annotate src/auth/auth-request.c @ 14159:98d696965c91
auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sat, 25 Feb 2012 05:42:05 +0200 |
parents | 8e2f395cf86c |
children | 716769cfbb1d |
rev | line source |
---|---|
14133
ba770cba5598
Updated copyright notices to include year 2012.
Timo Sirainen <tss@iki.fi>
parents:
13956
diff
changeset
|
1 /* Copyright (c) 2002-2012 Dovecot authors, see the included COPYING file */ |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 |
9219
97cdfeb57129
Renamed headers to prevent collision if they were flattened on an install.
Mark Washenberger
parents:
9015
diff
changeset
|
3 #include "auth-common.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 #include "ioloop.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 #include "buffer.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 #include "hash.h" |
10585
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
7 #include "sha1.h" |
5598
971050640e3b
All password schemes can now be encoded with base64 or hex. The encoding is
Timo Sirainen <tss@iki.fi>
parents:
5593
diff
changeset
|
8 #include "hex-binary.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 #include "str.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
10 #include "safe-memset.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
11 #include "str-sanitize.h" |
4168
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
12 #include "strescape.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
13 #include "var-expand.h" |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
14 #include "dns-lookup.h" |
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
15 #include "auth-cache.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
16 #include "auth-request.h" |
11441
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11255
diff
changeset
|
17 #include "auth-request-handler.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
18 #include "auth-client-connection.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
19 #include "auth-master-connection.h" |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
20 #include "passdb.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
21 #include "passdb-blocking.h" |
13330
83ac50d3b76f
auth: Added default_fields and override_fields settings to all passdbs and userdbs.
Timo Sirainen <tss@iki.fi>
parents:
12977
diff
changeset
|
22 #include "passdb-cache.h" |
83ac50d3b76f
auth: Added default_fields and override_fields settings to all passdbs and userdbs.
Timo Sirainen <tss@iki.fi>
parents:
12977
diff
changeset
|
23 #include "passdb-template.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
24 #include "userdb-blocking.h" |
13330
83ac50d3b76f
auth: Added default_fields and override_fields settings to all passdbs and userdbs.
Timo Sirainen <tss@iki.fi>
parents:
12977
diff
changeset
|
25 #include "userdb-template.h" |
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
26 #include "password-scheme.h" |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
27 |
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
28 #include <stdlib.h> |
5879
f7cdede45a88
If uidgid_file=<template_path> is set, the uid and gid are looked up by
Timo Sirainen <tss@iki.fi>
parents:
5872
diff
changeset
|
29 #include <sys/stat.h> |
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
30 |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
31 #define AUTH_DNS_SOCKET_PATH "dns-client" |
14156
8e2f395cf86c
auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s.
Timo Sirainen <tss@iki.fi>
parents:
14155
diff
changeset
|
32 #define AUTH_DNS_DEFAULT_TIMEOUT_MSECS (1000*10) |
8e2f395cf86c
auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s.
Timo Sirainen <tss@iki.fi>
parents:
14155
diff
changeset
|
33 #define AUTH_DNS_WARN_MSECS 500 |
10689
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
34 #define CACHED_PASSWORD_SCHEME "SHA1" |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
35 |
/* Number of auth requests currently in each state, indexed by
   enum auth_request_state. The constructors, auth_request_set_state()
   and auth_request_unref() in this file keep it up to date. */
unsigned int auth_request_state_count[AUTH_REQUEST_STATE_MAX];

/* Forward declaration; being static, the definition is presumably further
   down in this file. */
static void get_log_prefix(string_t *str, struct auth_request *auth_request,
			   const char *subsystem);
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
40 |
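/*
 * Create a new auth request for the given mechanism module.
 *
 * The request object is allocated by the mechanism's auth_new() callback.
 * This function then fills in the common fields: state NEW (and the
 * matching per-state counter), a single reference owned by the caller,
 * last_access = ioloop_time, the global auth settings, and the mechanism
 * pointer and name.
 *
 * mech must not be NULL. auth_request_new_dummy() creates a request
 * without going through a mechanism's auth_new().
 *
 * Release the returned request with auth_request_unref().
 */
struct auth_request *
auth_request_new(const struct mech_module *mech)
{
	struct auth_request *request;

	/* mech is dereferenced on the next statement, so the NULL test that
	   used to guard mech->mech_name further down could never take
	   effect. State the precondition explicitly instead, so a bad
	   caller gets a deterministic assert rather than a NULL
	   dereference. */
	i_assert(mech != NULL);

	request = mech->auth_new();

	request->state = AUTH_REQUEST_STATE_NEW;
	auth_request_state_count[AUTH_REQUEST_STATE_NEW]++;

	request->refcount = 1;
	request->last_access = ioloop_time;

	request->set = global_auth_settings;
	request->mech = mech;
	request->mech_name = mech->mech_name;
	return request;
}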
59 | |
/*
 * Create an auth request that is not allocated by a mechanism module.
 *
 * The request lives in its own alloc-only pool, which is stored in
 * request->pool. The mech field is not assigned here, and
 * auth_request_unref() releases request->pool directly when mech is NULL.
 * Other fields are initialised as in auth_request_new(): state NEW with
 * the per-state counter bumped, refcount 1, last_access = ioloop_time and
 * the global auth settings.
 */
struct auth_request *auth_request_new_dummy(void)
{
	pool_t request_pool = pool_alloconly_create("auth_request", 1024);
	struct auth_request *dummy = p_new(request_pool, struct auth_request, 1);

	dummy->pool = request_pool;

	dummy->state = AUTH_REQUEST_STATE_NEW;
	auth_request_state_count[AUTH_REQUEST_STATE_NEW] += 1;

	dummy->refcount = 1;
	dummy->last_access = ioloop_time;
	dummy->set = global_auth_settings;
	return dummy;
}
3185
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
77 |
/*
 * Move a request to a new state and keep the per-state counters in step.
 *
 * Does nothing when the request is already in the requested state.
 * Otherwise the old state's counter is decremented (asserting that it is
 * non-zero, so the unsigned counter cannot wrap), the new state's counter
 * is incremented, and the process title is refreshed.
 *
 * NOTE(review): state is used as an array index without a range check;
 * callers are presumably expected to pass a value below
 * AUTH_REQUEST_STATE_MAX.
 */
void auth_request_set_state(struct auth_request *request,
			    enum auth_request_state state)
{
	if (request->state != state) {
		i_assert(auth_request_state_count[request->state] > 0);
		auth_request_state_count[request->state] -= 1;
		auth_request_state_count[state] += 1;

		request->state = state;
		auth_refresh_proctitle();
	}
}
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
91 |
/*
 * Bind a request to the auth configuration of its service.
 *
 * Looks up the struct auth for request->service and copies its settings
 * and the heads of its passdb and userdb lists into the request. This
 * replaces the global settings assigned when the request was created.
 *
 * NOTE(review): the lookup result is dereferenced without a NULL check;
 * presumably auth_find_service() always returns a usable entry. Confirm.
 */
void auth_request_init(struct auth_request *request)
{
	struct auth *service_auth = auth_request_get_auth(request);

	request->set = service_auth->set;
	request->passdb = service_auth->passdbs;
	request->userdb = service_auth->userdbs;
}
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10897
diff
changeset
|
101 |
/* Return the struct auth that auth_find_service() selects for this
   request's service name. */
struct auth *auth_request_get_auth(struct auth_request *request)
{
	struct auth *service_auth = auth_find_service(request->service);

	return service_auth;
}
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10897
diff
changeset
|
106 |
/*
 * Called by a mechanism when the client's credentials were accepted.
 *
 * The request must be in the MECH_CONTINUE state. data/data_size is an
 * optional final mechanism response to pass on to the client.
 *
 * Outcomes:
 *  - passdb_failure is set: the request is failed instead.
 *  - there is final data and the client did not set final_resp_ok: the
 *    data is sent as a continuation and the request stays unfinished.
 *  - otherwise: the request is finished and a SUCCESS reply is sent.
 */
void auth_request_success(struct auth_request *request,
			  const void *data, size_t data_size)
{
	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

	/* This check has to stay ahead of the "successful" assignment: the
	   password was valid, but some other check failed, so the request
	   must never be marked successful. */
	if (request->passdb_failure) {
		auth_request_fail(request);
		return;
	}

	request->successful = TRUE;
	if (data_size == 0 || request->final_resp_ok) {
		auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
		auth_request_refresh_last_access(request);
		auth_request_handler_reply(request, AUTH_CLIENT_RESULT_SUCCESS,
					   data, data_size);
	} else {
		/* the client doesn't support a final SASL response, so one
		   more SASL round is needed to deliver the data */
		auth_request_handler_reply_continue(request, data, data_size);
	}
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
131 |
/*
 * Finish a request as failed.
 *
 * The request must be in the MECH_CONTINUE state. It is moved to
 * FINISHED, its last-access time is refreshed, and a FAILURE reply with
 * no data is handed to the request handler.
 */
void auth_request_fail(struct auth_request *request)
{
	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

	auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
	auth_request_refresh_last_access(request);

	/* a failure reply never carries mechanism data */
	auth_request_handler_reply(request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0);
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
141 |
/* Fail the request after flagging it as an internal failure. The flag is
   set before auth_request_fail() runs, so it is already in place when the
   failure reply is produced. */
void auth_request_internal_failure(struct auth_request *request)
{
	request->internal_failure = TRUE;

	auth_request_fail(request);
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
147 |
/* Take one more reference to the request. Every reference must later be
   dropped with auth_request_unref(). */
void auth_request_ref(struct auth_request *request)
{
	request->refcount += 1;
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
152 |
/*
 * Drop one reference to the request and clear the caller's pointer.
 *
 * *_request is always set to NULL, whether or not this was the last
 * reference, so the caller cannot keep using a stale pointer. When the
 * last reference is dropped, the per-state counter is decremented, the
 * mechanism password is wiped, pending timeouts are removed and the
 * request is freed.
 */
void auth_request_unref(struct auth_request **_request)
{
	struct auth_request *request = *_request;

	*_request = NULL;
	i_assert(request->refcount > 0);
	request->refcount--;
	if (request->refcount > 0)
		return;

	/* NOTE(review): unlike auth_request_set_state(), nothing asserts
	   here that the counter is non-zero before it is decremented. */
	auth_request_state_count[request->state] -= 1;
	auth_refresh_proctitle();

	if (request->mech_password != NULL) {
		/* Wipe the password before the memory is released, so it
		   does not linger in freed memory. strlen() limits the wipe
		   to the bytes before the first NUL. */
		size_t password_len = strlen(request->mech_password);

		safe_memset(request->mech_password, 0, password_len);
	}

	if (request->to_abort != NULL) {
		timeout_remove(&request->to_abort);
	}
	if (request->to_penalty != NULL) {
		timeout_remove(&request->to_penalty);
	}

	/* Requests without a mechanism are released through their own pool.
	   Otherwise the mechanism's auth_free() callback is responsible for
	   releasing the request. */
	if (request->mech == NULL) {
		pool_unref(&request->pool);
	} else {
		request->mech->auth_free(request);
	}
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
180 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
181 void auth_request_export(struct auth_request *request, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
182 struct auth_stream_reply *reply) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
183 { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
184 auth_stream_reply_add(reply, "user", request->user); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
185 auth_stream_reply_add(reply, "service", request->service); |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
186 |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
187 if (request->master_user != NULL) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
188 auth_stream_reply_add(reply, "master_user", |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
189 request->master_user); |
8346
9f66028a1089
Pass original_username to auth-workers.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
190 } |
8347
fc5683975951
auth: original_username should never be NULL, removed all code that checks for it.
Timo Sirainen <tss@iki.fi>
parents:
8346
diff
changeset
|
191 auth_stream_reply_add(reply, "original_username", |
fc5683975951
auth: original_username should never be NULL, removed all code that checks for it.
Timo Sirainen <tss@iki.fi>
parents:
8346
diff
changeset
|
192 request->original_username); |
12006
3ba227176cde
auth: Pass requested_login_user to auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
12005
diff
changeset
|
193 auth_stream_reply_add(reply, "requested_login_user", |
3ba227176cde
auth: Pass requested_login_user to auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
12005
diff
changeset
|
194 request->requested_login_user); |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
195 |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
196 if (request->local_ip.family != 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
197 auth_stream_reply_add(reply, "lip", |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
198 net_ip2addr(&request->local_ip)); |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
199 } |
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
200 if (request->remote_ip.family != 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
201 auth_stream_reply_add(reply, "rip", |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
202 net_ip2addr(&request->remote_ip)); |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
203 } |
5882
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5879
diff
changeset
|
204 if (request->local_port != 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
205 auth_stream_reply_add(reply, "lport", |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
206 dec2str(request->local_port)); |
5882
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5879
diff
changeset
|
207 } |
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5879
diff
changeset
|
208 if (request->remote_port != 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
209 auth_stream_reply_add(reply, "rport", |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
210 dec2str(request->remote_port)); |
5882
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5879
diff
changeset
|
211 } |
5585
e33158bc72b0
%c wasn't exported to auth worker processes. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
5475
diff
changeset
|
212 if (request->secured) |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
213 auth_stream_reply_add(reply, "secured", "1"); |
7318
be991f857c70
Fixed pass=yes with blocking passdbs. Also master_user wasn't exported
Timo Sirainen <tss@iki.fi>
parents:
7278
diff
changeset
|
214 if (request->skip_password_check) |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
215 auth_stream_reply_add(reply, "skip_password_check", "1"); |
8320
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
8163
diff
changeset
|
216 if (request->valid_client_cert) |
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
8163
diff
changeset
|
217 auth_stream_reply_add(reply, "valid-client-cert", "1"); |
12812
bf6749d4db08
auth: Allow clients to specify that they want to skip auth penalty check.
Timo Sirainen <tss@iki.fi>
parents:
12794
diff
changeset
|
218 if (request->no_penalty) |
bf6749d4db08
auth: Allow clients to specify that they want to skip auth penalty check.
Timo Sirainen <tss@iki.fi>
parents:
12794
diff
changeset
|
219 auth_stream_reply_add(reply, "no-penalty", "1"); |
12941
bbcef91eac7e
auth: Export/import auth_request->successful for auth workers.
Timo Sirainen <tss@iki.fi>
parents:
12915
diff
changeset
|
220 if (request->successful) |
bbcef91eac7e
auth: Export/import auth_request->successful for auth workers.
Timo Sirainen <tss@iki.fi>
parents:
12915
diff
changeset
|
221 auth_stream_reply_add(reply, "successful", "1"); |
8111
d49bdda63506
auth: %m variable didn't work with blocking passdbs
Timo Sirainen <tss@iki.fi>
parents:
7919
diff
changeset
|
222 if (request->mech_name != NULL) |
d49bdda63506
auth: %m variable didn't work with blocking passdbs
Timo Sirainen <tss@iki.fi>
parents:
7919
diff
changeset
|
223 auth_stream_reply_add(reply, "mech", request->mech_name); |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
224 } |
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
225 |
13728
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13566
diff
changeset
|
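/* Parse a decimal port number received as a request field.

   Returns the port, or 0 when the value does not start with a digit, has
   trailing characters, or is larger than 65535. 0 is the value this file
   already treats as "port not set" (the export code only sends lport/rport
   when the port is != 0), so a malformed value is dropped instead of being
   stored as whatever atoi() happened to produce. */
static unsigned int auth_request_parse_port(const char *value)
{
	char *end;
	long port;

	/* strtol() would accept leading whitespace and a sign; require a
	   plain digit string instead */
	if (*value < '0' || *value > '9')
		return 0;

	port = strtol(value, &end, 10);
	if (*end != '\0')
		return 0;
	/* strtol() saturates to LONG_MAX on overflow, so this range check
	   also rejects overflowing input */
	if (port > 65535)
		return 0;
	return (unsigned int)port;
}

/* Import a key=value field that both authentication and user lookups are
   allowed to set: service, lip, rip, lport and rport.

   Returns TRUE if the key is one of the above and was handled here, FALSE
   for any other key. The return value only says whether the key was
   recognized; it does not say whether the value was well-formed. */
bool auth_request_import_info(struct auth_request *request,
			      const char *key, const char *value)
{
	/* authentication and user lookups may set these */
	if (strcmp(key, "service") == 0) {
		request->service = p_strdup(request->pool, value);
	} else if (strcmp(key, "lip") == 0) {
		/* NOTE(review): the result of net_addr2ip() is not checked,
		   so an unparsable address is not reported to the caller.
		   Confirm what it leaves in local_ip on failure. */
		net_addr2ip(value, &request->local_ip);
	} else if (strcmp(key, "rip") == 0) {
		/* NOTE(review): same unchecked conversion as "lip" above */
		net_addr2ip(value, &request->remote_ip);
	} else if (strcmp(key, "lport") == 0) {
		/* peer-supplied text: validate instead of atoi(), which
		   cannot signal garbage, negative or out-of-range input */
		request->local_port = auth_request_parse_port(value);
	} else if (strcmp(key, "rport") == 0) {
		request->remote_port = auth_request_parse_port(value);
	} else {
		return FALSE;
	}
	return TRUE;
}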
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13566
diff
changeset
|
244 |
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13566
diff
changeset
|
/* Import a field that an auth client is allowed to set on a request.

   Keys accepted by auth_request_import_info() are tried first. On top of
   those this accepts secured, final-resp-ok, no-penalty, valid-client-cert
   and cert_username. Returns TRUE if the key was recognized, FALSE if not.

   For the four flag keys only the presence of the key matters: the value
   is not looked at. Nothing in this function verifies the claims itself
   (e.g. that the connection really is secured); they are taken as sent by
   the auth client. */
bool auth_request_import_auth(struct auth_request *request,
			      const char *key, const char *value)
{
	if (auth_request_import_info(request, key, value))
		return TRUE;

	/* auth client may set these */
	if (strcmp(key, "secured") == 0) {
		request->secured = TRUE;
		return TRUE;
	}
	if (strcmp(key, "final-resp-ok") == 0) {
		request->final_resp_ok = TRUE;
		return TRUE;
	}
	if (strcmp(key, "no-penalty") == 0) {
		request->no_penalty = TRUE;
		return TRUE;
	}
	if (strcmp(key, "valid-client-cert") == 0) {
		request->valid_client_cert = TRUE;
		return TRUE;
	}
	if (strcmp(key, "cert_username") != 0)
		return FALSE;

	/* cert_username is a known key even when the setting is off; in
	   that case it is accepted and ignored */
	if (request->set->ssl_username_from_cert) {
		/* take the username from the SSL certificate. it replaces
		   the username given by the auth mechanism.
		   NOTE(review): this branch does not look at
		   valid_client_cert; presumably the auth client only sends
		   cert_username for a verified certificate - confirm at
		   the sender. */
		request->user = p_strdup(request->pool, value);
		request->cert_username = TRUE;
	}
	return TRUE;
}
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13566
diff
changeset
|
272 |
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13566
diff
changeset
|
/* Import any request field, including the internal ones exchanged between
   the auth master and auth worker processes.

   Keys accepted by auth_request_import_auth() are tried first. On top of
   those this accepts user, master_user, original_username,
   requested_login_user, nologin, successful, skip_password_check and mech.
   Returns TRUE if the key was recognized, FALSE if not.

   The extra keys here decide who the request is for and whether the
   password check is skipped, so input that comes from an auth client
   belongs in auth_request_import_auth(), which does not accept them. */
bool auth_request_import(struct auth_request *request,
			 const char *key, const char *value)
{
	if (auth_request_import_auth(request, key, value))
		return TRUE;

	/* for communication between auth master and worker processes */
	if (strcmp(key, "user") == 0) {
		request->user = p_strdup(request->pool, value);
		return TRUE;
	}
	if (strcmp(key, "master_user") == 0) {
		request->master_user = p_strdup(request->pool, value);
		return TRUE;
	}
	if (strcmp(key, "original_username") == 0) {
		request->original_username = p_strdup(request->pool, value);
		return TRUE;
	}
	if (strcmp(key, "requested_login_user") == 0) {
		request->requested_login_user =
			p_strdup(request->pool, value);
		return TRUE;
	}
	if (strcmp(key, "nologin") == 0) {
		request->no_login = TRUE;
		return TRUE;
	}
	if (strcmp(key, "successful") == 0) {
		request->successful = TRUE;
		return TRUE;
	}
	if (strcmp(key, "skip_password_check") == 0) {
		/* only valid once master_user has been imported, so the
		   sender has to put master_user before this key */
		i_assert(request->master_user != NULL);
		request->skip_password_check = TRUE;
		return TRUE;
	}
	if (strcmp(key, "mech") == 0) {
		request->mech_name = p_strdup(request->pool, value);
		return TRUE;
	}
	return FALSE;
}
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
302 |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
10082
diff
changeset
|
/* Start the mechanism exchange for a new request.

   The request must be in AUTH_REQUEST_STATE_NEW. It is moved to
   AUTH_REQUEST_STATE_MECH_CONTINUE and the mechanism's auth_initial()
   callback is then called with the initial response stored in the
   request. */
void auth_request_initial(struct auth_request *request)
{
	/* a request is started exactly once */
	i_assert(request->state == AUTH_REQUEST_STATE_NEW);

	/* switch state first, then hand over to the mechanism */
	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
	request->mech->auth_initial(request,
				    request->initial_response,
				    request->initial_response_len);
}
311 | |
/* Feed the next chunk of client data to an ongoing mechanism exchange.

   The request must be in AUTH_REQUEST_STATE_MECH_CONTINUE. If the request
   is already marked successful, the data is not passed to the mechanism:
   auth_request_success() is called with no reply data instead. Otherwise
   the last-access time is refreshed and the mechanism's auth_continue()
   callback receives data/data_size. */
void auth_request_continue(struct auth_request *request,
			   const unsigned char *data, size_t data_size)
{
	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

	if (!request->successful) {
		auth_request_refresh_last_access(request);
		request->mech->auth_continue(request, data, data_size);
		return;
	}

	/* authentication already succeeded; whatever the client sent in
	   this step is ignored */
	auth_request_success(request, NULL, 0);
}
325 | |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
326 static void auth_request_save_cache(struct auth_request *request, |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
327 enum passdb_result result) |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
328 { |
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
329 struct passdb_module *passdb = request->passdb->passdb; |
10689
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
330 const char *extra_fields, *encoded_password; |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
331 string_t *str; |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
332 |
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
333 switch (result) { |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
334 case PASSDB_RESULT_USER_UNKNOWN: |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
335 case PASSDB_RESULT_PASSWORD_MISMATCH: |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
336 case PASSDB_RESULT_OK: |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
337 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE: |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
338 /* can be cached */ |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
339 break; |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
340 case PASSDB_RESULT_USER_DISABLED: |
4374
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
341 case PASSDB_RESULT_PASS_EXPIRED: |
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
342 /* FIXME: we can't cache this now, or cache lookup would |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
343 return success. */ |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
344 return; |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
345 case PASSDB_RESULT_INTERNAL_FAILURE: |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
346 i_unreached(); |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
347 } |
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
348 |
3520 | 349 extra_fields = request->extra_fields == NULL ? NULL : |
350 auth_stream_reply_export(request->extra_fields); | |
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3431
diff
changeset
|
351 |
12363
075963b71b94
auth: Disable auth caching entirely for master users.
Timo Sirainen <tss@iki.fi>
parents:
12297
diff
changeset
|
352 if (passdb_cache == NULL || passdb->cache_key == NULL || |
075963b71b94
auth: Disable auth caching entirely for master users.
Timo Sirainen <tss@iki.fi>
parents:
12297
diff
changeset
|
353 request->master_user != NULL) |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
354 return; |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
355 |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
356 if (result < 0) { |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
357 /* lookup failed. */ |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
358 if (result == PASSDB_RESULT_USER_UNKNOWN) { |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
359 auth_cache_insert(passdb_cache, request, |
4658
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
360 passdb->cache_key, "", FALSE); |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
361 } |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
362 return; |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
363 } |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
364 |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
365 if (!request->no_password && request->passdb_password == NULL) { |
3656
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
366 /* passdb didn't provide the correct password */ |
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
367 if (result != PASSDB_RESULT_OK || |
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
368 request->mech_password == NULL) |
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
369 return; |
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
370 |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
371 /* we can still cache valid password lookups though. |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
372 strdup() it so that mech_password doesn't get |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
373 cleared too early. */ |
10689
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
374 if (!password_generate_encoded(request->mech_password, |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
375 request->user, |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
376 CACHED_PASSWORD_SCHEME, |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
377 &encoded_password)) |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
378 i_unreached(); |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
379 request->passdb_password = |
10689
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
380 p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}", |
46ae2e53d688
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
Timo Sirainen <tss@iki.fi>
parents:
10585
diff
changeset
|
381 encoded_password, NULL); |
3645
81180ca12997
We were caching failed blocking requests wrong.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
382 } |
81180ca12997
We were caching failed blocking requests wrong.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
383 |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
384 /* save all except the currently given password in cache */ |
3520 | 385 str = t_str_new(256); |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
386 if (request->passdb_password != NULL) { |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
387 if (*request->passdb_password != '{') { |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
388 /* cached passwords must have a known scheme */ |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
389 str_append_c(str, '{'); |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
390 str_append(str, passdb->default_pass_scheme); |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
391 str_append_c(str, '}'); |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
392 } |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
393 if (strchr(request->passdb_password, '\t') != NULL) |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
394 i_panic("%s: Password contains TAB", request->user); |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
395 if (strchr(request->passdb_password, '\n') != NULL) |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
396 i_panic("%s: Password contains LF", request->user); |
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
397 str_append(str, request->passdb_password); |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
398 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
399 |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
400 if (extra_fields != NULL && *extra_fields != '\0') { |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
401 str_append_c(str, '\t'); |
3520 | 402 str_append(str, extra_fields); |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
403 } |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
404 if (request->extra_cache_fields != NULL) { |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
405 extra_fields = |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
406 auth_stream_reply_export(request->extra_cache_fields); |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
407 if (*extra_fields != '\0') { |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
408 str_append_c(str, '\t'); |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
409 str_append(str, extra_fields); |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
410 } |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
411 } |
4658
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
412 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str), |
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
413 result == PASSDB_RESULT_OK); |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
414 } |
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
415 |
12558
f9d34d929c3f
auth: Master user login + prefetch userdb changed username to master user.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
/* Rewrite request->userdb_reply so that its first field (added without a
   key) is the current request->user, while keeping every field that
   followed the first TAB in the old reply. Called from
   auth_request_master_lookup_finish() after request->user has been switched
   to the user the master is logging in as. */
static void auth_request_userdb_reply_update_user(struct auth_request *request)
{
	const char *exported, *rest;

	/* work on a copy: the reply is reset below (presumably the exported
	   string points into the reply's own buffer - confirm) */
	exported = t_strdup(auth_stream_reply_export(request->userdb_reply));

	/* start over with the new username as the first field */
	auth_stream_reply_reset(request->userdb_reply);
	auth_stream_reply_add(request->userdb_reply, NULL, request->user);

	/* everything up to the first TAB (presumably the old username) is
	   dropped; whatever follows it is imported back unchanged */
	rest = strchr(exported, '\t');
	if (rest == NULL)
		return;
	auth_stream_reply_import(request->userdb_reply, rest + 1);
}
f9d34d929c3f
auth: Master user login + prefetch userdb changed username to master user.
Timo Sirainen <tss@iki.fi>
parents:
12489
diff
changeset
|
431 |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
/* Finish a successful master passdb lookup: switch the request from the
   master user to the user it asked to log in as.

   Returns TRUE when the request needs no further passdb lookups (either
   passdb_failure was already set, or the master passdb doesn't have
   pass=yes). Returns FALSE when authentication must continue with a passdb
   lookup for the new request->user.

   Security note: this sets skip_password_check, so it must be reached only
   after the master user's own credentials were accepted. The caller visible
   in this file invokes it only for PASSDB_RESULT_OK. */
static bool auth_request_master_lookup_finish(struct auth_request *request)
{
	struct auth_passdb *db;

	if (request->passdb_failure)
		return TRUE;

	/* master login successful. this log line names the target user;
	   keep it, it is the record that a master login happened. */
	auth_request_log_info(request, "passdb", "Master user logging in as %s",
			      request->requested_login_user);

	/* update user and master_user variables */
	request->master_user = request->user;
	request->user = request->requested_login_user;
	request->requested_login_user = NULL;
	if (request->userdb_reply != NULL)
		auth_request_userdb_reply_update_user(request);

	/* from here on the target user's password is not verified, and the
	   master's passdb password must not be reused for the target user */
	request->passdb_password = NULL;
	request->skip_password_check = TRUE;

	if (!request->passdb->set->pass) {
		/* skip the passdb lookup, we're authenticated now. */
		return TRUE;
	}

	/* the authentication continues with passdb lookup for the
	   requested_login_user, starting again from the first passdb. */
	request->passdb = auth_request_get_auth(request)->passdbs;

	/* look for any passdb that has a lookup_credentials handler */
	db = request->passdb;
	while (db != NULL && db->passdb->iface.lookup_credentials == NULL)
		db = db->next;
	if (db == NULL) {
		/* NOTE(review): this only logs; FALSE is still returned and
		   how the continued lookup ends is decided outside this
		   function - confirm it cannot succeed in this case. */
		auth_request_log_error(request, "passdb",
			"No passdbs support skipping password verification - "
			"pass=yes can't be used in master passdb");
	}
	return FALSE;
}
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
472 |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
/* Decide what to do with the result of one passdb lookup.

   Returns TRUE when *result is final (it may have been rewritten here) and
   FALSE when the caller should run the lookup again; request->passdb has
   then been moved to the passdb to use next.

   Whatever the outcome, the password string the passdb returned is wiped
   first. */
static bool
auth_request_handle_passdb_callback(enum passdb_result *result,
				    struct auth_request *request)
{
	/* wipe the passdb's password from memory. safe_memset() rather than
	   memset(), presumably so the wipe can't be optimized away. */
	if (request->passdb_password != NULL) {
		safe_memset(request->passdb_password, 0,
			    strlen(request->passdb_password));
	}

	if (request->passdb->set->deny &&
	    *result != PASSDB_RESULT_USER_UNKNOWN) {
		/* deny passdb. we can get through this step only if the
		   lookup returned that user doesn't exist in it. internal
		   errors are fatal here: they are passed on unchanged
		   rather than treated as "not found". */
		if (*result != PASSDB_RESULT_INTERNAL_FAILURE) {
			auth_request_log_info(request, "passdb",
					      "User found from deny passdb");
			*result = PASSDB_RESULT_USER_DISABLED;
		}
		return TRUE;
	}

	if (*result == PASSDB_RESULT_OK) {
		/* success */
		if (request->requested_login_user != NULL) {
			/* this was a master user lookup. */
			return auth_request_master_lookup_finish(request);
		}
		if (!request->passdb->set->pass)
			return TRUE;

		/* this wasn't the final passdb lookup,
		   continue to next passdb.
		   NOTE(review): ->next is not checked for NULL here;
		   presumably config validation rejects pass=yes on the
		   last passdb - confirm. */
		request->passdb = request->passdb->next;
		request->passdb_password = NULL;
		return FALSE;
	}

	if (*result == PASSDB_RESULT_PASS_EXPIRED) {
		if (request->extra_fields == NULL) {
			request->extra_fields =
				auth_stream_reply_init(request->pool);
		}
		auth_stream_reply_add(request->extra_fields, "reason",
				      "Password expired");
		return TRUE;
	}

	if (request->passdb->next != NULL &&
	    *result != PASSDB_RESULT_USER_DISABLED) {
		/* try next passdb. */
		request->passdb = request->passdb->next;
		request->passdb_password = NULL;

		switch (*result) {
		case PASSDB_RESULT_USER_UNKNOWN:
			/* remember that we did at least one successful
			   passdb lookup */
			request->passdb_user_unknown = TRUE;
			break;
		case PASSDB_RESULT_INTERNAL_FAILURE:
			/* remember that we have had an internal failure. at
			   the end return internal failure if we couldn't
			   successfully login. */
			request->passdb_internal_failure = TRUE;
			break;
		default:
			break;
		}
		/* drop the extra fields collected so far before the next
		   passdb lookup runs */
		if (request->extra_fields != NULL)
			auth_stream_reply_reset(request->extra_fields);
		return FALSE;
	}

	if (request->passdb_internal_failure) {
		/* an earlier passdb lookup returned internal failure. it may
		   have had the correct password, so return internal failure
		   instead of plain failure. */
		*result = PASSDB_RESULT_INTERNAL_FAILURE;
	}
	return TRUE;
}
/* Last step of one plaintext verification attempt. The result is first run
   through auth_request_handle_passdb_callback(); depending on its answer the
   request is either restarted or the result is delivered to the callback
   stored in request->private_callback.verify_plain. */
static void
auth_request_verify_plain_callback_finish(enum passdb_result result,
					  struct auth_request *request)
{
	if (auth_request_handle_passdb_callback(&result, request)) {
		/* this result is final. a reference is held across the
		   callback, presumably because the callback may release its
		   own reference to the request. */
		auth_request_ref(request);
		request->private_callback.verify_plain(result, request);
		auth_request_unref(&request);
		return;
	}

	/* try next passdb */
	auth_request_verify_plain(request, request->mech_password,
				  request->private_callback.verify_plain);
}
/* Result callback for plaintext password verification. The request must be
   in AUTH_REQUEST_STATE_PASSDB; it is moved back to
   AUTH_REQUEST_STATE_MECH_CONTINUE before the result is processed.

   Any result other than an internal failure has the passdb's override
   fields exported and is saved to the cache. On internal failure the
   cache is consulted again, this time accepting an expired record. */
void auth_request_verify_plain_callback(enum passdb_result result,
					struct auth_request *request)
{
	struct passdb_module *passdb = request->passdb->passdb;

	i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);

	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);

	if (result == PASSDB_RESULT_INTERNAL_FAILURE) {
		/* lookup failed. if we only got here because the cached
		   record had expired, fall back to that expired record.

		   NOTE(review): while the backend keeps failing, a password
		   changed or an account disabled after the record was cached
		   can presumably still be accepted from the stale entry.
		   This trades freshness for availability; the fallback is
		   logged below so it can be monitored. */
		if (passdb_cache_verify_plain(request, passdb->cache_key,
					      request->mech_password,
					      &result, TRUE)) {
			auth_request_log_info(request, "passdb",
				"Falling back to expired data from cache");
		}
	} else {
		passdb_template_export(passdb->override_fields_tmpl, request);
		auth_request_save_cache(request, result);
	}

	auth_request_verify_plain_callback_finish(result, request);
}
/* Returns true when the password contains \001, TAB, CR or LF. These
   characters have a special meaning in internal protocols, so a password
   containing them must not get there unescaped. */
static bool password_has_illegal_chars(const char *password)
{
	const char *p = password;

	/* advance to the first illegal character or the terminating NUL */
	while (*p != '\0' && *p != '\001' && *p != '\t' &&
	       *p != '\r' && *p != '\n')
		p++;

	/* stopping before the NUL means an illegal character was found */
	return *p != '\0';
}
/* Verifies a plaintext password for the request and reports the outcome
   through callback. The request must be in
   AUTH_REQUEST_STATE_MECH_CONTINUE.

   Order of checks: a missing passdb and a password containing illegal
   characters are both answered with PASSDB_RESULT_USER_UNKNOWN before
   anything else is consulted; then the passdb cache is tried; only on a
   cache miss is the request handed to the passdb itself. */
void auth_request_verify_plain(struct auth_request *request,
			       const char *password,
			       verify_plain_callback_t *callback)
{
	struct passdb_module *passdb;
	enum passdb_result result;
	const char *cache_key = NULL;

	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

	if (request->passdb == NULL) {
		/* no masterdbs, master logins not supported */
		i_assert(request->requested_login_user != NULL);
		auth_request_log_info(request, "passdb",
			"Attempted master login with no master passdbs "
			"(trying to log in as user: %s)",
			request->requested_login_user);
		callback(PASSDB_RESULT_USER_UNKNOWN, request);
		return;
	}

	if (password_has_illegal_chars(password)) {
		/* rejected before the cache or any passdb sees it. the log
		   line records the attempt but not the password itself. */
		auth_request_log_info(request, "passdb",
			"Attempted login with password having illegal chars");
		callback(PASSDB_RESULT_USER_UNKNOWN, request);
		return;
	}

	passdb = request->passdb->passdb;
	if (request->mech_password != NULL) {
		/* we were re-entered for the next passdb: the caller must
		   pass back the copy saved on the first attempt */
		i_assert(request->mech_password == password);
	} else {
		/* NOTE(review): the plaintext copy is allocated from
		   request->pool; confirm it is wiped when the request is
		   freed. */
		request->mech_password = p_strdup(request->pool, password);
	}
	request->private_callback.verify_plain = callback;

	/* without a cache the key stays NULL */
	if (passdb_cache != NULL)
		cache_key = passdb->cache_key;
	if (passdb_cache_verify_plain(request, cache_key, password,
				      &result, FALSE)) {
		auth_request_verify_plain_callback_finish(result, request);
		return;
	}

	auth_request_set_state(request, AUTH_REQUEST_STATE_PASSDB);
	request->credentials_scheme = NULL;

	if (passdb->iface.verify_plain == NULL) {
		/* we're deinitializing and just want to get rid of this
		   request */
		auth_request_verify_plain_callback(
			PASSDB_RESULT_INTERNAL_FAILURE, request);
		return;
	}
	if (passdb->blocking) {
		passdb_blocking_verify_plain(request);
		return;
	}

	passdb_template_export(passdb->default_fields_tmpl, request);
	passdb->iface.verify_plain(request, password,
				   auth_request_verify_plain_callback);
}
/* Last step of one credentials lookup attempt. The result is first run
   through auth_request_handle_passdb_callback(); depending on its answer the
   lookup is either restarted or the result and credentials are delivered to
   request->private_callback.lookup_credentials. */
static void
auth_request_lookup_credentials_finish(enum passdb_result result,
				       const unsigned char *credentials,
				       size_t size,
				       struct auth_request *request)
{
	if (!auth_request_handle_passdb_callback(&result, request)) {
		/* try next passdb */
		auth_request_lookup_credentials(request,
			request->credentials_scheme,
			request->private_callback.lookup_credentials);
		return;
	}

	if (request->set->debug_passwords &&
	    result == PASSDB_RESULT_OK) {
		/* with debug_passwords set, the looked up credentials are
		   written hex-encoded to the debug log. that log then
		   contains credential material and must be protected
		   accordingly. */
		auth_request_log_debug(request, "password",
				       "Credentials: %s",
				       binary_to_hex(credentials, size));
	}

	if (result == PASSDB_RESULT_SCHEME_NOT_AVAILABLE &&
	    request->passdb_user_unknown) {
		/* one of the passdbs accepted the scheme,
		   but the user was unknown there */
		result = PASSDB_RESULT_USER_UNKNOWN;
	}

	/* NOTE(review): no auth_request_ref()/unref() pair is taken around
	   this callback, unlike auth_request_verify_plain_callback_finish();
	   confirm the callers on this path keep their own reference. */
	request->private_callback.
		lookup_credentials(result, credentials, size, request);
}
/* Result callback for credentials lookups. The request must be in
   AUTH_REQUEST_STATE_PASSDB; it is moved back to
   AUTH_REQUEST_STATE_MECH_CONTINUE before the result is processed.

   Any result other than an internal failure has the passdb's override
   fields exported and is saved to the cache. On internal failure the
   cache is consulted again, this time accepting an expired record; when
   one is found it replaces the credentials given by the caller. */
void auth_request_lookup_credentials_callback(enum passdb_result result,
					      const unsigned char *credentials,
					      size_t size,
					      struct auth_request *request)
{
	struct passdb_module *passdb = request->passdb->passdb;
	const char *cache_cred, *cache_scheme;

	i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);

	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);

	if (result == PASSDB_RESULT_INTERNAL_FAILURE) {
		/* lookup failed. if we only got here because the cached
		   record had expired, fall back to that expired record.

		   NOTE(review): while the backend keeps failing, credentials
		   that were changed or revoked after the record was cached
		   can presumably still be served from the stale entry. The
		   fallback is logged below so it can be monitored. */
		if (passdb_cache_lookup_credentials(request,
						    passdb->cache_key,
						    &cache_cred,
						    &cache_scheme,
						    &result, TRUE)) {
			auth_request_log_info(request, "passdb",
				"Falling back to expired data from cache");
			passdb_handle_credentials(
				result, cache_cred, cache_scheme,
				auth_request_lookup_credentials_finish,
				request);
			return;
		}
	} else {
		passdb_template_export(passdb->override_fields_tmpl, request);
		auth_request_save_cache(request, result);
	}

	auth_request_lookup_credentials_finish(result, credentials, size,
					       request);
}
730 | |
/* Look up the stored credentials for the request in the given scheme and
   hand the outcome to callback.

   The passdb cache is consulted first. On a cache hit the cached credentials
   go through passdb_handle_credentials() and the passdb itself is not
   queried. Otherwise the request moves to AUTH_REQUEST_STATE_PASSDB and the
   lookup is dispatched to the passdb, directly or through the blocking
   helper. A passdb with no lookup_credentials handler yields
   PASSDB_RESULT_SCHEME_NOT_AVAILABLE.

   The request must be in AUTH_REQUEST_STATE_MECH_CONTINUE (asserted). */
void auth_request_lookup_credentials(struct auth_request *request,
				     const char *scheme,
				     lookup_credentials_callback_t *callback)
{
	struct passdb_module *module = request->passdb->passdb;
	const char *key = NULL, *cached_cred, *cached_scheme;
	enum passdb_result res;

	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

	/* the scheme string is copied into the request's pool, so the
	   caller's buffer is not referenced after this call */
	request->credentials_scheme = p_strdup(request->pool, scheme);
	request->private_callback.lookup_credentials = callback;

	/* no cache key is used when the cache is disabled */
	if (passdb_cache != NULL)
		key = module->cache_key;

	/* the final argument is FALSE here; the failure path elsewhere in
	   this file passes TRUE and logs a fallback to expired data, so it
	   presumably selects whether expired entries are accepted -
	   confirm against passdb_cache_lookup_credentials() */
	if (key != NULL &&
	    passdb_cache_lookup_credentials(request, key,
					    &cached_cred, &cached_scheme,
					    &res, FALSE)) {
		passdb_handle_credentials(
			res, cached_cred, cached_scheme,
			auth_request_lookup_credentials_finish,
			request);
		return;
	}

	auth_request_set_state(request, AUTH_REQUEST_STATE_PASSDB);

	/* the handler is checked for NULL before the blocking flag, so a
	   blocking passdb without credential lookup support is answered
	   here instead of being dispatched */
	if (module->iface.lookup_credentials == NULL) {
		/* this passdb doesn't support credentials */
		auth_request_log_debug(request, "password",
			"passdb doesn't support credential lookups");
		auth_request_lookup_credentials_callback(
			PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, 0, request);
		return;
	}
	if (module->blocking) {
		passdb_blocking_lookup_credentials(request);
		return;
	}

	passdb_template_export(module->default_fields_tmpl, request);
	module->iface.lookup_credentials(request,
		auth_request_lookup_credentials_callback);
}
773 | |
/* Store new credentials for the request's user in the current passdb.

   The value handed to the passdb is "{scheme}data". Any passdb cache entry
   for the request is removed before the update is dispatched. callback
   receives the outcome; a passdb that cannot update credentials gets
   PASSDB_RESULT_INTERNAL_FAILURE. */
void auth_request_set_credentials(struct auth_request *request,
				  const char *scheme, const char *data,
				  set_credentials_callback_t *callback)
{
	struct passdb_module *module = request->passdb->passdb;
	const char *key = NULL, *encoded;

	if (passdb_cache != NULL)
		key = module->cache_key;
	/* the cached entry is dropped before the outcome of the update is
	   known - presumably so the old credentials are not served from
	   the cache afterwards */
	if (key != NULL)
		auth_cache_remove(passdb_cache, request, key);

	request->private_callback.set_credentials = callback;

	/* NOTE(review): scheme and data are formatted as given; this
	   function does not validate either of them */
	encoded = t_strdup_printf("{%s}%s", scheme, data);

	/* NOTE(review): unlike auth_request_lookup_credentials(), the
	   blocking branch is taken before iface.set_credentials is checked
	   for NULL - confirm that the blocking path copes with a passdb
	   that has no set_credentials handler */
	if (module->blocking) {
		passdb_blocking_set_credentials(request, encoded);
		return;
	}
	if (module->iface.set_credentials == NULL) {
		/* this passdb doesn't support credentials update */
		callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
		return;
	}
	module->iface.set_credentials(request, encoded, callback);
}
798 |
/* Save the result of a userdb lookup into the auth cache.

   Nothing is stored when the cache is disabled, when the userdb has no
   cache key, or when the request was made on behalf of a master user.
   USERDB_RESULT_USER_UNKNOWN is stored as an empty string (a negative
   entry); any other result stores the exported userdb reply. */
static void auth_request_userdb_save_cache(struct auth_request *request,
					   enum userdb_result result)
{
	struct userdb_module *module = request->userdb->userdb;
	const char *entry;

	if (passdb_cache == NULL)
		return;
	if (module->cache_key == NULL)
		return;
	/* master user requests are never written to the cache */
	if (request->master_user != NULL)
		return;

	if (result == USERDB_RESULT_USER_UNKNOWN)
		entry = "";
	else
		entry = auth_stream_reply_export(request->userdb_reply);

	/* last_success has no meaning with userdb */
	auth_cache_insert(passdb_cache, request, module->cache_key, entry,
			  FALSE);
}
814 |
/* Try to answer a userdb lookup from the auth cache.

   Returns TRUE and fills *reply_r and *result_r when a usable entry exists:
   an empty cached value is a negative entry (USERDB_RESULT_USER_UNKNOWN with
   an empty reply), anything else is imported into a new reply with
   USERDB_RESULT_OK. Returns FALSE, leaving both outputs untouched, for
   master user requests, on a cache miss, and on an expired entry unless
   use_expired is set. */
static bool auth_request_lookup_user_cache(struct auth_request *request,
					   const char *key,
					   struct auth_stream_reply **reply_r,
					   enum userdb_result *result_r,
					   bool use_expired)
{
	const char *cached;
	struct auth_cache_node *node;
	bool expired, neg_expired;

	/* master user requests never read from the cache */
	if (request->master_user != NULL)
		return FALSE;

	cached = auth_cache_lookup(passdb_cache, request, key, &node,
				   &expired, &neg_expired);
	if (cached == NULL) {
		auth_request_log_debug(request, "userdb-cache", "miss");
		return FALSE;
	}
	if (expired && !use_expired) {
		auth_request_log_debug(request, "userdb-cache", "expired");
		return FALSE;
	}

	/* the whole cached value is written to the debug log here */
	auth_request_log_debug(request, "userdb-cache", "hit: %s", cached);

	*reply_r = auth_stream_reply_init(request->pool);
	if (*cached == '\0') {
		/* negative cache entry */
		*result_r = USERDB_RESULT_USER_UNKNOWN;
	} else {
		*result_r = USERDB_RESULT_OK;
		auth_stream_reply_import(*reply_r, cached);
	}
	return TRUE;
}
849 |
/* Completion handler for a userdb lookup.

   A non-OK result with further userdbs configured restarts the lookup on
   the next userdb, remembering whether any of them failed internally. Once
   the chain is exhausted (or the lookup succeeded) the final result is
   decided, the cache is updated or consulted, and the callback stored in
   request->private_callback.userdb is invoked with that result. */
void auth_request_userdb_callback(enum userdb_result result,
				  struct auth_request *request)
{
	struct userdb_module *module = request->userdb->userdb;

	if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
		/* try next userdb. */
		if (result == USERDB_RESULT_INTERNAL_FAILURE)
			request->userdb_internal_failure = TRUE;

		request->userdb = request->userdb->next;
		auth_request_lookup_user(request,
					 request->private_callback.userdb);
		return;
	}

	if (result == USERDB_RESULT_OK) {
		userdb_template_export(module->override_fields_tmpl, request);
	} else if (request->userdb_internal_failure) {
		/* one of the userdb lookups failed. the user might have been
		   in there, so this is an internal failure and not a
		   "user unknown" answer */
		result = USERDB_RESULT_INTERNAL_FAILURE;
	} else if (result == USERDB_RESULT_USER_UNKNOWN &&
		   request->client_pid != 0) {
		/* this was an actual login attempt, the user should
		   have been found. */
		if (auth_request_get_auth(request)->userdbs->next == NULL) {
			auth_request_log_error(request, "userdb",
				"user not found from userdb %s",
				request->userdb->userdb->iface->name);
		} else {
			auth_request_log_error(request, "userdb",
				"user not found from any userdbs");
		}
	}

	/* nothing is cached when userdb_lookup_failed is set */
	if (!request->userdb_lookup_failed) {
		if (result != USERDB_RESULT_INTERNAL_FAILURE) {
			auth_request_userdb_save_cache(request, result);
		} else if (passdb_cache != NULL &&
			   module->cache_key != NULL) {
			/* lookup failed. if we're looking here only because
			   the request was expired in cache, fallback to
			   using cached expired record.

			   NOTE(review): this returns an expired entry in
			   place of a fresh lookup, so account changes made
			   since the entry was cached are not reflected until
			   the backend recovers; whether the cache bounds how
			   old such an entry may be is not visible here */
			struct auth_stream_reply *cached_reply;

			if (auth_request_lookup_user_cache(request,
							   module->cache_key,
							   &cached_reply,
							   &result, TRUE)) {
				request->userdb_reply = cached_reply;
				auth_request_log_info(request, "userdb",
					"Falling back to expired data from cache");
			}
		}
	}

	request->private_callback.userdb(result, request);
}
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
907 |
/* Start a userdb lookup for the request; the outcome is delivered to
   callback.

   The callback is stored in request->private_callback.userdb and the
   request is flagged as a userdb lookup. If the shared auth cache is
   enabled and the userdb has a cache key, a cache hit is answered
   immediately without calling the userdb backend. Otherwise the lookup is
   passed to the blocking lookup path or to the userdb's own lookup handler,
   both of which finish in auth_request_userdb_callback(). */
void auth_request_lookup_user(struct auth_request *request,
			      userdb_callback_t *callback)
{
	struct userdb_module *userdb = request->userdb->userdb;
	const char *cache_key = NULL;

	request->private_callback.userdb = callback;
	request->userdb_lookup = TRUE;

	/* (for now) auth_cache is shared between passdb and userdb, so the
	   userdb cache key is only usable when passdb_cache exists */
	if (passdb_cache != NULL)
		cache_key = userdb->cache_key;

	if (cache_key != NULL) {
		struct auth_stream_reply *cached_reply;
		enum userdb_result cached_result;

		/* last argument is FALSE here; the failure path of the
		   userdb callback passes TRUE and logs a fallback to expired
		   data, so FALSE presumably means "fresh entries only" --
		   confirm against auth_request_lookup_user_cache() */
		if (auth_request_lookup_user_cache(request, cache_key,
						   &cached_reply,
						   &cached_result, FALSE)) {
			request->userdb_reply = cached_reply;
			request->private_callback.userdb(cached_result,
							 request);
			return;
		}
	}

	if (userdb->iface->lookup == NULL) {
		/* we are deinitializing: report an internal failure instead
		   of calling through a NULL handler */
		auth_request_userdb_callback(USERDB_RESULT_INTERNAL_FAILURE,
					     request);
		return;
	}

	if (userdb->blocking)
		userdb_blocking_lookup(request);
	else
		userdb->iface->lookup(request, auth_request_userdb_callback);
}
940 | |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
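/* Normalize a client-supplied username before it is used for lookups.

   Steps, in order:
   1. append "@" + default_realm when a default realm is set and the name
      contains no '@'
   2. apply username_translation_map to each byte, then reject the name if
      any (translated) byte is not enabled in username_chars_map
   3. when username_format is non-empty, expand it with %u temporarily set
      to the normalized name
   4. reject a result that ended up empty

   Returns the new username allocated from request->pool, or NULL with
   *error_r set when the name is rejected. */
static char *
auth_request_fix_username(struct auth_request *request, const char *username,
			  const char **error_r)
{
	const struct auth_settings *set = request->set;
	unsigned char *p;
	char *user;

	if (*set->default_realm != '\0' &&
	    strchr(username, '@') == NULL) {
		user = p_strconcat(request->pool, username, "@",
				   set->default_realm, NULL);
	} else {
		user = p_strdup(request->pool, username);
	}

	/* p is unsigned char so bytes >= 0x80 index the 256-entry maps
	   correctly instead of becoming negative indexes */
	for (p = (unsigned char *)user; *p != '\0'; p++) {
		if (set->username_translation_map[*p & 0xff] != 0)
			*p = set->username_translation_map[*p & 0xff];
		/* the allow-list check is done on the translated byte */
		if (set->username_chars_map[*p & 0xff] == 0) {
			/* the raw username is attacker-controlled, so only a
			   sanitized, length-limited copy goes into the
			   message */
			*error_r = t_strdup_printf(
				"Username character disallowed by auth_username_chars: "
				"0x%02x (username: %s)", *p,
				str_sanitize(username, 128));
			return NULL;
		}
	}

	if (*set->username_format != '\0') {
		/* username format given, put it through variable expansion.
		   we'll have to temporarily replace request->user to get
		   %u to be the wanted username */
		const struct var_expand_table *table;
		char *old_username;
		string_t *dest;

		old_username = request->user;
		request->user = user;

		dest = t_str_new(256);
		table = auth_request_get_var_expand_table(request, NULL);
		var_expand(dest, set->username_format, table);
		user = p_strdup(request->pool, str_c(dest));

		request->user = old_username;

		/* NOTE(review): the expanded value is not run through
		   username_chars_map again; whether every variable the
		   format may reference is already constrained is not
		   visible here -- confirm */
	}

	if (*user == '\0') {
		/* auth_request_set_username() rejects an empty name only
		   before this normalization; the format expansion can still
		   produce an empty string, which would then reach the
		   passdb/userdb backends. Reject it here so every caller is
		   covered. */
		*error_r = "Empty username";
		return NULL;
	}

	return user;
}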
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
990 |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
/* Set the username for an authentication request.

   When master_user_separator is configured and this is not a userdb
   lookup, a name containing the separator is split: the part before it
   becomes the requested login username and the part after it is treated as
   the (master) username that authenticates.

   The name then goes through auth_request_fix_username() and is stored in
   request->user. request->original_username and
   request->translated_username are filled only the first time.

   Returns TRUE on success. Returns FALSE with *error_r set when the login
   username or the username is empty, when normalization rejects the name,
   or when setting the login username fails. Note that request->user is
   overwritten with NULL when normalization fails. */
bool auth_request_set_username(struct auth_request *request,
			       const char *username, const char **error_r)
{
	const struct auth_settings *set = request->set;
	const char *login_username = NULL;

	if (*set->master_user_separator != '\0' && !request->userdb_lookup) {
		/* check if the username contains a master user; only the
		   first byte of the setting is used as the separator */
		const char *sep = strchr(username, *set->master_user_separator);

		if (sep != NULL) {
			/* it does: text before the separator is the user to
			   log in as */
			login_username = t_strdup_until(username, sep);
			if (*login_username == '\0') {
				*error_r = "Empty login username";
				return FALSE;
			}

			/* what follows the separator is the master user */
			username = sep + 1;
		}
	}

	if (request->original_username == NULL) {
		/* the username may change later, but we need to use this
		   username when verifying at least DIGEST-MD5 password. */
		request->original_username = p_strdup(request->pool, username);
	}

	if (request->cert_username) {
		/* cert_username overrides the username given by
		   authentication mechanism. but still do checks and
		   translations to it.
		   NOTE(review): assumes request->user is already non-NULL
		   whenever cert_username is set -- confirm at the place that
		   sets it */
		username = request->user;
	}

	if (*username == '\0') {
		/* Some PAM plugins go nuts with empty usernames */
		*error_r = "Empty username";
		return FALSE;
	}

	request->user = auth_request_fix_username(request, username, error_r);
	if (request->user == NULL)
		return FALSE;

	if (request->translated_username == NULL) {
		/* similar to original_username, but after translations */
		request->translated_username = request->user;
	}

	if (login_username == NULL)
		return TRUE;

	/* request->user is set by now, which the login-username check
	   compares against */
	if (!auth_request_set_login_username(request, login_username, error_r))
		return FALSE;
	return TRUE;
}
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
1048 |
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
/* Record the user that a master user wants to log in as.

   username must be non-empty (asserted). If it equals request->user there
   is nothing to do. Otherwise the request is switched to the master
   passdbs, so that request->user is verified there first, and the
   normalized login name is stored in request->requested_login_user.

   Returns TRUE on success, FALSE with *error_r set when normalization
   rejects the name. On that failure request->passdb has already been
   switched and request->requested_login_user is NULL. */
bool auth_request_set_login_username(struct auth_request *request,
				     const char *username,
				     const char **error_r)
{
	char *login_user;

	i_assert(*username != '\0');

	/* The comparison uses the name as given, before normalization, so a
	   name that only matches request->user after translation still takes
	   the master user path below. */
	if (strcmp(username, request->user) != 0) {
		/* lookup request->user from masterdb first */
		request->passdb = auth_request_get_auth(request)->masterdbs;

		login_user = auth_request_fix_username(request, username,
						       error_r);
		request->requested_login_user = login_user;
		if (login_user == NULL)
			return FALSE;

		auth_request_log_debug(request, "auth",
				       "Master user lookup for login: %s",
				       login_user);
	}

	/* Either a master lookup was set up, or the usernames are the same
	   and we don't really wish to log in as someone else. */
	return TRUE;
}
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
1074 |
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
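/* Enforce the "allow_nets" passdb field: the login is allowed only when
   request->remote_ip lies inside one of the listed networks.

   networks is a list of entries separated by commas and/or spaces, each
   parsed with net_parse_range(). On return request->passdb_failure is TRUE
   unless some entry matched, so an unknown remote IP, an empty list and a
   list holding only invalid entries all deny the login. */
static void auth_request_validate_networks(struct auth_request *request,
					   const char *networks)
{
	const char *const *net;
	struct ip_addr net_ip;
	unsigned int bits;
	bool found = FALSE;

	if (request->remote_ip.family == 0) {
		/* IP not known - there is nothing to match, so fail closed */
		auth_request_log_info(request, "passdb",
			"allow_nets check failed: Remote IP not known");
		request->passdb_failure = TRUE;
		return;
	}

	for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
		auth_request_log_debug(request, "auth",
			"allow_nets: Matching for network %s", *net);

		if (net_parse_range(*net, &net_ip, &bits) < 0) {
			auth_request_log_info(request, "passdb",
				"allow_nets: Invalid network '%s'", *net);
			/* after a parse failure net_ip and bits may be
			   uninitialized or left over from an earlier entry.
			   never match against them: a malformed entry must
			   not be able to admit the client. */
			continue;
		}

		if (net_is_in_network(&request->remote_ip, &net_ip, bits)) {
			found = TRUE;
			break;
		}
	}

	if (!found) {
		auth_request_log_info(request, "passdb",
			"allow_nets check failed: IP not in allowed networks");
	}
	request->passdb_failure = !found;
}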
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
1112 |
6855
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
/* Store a password value in request->passdb_password, always in
   "{SCHEME}data" form.

   value is kept as-is when it already carries a {scheme} prefix and noscheme
   is FALSE; otherwise default_scheme is prepended. With noscheme set the
   value is always treated as data for default_scheme, even if it begins
   with '{'. A second password for the same request is rejected with an
   error log and the first one is kept. */
static void
auth_request_set_password(struct auth_request *request, const char *value,
			  const char *default_scheme, bool noscheme)
{
	bool has_scheme;

	if (request->passdb_password != NULL) {
		auth_request_log_error(request,
			request->passdb->passdb->iface.name,
			"Multiple password values not supported");
		return;
	}

	/* a leading '{' alone is not enough: plaintext passwords may start
	   with it as well. require the closing '}' too, since a missing one
	   would assert-crash later. */
	has_scheme = value[0] == '{' && !noscheme &&
		strchr(value, '}') != NULL;
	if (has_scheme) {
		request->passdb_password = p_strdup(request->pool, value);
		return;
	}

	i_assert(default_scheme != NULL);
	request->passdb_password =
		p_strdup_printf(request->pool, "{%s}%s",
				default_scheme, value);
}
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1137 |
7122
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
7106
diff
changeset
|
/* Record a field in request->extra_fields.

   "nologin", "proxy" and "proxy_maybe" also set the matching flags on the
   request and are stored without a value. Any entry already stored under
   the same name is removed first, so a field is not stored twice. */
static void auth_request_set_reply_field(struct auth_request *request,
					 const char *name, const char *value)
{
	if (strcmp(name, "nologin") == 0) {
		/* the user isn't allowed to actually log in, so this reply
		   must not be kept for master */
		request->no_login = TRUE;
		value = NULL;
	} else {
		bool maybe = strcmp(name, "proxy_maybe") == 0;

		if (maybe || strcmp(name, "proxy") == 0) {
			/* authentication is proxied for this user. the
			   password is sent back if plaintext authentication
			   is used. */
			request->proxy = TRUE;
			/* "proxy_maybe" is like "proxy", except that the
			   login is done normally when we'd be proxying to
			   ourself */
			if (maybe)
				request->proxy_maybe = TRUE;
			value = NULL;
		}
	}

	/* the reply is created lazily from the request's pool */
	if (request->extra_fields == NULL)
		request->extra_fields = auth_stream_reply_init(request->pool);
	auth_stream_reply_remove(request->extra_fields, name);
	auth_stream_reply_add(request->extra_fields, name, value);
}
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
7106
diff
changeset
|
1164 |
11913
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
/* Work out the username that results from applying one field to
   old_username.

   "user" replaces the whole name. "username" replaces it as well when value
   contains '@'; otherwise value is joined with the part of old_username
   starting at its first '@'. "domain" appends "@value" when old_username has
   no '@', else replaces everything after the first '@'.

   Returns NULL for any other field name. The result is either value itself
   or a string built with t_strconcat(). */
static const char *
get_updated_username(const char *old_username,
		     const char *name, const char *value)
{
	const char *at;

	if (strcmp(name, "user") == 0) {
		/* the whole username is replaced */
		return value;
	}

	at = strchr(old_username, '@');
	if (strcmp(name, "username") == 0) {
		/* keep the current @domain unless value brings its own.
		   at is NULL when there is no current domain; presumably
		   that just ends the t_strconcat() argument list early. */
		return strchr(value, '@') != NULL ? value :
			t_strconcat(value, at, NULL);
	}

	if (strcmp(name, "domain") != 0)
		return NULL;

	if (at == NULL) {
		/* no domain yet - append one */
		return t_strconcat(old_username, "@", value, NULL);
	}
	/* keep everything up to and including '@', then the new domain */
	return t_strconcat(t_strdup_until(old_username, at + 1), value, NULL);
}
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
1197 |
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
/* Apply a "user", "username" or "domain" field to request->user.

   Returns FALSE when name is not one of those fields (that is, when
   get_updated_username() returns NULL) and TRUE otherwise, whether or not
   the username actually changed. A changed name is copied into the
   request's pool and, if a userdb reply already exists, pushed into it
   with auth_request_userdb_reply_update_user(). */
static bool
auth_request_try_update_username(struct auth_request *request,
				 const char *name, const char *value)
{
	const char *updated =
		get_updated_username(request->user, name, value);

	if (updated == NULL)
		return FALSE;
	if (strcmp(request->user, updated) == 0) {
		/* the field was recognized, but nothing changes */
		return TRUE;
	}

	auth_request_log_debug(request, "auth",
			       "username changed %s -> %s",
			       request->user, updated);
	request->user = p_strdup(request->pool, updated);
	if (request->userdb_reply != NULL)
		auth_request_userdb_reply_update_user(request);
	return TRUE;
}
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
1218 |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
1219 void auth_request_set_field(struct auth_request *request, |
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
1220 const char *name, const char *value, |
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
1221 const char *default_scheme) |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1222 { |
4017
e2d267e6f930
Check that we don't pass around key=value pairs with empty keys.
Timo Sirainen <tss@iki.fi>
parents:
3918
diff
changeset
|
1223 i_assert(*name != '\0'); |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1224 i_assert(value != NULL); |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1225 |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1226 if (strcmp(name, "password") == 0) { |
6855
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1227 auth_request_set_password(request, value, |
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1228 default_scheme, FALSE); |
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1229 return; |
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1230 } |
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1231 if (strcmp(name, "password_noscheme") == 0) { |
5c514ebda66a
Added "password_noscheme" field which assumes the password is in the default
Timo Sirainen <tss@iki.fi>
parents:
6854
diff
changeset
|
1232 auth_request_set_password(request, value, default_scheme, TRUE); |
3397
2db396230881
auth_request_set_field() shouldn't save password to extra_fields. Fixes a
Timo Sirainen <tss@iki.fi>
parents:
3386
diff
changeset
|
1233 return; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1234 } |
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1235 |
11913
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
1236 if (auth_request_try_update_username(request, name, value)) { |
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
1237 /* don't change the original value so it gets saved correctly |
63124518977a
auth: Support "username" and "domain" extra fields also for userdb.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
1238 to cache. */ |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1239 } else if (strcmp(name, "nodelay") == 0) { |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1240 /* don't delay replying to client of the failure */ |
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
1241 request->no_failure_delay = TRUE; |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1242 } else if (strcmp(name, "nopassword") == 0) { |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
1243 /* NULL password - anything goes */ |
5619
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1244 const char *password = request->passdb_password; |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1245 |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1246 if (password != NULL) { |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1247 (void)password_get_scheme(&password); |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1248 if (*password != '\0') { |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1249 auth_request_log_error(request, |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1250 request->passdb->passdb->iface.name, |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1251 "nopassword set but password is " |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1252 "non-empty"); |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1253 return; |
121af23cfc65
Empty password doesn't anymore allow user to log in with any password,
Timo Sirainen <tss@iki.fi>
parents:
5598
diff
changeset
|
1254 } |
5412
79187982328f
If "nopassword" is set, don't crash if password is non-NULL. However give an
Timo Sirainen <tss@iki.fi>
parents:
5302
diff
changeset
|
1255 } |
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
1256 request->no_password = TRUE; |
5412
79187982328f
If "nopassword" is set, don't crash if password is non-NULL. However give an
Timo Sirainen <tss@iki.fi>
parents:
5302
diff
changeset
|
1257 request->passdb_password = NULL; |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1258 } else if (strcmp(name, "allow_nets") == 0) { |
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
1259 auth_request_validate_networks(request, value); |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
1260 } else if (strncmp(name, "userdb_", 7) == 0) { |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
1261 /* for prefetch userdb */ |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
1262 if (request->userdb_reply == NULL) |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
1263 auth_request_init_userdb_reply(request); |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
1264 auth_request_set_userdb_field(request, name + 7, value); |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1265 } else { |
7122
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
7106
diff
changeset
|
1266 /* these fields are returned to client */ |
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
7106
diff
changeset
|
1267 auth_request_set_reply_field(request, name, value); |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1268 return; |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1269 } |
3520 | 1270 |
8599
812a977d7c1a
auth worker processes shouldn't duplicate the auth cache.
Timo Sirainen <tss@iki.fi>
parents:
8597
diff
changeset
|
1271 if ((passdb_cache != NULL && |
812a977d7c1a
auth worker processes shouldn't duplicate the auth cache.
Timo Sirainen <tss@iki.fi>
parents:
8597
diff
changeset
|
1272 request->passdb->passdb->cache_key != NULL) || worker) { |
812a977d7c1a
auth worker processes shouldn't duplicate the auth cache.
Timo Sirainen <tss@iki.fi>
parents:
8597
diff
changeset
|
1273 /* we'll need to get this field stored into cache, |
812a977d7c1a
auth worker processes shouldn't duplicate the auth cache.
Timo Sirainen <tss@iki.fi>
parents:
8597
diff
changeset
|
1274 or we're a worker and we'll need to send this to the main |
812a977d7c1a
auth worker processes shouldn't duplicate the auth cache.
Timo Sirainen <tss@iki.fi>
parents:
8597
diff
changeset
|
1275 auth process that can store it in the cache. */ |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1276 if (request->extra_cache_fields == NULL) { |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1277 request->extra_cache_fields = |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7318
diff
changeset
|
1278 auth_stream_reply_init(request->pool); |
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1279 } |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1280 auth_stream_reply_add(request->extra_cache_fields, name, value); |
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
1281 } |
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1282 } |
/* Apply a NULL-terminated list of "key=value" strings to the request.

   Every non-empty entry is split at its first '=' and handed to
   auth_request_set_field() together with default_scheme. An entry without
   '=' is passed as a key with an empty value, so the value may itself
   contain further '=' characters. Empty entries are skipped. */
void auth_request_set_fields(struct auth_request *request,
			     const char *const *fields,
			     const char *default_scheme)
{
	const char *const *fieldp;

	for (fieldp = fields; *fieldp != NULL; fieldp++) {
		const char *field = *fieldp;
		const char *sep, *key, *value;

		if (*field == '\0')
			continue;

		sep = strchr(field, '=');
		if (sep != NULL) {
			/* copy of the text before '=' */
			key = t_strdup_until(field, sep);
			value = sep + 1;
		} else {
			key = field;
			value = "";
		}
		auth_request_set_field(request, key, value, default_scheme);
	}
}
/* Start a fresh userdb reply for the request.

   A new reply is allocated from the request's pool and stored in
   request->userdb_reply, replacing whatever pointer was there. Its first
   entry is the request's user name (added with a NULL key), after which
   the userdb module's default_fields template is exported into the
   request. */
void auth_request_init_userdb_reply(struct auth_request *request)
{
	struct userdb_module *userdb = request->userdb->userdb;

	request->userdb_reply = auth_stream_reply_init(request->pool);
	auth_stream_reply_add(request->userdb_reply, NULL, request->user);

	userdb_template_export(userdb->default_fields_tmpl, request);
}
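/* Take the user's uid and gid from the owner of a file.

   path_template is expanded with the request's variable table and the
   resulting path is stat()ed. On success the file's st_uid and st_gid are
   added to the userdb reply as "uid" and "gid". If stat() fails, the error
   is logged and the userdb lookup is marked as failed, so that the request
   doesn't silently continue without the uid/gid this field was meant to
   provide. */
static void auth_request_set_uidgid_file(struct auth_request *request,
					 const char *path_template)
{
	string_t *path;
	struct stat st;

	path = t_str_new(256);
	/* NOTE(review): the expand table is requested with a NULL second
	   argument (presumably the escape function), so variable values
	   appear to be inserted into the path verbatim. Confirm that values
	   such as the user name can't contain path separators; otherwise
	   the file whose owner is trusted here may be outside the directory
	   the template intends. stat() also follows symlinks. */
	var_expand(path, path_template,
		   auth_request_get_var_expand_table(request, NULL));
	if (stat(str_c(path), &st) < 0) {
		auth_request_log_error(request, "uidgid_file",
				       "stat(%s) failed: %m", str_c(path));
		/* fail closed, the same way an unparseable uid/gid is handled
		   in auth_request_set_userdb_field() */
		request->userdb_lookup_failed = TRUE;
		return;
	}

	auth_stream_reply_add(request->userdb_reply,
			      "uid", dec2str(st.st_uid));
	auth_stream_reply_add(request->userdb_reply,
			      "gid", dec2str(st.st_gid));
}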
/* Set one field in the request's userdb reply.

   Names with special handling:
   - "uid", "gid": the value is parsed with userdb_parse_uid() /
     userdb_parse_gid() and stored in its decimal form. If parsing
     returns -1, the userdb lookup is marked as failed and nothing is
     stored.
   - "tempfail": marks the userdb lookup as failed, nothing is stored.
   - anything auth_request_try_update_username() accepts: nothing is
     stored here.
   - "uidgid_file": the value is a path template, see
     auth_request_set_uidgid_file().
   - "userdb_import": the value is handed to auth_stream_reply_import().
   - "system_user": old name of "system_groups_user"; a warning is logged
     the first time it is seen and the field is stored under the new name.

   For every name that reaches the end, an existing field with the same
   name is removed before the new value is added, so the reply doesn't
   get duplicates. */
void auth_request_set_userdb_field(struct auth_request *request,
				   const char *name, const char *value)
{
	static bool system_user_warned = FALSE;
	bool is_uid = strcmp(name, "uid") == 0;
	bool is_gid = !is_uid && strcmp(name, "gid") == 0;

	if (is_uid) {
		uid_t parsed_uid = userdb_parse_uid(request, value);

		if (parsed_uid == (uid_t)-1) {
			request->userdb_lookup_failed = TRUE;
			return;
		}
		value = dec2str(parsed_uid);
	} else if (is_gid) {
		gid_t parsed_gid = userdb_parse_gid(request, value);

		if (parsed_gid == (gid_t)-1) {
			request->userdb_lookup_failed = TRUE;
			return;
		}
		value = dec2str(parsed_gid);
	} else {
		if (strcmp(name, "tempfail") == 0) {
			request->userdb_lookup_failed = TRUE;
			return;
		}
		if (auth_request_try_update_username(request, name, value))
			return;
		if (strcmp(name, "uidgid_file") == 0) {
			auth_request_set_uidgid_file(request, value);
			return;
		}
		if (strcmp(name, "userdb_import") == 0) {
			/* NOTE(review): the imported value doesn't go through
			   the uid/gid parsing above, so it has to come from
			   a trusted userdb - confirm against the callers. */
			auth_stream_reply_import(request->userdb_reply, value);
			return;
		}
		if (strcmp(name, "system_user") == 0) {
			/* FIXME: the system_user is for backwards
			   compatibility */
			if (!system_user_warned) {
				i_warning("userdb: Replace system_user with system_groups_user");
				system_user_warned = TRUE;
			}
			name = "system_groups_user";
		}
	}

	auth_stream_reply_remove(request->userdb_reply, name);
	auth_stream_reply_add(request->userdb_reply, name, value);
}
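/* Set a userdb field from a NULL-terminated list of values.

   An empty list does nothing. For "gid" every value is parsed with
   userdb_parse_gid() and the results are stored as one comma-separated
   list; if any value fails to parse, the userdb lookup is marked as
   failed and the reply is left untouched. For all other names only the
   first value is used (a warning is logged when more were given) and it
   is passed to auth_request_set_userdb_field(). */
void auth_request_set_userdb_field_values(struct auth_request *request,
					  const char *name,
					  const char *const *values)
{
	if (*values == NULL)
		return;

	if (strcmp(name, "gid") == 0) {
		/* convert gids to comma separated list */
		string_t *value;
		gid_t gid;

		value = t_str_new(128);
		for (; *values != NULL; values++) {
			gid = userdb_parse_gid(request, *values);
			if (gid == (gid_t)-1) {
				request->userdb_lookup_failed = TRUE;
				return;
			}

			if (str_len(value) > 0)
				str_append_c(value, ',');
			str_append(value, dec2str(gid));
		}
		/* drop an earlier "gid" first, the same way
		   auth_request_set_userdb_field() does, so the reply can't
		   end up with two conflicting gid fields */
		auth_stream_reply_remove(request->userdb_reply, name);
		auth_stream_reply_add(request->userdb_reply, name,
				      str_c(value));
	} else {
		/* add only one */
		if (values[1] != NULL) {
			auth_request_log_warning(request, "userdb",
				"Multiple values found for '%s', "
				"using value '%s'", name, *values);
		}
		auth_request_set_userdb_field(request, name, *values);
	}
}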
/* Decide whether the proxy destination in the request's extra fields is
   this same service.

   Returns FALSE unless request->proxy_host_is_self is set. Otherwise the
   extra fields are scanned for "port=" and "destuser=" (the last
   occurrence of each wins). The result is TRUE only if the port, when
   given, equals request->local_port and the destination user, when
   given, equals request->original_username. */
static bool auth_request_proxy_is_self(struct auth_request *request)
{
	const char *const *fields;
	const char *proxy_port = NULL;
	const char *proxy_destuser = NULL;
	unsigned int i;

	if (!request->proxy_host_is_self)
		return FALSE;

	fields = auth_stream_split(request->extra_fields);
	for (i = 0; fields[i] != NULL; i++) {
		const char *field = fields[i];

		if (strncmp(field, "port=", 5) == 0)
			proxy_port = field + 5;
		else if (strncmp(field, "destuser=", 9) == 0)
			proxy_destuser = field + 9;
	}

	if (proxy_port != NULL &&
	    !str_uint_equals(proxy_port, request->local_port))
		return FALSE;
	if (proxy_destuser == NULL)
		return TRUE;
	return strcmp(proxy_destuser, request->original_username) == 0;
}
/* Return TRUE if ip should be treated as this server itself when deciding
   whether a proxy_maybe login is proxied or handled locally. An address is
   "self" when it equals request->local_ip or any entry of
   request->set->proxy_self_ips (the auth_proxy_self setting). */
static bool
auth_request_proxy_ip_is_self(struct auth_request *request,
			      const struct ip_addr *ip)
{
	unsigned int idx = 0;

	if (net_ip_compare(ip, &request->local_ip))
		return TRUE;

	/* proxy_self_ips is walked until an entry with family == 0, which
	   this loop treats as the end-of-list marker */
	while (request->set->proxy_self_ips[idx].family != 0) {
		if (net_ip_compare(ip, &request->set->proxy_self_ips[idx]))
			return TRUE;
		idx++;
	}
	return FALSE;
}
/* Make the final proxy decision for a request. Without proxy_maybe the
   request is always proxied. With proxy_maybe the result of
   auth_request_proxy_is_self() decides: a non-self destination turns
   "proxy_maybe" into "proxy", a self destination drops every proxy field so
   that the login continues without proxying. */
static void auth_request_proxy_finish_ip(struct auth_request *request)
{
	if (!request->proxy_maybe) {
		/* unconditional proxying */
		request->no_login = TRUE;
		return;
	}

	if (auth_request_proxy_is_self(request)) {
		/* proxying to ourself - log in without proxying by dropping
		   all the proxying fields. */
		auth_request_proxy_finish_failure(request);
		return;
	}

	/* proxy destination isn't ourself - proxy */
	auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
	auth_stream_reply_add(request->extra_fields, "proxy", NULL);
	request->no_login = TRUE;
}
/* State handed from auth_request_proxy_host_lookup() to
   auth_request_proxy_dns_callback() for one DNS lookup. It is allocated
   with i_new() in the former and released with i_free() in the latter. */
struct auth_request_proxy_dns_lookup_ctx {
	/* request whose "host" extra field is being resolved */
	struct auth_request *request;
	/* completion callback; the DNS callback skips it when NULL */
	auth_request_proxy_cb_t *callback;
};
/* Completion handler passed to dns_lookup() by
   auth_request_proxy_host_lookup(). context is the
   auth_request_proxy_dns_lookup_ctx allocated there and is freed here.

   On success the "host" extra field is replaced with the first returned
   address, request->proxy_host_is_self is set when any returned address
   matches auth_request_proxy_ip_is_self(), and
   auth_request_proxy_finish_ip() makes the proxy decision. The
   local-vs-proxy decision therefore depends on the resolver's answer.
   On failure the error is logged, request->internal_failure is set and
   auth_request_proxy_finish_failure() is called. */
static void
auth_request_proxy_dns_callback(const struct dns_lookup_result *result,
				void *context)
{
	struct auth_request_proxy_dns_lookup_ctx *lookup = context;
	struct auth_request *request = lookup->request;
	const char *hostname;
	unsigned int n;

	hostname = auth_stream_reply_find(request->extra_fields, "host");
	i_assert(hostname != NULL);

	if (result->ret == 0) {
		if (result->msecs > AUTH_DNS_WARN_MSECS) {
			auth_request_log_warning(request, "proxy",
				"DNS lookup for %s took %u.%03u s",
				hostname, result->msecs/1000,
				result->msecs % 1000);
		}
		/* NOTE(review): ips[0] is read without checking ips_count;
		   presumably ret == 0 implies at least one address -
		   confirm against dns_lookup(). */
		auth_stream_reply_remove(request->extra_fields, "host");
		auth_stream_reply_add(request->extra_fields, "host",
				      net_ip2addr(&result->ips[0]));
		/* every returned address is checked, not only the one that
		   was written back into "host" */
		for (n = 0; n < result->ips_count; n++) {
			if (!auth_request_proxy_ip_is_self(request,
							   &result->ips[n]))
				continue;
			request->proxy_host_is_self = TRUE;
			break;
		}
		auth_request_proxy_finish_ip(request);
	} else {
		auth_request_log_error(request, "proxy",
			"DNS lookup for %s failed: %s", hostname, result->error);
		request->internal_failure = TRUE;
		auth_request_proxy_finish_failure(request);
	}

	if (lookup->callback != NULL)
		lookup->callback(result->ret == 0, request);
	i_free(lookup);
}
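/* Resolve the "host" extra field of a proxied request.

   Returns 1 when there is nothing to wait for: either no "host" field
   exists, or it already is an IP address (request->proxy_host_is_self is
   then set if that address matches auth_request_proxy_ip_is_self()).
   Returns 0 when a DNS lookup was started; auth_request_proxy_dns_callback()
   then finishes the request and invokes callback if it is non-NULL.
   Returns -1 when dns_lookup() fails; request->internal_failure is set and
   auth_request_proxy_finish_failure() has been called. */
static int auth_request_proxy_host_lookup(struct auth_request *request,
					  auth_request_proxy_cb_t *callback)
{
	struct auth_request_proxy_dns_lookup_ctx *ctx;
	struct dns_lookup_settings dns_set;
	const char *host, *value;
	struct ip_addr ip;
	unsigned int secs;

	host = auth_stream_reply_find(request->extra_fields, "host");
	if (host == NULL)
		return 1;
	if (net_addr2ip(host, &ip) == 0) {
		if (auth_request_proxy_ip_is_self(request, &ip))
			request->proxy_host_is_self = TRUE;
		return 1;
	}

	/* need to do dns lookup for the host */
	memset(&dns_set, 0, sizeof(dns_set));
	dns_set.dns_client_socket_path = AUTH_DNS_SOCKET_PATH;
	dns_set.timeout_msecs = AUTH_DNS_DEFAULT_TIMEOUT_MSECS;
	value = auth_stream_reply_find(request->extra_fields, "proxy_timeout");
	if (value != NULL) {
		/* secs*1000 is computed in unsigned int and would wrap
		   silently for very large values, giving an arbitrary
		   (possibly tiny) timeout. Such values are rejected like
		   unparsable ones and the default timeout is kept. */
		if (str_to_uint(value, &secs) < 0 ||
		    secs > (unsigned int)-1 / 1000) {
			auth_request_log_error(request, "proxy",
				"Invalid proxy_timeout value: %s", value);
		} else {
			dns_set.timeout_msecs = secs*1000;
		}
	}

	ctx = i_new(struct auth_request_proxy_dns_lookup_ctx, 1);
	ctx->request = request;

	if (dns_lookup(host, &dns_set, auth_request_proxy_dns_callback, ctx) < 0) {
		/* failed early */
		/* NOTE(review): ctx is not freed on this path; presumably
		   dns_lookup() has already run the callback, which frees
		   it - confirm against dns_lookup(). */
		request->internal_failure = TRUE;
		auth_request_proxy_finish_failure(request);
		return -1;
	}
	/* callback is stored only after dns_lookup() succeeded, so a DNS
	   callback that ran before this point sees ctx->callback == NULL
	   and does not invoke the caller's callback */
	ctx->callback = callback;
	return 0;
}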
/* Finish proxy handling for a request.

   Returns 1 when the request is not a proxy request or the proxy decision
   was made immediately, 0 when a DNS lookup for the proxy host is pending
   (the decision is then completed by the DNS callback, which calls callback
   if non-NULL), and -1 when the lookup failed. */
int auth_request_proxy_finish(struct auth_request *request,
			      auth_request_proxy_cb_t *callback)
{
	int lookup_ret;

	if (!request->proxy)
		return 1;

	lookup_ret = auth_request_proxy_host_lookup(request, callback);
	if (lookup_ret > 0) {
		/* destination address is already known */
		auth_request_proxy_finish_ip(request);
		return 1;
	}
	return lookup_ret;
}
/* Remove every proxy-related field from request->extra_fields. Does nothing
   unless request->proxy is set. Also used when proxy_maybe resolves to this
   server itself, so that the login proceeds without proxying. */
void auth_request_proxy_finish_failure(struct auth_request *request)
{
	/* removed in this order */
	static const char *const proxy_fields[] = {
		"proxy", "proxy_maybe", "host", "port", "destuser"
	};
	unsigned int i;

	if (!request->proxy)
		return;

	/* drop all proxying fields */
	for (i = 0; i < sizeof(proxy_fields) / sizeof(proxy_fields[0]); i++)
		auth_stream_reply_remove(request->extra_fields, proxy_fields[i]);
}
/* Write a debug log line describing a failed password comparison, and
   append a hint when password_scheme_detect() finds a scheme under which
   the given password would have matched.

   The line contains the plaintext password and the stored credential
   verbatim. NOTE(review): presumably callers only reach this when password
   debugging (auth_debug_passwords) is enabled - verify at the call sites,
   and keep the resulting debug log access-restricted. */
static void log_password_failure(struct auth_request *request,
				 const char *plain_password,
				 const char *crypted_password,
				 const char *scheme, const char *user,
				 const char *subsystem)
{
	/* NOTE(review): never assigned in this function, so the detection
	   below runs on every call */
	static bool scheme_ok = FALSE;
	string_t *msg = t_str_new(256);
	const char *suggested = NULL;

	str_printfa(msg, "%s(%s) != '%s'", scheme,
		    plain_password, crypted_password);

	/* perhaps the scheme is wrong - see if we can find a working one */
	if (!scheme_ok) {
		suggested = password_scheme_detect(plain_password,
						   crypted_password, user);
	}
	if (suggested != NULL)
		str_printfa(msg, ", try %s scheme instead", suggested);

	auth_request_log_debug(request, subsystem, "%s", str_c(msg));
}
1617 void auth_request_log_password_mismatch(struct auth_request *request, |
1618 const char *subsystem) |
1619 { |
1620 string_t *str; |
1621 const char *log_type = request->set->verbose_passwords; |
1622 |
1623 if (strcmp(log_type, "no") == 0) { |
1624 auth_request_log_info(request, subsystem, "Password mismatch"); |
1625 return; |
1626 } |
1627 |
1628 str = t_str_new(128); |
1629 get_log_prefix(str, request, subsystem); |
1630 str_append(str, "Password mismatch "); |
1631 |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1632 if (strcmp(log_type, "plain") == 0) { |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1633 str_printfa(str, "(given password: %s)", |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1634 request->mech_password); |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1635 } else if (strcmp(log_type, "sha1") == 0) { |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1636 unsigned char sha1[SHA1_RESULTLEN]; |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1637 |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1638 sha1_get_digest(request->mech_password, |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1639 strlen(request->mech_password), sha1); |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1640 str_printfa(str, "(SHA1 of given password: %s)", |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1641 binary_to_hex(sha1, sizeof(sha1))); |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1642 } else { |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1643 i_unreached(); |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1644 } |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1645 |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1646 i_info("%s", str_c(str)); |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1647 } |
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
1648 |
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
/* Verify plain_password against the passdb's stored crypted_password, which
   is encoded with the given scheme.

   Return values, as visible in this function:
     1  - password accepted. This is also returned WITHOUT any comparison
          when request->skip_password_check or request->no_password is set.
     0  - the passdb is a deny database, or password_verify() returned 0
          (logged as a password mismatch).
    -1  - the stored data could not be decoded for the scheme, or the scheme
          is unknown.
   Any other negative value is password_verify()'s own result and is logged
   as an invalid password in the passdb.

   Logging: with request->set->debug_passwords enabled, the stored password
   data is included in the error message, and both the plain and the stored
   password are handed to log_password_failure(). The mismatch path may also
   log the given password or its SHA1, depending on verbose_passwords. Logs
   written with either setting enabled hold credential material and need to
   be access-restricted accordingly. */
int auth_request_password_verify(struct auth_request *request,
				 const char *plain_password,
				 const char *crypted_password,
				 const char *scheme, const char *subsystem)
{
	const unsigned char *decoded;
	size_t decoded_len;
	const char *error;
	int ret;

	if (request->skip_password_check) {
		/* currently this can happen only with master logins; the
		   assert keeps any other path from getting an accepted
		   password without a check */
		i_assert(request->master_user != NULL);
		return 1;
	}

	if (request->passdb->set->deny) {
		/* deny database: the password is irrelevant, never accept */
		return 0;
	}

	if (request->no_password) {
		/* any password is accepted for this request; only a debug
		   level message records it */
		auth_request_log_debug(request, subsystem,
				       "Allowing any password");
		return 1;
	}

	/* turn the stored (possibly hex/base64 encoded) data into raw bytes */
	ret = password_decode(crypted_password, scheme,
			      &decoded, &decoded_len, &error);
	if (ret < 0) {
		auth_request_log_error(request, subsystem,
			"Password data is not valid for scheme %s: %s",
			scheme, error);
		return -1;
	}
	if (ret == 0) {
		auth_request_log_error(request, subsystem,
			"Unknown scheme %s", scheme);
		return -1;
	}

	/* original_username is passed because some password schemes
	   (eg. digest-md5) depend on it. For other schemes the username is
	   used only for logging purposes. */
	ret = password_verify(plain_password, request->original_username,
			      scheme, decoded, decoded_len, &error);
	if (ret > 0)
		return ret;

	if (ret == 0) {
		auth_request_log_password_mismatch(request, subsystem);
	} else {
		/* the stored password is shown only with debug_passwords */
		const char *password_str = "";

		if (request->set->debug_passwords) {
			password_str = t_strdup_printf(" '%s'",
						       crypted_password);
		}
		auth_request_log_error(request, subsystem,
				       "Invalid password%s in passdb: %s",
				       password_str, error);
	}
	if (request->set->debug_passwords) T_BEGIN {
		log_password_failure(request, plain_password,
				     crypted_password, scheme,
				     request->original_username,
				     subsystem);
	} T_END;
	return ret;
}
/* Identity escape function: hands the input string back unchanged.
   auth_request_get_var_expand_table() falls back to this when its caller
   passes escape_func == NULL, so in that case the user-supplied values in
   the table (user name, password, login user) are not escaped at all. */
static const char *escape_none(const char *string,
			       const struct auth_request *request ATTR_UNUSED)
{
	return string;
}
/* Escape function with the auth_request escape callback signature that
   simply forwards to str_escape(); the request argument is unused.
   NOTE(review): str_escape() is defined elsewhere. It is presumably a
   generic string escaper rather than one tied to a query language, so
   confirm it fits the context the expanded value ends up in. */
const char *auth_request_str_escape(const char *string,
				    const struct auth_request *request ATTR_UNUSED)
{
	const char *escaped = str_escape(string);

	return escaped;
}
/* Build the variable expansion table for an auth request.

   The returned table is a t_malloc()ed copy of static_tab with the value
   fields filled in from auth_request. Entries whose source is missing keep
   the NULL value from the template.

   escape_func is applied to the client-supplied strings: user, username,
   domain, password and the three login_* values. A NULL escape_func means
   "no escaping" (escape_none), so callers that expand these variables into
   a query or command should pass an escape function suited to that target.
   Service, mechanism name, IPs, ports, pid and the status flags are stored
   as they are, without going through escape_func. */
const struct var_expand_table *
auth_request_get_var_expand_table(const struct auth_request *auth_request,
				  auth_request_escape_func_t *escape_func)
{
	/* The tab[N] assignments below are positional: the index must match
	   the entry's position in this template. */
	static struct var_expand_table static_tab[] = {
		{ 'u', NULL, "user" },
		{ 'n', NULL, "username" },
		{ 'd', NULL, "domain" },
		{ 's', NULL, "service" },
		{ 'h', NULL, "home" },
		{ 'l', NULL, "lip" },
		{ 'r', NULL, "rip" },
		{ 'p', NULL, "pid" },
		{ 'w', NULL, "password" },
		{ '!', NULL, NULL },
		{ 'm', NULL, "mech" },
		{ 'c', NULL, "secured" },
		{ 'a', NULL, "lport" },
		{ 'b', NULL, "rport" },
		{ 'k', NULL, "cert" },
		{ '\0', NULL, "login_user" },
		{ '\0', NULL, "login_username" },
		{ '\0', NULL, "login_domain" },
		{ '\0', NULL, NULL }
	};
	struct var_expand_table *tab;
	const char *login_user = auth_request->requested_login_user;
	const char *at;

	if (escape_func == NULL)
		escape_func = escape_none;

	tab = t_malloc(sizeof(static_tab));
	memcpy(tab, static_tab, sizeof(static_tab));

	/* NOTE(review): auth_request->user is dereferenced here without a
	   NULL check, while get_log_prefix() in this file handles a NULL
	   user - confirm that callers only get here with the user set. */
	tab[0].value = escape_func(auth_request->user, auth_request);
	tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
				   auth_request);
	/* domain = the part after the first '@'; stays NULL without one */
	at = strchr(auth_request->user, '@');
	tab[2].value = at == NULL ? NULL :
		escape_func(at + 1, auth_request);
	tab[3].value = auth_request->service;
	/* tab[4] = we have no home dir */
	if (auth_request->local_ip.family != 0)
		tab[5].value = net_ip2addr(&auth_request->local_ip);
	if (auth_request->remote_ip.family != 0)
		tab[6].value = net_ip2addr(&auth_request->remote_ip);
	tab[7].value = dec2str(auth_request->client_pid);
	/* %w exposes the password the client gave, so templates using it
	   carry the credential wherever the expanded string goes */
	if (auth_request->mech_password != NULL) {
		tab[8].value = escape_func(auth_request->mech_password,
					   auth_request);
	}
	/* '!' = id of the userdb or passdb in use, "" when there is none */
	if (auth_request->userdb_lookup) {
		if (auth_request->userdb == NULL)
			tab[9].value = "";
		else
			tab[9].value = dec2str(auth_request->userdb->userdb->id);
	} else {
		if (auth_request->passdb == NULL)
			tab[9].value = "";
		else
			tab[9].value = dec2str(auth_request->passdb->passdb->id);
	}
	if (auth_request->mech_name == NULL)
		tab[10].value = "";
	else
		tab[10].value = auth_request->mech_name;
	tab[11].value = auth_request->secured ? "secured" : "";
	tab[12].value = dec2str(auth_request->local_port);
	tab[13].value = dec2str(auth_request->remote_port);
	tab[14].value = auth_request->valid_client_cert ? "valid" : "";

	/* the login_* variables are filled in only when a login user was
	   requested */
	if (login_user == NULL)
		return tab;

	tab[15].value = escape_func(login_user, auth_request);
	tab[16].value = escape_func(t_strcut(login_user, '@'),
				    auth_request);
	at = strchr(login_user, '@');
	tab[17].value = at == NULL ? NULL :
		escape_func(at + 1, auth_request);
	return tab;
}
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1805 |
10585
941511db13c3
Added auth_verbose_passwords = no|plain|sha1.
Timo Sirainen <tss@iki.fi>
parents:
10582
diff
changeset
|
/* Upper bound on how much of the user name is copied into a log line. */
#define MAX_LOG_USERNAME_LEN 64

/*
 * Append the common auth log prefix to str, in the form
 *   subsystem(user[,remote-ip][,master]): 
 *
 * - user is written through str_sanitize_append() and limited to
 *   MAX_LOG_USERNAME_LEN; a NULL user is logged as "?".
 *   NOTE(review): user is presumably the client-supplied login name, so
 *   this bounded, sanitized append is what keeps it from forging or
 *   flooding log lines. Keep it on any future change.
 * - the remote IP is added only when net_ip2addr() returns non-NULL.
 * - ",master" is added whenever requested_login_user is set. Only the
 *   marker is logged here, not the requested login user itself.
 * - subsystem is appended as-is, so callers must pass a trusted constant.
 */
static void get_log_prefix(string_t *str, struct auth_request *auth_request,
			   const char *subsystem)
{
	const char *remote_addr;

	str_append(str, subsystem);
	str_append_c(str, '(');

	if (auth_request->user != NULL) {
		str_sanitize_append(str, auth_request->user,
				    MAX_LOG_USERNAME_LEN);
	} else {
		str_append(str, "?");
	}

	remote_addr = net_ip2addr(&auth_request->remote_ip);
	if (remote_addr != NULL) {
		str_append_c(str, ',');
		str_append(str, remote_addr);
	}
	if (auth_request->requested_login_user != NULL)
		str_append(str, ",master");
	str_append(str, "): ");
}
/*
 * Build one complete log line: the get_log_prefix() prefix followed by the
 * printf-style message described by format/va.
 *
 * Only the prefix is sanitized. Whatever the format expands to is appended
 * verbatim by str_vprintfa(), so callers that interpolate request data
 * (e.g. via %s) are responsible for sanitizing it first. format itself must
 * be a trusted format string; ATTR_FORMAT(3, 0) marks it for the compiler's
 * format checking.
 *
 * NOTE(review): the string comes from t_str_new(), and every caller in this
 * file wraps the call in T_BEGIN/T_END, so the returned pointer presumably
 * lives on the data stack and must not be kept past the caller's frame.
 * Confirm this.
 */
static const char * ATTR_FORMAT(3, 0)
get_log_str(struct auth_request *auth_request, const char *subsystem,
	    const char *format, va_list va)
{
	string_t *line = t_str_new(128);

	get_log_prefix(line, auth_request, subsystem);
	str_vprintfa(line, format, va);
	return str_c(line);
}
/*
 * Log a debug-level message for this auth request, prefixed with
 * "subsystem(user,ip[,master]): ".
 *
 * Nothing is formatted or logged unless auth_request->set->debug is set.
 * The assembled line is passed to i_debug() as a "%s" argument, never as
 * the format string itself, so '%' sequences that end up in the message
 * are not interpreted a second time.
 */
void auth_request_log_debug(struct auth_request *auth_request,
			    const char *subsystem,
			    const char *format, ...)
{
	va_list args;

	if (auth_request->set->debug) {
		va_start(args, format);
		T_BEGIN {
			const char *line =
				get_log_str(auth_request, subsystem, format, args);

			i_debug("%s", line);
		} T_END;
		va_end(args);
	}
}
1859 | |
/*
 * Log an info-level message for this auth request, prefixed with
 * "subsystem(user,ip[,master]): ".
 *
 * Nothing is formatted or logged unless auth_request->set->verbose is set.
 * The assembled line is passed to i_info() as a "%s" argument rather than
 * as a format string.
 */
void auth_request_log_info(struct auth_request *auth_request,
			   const char *subsystem,
			   const char *format, ...)
{
	va_list args;

	if (auth_request->set->verbose) {
		va_start(args, format);
		T_BEGIN {
			const char *line =
				get_log_str(auth_request, subsystem, format, args);

			i_info("%s", line);
		} T_END;
		va_end(args);
	}
}
1875 | |
/*
 * Log a warning for this auth request, prefixed with
 * "subsystem(user,ip[,master]): ".
 *
 * Unlike the debug/info variants this is not gated on any setting: every
 * call produces a log line. The assembled line is passed to i_warning() as
 * a "%s" argument rather than as a format string.
 */
void auth_request_log_warning(struct auth_request *auth_request,
			      const char *subsystem,
			      const char *format, ...)
{
	va_list args;

	va_start(args, format);
	T_BEGIN {
		const char *line =
			get_log_str(auth_request, subsystem, format, args);

		i_warning("%s", line);
	} T_END;
	va_end(args);
}
/*
 * Log an error for this auth request, prefixed with
 * "subsystem(user,ip[,master]): ".
 *
 * Not gated on any setting: every call produces a log line. The assembled
 * line is passed to i_error() as a "%s" argument rather than as a format
 * string.
 */
void auth_request_log_error(struct auth_request *auth_request,
			    const char *subsystem,
			    const char *format, ...)
{
	va_list args;

	va_start(args, format);
	T_BEGIN {
		const char *line =
			get_log_str(auth_request, subsystem, format, args);

		i_error("%s", line);
	} T_END;
	va_end(args);
}
/*
 * Mark the request as just used: store the current ioloop_time in
 * last_access and, when an abort timeout (to_abort) exists, reset it via
 * timeout_reset().
 */
void auth_request_refresh_last_access(struct auth_request *request)
{
	request->last_access = ioloop_time;
	if (request->to_abort == NULL)
		return;
	timeout_reset(request->to_abort);
}