User is notified that password needs to be reset in forms-based login

Forms-based login procedure detects if 401 unauthorized response contains
'X-IPA-Rejection-Reason' http header with 'password-expired' value. If so
it displays an error message that user needs to reset his password.

https://fedorahosted.org/freeipa/ticket/2608

install/ui/ipa.js

@@ -359,10 +359,23 @@ IPA.logout = function() {
 
 IPA.login_password = function(username, password) {
 
-    var success = false;
+    var result = 'invalid';
 
     function success_handler(data, text_status, xhr) {
-        success = true;
+        result = 'success';
+    }
+
+    function error_handler(xhr, text_status, error_thrown) {
+
+        if (xhr.status === 401) {
+            var reason = xhr.getResponseHeader("X-IPA-Rejection-Reason");
+
+            //change result from invalid only if we have a header which we
+            //understand
+            if (reason === 'password-expired') {
+                result = 'expired';
+            }
+        }
     }
 
     var data = {
@@ -378,14 +391,15 @@ IPA.login_password = function(username, password) {
         dataType: 'html',
         async: false,
         type: 'POST',
-        success: success_handler
+        success: success_handler,
+        error: error_handler
     };
 
     IPA.display_activity_icon();
     $.ajax(request);
     IPA.hide_activity_icon();
 
-    return success;
+    return result;
 };
 
 /**
@@ -1340,6 +1354,10 @@ IPA.unauthorized_dialog = function(spec) {
                 "Please try again (make sure your caps lock is off).</p>" +
                 "<p>If the problem persists, contact your administrator.</p>";
 
+    that.password_expired = "<p><strong>Password expired</strong></p>" +
+                "<p>Please run kinit to reset the password and then try to login again.</p>" +
+                "<p>If the problem persists, contact your administrator.</p>";
+
     that.create = function() {
 
         that.krb_message_contatiner = $('<div\>').appendTo(that.container);
@@ -1482,13 +1500,17 @@ IPA.unauthorized_dialog = function(spec) {
 
         IPA.display_activity_icon();
 
-        var success = IPA.login_password(record.username[0], record.password[0]);
+        var result = IPA.login_password(record.username[0], record.password[0]);
 
         IPA.hide_activity_icon();
 
-        if (success) {
+        if (result === 'success') {
             that.on_login_success();
-        } else {
+        } else if (result === 'expired') {
+            that.error_box.html(that.password_expired);
+            that.error_box.css('display', 'block');
+        }else {
+            that.error_box.html(that.form_auth_failed);
             that.error_box.css('display', 'block');
         }
     };

install/ui/login.html

@@ -21,12 +21,19 @@
 
         <div id="formwindow">
             <h2>Login</h2>
-            <div id="error-box" style="display:none">
+
+            <div id="invalid" class="error-box" style="display:none">
                 <p><strong>Please re-enter your username or password</strong></p>
                 <p>The password or username you entered is incorrect. Please try again (make sure your caps lock is off).</p>
                 <p>If the problem persists, contact your administrator.</p>
             </div>
 
+            <div id="expired" class="error-box" style="display:none">
+                <p><strong>Password expired</strong></p>
+                <p>Please run kinit to reset the password and then try to login again.</p>
+                <p>If the problem persists, contact your administrator.</p>
+            </div>
+
             <form id="login">
                 <ul>
                     <li>

install/ui/login.js

@@ -22,10 +22,23 @@ var LP = {}; //Login Page
 
 LP.login = function(username, password) {
 
-    var success = false;
+    var result = 'invalid';
 
     function success_handler(data, text_status, xhr) {
-        success = true;
+        result = 'success';
+    }
+
+    function error_handler(xhr, text_status, error_thrown) {
+
+        if (xhr.status === 401) {
+            var reason = xhr.getResponseHeader("X-IPA-Rejection-Reason");
+
+            //change result from invalid only if we have a header which we
+            //understand
+            if (reason === 'password-expired') {
+                result = 'expired';
+            }
+        }
     }
 
     var data = {
@@ -36,14 +49,18 @@ LP.login = function(username, password) {
     var request = {
         url: '/ipa/session/login_password',
         data: data,
+        contentType: 'application/x-www-form-urlencoded',
+        processData: true,
+        dataType: 'html',
         async: false,
-        type: "POST",
+        type: 'POST',
-        success: success_handler
+        success: success_handler,
+        error: error_handler
     };
 
     $.ajax(request);
 
-    return success;
+    return result;
 };
 
 LP.on_submit = function() {
@@ -51,10 +68,14 @@ LP.on_submit = function() {
     var username = $('input[name=username]', LP.form).val();
     var password = $('input[name=password]', LP.form).val();
 
-    var success = LP.login(username, password);
+    var result = LP.login(username, password);
 
-    if (!success) {
+    if (result === 'invalid') {
-        $('#error-box').css('display', 'block');
+        $('#expired').css('display', 'none');
+        $('#invalid').css('display', 'block');
+    } else if (result === 'expired') {
+        $('#invalid').css('display', 'none');
+        $('#expired').css('display', 'block');
     } else {
         window.location = '/ipa/ui';
     }