/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */

/*

 * Copyright © 2012 – 2017 Red Hat, Inc.

 *

 * This library is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public

 * License as published by the Free Software Foundation; either

 * version 2 of the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General

 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.

 */

#include "config.h"

#include <glib/gi18n-lib.h>

#include "goaprovider.h"

#include "goaprovider-priv.h"

#include "goakerberosprovider.h"

#include "goautils.h"

#include "goaidentity.h"

#include "goaidentitymanagererror.h"

#include <gcr/gcr.h>

#include "org.gnome.Identity.h"

struct _GoaKerberosProvider

{

  GoaProvider parent_instance;

};

typedef struct _GoaKerberosProviderClass GoaKerberosProviderClass;

struct _GoaKerberosProviderClass

{

  GoaProviderClass parent_class;

};

static GoaIdentityServiceManager *identity_manager;

static GMutex identity_manager_mutex;

static GCond identity_manager_condition;

static GDBusObjectManager *object_manager;

static GMutex object_manager_mutex;

static GCond object_manager_condition;

static void ensure_identity_manager (void);

static void ensure_object_manager (void);

static char *sign_in_identity_sync (GoaKerberosProvider  *self,

                                    const char           *identifier,

                                    const char           *password,

                                    const char           *preauth_source,

                                    GCancellable         *cancellable,

                                    GError              **error);

static void sign_in_thread (GTask               *result,

                            GoaKerberosProvider *self,

                            gpointer             task_data,

                            GCancellable        *cancellable);

static GoaIdentityServiceIdentity *get_identity_from_object_manager (GoaKerberosProvider *self,

                                                                     const char          *identifier);

static gboolean dbus_proxy_reload_properties_sync (GDBusProxy    *proxy,

                                                   GCancellable  *cancellable);

static void goa_kerberos_provider_module_init (void);

static void create_object_manager (void);

static void create_identity_manager (void);

G_DEFINE_TYPE_WITH_CODE (GoaKerberosProvider, goa_kerberos_provider, GOA_TYPE_PROVIDER,

                         goa_kerberos_provider_module_init ();

                         goa_provider_ensure_extension_points_registered ();

                         g_io_extension_point_implement (GOA_PROVIDER_EXTENSION_POINT_NAME,

                                                         g_define_type_id,

                                                         GOA_KERBEROS_NAME,

                                                         0));

static void

goa_kerberos_provider_module_init (void)

{

  create_object_manager ();

  create_identity_manager ();

  g_debug ("activated kerberos provider");

}

static const gchar *

get_provider_type (GoaProvider *provider)

{

  return GOA_KERBEROS_NAME;

}

static gchar *

get_provider_name (GoaProvider *provider, GoaObject *object)

{

  return g_strdup(_("Enterprise Login (Kerberos)"));

}

static GoaProviderGroup

get_provider_group (GoaProvider *_provider)

{

  return GOA_PROVIDER_GROUP_TICKETING;

}

static GoaProviderFeatures

get_provider_features (GoaProvider *_provider)

{

  return GOA_PROVIDER_FEATURE_TICKETING;

}

static GIcon *

get_provider_icon (GoaProvider *provider, GoaObject *object)

{

  return g_themed_icon_new_with_default_fallbacks ("dialog-password-symbolic");

}

typedef struct

{

  GCancellable *cancellable;

  GtkDialog *dialog;

  GMainLoop *loop;

  GtkWidget *cluebar;

  GtkWidget *cluebar_label;

  GtkWidget *connect_button;

  GtkWidget *progress_grid;

  GtkWidget *principal;

  gchar *account_object_path;

  GError *error;

} SignInRequest;

static void

translate_error (GError **error)

{

  if (!g_dbus_error_is_remote_error (*error))

    return;

  g_dbus_error_strip_remote_error (*error);

}

static void

sign_in_identity (GoaKerberosProvider  *self,

                  const char           *identifier,

                  const char           *password,

                  const char           *preauth_source,

                  GCancellable         *cancellable,

                  GAsyncReadyCallback   callback,

                  gpointer              user_data)

{

  GTask *operation_result;

  operation_result = g_task_new (self, cancellable, callback, user_data);

  g_task_set_source_tag (operation_result, (gpointer) identifier);

  g_object_set_data (G_OBJECT (operation_result),

                     "password",

                     (gpointer)

                     password);

  g_object_set_data_full (G_OBJECT (operation_result),

                          "preauthentication-source",

                          g_strdup (preauth_source),

                          g_free);

  g_task_run_in_thread (operation_result, (GTaskThreadFunc) sign_in_thread);

  g_object_unref (operation_result);

