dovecot/core-2.2: src/auth/auth-request.c annotate

annotate src/auth/auth-request.c @ 5598:971050640e3b HEAD

All password schemes can now be encoded with base64 or hex. The encoding is ".b64", ".base64" or ".hex" suffix in the scheme, eg. {plain.b64}. Password scheme verification function can now be set to NULL, in which case the verification is done by generating a new crypted password from given plaintext password and comparing it.

author	Timo Sirainen <tss@iki.fi>
date	Sun, 13 May 2007 15:17:09 +0300
parents	f8dc0bdb06a7
children	121af23cfc65

rev	line source
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1 /* Copyright (C) 2002-2005 Timo Sirainen */
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	2
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	3 #include "common.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	4 #include "ioloop.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "buffer.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "hash.h"
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	7 #include "hex-binary.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	8 #include "str.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	9 #include "safe-memset.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "str-sanitize.h"
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	11 #include "strescape.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	12 #include "var-expand.h"
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	13 #include "auth-cache.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	14 #include "auth-request.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	15 #include "auth-client-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #include "auth-master-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	17 #include "passdb.h"
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	18 #include "passdb-blocking.h"
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	19 #include "userdb-blocking.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	20 #include "passdb-cache.h"
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	21 #include "password-scheme.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	22
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	23 #include <stdlib.h>
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	24
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	25 struct auth_request *
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	26 auth_request_new(struct auth auth, struct mech_module mech,
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	27 mech_callback_t callback, void context)
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	28 {
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	29 struct auth_request *request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	30
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	31 request = mech->auth_new();
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	32 request->state = AUTH_REQUEST_STATE_NEW;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	33 request->passdb = auth->passdbs;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	34 request->userdb = auth->userdbs;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	35
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	36 request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	37 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	38
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	39 request->auth = auth;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	40 request->mech = mech;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	41 request->callback = callback;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	42 request->context = context;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	43 return request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	44 }
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	45
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	46 struct auth_request auth_request_new_dummy(struct auth auth)
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	47 {
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	48 struct auth_request *auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	49 pool_t pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	50
3695 4f8598b0ca62 Use a bit larger initial pool sizes Timo Sirainen <tss@iki.fi> parents: 3687 diff changeset	51 pool = pool_alloconly_create("auth_request", 1024);
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	52 auth_request = p_new(pool, struct auth_request, 1);
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	53 auth_request->pool = pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	54
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	55 auth_request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	56 auth_request->last_access = ioloop_time;
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	57 auth_request->auth = auth;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	58 auth_request->passdb = auth->passdbs;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	59 auth_request->userdb = auth->userdbs;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	60
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	61 return auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	62 }
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	63
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	64 void auth_request_success(struct auth_request *request,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	65 const void *data, size_t data_size)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	66 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	67 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	68
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	69 if (request->passdb_failure) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	70 /* password was valid, but some other check failed. */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	71 auth_request_fail(request);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	72 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	73 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	74
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	75 request->state = AUTH_REQUEST_STATE_FINISHED;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	76 request->successful = TRUE;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	77 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	78 request->callback(request, AUTH_CLIENT_RESULT_SUCCESS,
3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	79 data, data_size);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	80 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	81
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	82 void auth_request_fail(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	83 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	84 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	85
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	86 request->state = AUTH_REQUEST_STATE_FINISHED;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	87 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	88 request->callback(request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	89 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	90
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	91 void auth_request_internal_failure(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	92 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	93 request->internal_failure = TRUE;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	94 auth_request_fail(request);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	95 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	96
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	97 void auth_request_ref(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	98 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	99 request->refcount++;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	100 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	101
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	102 void auth_request_unref(struct auth_request **_request)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	103 {
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	104 struct auth_request request = _request;
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	105
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	106 *_request = NULL;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	107 i_assert(request->refcount > 0);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	108 if (--request->refcount > 0)
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	109 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	110
3386 e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	111 if (request->mech != NULL)
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	112 request->mech->auth_free(request);
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	113 else
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	114 pool_unref(request->pool);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	115 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	116
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	117 void auth_request_export(struct auth_request request, string_t str)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	118 {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	119 str_append(str, "user=");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	120 str_append(str, request->user);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	121 str_append(str, "\tservice=");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	122 str_append(str, request->service);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	123
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	124 if (request->master_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	125 str_append(str, "master_user=");
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	126 str_append(str, request->master_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	127 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	128
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	129 if (request->local_ip.family != 0) {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	130 str_append(str, "\tlip=");
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	131 str_append(str, net_ip2addr(&request->local_ip));
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	132 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	133 if (request->remote_ip.family != 0) {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	134 str_append(str, "\trip=");
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	135 str_append(str, net_ip2addr(&request->remote_ip));
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	136 }
5585 e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	137 if (request->secured)
e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	138 str_append(str, "\tsecured=1");
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	139 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	140
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	141 bool auth_request_import(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	142 const char key, const char value)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	143 {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	144 if (strcmp(key, "user") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	145 request->user = p_strdup(request->pool, value);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	146 else if (strcmp(key, "master_user") == 0)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	147 request->master_user = p_strdup(request->pool, value);
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	148 else if (strcmp(key, "cert_username") == 0) {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	149 if (request->auth->ssl_username_from_cert) {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	150 /* get username from SSL certificate. it overrides
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	151 the username given by the auth mechanism. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	152 request->user = p_strdup(request->pool, value);
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	153 request->cert_username = TRUE;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	154 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	155 } else if (strcmp(key, "service") == 0)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	156 request->service = p_strdup(request->pool, value);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	157 else if (strcmp(key, "lip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	158 net_addr2ip(value, &request->local_ip);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	159 else if (strcmp(key, "rip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	160 net_addr2ip(value, &request->remote_ip);
