163 lines
7.1 KiB
Go
163 lines
7.1 KiB
Go
package freeipa
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
)
|
|
|
|
// Standard FreeIPA error codes.
|
|
const (
|
|
PublicErrorCode = 900
|
|
VersionErrorCode = 901
|
|
UnknownErrorCode = 902
|
|
InternalErrorCode = 903
|
|
ServerInternalErrorCode = 904
|
|
CommandErrorCode = 905
|
|
ServerCommandErrorCode = 906
|
|
NetworkErrorCode = 907
|
|
ServerNetworkErrorCode = 908
|
|
JSONErrorCode = 909
|
|
XMLRPCMarshallErrorCode = 910
|
|
RefererErrorCode = 911
|
|
EnvironmentErrorCode = 912
|
|
SystemEncodingErrorCode = 913
|
|
AuthenticationErrorCode = 1000
|
|
KerberosErrorCode = 1100
|
|
CCacheErrorCode = 1101
|
|
ServiceErrorCode = 1102
|
|
NoCCacheErrorCode = 1103
|
|
TicketExpiredCode = 1104
|
|
BadCCachePermsCode = 1105
|
|
BadCCacheFormatCode = 1106
|
|
CannotResolveKDCCode = 1107
|
|
SessionErrorCode = 1200
|
|
InvalidSessionPasswordCode = 1201
|
|
PasswordExpiredCode = 1202
|
|
KrbPrincipalExpiredCode = 1203
|
|
UserLockedCode = 1204
|
|
AuthorizationErrorCode = 2000
|
|
ACIErrorCode = 2100
|
|
InvocationErrorCode = 3000
|
|
EncodingErrorCode = 3001
|
|
BinaryEncodingErrorCode = 3002
|
|
ZeroArgumentErrorCode = 3003
|
|
MaxArgumentErrorCode = 3004
|
|
OptionErrorCode = 3005
|
|
OverlapErrorCode = 3006
|
|
RequirementErrorCode = 3007
|
|
ConversionErrorCode = 3008
|
|
ValidationErrorCode = 3009
|
|
NoSuchNamespaceErrorCode = 3010
|
|
PasswordMismatchCode = 3011
|
|
NotImplementedErrorCode = 3012
|
|
NotConfiguredErrorCode = 3013
|
|
PromptFailedCode = 3014
|
|
DeprecationErrorCode = 3015
|
|
NotAForestRootErrorCode = 3016
|
|
ExecutionErrorCode = 4000
|
|
NotFoundCode = 4001
|
|
DuplicateEntryCode = 4002
|
|
HostServiceCode = 4003
|
|
MalformedServicePrincipalCode = 4004
|
|
RealmMismatchCode = 4005
|
|
RequiresRootCode = 4006
|
|
AlreadyPosixGroupCode = 4007
|
|
MalformedUserPrincipalCode = 4008
|
|
AlreadyActiveCode = 4009
|
|
AlreadyInactiveCode = 4010
|
|
HasNSAccountLockCode = 4011
|
|
NotGroupMemberCode = 4012
|
|
RecursiveGroupCode = 4013
|
|
AlreadyGroupMemberCode = 4014
|
|
Base64DecodeErrorCode = 4015
|
|
RemoteRetrieveErrorCode = 4016
|
|
SameGroupErrorCode = 4017
|
|
DefaultGroupErrorCode = 4018
|
|
DNSNotARecordErrorCode = 4019
|
|
ManagedGroupErrorCode = 4020
|
|
ManagedPolicyErrorCode = 4021
|
|
FileErrorCode = 4022
|
|
NoCertificateErrorCode = 4023
|
|
ManagedGroupExistsErrorCode = 4024
|
|
ReverseMemberErrorCode = 4025
|
|
AttrValueNotFoundCode = 4026
|
|
SingleMatchExpectedCode = 4027
|
|
AlreadyExternalGroupCode = 4028
|
|
ExternalGroupViolationCode = 4029
|
|
