From c020f1b65789b9214ec1f7a77d94474ad303f74f Mon Sep 17 00:00:00 2001
From: Alan King
Date: Fri, 29 Sep 2023 11:32:45 -0400
Subject: [PATCH] [#7274] Fixes for native authentication configs
TTL needs to be converted to seconds before comparing against the min/max password time configurations. clientLogin needs to return a better error message when a failure occurs in rcGetLimitedPassword.
---
 lib/core/src/clientLogin.cpp | 3 ++-
 plugins/database/src/db_plugin.cpp | 12 +++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/lib/core/src/clientLogin.cpp b/lib/core/src/clientLogin.cpp
index 87c59e34c1..ad83a2930a 100644
--- a/lib/core/src/clientLogin.cpp
+++ b/lib/core/src/clientLogin.cpp
@@ -253,7 +253,8 @@ int clientLoginTTL( rcComm_t *Conn, int ttl ) {
 if ( int status = rcGetLimitedPassword( Conn, &getLimitedPasswordInp, &getLimitedPasswordOut ) ) {
- allocate_if_necessary_and_add_rError_msg(&Conn->rError, status, "rcGetLimitedPassword");
+ const auto msg = fmt::format("rcGetLimitedPassword failed with error [{}]", status);
+ allocate_if_necessary_and_add_rError_msg(&Conn->rError, status, msg.c_str());
 memset( userPassword, 0, sizeof( userPassword ) );
 return status;
 }
diff --git a/plugins/database/src/db_plugin.cpp b/plugins/database/src/db_plugin.cpp
index 6509ca12e4..fb6d49ec14 100644
--- a/plugins/database/src/db_plugin.cpp
+++ b/plugins/database/src/db_plugin.cpp
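Review bot: The new `fmt::format` call runs before `memset( userPassword, 0, sizeof( userPassword ) );`, so if formatting throws (allocation failure or a format error) this error path exits without wiping the password buffer. Moving the `memset` line above `const auto msg = fmt::format(...)` keeps the wipe unconditional on this path; a scope guard would cover the function's other exits as well. Separately, `userPassword` is not read after the memset, so an optimizer is free to drop that store — a secure-zeroing helper such as `explicit_bzero` is more reliable here, though that is pre-existing rather than introduced by this commit. clientLoginTTL's body starts and continues outside the hunk.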
@@ -7100,15 +7100,17 @@ irods::error db_make_limited_pw_op(
 return err;
 }
- if (_ttl < ac.password_min_time || _ttl > ac.password_max_time) {
- log_db::error(
- "Invalid TTL - min time: [{}] max time:[{}] ttl: [{}]", ac.password_min_time, ac.password_max_time, _ttl);
+ // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
+ int timeToLive = _ttl * 3600; /* convert input hours to seconds */
+ if (timeToLive < ac.password_min_time || timeToLive > ac.password_max_time) {
+ log_db::error("Invalid TTL - min time: [{}] max time:[{}] ttl: [{}]",
+ ac.password_min_time,
+ ac.password_max_time,
+ timeToLive);
 return ERROR( PAM_AUTH_PASSWORD_INVALID_TTL, "invalid ttl" );
 }
 /* Insert the limited password */
- // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
- int timeToLive = _ttl * 3600; /* convert input hours to seconds */
 snprintf( expTime, sizeof expTime, "%d", timeToLive );
 cllBindVars[cllBindVarCount++] = _ctx.comm()->clientUser.userName;
 // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-constant-array-index)
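Review bot: `int timeToLive = _ttl * 3600;` overflows `int` for a large `_ttl` (presumably client-supplied via the TTL login path), which is undefined behaviour and in practice wraps, so a wrapped value can land inside the `[password_min_time, password_max_time]` window, pass the new range check, and be written as the expiry by the later `snprintf`. Reject out-of-range hours before multiplying, e.g. `if (_ttl < 0 || _ttl > std::numeric_limits<int>::max() / 3600) { return ERROR( PAM_AUTH_PASSWORD_INVALID_TTL, "invalid ttl" ); }` (needs `<limits>`), or perform the multiplication in a 64-bit type and compare that. The types of `ac.password_min_time` and `ac.password_max_time` are not visible in the hunk; if they are wider than `int`, widening `timeToLive` also removes the mixed-width comparison. db_make_limited_pw_op begins before the hunk.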