dovecot/core-2.2: src/auth/auth-request.c annotate

annotate src/auth/auth-request.c @ 14159:98d696965c91

auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe.

author	Timo Sirainen <tss@iki.fi>
date	Sat, 25 Feb 2012 05:42:05 +0200
parents	8e2f395cf86c
children	716769cfbb1d

rev	line source
14133 ba770cba5598 Updated copyright notices to include year 2012. Timo Sirainen <tss@iki.fi> parents: 13956 diff changeset	1 /* Copyright (c) 2002-2012 Dovecot authors, see the included COPYING file */
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	2
9219 97cdfeb57129 Renamed headers to prevent collision if they were flattened on an install. Mark Washenberger parents: 9015 diff changeset	3 #include "auth-common.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	4 #include "ioloop.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "buffer.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "hash.h"
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	7 #include "sha1.h"
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	8 #include "hex-binary.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	9 #include "str.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "safe-memset.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	11 #include "str-sanitize.h"
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	12 #include "strescape.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	13 #include "var-expand.h"
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	14 #include "dns-lookup.h"
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	15 #include "auth-cache.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #include "auth-request.h"
11441 3ef582c3fb72 auth: Aborting pending async requests on deinit caused crashes. Timo Sirainen <tss@iki.fi> parents: 11255 diff changeset	17 #include "auth-request-handler.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	18 #include "auth-client-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	19 #include "auth-master-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	20 #include "passdb.h"
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	21 #include "passdb-blocking.h"
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	22 #include "passdb-cache.h"
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	23 #include "passdb-template.h"
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	24 #include "userdb-blocking.h"
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	25 #include "userdb-template.h"
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	26 #include "password-scheme.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	27
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	28 #include <stdlib.h>
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	29 #include <sys/stat.h>
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	30
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	31 #define AUTH_DNS_SOCKET_PATH "dns-client"
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	32 #define AUTH_DNS_DEFAULT_TIMEOUT_MSECS (1000*10)
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	33 #define AUTH_DNS_WARN_MSECS 500
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	34 #define CACHED_PASSWORD_SCHEME "SHA1"
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	35
11255 90410a8f3786 auth: Minor code fix/cleanup. Timo Sirainen <tss@iki.fi> parents: 11251 diff changeset	36 unsigned int auth_request_state_count[AUTH_REQUEST_STATE_MAX];
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	37
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	38 static void get_log_prefix(string_t str, struct auth_request auth_request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	39 const char *subsystem);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	40
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	41 struct auth_request *
11497 94f78f415811 auth: Removed unnecessary auth_request callback and context uses. Timo Sirainen <tss@iki.fi> parents: 11490 diff changeset	42 auth_request_new(const struct mech_module *mech)
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	43 {
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	44 struct auth_request *request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	45
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	46 request = mech->auth_new();
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	47
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	48 request->state = AUTH_REQUEST_STATE_NEW;
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	49 auth_request_state_count[AUTH_REQUEST_STATE_NEW]++;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	50
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	51 request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	52 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	53
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	54 request->set = global_auth_settings;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	55 request->mech = mech;
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	56 request->mech_name = mech == NULL ? NULL : mech->mech_name;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	57 return request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	58 }
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	59
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	60 struct auth_request *auth_request_new_dummy(void)
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	61 {
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	62 struct auth_request *request;
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	63 pool_t pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	64
3695 4f8598b0ca62 Use a bit larger initial pool sizes Timo Sirainen <tss@iki.fi> parents: 3687 diff changeset	65 pool = pool_alloconly_create("auth_request", 1024);
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	66 request = p_new(pool, struct auth_request, 1);
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	67 request->pool = pool;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	68
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	69 request->state = AUTH_REQUEST_STATE_NEW;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	70 auth_request_state_count[AUTH_REQUEST_STATE_NEW]++;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	71
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	72 request->refcount = 1;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	73 request->last_access = ioloop_time;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	74 request->set = global_auth_settings;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	75 return request;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	76 }
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	77
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	78 void auth_request_set_state(struct auth_request *request,
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	79 enum auth_request_state state)
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	80 {
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	81 if (request->state == state)
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	82 return;
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	83
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	84 i_assert(auth_request_state_count[request->state] > 0);
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	85 auth_request_state_count[request->state]--;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	86 auth_request_state_count[state]++;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	87
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	88 request->state = state;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	89 auth_refresh_proctitle();
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	90 }
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	91
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	92 void auth_request_init(struct auth_request *request)
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	93 {
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	94 struct auth *auth;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	95
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	96 auth = auth_request_get_auth(request);
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	97 request->set = auth->set;
10961 5050e2eb1bfe auth: Previous change broke non-master logins.. Timo Sirainen <tss@iki.fi> parents: 10960 diff changeset	98 request->passdb = auth->passdbs;
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	99 request->userdb = auth->userdbs;
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	100 }
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	101
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	102 struct auth auth_request_get_auth(struct auth_request request)
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	103 {
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	104 return auth_find_service(request->service);
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	105 }
6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	106
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	107 void auth_request_success(struct auth_request *request,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	108 const void *data, size_t data_size)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	109 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	110 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	111
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	112 if (request->passdb_failure) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	113 /* password was valid, but some other check failed. */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	114 auth_request_fail(request);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	115 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	116 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	117
13765 f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	118 request->successful = TRUE;
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	119 if (data_size > 0 && !request->final_resp_ok) {
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	120 /* we'll need one more SASL round, since client doesn't support
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	121 the final SASL response */
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	122 auth_request_handler_reply_continue(request, data, data_size);
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	123 return;
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	124 }
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	125
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	126 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	127 auth_request_refresh_last_access(request);
11497 94f78f415811 auth: Removed unnecessary auth_request callback and context uses. Timo Sirainen <tss@iki.fi> parents: 11490 diff changeset	128 auth_request_handler_reply(request, AUTH_CLIENT_RESULT_SUCCESS,
94f78f415811 auth: Removed unnecessary auth_request callback and context uses. Timo Sirainen <tss@iki.fi> parents: 11490 diff changeset	129 data, data_size);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	130 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	131
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	132 void auth_request_fail(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	133 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	134 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	135
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	136 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	137 auth_request_refresh_last_access(request);
11497 94f78f415811 auth: Removed unnecessary auth_request callback and context uses. Timo Sirainen <tss@iki.fi> parents: 11490 diff changeset	138 auth_request_handler_reply(request, AUTH_CLIENT_RESULT_FAILURE,
94f78f415811 auth: Removed unnecessary auth_request callback and context uses. Timo Sirainen <tss@iki.fi> parents: 11490 diff changeset	139 NULL, 0);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	140 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	141
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	142 void auth_request_internal_failure(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	143 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	144 request->internal_failure = TRUE;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	145 auth_request_fail(request);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	146 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	147
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	148 void auth_request_ref(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	149 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	150 request->refcount++;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	151 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	152
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	153 void auth_request_unref(struct auth_request **_request)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	154 {
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	155 struct auth_request request = _request;
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	156
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	157 *_request = NULL;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	158 i_assert(request->refcount > 0);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	159 if (--request->refcount > 0)
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	160 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	161
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	162 auth_request_state_count[request->state]--;
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	163 auth_refresh_proctitle();
6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	164
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	165 if (request->mech_password != NULL) {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	166 safe_memset(request->mech_password, 0,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	167 strlen(request->mech_password));
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	168 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	169
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	170 if (request->to_abort != NULL)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	171 timeout_remove(&request->to_abort);
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	172 if (request->to_penalty != NULL)
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	173 timeout_remove(&request->to_penalty);
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	174
3386 e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	175 if (request->mech != NULL)
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	176 request->mech->auth_free(request);
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	177 else
6428 7cad076906eb pool_unref() now takes ** pointer. Timo Sirainen <tss@iki.fi> parents: 6411 diff changeset	178 pool_unref(&request->pool);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	179 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	180
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	181 void auth_request_export(struct auth_request *request,
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	182 struct auth_stream_reply *reply)
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	183 {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	184 auth_stream_reply_add(reply, "user", request->user);
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	185 auth_stream_reply_add(reply, "service", request->service);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	186
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	187 if (request->master_user != NULL) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	188 auth_stream_reply_add(reply, "master_user",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	189 request->master_user);
8346 9f66028a1089 Pass original_username to auth-workers. Timo Sirainen <tss@iki.fi> parents: 8320 diff changeset	190 }
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	191 auth_stream_reply_add(reply, "original_username",
fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	192 request->original_username);
12006 3ba227176cde auth: Pass requested_login_user to auth worker processes. Timo Sirainen <tss@iki.fi> parents: 12005 diff changeset	193 auth_stream_reply_add(reply, "requested_login_user",
3ba227176cde auth: Pass requested_login_user to auth worker processes. Timo Sirainen <tss@iki.fi> parents: 12005 diff changeset	194 request->requested_login_user);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	195
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	196 if (request->local_ip.family != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	197 auth_stream_reply_add(reply, "lip",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	198 net_ip2addr(&request->local_ip));
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	199 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	200 if (request->remote_ip.family != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	201 auth_stream_reply_add(reply, "rip",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	202 net_ip2addr(&request->remote_ip));
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	203 }
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	204 if (request->local_port != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	205 auth_stream_reply_add(reply, "lport",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	206 dec2str(request->local_port));
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	207 }
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	208 if (request->remote_port != 0) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	209 auth_stream_reply_add(reply, "rport",
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	210 dec2str(request->remote_port));
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	211 }
5585 e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	212 if (request->secured)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	213 auth_stream_reply_add(reply, "secured", "1");
7318 be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	214 if (request->skip_password_check)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	215 auth_stream_reply_add(reply, "skip_password_check", "1");
8320 d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	216 if (request->valid_client_cert)
d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	217 auth_stream_reply_add(reply, "valid-client-cert", "1");
12812 bf6749d4db08 auth: Allow clients to specify that they want to skip auth penalty check. Timo Sirainen <tss@iki.fi> parents: 12794 diff changeset	218 if (request->no_penalty)
bf6749d4db08 auth: Allow clients to specify that they want to skip auth penalty check. Timo Sirainen <tss@iki.fi> parents: 12794 diff changeset	219 auth_stream_reply_add(reply, "no-penalty", "1");
12941 bbcef91eac7e auth: Export/import auth_request->successful for auth workers. Timo Sirainen <tss@iki.fi> parents: 12915 diff changeset	220 if (request->successful)
bbcef91eac7e auth: Export/import auth_request->successful for auth workers. Timo Sirainen <tss@iki.fi> parents: 12915 diff changeset	221 auth_stream_reply_add(reply, "successful", "1");
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	222 if (request->mech_name != NULL)
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	223 auth_stream_reply_add(reply, "mech", request->mech_name);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	224 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	225
13728 9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	226 bool auth_request_import_info(struct auth_request *request,
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	227 const char key, const char value)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	228 {
13728 9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	229 /* authentication and user lookups may set these */
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	230 if (strcmp(key, "service") == 0)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	231 request->service = p_strdup(request->pool, value);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	232 else if (strcmp(key, "lip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	233 net_addr2ip(value, &request->local_ip);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	234 else if (strcmp(key, "rip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	235 net_addr2ip(value, &request->remote_ip);
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	236 else if (strcmp(key, "lport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	237 request->local_port = atoi(value);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	238 else if (strcmp(key, "rport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	239 request->remote_port = atoi(value);
13728 9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	240 else
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	241 return FALSE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	242 return TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	243 }
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	244
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	245 bool auth_request_import_auth(struct auth_request *request,
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	246 const char key, const char value)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	247 {
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	248 if (auth_request_import_info(request, key, value))
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	249 return TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	250
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	251 /* auth client may set these */
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	252 if (strcmp(key, "secured") == 0)
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	253 request->secured = TRUE;
13765 f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	254 else if (strcmp(key, "final-resp-ok") == 0)
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	255 request->final_resp_ok = TRUE;
13728 9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	256 else if (strcmp(key, "no-penalty") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	257 request->no_penalty = TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	258 else if (strcmp(key, "valid-client-cert") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	259 request->valid_client_cert = TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	260 else if (strcmp(key, "cert_username") == 0) {
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	261 if (request->set->ssl_username_from_cert) {
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	262 /* get username from SSL certificate. it overrides
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	263 the username given by the auth mechanism. */
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	264 request->user = p_strdup(request->pool, value);
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	265 request->cert_username = TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	266 }
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	267 } else {
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	268 return FALSE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	269 }
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	270 return TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	271 }
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	272
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	273 bool auth_request_import(struct auth_request *request,
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	274 const char key, const char value)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	275 {
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	276 if (auth_request_import_auth(request, key, value))
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	277 return TRUE;
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	278
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	279 /* for communication between auth master and worker processes */
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	280 if (strcmp(key, "user") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	281 request->user = p_strdup(request->pool, value);
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	282 else if (strcmp(key, "master_user") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	283 request->master_user = p_strdup(request->pool, value);
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	284 else if (strcmp(key, "original_username") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	285 request->original_username = p_strdup(request->pool, value);
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	286 else if (strcmp(key, "requested_login_user") == 0)
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields. Timo Sirainen <tss@iki.fi> parents: 13566 diff changeset	287 request->requested_login_user = p_strdup(request->pool, value);
7106 1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	288 else if (strcmp(key, "nologin") == 0)
1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	289 request->no_login = TRUE;
12941 bbcef91eac7e auth: Export/import auth_request->successful for auth workers. Timo Sirainen <tss@iki.fi> parents: 12915 diff changeset	290 else if (strcmp(key, "successful") == 0)
bbcef91eac7e auth: Export/import auth_request->successful for auth workers. Timo Sirainen <tss@iki.fi> parents: 12915 diff changeset	291 request->successful = TRUE;
7318 be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	292 else if (strcmp(key, "skip_password_check") == 0) {
be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	293 i_assert(request->master_user != NULL);
be991f857c70 Fixed pass=yes with blocking passdbs. Also master_user wasn't exported Timo Sirainen <tss@iki.fi> parents: 7278 diff changeset	294 request->skip_password_check = TRUE;
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	295 } else if (strcmp(key, "mech") == 0)
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	296 request->mech_name = p_strdup(request->pool, value);
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	297 else
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	298 return FALSE;
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	299
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	300 return TRUE;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	301 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	302
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	303 void auth_request_initial(struct auth_request *request)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	304 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	305 i_assert(request->state == AUTH_REQUEST_STATE_NEW);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	306
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	307 auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
10301 fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	308 request->mech->auth_initial(request, request->initial_response,
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address. Timo Sirainen <tss@iki.fi> parents: 10082 diff changeset	309 request->initial_response_len);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	310 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	311
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	312 void auth_request_continue(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	313 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	314 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	315 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	316
13765 f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	317 if (request->successful) {
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	318 auth_request_success(request, NULL, 0);
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	319 return;
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	320 }
f2608c3a64ee auth: If client gives "final-resp-ok" parameter, send it in OK reply with DIGEST-MD5, SCRAM-SHA-1 Timo Sirainen <tss@iki.fi> parents: 13728 diff changeset	321
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	322 auth_request_refresh_last_access(request);
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	323 request->mech->auth_continue(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	324 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	325
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	326 static void auth_request_save_cache(struct auth_request *request,
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	327 enum passdb_result result)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	328 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	329 struct passdb_module *passdb = request->passdb->passdb;
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	330 const char extra_fields, encoded_password;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	331 string_t *str;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	332
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	333 switch (result) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	334 case PASSDB_RESULT_USER_UNKNOWN:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	335 case PASSDB_RESULT_PASSWORD_MISMATCH:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	336 case PASSDB_RESULT_OK:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	337 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	338 /* can be cached */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	339 break;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	340 case PASSDB_RESULT_USER_DISABLED:
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	341 case PASSDB_RESULT_PASS_EXPIRED:
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	342 /* FIXME: we can't cache this now, or cache lookup would
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	343 return success. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	344 return;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	345 case PASSDB_RESULT_INTERNAL_FAILURE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	346 i_unreached();
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	347 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	348
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	349 extra_fields = request->extra_fields == NULL ? NULL :
e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	350 auth_stream_reply_export(request->extra_fields);
3432 079ec5c2d665 Last change caused user-given passwords to be cached, and later the password Timo Sirainen <tss@iki.fi> parents: 3431 diff changeset	351
12363 075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	352 if (passdb_cache == NULL \|\| passdb->cache_key == NULL \|\|
075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	353 request->master_user != NULL)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	354 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	355
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	356 if (result < 0) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	357 /* lookup failed. */
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	358 if (result == PASSDB_RESULT_USER_UNKNOWN) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	359 auth_cache_insert(passdb_cache, request,
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	360 passdb->cache_key, "", FALSE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	361 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	362 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	363 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	364
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	365 if (!request->no_password && request->passdb_password == NULL) {
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	366 /* passdb didn't provide the correct password */
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	367 if (result != PASSDB_RESULT_OK \|\|
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	368 request->mech_password == NULL)
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	369 return;
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	370
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	371 /* we can still cache valid password lookups though.
