crates/nonstick: src/constants.rs comparison

comparison src/constants.rs @ 166:2f5913131295

Separate flag/action flags into flags and action. This also individualizes the type of flag for each PAM function, so that you can only call a function with the right flags and values.

author	Paul Fisher <paul@pfish.zone>
date	Tue, 15 Jul 2025 00:32:24 -0400
parents	4b3a5095f68c
children	f052e2417195

comparison

equal deleted inserted replaced

-:c4b1e280463c
+:2f5913131295
 //! Constants and enum values from the PAM library.
 use crate::_doc::{linklist, man7, manbsd, xsso};
 use bitflags::bitflags;
+use libpam_sys_consts::constants;
 use num_enum::{IntoPrimitive, TryFromPrimitive};
 use std::error::Error;
 use std::ffi::c_int;
 use std::fmt;
 use std::fmt::{Display, Formatter};
 use std::result::Result as StdResult;
-/// Values for constants not provided by certain PAM implementations.
+/// Creates a bitflags! macro, with an extra SILENT element.
-///
+macro_rules! pam_flags {
-/// **The values of these constants are deliberately selected _not_ to match
+(
-/// any PAM implementations. Applications should always use the symbolic value
+$(#[$m:meta])*
-/// and not a magic number.**
+$name:ident {
-mod pam_constants {
+$($inner:tt)*
-pub use libpam_sys_consts::constants::*;
+}
+) => {
-macro_rules! define {
+bitflags! {
-($(#[$attr:meta])* $($name:ident = $value:expr;)+) => {
+$(#[$m])*
-define!(
+#[derive(Clone, Copy, Debug, Default, PartialEq)]
-@meta { $(#[$attr])* }
+#[repr(transparent)]
-$(pub const $name: i32 = $value;)+
+pub struct $name: c_int {
-);
+/// The module should not generate any messages.
-};
+const SILENT = constants::PAM_SILENT;
-(@meta $m:tt $($i:item)+) => { define!(@expand $($m $i)+); };
+$($inner)*
-(@expand $({ $(#[$m:meta])* } $i:item)+) => {$($(#[$m])* $i)+};
+}
 }
+}
-define!(
+}
-/// A fictitious constant for testing purposes.
-#[cfg(not(pam_impl = "OpenPam"))]
+pam_flags! {
-PAM_BAD_CONSTANT = 513;
+/// Flags for authentication and account management.
-PAM_BAD_FEATURE = 514;
+AuthnFlags {
-);
+/// The module should return [AuthError](ErrorCode::AuthError)
+/// if the user has an empty authentication token, rather than
-define!(
+/// allowing them to log in.
-/// A fictitious constant for testing purposes.
+const DISALLOW_NULL_AUTHTOK = constants::PAM_DISALLOW_NULL_AUTHTOK;
-#[cfg(not(any(pam_impl = "LinuxPam", pam_impl = "OpenPam")))]
+}
-PAM_BAD_ITEM = 515;
+}
-PAM_MODULE_UNKNOWN = 516;
-);
+pam_flags! {
+/// Flags for changing the authentication token.
-define!(
+AuthtokFlags {
-/// A fictitious constant for testing purposes.
+/// Indicates that the user's authentication token should
-#[cfg(not(pam_impl = "LinuxPam"))]
+/// only be changed if it is expired. If not passed,
-PAM_CONV_AGAIN = 517;
+/// the authentication token should be changed unconditionally.
-PAM_INCOMPLETE = 518;
+const CHANGE_EXPIRED_AUTHTOK = constants::PAM_CHANGE_EXPIRED_AUTHTOK;
-);
-}
+/// Don't check if the password is any good (Sun only).
+#[cfg(pam_impl = "Sun")]
-bitflags! {
+const NO_AUTHTOK_CHECK = constants::PAM_NO_AUTHTOK_CHECK;
