From affbc42741bb82eab8ea7243e75586e0e88c6747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Tue, 24 Sep 2024 19:31:54 +0200 Subject: [PATCH] pam/nativemodel: Do not report the authentication denied PAM error twice In case that the authentication failed, the authentication model sends a pamError that includes the error message and that our pam module will eventually write. So, there's no need to handle the error again in the native module or we'd duplicate such error string --- .../golden/deny_authentication_if_max_attempts_reached | 4 ++-- .../golden/prevent_change_password_if_auth_fails | 4 ++-- pam/internal/adapter/nativemodel.go | 5 ++++- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/pam/integration-tests/testdata/TestNativeAuthenticate/golden/deny_authentication_if_max_attempts_reached b/pam/integration-tests/testdata/TestNativeAuthenticate/golden/deny_authentication_if_max_attempts_reached index d0ae85167..fdd794fff 100644 --- a/pam/integration-tests/testdata/TestNativeAuthenticate/golden/deny_authentication_if_max_attempts_reached +++ b/pam/integration-tests/testdata/TestNativeAuthenticate/golden/deny_authentication_if_max_attempts_reached @@ -283,7 +283,6 @@ invalid password 'wrongpass', should be 'goodpass' Insert 'r' to cancel the request and go back Gimme your password: invalid password 'wrongpass', should be 'goodpass' -invalid password 'wrongpass', should be 'goodpass' PAM Authenticate() for user "user-integration-max-attempts" exited with error (PAM exit code: 7) : Authentication failure acct=incomplete @@ -294,6 +293,7 @@ dispatch + ──────────────────────────────────────────────────────────────────────────────── > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true Username: user-integration-max-attempts 
@@ -316,7 +316,6 @@ invalid password 'wrongpass', should be 'goodpass' Insert 'r' to cancel the request and go back Gimme your password: invalid password 'wrongpass', should be 'goodpass' -invalid password 'wrongpass', should be 'goodpass' PAM Authenticate() for user "user-integration-max-attempts" exited with error (PAM exit code: 7) : Authentication failure acct=incomplete @@ -327,4 +326,5 @@ dispatch + ──────────────────────────────────────────────────────────────────────────────── diff --git a/pam/integration-tests/testdata/TestNativeChangeAuthTok/golden/prevent_change_password_if_auth_fails b/pam/integration-tests/testdata/TestNativeChangeAuthTok/golden/prevent_change_password_if_auth_fails index e51f7c0f3..700b0be83 100644 --- a/pam/integration-tests/testdata/TestNativeChangeAuthTok/golden/prevent_change_password_if_auth_fails +++ b/pam/integration-tests/testdata/TestNativeChangeAuthTok/golden/prevent_change_password_if_auth_fails @@ -283,7 +283,6 @@ invalid password 'wrongpass', should be 'goodpass' Insert 'r' to cancel the request and go back Gimme your password: invalid password 'wrongpass', should be 'goodpass' -invalid password 'wrongpass', should be 'goodpass' PAM ChangeAuthTok() for user "user-integration-max-attempts" exited with error (PAM exit code: 7 ): Authentication failure acct=incomplete @@ -294,6 +293,7 @@ dispatch + ──────────────────────────────────────────────────────────────────────────────── > ./pam_authd passwd socket=${AUTHD_TESTS_CLI_AUTHTOK_TESTS_SOCK} force_native_client=true Username: user-integration-max-attempts @@ -316,7 +316,6 @@ invalid password 'wrongpass', should be 'goodpass' Insert 'r' to cancel the request and go back Gimme your password: invalid password 'wrongpass', should be 'goodpass' -invalid password 'wrongpass', should be 'goodpass' PAM ChangeAuthTok() for user "user-integration-max-attempts" exited with error (PAM exit code: 7 ): Authentication failure acct=incomplete 
@@ -327,4 +326,5 @@ dispatch + ────────────────────────────────────────────────────────────────────────────────
diff --git a/pam/internal/adapter/nativemodel.go b/pam/internal/adapter/nativemodel.go
index 508ca73dd..a0565358c 100644
--- a/pam/internal/adapter/nativemodel.go
+++ b/pam/internal/adapter/nativemodel.go
@@ -272,8 +272,11 @@ func (m nativeModel) Update(msg tea.Msg) (nativeModel, tea.Cmd) {
 case brokers.AuthNext:
 m.uiLayout = nil
 return m, maybeSendPamError(m.sendInfo(authMsg))
- case brokers.AuthDenied, brokers.AuthRetry:
+ case brokers.AuthRetry:
 return m, maybeSendPamError(m.sendError(authMsg))
+ case brokers.AuthDenied:
+ // This is handled by the main authentication model
+ return m, nil
 case brokers.AuthCancelled:
 return m, sendEvent(isAuthenticatedCancelled{})
 default:
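Review bot: The comment on the new `case brokers.AuthDenied:` branch does not say which handler reports the denial, so the fail-closed behaviour of this path now rests on a hand-off a reader cannot trace from here. Per the commit description, the authentication model sends a `pamError` carrying the message and the PAM module writes it; I would spell that out, e.g. `// The authentication model already sends a pamError with the denial message; sending it here too would print it twice.` Since this branch now returns a nil command, it is worth confirming that a denial still ends the transaction with an authentication failure when the broker message is empty, as the golden files touched here only show a non-empty message. `Update`'s body starts and ends outside the hunk, so the other side of that hand-off is not visible.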