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	372 strdup() it so that mech_password doesn't get
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	373 cleared too early. */
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	374 if (!password_generate_encoded(request->mech_password,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	375 request->user,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	376 CACHED_PASSWORD_SCHEME,
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	377 &encoded_password))
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	378 i_unreached();
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	379 request->passdb_password =
10689 46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	380 p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}",
46ae2e53d688 auth: When caching user-given passwords, cache their SHA1, not the plaintext. Timo Sirainen <tss@iki.fi> parents: 10585 diff changeset	381 encoded_password, NULL);
3645 81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	382 }
81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	383
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	384 /* save all except the currently given password in cache */
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	385 str = t_str_new(256);
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	386 if (request->passdb_password != NULL) {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	387 if (*request->passdb_password != '{') {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	388 /* cached passwords must have a known scheme */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	389 str_append_c(str, '{');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	390 str_append(str, passdb->default_pass_scheme);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	391 str_append_c(str, '}');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	392 }
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	393 if (strchr(request->passdb_password, '\t') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	394 i_panic("%s: Password contains TAB", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	395 if (strchr(request->passdb_password, '\n') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	396 i_panic("%s: Password contains LF", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	397 str_append(str, request->passdb_password);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	398 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	399
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	400 if (extra_fields != NULL && *extra_fields != '\0') {
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	401 str_append_c(str, '\t');
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	402 str_append(str, extra_fields);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	403 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	404 if (request->extra_cache_fields != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	405 extra_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	406 auth_stream_reply_export(request->extra_cache_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	407 if (*extra_fields != '\0') {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	408 str_append_c(str, '\t');
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	409 str_append(str, extra_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	410 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	411 }
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	412 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str),
3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	413 result == PASSDB_RESULT_OK);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	414 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	415
12558 f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	416 static void auth_request_userdb_reply_update_user(struct auth_request *request)
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	417 {
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	418 const char str, p;
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	419
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	420 str = t_strdup(auth_stream_reply_export(request->userdb_reply));
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	421
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	422 /* reset the reply and add the new username */
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	423 auth_stream_reply_reset(request->userdb_reply);
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	424 auth_stream_reply_add(request->userdb_reply, NULL, request->user);
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	425
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	426 /* add the rest */
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	427 p = strchr(str, '\t');
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	428 if (p != NULL)
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	429 auth_stream_reply_import(request->userdb_reply, p + 1);
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	430 }
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	431
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	432 static bool auth_request_master_lookup_finish(struct auth_request *request)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	433 {
12261 f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	434 struct auth_passdb *passdb;
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	435
4534 dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	436 if (request->passdb_failure)
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	437 return TRUE;
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	438
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	439 /* master login successful. update user and master_user variables. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	440 auth_request_log_info(request, "passdb", "Master user logging in as %s",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	441 request->requested_login_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	442
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	443 request->master_user = request->user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	444 request->user = request->requested_login_user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	445 request->requested_login_user = NULL;
12558 f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	446 if (request->userdb_reply != NULL)
f9d34d929c3f auth: Master user login + prefetch userdb changed username to master user. Timo Sirainen <tss@iki.fi> parents: 12489 diff changeset	447 auth_request_userdb_reply_update_user(request);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	448
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	449 request->skip_password_check = TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	450 request->passdb_password = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	451
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	452 if (!request->passdb->set->pass) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	453 /* skip the passdb lookup, we're authenticated now. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	454 return TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	455 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	456
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	457 /* the authentication continues with passdb lookup for the
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	458 requested_login_user. */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	459 request->passdb = auth_request_get_auth(request)->passdbs;
12261 f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	460
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	461 for (passdb = request->passdb; passdb != NULL; passdb = passdb->next) {
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	462 if (passdb->passdb->iface.lookup_credentials != NULL)
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	463 break;
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	464 }
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	465 if (passdb == NULL) {
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	466 auth_request_log_error(request, "passdb",
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	467 "No passdbs support skipping password verification - "
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	468 "pass=yes can't be used in master passdb");
f451ffa51772 auth: Give a better error message if pass=yes can't be used in master passdb. Timo Sirainen <tss@iki.fi> parents: 12006 diff changeset	469 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	470 return FALSE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	471 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	472
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	473 static bool
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	474 auth_request_handle_passdb_callback(enum passdb_result *result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	475 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	476 {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	477 if (request->passdb_password != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	478 safe_memset(request->passdb_password, 0,
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	479 strlen(request->passdb_password));
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	480 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	481
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	482 if (request->passdb->set->deny &&
52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	483 *result != PASSDB_RESULT_USER_UNKNOWN) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	484 /* deny passdb. we can get through this step only if the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	485 lookup returned that user doesn't exist in it. internal
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	486 errors are fatal here. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	487 if (*result != PASSDB_RESULT_INTERNAL_FAILURE) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	488 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	489 "User found from deny passdb");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	490 *result = PASSDB_RESULT_USER_DISABLED;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	491 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	492 } else if (*result == PASSDB_RESULT_OK) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	493 /* success */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	494 if (request->requested_login_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	495 /* this was a master user lookup. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	496 if (!auth_request_master_lookup_finish(request))
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	497 return FALSE;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	498 } else {
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	499 if (request->passdb->set->pass) {
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	500 /* this wasn't the final passdb lookup,
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	501 continue to next passdb */
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	502 request->passdb = request->passdb->next;
4402 8846e6be0e02 If multiple passdbs were configured and we tried to authenticate as user Timo Sirainen <tss@iki.fi> parents: 4374 diff changeset	503 request->passdb_password = NULL;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	504 return FALSE;
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	505 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	506 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	507 } else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	508 if (request->extra_fields == NULL) {
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	509 request->extra_fields =
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	510 auth_stream_reply_init(request->pool);
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	511 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	512 auth_stream_reply_add(request->extra_fields, "reason",
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	513 "Password expired");
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	514 } else if (request->passdb->next != NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	515 *result != PASSDB_RESULT_USER_DISABLED) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	516 /* try next passdb. */
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	517 request->passdb = request->passdb->next;
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	518 request->passdb_password = NULL;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	519
12489 627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	520 if (*result == PASSDB_RESULT_USER_UNKNOWN) {
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	521 /* remember that we did at least one successful
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	522 passdb lookup */
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	523 request->passdb_user_unknown = TRUE;
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	524 } else if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	525 /* remember that we have had an internal failure. at
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	526 the end return internal failure if we couldn't
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	527 successfully login. */
3606 8a8352cda514 If passdb lookup fails with internal error, try other passdbs anyway before Timo Sirainen <tss@iki.fi> parents: 3520 diff changeset	528 request->passdb_internal_failure = TRUE;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	529 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	530 if (request->extra_fields != NULL)
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	531 auth_stream_reply_reset(request->extra_fields);
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	532
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	533 return FALSE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	534 } else if (request->passdb_internal_failure) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	535 /* last passdb lookup returned internal failure. it may have
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	536 had the correct password, so return internal failure
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	537 instead of plain failure. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	538 *result = PASSDB_RESULT_INTERNAL_FAILURE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	539 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	540
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	541 return TRUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	542 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	543
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	544 static void
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	545 auth_request_verify_plain_callback_finish(enum passdb_result result,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	546 struct auth_request *request)
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	547 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	548 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	549 /* try next passdb */
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	550 auth_request_verify_plain(request, request->mech_password,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	551 request->private_callback.verify_plain);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	552 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	553 auth_request_ref(request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	554 request->private_callback.verify_plain(result, request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	555 auth_request_unref(&request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	556 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	557 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	558
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	559 void auth_request_verify_plain_callback(enum passdb_result result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	560 struct auth_request *request)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	561 {
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	562 struct passdb_module *passdb = request->passdb->passdb;
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	563
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	564 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	565
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	566 auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	567
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	568 if (result != PASSDB_RESULT_INTERNAL_FAILURE) {
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	569 passdb_template_export(passdb->override_fields_tmpl, request);
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	570 auth_request_save_cache(request, result);
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	571 } else {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	572 /* lookup failed. if we're looking here only because the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	573 request was expired in cache, fallback to using cached
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	574 expired record. */
