dovecot/core-2.2: src/auth/auth-request.c annotate

annotate src/auth/auth-request.c @ 10903:6e639833c3fc HEAD

auth: Initial support for per-protocol auth settings. Currently the list of services is hard-coded. This should be changed so that config lookup returns the service names.

author	Timo Sirainen <tss@iki.fi>
date	Sat, 13 Mar 2010 22:54:41 +0200
parents	52eb8317514f
children	bcd43231f723

rev	line source
10582 615eef3139c2 Updated copyright notices to include year 2010. Timo Sirainen <tss@iki.fi> parents: 10542 diff changeset	1 /* Copyright (c) 2002-2010 Dovecot authors, see the included COPYING file */
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	2
9219 97cdfeb57129 Renamed headers to prevent collision if they were flattened on an install. Mark Washenberger parents: 9015 diff changeset	3 #include "auth-common.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	4 #include "ioloop.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "buffer.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "hash.h"
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	7 #include "sha1.h"
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	8 #include "hex-binary.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	9 #include "str.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "safe-memset.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	11 #include "str-sanitize.h"
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	12 #include "strescape.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	13 #include "var-expand.h"
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	14 #include "auth-cache.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	15 #include "auth-request.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #include "auth-client-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	17 #include "auth-master-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	18 #include "passdb.h"
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	19 #include "passdb-blocking.h"
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	20 #include "userdb-blocking.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	21 #include "passdb-cache.h"
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	22 #include "password-scheme.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	23
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	24 #include <stdlib.h>
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	25 #include <sys/stat.h>
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	26
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	27 #define CACHED_PASSWORD_SCHEME "SHA1"
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	28
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	29 static void get_log_prefix(string_t str, struct auth_request auth_request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	30 const char *subsystem);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	31
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	32 struct auth_request *
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	33 auth_request_new(const struct mech_module *mech,
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	34 mech_callback_t callback, void context)
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	35 {
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	36 struct auth_request *request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	37
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	38 request = mech->auth_new();
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	39 request->state = AUTH_REQUEST_STATE_NEW;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	40
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	41 request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	42 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	43
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	44 request->set = global_auth_settings;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	45 request->mech = mech;
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	46 request->mech_name = mech == NULL ? NULL : mech->mech_name;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	47 request->callback = callback;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	48 request->context = context;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	49 return request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	50 }
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	51
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	52 struct auth_request *auth_request_new_dummy(void)
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	53 {
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	54 struct auth_request *auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	55 pool_t pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	56
3695 4f8598b0ca62 Use a bit larger initial pool sizes Timo Sirainen <tss@iki.fi> parents: 3687 diff changeset	57 pool = pool_alloconly_create("auth_request", 1024);
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	58 auth_request = p_new(pool, struct auth_request, 1);
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	59 auth_request->pool = pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	60
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	61 auth_request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	62 auth_request->last_access = ioloop_time;
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	63 auth_request->set = global_auth_settings;
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	64
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	65 return auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	66 }
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	67
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	68 void auth_request_init(struct auth_request *request)
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	69 {
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	70 struct auth *auth;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	71
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	72 auth = auth_request_get_auth(request);
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	73 request->set = auth->set;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	74 request->passdb = auth->passdbs;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	75 request->userdb = auth->userdbs;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	76 }
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	77
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	78 struct auth auth_request_get_auth(struct auth_request request)
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	79 {
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	80 return auth_find_service(request->service);
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	81 }
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	82
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	83 void auth_request_success(struct auth_request *request,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	84 const void *data, size_t data_size)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	85 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	86 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	87
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	88 if (request->passdb_failure) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	89 /* password was valid, but some other check failed. */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	90 auth_request_fail(request);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	91 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	92 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	93
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	94 request->state = AUTH_REQUEST_STATE_FINISHED;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	95 request->successful = TRUE;
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	96 auth_request_refresh_last_access(request);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	97 request->callback(request, AUTH_CLIENT_RESULT_SUCCESS,
3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	98 data, data_size);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	99 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	100
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	101 void auth_request_fail(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	102 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	103 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	104
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	105 request->state = AUTH_REQUEST_STATE_FINISHED;
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	106 auth_request_refresh_last_access(request);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	107 request->callback(request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	108 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	109
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	110 void auth_request_internal_failure(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	111 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	112 request->internal_failure = TRUE;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	113 auth_request_fail(request);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	114 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	115
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	116 void auth_request_ref(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	117 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	118 request->refcount++;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	119 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	120
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	121 void auth_request_unref(struct auth_request **_request)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	122 {
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	123 struct auth_request request = _request;
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	124
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	125 *_request = NULL;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	126 i_assert(request->refcount > 0);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	127 if (--request->refcount > 0)
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	128 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	129
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	130 if (request->to_abort != NULL)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	131 timeout_remove(&request->to_abort);
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	132 if (request->to_penalty != NULL)
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	133 timeout_remove(&request->to_penalty);
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	134
3386 e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	135 if (request->mech != NULL)
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	136 request->mech->auth_free(request);
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	137 else
6428 7cad076906eb pool_unref() now takes ** pointer. Timo Sirainen <tss@iki.fi> parents: 6411 diff changeset	138 pool_unref(&request->pool);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	139 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	140
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	141 void auth_request_export(struct auth_request *request,
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	142 struct auth_stream_reply *reply)
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	143 {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	144 auth_stream_reply_add(reply, "user", request->user);
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	145 auth_stream_reply_add(reply, "service", request->service);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	146
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	147 if (request->master_user != NULL) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	148 auth_stream_reply_add(reply, "master_user",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	149 request->master_user);
8346 9f66028a1089 Pass original_username to auth-workers. Timo Sirainen <tss@iki.fi> parents: 8320 diff changeset	150 }
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	151 auth_stream_reply_add(reply, "original_username",
fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	152 request->original_username);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	153
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	154 if (request->local_ip.family != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	155 auth_stream_reply_add(reply, "lip",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	156 net_ip2addr(&request->local_ip));
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	157 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	158 if (request->remote_ip.family != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	159 auth_stream_reply_add(reply, "rip",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	160 net_ip2addr(&request->remote_ip));
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	161 }
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	162 if (request->local_port != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	163 auth_stream_reply_add(reply, "lport",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	164 dec2str(request->local_port));
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	165 }
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	166 if (request->remote_port != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	167 auth_stream_reply_add(reply, "rport",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	168 dec2str(request->remote_port));
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	169 }
5585 e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	170 if (request->secured)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	171 auth_stream_reply_add(reply, "secured", "1");
7318 be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	172 if (request->skip_password_check)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	173 auth_stream_reply_add(reply, "skip_password_check", "1");
8320 d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	174 if (request->valid_client_cert)
d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	175 auth_stream_reply_add(reply, "valid-client-cert", "1");
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	176 if (request->mech_name != NULL)
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	177 auth_stream_reply_add(reply, "mech", request->mech_name);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	178 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	179
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	180 bool auth_request_import(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	181 const char key, const char value)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	182 {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	183 if (strcmp(key, "user") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	184 request->user = p_strdup(request->pool, value);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	185 else if (strcmp(key, "master_user") == 0)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	186 request->master_user = p_strdup(request->pool, value);