-/// The available PAM flags.
+}
-///
+}
-/// See `/usr/include/security/_pam_types.h` and
-/// See `/usr/include/security/pam_modules.h` for more details.
+pam_flags! {
-#[derive(Debug, Default, PartialEq)]
+/// Common flag(s) shared by all PAM actions.
-#[repr(transparent)]
+BaseFlags {}
-pub struct Flags: c_int {
+}
-/// The module should not generate any messages.
-const SILENT = pam_constants::PAM_SILENT;
+#[cfg(feature = "openpam-ext")]
+const BAD_CONST: ErrorCode = ErrorCode::BadConstant;
-/// The module should return [ErrorCode::AuthError]
+#[cfg(not(feature = "openpam-ext"))]
-/// if the user has an empty authentication token
+const BAD_CONST: ErrorCode = ErrorCode::SystemError;
-/// rather than immediately accepting them.
-const DISALLOW_NULL_AUTHTOK = pam_constants::PAM_DISALLOW_NULL_AUTHTOK;
+macro_rules! flag_enum {
+(
-// Flag used for `set_credentials`.
+$(#[$m:meta])*
+$name:ident {
-/// Set user credentials for an authentication service.
+$(
-const ESTABLISH_CREDENTIALS = pam_constants::PAM_ESTABLISH_CRED;
+$(#[$item_m:meta])*
-/// Delete user credentials associated with
+$item_name:ident = $item_value:expr,
-/// an authentication service.
+)*
-const DELETE_CREDENTIALS = pam_constants::PAM_DELETE_CRED;
+}
-/// Reinitialize user credentials.
+) => {
-const REINITIALIZE_CREDENTIALS = pam_constants::PAM_REINITIALIZE_CRED;
+$(#[$m])*
-/// Extend the lifetime of user credentials.
+#[derive(Clone, Copy, Debug, PartialEq, TryFromPrimitive, IntoPrimitive)]
-const REFRESH_CREDENTIALS = pam_constants::PAM_REFRESH_CRED;
+#[repr(i32)]
+pub enum $name {
-// Flags used for password changing.
+$(
+$(#[$item_m])*
-/// The password service should only update those passwords
+$item_name = $item_value,
-/// that have aged. If this flag is _not_ passed,
+)*
-/// the password service should update all passwords.
+}
-///
-/// This flag is only used by `change_authtok`.
+impl $name {
-const CHANGE_EXPIRED_AUTHTOK = pam_constants::PAM_CHANGE_EXPIRED_AUTHTOK;
+const ALL_VALUES: i32 = 0 $( | $item_value)*;
-/// This is a preliminary check for password changing.
-/// The password should not be changed.
+fn split(value: i32) -> Result<(Option<Self>, i32)> {
-///
+let me = value & Self::ALL_VALUES;
-/// This is only used between PAM and a module.
+let them = value & !Self::ALL_VALUES;
-/// Applications may not use this flag.
+let me = match me {
-///
+0 => None,
-/// This flag is only used by `change_authtok`.
+n => Some(Self::try_from(n).map_err(|_| BAD_CONST)?),
-const PRELIMINARY_CHECK = pam_constants::PAM_PRELIM_CHECK;
+};
-/// The password should actuallyPR be updated.
+Ok((me, them))
-/// This and [Self::PRELIMINARY_CHECK] are mutually exclusive.
+}
-///
+}
-/// This is only used between PAM and a module.
+}
-/// Applications may not use this flag.
+}
-///
-/// This flag is only used by `change_authtok`.
+flag_enum! {
-const UPDATE_AUTHTOK = pam_constants::PAM_UPDATE_AUTHTOK;
+/// The credential management action that should take place.
+CredAction {
+/// Set the user's credentials from this module. Default if unspecified.
