Added fix for notifying user about Kerberos principal expiration in WebUI

- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

install/ui/src/freeipa/ipa.js

@@ -5,7 +5,7 @@
  *    John Dennis <jdennis@redhat.com>
  *    Petr Vobornik <pvoborni@redhat.com>
  *
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -495,7 +495,10 @@ IPA.login_password = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired' || reason === 'denied') {
+            if (reason === 'password-expired' ||
+                reason === 'denied' ||
+                reason === 'krbprincipal-expired' ||
+                reason === 'invalid-password') {
                 result = reason;
             }
         }

install/ui/src/freeipa/widgets/LoginScreen.js

@@ -1,7 +1,7 @@
 /*  Authors:
  *    Petr Vobornik <pvoborni@redhat.com>
  *
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
                     "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
                     " the browser correctly, then click Login. ",
 
-        form_auth_failed: "The password or username you entered is incorrect. ",
+        form_auth_failed: "Login failed due to an unknown reason. ",
 
         krb_auth_failed: "Authentication with Kerberos failed",
 
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
 
         denied: "Sorry you are not allowed to access this service.",
 
+        krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+        invalid_password: "The password you entered is incorrect. ",
 
         //nodes:
         login_btn_node: null,
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
                 } else if (result === 'password-expired') {
                     this.set('view', 'reset');
                     val_summary.add_info('login', this.password_expired);
+                } else if (result === 'krbprincipal-expired') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.krbprincipal_expired);
+                } else if (result === 'invalid-password') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.invalid_password);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);

ipalib/errors.py

@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jderose@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty inmsgion
 #
 # This program is free software; you can redistribute it and/or modify
@@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
     """
     errno = 1202
 
+class KrbPrincipalExpired(SessionError):
+    """
+    **1203** Raised when Kerberos Principal is expired.
+    """
+    errno = 1203
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):

ipaserver/rpcserver.py

@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jderose@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             return self.unauthorized(environ, start_response, str(e), 'password-expired')
         except InvalidSessionPassword as e:
             return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+        except KrbPrincipalExpired as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'krbprincipal-expired')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
@@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             if ('kinit: Cannot read password while '
                     'getting initial credentials') in str(e):
                 raise PasswordExpired(principal=principal, message=unicode(e))
+            elif ('kinit: Client\'s entry in database'
+                  ' has expired while getting initial credentials') in str(e):
+                raise KrbPrincipalExpired(principal=principal,
+                                          message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))