Use DNS to list the IPA servers

deployment/noggin.cfg.example

@@ -3,7 +3,7 @@
 TEMPLATES_AUTO_RELOAD = True
 
 # IPA settings
-FREEIPA_SERVERS = ['ipa.noggin.test']
+FREEIPA_DOMAIN = 'tinystage.test'
 FREEIPA_CACERT = '/etc/ipa/ca.crt'
 
 # Any user with admin privileges

devel/ansible/roles/noggin/templates/noggin.cfg

@@ -1,7 +1,7 @@
 TEMPLATES_AUTO_RELOAD = True
 
 # IPA settings
-FREEIPA_SERVERS = ['ipa.{{ ansible_domain }}']
+FREEIPA_DOMAIN = '{{ ansible_domain }}'
 FREEIPA_CACERT = '/etc/ipa/ca.crt'
 
 # Any user with admin privileges

devel/create-test-data.py

@@ -13,7 +13,7 @@
 fake = Faker()
 fake.seed_instance(0)
 
-ipa_server = "ipa.noggin.test"
+ipa_server = "ipa.tinystage.test"
 ipa_user = "admin"
 ipa_pw = "password"
 ipa = Client(host=ipa_server, verify_ssl=False)

news/1357.feature

@@ -0,0 +1 @@
+Use DNS to list the IPA servers

noggin/controller/authentication.py

@@ -11,7 +11,7 @@
 from flask_babel import _
 
 from noggin.form.sync_token import SyncTokenForm
-from noggin.security.ipa import maybe_ipa_login, untouched_ipa_client
+from noggin.security.ipa import NoIPAServer, maybe_ipa_login, untouched_ipa_client
 from noggin.utility.forms import FormError, handle_form_errors
 
 from . import blueprint as bp
@@ -82,5 +82,7 @@ def otp_sync():
                     f'{form.username}: {e}'
                 )
                 raise FormError("non_field_errors", e.message)
+            except NoIPAServer:
+                raise FormError("non_field_errors", _("No IPA server available"))
 
     return render_template('sync-token.html', sync_form=form)

noggin/controller/password.py

@@ -25,7 +25,7 @@
     PasswordResetForm,
 )
 from noggin.representation.user import User
-from noggin.security.ipa import maybe_ipa_session, untouched_ipa_client
+from noggin.security.ipa import NoIPAServer, maybe_ipa_session, untouched_ipa_client
 from noggin.utility import messaging
 from noggin.utility.controllers import require_self, user_or_404, with_ipa
 from noggin.utility.forms import FormError, handle_form_errors
@@ -38,7 +38,10 @@
 
 def _validate_change_pw_form(form, username, ipa=None):
     if ipa is None:
-        ipa = untouched_ipa_client(current_app, session)
+        try:
+            ipa = untouched_ipa_client(current_app, session)
+        except NoIPAServer:
+            raise FormError("non_field_errors", _("No IPA server available"))
 
     current_password = form.current_password.data
     password = form.password.data
@@ -87,9 +90,10 @@ def password_reset():
     form = PasswordResetForm()
 
     if form.validate_on_submit():
-        res = _validate_change_pw_form(form, username)
-        if res and res.ok:
-            return redirect(url_for('.root'))
+        with handle_form_errors(form):
+            res = _validate_change_pw_form(form, username)
+            if res and res.ok:
+                return redirect(url_for('.root'))
 
     return render_template(
         'password-reset.html', password_reset_form=form, username=username
@@ -110,9 +114,10 @@ def user_settings_password(ipa, username):
         form.current_password.description = ""
 
     if form.validate_on_submit():
-        res = _validate_change_pw_form(form, username, ipa)
-        if res and res.ok:
-            return redirect(url_for('.root'))
+        with handle_form_errors(form):
+            res = _validate_change_pw_form(form, username, ipa)
+            if res and res.ok:
+                return redirect(url_for('.root'))
 
     return render_template(
         'user-settings-password.html',
@@ -281,6 +286,8 @@ def forgot_password_change():
             form.non_field_errors.errors.append(
                 _('Could not change password, please try again.')
             )
+        except NoIPAServer:
+            form.non_field_errors.errors.append(_("No IPA server available"))
         else:
             lock.delete()
             flash(_('Your password has been changed.'), 'success')

