author | Abhijeet Kasurde <akasurde@redhat.com> | 2016-03-22 15:41:36 +0530 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2016-04-15 17:58:04 +0200 |
commit | 2a20c746336f85c4a9bd095db242de11f0015903 (patch) | |
tree | 48576186c21d44f85fd91fffc7c95c070aec874d | |
parent | d01f7e85560039543b01f3f923c670936e11e31c (diff) | |
Added fix for notifying user about Kerberos principal expiration in WebUI
- User is now notified about "Kerberos Principal expiration" message instead of
"Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
generic error message.
https://fedorahosted.org/freeipa/ticket/5077
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
-rw-r--r-- | install/ui/src/freeipa/ipa.js | 7 | ||||
-rw-r--r-- | install/ui/src/freeipa/widgets/LoginScreen.js | 13 | ||||
-rw-r--r-- | ipalib/errors.py | 8 | ||||
-rw-r--r-- | ipaserver/rpcserver.py | 13 |
4 files changed, 34 insertions, 7 deletions
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 29af40487..e241ad30d 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -5,7 +5,7 @@
 * John Dennis <jdennis@redhat.com>
 * Petr Vobornik <pvoborni@redhat.com>
 *
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
 * see file 'COPYING' for use and warranty information
 *
 * This program is free software; you can redistribute it and/or modify
@@ -495,7 +495,10 @@ IPA.login_password = function(username, password) {
 //change result from invalid only if we have a header which we
 //understand
- if (reason === 'password-expired' || reason === 'denied') {
+ if (reason === 'password-expired' ||
+ reason === 'denied' ||
+ reason === 'krbprincipal-expired' ||
+ reason === 'invalid-password') {
 result = reason;
 }
 }
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 17f891e0e..a9f70cce7 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -1,7 +1,7 @@
 /* Authors:
 * Petr Vobornik <pvoborni@redhat.com>
 *
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
 * see file 'COPYING' for use and warranty information
 *
 * This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
 "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" + " the browser correctly, then click Login. ",
- form_auth_failed: "The password or username you entered is incorrect. ",
+ form_auth_failed: "Login failed due to an unknown reason. ",
 krb_auth_failed: "Authentication with Kerberos failed",
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
 denied: "Sorry you are not allowed to access this service.",
+ krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+ invalid_password: "The password you entered is incorrect. ",
 //nodes:
 login_btn_node: null,
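Review bot: The reason values accepted in `IPA.login_password` (ipa.js, hunk at -495) form an inline `||` chain that has to match, string for string, both the reasons the server sends and the branches LoginScreen.js switches on, and nothing in the hunk records that coupling. A value missing from the chain leaves `result` unchanged, which by the comment above the condition means the plain invalid result. I would add a comment above the condition, e.g. `// keep in sync with the reason strings passed to unauthorized() in ipaserver/rpcserver.py and the branches in LoginScreen.js`. The function body starts and ends outside the hunk.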
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
 } else if (result === 'password-expired') {
 this.set('view', 'reset');
 val_summary.add_info('login', this.password_expired);
+ } else if (result === 'krbprincipal-expired') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.krbprincipal_expired);
+ } else if (result === 'invalid-password') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.invalid_password);
 } else {
 password_f.set_value('');
 val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 2507e13dc..67ed2818f 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1,7 +1,7 @@
 # Authors:
 # Jason Gerard DeRose <jderose@redhat.com>
 #
-# Copyright (C) 2008 Red Hat
+# Copyright (C) 2008-2016 Red Hat
 # see file 'COPYING' for use and warranty inmsgion
 #
 # This program is free software; you can redistribute it and/or modify
@@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
 """
 errno = 1202
+class KrbPrincipalExpired(SessionError):
+ """
+ **1203** Raised when Kerberos Principal is expired.
+ """
+ errno = 1203
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 14796b978..96f82d5e2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
 # Authors:
 # Jason Gerard DeRose <jderose@redhat.com>
 #
-# Copyright (C) 2008 Red Hat
+# Copyright (C) 2008-2016 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
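Review bot: The docstring of the new `KrbPrincipalExpired` class (ipalib/errors.py, hunk at -601) does not say who raises it or why it sits beside `PasswordExpired` rather than under `InvalidSessionPassword`. As far as the visible lines show, it derives directly from `SessionError`, so the existing `except InvalidSessionPassword` clause in `login_password` would not catch it and the separate `except KrbPrincipalExpired` added in ipaserver/rpcserver.py is what handles it. I would extend the docstring with one sentence such as `Raised by login_password when kinit reports that the client's entry has expired; deliberately not a subclass of InvalidSessionPassword.`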
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError, CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
- ExecutionError, PasswordExpired)
+ ExecutionError, PasswordExpired, KrbPrincipalExpired)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads, json_encode_binary, json_decode_binary)
@@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 return self.unauthorized(environ, start_response, str(e), 'password-expired')
 except InvalidSessionPassword as e:
 return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+ except KrbPrincipalExpired as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'krbprincipal-expired')
 return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
@@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 if ('kinit: Cannot read password while ' 'getting initial credentials') in str(e):
 raise PasswordExpired(principal=principal, message=unicode(e))
+ elif ('kinit: Client\'s entry in database'
+ ' has expired while getting initial credentials') in str(e):
+ raise KrbPrincipalExpired(principal=principal,
+ message=unicode(e))
 raise InvalidSessionPassword(principal=principal, message=unicode(e)) |
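Review bot: The new `except KrbPrincipalExpired` branch (hunk at -949) tells a caller who has not authenticated that the account exists and is expired: it returns the distinct reason `'krbprincipal-expired'` and hands `str(e)`, the raw kinit message, to `self.unauthorized`, which presumably places it in the response. Whether the KDC verifies the password before it reports expiry is not visible here, so the answer may be available for any username without the password. If the disclosure is an accepted usability trade-off, I would record that above the branch, e.g. `# Deliberately distinguishes an expired principal from a bad password (ticket 5077)`, and consider passing a fixed message instead of `str(e)`. The enclosing method starts and ends outside the hunk.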
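Review bot: Every kinit failure that matches neither substring (hunk at -984) still ends at `raise InvalidSessionPassword(...)`, and with this commit the WebUI renders that reason as "The password you entered is incorrect." A failure that has nothing to do with the password is therefore now reported as a wrong password, where the previous generic text did not claim a cause. The classification also depends on the exact English wording of kinit's stderr; if kinit runs under another locale or a release words the message differently, the new `elif` never matches and the expired principal falls through to the same wrong-password message. I would add a comment recording that dependency, e.g. `# Matches kinit's untranslated stderr text; kinit must run with LC_ALL=C`, and confirm that the environment passed to kinit pins the locale. The kinit call and the start of the enclosing method are outside the hunk.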