
      statsWelcomeScreenChanged();
+ }
++
++AccountsService::PasswordDisplayHint AccountsService::passwordDisplayHint() const
++{
++    if (m_user == "has-pin")
++        return PasswordDisplayHint::Numeric;
++    else
++        return PasswordDisplayHint::Keyboard;
++}
 === modified file 'tests/mocks/AccountsService/AccountsService.h'
 --- tests/mocks/AccountsService/AccountsService.h	2014-06-11 15:36:51 +0000
 +++ tests/mocks/AccountsService/AccountsService.h	2014-07-25 13:39:35 +0000
@@ -27,6 +27,7 @@
  class AccountsService: public QObject
+ {
      Q_OBJECT
++    Q_ENUMS(PasswordDisplayHint)
      Q_PROPERTY (QString user
                  READ user
                  WRITE setUser
@@ -43,8 +44,16 @@
                  READ statsWelcomeScreen
                  WRITE setStatsWelcomeScreen // only available in mock
                  NOTIFY statsWelcomeScreenChanged)
++    Q_PROPERTY (PasswordDisplayHint passwordDisplayHint
++                READ passwordDisplayHint
++                NOTIFY passwordDisplayHintChanged)
  public:
++    enum PasswordDisplayHint {
++        Keyboard,
++        Numeric,
++    };
++
      explicit AccountsService(QObject *parent = 0);
      QString user() const;
@@ -55,15 +64,18 @@
      void setBackgroundFile(const QString &backgroundFile);
      bool statsWelcomeScreen() const;
      void setStatsWelcomeScreen(bool statsWelcomeScreen);
++    PasswordDisplayHint passwordDisplayHint() const;
  Q_SIGNALS:
      void userChanged();
      void demoEdgesChanged();
      void backgroundFileChanged();
      void statsWelcomeScreenChanged();
++    void passwordDisplayHintChanged();
  private:
      QString m_backgroundFile;
++    QString m_user;
      bool m_statsWelcomeScreen;
  };
 === modified file 'tests/mocks/AccountsService/CMakeLists.txt'
 --- tests/mocks/AccountsService/CMakeLists.txt	2014-06-17 18:23:44 +0000
 +++ tests/mocks/AccountsService/CMakeLists.txt	2014-07-25 13:39:35 +0000
@@ -5,4 +5,7 @@
  qt5_use_modules(MockAccountsService-qml DBus Qml)
--add_unity8_mock(AccountsService 0.1 AccountsService TARGETS MockAccountsService-qml)
++add_unity8_mock(AccountsService 0.1 AccountsService
++    PREFIX mocks
++    TARGETS MockAccountsService-qml
++    )
 === modified file 'tests/mocks/AccountsService/plugin.cpp'
 --- tests/mocks/AccountsService/plugin.cpp	2013-11-19 17:01:25 +0000
 +++ tests/mocks/AccountsService/plugin.cpp	2014-07-25 13:39:35 +0000
@@ -32,5 +32,6 @@
  void AccountsServicePlugin::registerTypes(const char *uri)
+ {
      Q_ASSERT(uri == QLatin1String("AccountsService"));
++    qRegisterMetaType<AccountsService::PasswordDisplayHint>("AccountsService::PasswordDisplayHint");
      qmlRegisterSingletonType<AccountsService>(uri, 0, 1, "AccountsService", service_provider);
+ }
 === modified file 'tests/mocks/LightDM/GreeterPrivate.h'
 --- tests/mocks/LightDM/GreeterPrivate.h	2013-06-05 22:03:08 +0000
 +++ tests/mocks/LightDM/GreeterPrivate.h	2014-07-25 13:39:35 +0000
@@ -24,6 +24,7 @@
  namespace QLightDM
+ {
  class Greeter;
++class GreeterImpl;
  class GreeterPrivate
+ {
@@ -40,6 +41,7 @@
      void handleRespond(const QString &response);
  protected:
++    GreeterImpl *m_impl; // if the backend needs more private data
      Greeter * const q_ptr;
  private:
 === modified file 'tests/mocks/LightDM/demo/CMakeLists.txt'
 --- tests/mocks/LightDM/demo/CMakeLists.txt	2014-06-11 15:36:51 +0000
 +++ tests/mocks/LightDM/demo/CMakeLists.txt	2014-07-25 13:39:35 +0000
@@ -11,11 +11,13 @@
  add_library(MockLightDM-demo STATIC ${LibLightDM_SOURCES})
  include_directories(
++    ${CMAKE_CURRENT_BINARY_DIR}
      ${LIBUSERMETRICSOUTPUT_INCLUDE_DIRS}
+ )
  target_link_libraries(MockLightDM-demo
      ${LIBUSERMETRICSOUTPUT_LDFLAGS}
--    )
++    -lpam
++)
--qt5_use_modules(MockLightDM-demo Gui)
++qt5_use_modules(MockLightDM-demo Concurrent Gui)
 === modified file 'tests/mocks/LightDM/demo/GreeterPrivate.cpp'
 --- tests/mocks/LightDM/demo/GreeterPrivate.cpp	2014-06-11 15:36:51 +0000
 +++ tests/mocks/LightDM/demo/GreeterPrivate.cpp	2014-07-25 13:39:35 +0000
@@ -18,53 +18,225 @@
  #include "../Greeter.h"
  #include "../GreeterPrivate.h"
--#include <QtCore/QDir>
