mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Harden transport in pam unixd (#3227)

Browse source 
In some cases if the transport drops out from underneath unixd,
it can be difficult to diagnose and leads to inconsistent errors
and output such as prompting for a password multiple times when
it can't succeed.

This makes it clearer that the transport had an error, and it
denies the inflight authsession to prevent spurious password
prompts.
This commit is contained in:
Firstyear 2024-11-21 17:43:14 +10:00 committed by GitHub
parent 7348c0348a
commit ce0ad8f854
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 12 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
unix_integration/resolver/src/idprovider/kanidm.rs
View file

@ -458,7 +458,7 @@ impl IdProvider for KanidmProvider {
Ok(AuthResult::Denied) Ok(AuthResult::Denied)
} }
Err(ClientError::Transport(err)) => { Err(ClientError::Transport(err)) => {
error!(?err); error!(?err, "A client transport error occured.");
Err(IdpError::Transport) Err(IdpError::Transport)
} }
Err(ClientError::Http(StatusCode::UNAUTHORIZED, reason, opid)) => { Err(ClientError::Http(StatusCode::UNAUTHORIZED, reason, opid)) => {

13
unix_integration/resolver/src/resolver.rs
View file

@ -1069,8 +1069,17 @@ impl Resolver {
Ok(PamAuthResponse::Denied) Ok(PamAuthResponse::Denied)
} }
Ok(AuthResult::Next(req)) => Ok(req.into()), Ok(AuthResult::Next(req)) => Ok(req.into()),
Err(IdpError::NotFound) => Ok(PamAuthResponse::Unknown), Err(IdpError::NotFound) => {
_ => Err(()), *auth_session = AuthSession::Denied;
Ok(PamAuthResponse::Unknown)
}
Err(err) => {
*auth_session = AuthSession::Denied;
error!(?err, "Unable to proceed, failing the session");
Err(())
}
} }
} }