UI for lock screen online re-authentication

The saml user will be forced to re-authenticate through online flow
in the lockscreen. This feature is enable by setting
kDefaultSamlLockScreenReauthenticationEnabled to true.

Bug: 1113295
Change-Id: I7f89408aca31de9137006d5cbb96cfc91ee708d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339359Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org>
Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Mohammed Abdon <mohammedabdon@chromium.org>
Cr-Commit-Position: refs/heads/master@{#811655}

chrome/app/chromeos_strings.grdp

@@ -2597,6 +2597,27 @@
   <message name="IDS_ENTERPRISE_LOGIN_ERROR_ALLOWLIST" desc="Couldn't sign in because user is not authorized by the administrator.">
     You are not authorized to use this device. Please contact the administrator for sign-in permission.
   </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_ACCOUNT" desc="Title of online account verification on the lock screen">
+    Verify account
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_BUTTON" desc="Next button for online account verification on the lock screen">
+    Verify
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON" desc="Next button for 2nd online account verification on the lock screen">
+    Verify again
+  </message>
+  <message name="IDS_LOCK_SCREEN_CANCEL_BUTTON" desc="Cancel button for online account verification on the lock screen">
+    Cancel
+  </message>
+  <message name="IDS_LOCK_SCREEN_VERIFICATION_FAILED" desc="Title of incorrect user online reauthentication on the lock screen">
+    Verification was not successful
+  </message>
+  <message name="IDS_LOCK_SCREEN_WRONG_USER" desc="User that was not logged in tries to unlock the device">
+    The account you verified is not authorized to access this device. Please make sure you are verifying <ph name="ACCOUNT">$1<ex>test@example.com</ex></ph> to unlock the session.
+  </message>
+  <message name="IDS_LOCK_SCREEN_REAUTH_SUBTITLE" desc="Subtitle for lock screen user re-auth dialog">
+    Sign in to <ph name="ACCOUNT">$1<ex>test@example.com</ex></ph> again to verify this account
+  </message>
   <message name="IDS_LOGIN_ERROR_GOOGLE_ACCOUNT_NOT_ALLOWED" desc="Couldn't sign into Google account on the Active Directory managed device.">
     Sorry, Google accounts are not allowed on this device.
   </message>

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_CANCEL_BUTTON.png.sha1

+078b283c6e11478112e9461ae86bf07a0f9aceb7
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_REAUTH_SUBTITLE.png.sha1

+078b283c6e11478112e9461ae86bf07a0f9aceb7
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFICATION_FAILED.png.sha1

+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_ACCOUNT.png.sha1

+078b283c6e11478112e9461ae86bf07a0f9aceb7
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON.png.sha1

