Reverse trust prompt hosting

Bug #1352251 reported by Alberto Mardegan on 2014-08-04
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
qtmir (Ubuntu)
High
Unassigned
unity8 (Ubuntu)
High
Unassigned
unity8 (Ubuntu RTM)
High
Unassigned

Bug Description

In order to keep continuity, keeping this original bug rather than spawning a new one.

new description:
currently non ui process are asking for trust prompts from related focused ui's, example scopes ask for dash to host a prompt. however, it needs to be the other way around, with the ui process having a list of pid's that it can host for.

original description:

On the phone, a splash screen is shown as soon as QGuiApplication is instantiated; however, a QWindow might be created much later, or not be created at all.
We have for example a D-Bus service (ubuntu-system-settings-online-accounts) which is a QGuiApplication, but creates QWindows only as client requests arrive. In the common case, this works fine because the service is generally started when a window needs to be displayed, but we are now preparing for implementing trust session support, and that would require either this bug to be fixed, or a deeper refactoring of our code.

see below, that the original description was simply incorrectly using the default socket, instead of the trust socket. the default socket causes the splash screen, whereas the trust socket won't

Michał Sawicz (saviq) on 2014-08-04
Changed in qtmir:
status: New → Confirmed
Alberto Mardegan (mardy) wrote :

There is also another scenario in which this is triggered, and it's not something that can be helped with some refactoring:

When an application needs an OAuth token, it talks to Online Accounts (OA) to get it. If OA doesn't have a cached token (or if it's expired), OA will create a WebView, and load the OAuth URL into it. Since we are saving the session cookies, it is possible that there is no need to interact with the user, and that the WebView will be automatically redirected to the URL where the OAuth token can be collected from. When this happens, we don't want to bother the user at all.

However, in order to run a WebView, we need a QGuiApplication, which will make a blak window appear for some seconds.

Gerry Boland (gerboland) wrote :

What you are saying is clear, a splash screen is being incorrectly generated for these use-cases. Splash screens should only be generated for proper applications, not trust helpers/sessions.

Could you please give us steps to reproduce these issues though?

Gerry Boland (gerboland) on 2014-08-06
Changed in unity8:
status: New → Confirmed
Alberto Mardegan (mardy) wrote :

It's easy:

int main(int argc, char **argv)
{
    QGuiApplication app;
    return app.exec();
}

This program should not trigger a splash screen when run. :-)

Michał Sawicz (saviq) on 2014-09-03
Changed in unity8 (Ubuntu):
status: New → Confirmed
Michał Sawicz (saviq) on 2014-09-09
no longer affects: unity8
Gerry Boland (gerboland) wrote :

Unity8 tries to draw a splash screen for an app as soon as possible, so the UI is responsive to the user. It will paint a splash screen when either of these things happen:
1. user taps an app icon in launcher
2. when upstart notifies it an app is starting
3. when Mir notifies it an app connected

For point 3, note I said "connected" - not created a surface and set it to show(). A QGuiApplication will create a Mir connection on instantiation. A QCoreApplication will not show a splash, as that does not create a Mir connection. Creation of a QWindow has no relation to the creation of a splash screen.

This isn't something we want for desktop ofc, but for phablet I think it makes for a good user experience to paint a splash screen quickly.

As a result, I don't believe there's a way a binary can tell shell not to paint a splash screen for it.
Instead these are the only options I can think of:
1. shell having some heuristics to decide what apps should not get a splash screen
2. app supplies metadata via desktop file to specify if it wants a splash or not

I dislike option 2, as I fear it could be abused by app developers, and make our platform appear slow to react to user input. Option 1 is also poor, as heuristics would be unreliable. So no path forward is clear to me on this matter.

Thomas Strehl (strehl-t) on 2014-10-10
tags: added: rtm14
Joe Odukoya (jodukoya) wrote :

Please rate this as High.