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	161 else if (strcmp(key, "secured") == 0)
0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	162 request->secured = TRUE;
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	163 else
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	164 return FALSE;
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	165
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	166 return TRUE;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	167 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	168
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	169 void auth_request_initial(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	170 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	171 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	172 i_assert(request->state == AUTH_REQUEST_STATE_NEW);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	173
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	174 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	175 request->mech->auth_initial(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	176 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	177
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	178 void auth_request_continue(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	179 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	180 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	181 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	182
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	183 request->last_access = ioloop_time;
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	184 request->mech->auth_continue(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	185 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	186
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	187 static void auth_request_save_cache(struct auth_request *request,
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	188 enum passdb_result result)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	189 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	190 struct passdb_module *passdb = request->passdb->passdb;
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	191 const char *extra_fields;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	192 string_t *str;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	193
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	194 switch (result) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	195 case PASSDB_RESULT_USER_UNKNOWN:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	196 case PASSDB_RESULT_PASSWORD_MISMATCH:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	197 case PASSDB_RESULT_OK:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	198 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	199 /* can be cached */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	200 break;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	201 case PASSDB_RESULT_USER_DISABLED:
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	202 case PASSDB_RESULT_PASS_EXPIRED:
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	203 /* FIXME: we can't cache this now, or cache lookup would
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	204 return success. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	205 return;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	206 case PASSDB_RESULT_INTERNAL_FAILURE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	207 i_unreached();
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	208 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	209
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	210 extra_fields = request->extra_fields == NULL ? NULL :
e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	211 auth_stream_reply_export(request->extra_fields);
3432 079ec5c2d665 Last change caused user-given passwords to be cached, and later the password Timo Sirainen <tss@iki.fi> parents: 3431 diff changeset	212
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	213 if (passdb_cache == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	214 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	215
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	216 if (passdb->cache_key == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	217 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	218
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	219 if (result < 0) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	220 /* lookup failed. */
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	221 if (result == PASSDB_RESULT_USER_UNKNOWN) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	222 auth_cache_insert(passdb_cache, request,
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	223 passdb->cache_key, "", FALSE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	224 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	225 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	226 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	227
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	228 if (!request->no_password && request->passdb_password == NULL) {
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	229 /* passdb didn't provide the correct password */
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	230 if (result != PASSDB_RESULT_OK \|\|
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	231 request->mech_password == NULL)
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	232 return;
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	233
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	234 /* we can still cache valid password lookups though.
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	235 strdup() it so that mech_password doesn't get
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	236 cleared too early. */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	237 request->passdb_password =
5039 953f02db95dc auth cache: If passdb didn't provide the password, we used the user-given Timo Sirainen <tss@iki.fi> parents: 5036 diff changeset	238 p_strconcat(request->pool, "{plain}",
953f02db95dc auth cache: If passdb didn't provide the password, we used the user-given Timo Sirainen <tss@iki.fi> parents: 5036 diff changeset	239 request->mech_password, NULL);
3645 81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	240 }
81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	241
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	242 /* save all except the currently given password in cache */
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	243 str = t_str_new(256);
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	244 if (request->passdb_password != NULL) {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	245 if (*request->passdb_password != '{') {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	246 /* cached passwords must have a known scheme */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	247 str_append_c(str, '{');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	248 str_append(str, passdb->default_pass_scheme);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	249 str_append_c(str, '}');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	250 }
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	251 if (strchr(request->passdb_password, '\t') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	252 i_panic("%s: Password contains TAB", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	253 if (strchr(request->passdb_password, '\n') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	254 i_panic("%s: Password contains LF", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	255 str_append(str, request->passdb_password);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	256 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	257
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	258 if (extra_fields != NULL && *extra_fields != '\0') {
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	259 str_append_c(str, '\t');
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	260 str_append(str, extra_fields);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	261 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	262 if (request->extra_cache_fields != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	263 extra_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	264 auth_stream_reply_export(request->extra_cache_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	265 if (*extra_fields != '\0') {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	266 str_append_c(str, '\t');
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	267 str_append(str, extra_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	268 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	269 }
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	270 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str),
3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	271 result == PASSDB_RESULT_OK);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	272 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	273
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	274 static bool auth_request_master_lookup_finish(struct auth_request *request)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	275 {
4534 dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	276 if (request->passdb_failure)
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	277 return TRUE;
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	278
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	279 /* master login successful. update user and master_user variables. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	280 auth_request_log_info(request, "passdb", "Master user logging in as %s",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	281 request->requested_login_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	282
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	283 request->master_user = request->user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	284 request->user = request->requested_login_user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	285 request->requested_login_user = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	286
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	287 request->skip_password_check = TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	288 request->passdb_password = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	289
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	290 if (!request->passdb->pass) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	291 /* skip the passdb lookup, we're authenticated now. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	292 return TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	293 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	294
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	295 /* the authentication continues with passdb lookup for the
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	296 requested_login_user. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	297 request->passdb = request->auth->passdbs;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	298 return FALSE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	299 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	300
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	301 static bool
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	302 auth_request_handle_passdb_callback(enum passdb_result *result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	303 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	304 {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	305 if (request->passdb_password != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	306 safe_memset(request->passdb_password, 0,
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	307 strlen(request->passdb_password));
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	308 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	309
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	310 if (request->passdb->deny && *result != PASSDB_RESULT_USER_UNKNOWN) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	311 /* deny passdb. we can get through this step only if the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	312 lookup returned that user doesn't exist in it. internal
