Mercurial > dovecot > core-2.2
annotate src/auth/auth-request.h @ 14163:716769cfbb1d
auth: Added proxy_always extra field.
When used with proxy_maybe, it can be used to redirect "local" users to
local backends via director.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sat, 25 Feb 2012 07:08:27 +0200 |
parents | da43dc494753 |
children | f5aa38f0a9ac e5ed29ef593e |
rev | line source |
---|---|
6410
e4eb71ae8e96
Changed .h ifdef/defines to use <NAME>_H format.
Timo Sirainen <tss@iki.fi>
parents:
5882
diff
changeset
|
1 #ifndef AUTH_REQUEST_H |
e4eb71ae8e96
Changed .h ifdef/defines to use <NAME>_H format.
Timo Sirainen <tss@iki.fi>
parents:
5882
diff
changeset
|
2 #define AUTH_REQUEST_H |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 #include "network.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 #include "mech.h" |
3068 | 6 #include "userdb.h" |
7 #include "passdb.h" | |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
8 |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 struct auth_client_connection; |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
10 |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
11 enum auth_request_state { |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
12 AUTH_REQUEST_STATE_NEW, |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
13 AUTH_REQUEST_STATE_PASSDB, |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
14 AUTH_REQUEST_STATE_MECH_CONTINUE, |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
15 AUTH_REQUEST_STATE_FINISHED, |
11251
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
16 AUTH_REQUEST_STATE_USERDB, |
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
17 |
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
18 AUTH_REQUEST_STATE_MAX |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
19 }; |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
20 |
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
21 typedef const char * |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
22 auth_request_escape_func_t(const char *string, |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
23 const struct auth_request *auth_request); |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
24 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
25 struct auth_request { |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
26 int refcount; |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
27 |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
28 pool_t pool; |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
29 enum auth_request_state state; |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
30 /* user contains the user who is being authenticated. |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
31 When master user is logging in as someone else, it gets more |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
32 complicated. Initially user is set to master's username and the |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
33 requested_login_user is set to destination username. After masterdb |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
34 has validated user as a valid master user, master_user is set to |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
35 user and user is set to requested_login_user. */ |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
36 char *user, *requested_login_user, *master_user; |
4054
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4033
diff
changeset
|
37 /* original_username contains the username exactly as given by the |
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4033
diff
changeset
|
38 client. this is needed at least with DIGEST-MD5 for password |
6619
2a36e7d9ddb6
Don't keep master username in original_username.
Timo Sirainen <tss@iki.fi>
parents:
6411
diff
changeset
|
39 verification. however with master logins the master username has |
2a36e7d9ddb6
Don't keep master username in original_username.
Timo Sirainen <tss@iki.fi>
parents:
6411
diff
changeset
|
40 been dropped from it. */ |
4054
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4033
diff
changeset
|
41 const char *original_username; |
6658
d22888a77a1e
Auth cache didn't work for usernames that got translated internally.
Timo Sirainen <tss@iki.fi>
parents:
6619
diff
changeset
|
42 /* the username after doing all internal translations, but before |
d22888a77a1e
Auth cache didn't work for usernames that got translated internally.
Timo Sirainen <tss@iki.fi>
parents:
6619
diff
changeset
|
43 being changed by a db lookup */ |
d22888a77a1e
Auth cache didn't work for usernames that got translated internally.
Timo Sirainen <tss@iki.fi>
parents:
6619
diff
changeset
|
44 const char *translated_username; |
8766
888f57b1bf9c
DIGEST-MD5: Fixed authentication with user@domain usernames.
Timo Sirainen <tss@iki.fi>
parents:
8765
diff
changeset
|
45 /* realm for the request, may be specified by some auth mechanisms */ |
888f57b1bf9c
DIGEST-MD5: Fixed authentication with user@domain usernames.