8346 9f66028a1089 Pass original_username to auth-workers. Timo Sirainen <tss@iki.fi> parents: 8320 diff changeset	187 else if (strcmp(key, "original_username") == 0)
9f66028a1089 Pass original_username to auth-workers. Timo Sirainen <tss@iki.fi> parents: 8320 diff changeset	188 request->original_username = p_strdup(request->pool, value);
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	189 else if (strcmp(key, "cert_username") == 0) {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	190 if (request->set->ssl_username_from_cert) {
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	191 /* get username from SSL certificate. it overrides
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	192 the username given by the auth mechanism. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	193 request->user = p_strdup(request->pool, value);
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	194 request->cert_username = TRUE;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	195 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	196 } else if (strcmp(key, "service") == 0)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	197 request->service = p_strdup(request->pool, value);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	198 else if (strcmp(key, "lip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	199 net_addr2ip(value, &request->local_ip);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	200 else if (strcmp(key, "rip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	201 net_addr2ip(value, &request->remote_ip);
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	202 else if (strcmp(key, "lport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	203 request->local_port = atoi(value);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	204 else if (strcmp(key, "rport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	205 request->remote_port = atoi(value);
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	206 else if (strcmp(key, "secured") == 0)
0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	207 request->secured = TRUE;
7106 1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	208 else if (strcmp(key, "nologin") == 0)
1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	209 request->no_login = TRUE;
8320 d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	210 else if (strcmp(key, "valid-client-cert") == 0)
d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	211 request->valid_client_cert = TRUE;
7318 be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	212 else if (strcmp(key, "skip_password_check") == 0) {
be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	213 i_assert(request->master_user != NULL);
be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	214 request->skip_password_check = TRUE;
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	215 } else if (strcmp(key, "mech") == 0)
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	216 request->mech_name = p_strdup(request->pool, value);
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	217 else
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	218 return FALSE;
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	219
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	220 return TRUE;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	221 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	222
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	223 void auth_request_initial(struct auth_request *request)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	224 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	225 i_assert(request->state == AUTH_REQUEST_STATE_NEW);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	226
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	227 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	228 request->mech->auth_initial(request, request->initial_response,
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	229 request->initial_response_len);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	230 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	231
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	232 void auth_request_continue(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	233 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	234 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	235 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	236
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	237 auth_request_refresh_last_access(request);
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	238 request->mech->auth_continue(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	239 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	240
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	241 static void auth_request_save_cache(struct auth_request *request,
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	242 enum passdb_result result)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	243 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	244 struct passdb_module *passdb = request->passdb->passdb;
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	245 const char extra_fields, encoded_password;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	246 string_t *str;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	247
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	248 switch (result) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	249 case PASSDB_RESULT_USER_UNKNOWN:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	250 case PASSDB_RESULT_PASSWORD_MISMATCH:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	251 case PASSDB_RESULT_OK:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	252 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	253 /* can be cached */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	254 break;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	255 case PASSDB_RESULT_USER_DISABLED:
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	256 case PASSDB_RESULT_PASS_EXPIRED:
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	257 /* FIXME: we can't cache this now, or cache lookup would
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	258 return success. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	259 return;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	260 case PASSDB_RESULT_INTERNAL_FAILURE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	261 i_unreached();
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	262 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	263
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	264 extra_fields = request->extra_fields == NULL ? NULL :
e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	265 auth_stream_reply_export(request->extra_fields);
3432 079ec5c2d665 Last change caused user-given passwords to be cached, and later the password Timo Sirainen <tss@iki.fi> parents: 3431 diff changeset	266
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	267 if (passdb_cache == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	268 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	269
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	270 if (passdb->cache_key == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	271 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	272
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	273 if (result < 0) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	274 /* lookup failed. */
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	275 if (result == PASSDB_RESULT_USER_UNKNOWN) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	276 auth_cache_insert(passdb_cache, request,
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	277 passdb->cache_key, "", FALSE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	278 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	279 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	280 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	281
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	282 if (!request->no_password && request->passdb_password == NULL) {
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	283 /* passdb didn't provide the correct password */
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	284 if (result != PASSDB_RESULT_OK \|\|
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	285 request->mech_password == NULL)
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	286 return;
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	287
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	288 /* we can still cache valid password lookups though.
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	289 strdup() it so that mech_password doesn't get
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	290 cleared too early. */
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	291 if (!password_generate_encoded(request->mech_password,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	292 request->user,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	293 CACHED_PASSWORD_SCHEME,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	294 &encoded_password))
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	295 i_unreached();
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	296 request->passdb_password =
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	297 p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}",
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	298 encoded_password, NULL);
3645 81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	299 }
81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	300
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	301 /* save all except the currently given password in cache */
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	302 str = t_str_new(256);
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	303 if (request->passdb_password != NULL) {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	304 if (*request->passdb_password != '{') {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	305 /* cached passwords must have a known scheme */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	306 str_append_c(str, '{');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	307 str_append(str, passdb->default_pass_scheme);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	308 str_append_c(str, '}');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	309 }
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	310 if (strchr(request->passdb_password, '\t') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	311 i_panic("%s: Password contains TAB", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	312 if (strchr(request->passdb_password, '\n') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	313 i_panic("%s: Password contains LF", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	314 str_append(str, request->passdb_password);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	315 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	316
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	317 if (extra_fields != NULL && *extra_fields != '\0') {
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	318 str_append_c(str, '\t');
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	319 str_append(str, extra_fields);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	320 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	321 if (request->extra_cache_fields != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	322 extra_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	323 auth_stream_reply_export(request->extra_cache_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	324 if (*extra_fields != '\0') {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	325 str_append_c(str, '\t');
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	326 str_append(str, extra_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	327 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	328 }
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	329 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str),
3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	330 result == PASSDB_RESULT_OK);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	331 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	332
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	333 static bool auth_request_master_lookup_finish(struct auth_request *request)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	334 {
4534 dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	335 if (request->passdb_failure)
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	336 return TRUE;
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	337
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	338 /* master login successful. update user and master_user variables. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	339 auth_request_log_info(request, "passdb", "Master user logging in as %s",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	340 request->requested_login_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	341
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	342 request->master_user = request->user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	343 request->user = request->requested_login_user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	344 request->requested_login_user = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	345
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	346 request->skip_password_check = TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	347 request->passdb_password = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	348
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	349 if (!request->passdb->set->pass) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	350 /* skip the passdb lookup, we're authenticated now. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	351 return TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	352 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	353
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	354 /* the authentication continues with passdb lookup for the
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	355 requested_login_user. */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	356 request->passdb = auth_request_get_auth(request)->passdbs;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	357 return FALSE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	358 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	359
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	360 static bool
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	361 auth_request_handle_passdb_callback(enum passdb_result *result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	362 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	363 {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	364 if (request->passdb_password != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	365 safe_memset(request->passdb_password, 0,
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	366 strlen(request->passdb_password));
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	367 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	368
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	369 if (request->passdb->set->deny &&
