summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/db/sysdb_ops.c17
-rw-r--r--src/tests/auth-tests.c6
-rw-r--r--src/tests/sysdb-tests.c12
-rw-r--r--src/util/auth_utils.h22
-rw-r--r--src/util/util_errors.c5
-rw-r--r--src/util/util_errors.h5
6 files changed, 42 insertions, 25 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0fb8ed49e..1f27af8db 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2754,7 +2754,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
if (ret != EOK) {
DEBUG(1, ("Failed to read the number of allowed failed login "
"attempts.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
goto done;
}
ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
@@ -2763,7 +2763,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
&failed_login_delay);
if (ret != EOK) {
DEBUG(1, ("Failed to read the failed login delay.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
goto done;
}
DEBUG(9, ("Failed login attempts [%d], allowed failed login attempts [%d], "
@@ -2781,12 +2781,12 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
} else {
DEBUG(7, ("login delayed until %lld.\n", (long long) end));
*delayed_until = end;
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
goto done;
}
} else {
DEBUG(4, ("Too many failed logins.\n"));
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
goto done;
}
}
@@ -2862,6 +2862,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
if (ret != EOK) {
DEBUG(1, ("sysdb_search_user_by_name failed [%d][%s].\n",
ret, strerror(ret)));
+ if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;
goto done;
}
@@ -2884,7 +2885,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
if (expire_date < time(NULL)) {
DEBUG(4, ("Cached user entry is too old.\n"));
expire_date = 0;
- ret = EACCES;
+ ret = ERR_CACHED_CREDS_EXPIRED;
goto done;
}
} else {
@@ -2903,14 +2904,14 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
if (userhash == NULL || *userhash == '\0') {
DEBUG(4, ("Cached credentials not available.\n"));
- ret = ENOENT;
+ ret = ERR_NO_CACHED_CREDS;
goto done;
}
ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
if (ret) {
DEBUG(4, ("Failed to create password hash.\n"));
- ret = EFAULT;
+ ret = ERR_INTERNAL;
goto done;
}
@@ -2997,7 +2998,7 @@ done:
ret = EOK;
} else {
if (ret == EOK) {
- ret = EINVAL;
+ ret = ERR_AUTH_FAILED;
}
}
talloc_free(tmp_ctx);
diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c
index 7b53c9b92..02fb39c88 100644
--- a/src/tests/auth-tests.c
+++ b/src/tests/auth-tests.c
@@ -229,8 +229,8 @@ START_TEST(test_failed_login_attempts)
* failed attempts >= offline_failed_login_attempts */
do_failed_login_test(0, 0, 2, 0, EOK, 0, -1);
do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1);
- do_failed_login_test(2, 0, 2, 0, EACCES, 2, -1);
- do_failed_login_test(2, time(NULL), 2, 0, EACCES, 2, -1);
+ do_failed_login_test(2, 0, 2, 0, ERR_AUTH_DENIED, 2, -1);
+ do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1);
/* if offline_failed_login_attempts != 0 and
* offline_failed_login_delay != 0 a login is denied only if the number of
@@ -240,7 +240,7 @@ START_TEST(test_failed_login_attempts)
do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1);
do_failed_login_test(2, 0, 2, 5, EOK, 0, -1);
now = time(NULL);
- do_failed_login_test(2, now, 2, 5, EACCES, 2, (now + 5 * 60));
+ do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60));
}
END_TEST
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 081df6cf6..ada0ccc56 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1845,8 +1845,10 @@ START_TEST (test_sysdb_cached_authentication_missing_password)
username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", ENOENT);
- cached_authentication_with_expiration(username, "abc", ENOENT);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
talloc_free(tmp_ctx);
@@ -1864,8 +1866,10 @@ START_TEST (test_sysdb_cached_authentication_wrong_password)
username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", EINVAL);
- cached_authentication_with_expiration(username, "abc", EINVAL);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_AUTH_FAILED);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_AUTH_FAILED);
talloc_free(tmp_ctx);
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
index e9e60a085..8883c5ceb 100644
--- a/src/util/auth_utils.h
+++ b/src/util/auth_utils.h
@@ -28,15 +28,17 @@
static inline int cached_login_pam_status(int auth_res)
{
switch (auth_res) {
- case EOK:
- return PAM_SUCCESS;
- case ENOENT:
- return PAM_AUTHINFO_UNAVAIL;
- case EINVAL:
- return PAM_AUTH_ERR;
- case EACCES:
- return PAM_PERM_DENIED;
+ case EOK:
+ return PAM_SUCCESS;
+ case ERR_ACCOUNT_UNKNOWN:
+ return PAM_AUTHINFO_UNAVAIL;
+ case ERR_NO_CACHED_CREDS:
+ case ERR_CACHED_CREDS_EXPIRED:
+ case ERR_AUTH_DENIED:
+ return PAM_PERM_DENIED;
+ case ERR_AUTH_FAILED:
+ return PAM_AUTH_ERR;
+ default:
+ return PAM_SYSTEM_ERR;
}
-
- return PAM_SYSTEM_ERR;
}
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 92dced3c5..c196aae38 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -27,6 +27,11 @@ struct err_string {
struct err_string error_to_str[] = {
{ "Invalid Error" }, /* ERR_INVALID */
{ "Internal Error" }, /* ERR_INTERNAL */
+ { "Account Unknown" }, /* ERR_ACCOUNT_UNKNOWN */
+ { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+ { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+ { "Authentication Denied" }, /* ERR_AUTH_DENIED */
+ { "Authentication Failed" }, /* ERR_AUTH_DENIED */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index eb0df77e6..870d9d44b 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -49,6 +49,11 @@ typedef int errno_t;
enum sssd_errors {
ERR_INVALID = ERR_BASE + 0,
ERR_INTERNAL,
+ ERR_ACCOUNT_UNKNOWN,
+ ERR_NO_CACHED_CREDS,
+ ERR_CACHED_CREDS_EXPIRED,
+ ERR_AUTH_DENIED,
+ ERR_AUTH_FAILED,
ERR_LAST /* ALWAYS LAST */
};