+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_VERIFY_BUTTON.png.sha1

+078b283c6e11478112e9461ae86bf07a0f9aceb7
\ No newline at end of file

chrome/app/chromeos_strings_grdp/IDS_LOCK_SCREEN_WRONG_USER.png.sha1

+9ae3a4fddbcc6f3f1533b1f366ff444fe6da91cb
\ No newline at end of file

chrome/browser/browser_resources.grd

@@ -267,7 +267,10 @@
         <include name="IDR_CONFIRM_PASSWORD_CHANGE_JS" file="resources\chromeos\password_change\confirm_password_change.js" type="chrome_html" />
         <include name="IDR_URGENT_PASSWORD_EXPIRY_NOTIFICATION_HTML" file="resources\chromeos\password_change\urgent_password_expiry_notification.html" flattenhtml="true" allowexternalscript="true" type="chrome_html" />
         <include name="IDR_URGENT_PASSWORD_EXPIRY_NOTIFICATION_JS" file="resources\chromeos\password_change\urgent_password_expiry_notification.js" type="chrome_html" />
-
+        <include name="IDR_GAIA_AUTH_AUTHENTICATOR_JS" file="resources\gaia_auth_host\authenticator.js" flattenhtml="true" type="BINDATA" />
+        <include name="IDR_LOCK_SCREEN_REAUTH_HTML" file="resources\chromeos\password_change\lock_screen_reauth.html" flattenhtml="true" type="BINDATA" />
+        <include name="IDR_LOCK_SCREEN_REAUTH_JS" file="resources\chromeos\password_change\lock_screen_reauth.js" type="BINDATA" />
+      
         <include name="IDR_CROSTINI_INSTALLER_INDEX_HTML" file="resources\chromeos\crostini_installer\index.html" type="BINDATA" />
         <include name="IDR_CROSTINI_INSTALLER_APP_JS" file="${root_gen_dir}\chrome\browser\resources\chromeos\crostini_installer\app.js" type="BINDATA" use_base_dir="false" />
         <include name="IDR_CROSTINI_INSTALLER_BROWSER_PROXY_JS" file="resources\chromeos\crostini_installer\browser_proxy.js" type="BINDATA" />

chrome/browser/chromeos/login/saml/in_session_password_sync_manager.cc

@@ -26,7 +26,6 @@ InSessionPasswordSyncManager::InSessionPasswordSyncManager(
       clock_(base::DefaultClock::GetInstance()),
       primary_user_(ProfileHelper::Get()->GetUserByProfile(primary_profile)) {
   DCHECK(primary_user_);
-
   auto* session_manager = session_manager::SessionManager::Get();
   // Extra check as SessionManager may be not initialized in some unit
   // tests

chrome/browser/chromeos/login/saml/in_session_password_sync_manager.h

@@ -13,6 +13,7 @@
 #include "base/time/time.h"
 #include "chrome/browser/chromeos/login/saml/password_sync_token_fetcher.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h"
 #include "chromeos/components/proximity_auth/screenlock_bridge.h"
 #include "components/account_id/account_id.h"
 #include "components/keyed_service/core/keyed_service.h"
@@ -81,6 +82,8 @@ class InSessionPasswordSyncManager
   void OnTokenVerified(bool is_valid) override;
   void OnApiCallFailed(PasswordSyncTokenFetcher::ErrorType error_type) override;
 
+  std::unique_ptr<LockScreenStartReauthDialog> lock_screen_start_reauth_dialog;
+
  private:
   void UpdateOnlineAuth();
   // Password sync token API calls.