+Establish = constants::PAM_ESTABLISH_CRED,
+/// Revoke the user's credentials established by this module.
+Delete = constants::PAM_DELETE_CRED,
+/// Fully reinitialize the user's credentials from this module.
+Reinitialize = constants::PAM_REINITIALIZE_CRED,
+/// Extend the lifetime of the user's credentials from this module.
+Refresh = constants::PAM_REFRESH_CRED,
+}
+}
+impl CredAction {
+/// Separates this enum from the remaining [`BaseFlags`].
+pub fn extract(value: i32) -> Result<(Self, BaseFlags)> {
+Self::split(value)
+.map(|(act, rest)| (act.unwrap_or_default(), BaseFlags::from_bits_retain(rest)))
+}
+}
+impl Default for CredAction {
+fn default() -> Self {
+Self::Establish
+}
+}
+flag_enum! {
+AuthtokAction {
+/// This is a preliminary call to check if we're ready to change passwords
+/// and that the new password is acceptable.
+PreliminaryCheck = constants::PAM_PRELIM_CHECK,
+/// You should actually update the password.
+Update = constants::PAM_UPDATE_AUTHTOK,
+}
+}
+impl AuthtokAction {
+/// Separates this enum from the remaining [`AuthtokFlags`].
+pub fn extract(value: i32) -> Result<(Self, AuthtokFlags)> {
+match Self::split(value)? {
+(Some(act), rest) => Ok((act, AuthtokFlags::from_bits_retain(rest))),
+(None, _) => Err(BAD_CONST),
+}
 }
 }
 /// The PAM error return codes.
 ///
 #[allow(non_camel_case_types, dead_code)]
 #[derive(Copy, Clone, Debug, PartialEq, TryFromPrimitive, IntoPrimitive)]
 #[non_exhaustive] // C might give us anything!
 #[repr(i32)]
 pub enum ErrorCode {
-OpenError = pam_constants::PAM_OPEN_ERR,
+OpenError = constants::PAM_OPEN_ERR,
-SymbolError = pam_constants::PAM_SYMBOL_ERR,
+SymbolError = constants::PAM_SYMBOL_ERR,
-ServiceError = pam_constants::PAM_SERVICE_ERR,
+ServiceError = constants::PAM_SERVICE_ERR,
-SystemError = pam_constants::PAM_SYSTEM_ERR,
+SystemError = constants::PAM_SYSTEM_ERR,
-BufferError = pam_constants::PAM_BUF_ERR,
+BufferError = constants::PAM_BUF_ERR,
-PermissionDenied = pam_constants::PAM_PERM_DENIED,
+PermissionDenied = constants::PAM_PERM_DENIED,
-AuthenticationError = pam_constants::PAM_AUTH_ERR,
+AuthenticationError = constants::PAM_AUTH_ERR,
-CredentialsInsufficient = pam_constants::PAM_CRED_INSUFFICIENT,
+CredentialsInsufficient = constants::PAM_CRED_INSUFFICIENT,
-AuthInfoUnavailable = pam_constants::PAM_AUTHINFO_UNAVAIL,
+AuthInfoUnavailable = constants::PAM_AUTHINFO_UNAVAIL,
-UserUnknown = pam_constants::PAM_USER_UNKNOWN,
+UserUnknown = constants::PAM_USER_UNKNOWN,
-MaxTries = pam_constants::PAM_MAXTRIES,
+MaxTries = constants::PAM_MAXTRIES,
-NewAuthTokRequired = pam_constants::PAM_NEW_AUTHTOK_REQD,
+NewAuthTokRequired = constants::PAM_NEW_AUTHTOK_REQD,
-AccountExpired = pam_constants::PAM_ACCT_EXPIRED,
+AccountExpired = constants::PAM_ACCT_EXPIRED,
-SessionError = pam_constants::PAM_SESSION_ERR,
+SessionError = constants::PAM_SESSION_ERR,
-CredentialsUnavailable = pam_constants::PAM_CRED_UNAVAIL,
+CredentialsUnavailable = constants::PAM_CRED_UNAVAIL,
-CredentialsExpired = pam_constants::PAM_CRED_EXPIRED,
+CredentialsExpired = constants::PAM_CRED_EXPIRED,
