diff options
-rw-r--r-- | src/db/sysdb_ops.c | 17 | ||||
-rw-r--r-- | src/tests/auth-tests.c | 6 | ||||
-rw-r--r-- | src/tests/sysdb-tests.c | 12 | ||||
-rw-r--r-- | src/util/auth_utils.h | 22 | ||||
-rw-r--r-- | src/util/util_errors.c | 5 | ||||
-rw-r--r-- | src/util/util_errors.h | 5 |
6 files changed, 42 insertions, 25 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 0fb8ed49e..1f27af8db 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -2754,7 +2754,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb, if (ret != EOK) { DEBUG(1, ("Failed to read the number of allowed failed login " "attempts.\n")); - ret = EIO; + ret = ERR_INTERNAL; goto done; } ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, @@ -2763,7 +2763,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb, &failed_login_delay); if (ret != EOK) { DEBUG(1, ("Failed to read the failed login delay.\n")); - ret = EIO; + ret = ERR_INTERNAL; goto done; } DEBUG(9, ("Failed login attempts [%d], allowed failed login attempts [%d], " @@ -2781,12 +2781,12 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb, } else { DEBUG(7, ("login delayed until %lld.\n", (long long) end)); *delayed_until = end; - ret = EACCES; + ret = ERR_AUTH_DENIED; goto done; } } else { DEBUG(4, ("Too many failed logins.\n")); - ret = EACCES; + ret = ERR_AUTH_DENIED; goto done; } } @@ -2862,6 +2862,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb, if (ret != EOK) { DEBUG(1, ("sysdb_search_user_by_name failed [%d][%s].\n", ret, strerror(ret))); + if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN; goto done; } @@ -2884,7 +2885,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb, if (expire_date < time(NULL)) { DEBUG(4, ("Cached user entry is too old.\n")); expire_date = 0; - ret = EACCES; + ret = ERR_CACHED_CREDS_EXPIRED; goto done; } } else { @@ -2903,14 +2904,14 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb, userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL); if (userhash == NULL || *userhash == '\0') { DEBUG(4, ("Cached credentials not available.\n")); - ret = ENOENT; + ret = ERR_NO_CACHED_CREDS; goto done; } ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash); if (ret) { DEBUG(4, ("Failed to create password hash.\n")); - ret = EFAULT; + ret = ERR_INTERNAL; goto done; } @@ -2997,7 +2998,7 @@ done: ret = EOK; } else { if (ret == EOK) { - ret = EINVAL; + ret = ERR_AUTH_FAILED; } } talloc_free(tmp_ctx); diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c index 7b53c9b92..02fb39c88 100644 --- a/src/tests/auth-tests.c +++ b/src/tests/auth-tests.c @@ -229,8 +229,8 @@ START_TEST(test_failed_login_attempts) * failed attempts >= offline_failed_login_attempts */ do_failed_login_test(0, 0, 2, 0, EOK, 0, -1); do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1); - do_failed_login_test(2, 0, 2, 0, EACCES, 2, -1); - do_failed_login_test(2, time(NULL), 2, 0, EACCES, 2, -1); + do_failed_login_test(2, 0, 2, 0, ERR_AUTH_DENIED, 2, -1); + do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1); /* if offline_failed_login_attempts != 0 and * offline_failed_login_delay != 0 a login is denied only if the number of @@ -240,7 +240,7 @@ START_TEST(test_failed_login_attempts) do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1); do_failed_login_test(2, 0, 2, 5, EOK, 0, -1); now = time(NULL); - do_failed_login_test(2, now, 2, 5, EACCES, 2, (now + 5 * 60)); + do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60)); } END_TEST diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index 081df6cf6..ada0ccc56 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -1845,8 +1845,10 @@ START_TEST (test_sysdb_cached_authentication_missing_password) username = talloc_asprintf(tmp_ctx, "testuser%d", _i); fail_unless(username != NULL, "talloc_asprintf failed."); - cached_authentication_without_expiration(username, "abc", ENOENT); - cached_authentication_with_expiration(username, "abc", ENOENT); + cached_authentication_without_expiration(username, "abc", + ERR_NO_CACHED_CREDS); + cached_authentication_with_expiration(username, "abc", + ERR_NO_CACHED_CREDS); talloc_free(tmp_ctx); @@ -1864,8 +1866,10 @@ START_TEST (test_sysdb_cached_authentication_wrong_password) username = talloc_asprintf(tmp_ctx, "testuser%d", _i); fail_unless(username != NULL, "talloc_asprintf failed."); - cached_authentication_without_expiration(username, "abc", EINVAL); - cached_authentication_with_expiration(username, "abc", EINVAL); + cached_authentication_without_expiration(username, "abc", + ERR_AUTH_FAILED); + cached_authentication_with_expiration(username, "abc", + ERR_AUTH_FAILED); talloc_free(tmp_ctx); diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h index e9e60a085..8883c5ceb 100644 --- a/src/util/auth_utils.h +++ b/src/util/auth_utils.h @@ -28,15 +28,17 @@ static inline int cached_login_pam_status(int auth_res) { switch (auth_res) { - case EOK: - return PAM_SUCCESS; - case ENOENT: - return PAM_AUTHINFO_UNAVAIL; - case EINVAL: - return PAM_AUTH_ERR; - case EACCES: - return PAM_PERM_DENIED; + case EOK: + return PAM_SUCCESS; + case ERR_ACCOUNT_UNKNOWN: + return PAM_AUTHINFO_UNAVAIL; + case ERR_NO_CACHED_CREDS: + case ERR_CACHED_CREDS_EXPIRED: + case ERR_AUTH_DENIED: + return PAM_PERM_DENIED; + case ERR_AUTH_FAILED: + return PAM_AUTH_ERR; + default: + return PAM_SYSTEM_ERR; } - - return PAM_SYSTEM_ERR; } diff --git a/src/util/util_errors.c b/src/util/util_errors.c index 92dced3c5..c196aae38 100644 --- a/src/util/util_errors.c +++ b/src/util/util_errors.c @@ -27,6 +27,11 @@ struct err_string { struct err_string error_to_str[] = { { "Invalid Error" }, /* ERR_INVALID */ { "Internal Error" }, /* ERR_INTERNAL */ + { "Account Unknown" }, /* ERR_ACCOUNT_UNKNOWN */ + { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */ + { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */ + { "Authentication Denied" }, /* ERR_AUTH_DENIED */ + { "Authentication Failed" }, /* ERR_AUTH_DENIED */ }; diff --git a/src/util/util_errors.h b/src/util/util_errors.h index eb0df77e6..870d9d44b 100644 --- a/src/util/util_errors.h +++ b/src/util/util_errors.h @@ -49,6 +49,11 @@ typedef int errno_t; enum sssd_errors { ERR_INVALID = ERR_BASE + 0, ERR_INTERNAL, + ERR_ACCOUNT_UNKNOWN, + ERR_NO_CACHED_CREDS, + ERR_CACHED_CREDS_EXPIRED, + ERR_AUTH_DENIED, + ERR_AUTH_FAILED, ERR_LAST /* ALWAYS LAST */ }; |