Diffstat (limited to 'openstack_auth')
-rw-r--r--openstack_auth/locale/en_GB/LC_MESSAGES/django.po9
-rw-r--r--openstack_auth/tests/unit/test_views.py38
-rw-r--r--openstack_auth/views.py22
3 files changed, 66 insertions, 3 deletions
diff --git a/openstack_auth/locale/en_GB/LC_MESSAGES/django.po b/openstack_auth/locale/en_GB/LC_MESSAGES/django.po
index f4f35ce1d..53b157572 100644
--- a/openstack_auth/locale/en_GB/LC_MESSAGES/django.po
+++ b/openstack_auth/locale/en_GB/LC_MESSAGES/django.po
@@ -1,15 +1,16 @@
# Andi Chandler <andi@gowling.com>, 2017. #zanata
# Andi Chandler <andi@gowling.com>, 2018. #zanata
# Andi Chandler <andi@gowling.com>, 2019. #zanata
+# Andi Chandler <andi@gowling.com>, 2020. #zanata
msgid ""
msgstr ""
"Project-Id-Version: horizon VERSION\n"
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2020-01-08 17:20+0000\n"
+"POT-Creation-Date: 2020-10-19 06:37+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2019-11-14 11:14+0000\n"
+"PO-Revision-Date: 2020-10-19 02:49+0000\n"
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
"Language-Team: English (United Kingdom)\n"
"Language: en_GB\n"
@@ -25,6 +26,10 @@ msgstr "Authenticate using"
msgid "Confirm password"
msgstr "Confirm password"
+msgid "Cookies may be turned off. Make sure cookies are enabled and try again."
+msgstr ""
+"Cookies may be turned off. Make sure cookies are enabled and try again."
+
msgid "Could not find service provider ID on keystone."
msgstr "Could not find service provider ID on Keystone."
diff --git a/openstack_auth/tests/unit/test_views.py b/openstack_auth/tests/unit/test_views.py
new file mode 100644
index 000000000..948a7224e
--- /dev/null
+++ b/openstack_auth/tests/unit/test_views.py
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from django.middleware import csrf
+from django import test
+
+from openstack_auth import views
+
+
+class CsrfTestCase(test.TestCase):
+ COOKIES_OFF_MSG = ("Cookies may be turned off. "
+ "Make sure cookies are enabled and try again.")
+
+ def test_no_csrf(self):
+ reason = views.get_csrf_reason(None)
+ self.assertIsNone(reason)
+
+ def test_valid_csrf(self):
+ reason = views.get_csrf_reason(csrf.REASON_NO_CSRF_COOKIE)
+ expected = csrf.REASON_NO_CSRF_COOKIE + " " + self.COOKIES_OFF_MSG
+
+ self.assertEqual(expected, reason)
+
+ def test_invalid_csrf(self):
+ reason = views.get_csrf_reason("error message")
+ expected = self.COOKIES_OFF_MSG
+
+ self.assertEqual(expected, reason)
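Review bot: The new `CsrfTestCase` exercises `get_csrf_reason` in isolation only, so nothing pins the property the change exists for: that arbitrary text supplied in the `csrf_failure` query parameter never reaches the rendered login page. A view-level test that requests the login URL with an unrecognised `csrf_failure` value and asserts the response contains the fixed cookie message but not the supplied text would cover that. At unit level, `test_valid_csrf` checks just `csrf.REASON_NO_CSRF_COOKIE` out of the six allowlisted constants, and the empty-string input (which takes the same early return as `None`) is untested; a loop over the constants with `self.subTest(reason=r)` would close both gaps cheaply.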
diff --git a/openstack_auth/views.py b/openstack_auth/views.py
index 376d12d79..353dc9915 100644
--- a/openstack_auth/views.py
+++ b/openstack_auth/views.py
@@ -19,6 +19,7 @@ from django.contrib.auth.decorators import login_required
from django.contrib.auth import views as django_auth_views
from django.contrib import messages
from django import http as django_http
+from django.middleware import csrf
from django import shortcuts
from django.urls import reverse
from django.utils import functional
@@ -47,6 +48,24 @@ from openstack_auth import utils
LOG = logging.getLogger(__name__)
+def get_csrf_reason(reason):
+ if not reason:
+ return
+
+ if reason not in [csrf.REASON_NO_REFERER,
+ csrf.REASON_BAD_REFERER,
+ csrf.REASON_NO_CSRF_COOKIE,
+ csrf.REASON_BAD_TOKEN,
+ csrf.REASON_MALFORMED_REFERER,
+ csrf.REASON_INSECURE_REFERER]:
+ reason = ""
+ else:
+ reason += " "
+ reason += str(_("Cookies may be turned off. "
+ "Make sure cookies are enabled and try again."))
+ return reason
+
+
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_protect
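Review bot: `get_csrf_reason` has no docstring saying that `reason` comes from the `csrf_failure` query parameter (see the `login` hunk below) and is therefore caller-controlled, which is the only reason the allowlist exists. A short docstring stating that a value is echoed only when it exactly equals one of Django's `csrf.REASON_*` constants, and that anything else is replaced by the fixed cookie hint, would keep a later edit from loosening the comparison to a prefix or substring match. As far as I know `csrf.REASON_BAD_REFERER` is a format template containing `%s`, so a real bad-referer failure string will presumably never equal it and will take the generic branch; that fails safe, but the entry looks dead and deserves a comment. The constants are also resolved on every call, so a Django release that renames or drops one (I believe `REASON_BAD_TOKEN` was later split into separate constants) would raise `AttributeError` inside the login view; a module-level tuple built once would fail at import time instead.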
@@ -102,9 +121,10 @@ def login(request):
form = functional.curry(forms.Login, initial=initial)
choices = settings.WEBSSO_CHOICES
+ reason = get_csrf_reason(request.GET.get('csrf_failure'))
extra_context = {
'redirect_field_name': auth.REDIRECT_FIELD_NAME,
- 'csrf_failure': request.GET.get('csrf_failure'),
+ 'csrf_failure': reason,
'show_sso_opts': settings.WEBSSO_ENABLED and len(choices) > 1,
'classes': {
'value': '',