chrome/browser/resources/chromeos/password_change/lock_screen_reauth.html

+<!doctype html>
+<html dir="$i18n{textdirection}" lang="$i18n{language}">
+
+<head>
+  <include src="../login/components/oobe_icons.html">
+  <link rel="stylesheet" href="chrome://resources/css/text_defaults.css">
+
+  <script src="chrome://resources/js/cr.js"></script>
+  <script src="chrome://resources/js/cr/event_target.js"></script>
+  <script src="chrome://resources/js/load_time_data.js"></script>
+  <script src="chrome://resources/js/util.js"></script>
+  <script src="chrome://lock-reauth/authenticator.js"></script>
+
+  <script type="module" src="chrome://lock-reauth/lock_screen_reauth.js"></script>
+
+  <dom-module id="lock-reauth">
+    <template>
+      <style>
+        ::part(dialog) {
+          /* The HTML dialog should fill the entire system dialog. */
+          height: 100%;
+          width: 100%;
+          display: flex;
+        }
+
+        ::part(wrapper) {
+          height: 100%;
+          width: 100%;
+          display: flex;
+        }
+
+        #saml-close-button {
+          --cr-icon-button-margin-end: 0;
+          --cr-icon-button-margin-start: 0;
+        }
+
+        [slot='body'],
+        #signin-frame {
+          width: 100%;
+          height: 100%;
+        }
+
+        #title-icon {
+          --iron-icon-height: 32px;
+          --iron-icon-width: 32px;
+          /* #1a73e8 */
+          --iron-icon-fill-color: rgb(26, 115, 232);
+        }
+
+        [slot='header'] {
+          background: white;
+          padding-bottom: 0;
+          padding-inline-end: 64px;
+          padding-inline-start: 64px;
+          padding-top: 64px;
+          flex: 1;
+        }
+
+        [slot='header'],
+        #title {
+          /* #202124 */
+          color: rgb(32, 33, 36);
+          font-size: 28px;
+          font-weight: 400;
+          padding-top: 20px;
+          margin: 0;
+        }
+
+        [slot='header'],
+        #subtitle {
+          /* #5f6368 */
+          color: rgb(95, 99, 104);
+          font-size: 13px;
+          font-weight: 400;
+          padding-top: 8px;
+          margin: 0;
+        }
+
+        [slot="button-container"] {
+          padding: 40px;
+        }
+      </style>
+      <cr-dialog id="dialog" exportparts="dialog">
+        <div slot="header">
+          <iron-icon id="title-icon" icon="oobe-64:alert"></iron-icon>
+          <div id="title" hidden="[[isErrorDisplayed_]]">
+            $i18n{loginWelcomeMessage}
+          </div>
+          <div id="title" hidden="[[!isErrorDisplayed_]]">
+            $i18n{loginWelcomeMessageWithError}
+          </div>
+          <div id="subtitle" hidden="[[isErrorDisplayed_]]">
+            $i18n{lockScreenReauthSubtitile}
+          </div>
+          <div id="subtitle" hidden="[[!isErrorDisplayed_]]">
+            $i18n{lockScreenReauthSubtitileWithError}
+          </div>
+        </div>
+        <div slot="body" hidden="[[isButtonsEnabled_]]">
+          <cr-icon-button id="saml-close-button" iron-icon="cr:close" on-click="onCloseTap_">
+          </cr-icon-button>
+          <webview id="signin-frame" name="signin-frame" class="flex">
+          </webview>
+        </div>
+        <div slot="button-container" class="flex layout horizontal">
+          <cr-button id="cancelButton" class="cancel-button" on-click="onCloseTap_"
+              hidden="[[!isButtonsEnabled_]]">
+            $i18n{lockScreenCancelButton}
+          </cr-button>
+          <cr-button id="nextButton" class="action-button" on-click="onNext_"
+              hidden="[[!isVerifyButtonEnabled_]]">
+            $i18n{lockScreenVerifyButton}
+          </cr-button>
+          <cr-button id="nextButton" class="action-button" on-click="onNext_"
+              hidden="[[!isVerifyAgainButtonEnabled_]]">
+            $i18n{lockScreenVerifyAgainButton}
+          </cr-button>
+        </div>
+      </cr-dialog>
+    </template>
+  </dom-module>
+</head>
+
+<body>
+  <lock-reauth id="main-element">
+  </lock-reauth>
+</body>
+
+</html>
\ No newline at end of file

