diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2015-07-14 15:35:21 -0400 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-07-15 16:39:20 +0200 |
| commit | 426f03dffc8f648a12b5f8a4b2ab30c8b4498be3 (patch) | |
| tree | 0cdf26ef9a5bde9c13c79b7c10b17c0f07769dd4 | |
| parent | ac7c20cca81c3d23ee66f224030b316bdff2274a (diff) | |
| download | ipsilon-426f03dffc8f648a12b5f8a4b2ab30c8b4498be3.tar.gz ipsilon-426f03dffc8f648a12b5f8a4b2ab30c8b4498be3.tar.xz ipsilon-426f03dffc8f648a12b5f8a4b2ab30c8b4498be3.zip | |
Return PAM errors from mod_intercept_form_submit
This fixes several problems:
1. The PAM error was being retrieved from the wrong location
2. The error was not always logged properly
3. The error was not propogated up
4. Even if the error had been propgated up the auth_failed
routine failed to pass it to the error page template.
A dictionary is used to translate the PAM errors into something
more consulable. This can be used eventually to translate
into other languages.
https://fedorahosted.org/ipsilon/ticket/69
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
| -rw-r--r-- | ipsilon/login/authform.py | 22 | ||||
| -rw-r--r-- | ipsilon/login/common.py | 4 |
2 files changed, 18 insertions, 8 deletions
diff --git a/ipsilon/login/authform.py b/ipsilon/login/authform.py index eed35fc..b61d4c9 100644 --- a/ipsilon/login/authform.py +++ b/ipsilon/login/authform.py @@ -9,6 +9,15 @@ from string import Template import cherrypy import subprocess +# Translate PAM errors into more human-digestible values and eventually +# other languages. +PAM_AUTH_ERRORS = { + "Authentication token is no longer valid; new one required": + "Password is expired", + "Authentication failure": + "Authentication failure", +} + class Form(LoginFormBase): @@ -19,12 +28,13 @@ class Form(LoginFormBase): if not user.is_anonymous: return self.lm.auth_successful(self.trans, user.name, 'password') else: - try: - error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR'] - except KeyError: - error = "Unknown error using external authentication" - cherrypy.log.error("Error: %s" % error) - return self.lm.auth_failed(self.trans) + error = cherrypy.request.wsgi_environ.get( + 'EXTERNAL_AUTH_ERROR', + 'Unknown error using external authentication' + ) + error = PAM_AUTH_ERRORS.get(error, error) + cherrypy.log.error("Error: %s" % error) + return self.lm.auth_failed(self.trans, error) class LoginManager(LoginManagerBase): diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py index db71fb0..31053a0 100644 --- a/ipsilon/login/common.py +++ b/ipsilon/login/common.py @@ -85,7 +85,7 @@ class LoginManagerBase(ConfigHelper, PluginObject): trans.wipe() raise cherrypy.HTTPRedirect(redirect) - def auth_failed(self, trans): + def auth_failed(self, trans, message=None): # try with next module next_login = self.next_login() if next_login: @@ -104,7 +104,7 @@ class LoginManagerBase(ConfigHelper, PluginObject): # destroy session and return error if 'login_return' not in transdata: session.logout(None) - raise cherrypy.HTTPError(401) + raise cherrypy.HTTPError(401, message) raise cherrypy.HTTPRedirect(transdata['login_return']) |