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	313 errors are fatal here. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	314 if (*result != PASSDB_RESULT_INTERNAL_FAILURE) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	315 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	316 "User found from deny passdb");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	317 *result = PASSDB_RESULT_USER_DISABLED;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	318 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	319 } else if (*result == PASSDB_RESULT_OK) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	320 /* success */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	321 if (request->requested_login_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	322 /* this was a master user lookup. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	323 if (!auth_request_master_lookup_finish(request))
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	324 return FALSE;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	325 } else {
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	326 if (request->passdb->pass) {
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	327 /* this wasn't the final passdb lookup,
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	328 continue to next passdb */
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	329 request->passdb = request->passdb->next;
4402 8846e6be0e02 If multiple passdbs were configured and we tried to authenticate as user Timo Sirainen <tss@iki.fi> parents: 4374 diff changeset	330 request->passdb_password = NULL;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	331 return FALSE;
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	332 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	333 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	334 } else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	335 if (request->extra_fields == NULL)
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	336 request->extra_fields = auth_stream_reply_init(request);
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	337 auth_stream_reply_add(request->extra_fields, "reason",
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	338 "Password expired");
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	339 } else if (request->passdb->next != NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	340 *result != PASSDB_RESULT_USER_DISABLED) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	341 /* try next passdb. */
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	342 request->passdb = request->passdb->next;
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	343 request->passdb_password = NULL;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	344
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	345 if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	346 /* remember that we have had an internal failure. at
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	347 the end return internal failure if we couldn't
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	348 successfully login. */
3606 8a8352cda514 If passdb lookup fails with internal error, try other passdbs anyway before Timo Sirainen <tss@iki.fi> parents: 3520 diff changeset	349 request->passdb_internal_failure = TRUE;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	350 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	351 if (request->extra_fields != NULL)
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	352 auth_stream_reply_reset(request->extra_fields);
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	353
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	354 return FALSE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	355 } else if (request->passdb_internal_failure) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	356 /* last passdb lookup returned internal failure. it may have
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	357 had the correct password, so return internal failure
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	358 instead of plain failure. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	359 *result = PASSDB_RESULT_INTERNAL_FAILURE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	360 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	361
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	362 return TRUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	363 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	364
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	365 static void
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	366 auth_request_verify_plain_callback_finish(enum passdb_result result,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	367 struct auth_request *request)
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	368 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	369 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	370 /* try next passdb */
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	371 auth_request_verify_plain(request, request->mech_password,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	372 request->private_callback.verify_plain);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	373 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	374 auth_request_ref(request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	375 request->private_callback.verify_plain(result, request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	376 safe_memset(request->mech_password, 0,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	377 strlen(request->mech_password));
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	378 auth_request_unref(&request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	379 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	380 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	381
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	382 void auth_request_verify_plain_callback(enum passdb_result result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	383 struct auth_request *request)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	384 {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	385 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	386
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	387 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	388
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	389 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	390 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	391 else {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	392 /* lookup failed. if we're looking here only because the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	393 request was expired in cache, fallback to using cached
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	394 expired record. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	395 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	396
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	397 if (passdb_cache_verify_plain(request, cache_key,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	398 request->mech_password,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	399 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	400 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	401 "Fallbacking to expired data from cache");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	402 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	403 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	404
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	405 auth_request_verify_plain_callback_finish(result, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	406 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	407
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	408 void auth_request_verify_plain(struct auth_request *request,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	409 const char *password,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	410 verify_plain_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	411 {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	412 struct passdb_module *passdb;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	413 enum passdb_result result;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	414 const char *cache_key;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	415
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	416 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	417
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	418 if (request->passdb == NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	419 /* no masterdbs, master logins not supported */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	420 i_assert(request->requested_login_user != NULL);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	421 auth_request_log_info(request, "passdb",
68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	422 "Attempted master login with no master passdbs");
68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	423 callback(PASSDB_RESULT_USER_UNKNOWN, request);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	424 return;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	425 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	426
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	427 passdb = request->passdb->passdb;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	428 if (request->mech_password == NULL)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	429 request->mech_password = p_strdup(request->pool, password);
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	430 else
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	431 i_assert(request->mech_password == password);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	432 request->private_callback.verify_plain = callback;
3164 da9e4ffef09f Last changes broke proxying when user was in auth cache. Timo Sirainen <tss@iki.fi> parents: 3161 diff changeset	433
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	434 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	435 if (passdb_cache_verify_plain(request, cache_key, password,
64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	436 &result, FALSE)) {
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	437 auth_request_verify_plain_callback_finish(result, request);
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	438 return;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	439 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	440
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	441 request->state = AUTH_REQUEST_STATE_PASSDB;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	442 request->credentials_scheme = NULL;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	443
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	444 if (passdb->blocking)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	445 passdb_blocking_verify_plain(request);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	446 else {
3771 4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	447 passdb->iface.verify_plain(request, password,
4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	448 auth_request_verify_plain_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	449 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	450 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	451
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	452 static void
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	453 auth_request_lookup_credentials_finish(enum passdb_result result,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	454 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	455 size_t size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	456 struct auth_request *request)
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	457 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	458 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	459 /* try next passdb */
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	460 auth_request_lookup_credentials(request,
f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	461 request->credentials_scheme,
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	462 request->private_callback.lookup_credentials);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	463 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	464 if (request->auth->verbose_debug_passwords &&
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	465 result == PASSDB_RESULT_OK) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	466 auth_request_log_debug(request, "password",
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	467 "Credentials: %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	468 binary_to_hex(credentials, size));
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	469 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	470 request->private_callback.