noggin/controller/registration.py

@@ -27,7 +27,7 @@
 )
 from noggin.l10n import guess_locale
 from noggin.representation.user import User
-from noggin.security.ipa import maybe_ipa_login, untouched_ipa_client
+from noggin.security.ipa import NoIPAServer, maybe_ipa_login, untouched_ipa_client
 from noggin.signals import stageuser_created, user_registered
 from noggin.utility.controllers import with_ipa
 from noggin.utility.forms import FormError, handle_form_errors
@@ -300,6 +300,8 @@ def activate_account():
                     'warning',
                 )
                 return redirect(url_for(".root"))
+            except NoIPAServer:
+                raise FormError("non_field_errors", _("No IPA server available"))
 
             # Try to log them in directly, so they don't have to type their password again.
             try:

noggin/defaults.py

@@ -1,8 +1,11 @@
 # This file contains the default configuration values
+import socket
+
 
 TEMPLATES_AUTO_RELOAD = False
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SECURE = True
+FREEIPA_DOMAIN = ".".join(socket.getfqdn().split('.')[1:])
 USER_DEFAULTS = {
     "locale": "en-US",
     "timezone": "UTC",

noggin/security/ipa.py

@@ -1,6 +1,5 @@
-import random
-
 import python_freeipa
+import srvlookup
 from cryptography.fernet import Fernet
 from python_freeipa.client_meta import ClientMeta as IPAClient
 from python_freeipa.exceptions import BadRequest, ValidationError
@@ -112,6 +111,12 @@ def fasagreement_disable(self, agreement, **kwargs):
         self._request('fasagreement_disable', agreement, kwargs)
 
 
+class NoIPAServer(Exception):
+    """No IPA server available."""
+
+    pass
+
+
 def raise_on_failed(result):
     failed = result.get("failed", {})
     num_failed = sum(
@@ -130,9 +135,22 @@ def choose_server(app, session=None):
     server = None
     if session is not None:
         server = session.get('noggin_ipa_server_hostname', None)
-    available_servers = app.config['FREEIPA_SERVERS']
+    try:
+        available_servers = [
+            record.hostname
+            for record in srvlookup.lookup('ldap', domain=app.config["FREEIPA_DOMAIN"])
+        ]
+    except srvlookup.SRVQueryFailure:
+        available_servers = []
     if server is None or server not in available_servers:
-        server = random.choice(available_servers)
+        try:
+            server = available_servers[0]
+        except IndexError:
+            app.logger.warning(
+                "IPA server not found. Available servers: %s",
+                ", ".join(available_servers),
+            )
+            raise NoIPAServer
     if session is not None:
         session['noggin_ipa_server_hostname'] = server
     return server
@@ -157,7 +175,10 @@ def untouched_ipa_client(app, session):
 # It will be None if no session was provided or was provided but invalid.
 def maybe_ipa_session(app, session):
     encrypted_session = session.get('noggin_session', None)
-    server_hostname = choose_server(app, session)
+    try:
+        server_hostname = choose_server(app, session)
+    except NoIPAServer:
+        return None
     if encrypted_session and server_hostname:
         fernet = Fernet(app.config['FERNET_SECRET'])
         ipa_session = fernet.decrypt(encrypted_session)
@@ -189,9 +210,12 @@ def maybe_ipa_login(app, session, username, userpassword):
     # in the session and just always use that. Flask sessions are signed, so we
     # are safe in later assuming that the server hostname cookie has not been
     # altered.
-    client = Client(
-        choose_server(app, session), verify_ssl=app.config['FREEIPA_CACERT']
-    )
+    try:
+        client = Client(
+            choose_server(app, session), verify_ssl=app.config['FREEIPA_CACERT']
+        )
+    except NoIPAServer:
+        return None
 
     auth = client.login(username, userpassword)
 

pyproject.toml

@@ -65,6 +65,7 @@ translitcodec = "0.7.0"
 unidecode = "^1.2.0"
 flask-talisman = ">=0.8.1, <2.0"
 pyotp = "^2.2.7"
+srvlookup = "^2.0.0 || ^3.0.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = ">=7.1.0"