}

static gchar *

sign_in_identity_finish (GoaKerberosProvider  *self,

                         GAsyncResult         *result,

                         GError              **error)

{

  GTask *task;

  g_return_val_if_fail (GOA_IS_KERBEROS_PROVIDER (self), NULL);

  g_return_val_if_fail (error == NULL || *error == NULL, NULL);

  g_return_val_if_fail (g_task_is_valid (result, self), NULL);

  task = G_TASK (result);

  return g_task_propagate_pointer (task, error);

}

static gboolean

get_ticket_sync (GoaKerberosProvider *self,

                 GoaObject           *object,

                 gboolean             is_interactive,

                 GCancellable        *cancellable,

                 GError             **error)

{

  GVariant            *credentials = NULL;

  GError              *lookup_error;

  GError              *sign_in_error;

  GoaAccount          *account;

  GoaTicketing        *ticketing;

  GVariant            *details;

  const char          *identifier;

  const char          *password;

  const char          *preauth_source;

  char                *object_path = NULL;

  gboolean             ret = FALSE;

  account = goa_object_get_account (object);

  identifier = goa_account_get_identity (account);

  ticketing = goa_object_get_ticketing (object);

  if (ticketing == NULL)

    {

      g_set_error (error,

                   GOA_ERROR,

                   GOA_ERROR_NOT_SUPPORTED,

                   _("Ticketing is disabled for account"));

      goto out;

    }

  details = goa_ticketing_get_details (ticketing);

  preauth_source = NULL;

  g_variant_lookup (details, "preauthentication-source", "&s", &preauth_source);

  password = NULL;

  lookup_error = NULL;

  credentials = goa_utils_lookup_credentials_sync (GOA_PROVIDER (self),

                                                   object,

                                                   cancellable,

                                                   &lookup_error);

  if (credentials == NULL && !is_interactive)

    {

      if (lookup_error != NULL)

          g_propagate_error (error, lookup_error);

      else

          g_set_error (error,

                       GOA_ERROR,

                       GOA_ERROR_NOT_AUTHORIZED,

                       _("Could not find saved credentials for principal “%s” in keyring"), identifier);

      goto out;

    }

  else if (credentials != NULL)

    {

      gboolean has_password;

      has_password = g_variant_lookup (credentials, "password", "&s", &password);

      if (!has_password && !is_interactive)

        {

          g_set_error (error,

                       GOA_ERROR,

                       GOA_ERROR_NOT_AUTHORIZED,

                       _("Did not find password for principal “%s” in credentials"),

                       identifier);

          goto out;

        }

    }

  sign_in_error = NULL;

  object_path = sign_in_identity_sync (self,

                                       identifier,

                                       password,

                                       preauth_source,

                                       cancellable,

                                       &sign_in_error);

  if (sign_in_error != NULL)

    {

      g_propagate_error (error, sign_in_error);

      goto out;

    }

  ret = TRUE;

 out:

  g_clear_object (&account);

  g_clear_object (&ticketing);

  g_free (object_path);

  g_clear_pointer (&credentials, (GDestroyNotify) g_variant_unref);

  return ret;

}

static void

notify_is_temporary_cb (GObject *object, GParamSpec *pspec, gpointer user_data)

{

  GoaAccount *account;

  gboolean is_temporary;

  account = GOA_ACCOUNT (object);

  is_temporary = goa_account_get_is_temporary (account);

  /* Toggle IsTemporary */

  goa_utils_keyfile_set_boolean (account, "IsTemporary", is_temporary);

  /* Set/unset SessionId */

  if (is_temporary)

    {

      GDBusConnection *connection;

      const gchar *guid;

      connection = G_DBUS_CONNECTION (user_data);

      guid = g_dbus_connection_get_guid (connection);

      goa_utils_keyfile_set_string (account, "SessionId", guid);

    }

  else

    goa_utils_keyfile_remove_key (account, "SessionId");

}

static gboolean

on_handle_get_ticket (GoaTicketing          *interface,

                      GDBusMethodInvocation *invocation)

{

  GoaObject *object;

  GoaAccount *account;

  GoaProvider *provider;

