
package freeipa
import (
"fmt"
"net/http"
)
// Error codes reported by the FreeIPA JSON-RPC API. The numeric values mirror
// the server's error classes, grouped by family below; they are kept as
// explicit numbers (not iota) so each line can be checked against the server
// definition on its own.

// Public errors: transport, framing and environment problems (9xx).
const (
	PublicErrorCode         = 900
	VersionErrorCode        = 901
	UnknownErrorCode        = 902
	InternalErrorCode       = 903
	ServerInternalErrorCode = 904
	CommandErrorCode        = 905
	ServerCommandErrorCode  = 906
	NetworkErrorCode        = 907
	ServerNetworkErrorCode  = 908
	JSONErrorCode           = 909
	XMLRPCMarshallErrorCode = 910
	RefererErrorCode        = 911
	EnvironmentErrorCode    = 912
	SystemEncodingErrorCode = 913
)

// Authentication errors (1xxx): Kerberos credential-cache problems and
// session/password rejections.
const (
	AuthenticationErrorCode = 1000

	KerberosErrorCode    = 1100
	CCacheErrorCode      = 1101
	ServiceErrorCode     = 1102
	NoCCacheErrorCode    = 1103
	TicketExpiredCode    = 1104
	BadCCachePermsCode   = 1105
	BadCCacheFormatCode  = 1106
	CannotResolveKDCCode = 1107

	SessionErrorCode           = 1200
	InvalidSessionPasswordCode = 1201
	PasswordExpiredCode        = 1202
	KrbPrincipalExpiredCode    = 1203
	UserLockedCode             = 1204
)

// Authorization errors (2xxx).
const (
	AuthorizationErrorCode = 2000
	ACIErrorCode           = 2100
)

// Invocation errors (3xxx): malformed or invalid command calls.
const (
	InvocationErrorCode      = 3000
	EncodingErrorCode        = 3001
	BinaryEncodingErrorCode  = 3002
	ZeroArgumentErrorCode    = 3003
	MaxArgumentErrorCode     = 3004
	OptionErrorCode          = 3005
	OverlapErrorCode         = 3006
	RequirementErrorCode     = 3007
	ConversionErrorCode      = 3008
	ValidationErrorCode      = 3009
	NoSuchNamespaceErrorCode = 3010
	PasswordMismatchCode     = 3011
	NotImplementedErrorCode  = 3012
	NotConfiguredErrorCode   = 3013
	PromptFailedCode         = 3014
	DeprecationErrorCode     = 3015
	NotAForestRootErrorCode  = 3016
)

// Execution errors (40xx): the command ran but failed.
const (
	ExecutionErrorCode                        = 4000
	NotFoundCode                              = 4001
	DuplicateEntryCode                        = 4002
	HostServiceCode                           = 4003
	MalformedServicePrincipalCode             = 4004
	RealmMismatchCode                         = 4005
	RequiresRootCode                          = 4006
	AlreadyPosixGroupCode                     = 4007
	MalformedUserPrincipalCode                = 4008
	AlreadyActiveCode                         = 4009
	AlreadyInactiveCode                       = 4010
	HasNSAccountLockCode                      = 4011
	NotGroupMemberCode                        = 4012
	RecursiveGroupCode                        = 4013
	AlreadyGroupMemberCode                    = 4014
	Base64DecodeErrorCode                     = 4015
	RemoteRetrieveErrorCode                   = 4016
	SameGroupErrorCode                        = 4017
	DefaultGroupErrorCode                     = 4018
	DNSNotARecordErrorCode                    = 4019
	ManagedGroupErrorCode                     = 4020
	ManagedPolicyErrorCode                    = 4021
	FileErrorCode                             = 4022
	NoCertificateErrorCode                    = 4023
	ManagedGroupExistsErrorCode               = 4024
	ReverseMemberErrorCode                    = 4025
	AttrValueNotFoundCode                     = 4026
	SingleMatchExpectedCode                   = 4027
	AlreadyExternalGroupCode                  = 4028
	ExternalGroupViolationCode                = 4029
	PosixGroupViolationCode                   = 4030
	EmptyResultCode                           = 4031
	InvalidDomainLevelErrorCode               = 4032
	ServerRemovalErrorCode                    = 4033
	OperationNotSupportedForPrincipalTypeCode = 4034
	HTTPRequestErrorCode                      = 4035
	RedundantMappingRuleCode                  = 4036
	CSRTemplateErrorCode                      = 4037
	AlreadyContainsValueErrorCode             = 4038
)

// Builtin-command errors (41xx).
const (
	BuiltinErrorCode = 4100
	HelpErrorCode    = 4101
)

// LDAP errors (42xx): backend directory failures and limits.
const (
	LDAPErrorCode            = 4200
	MidairCollisionCode      = 4201
	EmptyModlistCode         = 4202
	DatabaseErrorCode        = 4203
	LimitsExceededCode       = 4204
	ObjectclassViolationCode = 4205
	NotAllowedOnRDNCode      = 4206
	OnlyOneValueAllowedCode  = 4207
	InvalidSyntaxCode        = 4208
	BadSearchFilterCode      = 4209
	NotAllowedOnNonLeafCode  = 4210
	DatabaseTimeoutCode      = 4211
	DNSDataMismatchCode      = 4212
	TaskTimeoutCode          = 4213
	TimeLimitExceededCode    = 4214
	SizeLimitExceededCode    = 4215
	AdminLimitExceededCode   = 4216
)

// Certificate errors (43xx).
const (
	CertificateErrorCode          = 4300
	CertificateOperationErrorCode = 4301
	CertificateFormatErrorCode    = 4302
	MutuallyExclusiveErrorCode    = 4303
	NonFatalErrorCode             = 4304
	AlreadyRegisteredErrorCode    = 4305
	NotRegisteredErrorCode        = 4306
	DependentEntryCode            = 4307
	LastMemberErrorCode           = 4308
	ProtectedEntryErrorCode       = 4309
	CertificateInvalidErrorCode   = 4310
	SchemaUpToDateCode            = 4311
)

// DNS errors (44xx).
const (
	DNSErrorCode         = 4400
	DNSResolverErrorCode = 4401
)

// Trust errors (45xx).
const (
	TrustErrorCode                 = 4500
	TrustTopologyConflictErrorCode = 4501
)

// GenericErrorCode is the catch-all used when no more specific code applies.
const GenericErrorCode = 5000
// Values FreeIPA places in the X-Ipa-Rejection-Reason header of an
// unauthorized response to say why the login was refused.
const (
	invalidSessionPasswordUnauthorizedReason = "invalid-password"
	krbPrincipalExpiredUnauthorizedReason    = "krbprincipal-expired"
	passwordExpiredUnauthorizedReason        = "password-expired"
	userLockedUnauthorizedReason             = "user-locked"
)

// rejectionReasonHTTPHeader is the response header that carries the
// rejection reason.
const rejectionReasonHTTPHeader = "X-Ipa-Rejection-Reason"
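// unauthorizedHTTPError builds the error returned for an unauthorized
// response, attaching the reason the server gave for rejecting the login.
//
// The reason is read from the X-Ipa-Rejection-Reason response header and
// mapped onto the matching session error code (PasswordExpiredCode,
// InvalidSessionPasswordCode, KrbPrincipalExpiredCode or UserLockedCode).
// A missing or unrecognised reason maps to GenericErrorCode.
//
// The header value is data received from the network, so it is rendered with
// %q rather than %s: the quoted form escapes control characters (a hostile or
// misbehaving server cannot inject line breaks into whatever log the error
// ends up in) and makes an empty header visible as "". A nil resp yields the
// GenericErrorCode error instead of a nil-pointer panic.
func unauthorizedHTTPError(resp *http.Response) error {
	var rejectionReason string
	if resp != nil {
		// Header.Get is safe on a nil header map; only resp itself needs guarding.
		rejectionReason = resp.Header.Get(rejectionReasonHTTPHeader)
	}

	errorCode := GenericErrorCode
	switch rejectionReason {
	case passwordExpiredUnauthorizedReason:
		errorCode = PasswordExpiredCode
	case invalidSessionPasswordUnauthorizedReason:
		errorCode = InvalidSessionPasswordCode
	case krbPrincipalExpiredUnauthorizedReason:
		errorCode = KrbPrincipalExpiredCode
	case userLockedUnauthorizedReason:
		errorCode = UserLockedCode
	}

	return fmt.Errorf("unauthorized response %q (%d)", rejectionReason, errorCode)
}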