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	575 const char *cache_key = passdb->cache_key;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	576
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	577 if (passdb_cache_verify_plain(request, cache_key,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	578 request->mech_password,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	579 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	580 auth_request_log_info(request, "passdb",
13920 ee7b18b1fc00 s/Fallbacking/Falling back/ Timo Sirainen <tss@iki.fi> parents: 13910 diff changeset	581 "Falling back to expired data from cache");
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	582 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	583 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	584
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	585 auth_request_verify_plain_callback_finish(result, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	586 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	587
7389 1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	588 static bool password_has_illegal_chars(const char *password)
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	589 {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	590 for (; *password != '\0'; password++) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	591 switch (*password) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	592 case '\001':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	593 case '\t':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	594 case '\r':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	595 case '\n':
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	596 /* these characters have a special meaning in internal
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	597 protocols, make sure the password doesn't
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	598 accidentally get there unescaped. */
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	599 return TRUE;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	600 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	601 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	602 return FALSE;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	603 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	604
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	605 void auth_request_verify_plain(struct auth_request *request,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	606 const char *password,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	607 verify_plain_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	608 {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	609 struct passdb_module *passdb;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	610 enum passdb_result result;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	611 const char *cache_key;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	612
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	613 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	614
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	615 if (request->passdb == NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	616 /* no masterdbs, master logins not supported */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	617 i_assert(request->requested_login_user != NULL);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	618 auth_request_log_info(request, "passdb",
8456 529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	619 "Attempted master login with no master passdbs "
529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	620 "(trying to log in as user: %s)",
529034798b6b Add login username in "Attempted master login with no master passdbs" error. Timo Sirainen <tss@iki.fi> parents: 8402 diff changeset	621 request->requested_login_user);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	622 callback(PASSDB_RESULT_USER_UNKNOWN, request);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	623 return;
7389 1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	624 }
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	625
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	626 if (password_has_illegal_chars(password)) {
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	627 auth_request_log_info(request, "passdb",
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	628 "Attempted login with password having illegal chars");
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	629 callback(PASSDB_RESULT_USER_UNKNOWN, request);
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	630 return;
1125d2d59e82 If trying to log in with password having illegal characters, make sure we Timo Sirainen <tss@iki.fi> parents: 7388 diff changeset	631 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	632
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	633 passdb = request->passdb->passdb;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	634 if (request->mech_password == NULL)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	635 request->mech_password = p_strdup(request->pool, password);
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	636 else
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	637 i_assert(request->mech_password == password);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	638 request->private_callback.verify_plain = callback;
3164 da9e4ffef09f Last changes broke proxying when user was in auth cache. Timo Sirainen <tss@iki.fi> parents: 3161 diff changeset	639
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	640 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	641 if (passdb_cache_verify_plain(request, cache_key, password,
64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	642 &result, FALSE)) {
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	643 auth_request_verify_plain_callback_finish(result, request);
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	644 return;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	645 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	646
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	647 auth_request_set_state(request, AUTH_REQUEST_STATE_PASSDB);
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	648 request->credentials_scheme = NULL;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	649
11498 190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	650 if (passdb->iface.verify_plain == NULL) {
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	651 /* we're deinitializing and just want to get rid of this
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	652 request */
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	653 auth_request_verify_plain_callback(
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	654 PASSDB_RESULT_INTERNAL_FAILURE, request);
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	655 } else if (passdb->blocking) {
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	656 passdb_blocking_verify_plain(request);
13910 5173218ff7fe Removed unnecessary code. Timo Sirainen <tss@iki.fi> parents: 13765 diff changeset	657 } else {
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	658 passdb_template_export(passdb->default_fields_tmpl, request);
3771 4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	659 passdb->iface.verify_plain(request, password,
4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	660 auth_request_verify_plain_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	661 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	662 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	663
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	664 static void
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	665 auth_request_lookup_credentials_finish(enum passdb_result result,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	666 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	667 size_t size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	668 struct auth_request *request)
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	669 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	670 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	671 /* try next passdb */
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	672 auth_request_lookup_credentials(request,
f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	673 request->credentials_scheme,
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	674 request->private_callback.lookup_credentials);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	675 } else {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	676 if (request->set->debug_passwords &&
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	677 result == PASSDB_RESULT_OK) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	678 auth_request_log_debug(request, "password",
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	679 "Credentials: %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	680 binary_to_hex(credentials, size));
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	681 }
12489 627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	682 if (result == PASSDB_RESULT_SCHEME_NOT_AVAILABLE &&
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	683 request->passdb_user_unknown) {
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	684 /* one of the passdbs accepted the scheme,
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	685 but the user was unknown there */
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	686 result = PASSDB_RESULT_USER_UNKNOWN;
627aeadb0955 auth: passdb credentials lookup fix when using multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 12363 diff changeset	687 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	688 request->private_callback.
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	689 lookup_credentials(result, credentials, size, request);
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	690 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	691 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	692
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	693 void auth_request_lookup_credentials_callback(enum passdb_result result,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	694 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	695 size_t size,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	696 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	697 {
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	698 struct passdb_module *passdb = request->passdb->passdb;
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	699 const char cache_cred, cache_scheme;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	700
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	701 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	702
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	703 auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	704
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	705 if (result != PASSDB_RESULT_INTERNAL_FAILURE) {
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	706 passdb_template_export(passdb->override_fields_tmpl, request);
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	707 auth_request_save_cache(request, result);
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	708 } else {
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	709 /* lookup failed. if we're looking here only because the
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	710 request was expired in cache, fallback to using cached
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	711 expired record. */
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	712 const char *cache_key = passdb->cache_key;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	713
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	714 if (passdb_cache_lookup_credentials(request, cache_key,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	715 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	716 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	717 auth_request_log_info(request, "passdb",
13920 ee7b18b1fc00 s/Fallbacking/Falling back/ Timo Sirainen <tss@iki.fi> parents: 13910 diff changeset	718 "Falling back to expired data from cache");
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	719 passdb_handle_credentials(
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	720 result, cache_cred, cache_scheme,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	721 auth_request_lookup_credentials_finish,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	722 request);
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	723 return;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	724 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	725 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	726
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	727 auth_request_lookup_credentials_finish(result, credentials, size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	728 request);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	729 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	730
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	731 void auth_request_lookup_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	732 const char *scheme,
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	733 lookup_credentials_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	734 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	735 struct passdb_module *passdb = request->passdb->passdb;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	736 const char cache_key, cache_cred, *cache_scheme;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	737 enum passdb_result result;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	738
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	739 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	740
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	741 request->credentials_scheme = p_strdup(request->pool, scheme);
5233 359a8f31aa9b Fixed a crash when non-plaintext mechanism used auth_cache. Timo Sirainen <tss@iki.fi> parents: 5170 diff changeset	742 request->private_callback.lookup_credentials = callback;
3682 0207808033ad Non-plaintext authentication and passdb cache didn't work together. Patch by Timo Sirainen <tss@iki.fi> parents: 3669 diff changeset	743
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	744 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	745 if (cache_key != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	746 if (passdb_cache_lookup_credentials(request, cache_key,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	747 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	748 &result, FALSE)) {
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	749 passdb_handle_credentials(
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	750 result, cache_cred, cache_scheme,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	751 auth_request_lookup_credentials_finish,
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	752 request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	753 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	754 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	755 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	756
11251 6243376eff60 auth: If verbose_proctitle=yes, show auth request counts in ps. Timo Sirainen <tss@iki.fi> parents: 11151 diff changeset	757 auth_request_set_state(request, AUTH_REQUEST_STATE_PASSDB);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	758
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	759 if (passdb->iface.lookup_credentials == NULL) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	760 /* this passdb doesn't support credentials */
8764 90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	761 auth_request_log_debug(request, "password",
90e2a21a4298 auth: Improved logging for "password scheme not available" failures. Timo Sirainen <tss@iki.fi> parents: 8696 diff changeset	762 "passdb doesn't support credential lookups");
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	763 auth_request_lookup_credentials_callback(
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	764 PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, 0, request);
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	765 } else if (passdb->blocking) {
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	766 passdb_blocking_lookup_credentials(request);
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	767 } else {
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	768 passdb_template_export(passdb->default_fields_tmpl, request);
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	769 passdb->iface.lookup_credentials(request,
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	770 auth_request_lookup_credentials_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	771 }
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	772 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	773
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	774 void auth_request_set_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	775 const char scheme, const char data,
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	776 set_credentials_callback_t *callback)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	777 {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	778 struct passdb_module *passdb = request->passdb->passdb;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	779 const char cache_key, new_credentials;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	780