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	471 lookup_credentials(result, credentials, size, request);
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	472 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	473 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	474
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	475 void auth_request_lookup_credentials_callback(enum passdb_result result,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	476 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	477 size_t size,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	478 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	479 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	480 const char cache_cred, cache_scheme;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	481
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	482 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	483
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	484 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	485
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	486 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	487 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	488 else {
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	489 /* lookup failed. if we're looking here only because the
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	490 request was expired in cache, fallback to using cached
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	491 expired record. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	492 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	493
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	494 if (passdb_cache_lookup_credentials(request, cache_key,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	495 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	496 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	497 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	498 "Fallbacking to expired data from cache");
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	499 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	500 if (result == PASSDB_RESULT_OK) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	501 if (!passdb_get_credentials(request, cache_cred,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	502 cache_scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	503 &credentials, &size))
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	504 result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	505 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	506 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	507
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	508 auth_request_lookup_credentials_finish(result, credentials, size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	509 request);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	510 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	511
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	512 void auth_request_lookup_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	513 const char *scheme,
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	514 lookup_credentials_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	515 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	516 struct passdb_module *passdb = request->passdb->passdb;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	517 const char cache_key, cache_cred, *cache_scheme;
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	518 const unsigned char *credentials;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	519 size_t size;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	520 enum passdb_result result;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	521
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	522 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	523
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	524 request->credentials_scheme = p_strdup(request->pool, scheme);
5233 359a8f31aa9b Fixed a crash when non-plaintext mechanism used auth_cache. Timo Sirainen <tss@iki.fi> parents: 5170 diff changeset	525 request->private_callback.lookup_credentials = callback;
3682 0207808033ad Non-plaintext authentication and passdb cache didn't work together. Patch by Timo Sirainen <tss@iki.fi> parents: 3669 diff changeset	526
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	527 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	528 if (cache_key != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	529 if (passdb_cache_lookup_credentials(request, cache_key,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	530 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	531 &result, FALSE)) {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	532 if (result == PASSDB_RESULT_OK &&
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	533 !passdb_get_credentials(request, cache_cred,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	534 cache_scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	535 &credentials, &size))
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	536 result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	537 auth_request_lookup_credentials_finish(
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	538 result, credentials, size, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	539 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	540 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	541 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	542
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	543 request->state = AUTH_REQUEST_STATE_PASSDB;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	544
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	545 if (passdb->blocking)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	546 passdb_blocking_lookup_credentials(request);
3771 4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	547 else if (passdb->iface.lookup_credentials != NULL) {
4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	548 passdb->iface.lookup_credentials(request,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	549 auth_request_lookup_credentials_callback);
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	550 } else {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	551 /* this passdb doesn't support credentials */
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	552 auth_request_lookup_credentials_callback(
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	553 PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, 0, request);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	554 }
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	555 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	556
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	557 void auth_request_set_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	558 const char scheme, const char data,
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	559 set_credentials_callback_t *callback)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	560 {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	561 struct passdb_module *passdb = request->passdb->passdb;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	562 const char cache_key, new_credentials;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	563
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	564 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	565 if (cache_key != NULL)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	566 auth_cache_remove(passdb_cache, request, cache_key);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	567
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	568 request->private_callback.set_credentials = callback;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	569
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	570 new_credentials = t_strdup_printf("{%s}%s", scheme, data);
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	571 if (passdb->blocking)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	572 passdb_blocking_set_credentials(request, new_credentials);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	573 else if (passdb->iface.set_credentials != NULL) {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	574 passdb->iface.set_credentials(request, new_credentials,
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	575 callback);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	576 } else {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	577 /* this passdb doesn't support credentials update */
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	578 callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	579 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	580 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	581
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	582 static void auth_request_userdb_save_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	583 struct auth_stream_reply *reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	584 enum userdb_result result)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	585 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	586 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	587 const char *str;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	588
4983 8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	589 if (passdb_cache == NULL \|\| userdb->cache_key == NULL)
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	590 return;
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	591
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	592 str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	593 auth_stream_reply_export(reply);
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	594 /* last_success has no meaning with userdb */
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	595 auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	596 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	597
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	598 static bool auth_request_lookup_user_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	599 const char *key,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	600 struct auth_stream_reply **reply_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	601 enum userdb_result *result_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	602 bool use_expired)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	603 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	604 const char *value;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	605 struct auth_cache_node *node;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	606 bool expired;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	607
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	608 value = auth_cache_lookup(passdb_cache, request, key, &node,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	609 &expired);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	610 if (value == NULL \|\| (expired && !use_expired))
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	611 return FALSE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	612
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	613 if (*value == '\0') {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	614 /* negative cache entry */
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	615 *result_r = USERDB_RESULT_USER_UNKNOWN;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	616 *reply_r = auth_stream_reply_init(request);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	617 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	618 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	619
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	620 *result_r = USERDB_RESULT_OK;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	621 *reply_r = auth_stream_reply_init(request);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	622 auth_stream_reply_import(*reply_r, value);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	623 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	624 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	625
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	626 void auth_request_userdb_callback(enum userdb_result result,
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	627 struct auth_stream_reply *reply,
