Merge branch 'pam-specific-error'

7b36fe48 · Nik | Klampfradler · b262c52e · 112831c3 · 7b36fe48 · 7b36fe48
Verified Commit 7b36fe48 authored 3 years ago by Nik | Klampfradler
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,6 +15,7 @@ crate-type = [ "cdylib" ]
 [dependencies]
 pamsm = { version = "^0.4.2", features = ["libpam"] }
 oauth2 = "^4.0.0"
+reqwest = "^0.11.3"
 config = "^0.11.0"
 log = "^0.4.11"
 syslog = "^5.0.0"

--- a/src/pam.rs
+++ b/src/pam.rs
@@ -25,6 +25,7 @@ use oauth2::{
    AuthUrl,
    ClientId,
    ClientSecret,
+    RequestTokenError,
    ResourceOwnerPassword,
    ResourceOwnerUsername,
    Scope,
@@ -34,6 +35,7 @@ use oauth2::basic::{
    BasicClient,
    BasicTokenResponse
 };
+use oauth2::reqwest;
 use oauth2::reqwest::http_client;

 use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt};
@@ -71,17 +73,51 @@ fn do_legacy_auth(username: String, password: String, config: Config) -> Result<
    let scope = get_or_pam_error(&config, "pam.scope")?;

    let client = BasicClient::new(client_id, Some(client_secret), auth_url, Some(token_url));
-    match client
+    let result = client
        .exchange_password(
            &ResourceOwnerUsername::new(username),
            &ResourceOwnerPassword::new(password)
        )
        .add_scope(Scope::new(scope.to_string()))
-        .request(http_client) {
+        .request(http_client);
+    match result {
            Ok(t) => Ok(t),
-            Err(e) => {
-                error!("Error requesting grant: {}", e);
-                return Err(PamError::AUTHINFO_UNAVAIL);
+            Err(e) => match e {
+                RequestTokenError::Request(re) => match re {
+                    reqwest::Error::Reqwest(ree) => {
+                        if ree.is_status() {
+                            error!("Authentication failed for invalid grant: {}", ree);
+                            return Err(PamError::AUTH_ERR);
+                        } else {
+                            error!("Request error requesting token: {}", ree);
+                            return Err(PamError::AUTHINFO_UNAVAIL);
+                        }
+                    },
+                    reqwest::Error::Http(he) => {
+                        error!("HTTP error requesting token: {}", he);
+                        return Err(PamError::AUTHINFO_UNAVAIL);
+                    },
+                    reqwest::Error::Io(ioe) => {
+                        error!("IO error requesting token: {}", ioe);
+                        return Err(PamError::SYSTEM_ERR);
+                    },
+                    _ => {
+                        error!("Unknown error: {}", re);
+                        return Err(PamError::SERVICE_ERR);
+                    },
+                },
+                RequestTokenError::ServerResponse(t) => {
+                    error!("Authorization server returned error: {}", t);
+                    return Err(PamError::AUTH_ERR);
+                },
+                RequestTokenError::Parse(pe, _) => {
+                    error!("Error parsing response: {}", pe);
+                    return Err(PamError::SERVICE_ERR);
+                },
+                _ => {
+                    error!("Unknown error: {}", e);
+                    return Err(PamError::SERVICE_ERR);
+                },
            },
        }
 }