Follow-ups for recent changes to creds (#39040)

UID entry in the machine state file is introduced in v258,
hence when a host is upgraded to v258, the field does not exist in the
file, thus the variable 'uid' is NULL.

Follow-up for 276d20018623ef14956ce87975be48da5de63f29.
Fixes #39061.

src/core/exec-credential.c

@@ -520,7 +520,7 @@ static int maybe_decrypt_and_write_credential(
                 }
                 if (r < 0) {
                         if (graceful) {
-                                log_warning_errno(r, "Unable to decrypt credential '%s', skipping.", id);
+                                log_warning_errno(r, "Unable to decrypt credential '%s', skipping: %m", id);
                                 return 0;
                         }
 
@@ -739,7 +739,7 @@ static int load_credential(
         if (r < 0)
                 return log_debug_errno(r, "Failed to read credential '%s': %m", path);
 
-        return maybe_decrypt_and_write_credential(args, id, data, size, /* graceful= */ true);
+        return maybe_decrypt_and_write_credential(args, id, data, size, /* graceful= */ false);
 }
 
 static int load_cred_recurse_dir_cb(

src/creds/creds.c

@@ -1409,28 +1409,15 @@ static int vl_method_decrypt(sd_varlink *link, sd_json_variant *parameters, sd_v
                 ask_polkit = true;
         }
 
-        if (r == -EBADMSG)
-                return sd_varlink_error(link, "io.systemd.Credentials.BadFormat", NULL);
-        if (r == -EDESTADDRREQ)
-                return sd_varlink_error(link, "io.systemd.Credentials.NameMismatch", NULL);
-        if (r == -ESTALE)
-                return sd_varlink_error(link, "io.systemd.Credentials.TimeMismatch", NULL);
-        if (r == -ESRCH)
-                return sd_varlink_error(link, "io.systemd.Credentials.NoSuchUser", NULL);
-        if (r == -EMEDIUMTYPE)
-                return sd_varlink_error(link, "io.systemd.Credentials.BadScope", NULL);
-        if (r == -EHOSTDOWN)
-                return sd_varlink_error(link, "io.systemd.Credentials.CantFindPCRSignature", NULL);
-        if (r == -EHWPOISON)
-                return sd_varlink_error(link, "io.systemd.Credentials.NullKeyNotAllowed", NULL);
-        if (r == -EREMOTE)
-                return sd_varlink_error(link, "io.systemd.Credentials.KeyBelongsToOtherTPM", NULL);
-        if (r == -ENOLCK)
-                return sd_varlink_error(link, "io.systemd.Credentials.TPMInDictionaryLockout", NULL);
         if (IN_SET(r, -EREMCHG, -ENOANO, -EUCLEAN, -EPERM))
                 return sd_varlink_error(link, "io.systemd.Credentials.UnexpectedPCRState", NULL);
-        if (r < 0)
+        if (r < 0) {
+                const CredentialsVarlinkError *e = credentials_varlink_error_by_errno(r);
+                if (e)
+                        return sd_varlink_error(link, e->id, NULL);
+
                 return r;
+        }
 
         _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL;
 

src/machine/machine.c

@@ -403,9 +403,11 @@ int machine_load(Machine *m) {
                         log_warning_errno(r, "Failed to parse AF_VSOCK CID, ignoring: %s", vsock_cid);
         }
 
-        r = parse_uid(uid, &m->uid);
+        if (uid) {
-        if (r < 0)
+                r = parse_uid(uid, &m->uid);
-                log_warning_errno(r, "Failed to parse owning UID, ignoring: %s", uid);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to parse owning UID, ignoring: %s", uid);
+        }
 
