On 11/14/2012 07:15 PM, Simo Sorce wrote:
On Wed, 2012-11-14 at 19:04 +0100, Petr Vobornik wrote:
This is Web UI part of #3252 which depends on tbabej's python part which
will be send by tbabej later.
When user from other realm than FreeIPA's tries to use Web UI (login via
forms-based auth or with valid trusted realm ticket), he gets an
unauthorized error with X-Ipa-Rejection-Reason=invalid-realm. Web UI
responds with showing login dialog with following error message:
'Invalid realm: Login for users from other realms is not supported.'.
Note: such users are not supported because they don't have a
corresponding entry in LDAP which is needed for ACLs.
https://fedorahosted.org/freeipa/ticket/3252
I am not sure how you can tell the difference between invalid
credentials being returned due to the realm being invalid or because
later on we decided to allow only a subset of user from a realm and so
the real m is valid but the user just do not have access.
I would be more generic and return something like
X-Ipa-Rehjection-Reason=denied and issue a generic message: "sorry you
are not allowed to access this service" or similar.
Simo.
Changed. Updated patch attached.
--
Petr Vobornik
From 0220a5987ee312e9df02079d19095d615c693d8b Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Wed, 14 Nov 2012 09:35:03 +0100
Subject: [PATCH] Better error message for login of users from other realms
When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. Web UI responds with showing login dialog with following error message: 'Sorry you
are not allowed to access this service.'.
Note: such users are not supported because they don't have a corresponding entry in LDAP which is needed for ACLs.
https://fedorahosted.org/freeipa/ticket/3252
denied change
---
install/ui/ipa.js | 35 ++++++++++++++++++++++++++++++-----
install/ui/login.html | 4 ++++
install/ui/login.js | 16 +++++++++-------
3 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index e20d3c08a640c1908c25c5e6f94b11f7622b3522..a33fbfd5e4e066321155f1430c449d5b997551ff 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -399,8 +399,8 @@ IPA.login_password = function(username, password) {
//change result from invalid only if we have a header which we
//understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
}
}
@@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) {
that.password_expired = "Your password has expired. Please enter a new password.";
+ that.denied = "Sorry you are not allowed to access this service.";
+
that.create = function() {
that.session_expired_form();
@@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) {
that.open = function() {
that.dialog_open();
that.show_session_form();
+ that.check_error_reason();
+ };
+
+ that.check_error_reason = function() {
+ if (this.xhr) {
+ var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason");
+ if (reason) {
+ that.show_login_error_message(reason);
+ }
+ }
};
that.on_username_change = function() {
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) {
that.new_password_widget.focus_input();
};
+ that.show_login_error_message = function(reason) {
+ var errors = {
+ 'invalid': that.form_auth_failed,
+ 'denied': that.denied
+ };
+
+ var message = errors[reason];
+
+ if (message) {
+ that.login_error_box.html(message);
+ that.login_error_box.css('display', 'block');
+ }
+ };
+
that.on_login_keyup = function(event) {
if (that.switching) {
@@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) {
if (result === 'success') {
that.on_login_success();
- } else if (result === 'expired') {
+ } else if (result === 'password-expired') {
that.reset_error_box.css('display', 'none');
that.show_reset_form();
} else {
- that.login_error_box.html(that.form_auth_failed);
- that.login_error_box.css('display', 'block');
+ that.show_login_error_message(result);
}
};
diff --git a/install/ui/login.html b/install/ui/login.html
index 69e3dea7f0f09906a7586c745e5df8c326803580..f279f027de0072e861925dbd0da5cbe7d8c64537 100644
--- a/install/ui/login.html
+++ b/install/ui/login.html
@@ -34,6 +34,10 @@
<p>If the problem persists, contact your administrator.</p>
</div>
+ <div id="denied" class="error-box" style="display:none">
+ <p>Sorry you are not allowed to access this service.</p>
+ </div>
+
<form id="login">
<ul>
<li>
diff --git a/install/ui/login.js b/install/ui/login.js
index cd4e72d9567e6f5fef5efdbe3d9aeb0cbac85d08..1fce8ecc58e1ab963fce925a011f63d55df533b4 100644
--- a/install/ui/login.js
+++ b/install/ui/login.js
@@ -35,8 +35,8 @@ LP.login = function(username, password) {
//change result from invalid only if we have a header which we
//understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
}
}
}
@@ -70,12 +70,14 @@ LP.on_submit = function() {
var result = LP.login(username, password);
+ $('.error-box').hide();
+
if (result === 'invalid') {
- $('#expired').css('display', 'none');
- $('#invalid').css('display', 'block');
- } else if (result === 'expired') {
- $('#invalid').css('display', 'none');
- $('#expired').css('display', 'block');
+ $('#invalid').show();
+ } else if (result === 'password-expired') {
+ $('#expired').show();
+ } else if(result === 'denied') {
+ $('#denied').show();
} else {
window.location = '/ipa/ui';
}
--
1.7.11.7
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