Timo Sirainen <tss@iki.fi>
parents:
8765
diff
changeset
|
46 const char *realm; |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
47 char *mech_password; /* set if verify_plain() is called */ |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
48 char *passdb_password; /* set after password lookup if successful */ |
4033 | 49 /* extra_fields are returned in authentication reply. Fields prefixed |
50 with "userdb_" are skipped. If prefetch userdb is used, it uses | |
51 the "userdb_" prefixed fields. */ | |
3520 | 52 struct auth_stream_reply *extra_fields; |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
53 /* extra_fields that aren't supposed to be sent to the client, but |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
54 are supposed to be stored to auth cache. */ |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
55 struct auth_stream_reply *extra_cache_fields; |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
56 /* the whole userdb result reply */ |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
57 struct auth_stream_reply *userdb_reply; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
58 |
5788
bdb16967be64
Further const'ification of struct mech_module.
Andrey Panin <pazke@donpac.ru>
parents:
5598
diff
changeset
|
59 const struct mech_module *mech; |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
60 const struct auth_settings *set; |
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
61 struct auth_passdb *passdb; |
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
62 struct auth_userdb *userdb; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
63 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
64 /* passdb lookups have a handler, userdb lookups don't */ |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
65 struct auth_request_handler *handler; |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
66 struct auth_master_connection *master; |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
67 |
3074 | 68 unsigned int connect_uid; |
69 unsigned int client_pid; | |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
70 unsigned int id; |
5586
dad0e22b735a
Changed auth_request->created to last_access and update it a bit more often.
Timo Sirainen <tss@iki.fi>
parents:
5475
diff
changeset
|
71 time_t last_access; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
72 |
8111
d49bdda63506
auth: %m variable didn't work with blocking passdbs
Timo Sirainen <tss@iki.fi>
parents:
7388
diff
changeset
|
73 const char *service, *mech_name; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
74 struct ip_addr local_ip, remote_ip; |
5882
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5872
diff
changeset
|
75 unsigned int local_port, remote_port; |
3074 | 76 |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
77 struct timeout *to_abort, *to_penalty; |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
8766
diff
changeset
|
78 unsigned int last_penalty; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
8766
diff
changeset
|
79 unsigned int initial_response_len; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
8766
diff
changeset
|
80 const unsigned char *initial_response; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
8766
diff
changeset
|
81 |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
82 union { |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
83 verify_plain_callback_t *verify_plain; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
84 lookup_credentials_callback_t *lookup_credentials; |
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
85 set_credentials_callback_t *set_credentials; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
86 userdb_callback_t *userdb; |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
87 } private_callback; |
5593
f8dc0bdb06a7
Removed enum passdb_credentials. Use scheme strings directly instead. This
Timo Sirainen <tss@iki.fi>
parents:
5586
diff
changeset
|
88 const char *credentials_scheme; |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
89 |
3074 | 90 void *context; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
91 |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
92 unsigned int successful:1; |
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
93 unsigned int passdb_failure:1; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
94 unsigned int internal_failure:1; |
12489
627aeadb0955
auth: passdb credentials lookup fix when using multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
95 unsigned int passdb_user_unknown:1; |
3606
8a8352cda514
If passdb lookup fails with internal error, try other passdbs anyway before
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
96 unsigned int passdb_internal_failure:1; |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
97 unsigned int userdb_internal_failure:1; |
3074 | 98 unsigned int delayed_failure:1; |
8766
888f57b1bf9c
DIGEST-MD5: Fixed authentication with user@domain usernames.
Timo Sirainen <tss@iki.fi>
parents:
8765
diff
changeset
|
99 unsigned int domain_is_realm:1; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
100 unsigned int accept_input:1; |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
101 unsigned int no_failure_delay:1; |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
102 unsigned int no_login:1; |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
103 unsigned int no_password:1; |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
104 unsigned int skip_password_check:1; |
8765
d69763bee853
auth workers: Return plaintext credentials to parent process if possible, so it gets cached instead of some other scheme.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
105 unsigned int prefer_plain_credentials:1; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
106 unsigned int proxy:1; |
7122
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
6658
diff
changeset
|
107 unsigned int proxy_maybe:1; |
14163
716769cfbb1d
auth: Added proxy_always extra field.
Timo Sirainen <tss@iki.fi>
parents:
14155
diff
changeset
|
108 unsigned int proxy_always:1; |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
109 unsigned int proxy_host_is_self:1; |
8320
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
8111
diff
changeset
|
110 unsigned int valid_client_cert:1; |
12812
bf6749d4db08
auth: Allow clients to specify that they want to skip auth penalty check.