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	781 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	782 if (cache_key != NULL)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	783 auth_cache_remove(passdb_cache, request, cache_key);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	784
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	785 request->private_callback.set_credentials = callback;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	786
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	787 new_credentials = t_strdup_printf("{%s}%s", scheme, data);
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	788 if (passdb->blocking)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	789 passdb_blocking_set_credentials(request, new_credentials);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	790 else if (passdb->iface.set_credentials != NULL) {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	791 passdb->iface.set_credentials(request, new_credentials,
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	792 callback);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	793 } else {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	794 /* this passdb doesn't support credentials update */
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	795 callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	796 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	797 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	798
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	799 static void auth_request_userdb_save_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	800 enum userdb_result result)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	801 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	802 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	803 const char *str;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	804
12363 075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	805 if (passdb_cache == NULL \|\| userdb->cache_key == NULL \|\|
075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	806 request->master_user != NULL)
4983 8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	807 return;
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	808
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	809 str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	810 auth_stream_reply_export(request->userdb_reply);
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	811 /* last_success has no meaning with userdb */
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	812 auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	813 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	814
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	815 static bool auth_request_lookup_user_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	816 const char *key,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	817 struct auth_stream_reply **reply_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	818 enum userdb_result *result_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	819 bool use_expired)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	820 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	821 const char *value;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	822 struct auth_cache_node *node;
10836 81e085f9bd75 auth_cache_negative_ttl is now also used for password mismatches. Timo Sirainen <tss@iki.fi> parents: 10757 diff changeset	823 bool expired, neg_expired;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	824
12363 075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	825 if (request->master_user != NULL)
075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	826 return FALSE;
075963b71b94 auth: Disable auth caching entirely for master users. Timo Sirainen <tss@iki.fi> parents: 12297 diff changeset	827
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	828 value = auth_cache_lookup(passdb_cache, request, key, &node,
10836 81e085f9bd75 auth_cache_negative_ttl is now also used for password mismatches. Timo Sirainen <tss@iki.fi> parents: 10757 diff changeset	829 &expired, &neg_expired);
12297 b0ef4e803b1a auth: Log userdb cache hits and misses with auth_debug=yes Timo Sirainen <tss@iki.fi> parents: 12261 diff changeset	830 if (value == NULL \|\| (expired && !use_expired)) {
b0ef4e803b1a auth: Log userdb cache hits and misses with auth_debug=yes Timo Sirainen <tss@iki.fi> parents: 12261 diff changeset	831 auth_request_log_debug(request, "userdb-cache",
b0ef4e803b1a auth: Log userdb cache hits and misses with auth_debug=yes Timo Sirainen <tss@iki.fi> parents: 12261 diff changeset	832 value == NULL ? "miss" : "expired");
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	833 return FALSE;
12297 b0ef4e803b1a auth: Log userdb cache hits and misses with auth_debug=yes Timo Sirainen <tss@iki.fi> parents: 12261 diff changeset	834 }
b0ef4e803b1a auth: Log userdb cache hits and misses with auth_debug=yes Timo Sirainen <tss@iki.fi> parents: 12261 diff changeset	835 auth_request_log_debug(request, "userdb-cache", "hit: %s", value);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	836
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	837 if (*value == '\0') {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	838 /* negative cache entry */
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	839 *result_r = USERDB_RESULT_USER_UNKNOWN;
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	840 *reply_r = auth_stream_reply_init(request->pool);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	841 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	842 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	843
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	844 *result_r = USERDB_RESULT_OK;
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	845 *reply_r = auth_stream_reply_init(request->pool);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	846 auth_stream_reply_import(*reply_r, value);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	847 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	848 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	849
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	850 void auth_request_userdb_callback(enum userdb_result result,
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	851 struct auth_request *request)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	852 {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	853 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	854
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	855 if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	856 /* try next userdb. */
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	857 if (result == USERDB_RESULT_INTERNAL_FAILURE)
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	858 request->userdb_internal_failure = TRUE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	859
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	860 request->userdb = request->userdb->next;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	861 auth_request_lookup_user(request,
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	862 request->private_callback.userdb);
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	863 return;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	864 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	865
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	866 if (result == USERDB_RESULT_OK)
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	867 userdb_template_export(userdb->override_fields_tmpl, request);
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	868 else if (request->userdb_internal_failure) {
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	869 /* one of the userdb lookups failed. the user might have been
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	870 in there, so this is an internal failure */
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	871 result = USERDB_RESULT_INTERNAL_FAILURE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	872 } else if (result == USERDB_RESULT_USER_UNKNOWN &&
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	873 request->client_pid != 0) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	874 /* this was an actual login attempt, the user should
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	875 have been found. */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	876 if (auth_request_get_auth(request)->userdbs->next == NULL) {
8402 244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	877 auth_request_log_error(request, "userdb",
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	878 "user not found from userdb %s",
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	879 request->userdb->userdb->iface->name);
8402 244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	880 } else {
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	881 auth_request_log_error(request, "userdb",
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	882 "user not found from any userdbs");
244addad91a5 auth: Improved "user not found from userdb" error message. Timo Sirainen <tss@iki.fi> parents: 8347 diff changeset	883 }
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	884 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	885
11017 ce7ed594d99e auth: If userdb lookup fails internally, don't cache the result. Timo Sirainen <tss@iki.fi> parents: 10989 diff changeset	886 if (request->userdb_lookup_failed) {
ce7ed594d99e auth: If userdb lookup fails internally, don't cache the result. Timo Sirainen <tss@iki.fi> parents: 10989 diff changeset	887 /* no caching */
ce7ed594d99e auth: If userdb lookup fails internally, don't cache the result. Timo Sirainen <tss@iki.fi> parents: 10989 diff changeset	888 } else if (result != USERDB_RESULT_INTERNAL_FAILURE)
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	889 auth_request_userdb_save_cache(request, result);
5036 df93cf66022a If request fails with internal failure, don't crash if auth cache is Timo Sirainen <tss@iki.fi> parents: 4983 diff changeset	890 else if (passdb_cache != NULL && userdb->cache_key != NULL) {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	891 /* lookup failed. if we're looking here only because the
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	892 request was expired in cache, fallback to using cached
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	893 expired record. */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	894 const char *cache_key = userdb->cache_key;
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	895 struct auth_stream_reply *reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	896
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	897 if (auth_request_lookup_user_cache(request, cache_key, &reply,
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	898 &result, TRUE)) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	899 request->userdb_reply = reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	900 auth_request_log_info(request, "userdb",
13920 ee7b18b1fc00 s/Fallbacking/Falling back/ Timo Sirainen <tss@iki.fi> parents: 13910 diff changeset	901 "Falling back to expired data from cache");
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	902 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	903 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	904
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	905 request->private_callback.userdb(result, request);
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	906 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	907
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	908 void auth_request_lookup_user(struct auth_request *request,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	909 userdb_callback_t *callback)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	910 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	911 struct userdb_module *userdb = request->userdb->userdb;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	912 const char *cache_key;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	913
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	914 request->private_callback.userdb = callback;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	915 request->userdb_lookup = TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	916
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	917 /* (for now) auth_cache is shared between passdb and userdb */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	918 cache_key = passdb_cache == NULL ? NULL : userdb->cache_key;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	919 if (cache_key != NULL) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	920 struct auth_stream_reply *reply;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	921 enum userdb_result result;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	922
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	923 if (auth_request_lookup_user_cache(request, cache_key, &reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	924 &result, FALSE)) {
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	925 request->userdb_reply = reply;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	926 request->private_callback.userdb(result, request);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	927 return;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	928 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	929 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	930
11498 190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	931 if (userdb->iface->lookup == NULL) {
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	932 /* we are deinitializing */
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	933 auth_request_userdb_callback(USERDB_RESULT_INTERNAL_FAILURE,
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	934 request);
190a5278e58b auth: Changed how auth deinitilization works. Timo Sirainen <tss@iki.fi> parents: 11497 diff changeset	935 } else if (userdb->blocking)
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	936 userdb_blocking_lookup(request);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	937 else
3658 fc4622b1c1ef Separated userdb_module's interface and the actual data struct. Timo Sirainen <tss@iki.fi> parents: 3657 diff changeset	938 userdb->iface->lookup(request, auth_request_userdb_callback);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	939 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	940
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	941 static char *
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	942 auth_request_fix_username(struct auth_request request, const char username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	943 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	944 {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	945 const struct auth_settings *set = request->set;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	946 unsigned char *p;
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	947 char *user;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	948
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	949 if (*set->default_realm != '\0' &&
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	950 strchr(username, '@') == NULL) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	951 user = p_strconcat(request->pool, username, "@",
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	952 set->default_realm, NULL);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	953 } else {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	954 user = p_strdup(request->pool, username);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	955 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	956
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	957 for (p = (unsigned char )user; p != '\0'; p++) {
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	958 if (set->username_translation_map[*p & 0xff] != 0)
9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	959 p = set->username_translation_map[p & 0xff];
9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	960 if (set->username_chars_map[*p & 0xff] == 0) {
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	961 *error_r = t_strdup_printf(
12915 3eaf0d3a38d4 auth: Mention auth_username_chars in log when disallowing username because of it. Timo Sirainen <tss@iki.fi> parents: 12822 diff changeset	962 "Username character disallowed by auth_username_chars: "
12732 049a922c193c auth: If username contains invalid chars, log sanitized username even without auth_debug. Timo Sirainen <tss@iki.fi> parents: 12703 diff changeset	963 "0x%02x (username: %s)", *p,
049a922c193c auth: If username contains invalid chars, log sanitized username even without auth_debug. Timo Sirainen <tss@iki.fi> parents: 12703 diff changeset	964 str_sanitize(username, 128));
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	965 return NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	966 }
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	967 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	968
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	969 if (*set->username_format != '\0') {
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	970 /* username format given, put it through variable expansion.