PosixGroupViolationCode = 4030
|
|
EmptyResultCode = 4031
|
|
InvalidDomainLevelErrorCode = 4032
|
|
ServerRemovalErrorCode = 4033
|
|
OperationNotSupportedForPrincipalTypeCode = 4034
|
|
HTTPRequestErrorCode = 4035
|
|
RedundantMappingRuleCode = 4036
|
|
CSRTemplateErrorCode = 4037
|
|
AlreadyContainsValueErrorCode = 4038
|
|
BuiltinErrorCode = 4100
|
|
HelpErrorCode = 4101
|
|
LDAPErrorCode = 4200
|
|
MidairCollisionCode = 4201
|
|
EmptyModlistCode = 4202
|
|
DatabaseErrorCode = 4203
|
|
LimitsExceededCode = 4204
|
|
ObjectclassViolationCode = 4205
|
|
NotAllowedOnRDNCode = 4206
|
|
OnlyOneValueAllowedCode = 4207
|
|
InvalidSyntaxCode = 4208
|
|
BadSearchFilterCode = 4209
|
|
NotAllowedOnNonLeafCode = 4210
|
|
DatabaseTimeoutCode = 4211
|
|
DNSDataMismatchCode = 4212
|
|
TaskTimeoutCode = 4213
|
|
TimeLimitExceededCode = 4214
|
|
SizeLimitExceededCode = 4215
|
|
AdminLimitExceededCode = 4216
|
|
CertificateErrorCode = 4300
|
|
CertificateOperationErrorCode = 4301
|
|
CertificateFormatErrorCode = 4302
|
|
MutuallyExclusiveErrorCode = 4303
|
|
NonFatalErrorCode = 4304
|
|
AlreadyRegisteredErrorCode = 4305
|
|
NotRegisteredErrorCode = 4306
|
|
DependentEntryCode = 4307
|
|
LastMemberErrorCode = 4308
|
|
ProtectedEntryErrorCode = 4309
|
|
CertificateInvalidErrorCode = 4310
|
|
SchemaUpToDateCode = 4311
|
|
DNSErrorCode = 4400
|
|
DNSResolverErrorCode = 4401
|
|
TrustErrorCode = 4500
|
|
TrustTopologyConflictErrorCode = 4501
|
|
GenericErrorCode = 5000
|
|
)
|
|
|
|
// Authentication rejection reasons.
|
|
const (
|
|
passwordExpiredUnauthorizedReason = "password-expired"
|
|
invalidSessionPasswordUnauthorizedReason = "invalid-password"
|
|
krbPrincipalExpiredUnauthorizedReason = "krbprincipal-expired"
|
|
userLockedUnauthorizedReason = "user-locked"
|
|
rejectionReasonHTTPHeader = "X-Ipa-Rejection-Reason"
|
|
)
|
|
|
|
// unauthorizedHTTPError: Add information from the rejection reason header to unauthorized error.
|
|
func unauthorizedHTTPError(resp *http.Response) error {
|
|
var errorCode int
|
|
rejectionReason := resp.Header.Get(rejectionReasonHTTPHeader)
|
|
|
|
switch rejectionReason {
|
|
case passwordExpiredUnauthorizedReason:
|
|
errorCode = PasswordExpiredCode
|
|
case invalidSessionPasswordUnauthorizedReason:
|
|
errorCode = InvalidSessionPasswordCode
|
|
case krbPrincipalExpiredUnauthorizedReason:
|
|
errorCode = KrbPrincipalExpiredCode
|
|
case userLockedUnauthorizedReason:
|
|
errorCode = UserLockedCode
|
|
|
|
default:
|
|
errorCode = GenericErrorCode
|
|
}
|
|
return fmt.Errorf("unauthorized response <%s> (%d)", rejectionReason, errorCode)
|
|
}
|