--#include <QtCore/QSettings>
++#include <QFuture>
++#include <QFutureInterface>
++#include <QFutureWatcher>
++#include <QQueue>
++#include <QtConcurrent>
++#include <QVector>
++#include <security/pam_appl.h>
  namespace QLightDM
+ {
++class GreeterImpl : public QObject
++{
++    Q_OBJECT
++
++    typedef QFutureInterface<QString> ResponseFuture;
++
++public:
++    explicit GreeterImpl(Greeter *parent, GreeterPrivate *greeterPrivate)
++        : QObject(parent),
++          greeter(parent),
++          greeterPrivate(greeterPrivate),
++          pamHandle(NULL)
++    {
++        qRegisterMetaType<QLightDM::GreeterImpl::ResponseFuture>("QLightDM::GreeterImpl::ResponseFuture");
++
++        connect(&futureWatcher, SIGNAL(finished()),
++                this, SLOT(finishPam()));
++        connect(this, SIGNAL(showMessage(QString, QLightDM::Greeter::MessageType)),
++                greeter, SIGNAL(showMessage(QString, QLightDM::Greeter::MessageType)));
++        // This next connect is how we pass ResponseFutures between threads
++        connect(this, SIGNAL(showPrompt(QString, QLightDM::Greeter::PromptType, QLightDM::GreeterImpl::ResponseFuture)),
++                this, SLOT(handlePrompt(QString, QLightDM::Greeter::PromptType, QLightDM::GreeterImpl::ResponseFuture)));
++    }
++
++    void start(QString username)
++    {
++        // Clear out any existing PAM interactions first (we can't simply
++        // cancel our QFuture because QtConcurrent::run doesn't support cancel)
++        if (pamHandle != NULL) {
++            pam_handle *handle = pamHandle;
++            pamHandle = NULL; // to disable normal finishPam() handling
++            while (respond(QString())); // clear our local queue of QFutures
++            pam_end(handle, PAM_CONV_ERR);
++        }
++
++        // Now actually start a new conversation with PAM
++        pam_conv conversation;
++        conversation.conv = converseWithPam;
++        conversation.appdata_ptr = static_cast<void*>(this);
++
++        if (pam_start("lightdm", username.toUtf8(), &conversation, &pamHandle) == PAM_SUCCESS) {
++            futureWatcher.setFuture(QtConcurrent::run(authenticateWithPam, pamHandle));
++        } else {
++            greeterPrivate->authenticated = false;
++            Q_EMIT greeter->showMessage("Internal error: could not start PAM authentication", QLightDM::Greeter::MessageTypeError);
++            Q_EMIT greeter->authenticationComplete();
++        }
++    }
++
++    static int authenticateWithPam(pam_handle* pamHandle)
++    {
++        int pamStatus = pam_authenticate(pamHandle, 0);
++        if (pamStatus == PAM_SUCCESS) {
++            pamStatus = pam_acct_mgmt(pamHandle, 0);
++        }
++        if (pamStatus == PAM_NEW_AUTHTOK_REQD) {
++            pamStatus = pam_chauthtok(pamHandle, PAM_CHANGE_EXPIRED_AUTHTOK);
++        }
++        if (pamStatus == PAM_SUCCESS) {
++            pam_setcred(pamHandle, PAM_REINITIALIZE_CRED);
++        }
++        return pamStatus;
++    }
++
++    static int converseWithPam(int num_msg, const pam_message** msg,
++                               pam_response** resp, void* appdata_ptr)
++    {
++        if (num_msg <= 0)
++            return PAM_CONV_ERR;
++
++        auto* tmp_response = static_cast<pam_response*>(calloc(num_msg, sizeof(pam_response)));
++        if (!tmp_response)
++            return PAM_CONV_ERR;
++
++        GreeterImpl* impl = static_cast<GreeterImpl*>(appdata_ptr);
++
++        int count;
++        QVector<ResponseFuture> responses;
++
++        for (count = 0; count < num_msg; ++count)
++        {
++            switch (msg[count]->msg_style)
++            {
++            case PAM_PROMPT_ECHO_ON:
++            {
++                QString message(msg[count]->msg);
++                responses.append(ResponseFuture());
++                responses.last().reportStarted();
++                Q_EMIT impl->showPrompt(message, Greeter::PromptTypeQuestion, responses.last());
++                break;
++            }
++            case PAM_PROMPT_ECHO_OFF:
++            {
++                QString message(msg[count]->msg);
++                responses.append(ResponseFuture());