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	971 we'll have to temporarily replace request->user to get
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	972 %u to be the wanted username */
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	973 const struct var_expand_table *table;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	974 char *old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	975 string_t *dest;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	976
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	977 old_username = request->user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	978 request->user = user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	979
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	980 dest = t_str_new(256);
8597 9f885dbd8157 auth: Removed extra string escaping from places where it's not necessary (or is even harmful). Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	981 table = auth_request_get_var_expand_table(request, NULL);
10892 9675d9a54ac9 auth: Moved some variables generated from settings to struct auth_settings. Timo Sirainen <tss@iki.fi> parents: 10836 diff changeset	982 var_expand(dest, set->username_format, table);
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	983 user = p_strdup(request->pool, str_c(dest));
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	984
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	985 request->user = old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	986 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	987
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	988 return user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	989 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	990
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	991 bool auth_request_set_username(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	992 const char username, const char *error_r)
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	993 {
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	994 const struct auth_settings *set = request->set;
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	995 const char p, login_username = NULL;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	996
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	997 if (*set->master_user_separator != '\0' && !request->userdb_lookup) {
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	998 /* check if the username contains a master user */
9002 9d0037a997f4 Initial commit for config rewrite. Timo Sirainen <tss@iki.fi> parents: 8599 diff changeset	999 p = strchr(username, *set->master_user_separator);
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	1000 if (p != NULL) {
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	1001 /* it does, set it. */
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	1002 login_username = t_strdup_until(username, p);
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	1003
9477 6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	1004 if (*login_username == '\0') {
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	1005 *error_r = "Empty login username";
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	1006 return FALSE;
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	1007 }
6462ba85d751 auth: Don't assert-crash if trying to log in as master user but with empty login username. Timo Sirainen <tss@iki.fi> parents: 9383 diff changeset	1008
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	1009 /* username is the master user */
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	1010 username = p + 1;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	1011 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	1012 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	1013
6619 2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1014 if (request->original_username == NULL) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1015 /* the username may change later, but we need to use this
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1016 username when verifying at least DIGEST-MD5 password. */
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1017 request->original_username = p_strdup(request->pool, username);
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1018 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1019 if (request->cert_username) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1020 /* cert_username overrides the username given by
10954 bcd43231f723 auth: Do username checks/translations even when ssl_username_from_cert=yes Timo Sirainen <tss@iki.fi> parents: 10903 diff changeset	1021 authentication mechanism. but still do checks and
bcd43231f723 auth: Do username checks/translations even when ssl_username_from_cert=yes Timo Sirainen <tss@iki.fi> parents: 10903 diff changeset	1022 translations to it. */
bcd43231f723 auth: Do username checks/translations even when ssl_username_from_cert=yes Timo Sirainen <tss@iki.fi> parents: 10903 diff changeset	1023 username = request->user;
6619 2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1024 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	1025
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1026 if (*username == '\0') {
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1027 /* Some PAM plugins go nuts with empty usernames */
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1028 *error_r = "Empty username";
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1029 return FALSE;
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1030 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1031
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1032 request->user = auth_request_fix_username(request, username, error_r);
12732 049a922c193c auth: If username contains invalid chars, log sanitized username even without auth_debug. Timo Sirainen <tss@iki.fi> parents: 12703 diff changeset	1033 if (request->user == NULL)
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1034 return FALSE;
6658 d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	1035 if (request->translated_username == NULL) {
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	1036 /* similar to original_username, but after translations */
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	1037 request->translated_username = request->user;
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	1038 }
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1039
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1040 if (login_username != NULL) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1041 if (!auth_request_set_login_username(request,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1042 login_username,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1043 error_r))
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1044 return FALSE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1045 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1046 return TRUE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1047 }
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1048
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1049 bool auth_request_set_login_username(struct auth_request *request,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1050 const char *username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1051 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1052 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1053 i_assert(*username != '\0');
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1054
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1055 if (strcmp(username, request->user) == 0) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1056 /* The usernames are the same, we don't really wish to log
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1057 in as someone else */
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1058 return TRUE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1059 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	1060
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1061 /* lookup request->user from masterdb first */
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1062 request->passdb = auth_request_get_auth(request)->masterdbs;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1063
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1064 request->requested_login_user =
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1065 auth_request_fix_username(request, username, error_r);
12005 7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1066 if (request->requested_login_user == NULL)
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1067 return FALSE;
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1068
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1069 auth_request_log_debug(request, "auth",
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1070 "Master user lookup for login: %s",
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1071 request->requested_login_user);
7428338c8df2 auth: Added more master user login debugging. Timo Sirainen <tss@iki.fi> parents: 11913 diff changeset	1072 return TRUE;
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1073 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	1074
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1075 static void auth_request_validate_networks(struct auth_request *request,
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1076 const char *networks)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1077 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1078 const char const net;
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1079 struct ip_addr net_ip;
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1080 unsigned int bits;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1081 bool found = FALSE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1082
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1083 if (request->remote_ip.family == 0) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1084 /* IP not known */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1085 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1086 "allow_nets check failed: Remote IP not known");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1087 request->passdb_failure = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1088 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1089 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1090
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1091 for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
4420 1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	1092 auth_request_log_debug(request, "auth",
1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	1093 "allow_nets: Matching for network %s", *net);
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1094
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1095 if (net_parse_range(*net, &net_ip, &bits) < 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1096 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1097 "allow_nets: Invalid network '%s'", *net);
7919 423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1098 }
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1099
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1100 if (net_is_in_network(&request->remote_ip, &net_ip, bits)) {
423b8e3fedbb Created net_parse_range() from auth code. Timo Sirainen <tss@iki.fi> parents: 7517 diff changeset	1101 found = TRUE;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1102 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1103 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1104 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1105
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1106 if (!found) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1107 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1108 "allow_nets check failed: IP not in allowed networks");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1109 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1110 request->passdb_failure = !found;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1111 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1112
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1113 static void
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1114 auth_request_set_password(struct auth_request request, const char value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1115 const char *default_scheme, bool noscheme)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1116 {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1117 if (request->passdb_password != NULL) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1118 auth_request_log_error(request,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1119 request->passdb->passdb->iface.name,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1120 "Multiple password values not supported");
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1121 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1122 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1123
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1124 /* if the password starts with '{' it most likely contains
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1125 also '}'. check it anyway to make sure, because we
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1126 assert-crash later if it doesn't exist. this could happen
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1127 if plaintext passwords are used. */
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1128 if (*value == '{' && !noscheme && strchr(value, '}') != NULL)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1129 request->passdb_password = p_strdup(request->pool, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1130 else {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1131 i_assert(default_scheme != NULL);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1132 request->passdb_password =
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1133 p_strdup_printf(request->pool, "{%s}%s",
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1134 default_scheme, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1135 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1136 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1137
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1138 static void auth_request_set_reply_field(struct auth_request *request,
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1139 const char name, const char value)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1140 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1141 if (strcmp(name, "nologin") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1142 /* user can't actually login - don't keep this
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1143 reply for master */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1144 request->no_login = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1145 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1146 } else if (strcmp(name, "proxy") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1147 /* we're proxying authentication for this user. send
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1148 password back if using plaintext authentication. */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1149 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1150 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1151 } else if (strcmp(name, "proxy_maybe") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1152 /* like "proxy", but log in normally if we're proxying to
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1153 ourself */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1154 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1155 request->proxy_maybe = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1156 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1157 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1158
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1159 if (request->extra_fields == NULL)
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1160 request->extra_fields = auth_stream_reply_init(request->pool);
13956 05940646a0f4 auth: Avoid adding duplicate extra fields to auth replies. Timo Sirainen <tss@iki.fi> parents: 13920 diff changeset	1161 auth_stream_reply_remove(request->extra_fields, name);
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1162 auth_stream_reply_add(request->extra_fields, name, value);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1163 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1164
11913 63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1165 static const char *
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1166 get_updated_username(const char *old_username,
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1167 const char name, const char value)
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1168 {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1169 const char *p;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1170
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1171 if (strcmp(name, "user") == 0) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1172 /* replace the whole username */
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1173 return value;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1174 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1175
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1176 p = strchr(old_username, '@');
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1177 if (strcmp(name, "username") == 0) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1178 if (strchr(value, '@') != NULL)
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1179 return value;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1180
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1181 /* preserve the current @domain */
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1182 return t_strconcat(value, p, NULL);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1183 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1184
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1185 if (strcmp(name, "domain") == 0) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1186 if (p == NULL) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1187 /* add the domain */
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1188 return t_strconcat(old_username, "@", value, NULL);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1189 } else {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1190 /* replace the existing domain */