  GError *error;

  gboolean got_ticket;

  const gchar *id;

  const gchar *method_name;

  const gchar *provider_type;

  object = GOA_OBJECT (g_dbus_interface_get_object (G_DBUS_INTERFACE (interface)));

  account = goa_object_peek_account (object);

  id = goa_account_get_id (account);

  provider_type = goa_account_get_provider_type (account);

  method_name = g_dbus_method_invocation_get_method_name (invocation);

  g_debug ("Handling %s for account (%s, %s)", method_name, provider_type, id);

  provider = goa_provider_get_for_provider_type (provider_type);

  error = NULL;

  got_ticket = get_ticket_sync (GOA_KERBEROS_PROVIDER (provider),

                                object,

                                TRUE /* Allow interaction */,

                                NULL,

                                &error);

  if (!got_ticket)

    g_dbus_method_invocation_take_error (invocation, error);

  else

    goa_ticketing_complete_get_ticket (interface, invocation);

  g_object_unref (provider);

  return TRUE;

}

static gboolean

build_object (GoaProvider         *provider,

              GoaObjectSkeleton   *object,

              GKeyFile            *key_file,

              const gchar         *group,

              GDBusConnection     *connection,

              gboolean             just_added,

              GError             **error)

{

  GoaAccount   *account;

  GoaTicketing *ticketing = NULL;

  gboolean      ticketing_enabled;

  gboolean      ret = FALSE;

  if (!GOA_PROVIDER_CLASS (goa_kerberos_provider_parent_class)->build_object (provider,

                                                                              object,

                                                                              key_file,

                                                                              group,

                                                                              connection,

                                                                              just_added,

                                                                              error))

    goto out;

  account = goa_object_get_account (GOA_OBJECT (object));

  ticketing = goa_object_get_ticketing (GOA_OBJECT (object));

  ticketing_enabled = g_key_file_get_boolean (key_file, group, "TicketingEnabled", NULL);

  if (ticketing_enabled)

    {

      if (ticketing == NULL)

        {

          char            *preauthentication_source;

          GVariantBuilder  details;

          ticketing = goa_ticketing_skeleton_new ();

          g_signal_connect (ticketing,

                            "handle-get-ticket",

                            G_CALLBACK (on_handle_get_ticket),

                            NULL);

          goa_object_skeleton_set_ticketing (object, ticketing);

          g_variant_builder_init (&details, G_VARIANT_TYPE ("a{ss}"));

	  preauthentication_source = g_key_file_get_string (key_file, group, "PreauthenticationSource", NULL);

          if (preauthentication_source)

            g_variant_builder_add (&details, "{ss}", "preauthentication-source", preauthentication_source);

	  g_object_set (G_OBJECT (ticketing), "details", g_variant_builder_end (&details), NULL);

        }

    }

  else if (ticketing != NULL)

    {

      goa_object_skeleton_set_ticketing (object, NULL);

    }

  if (just_added)

    {

      goa_account_set_ticketing_disabled (account, !ticketing_enabled);

      g_signal_connect (account,

                        "notify::is-temporary",

                        G_CALLBACK (notify_is_temporary_cb),

                        connection);

      g_signal_connect (account,

                        "notify::ticketing-disabled",

                        G_CALLBACK (goa_util_account_notify_property_cb),

                        (gpointer) "TicketingEnabled");

    }

  ret = TRUE;

 out:

  g_clear_object (&ticketing);

  return ret;

}

static void

add_entry (GtkWidget     *grid,

           gint           row,

           const gchar   *text,

           GtkWidget    **out_entry)

{

  GtkStyleContext *context;

  GtkWidget *label;

  GtkWidget *entry;

  label = gtk_label_new_with_mnemonic (text);

  context = gtk_widget_get_style_context (label);

  gtk_style_context_add_class (context, GTK_STYLE_CLASS_DIM_LABEL);

  gtk_widget_set_halign (label, GTK_ALIGN_END);

  gtk_widget_set_hexpand (label, TRUE);

  gtk_grid_attach (GTK_GRID (grid), label, 0, row, 1, 1);

  entry = gtk_entry_new ();

  gtk_widget_set_hexpand (entry, TRUE);

  gtk_entry_set_activates_default (GTK_ENTRY (entry), TRUE);

  gtk_grid_attach (GTK_GRID (grid), entry, 1, row, 3, 1);

  gtk_label_set_mnemonic_widget (GTK_LABEL (label), entry);

  if (out_entry != NULL)

    *out_entry = entry;

}

static gchar *

normalize_principal (const gchar *principal, gchar **out_realm)

{

  gchar *domain = NULL;

  gchar *realm = NULL;

  gchar *ret = NULL;

  gchar *username = NULL;

  if (!goa_utils_parse_email_address (principal, &username, &domain))

    goto out;

  realm = g_utf8_strup (domain, -1);

  ret = g_strconcat (username, "@", realm, NULL);

  if (out_realm != NULL)