++                responses.last().reportStarted();
++                Q_EMIT impl->showPrompt(message, Greeter::PromptTypeSecret, responses.last());
++                break;
++            }
++            case PAM_TEXT_INFO:
++            {
++                QString message(msg[count]->msg);
++                Q_EMIT impl->showMessage(message, Greeter::MessageTypeInfo);
++                break;
++            }
++            default:
++            {
++                QString message(msg[count]->msg);
++                Q_EMIT impl->showMessage(message, Greeter::MessageTypeError);
++                break;
++            }
++            }
++        }
++
++        int i = 0;
++        bool raise_error = false;
++
++        for (auto &response : responses)
++        {
++            pam_response* resp_item = &tmp_response[i++];
++            resp_item->resp_retcode = 0;
++            resp_item->resp = strdup(response.future().result().toUtf8());
++
++            if (!resp_item->resp)
++            {
++                raise_error = true;
++                break;
++            }
++        }
++
++        if (raise_error)
++        {
++            for (int i = 0; i < count; ++i)
++                free(tmp_response[i].resp);
++
++            free(tmp_response);
++            return PAM_CONV_ERR;
++        }
++        else
++        {
++            *resp = tmp_response;
++            return PAM_SUCCESS;
++        }
++    }
++
++public Q_SLOTS:
++    bool respond(QString response)
++    {
++        if (!futures.isEmpty()) {
++            futures.dequeue().reportFinished(&response);
++            return true;
++        } else {
++            return false;
++        }
++    }
++
++Q_SIGNALS:
++    void showMessage(QString text, QLightDM::Greeter::MessageType type);
++    void showPrompt(QString text, QLightDM::Greeter::PromptType type, QLightDM::GreeterImpl::ResponseFuture response);
++
++private Q_SLOTS:
++    void finishPam()
++    {
++        if (pamHandle == NULL) {
++            return;
++        }
++
++        int pamStatus = futureWatcher.result();
++
++        pam_end(pamHandle, pamStatus);
++        pamHandle = NULL;
++
++        greeterPrivate->authenticated = (pamStatus == PAM_SUCCESS);
++        Q_EMIT greeter->authenticationComplete();
++    }
++
++    void handlePrompt(QString text, QLightDM::Greeter::PromptType type, QLightDM::GreeterImpl::ResponseFuture future)
++    {
++        futures.enqueue(future);
++        Q_EMIT greeter->showPrompt(text, type);
++    }
++
++private:
++    Greeter *greeter;
++    GreeterPrivate *greeterPrivate;
++    pam_handle* pamHandle;
++    QFutureWatcher<int> futureWatcher;
++    QQueue<ResponseFuture> futures;
++};
++
  GreeterPrivate::GreeterPrivate(Greeter* parent)
    : authenticated(false),
      authenticationUser(),
++    m_impl(new GreeterImpl(parent, this)),
      q_ptr(parent)
+ {
+ }
  void GreeterPrivate::handleAuthenticate()
+ {
--    Q_Q(Greeter);
--
--    QSettings settings(QDir::homePath() + "/.unity8-greeter-demo", QSettings::NativeFormat);
--    settings.beginGroup(authenticationUser);
--    QVariant password = settings.value("password", "none");
--
--    if (password == "pin") {
--        Q_EMIT q->showPrompt("PIN", Greeter::PromptTypeSecret);
--    } else if (password == "keyboard") {
--        Q_EMIT q->showPrompt("Password", Greeter::PromptTypeSecret);
--    } else {
--        authenticated = true;
--        Q_EMIT q->authenticationComplete();
--    }
++    m_impl->start(authenticationUser);
+ }
  void GreeterPrivate::handleRespond(const QString &response)
+ {
--    Q_Q(Greeter);
--
--    QSettings settings(QDir::homePath() + "/.unity8-greeter-demo", QSettings::NativeFormat);
--    settings.beginGroup(authenticationUser);
--    QVariant password = settings.value("password", "none");
--
--    QString passwordValue;
--    if (password == "pin") {
--        passwordValue = settings.value("passwordValue", "1234").toString();
--    } else {
--        passwordValue = settings.value("passwordValue", "password").toString();
--    }
--    authenticated = (response == passwordValue);
--    Q_EMIT q->authenticationComplete();