52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	370 *result != PASSDB_RESULT_USER_UNKNOWN) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	371 /* deny passdb. we can get through this step only if the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	372 lookup returned that user doesn't exist in it. internal
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	373 errors are fatal here. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	374 if (*result != PASSDB_RESULT_INTERNAL_FAILURE) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	375 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	376 "User found from deny passdb");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	377 *result = PASSDB_RESULT_USER_DISABLED;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	378 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	379 } else if (*result == PASSDB_RESULT_OK) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	380 /* success */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	381 if (request->requested_login_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	382 /* this was a master user lookup. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	383 if (!auth_request_master_lookup_finish(request))
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	384 return FALSE;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	385 } else {
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	386 if (request->passdb->set->pass) {
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	387 /* this wasn't the final passdb lookup,
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	388 continue to next passdb */
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	389 request->passdb = request->passdb->next;
4402 8846e6be0e02 If multiple passdbs were configured and we tried to authenticate as user Timo Sirainen <tss@iki.fi> parents: 4374 diff changeset	390 request->passdb_password = NULL;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	391 return FALSE;
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	392 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	393 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	394 } else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	395 if (request->extra_fields == NULL) {
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	396 request->extra_fields =
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	397 auth_stream_reply_init(request->pool);
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	398 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	399 auth_stream_reply_add(request->extra_fields, "reason",
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	400 "Password expired");
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	401 } else if (request->passdb->next != NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	402 *result != PASSDB_RESULT_USER_DISABLED) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	403 /* try next passdb. */
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	404 request->passdb = request->passdb->next;
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	405 request->passdb_password = NULL;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	406
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	407 if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	408 /* remember that we have had an internal failure. at
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	409 the end return internal failure if we couldn't
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	410 successfully login. */
3606 8a8352cda514 If passdb lookup fails with internal error, try other passdbs anyway before Timo Sirainen <tss@iki.fi> parents: 3520 diff changeset	411 request->passdb_internal_failure = TRUE;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	412 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	413 if (request->extra_fields != NULL)
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	414 auth_stream_reply_reset(request->extra_fields);
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	415
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	416 return FALSE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	417 } else if (request->passdb_internal_failure) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	418 /* last passdb lookup returned internal failure. it may have
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	419 had the correct password, so return internal failure
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	420 instead of plain failure. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	421 *result = PASSDB_RESULT_INTERNAL_FAILURE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	422 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	423
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	424 return TRUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	425 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	426
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	427 static void
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	428 auth_request_verify_plain_callback_finish(enum passdb_result result,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	429 struct auth_request *request)
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	430 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	431 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	432 /* try next passdb */
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	433 auth_request_verify_plain(request, request->mech_password,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	434 request->private_callback.verify_plain);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	435 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	436 auth_request_ref(request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	437 request->private_callback.verify_plain(result, request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	438 safe_memset(request->mech_password, 0,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	439 strlen(request->mech_password));
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	440 auth_request_unref(&request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	441 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	442 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	443
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	444 void auth_request_verify_plain_callback(enum passdb_result result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	445 struct auth_request *request)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	446 {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	447 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	448
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	449 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	450
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	451 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	452 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	453 else {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	454 /* lookup failed. if we're looking here only because the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	455 request was expired in cache, fallback to using cached
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	456 expired record. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	457 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	458
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	459 if (passdb_cache_verify_plain(request, cache_key,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	460 request->mech_password,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	461 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	462 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	463 "Fallbacking to expired data from cache");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	464 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	465 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	466
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	467 auth_request_verify_plain_callback_finish(result, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	468 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	469
7389 1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	470 static bool password_has_illegal_chars(const char *password)
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	471 {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	472 for (; *password != '\0'; password++) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	473 switch (*password) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	474 case '\001':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	475 case '\t':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	476 case '\r':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	477 case '\n':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	478 /* these characters have a special meaning in internal
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	479 protocols, make sure the password doesn't
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	480 accidentally get there unescaped. */
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	481 return TRUE;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	482 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	483 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	484 return FALSE;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	485 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	486
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	487 void auth_request_verify_plain(struct auth_request *request,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	488 const char *password,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	489 verify_plain_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	490 {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	491 struct passdb_module *passdb;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	492 enum passdb_result result;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	493 const char *cache_key;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	494
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	495 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	496
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	497 if (request->passdb == NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	498 /* no masterdbs, master logins not supported */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	499 i_assert(request->requested_login_user != NULL);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	500 auth_request_log_info(request, "passdb",
8456 529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	501 "Attempted master login with no master passdbs "
529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	502 "(trying to log in as user: %s)",
529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	503 request->requested_login_user);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	504 callback(PASSDB_RESULT_USER_UNKNOWN, request);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	505 return;
7389 1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	506 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	507
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	508 if (password_has_illegal_chars(password)) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	509 auth_request_log_info(request, "passdb",
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	510 "Attempted login with password having illegal chars");
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	511 callback(PASSDB_RESULT_USER_UNKNOWN, request);
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	512 return;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	513 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	514
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	515 passdb = request->passdb->passdb;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	516 if (request->mech_password == NULL)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	517 request->mech_password = p_strdup(request->pool, password);
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	518 else
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	519 i_assert(request->mech_password == password);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	520 request->private_callback.verify_plain = callback;
3164 da9e4ffef09f Last changes broke proxying when user was in auth cache. Timo Sirainen <tss@iki.fi> parents: 3161 diff changeset	521
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	522 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	523 if (passdb_cache_verify_plain(request, cache_key, password,
64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	524 &result, FALSE)) {
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	525 auth_request_verify_plain_callback_finish(result, request);
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	526 return;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	527 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	528
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	529 request->state = AUTH_REQUEST_STATE_PASSDB;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	530 request->credentials_scheme = NULL;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	531
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	532 if (passdb->blocking)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	533 passdb_blocking_verify_plain(request);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	534 else {
3771 4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	535 passdb->iface.verify_plain(request, password,
4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	536 auth_request_verify_plain_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	537 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	538 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	539
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	540 static void
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	541 auth_request_lookup_credentials_finish(enum passdb_result result,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	542 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	543 size_t size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	544 struct auth_request *request)
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	545 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	546 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	547 /* try next passdb */
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	548 auth_request_lookup_credentials(request,
f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	549 request->credentials_scheme,
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	550 request->private_callback.lookup_credentials);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	551 } else {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	552 if (request->set->debug_passwords &&
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	553 result == PASSDB_RESULT_OK) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	554 auth_request_log_debug(request, "password",
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	555 "Credentials: %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	556 binary_to_hex(credentials, size));
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	557 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	558 request->private_callback.
