webui: handle back button when unauthenticated

using browser history when unauthenticated causes transition to
the original and/or preceding facets. But nothing works since
all commands fail due to expired credentials in session.

These changes make sure that user stays on login screen if he misses
valid session credentials while he wants to switch to facet which
requires authentication.

https://fedorahosted.org/freeipa/ticket/4353

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

install/ui/src/freeipa/Application_controller.js

@@ -27,6 +27,7 @@ define([
         'dojo/topic',
         'dojo/query',
         'dojo/dom-class',
+        './auth',
         './json2',
         './widgets/App',
         './widgets/FacetContainer',
@@ -36,7 +37,7 @@ define([
         './navigation/Router',
         './navigation/menu_spec'
        ],
-       function(declare, lang, array, Deferred, on, topic, query, dom_class,
+       function(declare, lang, array, Deferred, on, topic, query, dom_class, auth,
             JSON, App_widget, FacetContainer, IPA, reg, Menu, Router, menu_spec) {
 
     /**
@@ -297,6 +298,12 @@ define([
 
         show_facet: function(facet) {
 
+            // prevent changing facet when authenticating
+            if (this.current_facet && this.current_facet.name === 'login' &&
+                !auth.current.authenticated && facet.requires_auth) {
+                return;
+            }
+
             // choose container
             var container = this.containers[facet.preferred_container];
             if (!container) container = this.containers.main;
@@ -455,7 +462,6 @@ define([
                 var login_facet = reg.facet.get('login');
 
                 on.once(login_facet, "logged_in", function() {
-
                     if (facet) {
                         self.show_facet(facet);
                     }

install/ui/src/freeipa/facet.js

@@ -220,6 +220,13 @@ exp.facet = IPA.facet = function(spec, no_init) {
      */
     that._needs_update = spec.needs_update;
 
+
+    /**
+     * Facet is shown
+     * @property {Boolean}
+     */
+    that.is_shown = false;
+
     /**
      * Marks facet as expired - needs update
      *
@@ -291,6 +298,13 @@ exp.facet = IPA.facet = function(spec, no_init) {
      */
     that.redirect_info = spec.redirect_info;
 
+
+    /**
+     * Facet requires authenticated user
+     * @type {Boolean}
+     */
+    that.requires_auth = spec.requires_auth !== undefined ? spec.requires_auth : true;
+
     /**
      * Public state
      * @property {facet.FacetState}
@@ -480,7 +494,7 @@ exp.facet = IPA.facet = function(spec, no_init) {
         that.old_state = state;
 
         // we don't have to reflect any changes if facet dom is not yet created
-        if (!that.dom_node) {
+        if (!that.dom_node || !that.is_shown) {
             if (needs_update) that.set_expired_flag();
             return;
         }
@@ -651,10 +665,14 @@ exp.facet = IPA.facet = function(spec, no_init) {
      */
     that.show = function() {
 
+        if (that.is_shown) return;
+        that.is_shown = true;
+
         that.entity.facet = that; // FIXME: remove
 
         if (!that.dom_node) {
             that.create();
+        }
 
         var state = that.state.clone();
         var needs_update = that.needs_update(state);
@@ -671,11 +689,6 @@ exp.facet = IPA.facet = function(spec, no_init) {
         if (needs_update) {
             that.refresh();
         }
-        } else {
-            that.dom_node.addClass('active-facet');
-            that.show_content();
-            that.header.select_tab();
-        }
     };
 
     /**
@@ -714,6 +727,7 @@ exp.facet = IPA.facet = function(spec, no_init) {
      * Un-mark itself as active facet
      */
     that.hide = function() {
+        that.is_shown = false;
         that.dom_node.removeClass('active-facet');
     };
 

install/ui/src/freeipa/facets/Facet.js

@@ -112,6 +112,12 @@ define(['dojo/_base/declare',
          */
         redirect_info: null,
 
+        /**
+         * Facet requires authenticated user
+         * @type {Boolean}
+         */
+        requires_auth: true,
+
         /**
          * Public state
          * @property {facet.FacetState}
@@ -323,6 +329,9 @@ define(['dojo/_base/declare',
             this.container_node = spec.container_node;
             this.dom_node = spec.dom_node;
             this.redirect_info = spec.redirect_info;
+            if (spec.requires_auth !== undefined) {
+                this.requires_auth = spec.requires_auth;
+            }
             this.state = new mod_facet.FacetState();
             on(this.state, 'set', lang.hitch(this, this.on_state_set));
         }

install/ui/src/freeipa/plugins/load_page.js

@@ -40,6 +40,7 @@ define([
     load.facet_spec = {
         name: 'load',
         preferred_container: 'simple',
+        requires_auth: false,
         'class': 'login-pf-body',
         widgets: [
             {

install/ui/src/freeipa/plugins/login.js

@@ -43,6 +43,7 @@ define(['dojo/_base/declare',
     login.facet_spec = {
         name: 'login',
         preferred_container: 'simple',
+        requires_auth: false,
         widgets: [
             {
                 $type: 'activity',
@@ -60,7 +61,7 @@ define(['dojo/_base/declare',
     login.LoginFacet = declare([Facet], {
 
         can_leave: function() {
-            return auth.authenticated;
+            return auth.current.authenticated;
         },
 
         init: function() {

install/ui/src/freeipa/rpc.js

@@ -289,7 +289,7 @@ rpc.command = function(spec) {
             // With trusts, user from trusted domain can use his ticket but he
             // doesn't have rights for LDAP modify. It will throw internal error.
             // We should offer form base login.
-            if (xhr.status === 500 && auth.authenticated_by === 'kerberos' &&
+            if (xhr.status === 500 && auth.current.authenticated_by === 'kerberos' &&
                 !IPA.ui.initialized) {
                 error_handler_auth(xhr, text_status, error_thrown);
                 return;