Mercurial > dovecot > core-2.2
annotate src/auth/auth-request.h @ 15187:02451e967a06
Renamed network.[ch] to net.[ch].
The function prefixes already started with net_ instead of network_.
And icecap wants to use network.h for other purpose. :)
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Wed, 03 Oct 2012 18:17:26 +0300 |
| parents | ff66315076ce |
| children | 55d20120b348 |
```c
#ifndef AUTH_REQUEST_H
#define AUTH_REQUEST_H

#include "net.h"
#include "var-expand.h"
#include "mech.h"
#include "userdb.h"
#include "passdb.h"

struct auth_client_connection;

enum auth_request_state {
	AUTH_REQUEST_STATE_NEW,
	AUTH_REQUEST_STATE_PASSDB,
	AUTH_REQUEST_STATE_MECH_CONTINUE,
	AUTH_REQUEST_STATE_FINISHED,
	AUTH_REQUEST_STATE_USERDB,

	AUTH_REQUEST_STATE_MAX
};

typedef const char *
auth_request_escape_func_t(const char *string,
			   const struct auth_request *auth_request);

struct auth_request {
	int refcount;

	pool_t pool;
	enum auth_request_state state;
	/* user contains the user who is being authenticated.
	   When master user is logging in as someone else, it gets more
	   complicated. Initially user is set to master's username and the
	   requested_login_user is set to destination username. After masterdb
	   has validated user as a valid master user, master_user is set to
	   user and user is set to requested_login_user. */
	char *user, *requested_login_user, *master_user;
	/* original_username contains the username exactly as given by the
	   client. this is needed at least with DIGEST-MD5 for password
	   verification. however with master logins the master username has
	   been dropped from it. */
	const char *original_username;
	/* the username after doing all internal translations, but before
	   being changed by a db lookup */
	const char *translated_username;
	/* realm for the request, may be specified by some auth mechanisms */
	const char *realm;
	char *mech_password; /* set if verify_plain() is called */
	char *passdb_password; /* set after password lookup if successful */
	/* extra_fields are returned in authentication reply. Fields prefixed
	   with "userdb_" are skipped. If prefetch userdb is used, it uses
	   the "userdb_" prefixed fields. */
	struct auth_stream_reply *extra_fields;
	/* extra_fields that aren't supposed to be sent to the client, but
	   are supposed to be stored to auth cache. */
	struct auth_stream_reply *extra_cache_fields;
	/* the whole userdb result reply */
	struct auth_stream_reply *userdb_reply;
	struct auth_request_proxy_dns_lookup_ctx *dns_lookup_ctx;
	/* Result of passdb lookup */
	enum passdb_result passdb_result;

	const struct mech_module *mech;
	const struct auth_settings *set;
	struct auth_passdb *passdb;
	struct auth_userdb *userdb;

	/* passdb lookups have a handler, userdb lookups don't */
	struct auth_request_handler *handler;
	struct auth_master_connection *master;

	unsigned int connect_uid;
	unsigned int client_pid;
	unsigned int id;
	time_t last_access;
	pid_t session_pid;

	const char *service, *mech_name, *session_id;
	struct ip_addr local_ip, remote_ip;
	unsigned int local_port, remote_port;

	struct timeout *to_abort, *to_penalty;
	unsigned int last_penalty;
	unsigned int initial_response_len;
	const unsigned char *initial_response;

	union {
		verify_plain_callback_t *verify_plain;
		lookup_credentials_callback_t *lookup_credentials;
		set_credentials_callback_t *set_credentials;
		userdb_callback_t *userdb;
	} private_callback;
	const char *credentials_scheme;

	void *context;

	unsigned int successful:1;
	unsigned int passdb_failure:1;
	unsigned int internal_failure:1;
	unsigned int passdb_user_unknown:1;
	unsigned int passdb_internal_failure:1;
	unsigned int userdb_internal_failure:1;
	unsigned int delayed_failure:1;
	unsigned int auth_only:1;
	unsigned int domain_is_realm:1;
	unsigned int accept_input:1;
	unsigned int no_failure_delay:1;
	unsigned int no_login:1;
	unsigned int no_password:1;
	unsigned int skip_password_check:1;
	unsigned int prefer_plain_credentials:1;
	unsigned int proxy:1;
	unsigned int proxy_maybe:1;
	unsigned int proxy_always:1;
	unsigned int proxy_host_is_self:1;
	unsigned int valid_client_cert:1;
	unsigned int no_penalty:1;
	unsigned int cert_username:1;
	unsigned int userdb_lookup:1;
	unsigned int userdb_lookup_failed:1;
	unsigned int secured:1;
	unsigned int final_resp_ok:1;
	unsigned int removed_from_handler:1;

	/* ... mechanism specific data ... */
};

typedef void auth_request_proxy_cb_t(bool success, struct auth_request *);

extern unsigned int auth_request_state_count[AUTH_REQUEST_STATE_MAX];