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	559 lookup_credentials(result, credentials, size, request);
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	560 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	561 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	562
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	563 void auth_request_lookup_credentials_callback(enum passdb_result result,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	564 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	565 size_t size,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	566 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	567 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	568 const char cache_cred, cache_scheme;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	569
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	570 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	571
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	572 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	573
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	574 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	575 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	576 else {
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	577 /* lookup failed. if we're looking here only because the
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	578 request was expired in cache, fallback to using cached
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	579 expired record. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	580 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	581
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	582 if (passdb_cache_lookup_credentials(request, cache_key,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	583 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	584 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	585 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	586 "Fallbacking to expired data from cache");
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	587 passdb_handle_credentials(
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	588 result, cache_cred, cache_scheme,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	589 auth_request_lookup_credentials_finish,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	590 request);
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	591 return;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	592 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	593 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	594
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	595 auth_request_lookup_credentials_finish(result, credentials, size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	596 request);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	597 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	598
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	599 void auth_request_lookup_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	600 const char *scheme,
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	601 lookup_credentials_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	602 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	603 struct passdb_module *passdb = request->passdb->passdb;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	604 const char cache_key, cache_cred, *cache_scheme;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	605 enum passdb_result result;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	606
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	607 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	608
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	609 request->credentials_scheme = p_strdup(request->pool, scheme);
5233 359a8f31aa9b Fixed a crash when non-plaintext mechanism used auth_cache. Timo Sirainen <tss@iki.fi> parents: 5170 diff changeset	610 request->private_callback.lookup_credentials = callback;
3682 0207808033ad Non-plaintext authentication and passdb cache didn't work together. Patch by Timo Sirainen <tss@iki.fi> parents: 3669 diff changeset	611
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	612 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	613 if (cache_key != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	614 if (passdb_cache_lookup_credentials(request, cache_key,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	615 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	616 &result, FALSE)) {
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	617 passdb_handle_credentials(
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	618 result, cache_cred, cache_scheme,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	619 auth_request_lookup_credentials_finish,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	620 request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	621 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	622 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	623 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	624
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	625 request->state = AUTH_REQUEST_STATE_PASSDB;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	626
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	627 if (passdb->iface.lookup_credentials == NULL) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	628 /* this passdb doesn't support credentials */
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	629 auth_request_log_debug(request, "password",
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	630 "passdb doesn't support credential lookups");
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	631 auth_request_lookup_credentials_callback(
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	632 PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, 0, request);
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	633 } else if (passdb->blocking) {
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	634 passdb_blocking_lookup_credentials(request);
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	635 } else {
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	636 passdb->iface.lookup_credentials(request,
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	637 auth_request_lookup_credentials_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	638 }
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	639 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	640
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	641 void auth_request_set_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	642 const char scheme, const char data,
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	643 set_credentials_callback_t *callback)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	644 {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	645 struct passdb_module *passdb = request->passdb->passdb;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	646 const char cache_key, new_credentials;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	647
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	648 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	649 if (cache_key != NULL)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	650 auth_cache_remove(passdb_cache, request, cache_key);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	651
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	652 request->private_callback.set_credentials = callback;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	653
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	654 new_credentials = t_strdup_printf("{%s}%s", scheme, data);
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	655 if (passdb->blocking)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	656 passdb_blocking_set_credentials(request, new_credentials);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	657 else if (passdb->iface.set_credentials != NULL) {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	658 passdb->iface.set_credentials(request, new_credentials,
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	659 callback);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	660 } else {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	661 /* this passdb doesn't support credentials update */
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	662 callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	663 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	664 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	665
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	666 static void auth_request_userdb_save_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	667 enum userdb_result result)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	668 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	669 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	670 const char *str;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	671
4983 8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	672 if (passdb_cache == NULL \|\| userdb->cache_key == NULL)
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	673 return;
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	674
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	675 str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	676 auth_stream_reply_export(request->userdb_reply);
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	677 /* last_success has no meaning with userdb */
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	678 auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	679 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	680
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	681 static bool auth_request_lookup_user_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	682 const char *key,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	683 struct auth_stream_reply **reply_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	684 enum userdb_result *result_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	685 bool use_expired)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	686 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	687 const char *value;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	688 struct auth_cache_node *node;
10836 81e085f9bd75 auth_cache_negative_ttl is now also used for password mismatches. Timo Sirainen <tss@iki.fi> parents: 10757 diff changeset	689 bool expired, neg_expired;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	690
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	691 value = auth_cache_lookup(passdb_cache, request, key, &node,
10836 81e085f9bd75 auth_cache_negative_ttl is now also used for password mismatches. Timo Sirainen <tss@iki.fi> parents: 10757 diff changeset	692 &expired, &neg_expired);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	693 if (value == NULL \|\| (expired && !use_expired))
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	694 return FALSE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	695
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	696 if (*value == '\0') {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	697 /* negative cache entry */
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	698 *result_r = USERDB_RESULT_USER_UNKNOWN;
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	699 *reply_r = auth_stream_reply_init(request->pool);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	700 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	701 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	702
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	703 *result_r = USERDB_RESULT_OK;
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	704 *reply_r = auth_stream_reply_init(request->pool);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	705 auth_stream_reply_import(*reply_r, value);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	706 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	707 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	708
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	709 void auth_request_userdb_callback(enum userdb_result result,
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	710 struct auth_request *request)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	711 {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	712 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	713
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	714 if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	715 /* try next userdb. */
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	716 if (result == USERDB_RESULT_INTERNAL_FAILURE)
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	717 request->userdb_internal_failure = TRUE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	718
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	719 request->userdb = request->userdb->next;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	720 auth_request_lookup_user(request,
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	721 request->private_callback.userdb);
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	722 return;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	723 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	724
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	725 if (request->userdb_internal_failure && result != USERDB_RESULT_OK) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	726 /* one of the userdb lookups failed. the user might have been
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	727 in there, so this is an internal failure */
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	728 result = USERDB_RESULT_INTERNAL_FAILURE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	729 } else if (result == USERDB_RESULT_USER_UNKNOWN &&
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	730 request->client_pid != 0) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	731 /* this was an actual login attempt, the user should
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	732 have been found. */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	733 if (auth_request_get_auth(request)->userdbs->next == NULL) {
8402 244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	734 auth_request_log_error(request, "userdb",
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	735 "user not found from userdb %s",
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	736 request->userdb->userdb->iface->name);
8402 244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	737 } else {
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	738 auth_request_log_error(request, "userdb",
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	739 "user not found from any userdbs");
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	740 }
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	741 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	742
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	743 if (result != USERDB_RESULT_INTERNAL_FAILURE)
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	744 auth_request_userdb_save_cache(request, result);
5036 df93cf66022a If request fails with internal failure, don't crash if auth cache is Timo Sirainen <tss@iki.fi> parents: 4983 diff changeset	745 else if (passdb_cache != NULL && userdb->cache_key != NULL) {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	746 /* lookup failed. if we're looking here only because the
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	747 request was expired in cache, fallback to using cached
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	748 expired record. */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	749 const char *cache_key = userdb->cache_key;
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	750 struct auth_stream_reply *reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	751
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	752 if (auth_request_lookup_user_cache(request, cache_key, &reply,
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	753 &result, TRUE)) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	754 request->userdb_reply = reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	755 auth_request_log_info(request, "userdb",
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	756 "Fallbacking to expired data from cache");
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	757 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	758 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	759
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	760 request->private_callback.userdb(result, request);
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	761 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	762
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	763 void auth_request_lookup_user(struct auth_request *request,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	764 userdb_callback_t *callback)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	765 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	766 struct userdb_module *userdb = request->userdb->userdb;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	767 const char *cache_key;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	768
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	769 request->private_callback.userdb = callback;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	770 request->userdb_lookup = TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	771
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	772 /* (for now) auth_cache is shared between passdb and userdb */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	773 cache_key = passdb_cache == NULL ? NULL : userdb->cache_key;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	774 if (cache_key != NULL) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	775 struct auth_stream_reply *reply;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	776 enum userdb_result result;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	777
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	778 if (auth_request_lookup_user_cache(request, cache_key, &reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	779 &result, FALSE)) {
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	780 request->userdb_reply = reply;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	781 request->private_callback.userdb(result, request);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	782 return;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	783 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	784 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	785
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	786 if (userdb->blocking)
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	787 userdb_blocking_lookup(request);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	788 else
3658 fc4622b1c1ef Separated userdb_module's interface and the actual data struct. Timo Sirainen <tss@iki.fi> parents: 3657 diff changeset	789 userdb->iface->lookup(request, auth_request_userdb_callback);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	790 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	791
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	792 static char *
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	793 auth_request_fix_username(struct auth_request request, const char username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	794 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	795 {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	796 const struct auth_settings *set = request->set;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	797 unsigned char *p;
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	798 char *user;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	799
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	800 if (*set->default_realm != '\0' &&
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	801 strchr(username, '@') == NULL) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	802 user = p_strconcat(request->pool, username, "@",
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	803 set->default_realm, NULL);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	804 } else {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	805 user = p_strdup(request->pool, username);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	806 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	807
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	808 for (p = (unsigned char )user; p != '\0'; p++) {
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	809 if (set->username_translation_map[*p & 0xff] != 0)
9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	810 p = set->username_translation_map[p & 0xff];
9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	811 if (set->username_chars_map[*p & 0xff] == 0) {
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	812 *error_r = t_strdup_printf(
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	813 "Username contains disallowed character: "
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	814 "0x%02x", *p);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	815 return NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	816 }
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	817 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	818
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	819 if (*set->username_format != '\0') {
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	820 /* username format given, put it through variable expansion.