Timo Sirainen <tss@iki.fi>
parents:
12794
diff
changeset
|
111 unsigned int no_penalty:1; |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3606
diff
changeset
|
112 unsigned int cert_username:1; |
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4880
diff
changeset
|
113 unsigned int userdb_lookup:1; |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
114 unsigned int userdb_lookup_failed:1; |
5260
0d72eb2ed8af
Added %c variable which expands to "secured" with SSL/TLS/localhost.
Timo Sirainen <tss@iki.fi>
parents:
5153
diff
changeset
|
115 unsigned int secured:1; |
13765
f2608c3a64ee
auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1
Timo Sirainen <tss@iki.fi>
parents:
13728
diff
changeset
|
116 unsigned int final_resp_ok:1; |
12211
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
117 unsigned int removed_from_handler:1; |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3606
diff
changeset
|
118 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
119 /* ... mechanism specific data ... */ |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
120 }; |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
121 |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
122 typedef void auth_request_proxy_cb_t(bool success, struct auth_request *); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
123 |
11255 | 124 extern unsigned int auth_request_state_count[AUTH_REQUEST_STATE_MAX]; |
11251
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
125 |
3074 | 126 struct auth_request * |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
127 auth_request_new(const struct mech_module *mech); |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
128 struct auth_request *auth_request_new_dummy(void); |
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
129 void auth_request_init(struct auth_request *request); |
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
130 struct auth *auth_request_get_auth(struct auth_request *request); |
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
131 |
11251
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
132 void auth_request_set_state(struct auth_request *request, |
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
133 enum auth_request_state state); |
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
134 |
3074 | 135 void auth_request_ref(struct auth_request *request); |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
136 void auth_request_unref(struct auth_request **request); |
3074 | 137 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
138 void auth_request_success(struct auth_request *request, |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
139 const void *data, size_t data_size); |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
140 void auth_request_fail(struct auth_request *request); |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
141 void auth_request_internal_failure(struct auth_request *request); |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
142 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7123
diff
changeset
|
143 void auth_request_export(struct auth_request *request, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7123
diff
changeset
|
144 struct auth_stream_reply *reply); |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
145 bool auth_request_import(struct auth_request *request, |
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
146 const char *key, const char *value); |
13728
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
12812
diff
changeset
|
147 bool auth_request_import_info(struct auth_request *request, |
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
12812
diff
changeset
|
148 const char *key, const char *value); |
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
12812
diff
changeset
|
149 bool auth_request_import_auth(struct auth_request *request, |
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
12812
diff
changeset
|
150 const char *key, const char *value); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
151 |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
8766
diff
changeset
|
152 void auth_request_initial(struct auth_request *request); |
3068 | 153 void auth_request_continue(struct auth_request *request, |
3071 | 154 const unsigned char *data, size_t data_size); |
3068 | 155 |
156 void auth_request_verify_plain(struct auth_request *request, | |
157 const char *password, | |
158 verify_plain_callback_t *callback); | |
159 void auth_request_lookup_credentials(struct auth_request *request, | |
5593
f8dc0bdb06a7
Removed enum passdb_credentials. Use scheme strings directly instead. This
Timo Sirainen <tss@iki.fi>
parents:
5586
diff
changeset
|
160 const char *scheme, |
3068 | 161 lookup_credentials_callback_t *callback); |
162 void auth_request_lookup_user(struct auth_request *request, | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
163 userdb_callback_t *callback); |
3068 | 164 |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
165 bool auth_request_set_username(struct auth_request *request, |
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
166 const char *username, const char **error_r); |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
167 bool auth_request_set_login_username(struct auth_request *request, |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
168 const char *username, |
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
3918
diff
changeset
|
169 const char **error_r); |
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
170 |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
171 void auth_request_set_field(struct auth_request *request, |
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3185
diff
changeset
|
172 const char *name, const char *value, |
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3185
diff
changeset
|
173 const char *default_scheme); |
5153
83f361144a8a
Added auth_request_set_fields() and used it instead of duplicating the code
Timo Sirainen <tss@iki.fi>
parents:
5129
diff
changeset
|