    {

      *out_realm = realm;

      realm = NULL;

    }

 out:

  g_free (domain);

  g_free (realm);

  g_free (username);

  return ret;

}

static void

on_principal_changed (GtkEditable *editable, gpointer user_data)

{

  SignInRequest *request = user_data;

  gboolean can_add;

  const gchar *principal;

  principal = gtk_entry_get_text (GTK_ENTRY (request->principal));

  can_add = goa_utils_parse_email_address (principal, NULL, NULL);

  gtk_dialog_set_response_sensitive (request->dialog, GTK_RESPONSE_OK, can_add);

}

static void

show_progress_ui (GtkContainer *container, gboolean progress)

{

  GList *children;

  GList *l;

  children = gtk_container_get_children (container);

  for (l = children; l != NULL; l = l->next)

    {

      GtkWidget *widget = GTK_WIDGET (l->data);

      gdouble opacity;

      opacity = progress ? 1.0 : 0.0;

      gtk_widget_set_opacity (widget, opacity);

    }

  g_list_free (children);

}

static void

create_account_details_ui (GoaKerberosProvider *self,

                           GtkDialog           *dialog,

                           GtkWidget           *vbox,

                           gboolean             new_account,

                           SignInRequest       *request)

{

  GtkWidget *grid0;

  GtkWidget *grid1;

  GtkWidget *label;

  GtkWidget *spinner;

  gint row;

  gint width;

  goa_utils_set_dialog_title (GOA_PROVIDER (self), dialog, new_account);

  grid0 = gtk_grid_new ();

  gtk_container_set_border_width (GTK_CONTAINER (grid0), 5);

  gtk_widget_set_margin_bottom (grid0, 6);

  gtk_orientable_set_orientation (GTK_ORIENTABLE (grid0), GTK_ORIENTATION_VERTICAL);

  gtk_grid_set_row_spacing (GTK_GRID (grid0), 12);

  gtk_container_add (GTK_CONTAINER (vbox), grid0);

  request->cluebar = gtk_info_bar_new ();

  gtk_info_bar_set_message_type (GTK_INFO_BAR (request->cluebar), GTK_MESSAGE_ERROR);

  gtk_widget_set_hexpand (request->cluebar, TRUE);

  gtk_widget_set_no_show_all (request->cluebar, TRUE);

  gtk_container_add (GTK_CONTAINER (grid0), request->cluebar);

  request->cluebar_label = gtk_label_new ("");

  gtk_label_set_line_wrap (GTK_LABEL (request->cluebar_label), TRUE);

  gtk_container_add (GTK_CONTAINER (gtk_info_bar_get_content_area (GTK_INFO_BAR (request->cluebar))),

                     request->cluebar_label);

  grid1 = gtk_grid_new ();

  gtk_grid_set_column_spacing (GTK_GRID (grid1), 12);

  gtk_grid_set_row_spacing (GTK_GRID (grid1), 12);

  gtk_container_add (GTK_CONTAINER (grid0), grid1);

  row = 0;

  add_entry (grid1, row++, _("_Principal"), &request->principal);

  gtk_widget_grab_focus (request->principal);

  g_signal_connect (request->principal, "changed", G_CALLBACK (on_principal_changed), request);

  gtk_dialog_add_button (request->dialog, _("_Cancel"), GTK_RESPONSE_CANCEL);

  request->connect_button = gtk_dialog_add_button (request->dialog, _("C_onnect"), GTK_RESPONSE_OK);

  gtk_dialog_set_default_response (request->dialog, GTK_RESPONSE_OK);

  gtk_dialog_set_response_sensitive (request->dialog, GTK_RESPONSE_OK, FALSE);

  request->progress_grid = gtk_grid_new ();

  gtk_orientable_set_orientation (GTK_ORIENTABLE (request->progress_grid), GTK_ORIENTATION_HORIZONTAL);

  gtk_grid_set_column_spacing (GTK_GRID (request->progress_grid), 3);

  gtk_container_add (GTK_CONTAINER (grid0), request->progress_grid);

  spinner = gtk_spinner_new ();

  gtk_widget_set_opacity (spinner, 0.0);

  gtk_widget_set_size_request (spinner, 20, 20);

  gtk_spinner_start (GTK_SPINNER (spinner));

  gtk_container_add (GTK_CONTAINER (request->progress_grid), spinner);

  label = gtk_label_new (_("Connecting…"));

  gtk_widget_set_opacity (label, 0.0);

  gtk_container_add (GTK_CONTAINER (request->progress_grid), label);

  gtk_window_get_size (GTK_WINDOW (request->dialog), &width, NULL);

  gtk_window_set_default_size (GTK_WINDOW (request->dialog), width, -1);

