Hi All,

Please review this patch.

Fixes : https://fedorahosted.org/freeipa/ticket/5076

Thanks,
Abhijeet Kasurde
From c921ae88b8497bc4bf47efe1d97fcf9df9907d31 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasu...@redhat.com>
Date: Wed, 20 Apr 2016 11:09:53 +0530
Subject: [PATCH] Added fix for notifying user about locked user account in
 WebUI

User is now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message

Fixes : https://fedorahosted.org/freeipa/ticket/5076

Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com>
---
 install/ui/src/freeipa/ipa.js                 |  3 ++-
 install/ui/src/freeipa/widgets/LoginScreen.js |  5 +++++
 ipalib/errors.py                              |  6 ++++++
 ipaserver/rpcserver.py                        | 12 +++++++++++-
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index e241ad30ddc7492fd3e21daa051516ef46a93014..830def0542faeb14b62b71fb80c753bc121cace7 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -498,7 +498,8 @@ IPA.login_password = function(username, password) {
             if (reason === 'password-expired' ||
                 reason === 'denied' ||
                 reason === 'krbprincipal-expired' ||
-                reason === 'invalid-password') {
+                reason === 'invalid-password' ||
+                reason === 'user-locked') {
                 result = reason;
             }
         }
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index a9f70cce7f8bda01efc1b98f88765aff3c17b73c..56b3888949745e200de91406dddc6f36d5d31bb1 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -71,6 +71,8 @@ define(['dojo/_base/declare',
 
         invalid_password: "The password you entered is incorrect. ",
 
+        user_locked: "The user account you entered is locked. ",
+
         //nodes:
         login_btn_node: null,
         reset_btn_node: null,
@@ -240,6 +242,9 @@ define(['dojo/_base/declare',
                 } else if (result === 'invalid-password') {
                     password_f.set_value('');
                     val_summary.add_error('login', this.invalid_password);
+                } else if (result === 'user-locked') {
+                    password_f.set_value('');
+                    val_summary.add_error('login', this.user_locked);
                 } else {
                     password_f.set_value('');
                     val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 67ed2818f2d6270c6a27fba10783ac9b1958a0f5..52fa25f02e02d1d71c012f32d761b64a838917be 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -607,6 +607,12 @@ class KrbPrincipalExpired(SessionError):
     """
     errno = 1203
 
+class UserLocked(SessionError):
+    """
+    **1204** Raised when a user account is locked.
+    """
+    errno = 1204
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
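Review bot: The docstring added for `UserLocked` says only that "a user account is locked" and does not state which condition the error represents or where it is raised. In this patch the only raise site is the kinit wrapper in ipaserver/rpcserver.py, which maps the "Clients credentials have been revoked" message to it; as far as I know the KDC can report that status for an administratively disabled principal as well as for a failed-login lockout, so "locked" may be narrower than what callers actually see, and that is worth confirming. I would expand the docstring along the lines of `**1204** Raised when the KDC reports the principal's credentials as revoked (account locked out or disabled).` The preceding KrbPrincipalExpired class starts outside the hunk, so I cannot compare against its full docstring.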
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 96f82d5e299b7887dd4af4da0a0db141f556e0bf..df647366925a36117afbc57f03b2fe03460b7676 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-    ExecutionError, PasswordExpired, KrbPrincipalExpired)
+    ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
     json_encode_binary, json_decode_binary)
@@ -954,6 +954,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
                                      start_response,
                                      str(e),
                                      'krbprincipal-expired')
+        except UserLocked as e:
+            return self.unauthorized(environ,
+                                     start_response,
+                                     str(e),
+                                     'user-locked')
 
         return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
 
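Review bot: The new `except UserLocked` branch returns the distinct reason `'user-locked'` from the password-login endpoint, so a caller who has not authenticated can now learn that a given account exists and is currently locked. The lock check is presumably made by the KDC before the password is verified, which would mean a wrong password gets the same answer; the earlier generic "password or username incorrect" reply did not expose that state. If this disclosure is the accepted trade-off for ticket 5076, record it at the handler, e.g. `# NOTE: deliberately reveals lock state to unauthenticated clients (ticket 5076)`, and check whether `str(e)`, which appears to carry the raw kinit text, needs to be sent in the response at all. The enclosing method starts outside the hunk.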
@@ -993,9 +998,14 @@ class login_password(Backend, KerberosSession, HTTP_Status):
                   ' has expired while getting initial credentials') in str(e):
                 raise KrbPrincipalExpired(principal=principal,
                                           message=unicode(e))
+            elif ('kinit: Clients credentials have been revoked '
+                  'while getting initial credentials') in str(e):
+                raise UserLocked(principal=principal,
+                                 message=unicode(e))
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 
+
 class change_password(Backend, HTTP_Status):
 
     content_type = 'text/plain'
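Review bot: The added `elif` recognises a locked account by matching the English stderr text of kinit, `'kinit: Clients credentials have been revoked while getting initial credentials'`, so it silently falls through to InvalidSessionPassword if kinit runs under another locale or the krb5 wording changes. The neighbouring branch uses the same technique, so at minimum the string should become a named constant, e.g. `KINIT_REVOKED_MSG = 'kinit: Clients credentials have been revoked while getting initial credentials'`, with a comment stating that the kinit call must run with a fixed locale (whether it does is not visible in this hunk). The extra blank line added before `class change_password` is unrelated whitespace and could be dropped from the patch. The enclosing method starts outside the hunk.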
-- 
2.4.11