174 void auth_request_set_fields(struct auth_request *request, |
83f361144a8a
Added auth_request_set_fields() and used it instead of duplicating the code
Timo Sirainen <tss@iki.fi>
parents:
5129
diff
changeset
|
175 const char *const *fields, |
83f361144a8a
Added auth_request_set_fields() and used it instead of duplicating the code
Timo Sirainen <tss@iki.fi>
parents:
5129
diff
changeset
|
176 const char *default_scheme); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
177 |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
178 void auth_request_init_userdb_reply(struct auth_request *request); |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
179 void auth_request_set_userdb_field(struct auth_request *request, |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
180 const char *name, const char *value); |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
181 void auth_request_set_userdb_field_values(struct auth_request *request, |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
182 const char *name, |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
183 const char *const *values); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
184 /* returns -1 = failed, 0 = callback is called later, 1 = finished */ |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
185 int auth_request_proxy_finish(struct auth_request *request, |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
186 auth_request_proxy_cb_t *callback); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
13765
diff
changeset
|
187 void auth_request_proxy_finish_failure(struct auth_request *request); |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
188 |
10585
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10301
diff
changeset
|
189 void auth_request_log_password_mismatch(struct auth_request *request, |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10301
diff
changeset
|
190 const char *subsystem); |
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
191 int auth_request_password_verify(struct auth_request *request, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
192 const char *plain_password, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
193 const char *crypted_password, |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
194 const char *scheme, const char *subsystem); |
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
195 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
196 const struct var_expand_table * |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
197 auth_request_get_var_expand_table(const struct auth_request *auth_request, |
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
198 auth_request_escape_func_t *escape_func); |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
199 const char *auth_request_str_escape(const char *string, |
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
200 const struct auth_request *request); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
201 |
3069 | 202 void auth_request_log_debug(struct auth_request *auth_request, |
203 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
204 const char *format, ...) ATTR_FORMAT(3, 4); |
3069 | 205 void auth_request_log_info(struct auth_request *auth_request, |
206 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
207 const char *format, ...) ATTR_FORMAT(3, 4); |
12794
946d1cd3300b
auth: Log a warning if ldap attribute has unexpectedly multiple values.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
208 void auth_request_log_warning(struct auth_request *auth_request, |
946d1cd3300b
auth: Log a warning if ldap attribute has unexpectedly multiple values.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
209 const char *subsystem, |
946d1cd3300b
auth: Log a warning if ldap attribute has unexpectedly multiple values.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
210 const char *format, ...); |
3069 | 211 void auth_request_log_error(struct auth_request *auth_request, |
212 const char *subsystem, | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6410
diff
changeset
|
213 const char *format, ...) ATTR_FORMAT(3, 4); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
214 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
215 void auth_request_verify_plain_callback(enum passdb_result result, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
216 struct auth_request *request); |
5475
769aaaee6821
Reverted accidental commit. This code isn't ready yet.
Timo Sirainen <tss@iki.fi>
parents:
5462
diff
changeset
|
217 void auth_request_lookup_credentials_callback(enum passdb_result result, |
5598
971050640e3b
All password schemes can now be encoded with base64 or hex. The encoding is
Timo Sirainen <tss@iki.fi>
parents:
5593
diff
changeset
|
218 const unsigned char *credentials, |
971050640e3b
All password schemes can now be encoded with base64 or hex. The encoding is
Timo Sirainen <tss@iki.fi>
parents:
5593
diff
changeset
|
219 size_t size, |
5475
769aaaee6821
Reverted accidental commit. This code isn't ready yet.
Timo Sirainen <tss@iki.fi>
parents:
5462
diff
changeset
|
220 struct auth_request *request); |
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
221 void auth_request_set_credentials(struct auth_request *request, |
5593
f8dc0bdb06a7
Removed enum passdb_credentials. Use scheme strings directly instead. This
Timo Sirainen <tss@iki.fi>
parents:
5586
diff
changeset
|
222 const char *scheme, const char *data, |
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
223 set_credentials_callback_t *callback); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4782
diff
changeset
|
224 void auth_request_userdb_callback(enum userdb_result result, |
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
225 struct auth_request *request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
226 |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
227 void auth_request_refresh_last_access(struct auth_request *request); |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
228 |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
229 #endif |