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	628 struct auth_request *request)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	629 {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	630 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	631
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	632 if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	633 /* try next userdb. */
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	634 if (result == USERDB_RESULT_INTERNAL_FAILURE)
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	635 request->userdb_internal_failure = TRUE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	636
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	637 request->userdb = request->userdb->next;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	638 auth_request_lookup_user(request,
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	639 request->private_callback.userdb);
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	640 return;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	641 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	642
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	643 if (request->userdb_internal_failure && result != USERDB_RESULT_OK) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	644 /* one of the userdb lookups failed. the user might have been
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	645 in there, so this is an internal failure */
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	646 result = USERDB_RESULT_INTERNAL_FAILURE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	647 } else if (result == USERDB_RESULT_USER_UNKNOWN &&
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	648 request->client_pid != 0) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	649 /* this was an actual login attempt, the user should
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	650 have been found. */
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	651 auth_request_log_error(request, "userdb",
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	652 "user not found from userdb");
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	653 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	654
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	655 if (result != USERDB_RESULT_INTERNAL_FAILURE)
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	656 auth_request_userdb_save_cache(request, reply, result);
5036 df93cf66022a If request fails with internal failure, don't crash if auth cache is Timo Sirainen <tss@iki.fi> parents: 4983 diff changeset	657 else if (passdb_cache != NULL && userdb->cache_key != NULL) {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	658 /* lookup failed. if we're looking here only because the
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	659 request was expired in cache, fallback to using cached
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	660 expired record. */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	661 const char *cache_key = userdb->cache_key;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	662
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	663 if (auth_request_lookup_user_cache(request, cache_key, &reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	664 &result, TRUE))
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	665 auth_request_log_info(request, "userdb",
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	666 "Fallbacking to expired data from cache");
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	667 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	668
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	669 request->private_callback.userdb(result, reply, request);
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	670 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	671
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	672 void auth_request_lookup_user(struct auth_request *request,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	673 userdb_callback_t *callback)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	674 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	675 struct userdb_module *userdb = request->userdb->userdb;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	676 const char *cache_key;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	677
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	678 request->private_callback.userdb = callback;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	679 request->userdb_lookup = TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	680
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	681 /* (for now) auth_cache is shared between passdb and userdb */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	682 cache_key = passdb_cache == NULL ? NULL : userdb->cache_key;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	683 if (cache_key != NULL) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	684 struct auth_stream_reply *reply;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	685 enum userdb_result result;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	686
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	687 if (auth_request_lookup_user_cache(request, cache_key, &reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	688 &result, FALSE)) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	689 request->private_callback.userdb(result, reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	690 request);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	691 return;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	692 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	693 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	694
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	695 if (userdb->blocking)
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	696 userdb_blocking_lookup(request);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	697 else
3658 fc4622b1c1ef Separated userdb_module's interface and the actual data struct. Timo Sirainen <tss@iki.fi> parents: 3657 diff changeset	698 userdb->iface->lookup(request, auth_request_userdb_callback);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	699 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	700
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	701 static char *
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	702 auth_request_fix_username(struct auth_request request, const char username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	703 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	704 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	705 unsigned char *p;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	706 char *user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	707
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	708 if (strchr(username, '@') == NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	709 request->auth->default_realm != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	710 user = p_strconcat(request->pool, username, "@",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	711 request->auth->default_realm, NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	712 } else {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	713 user = p_strdup(request->pool, username);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	714 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	715
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	716 for (p = (unsigned char )user; p != '\0'; p++) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	717 if (request->auth->username_translation[*p & 0xff] != 0)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	718 p = request->auth->username_translation[p & 0xff];
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	719 if (request->auth->username_chars[*p & 0xff] == 0) {
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	720 *error_r = t_strdup_printf(
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	721 "Username contains disallowed character: "
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	722 "0x%02x", *p);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	723 return NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	724 }
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	725 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	726
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	727 if (request->auth->username_format != NULL) {
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	728 /* username format given, put it through variable expansion.
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	729 we'll have to temporarily replace request->user to get
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	730 %u to be the wanted username */
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	731 const struct var_expand_table *table;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	732 char *old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	733 string_t *dest;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	734
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	735 old_username = request->user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	736 request->user = user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	737
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	738 t_push();
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	739 dest = t_str_new(256);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	740 table = auth_request_get_var_expand_table(request,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	741 auth_request_str_escape);
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	742 var_expand(dest, request->auth->username_format, table);
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	743 user = p_strdup(request->pool, str_c(dest));
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	744 t_pop();
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	745
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	746 request->user = old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	747 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	748
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	749 return user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	750 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	751
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	752 bool auth_request_set_username(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	753 const char username, const char *error_r)
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	754 {
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	755 const char p, login_username = NULL;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	756
4054 f83d7d14b999 Digest-MD5 logins didn't work if passdb changed username. Timo Sirainen <tss@iki.fi> parents: 4042 diff changeset	757 if (request->original_username == NULL) {
f83d7d14b999 Digest-MD5 logins didn't work if passdb changed username. Timo Sirainen <tss@iki.fi> parents: 4042 diff changeset	758 /* the username may change later, but we need to use this
f83d7d14b999 Digest-MD5 logins didn't work if passdb changed username. Timo Sirainen <tss@iki.fi> parents: 4042 diff changeset	759 username when verifying at least DIGEST-MD5 password */
f83d7d14b999 Digest-MD5 logins didn't work if passdb changed username. Timo Sirainen <tss@iki.fi> parents: 4042 diff changeset	760 request->original_username = p_strdup(request->pool, username);
f83d7d14b999 Digest-MD5 logins didn't work if passdb changed username. Timo Sirainen <tss@iki.fi> parents: 4042 diff changeset	761 }
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	762 if (request->cert_username) {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	763 /* cert_username overrides the username given by
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	764 authentication mechanism. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	765 return TRUE;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	766 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	767
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	768 if (request->auth->master_user_separator != '\0') {
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	769 /* check if the username contains a master user */
