[Spice-devel] [PATCH v2 spice-gtk 1/2] authentication: Handle failed SASL authentication separately

Snir Sheriber ssheribe at redhat.com
Tue Feb 21 15:28:00 UTC 2017 

Hi,


On 02/20/2017 07:00 PM, Christophe de Dinechin wrote:
>> On 19 Feb 2017, at 15:47, Snir Sheriber <ssheribe at redhat.com> wrote:
>>
>> Remove handling with failures in the SASL authentication
>> process to separate function
>> ---
>> src/spice-channel.c | 44 +++++++++++++++++++++++++++-----------------
>> 1 file changed, 27 insertions(+), 17 deletions(-)
>>
>> diff --git a/src/spice-channel.c b/src/spice-channel.c
>> index af67931..cbf1291 100644
>> --- a/src/spice-channel.c
>> +++ b/src/spice-channel.c
>> @@ -1113,28 +1113,38 @@ static int spice_channel_read(SpiceChannel *channel, void *data, size_t length)
>>      return length;
>> }
>>
>> +#if HAVE_SASL
>> /* coroutine context */
>> -static void spice_channel_failed_authentication(SpiceChannel *channel,
>> -                                                gboolean invalidPassword)
>> +static void spice_channel_failed_sasl_authentication(SpiceChannel *channel)
>> {
>>      SpiceChannelPrivate *c = channel->priv;
>> +    gint err_code; /* Affects the authentication window activated fileds */
>>
>>      if (c->auth_needs_username && c->auth_needs_password)
>> -        g_set_error_literal(&c->error,
>> -                            SPICE_CLIENT_ERROR,
>> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
>> -                            _("Authentication failed: password and username are required"));
>> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME;
>>      else if (c->auth_needs_username)
>> -        g_set_error_literal(&c->error,
>> -                            SPICE_CLIENT_ERROR,
>> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_USERNAME,
>> -                            _("Authentication failed: username is required"));
>> -    else if (c->auth_needs_password)
>> -        g_set_error_literal(&c->error,
>> -                            SPICE_CLIENT_ERROR,
>> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
>> -                            _("Authentication failed: password is required"));
>> -    else if (invalidPassword)
>> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_USERNAME;
>> +    else
>> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD;
>> +
>> +    g_set_error_literal(&c->error,
>> +                        SPICE_CLIENT_ERROR,
>> +                        err_code,
>> +                        _("SASL authentication failed"));
> Per the recent discussion (Feb 14 with Christophe F), can’t we map common SASL errors to Spice messages? To me, it’s different if the problem is that I used a wrong password or if the server is down. The message as is seems quite terse.
>
> Errors that seem be reportable (although not all of them seem relevant to Spice):
>
> SASL_BADAUTH	Authentication failure.
> SASL_NOAUTHZ	Authorization failure.
> SASL_EXPIRED	The passphrase expired and must be reset.
> SASL_DISABLED	Account disabled.
> SASL_NOUSER	User not found.
> SASL_BADVERS	Version mismatch with plug-in.
> SASL_NOVERIFY	The user exists, but there is no verifier for the user.
> SASL_WEAKPASS	The passphrase is too weak for security policy.
> SASL_NOUSERPASS	User supplied passwords are not permitted.
>
>
> Some that may need to be “translated” in Spicese if they ever get back to us:
>
> SASL_TOOWEAK	The mechanism is too weak for this user.
> SASL_ENCRYPT	Encryption is needed to use this mechanism.
> SASL_TRANS		One time use of a plaintext password will enable requested mechanism for user.
>
> Others should probably collected into a “default” in a switch statement, something like “Unexpected SASL error code <blah>”.
>
As link result/error? I guess it would be the best , but first it 
requires to inform the client in some other way that it can stop waiting 
for the sasl server start\step result (currently it just freeing the link)
btw according to sasl docs the full error string should be sent
>> +
>> +    c->event = SPICE_CHANNEL_ERROR_AUTH;
>> +
>> +    c->has_error = TRUE; /* force disconnect */
>> +}
>> +#endif
>> +
>> +/* coroutine context */
>> +static void spice_channel_failed_authentication(SpiceChannel *channel,
>> +                                                gboolean invalidPassword)
>> +{
>> +    SpiceChannelPrivate *c = channel->priv;
>> +
>> +    if (invalidPassword)
>>          g_set_error_literal(&c->error,
>>                              SPICE_CLIENT_ERROR,
>>                              SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
>> @@ -1808,7 +1818,7 @@ error:
>>      if (saslconn)
>>          sasl_dispose(&saslconn);
>>
>> -    spice_channel_failed_authentication(channel, FALSE);
>> +    spice_channel_failed_sasl_authentication(channel);
>>      ret = FALSE;
>>
>> cleanup:
>> -- 
>> 2.9.3
>>
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/spice-devel

More information about the Spice-devel mailing list