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	821 we'll have to temporarily replace request->user to get
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	822 %u to be the wanted username */
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	823 const struct var_expand_table *table;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	824 char *old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	825 string_t *dest;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	826
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	827 old_username = request->user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	828 request->user = user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	829
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	830 dest = t_str_new(256);
8597 9f885dbd8157 auth: Removed extra string escaping from places where it's not necessary (or is even harmful). Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	831 table = auth_request_get_var_expand_table(request, NULL);
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	832 var_expand(dest, set->username_format, table);
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	833 user = p_strdup(request->pool, str_c(dest));
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	834
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	835 request->user = old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	836 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	837
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	838 return user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	839 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	840
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	841 bool auth_request_set_username(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	842 const char username, const char *error_r)
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	843 {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	844 const struct auth_settings *set = request->set;
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	845 const char p, login_username = NULL;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	846
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	847 if (*set->master_user_separator != '\0' && !request->userdb_lookup) {
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	848 /* check if the username contains a master user */
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	849 p = strchr(username, *set->master_user_separator);
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	850 if (p != NULL) {
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	851 /* it does, set it. */
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	852 login_username = t_strdup_until(username, p);
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	853
9477 6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	854 if (*login_username == '\0') {
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	855 *error_r = "Empty login username";
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	856 return FALSE;
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	857 }
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	858
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	859 /* username is the master user */
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	860 username = p + 1;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	861 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	862 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	863
6619 2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	864 if (request->original_username == NULL) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	865 /* the username may change later, but we need to use this
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	866 username when verifying at least DIGEST-MD5 password. */
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	867 request->original_username = p_strdup(request->pool, username);
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	868 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	869 if (request->cert_username) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	870 /* cert_username overrides the username given by
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	871 authentication mechanism. */
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	872 return TRUE;
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	873 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	874
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	875 if (*username == '\0') {
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	876 /* Some PAM plugins go nuts with empty usernames */
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	877 *error_r = "Empty username";
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	878 return FALSE;
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	879 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	880
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	881 request->user = auth_request_fix_username(request, username, error_r);
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	882 if (request->user == NULL) {
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	883 auth_request_log_debug(request, "auth",
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	884 "Invalid username: %s", str_sanitize(username, 128));
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	885 return FALSE;
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	886 }
6658 d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	887 if (request->translated_username == NULL) {
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	888 /* similar to original_username, but after translations */
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	889 request->translated_username = request->user;
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	890 }
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	891
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	892 if (login_username != NULL) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	893 if (!auth_request_set_login_username(request,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	894 login_username,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	895 error_r))
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	896 return FALSE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	897 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	898 return TRUE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	899 }
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	900
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	901 bool auth_request_set_login_username(struct auth_request *request,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	902 const char *username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	903 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	904 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	905 i_assert(*username != '\0');
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	906
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	907 if (strcmp(username, request->user) == 0) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	908 /* The usernames are the same, we don't really wish to log
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	909 in as someone else */
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	910 return TRUE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	911 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	912
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	913 /* lookup request->user from masterdb first */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	914 request->passdb = auth_request_get_auth(request)->masterdbs;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	915
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	916 request->requested_login_user =
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	917 auth_request_fix_username(request, username, error_r);
4136 f7731e6eec7e If master login username is the same as the normal username, we don't want Timo Sirainen <tss@iki.fi> parents: 4108 diff changeset	918 return request->requested_login_user != NULL;
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	919 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	920
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	921 static void auth_request_validate_networks(struct auth_request *request,
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	922 const char *networks)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	923 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	924 const char const net;
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	925 struct ip_addr net_ip;
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	926 unsigned int bits;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	927 bool found = FALSE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	928
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	929 if (request->remote_ip.family == 0) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	930 /* IP not known */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	931 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	932 "allow_nets check failed: Remote IP not known");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	933 request->passdb_failure = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	934 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	935 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	936
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	937 for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
4420 1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	938 auth_request_log_debug(request, "auth",
1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	939 "allow_nets: Matching for network %s", *net);
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	940
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	941 if (net_parse_range(*net, &net_ip, &bits) < 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	942 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	943 "allow_nets: Invalid network '%s'", *net);
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	944 }
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	945
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	946 if (net_is_in_network(&request->remote_ip, &net_ip, bits)) {
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	947 found = TRUE;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	948 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	949 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	950 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	951
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	952 if (!found) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	953 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	954 "allow_nets check failed: IP not in allowed networks");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	955 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	956 request->passdb_failure = !found;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	957 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	958
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	959 static void
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	960 auth_request_set_password(struct auth_request request, const char value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	961 const char *default_scheme, bool noscheme)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	962 {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	963 if (request->passdb_password != NULL) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	964 auth_request_log_error(request,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	965 request->passdb->passdb->iface.name,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	966 "Multiple password values not supported");
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	967 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	968 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	969
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	970 /* if the password starts with '{' it most likely contains
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	971 also '}'. check it anyway to make sure, because we
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	972 assert-crash later if it doesn't exist. this could happen
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	973 if plaintext passwords are used. */
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	974 if (*value == '{' && !noscheme && strchr(value, '}') != NULL)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	975 request->passdb_password = p_strdup(request->pool, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	976 else {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	977 i_assert(default_scheme != NULL);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	978 request->passdb_password =
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	979 p_strdup_printf(request->pool, "{%s}%s",
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	980 default_scheme, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	981 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	982 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	983
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	984 static void auth_request_set_reply_field(struct auth_request *request,
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	985 const char name, const char value)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	986 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	987 if (strcmp(name, "nologin") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	988 /* user can't actually login - don't keep this
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	989 reply for master */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	990 request->no_login = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	991 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	992 } else if (strcmp(name, "proxy") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	993 /* we're proxying authentication for this user. send
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	994 password back if using plaintext authentication. */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	995 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	996 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	997 } else if (strcmp(name, "proxy_maybe") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	998 /* like "proxy", but log in normally if we're proxying to
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	999 ourself */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1000 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1001 request->proxy_maybe = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1002 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1003 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1004
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1005 if (request->extra_fields == NULL)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1006 request->extra_fields = auth_stream_reply_init(request->pool);
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1007 auth_stream_reply_add(request->extra_fields, name, value);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1008 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1009
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	1010 void auth_request_set_field(struct auth_request *request,