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1191 p = t_strdup_until(old_username, p + 1);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1192 return t_strconcat(p, value, NULL);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1193 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1194 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1195 return NULL;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1196 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1197
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1198 static bool
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1199 auth_request_try_update_username(struct auth_request *request,
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1200 const char name, const char value)
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1201 {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1202 const char *new_value;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1203
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1204 new_value = get_updated_username(request->user, name, value);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1205 if (new_value == NULL)
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1206 return FALSE;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1207
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1208 if (strcmp(request->user, new_value) != 0) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1209 auth_request_log_debug(request, "auth",
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1210 "username changed %s -> %s",
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1211 request->user, new_value);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1212 request->user = p_strdup(request->pool, new_value);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1213 if (request->userdb_reply != NULL)
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1214 auth_request_userdb_reply_update_user(request);
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1215 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1216 return TRUE;
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1217 }
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1218
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	1219 void auth_request_set_field(struct auth_request *request,
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	1220 const char name, const char value,
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	1221 const char *default_scheme)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1222 {
4017 e2d267e6f930 Check that we don't pass around key=value pairs with empty keys. Timo Sirainen <tss@iki.fi> parents: 3918 diff changeset	1223 i_assert(*name != '\0');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1224 i_assert(value != NULL);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1225
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1226 if (strcmp(name, "password") == 0) {
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1227 auth_request_set_password(request, value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1228 default_scheme, FALSE);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1229 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1230 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1231 if (strcmp(name, "password_noscheme") == 0) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1232 auth_request_set_password(request, value, default_scheme, TRUE);
3397 2db396230881 auth_request_set_field() shouldn't save password to extra_fields. Fixes a Timo Sirainen <tss@iki.fi> parents: 3386 diff changeset	1233 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1234 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1235
11913 63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1236 if (auth_request_try_update_username(request, name, value)) {
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1237 /* don't change the original value so it gets saved correctly
63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1238 to cache. */
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1239 } else if (strcmp(name, "nodelay") == 0) {
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1240 /* don't delay replying to client of the failure */
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	1241 request->no_failure_delay = TRUE;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1242 } else if (strcmp(name, "nopassword") == 0) {
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1243 /* NULL password - anything goes */
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1244 const char *password = request->passdb_password;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1245
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1246 if (password != NULL) {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1247 (void)password_get_scheme(&password);
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1248 if (*password != '\0') {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1249 auth_request_log_error(request,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1250 request->passdb->passdb->iface.name,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1251 "nopassword set but password is "
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1252 "non-empty");
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1253 return;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1254 }
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1255 }
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1256 request->no_password = TRUE;
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1257 request->passdb_password = NULL;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1258 } else if (strcmp(name, "allow_nets") == 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1259 auth_request_validate_networks(request, value);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1260 } else if (strncmp(name, "userdb_", 7) == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1261 /* for prefetch userdb */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1262 if (request->userdb_reply == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1263 auth_request_init_userdb_reply(request);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1264 auth_request_set_userdb_field(request, name + 7, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1265 } else {
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1266 /* these fields are returned to client */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1267 auth_request_set_reply_field(request, name, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1268 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1269 }
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	1270
8599 812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1271 if ((passdb_cache != NULL &&
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1272 request->passdb->passdb->cache_key != NULL) \|\| worker) {
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1273 /* we'll need to get this field stored into cache,
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1274 or we're a worker and we'll need to send this to the main
812a977d7c1a auth worker processes shouldn't duplicate the auth cache. Timo Sirainen <tss@iki.fi> parents: 8597 diff changeset	1275 auth process that can store it in the cache. */
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1276 if (request->extra_cache_fields == NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1277 request->extra_cache_fields =
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1278 auth_stream_reply_init(request->pool);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1279 }
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1280 auth_stream_reply_add(request->extra_cache_fields, name, value);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1281 }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1282 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1283
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1284 void auth_request_set_fields(struct auth_request *request,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1285 const char const fields,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1286 const char *default_scheme)
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1287 {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1288 const char key, value;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1289
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1290 for (; *fields != NULL; fields++) {
5163 39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1291 if (**fields == '\0')
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1292 continue;
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1293
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1294 value = strchr(*fields, '=');
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1295 if (value == NULL) {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1296 key = *fields;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1297 value = "";
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1298 } else {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1299 key = t_strdup_until(*fields, value);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1300 value++;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1301 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1302 auth_request_set_field(request, key, value, default_scheme);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1303 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1304 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1305
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1306 void auth_request_init_userdb_reply(struct auth_request *request)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1307 {
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1308 struct userdb_module *module = request->userdb->userdb;
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1309
7388 08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings Timo Sirainen <tss@iki.fi> parents: 7318 diff changeset	1310 request->userdb_reply = auth_stream_reply_init(request->pool);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1311 auth_stream_reply_add(request->userdb_reply, NULL, request->user);
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1312
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1313 userdb_template_export(module->default_fields_tmpl, request);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1314 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1315
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1316 static void auth_request_set_uidgid_file(struct auth_request *request,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1317 const char *path_template)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1318 {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1319 string_t *path;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1320 struct stat st;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1321
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1322 path = t_str_new(256);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1323 var_expand(path, path_template,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1324 auth_request_get_var_expand_table(request, NULL));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1325 if (stat(str_c(path), &st) < 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1326 auth_request_log_error(request, "uidgid_file",
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1327 "stat(%s) failed: %m", str_c(path));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1328 } else {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1329 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1330 "uid", dec2str(st.st_uid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1331 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1332 "gid", dec2str(st.st_gid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1333 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1334 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1335
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1336 void auth_request_set_userdb_field(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1337 const char name, const char value)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1338 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1339 uid_t uid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1340 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1341
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1342 if (strcmp(name, "uid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1343 uid = userdb_parse_uid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1344 if (uid == (uid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1345 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1346 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1347 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1348 value = dec2str(uid);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1349 } else if (strcmp(name, "gid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1350 gid = userdb_parse_gid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1351 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1352 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1353 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1354 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1355 value = dec2str(gid);
10989 53f4e8e0166a auth: Added "tempfail" userdb field. Timo Sirainen <tss@iki.fi> parents: 10961 diff changeset	1356 } else if (strcmp(name, "tempfail") == 0) {
53f4e8e0166a auth: Added "tempfail" userdb field. Timo Sirainen <tss@iki.fi> parents: 10961 diff changeset	1357 request->userdb_lookup_failed = TRUE;
11151 093591e1110b auth: Fixed userdb tempfail to work with blocking userdbs. Timo Sirainen <tss@iki.fi> parents: 11086 diff changeset	1358 return;
11913 63124518977a auth: Support "username" and "domain" extra fields also for userdb. Timo Sirainen <tss@iki.fi> parents: 11498 diff changeset	1359 } else if (auth_request_try_update_username(request, name, value)) {
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1360 return;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1361 } else if (strcmp(name, "uidgid_file") == 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1362 auth_request_set_uidgid_file(request, value);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1363 return;
8163 498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1364 } else if (strcmp(name, "userdb_import") == 0) {
498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1365 auth_stream_reply_import(request->userdb_reply, value);
498dd1ec2b93 Added a special userdb_import field to add TAB-separated fields to userdb reply. Timo Sirainen <tss@iki.fi> parents: 8111 diff changeset	1366 return;
8768 91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1367 } else if (strcmp(name, "system_user") == 0) {
91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1368 /* FIXME: the system_user is for backwards compatibility */
13330 83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1369 static bool warned = FALSE;
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1370 if (!warned) {
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1371 i_warning("userdb: Replace system_user with system_groups_user");
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1372 warned = TRUE;
83ac50d3b76f auth: Added default_fields and override_fields settings to all passdbs and userdbs. Timo Sirainen <tss@iki.fi> parents: 12977 diff changeset	1373 }
8768 91e880ae387a Authentication: system_user userdb extra field renamed to system_groups_user. Timo Sirainen <tss@iki.fi> parents: 8764 diff changeset	1374 name = "system_groups_user";
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1375 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1376
13956 05940646a0f4 auth: Avoid adding duplicate extra fields to auth replies. Timo Sirainen <tss@iki.fi> parents: 13920 diff changeset	1377 auth_stream_reply_remove(request->userdb_reply, name);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1378 auth_stream_reply_add(request->userdb_reply, name, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1379 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1380
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1381 void auth_request_set_userdb_field_values(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1382 const char *name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1383 const char const values)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1384 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1385 if (*values == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1386 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1387
12794 946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1388 if (strcmp(name, "gid") == 0) {
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1389 /* convert gids to comma separated list */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1390 string_t *value;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1391 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1392
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1393 value = t_str_new(128);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1394 for (; *values != NULL; values++) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1395 gid = userdb_parse_gid(request, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1396 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1397 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1398 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1399 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1400
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1401 if (str_len(value) > 0)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1402 str_append_c(value, ',');
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1403 str_append(value, dec2str(gid));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1404 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1405 auth_stream_reply_add(request->userdb_reply, name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1406 str_c(value));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1407 } else {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1408 /* add only one */
12794 946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1409 if (values[1] != NULL) {
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1410 auth_request_log_warning(request, "userdb",
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1411 "Multiple values found for '%s', "
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1412 "using value '%s'", name, *values);