}

static void

add_account_cb (GoaManager   *manager,

                GAsyncResult *result,

                gpointer      user_data)

{

  SignInRequest *request = user_data;

  goa_manager_call_add_account_finish (manager,

                                       &request->account_object_path,

                                       result,

                                       &request->error);

  if (request->error != NULL)

    translate_error (&request->error);

  g_main_loop_quit (request->loop);

  gtk_widget_set_sensitive (request->connect_button, TRUE);

  gtk_widget_set_sensitive (request->principal, TRUE);

  show_progress_ui (GTK_CONTAINER (request->progress_grid), FALSE);

}

static void

remove_account_cb (GoaAccount   *account,

                   GAsyncResult *result,

                   GMainLoop    *loop)

{

  goa_account_call_remove_finish (account, result, NULL);

  g_main_loop_quit (loop);

}

static gboolean

refresh_account (GoaProvider    *provider,

                 GoaClient      *client,

                 GoaObject      *object,

                 GtkWindow      *parent,

                 GError        **error)

{

  GoaKerberosProvider *self = GOA_KERBEROS_PROVIDER (provider);

  gboolean             got_ticket;

  GError              *ticket_error = NULL;

  g_return_val_if_fail (GOA_IS_KERBEROS_PROVIDER (provider), FALSE);

  g_return_val_if_fail (GOA_IS_CLIENT (client), FALSE);

  g_return_val_if_fail (GOA_IS_OBJECT (object), FALSE);

  g_return_val_if_fail (parent == NULL || GTK_IS_WINDOW (parent), FALSE);

  g_return_val_if_fail (error == NULL || *error == NULL, FALSE);

  got_ticket = get_ticket_sync (self,

                                object,

                                TRUE /* Allow interaction */,

                                NULL,

                                &ticket_error);

  if (ticket_error != NULL)

    {

      translate_error (&ticket_error);

      g_propagate_error (error, ticket_error);

    }

  return got_ticket;

}

static void

on_initial_sign_in_done (GoaKerberosProvider *self,

                         GAsyncResult        *result,

                         GTask               *operation_result)

{

  GError     *error;

  gboolean    remember_password;

  GoaObject  *object;

  char       *object_path;

  object = g_task_get_source_tag (operation_result);

  remember_password = GPOINTER_TO_INT (g_object_get_data (G_OBJECT (operation_result),

                                                          "remember-password"));

  error = NULL;

  object_path = sign_in_identity_finish (self, result, &error);

  if (error != NULL)

    {

      g_task_return_error (operation_result, error);

      goto out;

    }

  if (remember_password)

    {

      GVariantBuilder  builder;

      if (object_path != NULL && object != NULL)

        {

          GcrSecretExchange *secret_exchange;

          const char        *password;

          secret_exchange = g_object_get_data (G_OBJECT (operation_result), "secret-exchange");

          password = gcr_secret_exchange_get_secret (secret_exchange, NULL);

          /* FIXME: we go to great lengths to keep the password in non-pageable memory,

           * and then just duplicate it into a gvariant here

           */

          g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);

          g_variant_builder_add (&builder,

                                 "{sv}",

                                 "password",

                                 g_variant_new_string (password));

          error = NULL;

          goa_utils_store_credentials_for_object_sync (GOA_PROVIDER (self),

                                                       object,

                                                       g_variant_builder_end (&builder),

                                                       NULL,

                                                       NULL);

        }

    }

  g_task_return_boolean (operation_result, TRUE);

 out:

  g_free (object_path);

  g_object_unref (operation_result);

}

static void

on_system_prompt_answered_for_initial_sign_in (GcrPrompt          *prompt,

                                               GAsyncResult       *result,

                                               GTask              *operation_result)

{

  GoaKerberosProvider *self;

  GCancellable        *cancellable;

  GError              *error;

  const char          *principal;

  const char          *password;

  const char          *preauth_source;

  GcrSecretExchange   *secret_exchange;

  self = GOA_KERBEROS_PROVIDER (g_task_get_source_object (operation_result));

  principal = g_object_get_data (G_OBJECT (operation_result), "principal");

  cancellable = g_task_get_cancellable (operation_result);

