commit d887fff197b2fc3357bcbb1adb028521699a204a
author Joseph Reynolds <joseph-reynolds@charter.net> Tue Jan 14 16:34:09 2020 -0600
committer Joseph Reynolds <joseph-reynolds@charter.net> Thu Jan 30 16:24:12 2020 +0000
tree cd2038b1dfd796becf9444d27b1024ca5dc4b7d7
parent d04ba325f3ef4e60eb4fd8e7477af78d1be0d79d

Enhance return value from pamAuthenticateUser

This enhances the return value from the pamAuthenticateUser function so
callers can articulate PAM error codes like PAM_NEW_AUTHTOK_REQD which
means the credentials are correct, but the password must be changed.

Tested: Yes, scenarios via both Redfish login and Basic Auth:
 - correct username and password, password is not expired
 - correct username and password, password is expired
 - correct username and incorrect password, password is not expired
 - correct username and incorrect password, password is expired
 - non-existent user (passsword is not relevant)

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I1114d6c9cc591fb0a1853cb4edea32ad22f7b015

include/token_authorization_middleware.hpp

diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 4d7cc08..abdedaf 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -138,7 +138,7 @@
 
         BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user;
 
-        if (!pamAuthenticateUser(user, pass))
+        if (pamAuthenticateUser(user, pass) != PAM_SUCCESS)
         {
             return nullptr;
         }
@@ -395,7 +395,7 @@
 
             if (!username.empty() && !password.empty())
             {
-                if (!pamAuthenticateUser(username, password))
+                if (pamAuthenticateUser(username, password) != PAM_SUCCESS)
                 {
                     res.result(boost::beast::http::status::unauthorized);
                 }