--}
--
--}
++    m_impl->respond(response);
++}
++
++}
++
++#include "GreeterPrivate.moc"
 === modified file 'tests/mocks/LightDM/demo/UsersModelPrivate.cpp'
 --- tests/mocks/LightDM/demo/UsersModelPrivate.cpp	2014-06-11 15:36:51 +0000
 +++ tests/mocks/LightDM/demo/UsersModelPrivate.cpp	2014-07-25 13:39:35 +0000
@@ -29,7 +29,7 @@
    : q_ptr(parent)
+ {
      QSettings settings(QDir::homePath() + "/.unity8-greeter-demo", QSettings::NativeFormat);
--    QStringList users = settings.value("users", QStringList() << "phablet").toStringList();
++    QStringList users = settings.value("users", QStringList() << qgetenv("USER")).toStringList();
      Q_FOREACH(const QString &user, users)
+     {
 === modified file 'tests/mocks/LightDM/full/GreeterPrivate.cpp'
 --- tests/mocks/LightDM/full/GreeterPrivate.cpp	2013-06-11 10:30:07 +0000
 +++ tests/mocks/LightDM/full/GreeterPrivate.cpp	2014-07-25 13:39:35 +0000
@@ -54,7 +54,7 @@
          authenticated = true;
          Q_EMIT q->authenticationComplete();
      } else if (authenticationUser == "has-pin"){
--        Q_EMIT q->showPrompt("PIN", Greeter::PromptTypeSecret);
++        Q_EMIT q->showPrompt("Password:", Greeter::PromptTypeSecret);
      } else if (authenticationUser == "auth-error") {
          authenticated = false;
          Q_EMIT q->authenticationComplete();
 === modified file 'tests/mocks/LightDM/single-pin/GreeterPrivate.cpp'
 --- tests/mocks/LightDM/single-pin/GreeterPrivate.cpp	2014-06-24 23:52:12 +0000
 +++ tests/mocks/LightDM/single-pin/GreeterPrivate.cpp	2014-07-25 13:39:35 +0000
@@ -32,7 +32,7 @@
  void GreeterPrivate::handleAuthenticate()
+ {
      Q_Q(Greeter);
--    Q_EMIT q->showPrompt("PIN", Greeter::PromptTypeSecret);
++    Q_EMIT q->showPrompt("Password:", Greeter::PromptTypeSecret);
+ }
  void GreeterPrivate::handleRespond(const QString &response)
 === modified file 'tests/mocks/LightDM/single-pin/UsersModelPrivate.cpp'
 --- tests/mocks/LightDM/single-pin/UsersModelPrivate.cpp	2013-06-14 19:35:25 +0000
 +++ tests/mocks/LightDM/single-pin/UsersModelPrivate.cpp	2014-07-25 13:39:35 +0000
@@ -26,7 +26,7 @@
+ {
      entries =
+     {
--        { "single", "Has PIN", 0, 0, false, false, 0, 0 },
++        { "has-pin", "Has PIN", 0, 0, false, false, 0, 0 },
      };
+ }
 === modified file 'tests/qmltests/Greeter/tst_Lockscreen.qml'
 --- tests/qmltests/Greeter/tst_Lockscreen.qml	2014-06-30 22:26:41 +0000
 +++ tests/qmltests/Greeter/tst_Lockscreen.qml	2014-07-25 13:39:35 +0000
@@ -18,8 +18,9 @@
  import QtTest 1.0
  import ".."
  import "../../../qml/Components"
++import AccountsService 0.1
++import LightDM 0.1 as LightDM
  import Ubuntu.Components 0.1
--import LightDM 0.1 as LightDM
  import Unity.Test 0.1 as UT
  Rectangle {
@@ -53,11 +54,16 @@
+         }
+     }
++    function setUser(username) {
++        AccountsService.user = username
++        LightDM.Greeter.authenticate(username)
++    }
++
      Connections {
          target: LightDM.Greeter
          onShowPrompt: {
--            if (text === "PIN") {
++            if (AccountsService.passwordDisplayHint === AccountsService.Numeric) {
                  pinPadCheckBox.checked = false
              } else {
                  pinPadCheckBox.checked = true
@@ -139,12 +145,12 @@
              Button {
                  text: "start auth (1234)"
                  width: parent.width
--                onClicked: LightDM.Greeter.authenticate("has-pin")
++                onClicked: setUser("has-pin")
+             }
              Button {
                  text: "start auth (password)"
                  width: parent.width
--                onClicked: LightDM.Greeter.authenticate("has-password")
++                onClicked: setUser("has-password")
+             }
              TextField {
@@ -255,7 +261,7 @@
              enteredLabel.text = ""
              minPinLengthTextField.text = data.minPinLength
              maxPinLengthTextField.text = data.maxPinLength
--            LightDM.Greeter.authenticate(data.username)
++            setUser(data.username)
              waitForLockscreenReady();
              var inputField = findChild(lockscreen, "pinentryField")