chrome/browser/resources/chromeos/password_change/lock_screen_reauth.js

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+/**
+ * @fileoverview An UI component to let user init online re-auth flow on
+ * the lock screen.
+ */
+
+
+import {assert} from 'chrome://resources/js/assert.m.js';
+import {I18nBehavior} from 'chrome://resources/js/i18n_behavior.m.js';
+import {loadTimeData} from 'chrome://resources/js/load_time_data.m.js';
+import {Polymer} from 'chrome://resources/polymer/v3_0/polymer/polymer_bundled.min.js';
+import 'chrome://resources/cr_elements/cr_button/cr_button.m.js';
+import 'chrome://resources/cr_elements/cr_dialog/cr_dialog.m.js';
+import 'chrome://resources/cr_elements/icons.m.js';
+
+
+Polymer({
+  is: 'lock-reauth',
+  behaviors: [I18nBehavior],
+
+  properties: {
+    isErrorDisplayed_: {
+      type: Boolean,
+      value: false,
+    },
+
+    isButtonsEnabled_: {
+      type: Boolean,
+      value: true,
+    },
+
+    isVerifyButtonEnabled_: {
+      type: Boolean,
+      computed:
+          'computeVerifyButtonEnabled_(isErrorDisplayed_,isButtonsEnabled_)',
+    },
+
+    isVerifyAgainButtonEnabled_: {
+      type: Boolean,
+      computed:
+          'computeVerifyAgainButtonEnabled_(isErrorDisplayed_,isButtonsEnabled_)',
+    },
+  },
+
+  /**
+   * The UI component that hosts IdP pages.
+   * @type {!cr.login.Authenticator|undefined}
+   */
+  authenticator_: undefined,
+
+  /**
+   * Webview that view IdP page
+   * @type {!webview|undefined}
+   * @private
+   */
+  signinFrame_: undefined,
+
+  /** @override */
+  attached() {
+    this.$.dialog.showModal();
+  },
+
+  /** @override */
+  ready() {
+    this.signinFrame_ = this.getSigninFrame_();
+    this.authenticator_ = new cr.login.Authenticator(this.signinFrame_);
+    chrome.send('initialize');
+  },
+
+  /**
+   * @return {!Element}
+   * @private
+   */
+  getSigninFrame_() {
+    // Note: Can't use |this.$|, since it returns cached references to elements
+    // originally present in DOM, while the signin-frame is dynamically
+    // recreated (see Authenticator.setWebviewPartition()).
+    const signinFrame = this.shadowRoot.getElementById('signin-frame');
+    assert(signinFrame);
+    return signinFrame;
+  },
+
+  /** @private */
+  computeVerifyButtonEnabled_(isErrorDisplayed, isButtonsEnabled) {
+    return !isErrorDisplayed && isButtonsEnabled;
+  },
+
+  /** @private */
+  computeVerifyAgainButtonEnabled_(isErrorDisplayed, isButtonsEnabled) {
+    return isErrorDisplayed && isButtonsEnabled;
+  },
+
+  /** @private */
+  onNext_() {
+    this.isButtonsEnabled_ = false;
+  },
+
+  /** @private */
+  onCloseTap_() {
+    chrome.send('dialogClose');
+  },
+
+});

chrome/browser/resources/gaia_auth_host/post_message_channel.js

@@ -20,8 +20,12 @@
    * Allowed origins of the hosting page.
    * @type {Array<string>}
    */
-  const ALLOWED_ORIGINS =
-      ['chrome://oobe', 'chrome://chrome-signin', 'chrome://password-change'];
+  const ALLOWED_ORIGINS = [
+    'chrome://oobe',
+    'chrome://chrome-signin',
+    'chrome://password-change',
+    'chrome://lock-reauth'
+  ];
 
   /** @const */
   const PORT_MESSAGE = 'post-message-port-message';

chrome/browser/ui/BUILD.gn

@@ -2181,6 +2181,12 @@ static_library("ui") {
       "webui/chromeos/image_source.h",
       "webui/chromeos/in_session_password_change/confirm_password_change_handler.cc",
       "webui/chromeos/in_session_password_change/confirm_password_change_handler.h",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_handler.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_reauth_handler.h",
+      "webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.cc",
+      "webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.h",
       "webui/chromeos/in_session_password_change/password_change_dialogs.cc",
       "webui/chromeos/in_session_password_change/password_change_dialogs.h",
       "webui/chromeos/in_session_password_change/password_change_handler.cc",

