From ab967283b710dfa05d11ee5b30c7ac916486ceec Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 21 Nov 2012 16:52:33 -0500
Subject: Use SSSD specific errors for offline auth

This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
---
 src/db/sysdb_ops.c      | 17 +++++++++--------
 src/tests/auth-tests.c  |  6 +++---
 src/tests/sysdb-tests.c | 12 ++++++++----
 src/util/auth_utils.h   | 22 ++++++++++++----------
 src/util/util_errors.c  |  5 +++++
 src/util/util_errors.h  |  5 +++++
 6 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0fb8ed49..1f27af8d 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2754,7 +2754,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
     if (ret != EOK) {
         DEBUG(1, ("Failed to read the number of allowed failed login "
                   "attempts.\n"));
-        ret = EIO;
+        ret = ERR_INTERNAL;
         goto done;
     }
     ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
@@ -2763,7 +2763,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
                          &failed_login_delay);
     if (ret != EOK) {
         DEBUG(1, ("Failed to read the failed login delay.\n"));
-        ret = EIO;
+        ret = ERR_INTERNAL;
         goto done;
     }
     DEBUG(9, ("Failed login attempts [%d], allowed failed login attempts [%d], "
@@ -2781,12 +2781,12 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
                 } else {
                     DEBUG(7, ("login delayed until %lld.\n", (long long) end));
                     *delayed_until = end;
-                    ret = EACCES;
+                    ret = ERR_AUTH_DENIED;
                     goto done;
                 }
             } else {
                 DEBUG(4, ("Too many failed logins.\n"));
-                ret = EACCES;
+                ret = ERR_AUTH_DENIED;
                 goto done;
             }
         }
@@ -2862,6 +2862,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
     if (ret != EOK) {
         DEBUG(1, ("sysdb_search_user_by_name failed [%d][%s].\n",
                   ret, strerror(ret)));
+        if (ret == ENOENT) ret = ERR_ACCOUNT_UNKNOWN;
         goto done;
     }
 
@@ -2884,7 +2885,7 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
         if (expire_date < time(NULL)) {
             DEBUG(4, ("Cached user entry is too old.\n"));
             expire_date = 0;
-            ret = EACCES;
+            ret = ERR_CACHED_CREDS_EXPIRED;
             goto done;
         }
     } else {
@@ -2903,14 +2904,14 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
     userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
     if (userhash == NULL || *userhash == '\0') {
         DEBUG(4, ("Cached credentials not available.\n"));
-        ret = ENOENT;
+        ret = ERR_NO_CACHED_CREDS;
         goto done;
     }
 
     ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
     if (ret) {
         DEBUG(4, ("Failed to create password hash.\n"));
-        ret = EFAULT;
+        ret = ERR_INTERNAL;
         goto done;
     }
 
@@ -2997,7 +2998,7 @@ done:
         ret = EOK;
     } else {
         if (ret == EOK) {
-            ret = EINVAL;
+            ret = ERR_AUTH_FAILED;
         }
     }
     talloc_free(tmp_ctx);
diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c
index 7b53c9b9..02fb39c8 100644
--- a/src/tests/auth-tests.c
+++ b/src/tests/auth-tests.c
@@ -229,8 +229,8 @@ START_TEST(test_failed_login_attempts)
      * failed attempts >= offline_failed_login_attempts */
     do_failed_login_test(0,          0, 2, 0, EOK, 0, -1);
     do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1);
-    do_failed_login_test(2,          0, 2, 0, EACCES, 2, -1);
-    do_failed_login_test(2, time(NULL), 2, 0, EACCES, 2, -1);
+    do_failed_login_test(2,          0, 2, 0, ERR_AUTH_DENIED, 2, -1);
+    do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1);
 
     /* if offline_failed_login_attempts != 0 and
      * offline_failed_login_delay != 0 a login is denied only if the number of
@@ -240,7 +240,7 @@ START_TEST(test_failed_login_attempts)
     do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1);
     do_failed_login_test(2,          0, 2, 5, EOK, 0, -1);
     now = time(NULL);
-    do_failed_login_test(2, now, 2, 5, EACCES, 2, (now + 5 * 60));
+    do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60));
 
 }
 END_TEST
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 081df6cf..ada0ccc5 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1845,8 +1845,10 @@ START_TEST (test_sysdb_cached_authentication_missing_password)
     username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
     fail_unless(username != NULL, "talloc_asprintf failed.");
 
-    cached_authentication_without_expiration(username, "abc", ENOENT);
-    cached_authentication_with_expiration(username, "abc", ENOENT);
+    cached_authentication_without_expiration(username, "abc",
+                                             ERR_NO_CACHED_CREDS);
+    cached_authentication_with_expiration(username, "abc",
+                                             ERR_NO_CACHED_CREDS);
 
     talloc_free(tmp_ctx);
 
@@ -1864,8 +1866,10 @@ START_TEST (test_sysdb_cached_authentication_wrong_password)
     username = talloc_asprintf(tmp_ctx, "testuser%d", _i);
     fail_unless(username != NULL, "talloc_asprintf failed.");
 
-    cached_authentication_without_expiration(username, "abc", EINVAL);
-    cached_authentication_with_expiration(username, "abc", EINVAL);
+    cached_authentication_without_expiration(username, "abc",
+                                             ERR_AUTH_FAILED);
+    cached_authentication_with_expiration(username, "abc",
+                                             ERR_AUTH_FAILED);
 
     talloc_free(tmp_ctx);
 
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
index e9e60a08..8883c5ce 100644
--- a/src/util/auth_utils.h
+++ b/src/util/auth_utils.h
@@ -28,15 +28,17 @@
 static inline int cached_login_pam_status(int auth_res)
 {
     switch (auth_res) {
-        case EOK:
-            return PAM_SUCCESS;
-        case ENOENT:
-            return PAM_AUTHINFO_UNAVAIL;
-        case EINVAL:
-            return PAM_AUTH_ERR;
-        case EACCES:
-            return PAM_PERM_DENIED;
+    case EOK:
+        return PAM_SUCCESS;
+    case ERR_ACCOUNT_UNKNOWN:
+        return PAM_AUTHINFO_UNAVAIL;
+    case ERR_NO_CACHED_CREDS:
+    case ERR_CACHED_CREDS_EXPIRED:
+    case ERR_AUTH_DENIED:
+        return PAM_PERM_DENIED;
+    case ERR_AUTH_FAILED:
+        return PAM_AUTH_ERR;
+    default:
+        return PAM_SYSTEM_ERR;
     }
-
-    return PAM_SYSTEM_ERR;
 }
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 92dced3c..c196aae3 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -27,6 +27,11 @@ struct err_string {
 struct err_string error_to_str[] = {
     { "Invalid Error" },        /* ERR_INVALID */
     { "Internal Error" },       /* ERR_INTERNAL */
+    { "Account Unknown" },      /* ERR_ACCOUNT_UNKNOWN */
+    { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+    { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+    { "Authentication Denied" }, /* ERR_AUTH_DENIED */
+    { "Authentication Failed" }, /* ERR_AUTH_DENIED */
 };
 
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index eb0df77e..870d9d44 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -49,6 +49,11 @@ typedef int errno_t;
 enum sssd_errors {
     ERR_INVALID = ERR_BASE + 0,
     ERR_INTERNAL,
+    ERR_ACCOUNT_UNKNOWN,
+    ERR_NO_CACHED_CREDS,
+    ERR_CACHED_CREDS_EXPIRED,
+    ERR_AUTH_DENIED,
+    ERR_AUTH_FAILED,
     ERR_LAST            /* ALWAYS LAST */
 };
 
-- 
cgit