#define AUTH_REQUEST_VAR_TAB_USER_IDX 0
#define AUTH_REQUEST_VAR_TAB_USERNAME_IDX 1
#define AUTH_REQUEST_VAR_TAB_DOMAIN_IDX 2
#define AUTH_REQUEST_VAR_TAB_COUNT 19
extern const struct var_expand_table auth_request_var_expand_static_tab[];

struct auth_request *
auth_request_new(const struct mech_module *mech);
struct auth_request *auth_request_new_dummy(void);
void auth_request_init(struct auth_request *request);
struct auth *auth_request_get_auth(struct auth_request *request);

void auth_request_set_state(struct auth_request *request,
			    enum auth_request_state state);

void auth_request_ref(struct auth_request *request);
void auth_request_unref(struct auth_request **request);

void auth_request_success(struct auth_request *request,
			  const void *data, size_t data_size);
void auth_request_fail(struct auth_request *request);
void auth_request_internal_failure(struct auth_request *request);

void auth_request_export(struct auth_request *request,
			 struct auth_stream_reply *reply);
bool auth_request_import(struct auth_request *request,
			 const char *key, const char *value);
bool auth_request_import_info(struct auth_request *request,
			      const char *key, const char *value);
bool auth_request_import_auth(struct auth_request *request,
			      const char *key, const char *value);
bool auth_request_import_master(struct auth_request *request,
				const char *key, const char *value);

void auth_request_initial(struct auth_request *request);
void auth_request_continue(struct auth_request *request,
			   const unsigned char *data, size_t data_size);

void auth_request_verify_plain(struct auth_request *request,
			       const char *password,
			       verify_plain_callback_t *callback);
void auth_request_lookup_credentials(struct auth_request *request,
				     const char *scheme,
				     lookup_credentials_callback_t *callback);
void auth_request_lookup_user(struct auth_request *request,
			      userdb_callback_t *callback);

bool auth_request_set_username(struct auth_request *request,
			       const char *username, const char **error_r);
bool auth_request_set_login_username(struct auth_request *request,
				     const char *username,
				     const char **error_r);

void auth_request_set_field(struct auth_request *request,
			    const char *name, const char *value,
			    const char *default_scheme) ATTR_NULL(4);
void auth_request_set_field_keyvalue(struct auth_request *request,
				     const char *field,
				     const char *default_scheme) ATTR_NULL(3);
void auth_request_set_fields(struct auth_request *request,
			     const char *const *fields,
			     const char *default_scheme) ATTR_NULL(3);

void auth_request_init_userdb_reply(struct auth_request *request);
void auth_request_set_userdb_field(struct auth_request *request,
				   const char *name, const char *value);
void auth_request_set_userdb_field_values(struct auth_request *request,
					  const char *name,
```
parents:
5788
diff
changeset
|
199 const char *const *values); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
200 /* returns -1 = failed, 0 = callback is called later, 1 = finished */ |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
201 int auth_request_proxy_finish(struct auth_request *request, |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
202 auth_request_proxy_cb_t *callback); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
203 void auth_request_proxy_finish_failure(struct auth_request *request); |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
204 |
10585
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10301
diff
changeset
|
205 void auth_request_log_password_mismatch(struct auth_request *request, |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10301
diff
changeset
|
206 const char *subsystem); |
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
207 int auth_request_password_verify(struct auth_request *request, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
208 const char *plain_password, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
209 const char *crypted_password, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
210 const char *scheme, const char *subsystem); |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
211 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
212 const struct var_expand_table * |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
213 auth_request_get_var_expand_table(const struct auth_request *auth_request, |
14629
c93ca5e46a8a
Marked functions parameters that are allowed to be NULL. Some APIs were also changed.