chrome/browser/ui/ash/login_screen_client.cc

@@ -15,16 +15,22 @@
 #include "chrome/browser/chromeos/login/help_app_launcher.h"
 #include "chrome/browser/chromeos/login/lock/screen_locker.h"
 #include "chrome/browser/chromeos/login/login_auth_recorder.h"
+#include "chrome/browser/chromeos/login/login_pref_names.h"
 #include "chrome/browser/chromeos/login/reauth_stats.h"
+#include "chrome/browser/chromeos/login/saml/in_session_password_sync_manager.h"
+#include "chrome/browser/chromeos/login/saml/in_session_password_sync_manager_factory.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
 #include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/profiles/profile_metrics.h"
 #include "chrome/browser/ui/ash/wallpaper_controller_client.h"
 #include "chrome/browser/ui/settings_window_manager_chromeos.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h"
 #include "chrome/browser/ui/webui/chromeos/login/l10n_util.h"
 #include "chrome/browser/ui/webui/settings/chromeos/constants/routes.mojom.h"
 #include "chrome/common/webui_url_constants.h"
+#include "components/session_manager/core/session_manager.h"
 #include "components/user_manager/remove_user_delegate.h"
 #include "components/user_manager/user_names.h"
 
@@ -329,5 +335,21 @@ void LoginScreenClient::ShowGaiaSigninInternal(
   if (chromeos::LoginDisplayHost::default_host()) {
     chromeos::LoginDisplayHost::default_host()->ShowGaiaDialog(
         prefilled_account);
+  } else {
+    const user_manager::User* user =
+        user_manager::UserManager::Get()->FindUser(prefilled_account);
+    Profile* profile = chromeos::ProfileHelper::Get()->GetProfileByUser(user);
+    if (profile->GetPrefs()->GetBoolean(
+            chromeos::prefs::kSamlLockScreenReauthenticationEnabled)) {
+      DCHECK(session_manager::SessionManager::Get()->IsScreenLocked());
+      chromeos::InSessionPasswordSyncManager* password_sync_manager =
+          chromeos::InSessionPasswordSyncManagerFactory::GetForProfile(profile);
+      if (!password_sync_manager->lock_screen_start_reauth_dialog) {
+        password_sync_manager->lock_screen_start_reauth_dialog =
+            std::unique_ptr<chromeos::LockScreenStartReauthDialog>(
+                new chromeos::LockScreenStartReauthDialog());
+      }
+      password_sync_manager->lock_screen_start_reauth_dialog->Show();
+    }
   }
 }

chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc

@@ -34,6 +34,7 @@
 #include "chrome/browser/ui/webui/chromeos/account_manager/account_manager_welcome_ui.h"
 #include "chrome/browser/ui/webui/chromeos/account_manager/account_migration_welcome_ui.h"
 #include "chrome/browser/ui/webui/chromeos/chrome_url_disabled/chrome_url_disabled_ui.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.h"
 #include "chrome/browser/ui/webui/chromeos/in_session_password_change/password_change_ui.h"
 #include "chrome/browser/ui/webui/commander/commander_ui.h"
 #include "chrome/browser/ui/webui/components/components_ui.h"
@@ -623,6 +624,13 @@ WebUIFactoryFunction GetWebUIFactoryFunction(WebUI* web_ui,
     }
     return &NewWebUI<chromeos::UrgentPasswordExpiryNotificationUI>;
   }
+  if (url.host_piece() == chrome::kChromeUILockScreenStartReauthHost) {
+    if (!profile->GetPrefs()->GetBoolean(
+            chromeos::prefs::kSamlLockScreenReauthenticationEnabled)) {
+      return nullptr;
+    }
+    return &NewWebUI<chromeos::LockScreenStartReauthUI>;
+  }
   if (url.host_piece() == chrome::kChromeUIAccountManagerErrorHost)
     return &NewWebUI<chromeos::AccountManagerErrorUI>;
   if (url.host_piece() == chrome::kChromeUIAccountManagerWelcomeHost)

