mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use specific errors for intent token revoked (#3291)

Browse source 
Rather than the generic 'invalid state' error, we now return
proper site-specific errors for credential commit failures, with
error messages to explain what went wrong.
This commit is contained in:
Firstyear 2024-12-16 10:28:00 +10:00 committed by William Brown
parent d4a373365e
commit ab8ef8d977
4 changed files with 22 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
proto/src/internal/error.rs
View file

@ -153,6 +153,15 @@ pub enum OperationError {
CU0001WebauthnAttestationNotTrusted, CU0001WebauthnAttestationNotTrusted,
CU0002WebauthnRegistrationError, CU0002WebauthnRegistrationError,
CU0003WebauthnUserNotVerified, CU0003WebauthnUserNotVerified,
// The session is inconsistent and can't be committed, but the errors
// can be resolved.
CU0004SessionInconsistent,
// Another session used this intent token, and so it can't be committed.
CU0005IntentTokenConflict,
// The intent token was invalidated before we could commit.
CU0006IntentTokenInvalidated,
// ValueSet errors // ValueSet errors
VS0001IncomingReplSshPublicKey, VS0001IncomingReplSshPublicKey,
VS0002CertificatePublicKeyDigest, VS0002CertificatePublicKeyDigest,
@ -271,7 +280,7 @@ impl Display for OperationError {
impl OperationError { impl OperationError {
/// Return the message associated with the error if there is one. /// Return the message associated with the error if there is one.
fn message(&self) -> Option<String> { pub fn message(&self) -> Option<String> {
match self { match self {
Self::SessionExpired => None, Self::SessionExpired => None,
Self::EmptyRequest => None, Self::EmptyRequest => None,
@ -340,6 +349,11 @@ impl OperationError {
Self::CU0001WebauthnAttestationNotTrusted => None, Self::CU0001WebauthnAttestationNotTrusted => None,
Self::CU0002WebauthnRegistrationError => None, Self::CU0002WebauthnRegistrationError => None,
Self::CU0003WebauthnUserNotVerified => Some("User Verification bit not set while registering credential, you may need to configure a PIN on this device.".into()), Self::CU0003WebauthnUserNotVerified => Some("User Verification bit not set while registering credential, you may need to configure a PIN on this device.".into()),
Self::CU0004SessionInconsistent => Some("The session is unable to be committed due to unresolved warnings.".into()),
Self::CU0005IntentTokenConflict => Some("The intent token used to create this session has been reused in another browser/tab and may not proceed.".into()),
Self::CU0006IntentTokenInvalidated => Some("The intent token has been invalidated/revoked before the commit could be accepted. Has it been used in another browser or tab?".into()),
Self::DB0001MismatchedRestoreVersion => None, Self::DB0001MismatchedRestoreVersion => None,
Self::DB0002MismatchedRestoreVersion => None, Self::DB0002MismatchedRestoreVersion => None,
Self::DB0003FilterResolveCacheBuild => None, Self::DB0003FilterResolveCacheBuild => None,

2
server/core/src/https/views/constants.rs
View file

@ -24,6 +24,7 @@ impl std::fmt::Display for UiMessage {
pub(crate) enum Urls { pub(crate) enum Urls {
Apps, Apps,
CredReset, CredReset,
CredResetError,
Profile, Profile,
UpdateCredentials, UpdateCredentials,
Oauth2Resume, Oauth2Resume,
@ -36,6 +37,7 @@ impl AsRef<str> for Urls {
match self { match self {
Self::Apps => "/ui/apps", Self::Apps => "/ui/apps",
Self::CredReset => "/ui/reset", Self::CredReset => "/ui/reset",
Self::CredResetError => "/ui/reset/err",
Self::Profile => "/ui/profile", Self::Profile => "/ui/profile",
Self::UpdateCredentials => "/ui/update_credentials", Self::UpdateCredentials => "/ui/update_credentials",
Self::Oauth2Resume => "/ui/oauth2/resume", Self::Oauth2Resume => "/ui/oauth2/resume",

3
server/core/templates/unrecoverable_error.html
View file

@ -9,8 +9,9 @@
<h2>Error</h2> <h2>Error</h2>
<main id="main"> <main id="main">
<p>An unrecoverable error occurred. Please contact your administrator with the details below.</p> <p>An unrecoverable error occurred. Please contact your administrator with the details below.</p>
<p>Error Code: (( err_code ))</p>
<p>Operation ID: (( operation_id ))</p> <p>Operation ID: (( operation_id ))</p>
<p>Error Code: (( err_code ))</p>
<a href=((Urls::Ui))>Return</a>
</main> </main>
(% endblock %) (% endblock %)

7
server/lib/src/idm/credupdatesession.rs
View file

@ -1311,8 +1311,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
"Session is unable to commit due to: {}", "Session is unable to commit due to: {}",
commit_failure_reasons commit_failure_reasons
); );
// TODO: perhaps it would be more helpful to add a new operation error that describes what the issue is return Err(OperationError::CU0004SessionInconsistent);
return Err(OperationError::InvalidState);
} }
// Setup mods for the various bits. We always assert an *exact* state. // Setup mods for the various bits. We always assert an *exact* state.
@ -1339,7 +1338,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
}) => { }) => {
if *session_id != session_token.sessionid { if *session_id != session_token.sessionid {
security_info!("Session originated from an intent token, but the intent token has initiated a conflicting second update session. Refusing to commit changes."); security_info!("Session originated from an intent token, but the intent token has initiated a conflicting second update session. Refusing to commit changes.");
return Err(OperationError::InvalidState); return Err(OperationError::CU0005IntentTokenConflict);
} else { } else {
*max_ttl *max_ttl
} }
@ -1351,7 +1350,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
}) })
| None => { | None => {
security_info!("Session originated from an intent token, but the intent token has transitioned to an invalid state. Refusing to commit changes."); security_info!("Session originated from an intent token, but the intent token has transitioned to an invalid state. Refusing to commit changes.");
return Err(OperationError::InvalidState); return Err(OperationError::CU0006IntentTokenInvalidated);
} }
}; };