Pete Woods (pete-woods) on 2014-10-12
Changed in qtmir:
importance: Undecided → High
Changed in unity8 (Ubuntu):
importance: Undecided → High
kevin gunn (kgunn72) on 2014-11-06
tags: added: ota-2
Changed in qtmir:
assignee: nobody → Josh Arenson (josharenson)
Changed in unity8 (Ubuntu):
assignee: nobody → Josh Arenson (josharenson)
Victor Tuson Palau (vtuson) wrote :

this is required for ota1

tags: added: ota-1
removed: ota-2
kevin gunn (kgunn72) on 2014-11-21
Changed in unity8 (Ubuntu RTM):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Josh Arenson (josharenson)
Michał Sawicz (saviq) wrote :

I'm not sure this bug is valid any more. The trusted prompt mechanism is different to how apps are created. Trusted prompts don't have splash screens (maybe they should?), but in any case a trusted session is short-lived, just for the duration of the prompt. The connection to Mir needs to happen on the trusted socket, so there's no connection that could trigger the splash screen (even if there was a splash screen) too early.

Alberto Mardegan (mardy) wrote :

This bug is still valid: while all the UI interactions involving trust sessions are working fine (there is no splash screen -- as I believe is correct), there are still cases where the Online Accounts UI is not invoked within a trust session, and that's typically when the client process is not a GUI application. This is the case of scopes and some system services (sync-monitor, and maybe telepathy in the future).
As I wrote in comment #1, many times even if the OAuth access token is expired, the cookies are still valid and we might be able to get a new access token without showing a web page. But we cannot know this in advance: we'll know it only after loading a webview (and Oxide requires a QGuiApplication) which we'll keep hidden until either we get redirected to the page where we get the access token (in which case the user will not see any UI at all) or until it's clear that we cannot proceed without the user interaction, in which case we can either show a snap decision or just return an error to the client.

Olli Ries (ories) on 2014-11-26
Changed in canonical-devices-system-image:
assignee: nobody → Canonical Devices Products (canonical-devices-products-team)
importance: Undecided → High
milestone: none → r1
status: New → Confirmed
Michał Sawicz (saviq) wrote :

I believe that as far as trust prompts go, we've resolved that they should ultimately never talk to the default Mir socket, which is the only case when they get a splash screen. The backends should open a trust session, even if it's not going to create any UI in the end (that is, if they require a Mir connection to function, as is the case for Oxide). Until we have the headless-client hints implemented on surfaces, you can open the trusted session with dash's PID or whatever else makes sense.

Jury's still out on whether we want to disable splash screens for some apps, but that is more of a UX question than a technical one.

Another approach we might consider is dropping the --desktop_file_hint hack (I believe OA is one of the last instances of it) and think of a different way to allow trusted helpers in. We could also say that only UAL-backed apps get splash screens.

Michał Sawicz (saviq) wrote :

Alberto, can you please confirm if the above is good enough for you for now? And if not, please describe what other use case this lacks support for?

Alberto Mardegan (mardy) wrote :

Yes, this is not really blocking me; until the headless-client hints are implemented I can just play safe and simply return an error on all UI requests.

Michał Sawicz (saviq) wrote :

Bearing the above in mind we have time to properly consider all the use cases and implement the long-term solution without hackfixes.

Changed in canonical-devices-system-image:
status: Confirmed → New
Changed in unity8 (Ubuntu RTM):
assignee: Josh Arenson (josharenson) → nobody
Changed in unity8 (Ubuntu):
assignee: Josh Arenson (josharenson) → nobody
Changed in qtmir:
assignee: Josh Arenson (josharenson) → nobody
status: Confirmed → Opinion
Changed in unity8 (Ubuntu RTM):
status: Confirmed → Opinion
Changed in unity8 (Ubuntu):
status: Confirmed → Opinion
Pat McGowan (pat-mcgowan) wrote :

confirmed status in system-image means product team approved it, it is not related to subtask status

Changed in canonical-devices-system-image:
status: New → Confirmed
Michał Sawicz (saviq) wrote :

This one's targeted to ww51 as well, which is what I tried to counter.