         return r;
 }

src/shared/creds-util.c

@@ -1652,26 +1652,9 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
         if (r < 0)
                 return log_error_errno(r, "Failed to call Decrypt() varlink call.");
         if (!isempty(error_id))  {
-                static struct {
+                const CredentialsVarlinkError *e = credentials_varlink_error_by_id(error_id);
-                        const char *id;
+                if (e)
-                        int errnum;
+                        return log_error_errno(SYNTHETIC_ERRNO(e->errnum), "%s", e->msg);
-                        const char *msg;
-                } table[] = {
-                        { "io.systemd.Credentials.BadFormat",              EBADMSG,      "Bad credential format." },
-                        { "io.systemd.Credentials.NameMismatch",           EDESTADDRREQ, "Name in credential doesn't match expectations." },
-                        { "io.systemd.Credentials.TimeMismatch",           ESTALE,       "Outside of credential validity time window." },
-                        { "io.systemd.Credentials.NoSuchUser",             ESRCH,        "No such user." },
-                        { "io.systemd.Credentials.BadScope",               EMEDIUMTYPE,  "Scope mismatch." },
-                        { "io.systemd.Credentials.CantFindPCRSignature",   EHOSTDOWN,    "PCR signature required for decryption, but could not be found." },
-                        { "io.systemd.Credentials.NullKeyNotAllowed",      EHWPOISON,    "The key was encrypted with a null key, but that's now allowed during decryption." },
-                        { "io.systemd.Credentials.KeyBelongsToOtherTPM",   EREMOTE,      "The TPM integrity check for this key failed, key probably belongs to another TPM, or was corrupted." },
-                        { "io.systemd.Credentials.TPMInDictionaryLockout", ENOLCK,       "The TPM is in dictionary lockout mode, cannot operate." },
-                        { "io.systemd.Credentials.UnexpectedPCRState" ,    EUCLEAN,      "Unexpected TPM PCR state of the system." },
-                };
-
-                FOREACH_ELEMENT(i, table)
-                        if (streq(i->id, error_id))
-                                return log_error_errno(SYNTHETIC_ERRNO(i->errnum), "%s", i->msg);
 
                 return log_error_errno(sd_varlink_error_to_errno(error_id, reply), "Failed to decrypt: %s", error_id);
         }
@@ -1824,3 +1807,38 @@ int pick_up_credentials(const PickUpCredential *table, size_t n_table_entry) {
 
         return ret;
 }
+
+static const CredentialsVarlinkError credentials_varlink_error_table[] = {
+        { "io.systemd.Credentials.BadFormat",              EBADMSG,      "Bad credential format." },
+        { "io.systemd.Credentials.NameMismatch",           EDESTADDRREQ, "Name in credential doesn't match expectations." },
+        { "io.systemd.Credentials.TimeMismatch",           ESTALE,       "Outside of credential validity time window." },
+        { "io.systemd.Credentials.NoSuchUser",             ESRCH,        "No such user." },
+        { "io.systemd.Credentials.BadScope",               EMEDIUMTYPE,  "Scope mismatch." },
+        { "io.systemd.Credentials.CantFindPCRSignature",   EHOSTDOWN,    "PCR signature required for decryption, but could not be found." },
+        { "io.systemd.Credentials.NullKeyNotAllowed",      EHWPOISON,    "The key was encrypted with a null key, but that's now allowed during decryption." },
+        { "io.systemd.Credentials.KeyBelongsToOtherTPM",   EREMOTE,      "The TPM integrity check for this key failed, key probably belongs to another TPM, or was corrupted." },
+        { "io.systemd.Credentials.TPMInDictionaryLockout", ENOLCK,       "The TPM is in dictionary lockout mode, cannot operate." },
+        { "io.systemd.Credentials.UnexpectedPCRState" ,    EUCLEAN,      "Unexpected TPM PCR state of the system." },
+};
+
+const CredentialsVarlinkError* credentials_varlink_error_by_id(const char *id) {
+        assert(id);
+
+        FOREACH_ELEMENT(i, credentials_varlink_error_table)
+                if (streq(id, i->id))
+                        return i;
+
+        return NULL;
+}
+
+const CredentialsVarlinkError* credentials_varlink_error_by_errno(int errnum) {
+        assert(errnum != 0);
+
+        errnum = ABS(errnum);
+
+        FOREACH_ELEMENT(i, credentials_varlink_error_table)
+                if (errnum == i->errnum)
+                        return i;
+
+        return NULL;
+}

src/shared/creds-util.h

@@ -102,3 +102,12 @@ typedef struct PickUpCredential {
 } PickUpCredential;
 
 int pick_up_credentials(const PickUpCredential *table, size_t n_table_entry);
+
+typedef struct CredentialsVarlinkError {
+        const char *id;
+        int errnum;
+        const char *msg;
+} CredentialsVarlinkError;
+
+const CredentialsVarlinkError* credentials_varlink_error_by_id(const char *id) _pure_;
+const CredentialsVarlinkError* credentials_varlink_error_by_errno(int errnum) _const_;