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	770 p = strchr(username, request->auth->master_user_separator);
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	771 if (p != NULL) {
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	772 /* it does, set it. */
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	773 login_username = t_strdup_until(username, p);
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	774
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	775 /* username is the master user */
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	776 username = p + 1;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	777 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	778 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	779
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	780 if (*username == '\0') {
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	781 /* Some PAM plugins go nuts with empty usernames */
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	782 *error_r = "Empty username";
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	783 return FALSE;
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	784 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	785
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	786 request->user = auth_request_fix_username(request, username, error_r);
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	787 if (request->user == NULL) {
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	788 auth_request_log_debug(request, "auth",
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	789 "Invalid username: %s", str_sanitize(username, 128));
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	790 return FALSE;
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	791 }
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	792
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	793 if (login_username != NULL) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	794 if (!auth_request_set_login_username(request,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	795 login_username,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	796 error_r))
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	797 return FALSE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	798 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	799 return TRUE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	800 }
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	801
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	802 bool auth_request_set_login_username(struct auth_request *request,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	803 const char *username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	804 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	805 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	806 i_assert(*username != '\0');
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	807
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	808 if (strcmp(username, request->user) == 0) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	809 /* The usernames are the same, we don't really wish to log
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	810 in as someone else */
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	811 return TRUE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	812 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	813
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	814 /* lookup request->user from masterdb first */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	815 request->passdb = request->auth->masterdbs;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	816
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	817 request->requested_login_user =
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	818 auth_request_fix_username(request, username, error_r);
4136 f7731e6eec7e If master login username is the same as the normal username, we don't want Timo Sirainen <tss@iki.fi> parents: 4108 diff changeset	819 return request->requested_login_user != NULL;
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	820 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	821
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	822 static int is_ip_in_network(const char network, const struct ip_addr ip)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	823 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	824 const uint32_t ip1, ip2;
4685 dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	825 struct ip_addr src_ip, net_ip;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	826 const char *p;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	827 unsigned int max_bits, bits, pos, i;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	828 uint32_t mask;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	829
4685 dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	830 if (net_ipv6_mapped_ipv4_convert(ip, &src_ip) == 0)
dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	831 ip = &src_ip;
dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	832
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	833 max_bits = IPADDR_IS_V4(ip) ? 32 : 128;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	834 p = strchr(network, '/');
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	835 if (p == NULL) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	836 /* full IP address must match */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	837 bits = max_bits;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	838 } else {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	839 /* get the network mask */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	840 network = t_strdup_until(network, p);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	841 bits = strtoul(p+1, NULL, 10);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	842 if (bits > max_bits)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	843 bits = max_bits;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	844 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	845
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	846 if (net_addr2ip(network, &net_ip) < 0)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	847 return -1;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	848
4533 92199dcb4018 If we logged in with IPv6 address and allow_nets contained IPv4 address, we Timo Sirainen <tss@iki.fi> parents: 4420 diff changeset	849 if (IPADDR_IS_V4(ip) != IPADDR_IS_V4(&net_ip)) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	850 /* one is IPv6 and one is IPv4 */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	851 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	852 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	853 i_assert(IPADDR_IS_V6(ip) == IPADDR_IS_V6(&net_ip));
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	854
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	855 ip1 = (const uint32_t *)&ip->ip;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	856 ip2 = (const uint32_t *)&net_ip.ip;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	857
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	858 /* check first the full 32bit ints */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	859 for (pos = 0, i = 0; pos + 32 <= bits; pos += 32, i++) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	860 if (ip1[i] != ip2[i])
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	861 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	862 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	863
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	864 /* check the last full bytes */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	865 for (mask = 0xff; pos + 8 <= bits; pos += 8, mask <<= 8) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	866 if ((ip1[i] & mask) != (ip2[i] & mask))
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	867 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	868 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	869
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	870 /* check the last bits, they're reversed in bytes */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	871 bits -= pos;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	872 for (mask = 0x80 << (pos % 32); bits > 0; bits--, mask >>= 1) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	873 if ((ip1[i] & mask) != (ip2[i] & mask))
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	874 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	875 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	876 return 1;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	877 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	878
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	879 static void auth_request_validate_networks(struct auth_request *request,
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	880 const char *networks)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	881 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	882 const char const net;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	883 bool found = FALSE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	884
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	885 if (request->remote_ip.family == 0) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	886 /* IP not known */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	887 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	888 "allow_nets check failed: Remote IP not known");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	889 request->passdb_failure = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	890 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	891 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	892
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	893 t_push();
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	894 for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
4420 1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	895 auth_request_log_debug(request, "auth",
1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	896 "allow_nets: Matching for network %s", *net);
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	897 switch (is_ip_in_network(*net, &request->remote_ip)) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	898 case 1:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	899 found = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	900 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	901 case -1:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	902 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	903 "allow_nets: Invalid network '%s'", *net);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	904 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	905 default:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	906 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	907 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	908 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	909 t_pop();
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	910
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	911 if (!found) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	912 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	913 "allow_nets check failed: IP not in allowed networks");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	914 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	915 request->passdb_failure = !found;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	916 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	917
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	918 void auth_request_set_field(struct auth_request *request,
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	919 const char name, const char value,
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	920 const char *default_scheme)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	921 {
4017 e2d267e6f930 Check that we don't pass around key=value pairs with empty keys. Timo Sirainen <tss@iki.fi> parents: 3918 diff changeset	922 i_assert(*name != '\0');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	923 i_assert(value != NULL);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	924