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	1011 const char name, const char value,
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	1012 const char *default_scheme)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1013 {
8696 20345491824c auth: Using "username" or "domain" passdb fields caused problems with cache and blocking passdbs. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	1014 const char p, orig_value;
6575 d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1015
4017 e2d267e6f930 Check that we don't pass around key=value pairs with empty keys. Timo Sirainen <tss@iki.fi> parents: 3918 diff changeset	1016 i_assert(*name != '\0');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1017 i_assert(value != NULL);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1018
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1019 if (strcmp(name, "password") == 0) {
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1020 auth_request_set_password(request, value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1021 default_scheme, FALSE);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1022 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1023 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1024 if (strcmp(name, "password_noscheme") == 0) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1025 auth_request_set_password(request, value, default_scheme, TRUE);
3397 2db396230881 auth_request_set_field() shouldn't save password to extra_fields. Fixes a Timo Sirainen <tss@iki.fi> parents: 3386 diff changeset	1026 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1027 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1028
6575 d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1029 if (strcmp(name, "user") == 0 \|\|
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1030 strcmp(name, "username") == 0 \|\| strcmp(name, "domain") == 0) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1031 /* update username */
8696 20345491824c auth: Using "username" or "domain" passdb fields caused problems with cache and blocking passdbs. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	1032 orig_value = value;
6575 d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1033 if (strcmp(name, "username") == 0 &&
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1034 strchr(value, '@') == NULL &&
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1035 (p = strchr(request->user, '@')) != NULL) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1036 /* preserve the current @domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1037 value = t_strconcat(value, p, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1038 } else if (strcmp(name, "domain") == 0) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1039 p = strchr(request->user, '@');
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1040 if (p == NULL) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1041 /* add the domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1042 value = t_strconcat(request->user, "@",
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1043 value, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1044 } else {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1045 /* replace the existing domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1046 p = t_strdup_until(request->user, p + 1);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1047 value = t_strconcat(p, value, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1048 }
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1049 }
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1050
3427 3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1051 if (strcmp(request->user, value) != 0) {
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1052 auth_request_log_debug(request, "auth",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1053 "username changed %s -> %s",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1054 request->user, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1055 request->user = p_strdup(request->pool, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1056 }
8696 20345491824c auth: Using "username" or "domain" passdb fields caused problems with cache and blocking passdbs. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	1057 /* restore the original value so it gets saved correctly to
20345491824c auth: Using "username" or "domain" passdb fields caused problems with cache and blocking passdbs. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	1058 cache. */
20345491824c auth: Using "username" or "domain" passdb fields caused problems with cache and blocking passdbs. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	1059 value = orig_value;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1060 } else if (strcmp(name, "nodelay") == 0) {
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1061 /* don't delay replying to client of the failure */
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	1062 request->no_failure_delay = TRUE;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1063 } else if (strcmp(name, "nopassword") == 0) {
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1064 /* NULL password - anything goes */
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1065 const char *password = request->passdb_password;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1066
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1067 if (password != NULL) {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1068 (void)password_get_scheme(&password);
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1069 if (*password != '\0') {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1070 auth_request_log_error(request,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1071 request->passdb->passdb->iface.name,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1072 "nopassword set but password is "
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1073 "non-empty");
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1074 return;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1075 }
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1076 }
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1077 request->no_password = TRUE;
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1078 request->passdb_password = NULL;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1079 } else if (strcmp(name, "allow_nets") == 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1080 auth_request_validate_networks(request, value);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1081 } else if (strncmp(name, "userdb_", 7) == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1082 /* for prefetch userdb */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1083 if (request->userdb_reply == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1084 auth_request_init_userdb_reply(request);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1085 auth_request_set_userdb_field(request, name + 7, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1086 } else {
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1087 /* these fields are returned to client */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1088 auth_request_set_reply_field(request, name, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1089 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1090 }
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	1091
8599 812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1092 if ((passdb_cache != NULL &&
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1093 request->passdb->passdb->cache_key != NULL) \|\| worker) {
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1094 /* we'll need to get this field stored into cache,
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1095 or we're a worker and we'll need to send this to the main
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1096 auth process that can store it in the cache. */
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1097 if (request->extra_cache_fields == NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1098 request->extra_cache_fields =
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1099 auth_stream_reply_init(request->pool);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1100 }
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1101 auth_stream_reply_add(request->extra_cache_fields, name, value);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1102 }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1103 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1104
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1105 void auth_request_set_fields(struct auth_request *request,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1106 const char const fields,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1107 const char *default_scheme)
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1108 {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1109 const char key, value;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1110
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1111 for (; *fields != NULL; fields++) {
5163 39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1112 if (**fields == '\0')
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1113 continue;
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1114
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1115 value = strchr(*fields, '=');
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1116 if (value == NULL) {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1117 key = *fields;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1118 value = "";
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1119 } else {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1120 key = t_strdup_until(*fields, value);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1121 value++;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1122 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1123 auth_request_set_field(request, key, value, default_scheme);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1124 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1125 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1126
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1127 void auth_request_init_userdb_reply(struct auth_request *request)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1128 {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1129 request->userdb_reply = auth_stream_reply_init(request->pool);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1130 auth_stream_reply_add(request->userdb_reply, NULL, request->user);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1131 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1132
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1133 static void
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1134 auth_request_change_userdb_user(struct auth_request request, const char user)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1135 {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1136 const char *str;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1137
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1138 /* replace the username in userdb_reply if it changed */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1139 if (strcmp(user, request->user) == 0)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1140 return;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1141
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1142 str = t_strdup(auth_stream_reply_export(request->userdb_reply));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1143
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1144 /* reset the reply and add the new username */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1145 auth_request_set_field(request, "user", user, NULL);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1146 auth_stream_reply_reset(request->userdb_reply);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1147 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1148 NULL, request->user);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1149
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1150 /* add the rest */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1151 str = strchr(str, '\t');
7394 2d3b9a6d23f5 Changing "user" from userdb crashed. Timo Sirainen <tss@iki.fi> parents: 7389 diff changeset	1152 if (str != NULL)
2d3b9a6d23f5 Changing "user" from userdb crashed. Timo Sirainen <tss@iki.fi> parents: 7389 diff changeset	1153 auth_stream_reply_import(request->userdb_reply, str + 1);
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1154 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1155
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1156 static void auth_request_set_uidgid_file(struct auth_request *request,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1157 const char *path_template)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1158 {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1159 string_t *path;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1160 struct stat st;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1161
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1162 path = t_str_new(256);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1163 var_expand(path, path_template,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1164 auth_request_get_var_expand_table(request, NULL));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1165 if (stat(str_c(path), &st) < 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1166 auth_request_log_error(request, "uidgid_file",
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1167 "stat(%s) failed: %m", str_c(path));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1168 } else {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1169 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1170 "uid", dec2str(st.st_uid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1171 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1172 "gid", dec2str(st.st_gid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1173 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1174 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1175
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1176 void auth_request_set_userdb_field(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1177 const char name, const char value)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1178 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1179 uid_t uid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1180 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1181
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1182 if (strcmp(name, "uid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1183 uid = userdb_parse_uid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1184 if (uid == (uid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1185 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1186 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1187 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1188 value = dec2str(uid);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1189 } else if (strcmp(name, "gid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1190 gid = userdb_parse_gid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1191 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1192 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1193 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1194 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1195 value = dec2str(gid);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1196 } else if (strcmp(name, "user") == 0) {
