From dd3ea36d47bbbbd01a87487c8da765496d753a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= <aurelien@bompard.org>
Date: Fri, 7 May 2021 09:54:28 +0200
Subject: [PATCH] Properly error out when we can't login to IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
---
 ipsilon/providers/openid/extensions/api.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipsilon/providers/openid/extensions/api.py b/ipsilon/providers/openid/extensions/api.py
index 6919253..326e3e9 100644
--- a/ipsilon/providers/openid/extensions/api.py
+++ b/ipsilon/providers/openid/extensions/api.py
@@ -3,6 +3,7 @@
 from __future__ import absolute_import
 
 from python_freeipa.client_meta import ClientMeta as IPAClient
+from python_freeipa.exceptions import InvalidSessionPassword
 
 from ipsilon.providers.openid.extensions.common import OpenidExtensionBase
 import ipsilon.root
@@ -89,7 +90,13 @@ class APIV1Page(Page):
         ipa_config.read("/etc/ipa/default.conf")
         ipa_server = ipa_config.get("global", "server", fallback=None)
         ipa = IPAClient(ipa_server, verify_ssl="/etc/ipa/ca.crt")
-        auth = ipa.login(username, password)
+        try:
+            auth = ipa.login(username, password)
+        except InvalidSessionPassword:
+            print('Could not authenticate %s to IPA' % username)
+            return {'success': False,
+                    'status': 400,
+                    'message': 'Authentication failed'}
         if auth and auth.logged_in:
             user = ipa.user_find(whoami=True)["result"][0]
             userdata = {