authorAbhijeet Kasurde <akasurde@redhat.com>2016-04-20 11:09:53 +0530
committerMartin Basti <mbasti@redhat.com>2016-04-28 17:04:37 +0200
commit3d07c889ce21ffe1d8baec3fd0c13bc67aa1d725 (patch)
tree64de24101dfd378cf73ebc76bfb0f05abf461f3f
parent05cb4ba4e97d8cbffaf1c16451c488db4a90a878 (diff)
Added fix for notifying user about locked user account in WebUI
User is now notified about "Locked User account" message instead of "The password or username you entered is incorrect" or any generic error message Fixes : https://fedorahosted.org/freeipa/ticket/5076 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
-rw-r--r--install/ui/src/freeipa/ipa.js3
-rw-r--r--install/ui/src/freeipa/widgets/LoginScreen.js5
-rw-r--r--ipalib/errors.py6
-rw-r--r--ipaserver/rpcserver.py12
4 files changed, 24 insertions, 2 deletions
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index e241ad30d..830def054 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -498,7 +498,8 @@ IPA.login_password = function(username, password) {
if (reason === 'password-expired' ||
reason === 'denied' ||
reason === 'krbprincipal-expired' ||
- reason === 'invalid-password') {
+ reason === 'invalid-password' ||
+ reason === 'user-locked') {
result = reason;
}
}
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index a9f70cce7..56b388894 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -71,6 +71,8 @@ define(['dojo/_base/declare',
invalid_password: "The password you entered is incorrect. ",
+ user_locked: "The user account you entered is locked. ",
+
//nodes:
login_btn_node: null,
reset_btn_node: null,
@@ -240,6 +242,9 @@ define(['dojo/_base/declare',
} else if (result === 'invalid-password') {
password_f.set_value('');
val_summary.add_error('login', this.invalid_password);
+ } else if (result === 'user-locked') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.user_locked);
} else {
password_f.set_value('');
val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 67ed2818f..52fa25f02 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -607,6 +607,12 @@ class KrbPrincipalExpired(SessionError):
"""
errno = 1203
+class UserLocked(SessionError):
+ """
+ **1204** Raised when a user account is locked.
+ """
+ errno = 1204
+
##############################################################################
# 2000 - 2999: Authorization errors
class AuthorizationError(PublicError):
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 96f82d5e2..df6473669 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
from ipalib.backend import Executioner
from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
- ExecutionError, PasswordExpired, KrbPrincipalExpired)
+ ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
from ipalib.request import context, destroy_context
from ipalib.rpc import (xml_dumps, xml_loads,
json_encode_binary, json_decode_binary)
@@ -954,6 +954,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
start_response,
str(e),
'krbprincipal-expired')
+ except UserLocked as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'user-locked')
return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
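Review bot: The new `except UserLocked` branch returns the reason `user-locked` to a client that has not authenticated, so the password-login endpoint now tells anyone who submits a username that the account exists and is currently locked. That is what the ticket asks for, but before this change a revoked principal fell through to the `invalid-password` path, so a caller could not tell a locked account from a wrong password or see when repeated failures tripped the lockout policy. I would record the trade-off at the branch, e.g. `# Deliberately discloses lockout state to unauthenticated callers (ticket 5076)`, and make sure failed-login monitoring counts these 401 responses as well. `str(e)` is passed through as the response message exactly as in the neighbouring branches; the method body starts outside the hunk.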
@@ -993,9 +998,14 @@ class login_password(Backend, KerberosSession, HTTP_Status):
' has expired while getting initial credentials') in str(e):
raise KrbPrincipalExpired(principal=principal,
message=unicode(e))
+ elif ('kinit: Clients credentials have been revoked '
+ 'while getting initial credentials') in str(e):
+ raise UserLocked(principal=principal,
+ message=unicode(e))
raise InvalidSessionPassword(principal=principal,
message=unicode(e))
+
class change_password(Backend, HTTP_Status):
content_type = 'text/plain'
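Review bot: The `elif` keys on the kinit text `Clients credentials have been revoked`, which to my knowledge the KDC returns for more than password lockout (an administratively disabled principal produces the same error), so `UserLocked` and the "account is locked" message may also be shown for disabled accounts. If that is intended, the `UserLocked` docstring in ipalib/errors.py should say so, e.g. `Raised when the KDC reports the principal's credentials as revoked (locked out or disabled).` The match also depends on the exact English wording of kinit's output, like the branches above it; unless kinit is run with a fixed locale (not visible here), a localized or reworded message falls through to `InvalidSessionPassword`, and a one-line comment noting that dependency would help. The enclosing function starts outside the hunk.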