Pat McGowan (pat-mcgowan) wrote :

Defer per discussion in the bug

Changed in canonical-devices-system-image:
milestone: ww51-2014 → ww05-2015
kevin gunn (kgunn72) on 2014-12-11
description: updated
summary: - Splash screen is shown as soon as QGuiApplication is instantiated
+ Reverse trust prompt hosting
Alberto Mardegan (mardy) wrote :

I tried one of the suggested workarounds, that is setting QT_QPA_PLATFORM=minimal before opening the online-accounts-ui when we know that the client doesn't want any UI to be shown on top of it.
Unfortunately this doesn't work, as oxide won't work with the "minimal" backend:

  [1211/183336:FATAL:oxide_browser_process_main.cc(112)] Check failed: native_display_is_valid_.

Michał Sawicz (saviq) wrote :

I don't think we'll manage to make all the necessary changes by ww05, might need to push further out.

kevin gunn (kgunn72) wrote :

note, we need to address this for this bug as well
bug 1387691
see comments #9 & 10

Changed in qtmir:
status: Opinion → Triaged
Changed in unity8 (Ubuntu):
status: Opinion → Triaged
Changed in unity8 (Ubuntu RTM):
status: Opinion → Triaged
Changed in canonical-devices-system-image:
milestone: ww05-2015 → ww09-2015
Michał Sawicz (saviq) wrote :

Alberto, having talked through this with tvoss we think we found a sustainable solution for your use case. Just make sure to use ${MIR_SOCKET}_trusted for no-UI oxide thingy. You don't need anything special to connect to that, no need to create a trusted session or anything.

Pat McGowan (pat-mcgowan) wrote :

is this going to get attention this iteration?

Changed in canonical-devices-system-image:
assignee: Canonical Devices Products (canonical-devices-products-team) → David Barth (dbarth)
Michał Sawicz (saviq) wrote :

We discussed this with tvoss in Brussels, there's an improvement on the architecture of this that we want to happen, but AFAIU it's not critical to any user experience at the moment. IMO this should be pulled off the RTM list.

Changed in canonical-devices-system-image:
status: Confirmed → New

Agreed. I thought this could solve focus issues we're experiencing with
trust prompts

But Saviq confirmed this is unrelated. So I agree that all system clients
that would benefit from that have otherwise found ways around this and
there is no user experience broken by the absence of this I can think of.

On Fri, Feb 13, 2015 at 12:20 PM, Michał Sawicz <<email address hidden>
> wrote:

> We discussed this with tvoss in Brussels, there's an improvement on the
> architecture of this that we want to happen, but AFAIU it's not critical
> to any user experience at the moment. IMO this should be pulled off the
> RTM list.
>
> ** Changed in: canonical-devices-system-image
> Status: Confirmed => New
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1352251
>
> Title:
> Reverse trust prompt hosting
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/canonical-devices-system-image/+bug/1352251/+subscriptions
>

no longer affects: canonical-devices-system-image
Michał Sawicz (saviq) wrote :

Explaining per kgunn's request:

What we have currently is: whatever initiates a trusted session provides a PID of the process it wants to open the prompt on. The problem there is that trusted helpers need not necessarily know what that PID should be, because the request might come from a scope, which has no UI. Currently the helpers just cheat by going `pidof unity8-dash` and open the session with that.

In the general case it's fine because apps interact with trusted helpers directly, so the helpers can identify the connecting PID (with the exception that upcoming multi-surface support will somewhat break this, as the helper has no way to uniquely identify the surface to relate the session to).

What we need is for the trusted "broker", that scope-registry is, to be able to create a non-spoofable relation between whatever surface displays the data for a particular scope, and pass it down to the scope, which will then pass it to trusted helpers. The exact solution is not clear yet.

In addition, somewhat off-topic, we want to add an optional "type" and "metadata" or "geometry" arguments for a trusted prompt, to allow per-type transitions (immediate use case - media player as trusted prompt should grow from a thumbnail to fullscreen).

Michał Sawicz (saviq) on 2017-03-13
affects: qtmir → qtmir (Ubuntu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers