This fixes several problems:
1. The PAM error was being retrieved from the wrong location
2. The error was not always logged properly
3. The error was not propogated up
4. Even if the error had been propgated up the auth_failed
routine failed to pass it to the error page template.
A dictionary is used to translate the PAM errors into something
more consulable. This can be used eventually to translate
into other languages.
https://fedorahosted.org/ipsilon/ticket/69
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
import cherrypy
import subprocess
import cherrypy
import subprocess
+# Translate PAM errors into more human-digestible values and eventually
+# other languages.
+PAM_AUTH_ERRORS = {
+ "Authentication token is no longer valid; new one required":
+ "Password is expired",
+ "Authentication failure":
+ "Authentication failure",
+}
+
class Form(LoginFormBase):
class Form(LoginFormBase):
if not user.is_anonymous:
return self.lm.auth_successful(self.trans, user.name, 'password')
else:
if not user.is_anonymous:
return self.lm.auth_successful(self.trans, user.name, 'password')
else:
- try:
- error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR']
- except KeyError:
- error = "Unknown error using external authentication"
- cherrypy.log.error("Error: %s" % error)
- return self.lm.auth_failed(self.trans)
+ error = cherrypy.request.wsgi_environ.get(
+ 'EXTERNAL_AUTH_ERROR',
+ 'Unknown error using external authentication'
+ )
+ error = PAM_AUTH_ERRORS.get(error, error)
+ cherrypy.log.error("Error: %s" % error)
+ return self.lm.auth_failed(self.trans, error)
class LoginManager(LoginManagerBase):
class LoginManager(LoginManagerBase):
trans.wipe()
raise cherrypy.HTTPRedirect(redirect)
trans.wipe()
raise cherrypy.HTTPRedirect(redirect)
- def auth_failed(self, trans):
+ def auth_failed(self, trans, message=None):
# try with next module
next_login = self.next_login()
if next_login:
# try with next module
next_login = self.next_login()
if next_login:
# destroy session and return error
if 'login_return' not in transdata:
session.logout(None)
# destroy session and return error
if 'login_return' not in transdata:
session.logout(None)
- raise cherrypy.HTTPError(401)
+ raise cherrypy.HTTPError(401, message)
raise cherrypy.HTTPRedirect(transdata['login_return'])
raise cherrypy.HTTPRedirect(transdata['login_return'])