Added fix for notifying user about locked user account in WebUI

User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message

Fixes : https://fedorahosted.org/freeipa/ticket/5076

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>

install/ui/src/freeipa/ipa.js

@@ -498,7 +498,8 @@ IPA.login_password = function(username, password) {
             if (reason === 'password-expired' ||
                 reason === 'denied' ||
                 reason === 'krbprincipal-expired' ||
-                reason === 'invalid-password') {
+                reason === 'invalid-password' ||
+                reason === 'user-locked') {
                 result = reason;
             }
         }

install/ui/src/freeipa/widgets/LoginScreen.js

@@ -71,6 +71,8 @@ define(['dojo/_base/declare',
 
         invalid_password: "The password you entered is incorrect. ",
 
+        user_locked: "The user account you entered is locked. ",
+
         //nodes:
         login_btn_node: null,
         reset_btn_node: null,
@@ -240,6 +242,9 @@ define(['dojo/_base/declare',
                 } else if (result === 'invalid-password') {
                     password_f.set_value('');
                     val_summary.add_error('login', this.invalid_password);
+                } else if (result === 'user-locked') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.user_locked);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);

ipalib/errors.py

@@ -607,6 +607,12 @@ class KrbPrincipalExpired(SessionError):
     """
     errno = 1203
 
+class UserLocked(SessionError):
+    """
+    **1204** Raised when a user account is locked.
+    """
+    errno = 1204
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):

ipaserver/rpcserver.py

@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired, KrbPrincipalExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -954,6 +954,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
                                      start_response,
                                      str(e),
                                      'krbprincipal-expired')
+        except UserLocked as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'user-locked')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
@@ -993,9 +998,14 @@ class login_password(Backend, KerberosSession, HTTP_Status):
                   ' has expired while getting initial credentials') in str(e):
                 raise KrbPrincipalExpired(principal=principal,
                                           message=unicode(e))
+            elif ('kinit: Clients credentials have been revoked '
+                  'while getting initial credentials') in str(e):
+                raise UserLocked(principal=principal,
+                                 message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 
+
 class change_password(Backend, HTTP_Status):
 
     content_type = 'text/plain'