authorSimo Sorce <simo@redhat.com>2012-11-21 16:52:33 -0500
committerSimo Sorce <simo@redhat.com>2013-01-04 14:40:54 -0500
commit707d7b29652f12a683dfd18ea84173b4147cdb8b (patch)
tree023c9a6aec01070abf81a78432692c1e52e8920d
parenta8fd47c45cf61af28b8bc82b4ac79b67cd26135a (diff)
Use SSSD specific errors for offline auth
This prevents reporting false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.
-rw-r--r--src/db/sysdb_ops.c17
-rw-r--r--src/tests/auth-tests.c6
-rw-r--r--src/tests/sysdb-tests.c12
-rw-r--r--src/util/auth_utils.h22
-rw-r--r--src/util/util_errors.c5
-rw-r--r--src/util/util_errors.h5
6 files changed, 42 insertions, 25 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 4bbc76c5..d68627e7 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2628,7 +2628,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
if (ret != EOK) {
DEBUG(1, ("Failed to read the number of allowed failed login "
"attempts.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
goto done;
}
ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
@@ -2637,7 +2637,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
&failed_login_delay);
if (ret != EOK) {
DEBUG(1, ("Failed to read the failed login delay.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
goto done;
}
DEBUG(9, ("Failed login attempts [%d], allowed failed login attempts [%d], "
@@ -2655,12 +2655,12 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
} else {
DEBUG(7, ("login delayed until %lld.\n", (long long) end));
*delayed_until = end;
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
goto done;
}
} else {
DEBUG(4, ("Too many failed logins.\n"));
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
goto done;
}
}
@@ -2738,6 +2738,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
if (ret != EOK) {
DEBUG(1, ("sysdb_search_user_by_name failed [%d][%s].\n",
ret, strerror(ret)));
+ if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;
goto done;
}
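Review bot: The added `if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;` is an unbraced single-statement if, while the surrounding code in this function brace-wraps every conditional (`if (ret != EOK) { ... }`); `if (ret == ENOENT) { ret = ERR_ACCOUNT_UNKNOWN; }` would match the file's style and avoids the classic dangling-statement mistake on a later edit. The DEBUG line just above still formats the error with strerror(ret), which is fine here because the remap happens after the log, but any later logging of ret on the done: path will presumably print a generic "Unknown error" string for the new ERR_* codes unless it goes through the error_to_str table; worth checking the callers that log the result of sysdb_cache_auth. The body of sysdb_cache_auth continues outside this hunk, so the remaining error paths could not be checked here.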
@@ -2760,7 +2761,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
if (expire_date < time(NULL)) {
DEBUG(4, ("Cached user entry is too old.\n"));
expire_date = 0;
- ret = EACCES;
+ ret = ERR_CACHED_CREDS_EXPIRED;
goto done;
}
} else {
@@ -2786,14 +2787,14 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
if (userhash == NULL || *userhash == '\0') {
DEBUG(4, ("Cached credentials not available.\n"));
- ret = ENOENT;
+ ret = ERR_NO_CACHED_CREDS;
goto done;
}
ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
if (ret) {
DEBUG(4, ("Failed to create password hash.\n"));
- ret = EFAULT;
+ ret = ERR_INTERNAL;
goto done;
}
@@ -2880,7 +2881,7 @@ done:
ret = EOK;
} else {
if (ret == EOK) {
- ret = EINVAL;
+ ret = ERR_AUTH_FAILED;
}
}
talloc_free(tmp_ctx);
diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c
index ff8b9e1b..2f96a163 100644
--- a/src/tests/auth-tests.c
+++ b/src/tests/auth-tests.c
@@ -229,8 +229,8 @@ START_TEST(test_failed_login_attempts)
* failed attempts >= offline_failed_login_attempts */
do_failed_login_test(0, 0, 2, 0, EOK, 0, -1);
do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1);
- do_failed_login_test(2, 0, 2, 0, EACCES, 2, -1);
- do_failed_login_test(2, time(NULL), 2, 0, EACCES, 2, -1);
+ do_failed_login_test(2, 0, 2, 0, ERR_AUTH_DENIED, 2, -1);
+ do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1);
/* if offline_failed_login_attempts != 0 and
* offline_failed_login_delay != 0 a login is denied only if the number of
@@ -240,7 +240,7 @@ START_TEST(test_failed_login_attempts)
do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1);
do_failed_login_test(2, 0, 2, 5, EOK, 0, -1);
now = time(NULL);
- do_failed_login_test(2, now, 2, 5, EACCES, 2, (now + 5 * 60));
+ do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60));
}
END_TEST
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 1db907b5..a7c9d837 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1665,8 +1665,10 @@ START_TEST (test_sysdb_cached_authentication_missing_password)
username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", ENOENT);
- cached_authentication_with_expiration(username, "abc", ENOENT);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
talloc_free(tmp_ctx);
@@ -1684,8 +1686,10 @@ START_TEST (test_sysdb_cached_authentication_wrong_password)
username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", EINVAL);
- cached_authentication_with_expiration(username, "abc", EINVAL);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_AUTH_FAILED);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_AUTH_FAILED);
talloc_free(tmp_ctx);
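Review bot: The updated tests pin ERR_NO_CACHED_CREDS and ERR_AUTH_FAILED, but nothing in these two hunks asserts the other new results sysdb_cache_auth can now return: ERR_ACCOUNT_UNKNOWN for a user that is not in the cache at all, and ERR_CACHED_CREDS_EXPIRED when the cached entry is older than the expiration. If no other test in sysdb-tests.c covers them, a variant such as `cached_authentication_without_expiration("nosuchuser", "abc", ERR_ACCOUNT_UNKNOWN);` would lock in the user-not-found mapping, which is the one most likely to regress since it depends on the ENOENT remap in sysdb_ops.c. The START_TEST bodies begin and end outside the visible hunk lines.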
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
index e9e60a08..8883c5ce 100644
--- a/src/util/auth_utils.h
+++ b/src/util/auth_utils.h
@@ -28,15 +28,17 @@
static inline int cached_login_pam_status(int auth_res)
{
switch (auth_res) {
- case EOK:
- return PAM_SUCCESS;
- case ENOENT:
- return PAM_AUTHINFO_UNAVAIL;
- case EINVAL:
- return PAM_AUTH_ERR;
- case EACCES:
- return PAM_PERM_DENIED;
+ case EOK:
+ return PAM_SUCCESS;
+ case ERR_ACCOUNT_UNKNOWN:
+ return PAM_AUTHINFO_UNAVAIL;
+ case ERR_NO_CACHED_CREDS:
+ case ERR_CACHED_CREDS_EXPIRED:
+ case ERR_AUTH_DENIED:
+ return PAM_PERM_DENIED;
+ case ERR_AUTH_FAILED:
+ return PAM_AUTH_ERR;
+ default:
+ return PAM_SYSTEM_ERR;
}
-
- return PAM_SYSTEM_ERR;
}
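Review bot: ERR_NO_CACHED_CREDS now maps to PAM_PERM_DENIED, whereas the ENOENT it replaces (set in sysdb_cache_auth when the cached hash is missing) previously mapped to PAM_AUTHINFO_UNAVAIL, so a user who simply has no cached password now gets a different PAM result than before, and the commit message does not mention this. If the old behaviour was intended, move the label next to the account-unknown case: `case ERR_ACCOUNT_UNKNOWN:` / `case ERR_NO_CACHED_CREDS:` / `return PAM_AUTHINFO_UNAVAIL;`; otherwise the change deserves a sentence in the description. The new `default: return PAM_SYSTEM_ERR;` is the right choice, since any raw errno that still escapes the cache path is reported as an internal failure instead of being interpreted as an authentication outcome, and a comment above the switch along the lines of `/* Map sysdb_cache_auth() results to PAM codes; anything unlisted is an internal error. */` would make that intent explicit.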
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 92dced3c..c196aae3 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -27,6 +27,11 @@ struct err_string {
struct err_string error_to_str[] = {
{ "Invalid Error" }, /* ERR_INVALID */
{ "Internal Error" }, /* ERR_INTERNAL */
+ { "Account Unknown" }, /* ERR_ACCOUNT_UNKNOWN */
+ { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+ { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+ { "Authentication Denied" }, /* ERR_AUTH_DENIED */
+ { "Authentication Failed" }, /* ERR_AUTH_DENIED */
};
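Review bot: The comment on the last new entry, `{ "Authentication Failed" }, /* ERR_AUTH_DENIED */`, names the wrong enumerator; the string belongs to ERR_AUTH_FAILED, so it should read `{ "Authentication Failed" }, /* ERR_AUTH_FAILED */`. Because error_to_str is indexed positionally against enum sssd_errors in util_errors.h, a mislabelled or reordered entry silently attaches the wrong message to an error code; designated initializers such as `[ERR_AUTH_FAILED - ERR_BASE] = { "Authentication Failed" },` would tie each string to its code and let a gap show up as an empty entry rather than an off-by-one message. The lookup code that consumes this table is outside the hunk, so its bounds handling against ERR_LAST could not be checked here.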
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index eb0df77e..870d9d44 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -49,6 +49,11 @@ typedef int errno_t;
enum sssd_errors {
ERR_INVALID = ERR_BASE + 0,
ERR_INTERNAL,
+ ERR_ACCOUNT_UNKNOWN,
+ ERR_NO_CACHED_CREDS,
+ ERR_CACHED_CREDS_EXPIRED,
+ ERR_AUTH_DENIED,
+ ERR_AUTH_FAILED,
ERR_LAST /* ALWAYS LAST */
};