-CredentialsError = pam_constants::PAM_CRED_ERR,
+CredentialsError = constants::PAM_CRED_ERR,
-NoModuleData = pam_constants::PAM_NO_MODULE_DATA,
+NoModuleData = constants::PAM_NO_MODULE_DATA,
-ConversationError = pam_constants::PAM_CONV_ERR,
+ConversationError = constants::PAM_CONV_ERR,
-AuthTokError = pam_constants::PAM_AUTHTOK_ERR,
+AuthTokError = constants::PAM_AUTHTOK_ERR,
-AuthTokRecoveryError = pam_constants::PAM_AUTHTOK_RECOVERY_ERR,
+AuthTokRecoveryError = constants::PAM_AUTHTOK_RECOVERY_ERR,
-AuthTokLockBusy = pam_constants::PAM_AUTHTOK_LOCK_BUSY,
+AuthTokLockBusy = constants::PAM_AUTHTOK_LOCK_BUSY,
-AuthTokDisableAging = pam_constants::PAM_AUTHTOK_DISABLE_AGING,
+AuthTokDisableAging = constants::PAM_AUTHTOK_DISABLE_AGING,
-TryAgain = pam_constants::PAM_TRY_AGAIN,
+TryAgain = constants::PAM_TRY_AGAIN,
-Ignore = pam_constants::PAM_IGNORE,
+Ignore = constants::PAM_IGNORE,
-Abort = pam_constants::PAM_ABORT,
+Abort = constants::PAM_ABORT,
-AuthTokExpired = pam_constants::PAM_AUTHTOK_EXPIRED,
+AuthTokExpired = constants::PAM_AUTHTOK_EXPIRED,
 #[cfg(feature = "basic-ext")]
-ModuleUnknown = pam_constants::PAM_MODULE_UNKNOWN,
+ModuleUnknown = constants::PAM_MODULE_UNKNOWN,
 #[cfg(feature = "basic-ext")]
-BadItem = pam_constants::PAM_BAD_ITEM,
+BadItem = constants::PAM_BAD_ITEM,
 #[cfg(feature = "linux-pam-ext")]
-ConversationAgain = pam_constants::PAM_CONV_AGAIN,
+ConversationAgain = constants::PAM_CONV_AGAIN,
 #[cfg(feature = "linux-pam-ext")]
-Incomplete = pam_constants::PAM_INCOMPLETE,
+Incomplete = constants::PAM_INCOMPLETE,
+#[cfg(feature = "openpam-ext")]
+DomainUnknown = constants::PAM_DOMAIN_UNKNOWN,
+#[cfg(feature = "openpam-ext")]
+BadHandle = constants::PAM_BAD_HANDLE,
+#[cfg(feature = "openpam-ext")]
+BadFeature = constants::PAM_BAD_FEATURE,
+#[cfg(feature = "openpam-ext")]
+BadConstant = constants::PAM_BAD_CONSTANT,
 }
 /// A PAM-specific Result type with an [ErrorCode] error.
 pub type Result<T> = StdResult<T, ErrorCode>;
 #[test]
 fn test_enums() {
 assert_eq!(Ok(()), ErrorCode::result_from(0));
 assert_eq!(
-pam_constants::PAM_SESSION_ERR,
+constants::PAM_SESSION_ERR,
 ErrorCode::result_to_c::<()>(Err(ErrorCode::SessionError))
 );
 assert_eq!(
 Err(ErrorCode::Abort),
-ErrorCode::result_from(pam_constants::PAM_ABORT)
+ErrorCode::result_from(constants::PAM_ABORT)
 );
 assert_eq!(Err(ErrorCode::SystemError), ErrorCode::result_from(423));
 }
-}
+#[test]
+fn test_flag_enums() {
+AuthtokAction::extract(-1).expect_err("too many set");
+AuthtokAction::extract(0).expect_err("too few set");
+assert_eq!(
+Ok((
+AuthtokAction::Update,
+AuthtokFlags::from_bits_retain(0x7fff0000)
+)),
+AuthtokAction::extract(0x7fff0000 | constants::PAM_UPDATE_AUTHTOK)
+);
+CredAction::extract(0xffff).expect_err("too many set");
+assert_eq!(
+Ok((CredAction::Establish, BaseFlags::empty())),
+CredAction::extract(0)
+);
+assert_eq!(
+Ok((CredAction::Delete, BaseFlags::from_bits_retain(0x55000000))),
+CredAction::extract(0x55000000 | constants::PAM_DELETE_CRED)
+);
+}
+}

Mercurial > crates > nonstick

comparison src/constants.rs @ 166:2f5913131295