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1197 auth_request_change_userdb_user(request, value);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1198 return;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1199 } else if (strcmp(name, "uidgid_file") == 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1200 auth_request_set_uidgid_file(request, value);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1201 return;
8163 498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1202 } else if (strcmp(name, "userdb_import") == 0) {
498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1203 auth_stream_reply_import(request->userdb_reply, value);
498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1204 return;
8768 91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1205 } else if (strcmp(name, "system_user") == 0) {
91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1206 /* FIXME: the system_user is for backwards compatibility */
91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1207 name = "system_groups_user";
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1208 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1209
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1210 auth_stream_reply_add(request->userdb_reply, name, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1211 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1212
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1213 void auth_request_set_userdb_field_values(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1214 const char *name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1215 const char const values)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1216 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1217 if (*values == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1218 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1219
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1220 if (strcmp(name, "uid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1221 /* there can be only one. use the first one. */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1222 auth_request_set_userdb_field(request, name, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1223 } else if (strcmp(name, "gid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1224 /* convert gids to comma separated list */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1225 string_t *value;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1226 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1227
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1228 value = t_str_new(128);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1229 for (; *values != NULL; values++) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1230 gid = userdb_parse_gid(request, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1231 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1232 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1233 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1234 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1235
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1236 if (str_len(value) > 0)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1237 str_append_c(value, ',');
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1238 str_append(value, dec2str(gid));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1239 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1240 auth_stream_reply_add(request->userdb_reply, name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1241 str_c(value));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1242 } else {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1243 /* add only one */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1244 auth_request_set_userdb_field(request, name, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1245 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1246 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1247
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1248 static bool auth_request_proxy_is_self(struct auth_request *request)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1249 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1250 const char const tmp, host = NULL, port = NULL, *destuser = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1251 struct ip_addr ip;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1252
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1253 tmp = auth_stream_split(request->extra_fields);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1254 for (; *tmp != NULL; tmp++) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1255 if (strncmp(*tmp, "host=", 5) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1256 host = *tmp + 5;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1257 else if (strncmp(*tmp, "port=", 5) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1258 port = *tmp + 5;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1259 if (strncmp(*tmp, "destuser=", 9) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1260 destuser = *tmp + 9;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1261 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1262
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1263 if (host == NULL \|\| net_addr2ip(host, &ip) < 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1264 /* broken setup */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1265 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1266 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1267 if (!net_ip_compare(&ip, &request->local_ip))
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1268 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1269
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1270 if (port != NULL && (unsigned int)atoi(port) != request->local_port)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1271 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1272 return destuser == NULL \|\|
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1273 strcmp(destuser, request->original_username) == 0;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1274 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1275
7123 25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1276 void auth_request_proxy_finish(struct auth_request *request, bool success)
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1277 {
7123 25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1278 if (!request->proxy \|\| request->no_login)
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1279 return;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1280
7123 25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1281 if (!success) {
25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1282 /* drop all proxy fields */
7278 27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1283 } else if (!request->proxy_maybe) {
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1284 /* proxying */
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1285 request->no_login = TRUE;
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1286 return;
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1287 } else if (!auth_request_proxy_is_self(request)) {
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1288 /* proxy destination isn't ourself - proxy */
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1289 auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1290 auth_stream_reply_add(request->extra_fields, "proxy", NULL);
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1291 request->no_login = TRUE;
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1292 return;
7123 25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1293 } else {
25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1294 /* proxying to ourself - log in without proxying by dropping
25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1295 all the proxying fields. */
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1296 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1297 auth_stream_reply_remove(request->extra_fields, "proxy");
7278 27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1298 auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1299 auth_stream_reply_remove(request->extra_fields, "host");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1300 auth_stream_reply_remove(request->extra_fields, "port");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1301 auth_stream_reply_remove(request->extra_fields, "destuser");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1302 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1303
10542 de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1304 static void log_password_failure(struct auth_request *request,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1305 const char *plain_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1306 const char *crypted_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1307 const char scheme, const char user,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1308 const char *subsystem)
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1309 {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1310 static bool scheme_ok = FALSE;
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1311 string_t *str = t_str_new(256);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1312 const char *working_scheme;
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1313
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1314 str_printfa(str, "%s(%s) != '%s'", scheme,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1315 plain_password, crypted_password);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1316
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1317 if (!scheme_ok) {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1318 /* perhaps the scheme is wrong - see if we can find
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1319 a working one */
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1320 working_scheme = password_scheme_detect(plain_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1321 crypted_password, user);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1322 if (working_scheme != NULL) {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1323 str_printfa(str, ", try %s scheme instead",
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1324 working_scheme);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1325 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1326 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1327
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1328 auth_request_log_debug(request, subsystem, "%s", str_c(str));
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1329 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1330
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1331 void auth_request_log_password_mismatch(struct auth_request *request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1332 const char *subsystem)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1333 {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1334 string_t *str;
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1335 const char *log_type = request->set->verbose_passwords;
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1336
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1337 if (strcmp(log_type, "no") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1338 auth_request_log_info(request, subsystem, "Password mismatch");
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1339 return;
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1340 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1341
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1342 str = t_str_new(128);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1343 get_log_prefix(str, request, subsystem);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1344 str_append(str, "Password mismatch ");
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1345
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1346 if (strcmp(log_type, "plain") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1347 str_printfa(str, "(given password: %s)",
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1348 request->mech_password);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1349 } else if (strcmp(log_type, "sha1") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1350 unsigned char sha1[SHA1_RESULTLEN];
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1351
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1352 sha1_get_digest(request->mech_password,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1353 strlen(request->mech_password), sha1);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1354 str_printfa(str, "(SHA1 of given password: %s)",
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1355 binary_to_hex(sha1, sizeof(sha1)));
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1356 } else {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1357 i_unreached();
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1358 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1359
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1360 i_info("%s", str_c(str));
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1361 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1362
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1363 int auth_request_password_verify(struct auth_request *request,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1364 const char *plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1365 const char *crypted_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1366 const char scheme, const char subsystem)
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1367 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1368 const unsigned char *raw_password;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1369 size_t raw_password_size;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1370 int ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1371
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1372 if (request->skip_password_check) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1373 /* currently this can happen only with master logins */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1374 i_assert(request->master_user != NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1375 return 1;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1376 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1377
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1378 if (request->passdb->set->deny) {
4689 80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1379 /* this is a deny database, we don't care about the password */
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1380 return 0;
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1381 }
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1382
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1383 if (request->no_password) {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1384 auth_request_log_info(request, subsystem, "No password");
