changing errors to errors (#599)

James Hodgkinson 2021-10-17 21:28:04 +10:00 committed by GitHub
parent b0542c7e54
commit a993eb9cf3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 20 deletions


@ -176,7 +176,7 @@ impl CredHandler {
CredState::Success(AuthType::Anonymous) CredState::Success(AuthType::Anonymous)
} }
_ => { _ => {
security_info!( security_error!(
"Handler::Anonymous -> Result::Denied - invalid cred type for handler" "Handler::Anonymous -> Result::Denied - invalid cred type for handler"
); );
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
@ -198,7 +198,7 @@ impl CredHandler {
if pw.verify(cleartext.as_str()).unwrap_or(false) { if pw.verify(cleartext.as_str()).unwrap_or(false) {
match pw_badlist_set { match pw_badlist_set {
Some(p) if p.contains(&cleartext.to_lowercase()) => { Some(p) if p.contains(&cleartext.to_lowercase()) => {
security_info!("Handler::Password -> Result::Denied - Password found in badlist during login"); security_error!("Handler::Password -> Result::Denied - Password found in badlist during login");
CredState::Denied(PW_BADLIST_MSG) CredState::Denied(PW_BADLIST_MSG)
} }
_ => { _ => {
@ -212,13 +212,13 @@ impl CredHandler {
} }
} }
} else { } else {
security_info!("Handler::Password -> Result::Denied - incorrect password"); security_error!("Handler::Password -> Result::Denied - incorrect password");
CredState::Denied(BAD_PASSWORD_MSG) CredState::Denied(BAD_PASSWORD_MSG)
} }
} }
// All other cases fail. // All other cases fail.
_ => { _ => {
security_info!( security_error!(
"Handler::Password -> Result::Denied - invalid cred type for handler" "Handler::Password -> Result::Denied - invalid cred type for handler"
); );
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
@ -272,7 +272,7 @@ impl CredHandler {
Err(e) => { Err(e) => {
pw_mfa.mfa_state = CredVerifyState::Fail; pw_mfa.mfa_state = CredVerifyState::Fail;
// Denied. // Denied.
security_info!( security_error!(
?e, ?e,
"Handler::Webauthn -> Result::Denied - webauthn error" "Handler::Webauthn -> Result::Denied - webauthn error"
); );
@ -289,7 +289,7 @@ impl CredHandler {
CredState::Continue(vec![AuthAllowed::Password]) CredState::Continue(vec![AuthAllowed::Password])
} else { } else {
pw_mfa.mfa_state = CredVerifyState::Fail; pw_mfa.mfa_state = CredVerifyState::Fail;
security_info!( security_error!(
"Handler::PasswordMfa -> Result::Denied - TOTP Fail, password -" "Handler::PasswordMfa -> Result::Denied - TOTP Fail, password -"
); );
CredState::Denied(BAD_TOTP_MSG) CredState::Denied(BAD_TOTP_MSG)
@ -312,12 +312,12 @@ impl CredHandler {
CredState::Continue(vec![AuthAllowed::Password]) CredState::Continue(vec![AuthAllowed::Password])
} else { } else {
pw_mfa.mfa_state = CredVerifyState::Fail; pw_mfa.mfa_state = CredVerifyState::Fail;
security_info!("Handler::PasswordMfa -> Result::Denied - BackupCode Fail, password -"); security_error!("Handler::PasswordMfa -> Result::Denied - BackupCode Fail, password -");
CredState::Denied(BAD_BACKUPCODE_MSG) CredState::Denied(BAD_BACKUPCODE_MSG)
} }
} }
_ => { _ => {
security_info!("Handler::PasswordMfa -> Result::Denied - invalid cred type for handler"); security_error!("Handler::PasswordMfa -> Result::Denied - invalid cred type for handler");
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
} }
} }
@ -330,7 +330,7 @@ impl CredHandler {
match pw_badlist_set { match pw_badlist_set {
Some(p) if p.contains(&cleartext.to_lowercase()) => { Some(p) if p.contains(&cleartext.to_lowercase()) => {
pw_mfa.pw_state = CredVerifyState::Fail; pw_mfa.pw_state = CredVerifyState::Fail;
security_info!("Handler::PasswordMfa -> Result::Denied - Password found in badlist during login"); security_error!("Handler::PasswordMfa -> Result::Denied - Password found in badlist during login");
CredState::Denied(PW_BADLIST_MSG) CredState::Denied(PW_BADLIST_MSG)
} }
_ => { _ => {
@ -347,19 +347,19 @@ impl CredHandler {
} }
} else { } else {
pw_mfa.pw_state = CredVerifyState::Fail; pw_mfa.pw_state = CredVerifyState::Fail;
security_info!("Handler::PasswordMfa -> Result::Denied - TOTP/WebAuthn/BackupCode OK, password Fail"); security_error!("Handler::PasswordMfa -> Result::Denied - TOTP/WebAuthn/BackupCode OK, password Fail");
CredState::Denied(BAD_PASSWORD_MSG) CredState::Denied(BAD_PASSWORD_MSG)
} }
} }
_ => { _ => {
security_info!("Handler::PasswordMfa -> Result::Denied - invalid cred type for handler"); security_error!("Handler::PasswordMfa -> Result::Denied - invalid cred type for handler");
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
} }
} }
} }
_ => { _ => {
security_info!( security_error!(
"Handler::PasswordMfa -> Result::Denied - invalid credential mfa and pw state" "Handler::PasswordMfa -> Result::lenied - invalid credential mfa and pw state"
); );
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
} }
@ -375,7 +375,7 @@ impl CredHandler {
async_tx: &Sender<DelayedAction>, async_tx: &Sender<DelayedAction>,
) -> CredState { ) -> CredState {
if wan_cred.state != CredVerifyState::Init { if wan_cred.state != CredVerifyState::Init {
security_info!("Handler::Webauthn -> Result::Denied - Internal State Already Fail"); security_error!("Handler::Webauthn -> Result::Denied - Internal State Already Fail");
return CredState::Denied(BAD_WEBAUTHN_MSG); return CredState::Denied(BAD_WEBAUTHN_MSG);
} }
@ -404,13 +404,13 @@ impl CredHandler {
Err(e) => { Err(e) => {
wan_cred.state = CredVerifyState::Fail; wan_cred.state = CredVerifyState::Fail;
// Denied. // Denied.
security_info!(?e, "Handler::Webauthn -> Result::Denied - webauthn error"); security_error!(?e, "Handler::Webauthn -> Result::Denied - webauthn error");
CredState::Denied(BAD_WEBAUTHN_MSG) CredState::Denied(BAD_WEBAUTHN_MSG)
} }
} }
} }
_ => { _ => {
security_info!( security_error!(
"Handler::Webauthn -> Result::Denied - invalid cred type for handler" "Handler::Webauthn -> Result::Denied - invalid cred type for handler"
); );
CredState::Denied(BAD_AUTH_TYPE_MSG) CredState::Denied(BAD_AUTH_TYPE_MSG)
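Review bot: The new message in the final `_ =>` arm of the PasswordMfa handler reads `Result::lenied`, where the line it replaces and every other denial in this file read `Result::Denied`; it should be `"Handler::PasswordMfa -> Result::Denied - invalid credential mfa and pw state"`. Log searches and alert rules that match on `Result::Denied` would miss this one denial path. Separately, an incorrect password now logs at ERROR, so any unauthenticated client can generate error-level events; alerting on these is better keyed on rate per source than on individual events. The enclosing functions start and end outside these hunks.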


@ -86,7 +86,7 @@ pub mod prelude {
pub use crate::{ pub use crate::{
admin_error, admin_info, admin_warn, filter_error, filter_info, filter_trace, filter_warn, admin_error, admin_info, admin_warn, filter_error, filter_info, filter_trace, filter_warn,
perf_trace, request_error, request_info, request_trace, request_warn, security_access, perf_trace, request_error, request_info, request_trace, request_warn, security_access,
security_critical, security_info, spanned, security_critical, security_error, security_info, spanned,
}; };
} }


@ -13,6 +13,7 @@ pub enum EventTag {
SecurityCritical, SecurityCritical,
SecurityInfo, SecurityInfo,
SecurityAccess, SecurityAccess,
SecurityError,
FilterError, FilterError,
FilterWarn, FilterWarn,
FilterInfo, FilterInfo,
@ -33,6 +34,7 @@ impl EventTag {
EventTag::SecurityCritical => "security.critical", EventTag::SecurityCritical => "security.critical",
EventTag::SecurityInfo => "security.info", EventTag::SecurityInfo => "security.info",
EventTag::SecurityAccess => "security.access", EventTag::SecurityAccess => "security.access",
EventTag::SecurityError => "security.error",
EventTag::FilterError => "filter.error", EventTag::FilterError => "filter.error",
EventTag::FilterWarn => "filter.warn", EventTag::FilterWarn => "filter.warn",
EventTag::FilterInfo => "filter.info", EventTag::FilterInfo => "filter.info",
@ -44,9 +46,9 @@ impl EventTag {
pub fn emoji(self) -> &'static str { pub fn emoji(self) -> &'static str {
use EventTag::*; use EventTag::*;
match self { match self {
AdminError | RequestError | FilterError => "🚨", AdminError | FilterError | RequestError | SecurityError => "🚨",
AdminWarn | RequestWarn | FilterWarn => "🚧", AdminWarn | FilterWarn | RequestWarn => "🚧",
AdminInfo | RequestInfo | SecurityInfo | FilterInfo => "💬", AdminInfo | FilterInfo | RequestInfo | SecurityInfo => "💬",
RequestTrace | FilterTrace | PerfTrace => "📍", RequestTrace | FilterTrace | PerfTrace => "📍",
SecurityCritical => "🔐", SecurityCritical => "🔐",
SecurityAccess => "🔓", SecurityAccess => "🔓",


@ -65,6 +65,11 @@ macro_rules! security_critical {
($($arg:tt)*) => { crate::tagged_event!(INFO, crate::tracing_tree::EventTag::SecurityCritical, $($arg)*) } ($($arg:tt)*) => { crate::tagged_event!(INFO, crate::tracing_tree::EventTag::SecurityCritical, $($arg)*) }
} }
#[macro_export]
macro_rules! security_error {
($($arg:tt)*) => { crate::tagged_event!(ERROR, crate::tracing_tree::EventTag::SecurityError, $($arg)*) }
}
#[macro_export] #[macro_export]
macro_rules! security_info { macro_rules! security_info {
($($arg:tt)*) => { crate::tagged_event!(INFO, crate::tracing_tree::EventTag::SecurityInfo, $($arg)*) } ($($arg:tt)*) => { crate::tagged_event!(INFO, crate::tracing_tree::EventTag::SecurityInfo, $($arg)*) }
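Review bot: `security_error!` emits at `ERROR` while `security_critical!`, directly above it, still emits at `INFO`, so a subscriber filtering at ERROR will show denied logins but drop the events tagged `security.critical`. If that ordering is intended, a doc comment on the new macro should say so, for example `/// Denied or failed security decision (rejected credential, wrong cred type); logged at ERROR.`. Otherwise consider raising the level of `security_critical!` so that severity and tag agree. The macro is also added without any comment on when to prefer it over `security_info!`.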