Hi All,

Please find the updated patches as per review comments.

On 03/18/2016 07:39 PM, Petr Vobornik wrote:
On 03/18/2016 02:21 PM, Abhijeet Kasurde wrote:
Hi All,

Please review these patches.

Fixes : https://fedorahosted.org/freeipa/ticket/5077

Thanks,
Abhijeet Kasurde


'invalid' is a default and right now is meant for invalid password(not correct, see below). So by reading the patch, it will break the case when user sets invalid password.

Better would be to process kinit output in rpcserver.py:login_password and set e.g: 'krbprincipal-expired' reason.

Then add it to a list of known errors in ipa.js:login_password:498. We should probaly add also 'invalid-password' to the list.

Then do the change as in this patch but only with: 'krbprincipal-expired'.

If 'invalid-password' is added to the list of known errors, then we should change the default error from "The password or username you entered is incorrect. " to e.g.: "Login failed from unknown reason"

Thanks Petr for suggestions.

Thanks,
Abhijeet Kasurde
From 908b71768f1cce792d5111434dbb73c71a4cedc3 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasu...@redhat.com>
Date: Tue, 22 Mar 2016 15:41:36 +0530
Subject: [PATCH] Added fix for notifying user about Kerberos principal
 expiration in WebUI

- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com>
---
 install/ui/src/freeipa/ipa.js                 |  7 +++++--
 install/ui/src/freeipa/widgets/LoginScreen.js | 13 +++++++++++--
 ipalib/errors.py                              |  8 +++++++-
 ipaserver/rpcserver.py                        | 13 +++++++++++--
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 29af4048740894c6d46b5419a941e2a48cd68775..e241ad30ddc7492fd3e21daa051516ef46a93014 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -5,7 +5,7 @@
  *    John Dennis <jden...@redhat.com>
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -495,7 +495,10 @@ IPA.login_password = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired' || reason === 'denied') {
+            if (reason === 'password-expired' ||
+                reason === 'denied' ||
+                reason === 'krbprincipal-expired' ||
+                reason === 'invalid-password') {
                 result = reason;
             }
         }
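Review bot: The accepted reason strings in this condition are now four literals chained with `||`, and the same strings are repeated in rpcserver.py and LoginScreen.js, so a typo in any one place silently falls back to 'invalid'. A membership test against a single list keeps the set in one spot, e.g. `var known = ['password-expired', 'denied', 'krbprincipal-expired', 'invalid-password'];` followed by `if (known.indexOf(reason) !== -1) {`. IPA.login_password starts and ends outside this hunk, and the same hunk appears unchanged in the two later patches in this mail.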
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 17f891e0ee1d200eb4c9aa881dafcac5fc2c86da..a9f70cce7f8bda01efc1b98f88765aff3c17b73c 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -1,7 +1,7 @@
 /*  Authors:
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
                     "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
                     " the browser correctly, then click Login. ",
 
-        form_auth_failed: "The password or username you entered is incorrect. ",
+        form_auth_failed: "Login failed due to an unknown reason. ",
 
         krb_auth_failed: "Authentication with Kerberos failed",
 
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
 
         denied: "Sorry you are not allowed to access this service.",
 
+        krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+        invalid_password: "The password you entered is incorrect. ",
 
         //nodes:
         login_btn_node: null,
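Review bot: The new `krbprincipal_expired` text is missing its article and uses "is expired", and the two added strings disagree on the trailing space (`invalid_password` ends with one, `krbprincipal_expired` does not). Suggested wording: `krbprincipal_expired: "The Kerberos principal you entered has expired.",`. Whether the trailing space matters depends on how val_summary joins messages, which is not visible here. The same applies to this hunk in the two later patches.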
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
                 } else if (result === 'password-expired') {
                     this.set('view', 'reset');
                     val_summary.add_info('login', this.password_expired);
+                } else if (result === 'krbprincipal-expired') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.krbprincipal_expired);
+                } else if (result === 'invalid-password') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.invalid_password);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);
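Review bot: The two added branches are identical to the final `else` apart from the message, so the password clearing and the `add_error` call are now written three times. A small lookup would keep one copy, e.g. `var messages = {'krbprincipal-expired': this.krbprincipal_expired, 'invalid-password': this.invalid_password};` and then `val_summary.add_error('login', messages[result] || this.form_auth_failed);` after a single `password_f.set_value('');`. The if/else chain begins outside this hunk, so the earlier branches would stay as they are. The same hunk appears in the two later patches.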
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 52b770027081448827007d8af00143046d59de0a..c466ea0566a28bf9e15d315eb1b82ce43f6a4d85 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty inmsgion
 #
 # This program is free software; you can redistribute it and/or modify
@@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
     """
     errno = 1202
 
+class KrbPrincipalExpired(SessionError):
+    """
+    **1203** Raised when Kerberos Principal is expired.
+    """
+    errno = 1203
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
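Review bot: The docstring of `KrbPrincipalExpired` does not say who raises it or why it derives from `SessionError` rather than `InvalidSessionPassword`, which is the base of `PasswordExpired` in the hunk header. That choice matters to callers: an `except InvalidSessionPassword` clause will not catch the new error, which is why rpcserver.py needs its own handler in this patch. I would extend the docstring with a sentence such as `Raised by login_password when kinit reports that the client's database entry has expired; not an InvalidSessionPassword, so it must be caught separately.` The same hunk appears in the two later patches.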
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 14796b978f862b95e81b0fe1eaa3d1e81129a665..96f82d5e299b7887dd4af4da0a0db141f556e0bf 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             return self.unauthorized(environ, start_response, str(e), 'password-expired')
         except InvalidSessionPassword as e:
             return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+        except KrbPrincipalExpired as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'krbprincipal-expired')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
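Review bot: The added `except KrbPrincipalExpired` branch returns a distinct 'krbprincipal-expired' reason to a caller that has not authenticated, so the login endpoint now distinguishes an expired principal from other failures. If the KDC reports expiry before it checks the password (worth confirming), any visitor can learn that a given principal exists and has expired, which the previous single "password or username incorrect" message did not reveal. If that trade-off is accepted for ticket 5077, record it next to the handler, e.g. `# Deliberately reveals principal expiry to unauthenticated clients (ticket 5077)`. `str(e)` also forwards the raw kinit text, and what `unauthorized()` does with it is outside this hunk; the same hunk appears in the two later patches.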
@@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             if ('kinit: Cannot read password while '
                     'getting initial credentials') in str(e):
                 raise PasswordExpired(principal=principal, message=unicode(e))
+            elif ('kinit: Client\'s entry in database'
+                  ' has expired while getting initial credentials') in str(e):
+                raise KrbPrincipalExpired(principal=principal,
+                                          message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 
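Review bot: The new `elif` classifies the failure by matching a fragment of kinit's English error text, so it depends on the locale and message catalogue kinit runs under; if the text differs, the error falls through to `InvalidSessionPassword`, which the UI in this patch now renders as "The password you entered is incorrect." The same fall-through presumably catches every other kinit failure too, so that message can appear when the password was not the problem. Consider forcing `LC_ALL=C` for the kinit call if that is not already done (the call is outside this hunk) and naming the matched text as a module constant, e.g. `KINIT_CLIENT_EXPIRED = "kinit: Client's entry in database has expired while getting initial credentials"`. The same hunk appears in the two later patches.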
-- 
2.4.3

From 94df0f8dd984e10724bd9a26a6624682e7cae339 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasu...@redhat.com>
Date: Tue, 22 Mar 2016 16:10:02 +0530
Subject: [PATCH] Added fix for notifying user about Kerberos principal
 expiration in WebUI

- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com>
---
 install/ui/src/freeipa/ipa.js                 |  7 +++++--
 install/ui/src/freeipa/widgets/LoginScreen.js | 13 +++++++++++--
 ipalib/errors.py                              |  8 +++++++-
 ipaserver/rpcserver.py                        | 13 +++++++++++--
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index eaaaaf7fcfaee873d97d96630b72365ecffe6b08..2f279e696332289c5884489262da0da7209dc831 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -5,7 +5,7 @@
  *    John Dennis <jden...@redhat.com>
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -475,7 +475,10 @@ IPA.login_password = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired' || reason === 'denied') {
+            if (reason === 'password-expired' ||
+                reason === 'denied' ||
+                reason === 'krbprincipal-expired' ||
+                reason === 'invalid-password') {
                 result = reason;
             }
         }
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 2c778b50cfb10bfa8eef25c5456c6ce913e02695..24501d707b8921b311beb92f743d582fde7d589d 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -1,7 +1,7 @@
 /*  Authors:
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
                     "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
                     " the browser correctly, then click Login. ",
 
-        form_auth_failed: "The password or username you entered is incorrect. ",
+        form_auth_failed: "Login failed due to an unknown reason. ",
 
         krb_auth_failed: "Authentication with Kerberos failed",
 
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
 
         denied: "Sorry you are not allowed to access this service.",
 
+        krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+        invalid_password: "The password you entered is incorrect. ",
 
         //nodes:
         login_btn_node: null,
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
                 } else if (result === 'password-expired') {
                     this.set('view', 'reset');
                     val_summary.add_info('login', this.password_expired);
+                } else if (result === 'krbprincipal-expired') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.krbprincipal_expired);
+                } else if (result === 'invalid-password') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.invalid_password);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 7e34a879f1d9fad1ed0cbde263cda5cf6d84b7f9..dc5853cb6a9357f1ba27616f54731a0249b296b6 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty inmsgion
 #
 # This program is free software; you can redistribute it and/or modify
@@ -590,6 +590,12 @@ class PasswordExpired(InvalidSessionPassword):
     """
     errno = 1202
 
+class KrbPrincipalExpired(SessionError):
+    """
+    **1203** Raised when Kerberos Principal is expired.
+    """
+    errno = 1203
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index ead830def127492cecda09cb1dc7964c314f2912..ea3e8a33062b9e3957bc29861b0f1580dd676a08 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -41,7 +41,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -946,6 +946,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             return self.unauthorized(environ, start_response, str(e), 'password-expired')
         except InvalidSessionPassword as e:
             return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+        except KrbPrincipalExpired as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'krbprincipal-expired')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
@@ -981,6 +986,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             if ('kinit: Cannot read password while '
                     'getting initial credentials') in str(e):
                 raise PasswordExpired(principal=principal, message=unicode(e))
+            elif ('kinit: Client\'s entry in database'
+                  ' has expired while getting initial credentials') in str(e):
+                raise KrbPrincipalExpired(principal=principal,
+                                          message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 
-- 
2.4.3

From 7b5a16f368ff1bdea8d30e02035117c71042c891 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasu...@redhat.com>
Date: Tue, 22 Mar 2016 16:21:49 +0530
Subject: [PATCH] Added fix for notifying user about Kerberos principal
 expiration in WebUI

- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com>
---
 install/ui/src/freeipa/ipa.js                 |  7 +++++--
 install/ui/src/freeipa/widgets/LoginScreen.js | 13 +++++++++++--
 ipalib/errors.py                              |  8 +++++++-
 ipaserver/rpcserver.py                        | 13 +++++++++++--
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 23efd6916cdaa76973491a5741f0800caa186fee..e682600f80986183afa22c44e82ecefc9e25e8e1 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -5,7 +5,7 @@
  *    John Dennis <jden...@redhat.com>
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -487,7 +487,10 @@ IPA.login_password = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired' || reason === 'denied') {
+            if (reason === 'password-expired' ||
+                reason === 'denied' ||
+                reason === 'krbprincipal-expired' ||
+                reason === 'invalid-password') {
                 result = reason;
             }
         }
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 2c778b50cfb10bfa8eef25c5456c6ce913e02695..24501d707b8921b311beb92f743d582fde7d589d 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -1,7 +1,7 @@
 /*  Authors:
  *    Petr Vobornik <pvobo...@redhat.com>
  *
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
                     "<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
                     " the browser correctly, then click Login. ",
 
-        form_auth_failed: "The password or username you entered is incorrect. ",
+        form_auth_failed: "Login failed due to an unknown reason. ",
 
         krb_auth_failed: "Authentication with Kerberos failed",
 
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
 
         denied: "Sorry you are not allowed to access this service.",
 
+        krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+        invalid_password: "The password you entered is incorrect. ",
 
         //nodes:
         login_btn_node: null,
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
                 } else if (result === 'password-expired') {
                     this.set('view', 'reset');
                     val_summary.add_info('login', this.password_expired);
+                } else if (result === 'krbprincipal-expired') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.krbprincipal_expired);
+                } else if (result === 'invalid-password') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.invalid_password);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index b82d19949df6a648359b33a16455d2b258d5f2d7..1b0231e4093240d1dd26bc2ce63aeebed85e21e7 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty inmsgion
 #
 # This program is free software; you can redistribute it and/or modify
@@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
     """
     errno = 1202
 
+class KrbPrincipalExpired(SessionError):
+    """
+    **1203** Raised when Kerberos Principal is expired.
+    """
+    errno = 1203
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 64620b4cc8f36c4dbfdd681267ffbbff85558bf2..b005bd04c552711570c0f74a03edbe74d08e1b91 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose <jder...@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             return self.unauthorized(environ, start_response, str(e), 'password-expired')
         except InvalidSessionPassword as e:
             return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+        except KrbPrincipalExpired as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'krbprincipal-expired')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
@@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
             if ('kinit: Cannot read password while '
                     'getting initial credentials') in str(e):
                 raise PasswordExpired(principal=principal, message=unicode(e))
+            elif ('kinit: Client\'s entry in database'
+                  ' has expired while getting initial credentials') in str(e):
+                raise KrbPrincipalExpired(principal=principal,
+                                          message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 
-- 
2.4.3