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1385 return 1;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1386 }
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1387
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1388 ret = password_decode(crypted_password, scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1389 &raw_password, &raw_password_size);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1390 if (ret <= 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1391 if (ret < 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1392 auth_request_log_error(request, subsystem,
9383 513691dbe21c auth: Improved "Password not in expected scheme" error message. Timo Sirainen <tss@iki.fi> parents: 9219 diff changeset	1393 "Password in passdb is not in expected scheme %s",
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1394 scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1395 } else {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1396 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1397 "Unknown scheme %s", scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1398 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1399 return -1;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1400 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1401
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	1402 /* Use original_username since it may be important for some
4872 07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1403 password schemes (eg. digest-md5). Otherwise the username is used
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1404 only for logging purposes. */
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	1405 ret = password_verify(plain_password, request->original_username,
fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	1406 scheme, raw_password, raw_password_size);
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1407 i_assert(ret >= 0);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1408 if (ret == 0) {
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1409 auth_request_log_password_mismatch(request, subsystem);
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1410 if (request->set->debug_passwords) T_BEGIN {
10542 de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1411 log_password_failure(request, plain_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1412 crypted_password, scheme,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1413 request->original_username,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1414 subsystem);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1415 } T_END;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1416 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1417 return ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1418 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1419
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1420 static const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1421 escape_none(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1422 const struct auth_request *request ATTR_UNUSED)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1423 {
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1424 return string;
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1425 }
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1426
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1427 const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1428 auth_request_str_escape(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1429 const struct auth_request *request ATTR_UNUSED)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1430 {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1431 return str_escape(string);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1432 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1433
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1434 const struct var_expand_table *
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1435 auth_request_get_var_expand_table(const struct auth_request *auth_request,
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1436 auth_request_escape_func_t *escape_func)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1437 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1438 static struct var_expand_table static_tab[] = {
8544 983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1439 { 'u', NULL, "user" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1440 { 'n', NULL, "username" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1441 { 'd', NULL, "domain" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1442 { 's', NULL, "service" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1443 { 'h', NULL, "home" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1444 { 'l', NULL, "lip" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1445 { 'r', NULL, "rip" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1446 { 'p', NULL, "pid" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1447 { 'w', NULL, "password" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1448 { '!', NULL, NULL },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1449 { 'm', NULL, "mech" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1450 { 'c', NULL, "secured" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1451 { 'a', NULL, "lport" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1452 { 'b', NULL, "rport" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1453 { 'k', NULL, "cert" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1454 { '\0', NULL, NULL }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1455 };
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1456 struct var_expand_table *tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1457
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1458 if (escape_func == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1459 escape_func = escape_none;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1460
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1461 tab = t_malloc(sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1462 memcpy(tab, static_tab, sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1463
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1464 tab[0].value = escape_func(auth_request->user, auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1465 tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1466 auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1467 tab[2].value = strchr(auth_request->user, '@');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1468 if (tab[2].value != NULL)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1469 tab[2].value = escape_func(tab[2].value+1, auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1470 tab[3].value = auth_request->service;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1471 /* tab[4] = we have no home dir */
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1472 if (auth_request->local_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1473 tab[5].value = net_ip2addr(&auth_request->local_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1474 if (auth_request->remote_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1475 tab[6].value = net_ip2addr(&auth_request->remote_ip);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	1476 tab[7].value = dec2str(auth_request->client_pid);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1477 if (auth_request->mech_password != NULL) {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1478 tab[8].value = escape_func(auth_request->mech_password,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1479 auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1480 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1481 if (auth_request->userdb_lookup) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1482 tab[9].value = auth_request->userdb == NULL ? "" :
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1483 dec2str(auth_request->userdb->userdb->id);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1484 } else {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1485 tab[9].value = auth_request->passdb == NULL ? "" :
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1486 dec2str(auth_request->passdb->passdb->id);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1487 }
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	1488 tab[10].value = auth_request->mech_name == NULL ? "" :
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	1489 auth_request->mech_name;
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1490 tab[11].value = auth_request->secured ? "secured" : "";
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1491 tab[12].value = dec2str(auth_request->local_port);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1492 tab[13].value = dec2str(auth_request->remote_port);
8320 d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	1493 tab[14].value = auth_request->valid_client_cert ? "valid" : "";
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1494 return tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1495 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1496
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1497 static void get_log_prefix(string_t str, struct auth_request auth_request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1498 const char *subsystem)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1499 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1500 #define MAX_LOG_USERNAME_LEN 64
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1501 const char *ip;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1502
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1503 str_append(str, subsystem);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1504 str_append_c(str, '(');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1505
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1506 if (auth_request->user == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1507 str_append(str, "?");
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1508 else {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1509 str_sanitize_append(str, auth_request->user,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1510 MAX_LOG_USERNAME_LEN);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1511 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1512
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1513 ip = net_ip2addr(&auth_request->remote_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1514 if (ip != NULL) {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1515 str_append_c(str, ',');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1516 str_append(str, ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1517 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1518 if (auth_request->requested_login_user != NULL)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1519 str_append(str, ",master");
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1520 str_append(str, "): ");
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1521 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1522
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1523 static const char * ATTR_FORMAT(3, 0)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1524 get_log_str(struct auth_request auth_request, const char subsystem,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1525 const char *format, va_list va)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1526 {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1527 string_t *str;
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1528
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1529 str = t_str_new(128);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1530 get_log_prefix(str, auth_request, subsystem);
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1531 str_vprintfa(str, format, va);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1532 return str_c(str);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1533 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1534
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1535 void auth_request_log_debug(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1536 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1537 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1538 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1539 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1540
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1541 if (!auth_request->set->debug)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1542 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1543
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1544 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1545 T_BEGIN {
10082 62b37dcf173e Log debug-level messages with i_debug(). Pascal Volk <user@localhost.localdomain.org> parents: 9477 diff changeset	1546 i_debug("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1547 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1548 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1549 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1550
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1551 void auth_request_log_info(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1552 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1553 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1554 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1555 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1556
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1557 if (!auth_request->set->verbose)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1558 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1559
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1560 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1561 T_BEGIN {
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1562 i_info("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1563 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1564 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1565 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1566
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1567 void auth_request_log_error(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1568 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1569 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1570 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1571 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1572
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1573 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1574 T_BEGIN {
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1575 i_error("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1576 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1577 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1578 }
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1579
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1580 void auth_request_refresh_last_access(struct auth_request *request)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1581 {
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1582 request->last_access = ioloop_time;
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1583 if (request->to_abort != NULL)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1584 timeout_reset(request->to_abort);
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1585 }

Mercurial > dovecot > core-2.2

annotate src/auth/auth-request.c @ 10903:6e639833c3fc HEAD