Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2024-09-28 21:53:55 +02:00

error handling cleanup

0x0fbc 2024-06-07 14:43:33 -04:00 committet von Mathijs van Veluw
Ursprung 1132638452
Commit 52b0ef674a


@ -164,7 +164,7 @@ impl DuoClient {
&EncodingKey::from_secret(&self.client_secret.as_bytes()), &EncodingKey::from_secret(&self.client_secret.as_bytes()),
) { ) {
Ok(token) => Ok(token), Ok(token) => Ok(token),
Err(e) => err!(format!("{}", e)), Err(e) => err!(format!("Error encoding Duo JWT: {e:?}")),
} }
} }
@ -178,7 +178,7 @@ impl DuoClient {
let token = match self.encode_duo_jwt(jwt_payload) { let token = match self.encode_duo_jwt(jwt_payload) {
Ok(token) => token, Ok(token) => token,
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let mut post_body = HashMap::new(); let mut post_body = HashMap::new();
@ -193,12 +193,12 @@ impl DuoClient {
.await .await
{ {
Ok(r) => r, Ok(r) => r,
Err(e) => err!(format!("Error requesting Duo health check: {}", e)), Err(e) => err!(format!("Error requesting Duo health check: {e:?}")),
}; };
let response: HealthCheckResponse = match res.json::<HealthCheckResponse>().await { let response: HealthCheckResponse = match res.json::<HealthCheckResponse>().await {
Ok(r) => r, Ok(r) => r,
Err(e) => err!(format!("Duo health check response decode error: {}", e)), Err(e) => err!(format!("Duo health check response decode error: {e:?}")),
}; };
let health_stat: String = match response { let health_stat: String = match response {
@ -208,11 +208,11 @@ impl DuoClient {
HealthCheckResponse::HealthFail { HealthCheckResponse::HealthFail {
message, message,
message_detail, message_detail,
} => err!(format!("Duo health check FAIL response msg: {}, detail: {}", message, message_detail)), } => err!(format!("Duo health check FAIL response, msg: {}, detail: {}", message, message_detail)),
}; };
if health_stat != "OK" { if health_stat != "OK" {
err!("Duo health check returned OK-like body but did not contain an OK stat."); err!(format!("Duo health check failed, got OK-like body with stat {health_stat}"));
} }
Ok(()) Ok(())
@ -239,13 +239,13 @@ impl DuoClient {
let token = match self.encode_duo_jwt(jwt_payload) { let token = match self.encode_duo_jwt(jwt_payload) {
Ok(token) => token, Ok(token) => token,
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let authz_endpoint = format!(AUTHZ_ENDPOINT!(), self.api_host); let authz_endpoint = format!(AUTHZ_ENDPOINT!(), self.api_host);
let mut auth_url = match Url::parse(authz_endpoint.as_str()) { let mut auth_url = match Url::parse(authz_endpoint.as_str()) {
Ok(url) => url, Ok(url) => url,
Err(e) => err!(format!("{}", e)), Err(e) => err!(format!("Error parsing Duo authorization URL: {e:?}")),
}; };
{ {
@ -269,7 +269,7 @@ impl DuoClient {
nonce: &str, nonce: &str,
) -> Result<(), Error> { ) -> Result<(), Error> {
if duo_code.is_empty() { if duo_code.is_empty() {
err!("Invalid Duo Code") err!("Empty Duo authorization code")
} }
let token_url = format!(TOKEN_ENDPOINT!(), self.api_host); let token_url = format!(TOKEN_ENDPOINT!(), self.api_host);
@ -278,7 +278,7 @@ impl DuoClient {
let token = match self.encode_duo_jwt(jwt_payload) { let token = match self.encode_duo_jwt(jwt_payload) {
Ok(token) => token, Ok(token) => token,
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let mut post_body = HashMap::new(); let mut post_body = HashMap::new();
@ -297,7 +297,7 @@ impl DuoClient {
.await .await
{ {
Ok(r) => r, Ok(r) => r,
Err(e) => err!(format!("Error exchanging Duo code: {}", e)), Err(e) => err!(format!("Error exchanging Duo code: {e:?}")),
}; };
let status_code = res.status(); let status_code = res.status();
@ -307,7 +307,7 @@ impl DuoClient {
let response: IdTokenResponse = match res.json::<IdTokenResponse>().await { let response: IdTokenResponse = match res.json::<IdTokenResponse>().await {
Ok(r) => r, Ok(r) => r,
Err(e) => err!(format!("Error decoding ID token response: {}", e)), Err(e) => err!(format!("Error decoding ID token response: {e:?}")),
}; };
let mut validation = Validation::new(DUO_RESP_SIGNATURE_ALG); let mut validation = Validation::new(DUO_RESP_SIGNATURE_ALG);
@ -321,17 +321,14 @@ impl DuoClient {
&validation, &validation,
) { ) {
Ok(c) => c, Ok(c) => c,
Err(e) => err!(format!("Failed to decode Duo token {}", e)), Err(e) => err!(format!("Failed to decode Duo token {e:?}")),
}; };
let matching_nonces = crypto::ct_eq(&nonce, &token_data.claims.nonce); let matching_nonces = crypto::ct_eq(&nonce, &token_data.claims.nonce);
let matching_usernames = crypto::ct_eq(&duo_username, &token_data.claims.preferred_username); let matching_usernames = crypto::ct_eq(&duo_username, &token_data.claims.preferred_username);
if !(matching_nonces && matching_usernames) { if !(matching_nonces && matching_usernames) {
err!(format!( err!(format!("Error validating Duo authorization, Matching nonces? {matching_nonces}, Matching usernames? {matching_usernames}"))
"Error validating Duo user, expected {}, got {}",
duo_username, token_data.claims.preferred_username
))
}; };
Ok(()) Ok(())
@ -390,13 +387,13 @@ fn make_callback_url(client_name: &str) -> Result<String, Error> {
// Get the location of this application as defined in the config. // Get the location of this application as defined in the config.
let base = match Url::parse(CONFIG.domain().as_str()) { let base = match Url::parse(CONFIG.domain().as_str()) {
Ok(url) => url, Ok(url) => url,
Err(e) => err!(format!("{}", e)), Err(e) => err!(format!("Error parsing configured domain URL: {e:?} Check your domain configuration.")),
}; };
// Add the client redirect bridge location // Add the client redirect bridge location
let mut callback = match base.join(DUO_REDIRECT_LOCATION) { let mut callback = match base.join(DUO_REDIRECT_LOCATION) {
Ok(url) => url, Ok(url) => url,
Err(e) => err!(format!("{}", e)), Err(e) => err!(format!("Error constructing Duo redirect URL: {e:?} Check your domain configuration.")),
}; };
// Add the 'client' string. This is sent by clients in the 'Bitwarden-Client-Name' // Add the 'client' string. This is sent by clients in the 'Bitwarden-Client-Name'
@ -418,14 +415,14 @@ pub async fn get_duo_auth_url(email: &str,
let callback_url = match make_callback_url(client_id.as_str()) { let callback_url = match make_callback_url(client_id.as_str()) {
Ok(url) => url, Ok(url) => url,
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let client = DuoClient::new(ik, sk, host, callback_url); let client = DuoClient::new(ik, sk, host, callback_url);
match client.health_check().await { match client.health_check().await {
Ok(()) => {} Ok(()) => {}
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
// Generate random OAuth2 state and OIDC Nonce // Generate random OAuth2 state and OIDC Nonce
@ -439,7 +436,7 @@ pub async fn get_duo_auth_url(email: &str,
match TwoFactorDuoContext::save(state.as_str(), email, nonce.as_str(), CTX_VALIDITY_SECS, conn).await { match TwoFactorDuoContext::save(state.as_str(), email, nonce.as_str(), CTX_VALIDITY_SECS, conn).await {
Ok(()) => client.make_authz_req_url(email, state, hash), Ok(()) => client.make_authz_req_url(email, state, hash),
Err(e) => err!(format!("Error storing Duo authentication context: {}", e)) Err(e) => err!(format!("Error saving Duo authentication context: {e:?}"))
} }
} }
@ -501,14 +498,14 @@ pub async fn validate_duo_login(
let callback_url = match make_callback_url(client_id.as_str()) { let callback_url = match make_callback_url(client_id.as_str()) {
Ok(url) => url, Ok(url) => url,
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let client = DuoClient::new(ik, sk, host, callback_url); let client = DuoClient::new(ik, sk, host, callback_url);
match client.health_check().await { match client.health_check().await {
Ok(()) => {} Ok(()) => {}
Err(e) => err!(format!("{}", e)), Err(e) => return Err(e),
}; };
let d: Digest = digest(&SHA512_256, format!("{}{}", ctx.nonce, device_identifier).as_bytes()); let d: Digest = digest(&SHA512_256, format!("{}{}", ctx.nonce, device_identifier).as_bytes());
@ -525,4 +522,4 @@ pub async fn validate_duo_login(
) )
} }
} }
} }
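Review bot: Switching the interpolation from `{}` to `{e:?}` puts the Debug form of the HTTP, JSON-decode and JWT errors into the single string passed to `err!`, most sensitively in the token-exchange and token-validation arms (`Error exchanging Duo code: {e:?}`, `Failed to decode Duo token {e:?}`, and the new `Matching nonces? … Matching usernames? …` message). If the one-argument `err!` returns that string in the response as well as logging it (its definition is not on this page), a client that has not yet completed the second factor would see internal request details and which of the two checks failed. I would keep the response text generic and move the detail to the log side, e.g. `Err(e) => err!("Error exchanging Duo code", format!("{e:?}")),`, assuming the two-argument (user message, log value) form of `err!` is in scope in this file. The enclosing functions start and end outside these hunks, so this should be confirmed against the full bodies.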