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h"
+
+#include <memory>
+
+#include "base/bind.h"
+#include "base/json/json_writer.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/confirm_password_change_handler.h"
+#include "chrome/common/webui_url_constants.h"
+#include "chrome/grit/browser_resources.h"
+#include "chrome/grit/generated_resources.h"
+#include "content/public/browser/browser_thread.h"
+#include "content/public/browser/web_ui_data_source.h"
+#include "ui/display/display.h"
+#include "ui/display/screen.h"
+#include "ui/strings/grit/ui_strings.h"
+
+namespace chromeos {
+
+namespace {
+
+LockScreenStartReauthDialog* g_dialog = nullptr;
+
+constexpr gfx::Size kLockScreenReauthSize(768, 640);
+
+gfx::Size FitSizeToDisplay(const gfx::Size& desired) {
+  const display::Display display =
+      display::Screen::GetScreen()->GetPrimaryDisplay();
+
+  gfx::Size display_size = display.size();
+
+  if (display.rotation() == display::Display::ROTATE_90 ||
+      display.rotation() == display::Display::ROTATE_270) {
+    display_size = gfx::Size(display_size.height(), display_size.width());
+  }
+
+  display_size.SetToMin(desired);
+  return display_size;
+}
+
+}  // namespace
+
+BaseLockDialog::BaseLockDialog(GURL url, gfx::Size desired_size)
+    : SystemWebDialogDelegate(url, /*title=*/base::string16()),
+      desired_size_(desired_size) {}
+
+BaseLockDialog::~BaseLockDialog() {}
+
+void BaseLockDialog::GetDialogSize(gfx::Size* size) const {
+  *size = FitSizeToDisplay(desired_size_);
+}
+
+void BaseLockDialog::AdjustWidgetInitParams(views::Widget::InitParams* params) {
+  params->type = views::Widget::InitParams::TYPE_WINDOW_FRAMELESS;
+}
+
+ui::ModalType BaseLockDialog::GetDialogModalType() const {
+  return ui::ModalType::MODAL_TYPE_SYSTEM;
+}
+
+void LockScreenStartReauthDialog::Show() {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  if (g_dialog) {
+    g_dialog->Focus();
+    return;
+  }
+  g_dialog = new LockScreenStartReauthDialog();
+  g_dialog->ShowSystemDialog();
+}
+
+void LockScreenStartReauthDialog::Dismiss() {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  if (g_dialog)
+    g_dialog->Close();
+}
+
+bool LockScreenStartReauthDialog::IsRunning() {
+  return g_dialog;
+}
+
+LockScreenStartReauthDialog::LockScreenStartReauthDialog()
+    : BaseLockDialog(GURL(chrome::kChromeUILockScreenStartReauthURL),
+                           kLockScreenReauthSize) {}
+
+LockScreenStartReauthDialog::~LockScreenStartReauthDialog() {
+  DCHECK_EQ(this, g_dialog);
+  g_dialog = nullptr;
+}
+
+}  // namespace chromeos

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_dialogs.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_DIALOGS_H_
+#define CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_DIALOGS_H_
+
+#include "base/macros.h"
+#include "base/strings/string16.h"
+#include "chrome/browser/ui/webui/chromeos/system_web_dialog_delegate.h"
+#include "ui/web_dialogs/web_dialog_ui.h"
+
+namespace chromeos {
+
+// A modal system dialog without any frame decorating it.
+class BaseLockDialog : public SystemWebDialogDelegate {
+ protected:
+  BaseLockDialog(GURL url, gfx::Size desired_size);
+  BaseLockDialog(BaseLockDialog const&) = delete;
+  ~BaseLockDialog() override;
+
+  // ui::WebDialogDelegate:
+  void GetDialogSize(gfx::Size* size) const override;
+  void AdjustWidgetInitParams(views::Widget::InitParams* params) override;
+  ui::ModalType GetDialogModalType() const override;
+
+ private:
+  gfx::Size desired_size_;
+};
+
+class LockScreenStartReauthDialog : public BaseLockDialog {
+ public:
+  LockScreenStartReauthDialog();
+  LockScreenStartReauthDialog(LockScreenStartReauthDialog const&) = delete;
+  ~LockScreenStartReauthDialog() override;
+
+  void Show();
+  void Dismiss();
+  bool IsRunning();
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_DIALOGS_H_

