Added fix for notifying user about Kerberos principal expiration in WebUI

- The user is now shown a "Kerberos Principal expiration" message instead of
  the "Wrong username or password" message.
- The user is also shown an "Invalid password" message instead of
  a generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Abhijeet Kasurde 2016-03-22 15:41:36 +05:30 committed by Petr Vobornik
parent d01f7e8556
commit 2a20c74633
4 changed files with 34 additions and 7 deletions


@ -5,7 +5,7 @@
* John Dennis <jdennis@redhat.com> * John Dennis <jdennis@redhat.com>
* Petr Vobornik <pvoborni@redhat.com> * Petr Vobornik <pvoborni@redhat.com>
* *
* Copyright (C) 2010 Red Hat * Copyright (C) 2010-2016 Red Hat
* see file 'COPYING' for use and warranty information * see file 'COPYING' for use and warranty information
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
@ -495,7 +495,10 @@ IPA.login_password = function(username, password) {
//change result from invalid only if we have a header which we //change result from invalid only if we have a header which we
//understand //understand
if (reason === 'password-expired' || reason === 'denied') { if (reason === 'password-expired' ||
reason === 'denied' ||
reason === 'krbprincipal-expired' ||
reason === 'invalid-password') {
result = reason; result = reason;
} }
} }
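Review bot: The accepted-reason check in IPA.login_password is now a four-way `===` chain, and each new reason code has to be added both here and in the login screen's result handling. Keeping the allow-list in one array, for example `var known = ['password-expired', 'denied', 'krbprincipal-expired', 'invalid-password'];` followed by `if (known.indexOf(reason) !== -1) {`, makes it easier to see which server-supplied values are trusted. The function body starts and ends outside this hunk.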


@ -1,7 +1,7 @@
/* Authors: /* Authors:
* Petr Vobornik <pvoborni@redhat.com> * Petr Vobornik <pvoborni@redhat.com>
* *
* Copyright (C) 2013 Red Hat * Copyright (C) 2013-2016 Red Hat
* see file 'COPYING' for use and warranty information * see file 'COPYING' for use and warranty information
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
@ -57,7 +57,7 @@ define(['dojo/_base/declare',
"<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" + "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
" the browser correctly, then click Login. ", " the browser correctly, then click Login. ",
form_auth_failed: "The password or username you entered is incorrect. ", form_auth_failed: "Login failed due to an unknown reason. ",
krb_auth_failed: "Authentication with Kerberos failed", krb_auth_failed: "Authentication with Kerberos failed",
@ -67,6 +67,9 @@ define(['dojo/_base/declare',
denied: "Sorry you are not allowed to access this service.", denied: "Sorry you are not allowed to access this service.",
krbprincipal_expired: "Kerberos Principal you entered is expired.",
invalid_password: "The password you entered is incorrect. ",
//nodes: //nodes:
login_btn_node: null, login_btn_node: null,
@ -231,6 +234,12 @@ define(['dojo/_base/declare',
} else if (result === 'password-expired') { } else if (result === 'password-expired') {
this.set('view', 'reset'); this.set('view', 'reset');
val_summary.add_info('login', this.password_expired); val_summary.add_info('login', this.password_expired);
} else if (result === 'krbprincipal-expired') {
password_f.set_value('');
val_summary.add_error('login', this.krbprincipal_expired);
} else if (result === 'invalid-password') {
password_f.set_value('');
val_summary.add_error('login', this.invalid_password);
} else { } else {
password_f.set_value(''); password_f.set_value('');
val_summary.add_error('login', this.form_auth_failed); val_summary.add_error('login', this.form_auth_failed);
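Review bot: The new `invalid_password` text says the password is incorrect, but the server side of this commit raises InvalidSessionPassword as the catch-all for any kinit failure it does not recognise and maps it to 'invalid-password', so the same text would presumably appear for an unknown username or an unrelated kinit failure. The previous combined wording avoided confirming that a username exists; I would keep it for this branch, `invalid_password: "The password or username you entered is incorrect. ",`. The `else if` chain is part of a handler whose start and end are outside the hunk.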


@ -1,7 +1,7 @@
# Authors: # Authors:
# Jason Gerard DeRose <jderose@redhat.com> # Jason Gerard DeRose <jderose@redhat.com>
# #
# Copyright (C) 2008 Red Hat # Copyright (C) 2008-2016 Red Hat
# see file 'COPYING' for use and warranty inmsgion # see file 'COPYING' for use and warranty inmsgion
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
""" """
errno = 1202 errno = 1202
class KrbPrincipalExpired(SessionError):
"""
**1203** Raised when Kerberos Principal is expired.
"""
errno = 1203
############################################################################## ##############################################################################
# 2000 - 2999: Authorization errors # 2000 - 2999: Authorization errors
class AuthorizationError(PublicError): class AuthorizationError(PublicError):
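Review bot: The docstring of KrbPrincipalExpired does not say that the class derives from SessionError rather than InvalidSessionPassword, which matters because an existing `except InvalidSessionPassword` handler will not catch it. I would extend it to something like `**1203** Raised when the Kerberos principal has expired; not a subclass of InvalidSessionPassword, so callers must catch it explicitly.` Whether any other caller relies on the old single exception type is not visible in this hunk.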


@ -1,7 +1,7 @@
# Authors: # Authors:
# Jason Gerard DeRose <jderose@redhat.com> # Jason Gerard DeRose <jderose@redhat.com>
# #
# Copyright (C) 2008 Red Hat # Copyright (C) 2008-2016 Red Hat
# see file 'COPYING' for use and warranty information # see file 'COPYING' for use and warranty information
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
from ipalib.backend import Executioner from ipalib.backend import Executioner
from ipalib.errors import (PublicError, InternalError, CommandError, JSONError, from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError, CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
ExecutionError, PasswordExpired) ExecutionError, PasswordExpired, KrbPrincipalExpired)
from ipalib.request import context, destroy_context from ipalib.request import context, destroy_context
from ipalib.rpc import (xml_dumps, xml_loads, from ipalib.rpc import (xml_dumps, xml_loads,
json_encode_binary, json_decode_binary) json_encode_binary, json_decode_binary)
@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
return self.unauthorized(environ, start_response, str(e), 'password-expired') return self.unauthorized(environ, start_response, str(e), 'password-expired')
except InvalidSessionPassword as e: except InvalidSessionPassword as e:
return self.unauthorized(environ, start_response, str(e), 'invalid-password') return self.unauthorized(environ, start_response, str(e), 'invalid-password')
except KrbPrincipalExpired as e:
return self.unauthorized(environ,
start_response,
str(e),
'krbprincipal-expired')
return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response) return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
if ('kinit: Cannot read password while ' if ('kinit: Cannot read password while '
'getting initial credentials') in str(e): 'getting initial credentials') in str(e):
raise PasswordExpired(principal=principal, message=unicode(e)) raise PasswordExpired(principal=principal, message=unicode(e))
elif ('kinit: Client\'s entry in database'
' has expired while getting initial credentials') in str(e):
raise KrbPrincipalExpired(principal=principal,
message=unicode(e))
raise InvalidSessionPassword(principal=principal, raise InvalidSessionPassword(principal=principal,
message=unicode(e)) message=unicode(e))
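Review bot: The new `except KrbPrincipalExpired` branch in login_password returns 'krbprincipal-expired' to a client that has not authenticated, so the response reveals that the principal exists and is expired; as far as I know the KDC reports an expired client entry before it verifies the password, which would make this independent of the password supplied. If that disclosure is accepted, record it at the handler, e.g. `# NOTE: reveals account state before authentication; failed-login logging and throttling must cover this path`. Separately, the `elif` in the kinit error handling matches an English kinit message, and nothing in the hunk shows that kinit runs under a fixed locale; with translated output the branch is skipped and the error falls through to InvalidSessionPassword. Both functions start outside the visible hunks.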