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	925 if (strcmp(name, "password") == 0) {
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	926 if (request->passdb_password != NULL) {
4042 dabe100f3c38 Multiple password database error prints now the passdb name that caused it. Timo Sirainen <timo.sirainen@movial.fi> parents: 4030 diff changeset	927 auth_request_log_error(request,
dabe100f3c38 Multiple password database error prints now the passdb name that caused it. Timo Sirainen <timo.sirainen@movial.fi> parents: 4030 diff changeset	928 request->passdb->passdb->iface.name,
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	929 "Multiple password values not supported");
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	930 return;
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	931 }
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	932
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	933 if (*value == '{') {
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	934 request->passdb_password =
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	935 p_strdup(request->pool, value);
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	936 } else {
3274 859c4ffd514e Don't crash if cache is enabled and we're caching more than just Timo Sirainen <tss@iki.fi> parents: 3272 diff changeset	937 i_assert(default_scheme != NULL);
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	938 request->passdb_password =
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	939 p_strdup_printf(request->pool, "{%s}%s",
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	940 default_scheme, value);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	941 }
3397 2db396230881 auth_request_set_field() shouldn't save password to extra_fields. Fixes a Timo Sirainen <tss@iki.fi> parents: 3386 diff changeset	942 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	943 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	944
3257 92c16e82b806 passdb can now change the username that was used to log in. This is mostly Timo Sirainen <tss@iki.fi> parents: 3192 diff changeset	945 if (strcmp(name, "user") == 0) {
92c16e82b806 passdb can now change the username that was used to log in. This is mostly Timo Sirainen <tss@iki.fi> parents: 3192 diff changeset	946 /* update username to be exactly as it's in database */
3427 3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	947 if (strcmp(request->user, value) != 0) {
5131 172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	948 /* remember the original username for cache */
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	949 if (request->original_username == NULL) {
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	950 request->original_username =
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	951 p_strdup(request->pool, request->user);
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	952 }
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	953
3427 3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	954 auth_request_log_debug(request, "auth",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	955 "username changed %s -> %s",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	956 request->user, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	957 request->user = p_strdup(request->pool, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	958 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	959 } else if (strcmp(name, "nodelay") == 0) {
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	960 /* don't delay replying to client of the failure */
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	961 request->no_failure_delay = TRUE;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	962 } else if (strcmp(name, "nopassword") == 0) {
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	963 /* NULL password - anything goes */
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	964 if (request->passdb_password != NULL &&
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	965 *request->passdb_password != '\0') {
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	966 auth_request_log_error(request,
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	967 request->passdb->passdb->iface.name,
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	968 "nopassword set but password is non-empty");
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	969 return;
79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	970 }
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	971 request->no_password = TRUE;
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	972 request->passdb_password = NULL;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	973 } else if (strcmp(name, "allow_nets") == 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	974 auth_request_validate_networks(request, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	975 } else {
5170 3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	976 if (strcmp(name, "nologin") == 0) {
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	977 /* user can't actually login - don't keep this
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	978 reply for master */
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	979 request->no_login = TRUE;
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	980 value = NULL;
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	981 } else if (strcmp(name, "proxy") == 0) {
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	982 /* we're proxying authentication for this user. send
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	983 password back if using plaintext authentication. */
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	984 request->proxy = TRUE;
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	985 request->no_login = TRUE;
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	986 value = NULL;
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	987 }
3516e9856179 proxy and nologin was broken in last changes. Timo Sirainen <tss@iki.fi> parents: 5163 diff changeset	988
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	989 if (request->extra_fields == NULL)
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	990 request->extra_fields = auth_stream_reply_init(request);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	991 auth_stream_reply_add(request->extra_fields, name, value);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	992 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	993 }
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	994
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	995 if (passdb_cache != NULL &&
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	996 request->passdb->passdb->cache_key != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	997 /* we'll need to get this field stored into cache */
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	998 if (request->extra_cache_fields == NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	999 request->extra_cache_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1000 auth_stream_reply_init(request);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1001 }
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1002 auth_stream_reply_add(request->extra_cache_fields, name, value);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1003 }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1004 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1005
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1006 void auth_request_set_fields(struct auth_request *request,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1007 const char const fields,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1008 const char *default_scheme)
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1009 {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1010 const char key, value;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1011
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1012 t_push();
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1013 for (; *fields != NULL; fields++) {
5163 39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1014 if (**fields == '\0')
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1015 continue;
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1016
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1017 value = strchr(*fields, '=');
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1018 if (value == NULL) {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1019 key = *fields;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1020 value = "";
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1021 } else {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1022 key = t_strdup_until(*fields, value);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1023 value++;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1024 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1025 auth_request_set_field(request, key, value, default_scheme);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1026 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1027 t_pop();
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1028 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1029
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1030 int auth_request_password_verify(struct auth_request *request,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1031 const char *plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1032 const char *crypted_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1033 const char scheme, const char subsystem)
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1034 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1035 const unsigned char *raw_password;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1036 size_t raw_password_size;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1037 const char *user;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1038 int ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1039
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1040 if (request->skip_password_check) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1041 /* currently this can happen only with master logins */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1042 i_assert(request->master_user != NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1043 return 1;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1044 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1045
4689 80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1046 if (request->passdb->deny) {
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1047 /* this is a deny database, we don't care about the password */
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1048 return 0;
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1049 }
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1050
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1051 ret = password_decode(crypted_password, scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1052 &raw_password, &raw_password_size);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1053 if (ret <= 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1054 if (ret < 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1055 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1056 "Invalid password format for scheme %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1057 scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1058 } else {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1059 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1060 "Unknown scheme %s", scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1061 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1062 return -1;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1063 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1064
4872 07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1065 /* If original_username is set, use it. It may be important for some
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1066 password schemes (eg. digest-md5). Otherwise the username is used
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1067 only for logging purposes. */
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1068 user = request->original_username != NULL ?