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_handler.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_handler.h"
+
+namespace chromeos {
+
+LockScreenReauthHandler::LockScreenReauthHandler() = default;
+LockScreenReauthHandler::~LockScreenReauthHandler() = default;
+
+void LockScreenReauthHandler::HandleInitialize(const base::ListValue* value) {}
+
+void LockScreenReauthHandler::RegisterMessages() {
+  web_ui()->RegisterMessageCallback(
+      "initialize",
+      base::BindRepeating(&LockScreenReauthHandler::HandleInitialize,
+                          weak_factory_.GetWeakPtr()));
+}
+
+}  // namespace chromeos
\ No newline at end of file

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_handler.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_HANDLER_H_
+#define CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_HANDLER_H_
+
+#include "base/memory/weak_ptr.h"
+#include "base/values.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "components/user_manager/user.h"
+#include "content/public/browser/web_ui_message_handler.h"
+
+namespace chromeos {
+
+class LockScreenReauthHandler : public content::WebUIMessageHandler {
+ public:
+  LockScreenReauthHandler();
+  ~LockScreenReauthHandler() override;
+
+  void RegisterMessages() override;
+
+  void HandleInitialize(const base::ListValue*);
+
+ private:
+  base::WeakPtrFactory<LockScreenReauthHandler> weak_factory_{this};
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_REAUTH_HANDLER_H_

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.h"
+
+#include <memory>
+
+#include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
+#include "chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_reauth_handler.h"
+#include "chrome/common/webui_url_constants.h"
+#include "chrome/grit/browser_resources.h"
+#include "chrome/grit/generated_resources.h"
+#include "content/public/browser/web_ui_data_source.h"
+#include "ui/base/l10n/l10n_util.h"
+
+namespace chromeos {
+
+LockScreenStartReauthUI::LockScreenStartReauthUI(content::WebUI* web_ui)
+    : ui::WebDialogUI(web_ui) {
+  Profile* profile = Profile::FromWebUI(web_ui);
+  const user_manager::User* user =
+      ProfileHelper::Get()->GetUserByProfile(profile);
+  std::string email;
+  if (user) {
+    email = user->GetDisplayEmail();
+  }
+
+  content::WebUIDataSource* source = content::WebUIDataSource::Create(
+      chrome::kChromeUILockScreenStartReauthHost);
+
+  web_ui->AddMessageHandler(std::make_unique<LockScreenReauthHandler>());
+
+  // TODO(crbug.com/1098690): Trusted Type Polymer
+  source->DisableTrustedTypesCSP();
+
+  source->AddString("lockScreenReauthSubtitile",
+                    l10n_util::GetStringFUTF16(IDS_LOCK_SCREEN_REAUTH_SUBTITLE,
+                                               base::UTF8ToUTF16(email)));
+  source->AddString("lockScreenReauthSubtitileWithError",
+                    l10n_util::GetStringFUTF16(IDS_LOCK_SCREEN_WRONG_USER,
+                                               base::UTF8ToUTF16(email)));
+
+  source->AddString("lockScreenVerifyButton",
+                    l10n_util::GetStringUTF16(IDS_LOCK_SCREEN_VERIFY_BUTTON));
+  source->AddString(
+      "lockScreenVerifyAgainButton",
+      l10n_util::GetStringUTF16(IDS_LOCK_SCREEN_VERIFY_AGAIN_BUTTON));
+  source->AddString("lockScreenCancelButton",
+                    l10n_util::GetStringUTF16(IDS_LOCK_SCREEN_CANCEL_BUTTON));
+  source->AddString("loginWelcomeMessage",
+                    l10n_util::GetStringUTF16(IDS_LOCK_SCREEN_VERIFY_ACCOUNT));
+  source->AddString(
+      "loginWelcomeMessageWithError",
+      l10n_util::GetStringUTF16(IDS_LOCK_SCREEN_VERIFICATION_FAILED));
+
+  source->SetDefaultResource(IDR_LOCK_SCREEN_REAUTH_HTML);
+
+  source->AddResourcePath("authenticator.js", IDR_GAIA_AUTH_AUTHENTICATOR_JS);
+
+  source->AddResourcePath("lock_screen_reauth.js", IDR_LOCK_SCREEN_REAUTH_JS);
+
+  content::WebUIDataSource::Add(profile, source);
+}
+
+LockScreenStartReauthUI::~LockScreenStartReauthUI() = default;
+
+}  // namespace chromeos

