On 11/14/2012 07:15 PM, Simo Sorce wrote:
On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
This is the Web UI part of #3252 which depends on tbabej's python part which
will be sent by tbabej later.

When a user from a realm other than FreeIPA's tries to use the Web UI (login via
forms-based auth or with a valid trusted realm ticket), he gets an
unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. The Web UI
responds by showing the login dialog with the following error message:
'Invalid realm: Login for users from other realms is not supported.'

Note: such users are not supported because they don't have a
corresponding entry in LDAP, which is needed for ACLs.

https://fedorahosted.org/freeipa/ticket/3252

I am not sure how you can tell the difference between invalid
credentials being returned due to the realm being invalid or because
later on we decided to allow only a subset of users from a realm, so
the realm is valid but the user just does not have access.

I would be more generic and return something like
X-Ipa-Rejection-Reason=denied and issue a generic message: "Sorry, you
are not allowed to access this service" or similar.

Simo.

Changed. Updated patch attached.
--
Petr Vobornik
From 0220a5987ee312e9df02079d19095d615c693d8b Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 14 Nov 2012 09:35:03 +0100
Subject: [PATCH] Better error message for login of users from other realms

When a user from a realm other than FreeIPA's tries to use the Web UI (login via forms-based auth or with a valid trusted realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. The Web UI responds by showing the login dialog with the following error message: 'Sorry you are not allowed to access this service.'

Note: such users are not supported because they don't have a corresponding entry in LDAP, which is needed for ACLs.

https://fedorahosted.org/freeipa/ticket/3252

denied change
---
 install/ui/ipa.js     | 35 ++++++++++++++++++++++++++++++-----
 install/ui/login.html |  4 ++++
 install/ui/login.js   | 16 +++++++++-------
 3 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index e20d3c08a640c1908c25c5e6f94b11f7622b3522..a33fbfd5e4e066321155f1430c449d5b997551ff 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -399,8 +399,8 @@ IPA.login_password = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired') {
-                result = 'expired';
+            if (reason === 'password-expired' || reason === 'denied') {
+                result = reason;
             }
         }
 
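Review bot: the result token changes from the internal name 'expired' to the raw header value 'password-expired', so any caller of IPA.login_password that still compares against 'expired' now falls into the generic failure branch; the call site in this file is updated further down, but other consumers should be grepped before merging. Assigning `result = reason` is safe only because the condition on the line above whitelists the two values; keep that check when more reasons are added rather than assigning the header verbatim.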
@@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) {
 
     that.password_expired = "Your password has expired. Please enter a new password.";
 
+    that.denied = "Sorry you are not allowed to access this service.";
+
     that.create = function() {
 
         that.session_expired_form();
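Review bot: punctuation nit in the new string: "Sorry, you are not allowed to access this service." The same literal is repeated in login.html's new #denied box in this patch, so the two copies have to be kept in sync by hand; fix the comma in both or source the text from one place.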
@@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) {
     that.open = function() {
         that.dialog_open();
         that.show_session_form();
+        that.check_error_reason();
+    };
+
+    that.check_error_reason = function() {
+        if (this.xhr) {
+            var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason");
+            if (reason) {
+                that.show_login_error_message(reason);
+            }
+        }
     };
 
     that.on_username_change = function() {
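Review bot: check_error_reason reads `this.xhr` while every other method on this object goes through the `that` closure; it works when called as `that.check_error_reason()` from open(), but breaks silently if the function is ever handed over as a callback. Use `that.xhr`. Also, the header is spelled X-IPA-Rejection-Reason here and X-Ipa-Rejection-Reason in the commit message; getResponseHeader matches case-insensitively so this is cosmetic, but one spelling is easier to grep for.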
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) {
         that.new_password_widget.focus_input();
     };
 
+    that.show_login_error_message = function(reason) {
+        var errors = {
+            'invalid': that.form_auth_failed,
+            'denied': that.denied
+        };
+
+        var message = errors[reason];
+
+        if (message) {
+            that.login_error_box.html(message);
+            that.login_error_box.css('display', 'block');
+        }
+    };
+
     that.on_login_keyup = function(event) {
 
         if (that.switching) {
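Review bot: `errors[reason]` is a plain-object lookup, so a reason string naming an inherited property (e.g. 'constructor' or 'toString') resolves to a function, which is truthy and would be passed to .html(). check_error_reason feeds the header value in unfiltered, so guard with `Object.prototype.hasOwnProperty.call(errors, reason)` before using the result. The message strings themselves are constants, so the header value never reaches the DOM as markup; the guard is about not calling the wrong thing.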
@@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) {
 
         if (result === 'success') {
             that.on_login_success();
-        } else if (result === 'expired') {
+        } else if (result === 'password-expired') {
             that.reset_error_box.css('display', 'none');
             that.show_reset_form();
         } else {
-            that.login_error_box.html(that.form_auth_failed);
-            that.login_error_box.css('display', 'block');
+            that.show_login_error_message(result);
         }
     };
 
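Review bot: the old else branch always displayed form_auth_failed; after this change it shows nothing when `result` is a value show_login_error_message does not map (anything other than 'invalid' or 'denied'). Either make sure login_password can only return those tokens here, or give show_login_error_message a fallback to that.form_auth_failed for unknown values so a failed login never leaves the dialog without feedback.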
diff --git a/install/ui/login.html b/install/ui/login.html
index 69e3dea7f0f09906a7586c745e5df8c326803580..f279f027de0072e861925dbd0da5cbe7d8c64537 100644
--- a/install/ui/login.html
+++ b/install/ui/login.html
@@ -34,6 +34,10 @@
                 <p>If the problem persists, contact your administrator.</p>
             </div>
 
+            <div id="denied" class="error-box" style="display:none">
+                <p>Sorry you are not allowed to access this service.</p>
+            </div>
+
             <form id="login">
                 <ul>
                     <li>
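Review bot: this box is only hidden by the new `$('.error-box').hide()` in login.js if the existing #invalid and #expired divs also carry class="error-box"; the context here shows just a closing </div>, so verify both have the class, otherwise a stale expired/invalid message stays visible next to the new one. Same comma nit as in ipa.js: "Sorry, you are not allowed to access this service."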
diff --git a/install/ui/login.js b/install/ui/login.js
index cd4e72d9567e6f5fef5efdbe3d9aeb0cbac85d08..1fce8ecc58e1ab963fce925a011f63d55df533b4 100644
--- a/install/ui/login.js
+++ b/install/ui/login.js
@@ -35,8 +35,8 @@ LP.login = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired') {
-                result = 'expired';
+            if (reason === 'password-expired' || reason === 'denied') {
+                result = reason;
             }
         }
     }
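Review bot: this is the same whitelist as in IPA.login_password in ipa.js; the set of rejection reasons the client understands now lives in two files and will drift the next time a reason is added. Consider one shared list, or at minimum a comment in each place pointing at the other.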
@@ -70,12 +70,14 @@ LP.on_submit = function() {
 
     var result = LP.login(username, password);
 
+    $('.error-box').hide();
+
     if (result === 'invalid') {
-        $('#expired').css('display', 'none');
-        $('#invalid').css('display', 'block');
-    } else if (result === 'expired') {
-        $('#invalid').css('display', 'none');
-        $('#expired').css('display', 'block');
+        $('#invalid').show();
+    } else if (result === 'password-expired') {
+        $('#expired').show();
+    } else if(result === 'denied') {
+        $('#denied').show();
     } else {
         window.location = '/ipa/ui';
     }
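Review bot: style: `else if(result === 'denied')` is missing the space after `if` that the neighbouring branches use. Otherwise the restructuring is right: hiding every .error-box first and then showing one replaces the pairwise hide/show the old code needed, and 'denied' no longer falls through to the redirect.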
-- 
1.7.11.7
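As an added example, not part of this patch or of the FreeIPA code base, here is the classification the Web UI performs on the 401 response written in plain JavaScript without jQuery: the header value is matched against a whitelist, anything unrecognised collapses to the generic 'invalid' result, and message lookup uses an own-property check so a header value can never resolve to an inherited object property. The function and constant names, the sample responses and the 'invalid' message text are assumptions; the real UI's strings are the ones in the patch.

```javascript
// Added example, not FreeIPA code. Function and constant names are assumptions.

// Rejection reasons the client understands; any other header value is treated
// as a plain failed login rather than echoed into the UI state.
const KNOWN_REASONS = new Set(['password-expired', 'denied']);

// Messages keyed by result token. 'denied' is deliberately generic: it does
// not reveal whether the realm is unknown or the user is merely not allowed.
const REASON_MESSAGES = {
  'invalid': 'The password or username you entered is incorrect.',
  'denied': 'Sorry, you are not allowed to access this service.',
  'password-expired': 'Your password has expired. Please enter a new password.',
};

// HTTP header names are case-insensitive, so compare lower-cased keys.
// `headers` is a plain object, e.g. one built from xhr.getAllResponseHeaders().
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) {
      return headers[key];
    }
  }
  return null;
}

// Map an HTTP status and headers to one of 'success', 'password-expired',
// 'denied' or 'invalid'. Only whitelisted header values refine 'invalid'.
function classifyLoginResponse(status, headers) {
  if (status === 200) {
    return 'success';
  }
  if (status !== 401) {
    return 'invalid';
  }
  const reason = getHeader(headers, 'X-Ipa-Rejection-Reason');
  if (reason !== null && KNOWN_REASONS.has(reason.trim())) {
    return reason.trim();
  }
  return 'invalid';
}

// Text to display. Own-property check: a token such as 'constructor' must not
// resolve to Object.prototype.constructor; unknown tokens get the generic text.
function messageFor(result) {
  if (Object.prototype.hasOwnProperty.call(REASON_MESSAGES, result)) {
    return REASON_MESSAGES[result];
  }
  return REASON_MESSAGES['invalid'];
}

// Constructed sample responses standing in for what the server would send.
const SAMPLE_RESPONSES = [
  { status: 200, headers: {} },
  { status: 401, headers: { 'X-Ipa-Rejection-Reason': 'password-expired' } },
  { status: 401, headers: { 'x-ipa-rejection-reason': 'denied' } },
  { status: 401, headers: { 'X-Ipa-Rejection-Reason': 'invalid-realm' } }, // the pre-review value
  { status: 401, headers: {} },
  { status: 401, headers: { 'X-Ipa-Rejection-Reason': 'constructor' } },
];

// Classify every sample and attach the message the dialog would show.
function classifyAll(responses) {
  return responses.map((r) => {
    const result = classifyLoginResponse(r.status, r.headers);
    return { result, message: result === 'success' ? null : messageFor(result) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyAll(SAMPLE_RESPONSES));
}
```

The point of routing every unknown value to 'invalid' is the one Simo raises: the client should not grow a vocabulary of reasons that reveals more than "this login did not work", and the server-side 'denied' token stays generic whether the cause is an unknown realm or a user outside an allowed subset.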

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