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1069 request->original_username : request->user;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1070 ret = password_verify(plain_password, user, scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1071 raw_password, raw_password_size);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1072 i_assert(ret >= 0);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1073 if (ret == 0) {
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1074 auth_request_log_info(request, subsystem,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1075 "Password mismatch");
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1076 if (request->auth->verbose_debug_passwords) {
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1077 auth_request_log_debug(request, subsystem,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1078 "%s(%s) != '%s'", scheme,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1079 plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1080 crypted_password);
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1081 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1082 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1083 return ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1084 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1085
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1086 static const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1087 escape_none(const char *string,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1088 const struct auth_request *request __attr_unused__)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1089 {
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1090 return string;
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1091 }
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1092
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1093 const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1094 auth_request_str_escape(const char *string,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1095 const struct auth_request *request __attr_unused__)
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1096 {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1097 return str_escape(string);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1098 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1099
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1100 const struct var_expand_table *
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1101 auth_request_get_var_expand_table(const struct auth_request *auth_request,
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1102 auth_request_escape_func_t *escape_func)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1103 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1104 static struct var_expand_table static_tab[] = {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1105 { 'u', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1106 { 'n', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1107 { 'd', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1108 { 's', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1109 { 'h', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1110 { 'l', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1111 { 'r', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1112 { 'p', NULL },
3687 629ffe1a3874 %w contains now password Timo Sirainen <tss@iki.fi> parents: 3682 diff changeset	1113 { 'w', NULL },
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	1114 { '!', NULL },
5251 c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1115 { 'm', NULL },
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1116 { 'c', NULL },
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1117 { '\0', NULL }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1118 };
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1119 struct var_expand_table *tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1120
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1121 if (escape_func == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1122 escape_func = escape_none;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1123
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1124 tab = t_malloc(sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1125 memcpy(tab, static_tab, sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1126
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1127 tab[0].value = escape_func(auth_request->user, auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1128 tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1129 auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1130 tab[2].value = strchr(auth_request->user, '@');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1131 if (tab[2].value != NULL)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1132 tab[2].value = escape_func(tab[2].value+1, auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1133 tab[3].value = auth_request->service;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1134 /* tab[4] = we have no home dir */
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1135 if (auth_request->local_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1136 tab[5].value = net_ip2addr(&auth_request->local_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1137 if (auth_request->remote_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1138 tab[6].value = net_ip2addr(&auth_request->remote_ip);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	1139 tab[7].value = dec2str(auth_request->client_pid);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1140 if (auth_request->mech_password != NULL) {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1141 tab[8].value = escape_func(auth_request->mech_password,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1142 auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1143 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1144 if (auth_request->userdb_lookup) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1145 tab[9].value = auth_request->userdb == NULL ? "" :
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1146 dec2str(auth_request->userdb->num);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1147 } else {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1148 tab[9].value = auth_request->passdb == NULL ? "" :
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1149 dec2str(auth_request->passdb->id);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1150 }
5251 c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1151 tab[10].value = auth_request->mech == NULL ? "" :
c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1152 auth_request->mech->mech_name;
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1153 tab[11].value = auth_request->secured ? "secured" : "";
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1154 return tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1155 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1156
4825 66287003e3cc Added __attr_format__ Timo Sirainen <tss@iki.fi> parents: 4782 diff changeset	1157 static const char * __attr_format__(3, 0)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1158 get_log_str(struct auth_request auth_request, const char subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1159 const char *format, va_list va)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1160 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1161 #define MAX_LOG_USERNAME_LEN 64
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1162 const char *ip;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1163 string_t *str;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1164
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1165 str = t_str_new(128);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1166 str_append(str, subsystem);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1167 str_append_c(str, '(');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1168
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1169 if (auth_request->user == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1170 str_append(str, "?");
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1171 else {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1172 str_sanitize_append(str, auth_request->user,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1173 MAX_LOG_USERNAME_LEN);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1174 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1175
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1176 ip = net_ip2addr(&auth_request->remote_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1177 if (ip != NULL) {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1178 str_append_c(str, ',');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1179 str_append(str, ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1180 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1181 if (auth_request->requested_login_user != NULL)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1182 str_append(str, ",master");
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1183 str_append(str, "): ");
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1184 str_vprintfa(str, format, va);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1185 return str_c(str);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1186 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1187
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1188 void auth_request_log_debug(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1189 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1190 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1191 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1192 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1193
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1194 if (!auth_request->auth->verbose_debug)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1195 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1196
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1197 va_start(va, format);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1198 t_push();
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1199 i_info("%s", get_log_str(auth_request, subsystem, format, va));
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1200 t_pop();
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1201 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1202 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1203
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1204 void auth_request_log_info(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1205 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1206 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1207 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1208 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1209
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1210 if (!auth_request->auth->verbose)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1211 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1212
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1213 va_start(va, format);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1214 t_push();
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1215 i_info("%s", get_log_str(auth_request, subsystem, format, va));
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1216 t_pop();
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1217 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1218 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1219
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1220 void auth_request_log_error(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1221 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1222 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1223 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1224 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1225
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1226 va_start(va, format);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1227 t_push();
3158 8849f2e380d1 userdb can now return extra parameters to master. Removed special handling Timo Sirainen <tss@iki.fi> parents: 3074 diff changeset	1228 i_error("%s", get_log_str(auth_request, subsystem, format, va));
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1229 t_pop();
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1230 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1231 }

Mercurial > dovecot > core-2.2

annotate src/auth/auth-request.c @ 5598:971050640e3b HEAD