chrome/browser/ui/webui/chromeos/in_session_password_change/lock_screen_start_reauth_ui.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_START_REAUTH_UI_H_
+#define CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_START_REAUTH_UI_H_
+
+#include "ui/web_dialogs/web_dialog_ui.h"
+
+namespace chromeos {
+
+// For chrome:://lock-reauth
+class LockScreenStartReauthUI : public ui::WebDialogUI {
+ public:
+  explicit LockScreenStartReauthUI(content::WebUI* web_ui);
+  ~LockScreenStartReauthUI() override;
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_UI_WEBUI_CHROMEOS_IN_SESSION_PASSWORD_CHANGE_LOCK_SCREEN_START_REAUTH_UI_H_

chrome/common/webui_url_constants.cc

@@ -255,6 +255,8 @@ const char kChromeUIInternetConfigDialogHost[] = "internet-config-dialog";
 const char kChromeUIInternetDetailDialogHost[] = "internet-detail-dialog";
 const char kChromeUICrostiniCreditsHost[] = "crostini-credits";
 const char kChromeUICrostiniCreditsURL[] = "chrome://crostini-credits/";
+const char kChromeUILockScreenStartReauthHost[] = "lock-reauth";
+const char kChromeUILockScreenStartReauthURL[] = "chrome://lock-reauth";
 const char kChromeUIMachineLearningInternalsHost[] =
     "machine-learning-internals";
 const char kChromeUIMobileSetupHost[] = "mobilesetup";
@@ -315,6 +317,7 @@ bool IsSystemWebUIHost(base::StringPiece host) {
       kChromeUIFirstRunHost,
       kChromeUIInternetConfigDialogHost,
       kChromeUIInternetDetailDialogHost,
+      kChromeUILockScreenStartReauthHost,
       kChromeUIMobileSetupHost,
       kChromeUIMultiDeviceSetupHost,
       kChromeUINetworkHost,

chrome/common/webui_url_constants.h

@@ -246,6 +246,8 @@ extern const char kChromeUIInternetConfigDialogHost[];
 extern const char kChromeUIInternetDetailDialogHost[];
 extern const char kChromeUICrostiniCreditsHost[];
 extern const char kChromeUICrostiniCreditsURL[];
+extern const char kChromeUILockScreenStartReauthHost[];
+extern const char kChromeUILockScreenStartReauthURL[];
 extern const char kChromeUIMachineLearningInternalsHost[];
 extern const char kChromeUIMobileSetupHost[];
 extern const char kChromeUIMobileSetupURL[];

extensions/common/api/_api_features.json

@@ -231,7 +231,8 @@
         "chrome://hats/*",
         "chrome://mobilesetup/*",
         "chrome://oobe/*",
-        "chrome://password-change/*"
+        "chrome://password-change/*",
+        "chrome://lock-reauth/*"
       ]
     }
   ],
@@ -652,7 +653,8 @@
       "chrome://home/*",
       "chrome://mobilesetup/*",
       "chrome://oobe/*",
-      "chrome://password-change/*"
+      "chrome://password-change/*",
+      "chrome://lock-reauth/*"
     ]
   }],
   "webViewInternal": [{
@@ -673,7 +675,8 @@
       "chrome://home/*",
       "chrome://mobilesetup/*",
       "chrome://oobe/*",
-      "chrome://password-change/*"
+      "chrome://password-change/*",
+      "chrome://lock-reauth/*"
     ]
   }],
   "webViewRequest": [{