Bug 1157773

Summary: No password change url on login failure when password expires
Product: [Retired] oVirt
Reporter: Pan Liyang <plysab>
Component: ovirt-engine-core
Assignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondra Machacek <omachace>
Severity: unspecified
Priority: unspecified
Version: 3.5
CC: alonbl, awels, bugs, ecohen, gklein, gshereme, lsurette, oourfali, rbalakri, yeylon, ylavi
Target Milestone: ---
Target Release: 3.5.4
Hardware: x86_64
OS: Linux
Whiteboard: ux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-09-03 13:54:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: UX
Cloudforms Team: ---

Description Pan Liyang 2014-10-27 16:38:12 UTC
Description of problem:
No password change url on login failure when password expires

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup engine
2. configure an AD domain
3. run engine-manage-domains edit --domain=[domain] --provider=ad --user=[user]@[domain] --change-password-msg=youpasswordneedotbereset
4. restart engine
5. add new user with expired password in ad
6. login with the newly created user

Actual results:
login screen says: Cannot Login. User Password has expired. Use the following URL to change the password:

Expected results:
login screen says: Cannot Login. User Password has expired. Use the following URL to change the password: youpasswordneedotbereset

Additional info:


# engine-manage-domains edit --domain=[domain] --provider=ad --user=[user]@[domain] --change-password-msg=youpasswordneedotbereset
Enter password:
Please enter message or URL to appear when user tries to login with an expired password (Not providing a value will cause the existing value to be reset):youpasswordneedotbereset
The domain [domain] has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully


# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

# rpm -qa |grep ovirt-engine

Comment 1 Einav Cohen 2014-10-28 15:36:30 UTC
adding gshereme to CC list, just in case some assistance will be needed to display the URL properly within the newly-styled login page (not sure what the exact problem is though, so it may not be related at all).

Comment 2 Mooli Tayer 2014-11-26 11:55:34 UTC
1.) This bug reproduces for me.
2.) I've confirmed that the change password URL is:
    * stored in db
    * returned by aaa builtin extension to bll.
    * returned from bll
    * returns to the browser:
function Jae$(_0,_1){_0.c=_1;return _0}function Xqb$(_0){return L7(Xqb,{292:1,300:1,316:1},0,_0)}function bti$(_0,_1,_2,_3,_4){_0.b=_1;_0.c=_3;return _0}return [(_._3=jAg(Jae$(_._4=new (kaf(Xhb)),Xqb$([0,(_._0=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([4,"USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED","$URL ","USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED","$MSG Hay, Bye."])),_._0),_._0),0,0,null,"",(_._1=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._1),_._1),(_._2=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._2),_._2),1,bti$(new (kaf(BDb)),(Vsi(),Hli),null,"ENGINE",null),(Llg(),Hlg)]))),iAg(_._4,_._3),_._3)];

The message here is "Hay, Bye."

Greg could you take a look (per comment 1)?

Comment 3 Oved Ourfali 2014-12-07 13:00:05 UTC
Per comment #2 moving to UX, and removing the needinfo.

Comment 4 Einav Cohen 2015-02-18 14:35:39 UTC
reassigning to Alexander.

Comment 5 Alexander Wels 2015-02-26 15:38:01 UTC
So I investigated this a little bit and it appears the following is happening.

There are 2 options one can pass:

--change-password-msg: This is an additional message besides the URL.
--change-password-url: This is the URL to display in the reported message.

When the password is expired the backend passes 2 failure messages into the result object: the change password URL message, with the URL substituted from the above --change-password-url option, and 'Cannot login. User Password has expired. Detailed message: $MSG', with $MSG substituted from --change-password-msg.

Since the first commit the LoginModel has always obtained the first message (The URL one in this case) and displayed that. The second message has always been ignored.

There has been a lot of work on the authentication side of things recently and it looks like the order of the messages was reversed before. So the first error message was the one associated with --change-password-msg and the second one with --change-password-url. So the url message was silently ignored.

However in the current state the order switched, so now the url is first and the msg is the one ignored. It also appears there is a bug in the backend that doesn't skip adding the url/msg if they are blank (it only skips them when they are null).

I will do the following:
1. Fix the backend to also check for blank urls or msgs.
2. Fix the LoginModel to allow multiple error messages.
3. Fix the display to properly format and show all messages.
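
As an added illustration (not the oVirt engine's own Java code), a model of the two-message flow described above: the backend builds the failure list with either a null-only or a blank check, and the login model shows either the first message or all of them. It assumes the engine-manage-domains run from the description stored the unset URL as an empty string rather than null, and the message templates are constructed from the text quoted in this bug.

```python
"""Model of the expired-password login failure path described in comment 5.

Added illustration, not oVirt's own Java code: a backend that attaches up
to two failure messages (URL and detailed message) and a login model that
keeps only the first message (the bug) or all of them (the fix).
Message templates are constructed to mirror the text quoted in this bug.
"""
from typing import Callable, List, Optional

URL_TEMPLATE = ("Cannot Login. User Password has expired. "
                "Use the following URL to change the password: $URL")
MSG_TEMPLATE = "Cannot login. User Password has expired. Detailed message: $MSG"


def is_blank(value: Optional[str]) -> bool:
    """Blank check the fix adds: None, empty, or whitespace-only all count."""
    return value is None or value.strip() == ""


def expired_password_messages(change_url: Optional[str],
                              change_msg: Optional[str],
                              fixed: bool = True) -> List[str]:
    """Backend side: build the failure messages for an expired password.

    Before the fix only a null value was skipped, so an empty URL (assumed
    here to be what an unset --change-password-url leaves in the db) still
    produced the URL message with nothing after the colon.
    """
    skip: Callable[[Optional[str]], bool] = (
        is_blank if fixed else (lambda v: v is None))
    messages: List[str] = []
    if not skip(change_url):
        messages.append(URL_TEMPLATE.replace("$URL", str(change_url)))
    if not skip(change_msg):
        messages.append(MSG_TEMPLATE.replace("$MSG", str(change_msg)))
    return messages


def login_model_display(messages: List[str], fixed: bool = True) -> str:
    """Frontend side: the LoginModel used to take only the first message."""
    if not messages:
        return ""
    return "\n".join(messages) if fixed else messages[0]


def login_failure_text(change_url: Optional[str], change_msg: Optional[str],
                       fixed: bool = True) -> str:
    """What the login screen shows for a given domain configuration."""
    return login_model_display(
        expired_password_messages(change_url, change_msg, fixed), fixed)
```

With fixed=False and only the message configured, the result is exactly the empty "Use the following URL to change the password:" line from the report; with fixed=True the detailed message is shown instead.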

Comment 6 Yaniv Lavi 2015-03-12 14:38:06 UTC
Is there an option to set change-password-msg in the new AAA method?

Comment 7 Alon Bar-Lev 2015-03-12 16:42:31 UTC
(In reply to Yaniv Dary from comment #6)
> Is there an option to set change-password-msg in the new AAA method?

This is extension-specific.

in case of ldap see [1] look for:
 * config.authn.credentials-change.url
 * config.authn.credentials-change.message

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l296

Comment 8 Yaniv Lavi 2015-03-16 07:48:12 UTC
When testing this please make sure the message works with the options listed in comment #7 as well.

Comment 9 Einav Cohen 2015-03-30 14:23:26 UTC
Alexander, did you make sure that the fix is working well for the new AAA stuff as well?

Comment 10 Alexander Wels 2015-03-30 18:02:21 UTC
Yes this will work with the new AAA, that was actually what exposed the existing issue.

Comment 11 Einav Cohen 2015-04-20 14:09:38 UTC
moving back to POST. 
@Alexander - this needs a backport to ovirt-engine-3.5.

Comment 12 Einav Cohen 2015-04-27 14:19:10 UTC
pushing TR to 3.5.4, so no need to cherry-pick the fix to the 'ovirt-engine-3.5.3' branch. Once 'ovirt-engine-3.5' is merge - please move the BZ to MODIFIED.

Comment 13 Einav Cohen 2015-04-27 14:20:21 UTC
(In reply to Einav Cohen from comment #12)
> Once 'ovirt-engine-3.5' is merge

Once *the* 'ovirt-engine-3.5' *patch* is *merged*

Comment 14 Sandro Bonazzola 2015-07-02 06:51:31 UTC
Since oVirt 3.5.4 RC1 has been released, please ensure that the fix is included in the build and move the bug to ON_QA accordingly.

Comment 15 Ondra Machacek 2015-07-07 09:15:19 UTC
Works fine in vt16.1 for both legacy and new AAA.

Comment 16 Sandro Bonazzola 2015-09-03 13:54:57 UTC
This is an automated message.
oVirt 3.5.4 has been released on September 3rd 2015 and should include the fix for this BZ. Moving to closed current release.