  /* We currently don't prompt the user to choose a preauthentication source during initial sign in

   * so we assume there's no preauthentication source

   */

  preauth_source = NULL;

  error = NULL;

  password = gcr_prompt_password_finish (prompt, result, &error);

  if (password == NULL)

    {

      gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, NULL);

      if (error != NULL)

        {

          g_task_return_error (operation_result, error);

        }

      else

        {

          g_task_return_new_error (operation_result,

                                   G_IO_ERROR,

                                   G_IO_ERROR_CANCELLED,

                                   _("Operation was cancelled"));

        }

      g_object_unref (operation_result);

      return;

    }

  secret_exchange = gcr_system_prompt_get_secret_exchange (GCR_SYSTEM_PROMPT (prompt));

  g_object_set_data_full (G_OBJECT (operation_result),

                          "secret-exchange",

                          g_object_ref (secret_exchange),

                          (GDestroyNotify)

                          g_object_unref);

  g_object_set_data (G_OBJECT (operation_result),

                     "remember-password",

                     GINT_TO_POINTER (gcr_prompt_get_choice_chosen (prompt)));

  gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, NULL);

  sign_in_identity (self,

                    principal,

                    password,

                    preauth_source,

                    cancellable,

                    (GAsyncReadyCallback)

                    on_initial_sign_in_done,

                    operation_result);

}

static void

on_system_prompt_open_for_initial_sign_in (GcrSystemPrompt     *system_prompt,

                                           GAsyncResult        *result,

                                           GTask               *operation_result)

{

  GCancellable *cancellable;

  GcrPrompt    *prompt = NULL;

  GError       *error;

  cancellable = g_task_get_cancellable (operation_result);

  error = NULL;

  prompt = gcr_system_prompt_open_finish (result, &error);

  if (prompt == NULL)

    {

      g_task_return_error (operation_result, error);

      g_object_unref (operation_result);

      goto out;

    }

  gcr_prompt_set_title (prompt, _("Log In to Realm"));

  gcr_prompt_set_description (prompt, _("Please enter your password below."));

  gcr_prompt_set_choice_label (prompt, _("Remember this password"));

  gcr_prompt_password_async (prompt,

                             cancellable,

                             (GAsyncReadyCallback)

                             on_system_prompt_answered_for_initial_sign_in,

                             operation_result);

 out:

  g_clear_object (&prompt);

}

static void

perform_initial_sign_in (GoaKerberosProvider *self,

                         GoaObject           *object,

                         const char          *principal,

                         GCancellable        *cancellable,

                         GAsyncReadyCallback  callback,

                         gpointer             user_data)

{

  GTask        *operation_result;

  operation_result = g_task_new (self, cancellable, callback, user_data);

  g_task_set_source_tag (operation_result, object);

  g_object_set_data (G_OBJECT (operation_result),

                     "principal",

                     (gpointer)

                     principal);

  gcr_system_prompt_open_async (-1,

                                cancellable,

                                (GAsyncReadyCallback)

                                on_system_prompt_open_for_initial_sign_in,

                                operation_result);

}

static gboolean

perform_initial_sign_in_finish (GoaKerberosProvider  *self,

                                GAsyncResult         *result,

                                GError              **error)

{

  GTask *task;

  g_return_val_if_fail (GOA_IS_KERBEROS_PROVIDER (self), FALSE);

  g_return_val_if_fail (g_task_is_valid (result, self), FALSE);

  task = G_TASK (result);

  g_return_val_if_fail (error == NULL || *error == NULL, FALSE);

  return g_task_propagate_boolean (task, error);

}

static void

on_account_signed_in (GoaKerberosProvider  *self,

                      GAsyncResult         *result,

                      SignInRequest        *request)

{

  perform_initial_sign_in_finish (self, result, &request->error);

  g_main_loop_quit (request->loop);

}

static GoaObject *

add_account (GoaProvider    *provider,

             GoaClient      *client,

             GtkDialog      *dialog,

             GtkBox         *vbox,

             GError        **error)

{

  GoaKerberosProvider *self = GOA_KERBEROS_PROVIDER (provider);

  SignInRequest request;

  GVariantBuilder credentials;

  GVariantBuilder details;

  GoaObject   *object = NULL;

  GoaAccount  *account;

  char        *realm = NULL;

  const char *principal_text;

  const char *provider_type;

  gchar      *principal = NULL;

  gint        response;

  memset (&request, 0, sizeof (SignInRequest));

  request.cancellable = g_cancellable_new ();