This prevents reporting false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors. --- src/db/sysdb_ops.c | 17 +++++++++-------- src/tests/auth-tests.c | 6 +++--- src/tests/sysdb-tests.c | 12 ++++++++---- src/util/auth_utils.h | 22 ++++++++++++---------- src/util/util_errors.c | 5 +++++ src/util/util_errors.h | 5 +++++ 6 files changed, 42 insertions(+), 25 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 9974beb05ebfe6fdd295e7e6e07015fd26b631c2..8aacb816acdbbf24c17ed2191b1f008f5d462de2 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2711,7 +2711,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
 if (ret != EOK) {
 DEBUG(1, ("Failed to read the number of allowed failed login "
 "attempts.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
 goto done;
 }
 ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
@@ -2720,7 +2720,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
 &failed_login_delay);
 if (ret != EOK) {
 DEBUG(1, ("Failed to read the failed login delay.\n"));
- ret = EIO;
+ ret = ERR_INTERNAL;
 goto done;
 }
 DEBUG(9, ("Failed login attempts [%d], allowed failed login attempts [%d], "
@@ -2738,12 +2738,12 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
 } else {
 DEBUG(7, ("login delayed until %lld.\n", (long long) end));
 *delayed_until = end;
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
 goto done;
 }
 } else {
 DEBUG(4, ("Too many failed logins.\n"));
- ret = EACCES;
+ ret = ERR_AUTH_DENIED;
 goto done;
 }
 }
@@ -2818,6 +2818,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
 if (ret != EOK) {
 DEBUG(1, ("sysdb_search_user_by_name failed [%d][%s].\n", ret, strerror(ret)));
+ if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;
 goto done;
 }
@@ -2840,7 +2841,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
 if (expire_date < time(NULL)) {
 DEBUG(4, ("Cached user entry is too old.\n"));
 expire_date = 0;
- ret = EACCES;
+ ret = ERR_CACHED_CREDS_EXPIRED;
 goto done;
 }
 } else {
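Review bot: The lockout branches of check_failed_login_attempts (hunk at 2738) now return `ERR_AUTH_DENIED` where they returned `EACCES`, and sysdb_cache_auth makes the same kind of swap here (`ERR_CACHED_CREDS_EXPIRED`) and in the later hunks at 2859 and 2952 (`ERR_NO_CACHED_CREDS`, `ERR_AUTH_FAILED`), yet the diffstat lists only auth_utils.h and the two test files as updated consumers. Any caller outside this patch that still compares the result with `EACCES`, `ENOENT` or `EINVAL` would no longer recognise a denied or failed login and would take its generic error path, so those call sites need checking before this is merged. A contract comment above each function would make the new return set explicit, for example `/* Returns EOK, ERR_AUTH_DENIED when the login is locked out or delayed, ERR_INTERNAL when the confdb limits cannot be read. */`, adjusted for whatever the parts of the function outside these hunks return. Both function bodies start and end outside the hunks.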
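Review bot: The added `if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;` in the hunk at 2818 is an unbraced one-line conditional, while the other conditionals visible in these hunks are braced. In an authentication path, a statement added later under that `if` can silently end up outside the condition, so write it as `if (ret == ENOENT) { ret = ERR_ACCOUNT_UNKNOWN; }` on three lines. Every other failure from sysdb_search_user_by_name still leaves the function as a raw errno value. A short comment stating that such values are meant to reach the `default:` case of cached_login_pam_status would tell the next reader this is deliberate. The body of sysdb_cache_auth continues outside the hunk.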
@@ -2859,14 +2860,14 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
 userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
 if (userhash == NULL || *userhash == '\0') {
 DEBUG(4, ("Cached credentials not available.\n"));
- ret = ENOENT;
+ ret = ERR_NO_CACHED_CREDS;
 goto done;
 }
 ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
 if (ret) {
 DEBUG(4, ("Failed to create password hash.\n"));
- ret = EFAULT;
+ ret = ERR_INTERNAL;
 goto done;
 }
@@ -2952,7 +2953,7 @@ done:
 ret = EOK;
 } else {
 if (ret == EOK) {
- ret = EINVAL;
+ ret = ERR_AUTH_FAILED;
 }
 }
 talloc_free(tmp_ctx);
diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c
index ff8b9e1bd73c09bc16774af6b53715e8b9d2fcd3..2f96a1638bc544f571b663b6231ccbe004a03764 100644
--- a/src/tests/auth-tests.c
+++ b/src/tests/auth-tests.c
@@ -229,8 +229,8 @@ START_TEST(test_failed_login_attempts)
 * failed attempts >= offline_failed_login_attempts */
 do_failed_login_test(0, 0, 2, 0, EOK, 0, -1);
 do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1);
- do_failed_login_test(2, 0, 2, 0, EACCES, 2, -1);
- do_failed_login_test(2, time(NULL), 2, 0, EACCES, 2, -1);
+ do_failed_login_test(2, 0, 2, 0, ERR_AUTH_DENIED, 2, -1);
+ do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1);
 /* if offline_failed_login_attempts != 0 and * offline_failed_login_delay != 0 a login is denied only if the number of
@@ -240,7 +240,7 @@ START_TEST(test_failed_login_attempts)
 do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1);
 do_failed_login_test(2, 0, 2, 5, EOK, 0, -1);
 now = time(NULL);
- do_failed_login_test(2, now, 2, 5, EACCES, 2, (now + 5 * 60));
+ do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60));
 }
 END_TEST
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index a5526280afc7f303daace8efaa00b2b486f9233a..50d2ca5e40728804b46ebe66b40dccb992f2c888 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1663,8 +1663,10 @@ START_TEST (test_sysdb_cached_authentication_missing_password)
 username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
 fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", ENOENT);
- cached_authentication_with_expiration(username, "abc", ENOENT);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_NO_CACHED_CREDS);
 talloc_free(tmp_ctx);
@@ -1682,8 +1684,10 @@ START_TEST (test_sysdb_cached_authentication_wrong_password)
 username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
 fail_unless(username != NULL, "talloc_asprintf failed.");
- cached_authentication_without_expiration(username, "abc", EINVAL);
- cached_authentication_with_expiration(username, "abc", EINVAL);
+ cached_authentication_without_expiration(username, "abc",
+ ERR_AUTH_FAILED);
+ cached_authentication_with_expiration(username, "abc",
+ ERR_AUTH_FAILED);
 talloc_free(tmp_ctx);
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
index e9e60a085c386c1354732a816f8d982c5e6bf23f..8883c5ceb3691a89cc553c28bd6a76c5c611da0e 100644
--- a/src/util/auth_utils.h
+++ b/src/util/auth_utils.h
@@ -28,15 +28,17 @@
 static inline int cached_login_pam_status(int auth_res)
 {
 switch (auth_res) {
- case EOK:
- return PAM_SUCCESS;
- case ENOENT:
- return PAM_AUTHINFO_UNAVAIL;
- case EINVAL:
- return PAM_AUTH_ERR;
- case EACCES:
- return PAM_PERM_DENIED;
+ case EOK:
+ return PAM_SUCCESS;
+ case ERR_ACCOUNT_UNKNOWN:
+ return PAM_AUTHINFO_UNAVAIL;
+ case ERR_NO_CACHED_CREDS:
+ case ERR_CACHED_CREDS_EXPIRED:
+ case ERR_AUTH_DENIED:
+ return PAM_PERM_DENIED;
+ case ERR_AUTH_FAILED:
+ return PAM_AUTH_ERR;
+ default:
+ return PAM_SYSTEM_ERR;
 }
-
- return PAM_SYSTEM_ERR;
 }
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 92dced3c5f75f964adbaa1d886a07427c3f0a8c3..c196aae38a696df0333ed2de611202340066510e 100644
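Review bot: In cached_login_pam_status (src/util/auth_utils.h) a missing cached password changes its PAM result without the commit message saying so. sysdb_cache_auth used to return `ENOENT` for that case, which mapped to `PAM_AUTHINFO_UNAVAIL`, whereas `ERR_NO_CACHED_CREDS` is now grouped with `ERR_AUTH_DENIED` under `PAM_PERM_DENIED`. A PAM stack that treats `authinfo_unavail` differently from `perm_denied` will therefore behave differently for accounts with no cached password. If the change is intended, state it in the commit message and in a comment above the switch; if not, move `case ERR_NO_CACHED_CREDS:` up beside `case ERR_ACCOUNT_UNKNOWN:`. The new `default:` branch returning `PAM_SYSTEM_ERR` keeps unmapped codes failing closed, which is worth a one-line comment so it is not later relaxed.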
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -27,6 +27,11 @@ struct err_string {
 struct err_string error_to_str[] = {
 { "Invalid Error" }, /* ERR_INVALID */
 { "Internal Error" }, /* ERR_INTERNAL */
+ { "Account Unknown" }, /* ERR_ACCOUNT_UNKNOWN */
+ { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+ { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+ { "Authentication Denied" }, /* ERR_AUTH_DENIED */
+ { "Authentication Failed" }, /* ERR_AUTH_DENIED */
 };
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index eb0df77e6e8dbe2829cd59def3dee1d8abfce810..870d9d44bcb9a674e7208400ad649b7c761903de 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -49,6 +49,11 @@ typedef int errno_t;
 enum sssd_errors {
 ERR_INVALID = ERR_BASE + 0,
 ERR_INTERNAL,
+ ERR_ACCOUNT_UNKNOWN,
+ ERR_NO_CACHED_CREDS,
+ ERR_CACHED_CREDS_EXPIRED,
+ ERR_AUTH_DENIED,
+ ERR_AUTH_FAILED,
 ERR_LAST /* ALWAYS LAST */
 };
-- 1.7.1
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
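Review bot: The last added row of error_to_str in src/util/util_errors.c carries the wrong label: `{ "Authentication Failed" }, /* ERR_AUTH_DENIED */` should read `/* ERR_AUTH_FAILED */`. The table is positional, so these comments are the only thing tying each string to its enumerator in util_errors.h; the order of the five new rows does match the five new enumerators in this patch. Because a later mismatch would make logs report the wrong reason for a rejected login, consider designated initializers such as `[ERR_AUTH_FAILED - ERR_BASE] = { "Authentication Failed" },`, assuming the lookup indexes the table by `err - ERR_BASE` (the lookup function is not in this hunk).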