Timo Sirainen <tss@iki.fi>
parents:
14576
diff
changeset
|
214 auth_request_escape_func_t *escape_func) |
c93ca5e46a8a
Marked functions parameters that are allowed to be NULL. Some APIs were also changed.
Timo Sirainen <tss@iki.fi>
parents:
14576
diff
changeset
|
215 ATTR_NULL(2); |
15160
18c8d840b028
ldap auth: Update %variables after each field update.
Timo Sirainen <tss@iki.fi>
parents:
14777
diff
changeset
|
216 struct var_expand_table * |
18c8d840b028
ldap auth: Update %variables after each field update.
Timo Sirainen <tss@iki.fi>
parents:
14777
diff
changeset
|
217 auth_request_get_var_expand_table_full(const struct auth_request *auth_request, |
18c8d840b028
ldap auth: Update %variables after each field update.
Timo Sirainen <tss@iki.fi>
parents:
14777
diff
changeset
|
218 auth_request_escape_func_t *escape_func, |
15162 | 219 unsigned int *count) ATTR_NULL(2); |
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
220 const char *auth_request_str_escape(const char *string, |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
221 const struct auth_request *request); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
222 |
3069 | 223 void auth_request_log_debug(struct auth_request *auth_request, |
224 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
225 const char *format, ...) ATTR_FORMAT(3, 4); |
3069 | 226 void auth_request_log_info(struct auth_request *auth_request, |
227 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
228 const char *format, ...) ATTR_FORMAT(3, 4); |
12794
946d1cd3300b
auth: Log a warning if ldap attribute has unexpectedly multiple values.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
229 void auth_request_log_warning(struct auth_request *auth_request, |
946d1cd3300b
auth: Log a warning if ldap attribute has unexpectedly multiple values.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
230 const char *subsystem, |
14382 | 231 const char *format, ...) ATTR_FORMAT(3, 4); |
3069 | 232 void auth_request_log_error(struct auth_request *auth_request, |
233 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
234 const char *format, ...) ATTR_FORMAT(3, 4); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
235 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
236 void auth_request_verify_plain_callback(enum passdb_result result, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
237 struct auth_request *request); |
5475
769aaaee6821
Reverted accidental commit. This code isn't ready yet.
Timo Sirainen <tss@iki.fi>
parents:
5462
diff
changeset
|
238 void auth_request_lookup_credentials_callback(enum passdb_result result, |
5598
971050640e3b
All password schemes can now be encoded with base64 or hex. The encoding is
Timo Sirainen <tss@iki.fi>
parents:
5593
diff
changeset
|
239 const unsigned char *credentials, |
971050640e3b
All password schemes can now be encoded with base64 or hex. The encoding is
Timo Sirainen <tss@iki.fi>
parents:
5593
diff
changeset
|
240 size_t size, |
5475
769aaaee6821
Reverted accidental commit. This code isn't ready yet.
Timo Sirainen <tss@iki.fi>
parents:
5462
diff
changeset
|
241 struct auth_request *request); |
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
242 void auth_request_set_credentials(struct auth_request *request, |
5593
f8dc0bdb06a7
Removed enum passdb_credentials. Use scheme strings directly instead. This
Timo Sirainen <tss@iki.fi>
parents:
5586
diff
changeset
|
243 const char *scheme, const char *data, |
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
244 set_credentials_callback_t *callback); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
245 void auth_request_userdb_callback(enum userdb_result result, |
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
246 struct auth_request *request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
247 |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
248 void auth_request_refresh_last_access(struct auth_request *request); |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
249 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
250 #endif |