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1413 }
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1414 auth_request_set_userdb_field(request, name, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1415 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1416 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1417
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1418 static bool auth_request_proxy_is_self(struct auth_request *request)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1419 {
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1420 const char const tmp, port = NULL, destuser = NULL;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1421
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1422 if (!request->proxy_host_is_self)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1423 return FALSE;
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1424
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1425 tmp = auth_stream_split(request->extra_fields);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1426 for (; *tmp != NULL; tmp++) {
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1427 if (strncmp(*tmp, "port=", 5) == 0)
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1428 port = *tmp + 5;
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1429 else if (strncmp(*tmp, "destuser=", 9) == 0)
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1430 destuser = *tmp + 9;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1431 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1432
11086 260e190306b0 Started using str_to_() functions instead of libc's ones. Timo Sirainen <tss@iki.fi>* parents: 11017 diff changeset	1433 if (port != NULL && !str_uint_equals(port, request->local_port))
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1434 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1435 return destuser == NULL \|\|
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1436 strcmp(destuser, request->original_username) == 0;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1437 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1438
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1439 static bool
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1440 auth_request_proxy_ip_is_self(struct auth_request *request,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1441 const struct ip_addr *ip)
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1442 {
14159 98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1443 unsigned int i;
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1444
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1445 if (net_ip_compare(ip, &request->local_ip))
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1446 return TRUE;
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1447
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1448 for (i = 0; request->set->proxy_self_ips[i].family != 0; i++) {
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1449 if (net_ip_compare(ip, &request->set->proxy_self_ips[i]))
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1450 return TRUE;
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1451 }
98d696965c91 auth: Added auth_proxy_self setting to specify IPs that are considered as "self" for proxy_maybe. Timo Sirainen <tss@iki.fi> parents: 14156 diff changeset	1452 return FALSE;
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1453 }
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1454
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1455 static void auth_request_proxy_finish_ip(struct auth_request *request)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1456 {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1457 if (!request->proxy_maybe) {
7278 27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1458 /* proxying */
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1459 request->no_login = TRUE;
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1460 } else if (!auth_request_proxy_is_self(request)) {
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1461 /* proxy destination isn't ourself - proxy */
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1462 auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1463 auth_stream_reply_add(request->extra_fields, "proxy", NULL);
27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1464 request->no_login = TRUE;
7123 25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1465 } else {
25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1466 /* proxying to ourself - log in without proxying by dropping
25e7c37c7c10 If proxy user has a password and authentication fails, don't return the Timo Sirainen <tss@iki.fi> parents: 7122 diff changeset	1467 all the proxying fields. */
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1468 auth_request_proxy_finish_failure(request);
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1469 }
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1470 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1471
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1472 struct auth_request_proxy_dns_lookup_ctx {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1473 struct auth_request *request;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1474 auth_request_proxy_cb_t *callback;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1475 };
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1476
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1477 static void
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1478 auth_request_proxy_dns_callback(const struct dns_lookup_result *result,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1479 void *context)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1480 {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1481 struct auth_request_proxy_dns_lookup_ctx *ctx = context;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1482 struct auth_request *request = ctx->request;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1483 const char *host;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1484 unsigned int i;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1485
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1486 host = auth_stream_reply_find(request->extra_fields, "host");
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1487 i_assert(host != NULL);
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1488
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1489 if (result->ret != 0) {
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1490 auth_request_log_error(request, "proxy",
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1491 "DNS lookup for %s failed: %s", host, result->error);
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1492 request->internal_failure = TRUE;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1493 auth_request_proxy_finish_failure(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1494 } else {
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1495 if (result->msecs > AUTH_DNS_WARN_MSECS) {
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1496 auth_request_log_warning(request, "proxy",
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1497 "DNS lookup for %s took %u.%03u s",
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1498 host, result->msecs/1000, result->msecs % 1000);
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1499 }
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1500 auth_stream_reply_remove(request->extra_fields, "host");
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1501 auth_stream_reply_add(request->extra_fields, "host",
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1502 net_ip2addr(&result->ips[0]));
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1503 for (i = 0; i < result->ips_count; i++) {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1504 if (auth_request_proxy_ip_is_self(request,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1505 &result->ips[i])) {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1506 request->proxy_host_is_self = TRUE;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1507 break;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1508 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1509 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1510 auth_request_proxy_finish_ip(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1511 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1512 if (ctx->callback != NULL)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1513 ctx->callback(result->ret == 0, request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1514 i_free(ctx);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1515 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1516
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1517 static int auth_request_proxy_host_lookup(struct auth_request *request,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1518 auth_request_proxy_cb_t *callback)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1519 {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1520 struct auth_request_proxy_dns_lookup_ctx *ctx;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1521 struct dns_lookup_settings dns_set;
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1522 const char host, value;
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1523 struct ip_addr ip;
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1524 unsigned int secs;
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1525
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1526 host = auth_stream_reply_find(request->extra_fields, "host");
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1527 if (host == NULL)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1528 return 1;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1529 if (net_addr2ip(host, &ip) == 0) {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1530 if (auth_request_proxy_ip_is_self(request, &ip))
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1531 request->proxy_host_is_self = TRUE;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1532 return 1;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1533 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1534
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1535 /* need to do dns lookup for the host */
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1536 memset(&dns_set, 0, sizeof(dns_set));
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1537 dns_set.dns_client_socket_path = AUTH_DNS_SOCKET_PATH;
14156 8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1538 dns_set.timeout_msecs = AUTH_DNS_DEFAULT_TIMEOUT_MSECS;
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1539 value = auth_stream_reply_find(request->extra_fields, "proxy_timeout");
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1540 if (value != NULL) {
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1541 if (str_to_uint(value, &secs) < 0) {
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1542 auth_request_log_error(request, "proxy",
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1543 "Invalid proxy_timeout value: %s", value);
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1544 } else {
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1545 dns_set.timeout_msecs = secs*1000;
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1546 }
8e2f395cf86c auth: Use proxy_timeout as DNS lookup timeout, if available. Warn if lookup takes >0.5s. Timo Sirainen <tss@iki.fi> parents: 14155 diff changeset	1547 }
14155 da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1548
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1549 ctx = i_new(struct auth_request_proxy_dns_lookup_ctx, 1);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1550 ctx->request = request;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1551
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1552 if (dns_lookup(host, &dns_set, auth_request_proxy_dns_callback, ctx) < 0) {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1553 /* failed early */
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1554 request->internal_failure = TRUE;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1555 auth_request_proxy_finish_failure(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1556 return -1;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1557 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1558 ctx->callback = callback;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1559 return 0;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1560 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1561
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1562 int auth_request_proxy_finish(struct auth_request *request,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1563 auth_request_proxy_cb_t *callback)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1564 {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1565 int ret;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1566
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1567 if (!request->proxy)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1568 return 1;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1569
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1570 if ((ret = auth_request_proxy_host_lookup(request, callback)) <= 0)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1571 return ret;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1572
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1573 auth_request_proxy_finish_ip(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1574 return 1;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1575 }
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1576
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1577 void auth_request_proxy_finish_failure(struct auth_request *request)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1578 {
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1579 if (!request->proxy)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1580 return;
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1581
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly. Timo Sirainen <tss@iki.fi> parents: 14133 diff changeset	1582 /* drop all proxying fields */
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1583 auth_stream_reply_remove(request->extra_fields, "proxy");
7278 27b7b6c34961 Fixed proxy_maybe handling. Timo Sirainen <tss@iki.fi> parents: 7226 diff changeset	1584 auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1585 auth_stream_reply_remove(request->extra_fields, "host");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1586 auth_stream_reply_remove(request->extra_fields, "port");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1587 auth_stream_reply_remove(request->extra_fields, "destuser");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1588 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1589
10542 de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1590 static void log_password_failure(struct auth_request *request,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1591 const char *plain_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1592 const char *crypted_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1593 const char scheme, const char user,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1594 const char *subsystem)
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1595 {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1596 static bool scheme_ok = FALSE;
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1597 string_t *str = t_str_new(256);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1598 const char *working_scheme;
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1599
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1600 str_printfa(str, "%s(%s) != '%s'", scheme,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1601 plain_password, crypted_password);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1602
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1603 if (!scheme_ok) {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1604 /* perhaps the scheme is wrong - see if we can find
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1605 a working one */
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1606 working_scheme = password_scheme_detect(plain_password,
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1607 crypted_password, user);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1608 if (working_scheme != NULL) {
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1609 str_printfa(str, ", try %s scheme instead",
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1610 working_scheme);
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1611 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1612 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1613
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1614 auth_request_log_debug(request, subsystem, "%s", str_c(str));
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1615 }
de75c45e6765 auth_debug_passwords: If password is correct but scheme is wrong, try to detect and log it. Timo Sirainen <tss@iki.fi> parents: 10301 diff changeset	1616
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1617 void auth_request_log_password_mismatch(struct auth_request *request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1618 const char *subsystem)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1619 {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1620 string_t *str;
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1621 const char *log_type = request->set->verbose_passwords;
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1622
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1623 if (strcmp(log_type, "no") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1624 auth_request_log_info(request, subsystem, "Password mismatch");
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1625 return;
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1626 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1627
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1628 str = t_str_new(128);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1629 get_log_prefix(str, request, subsystem);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1630 str_append(str, "Password mismatch ");
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1631
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1632 if (strcmp(log_type, "plain") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1633 str_printfa(str, "(given password: %s)",
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1634 request->mech_password);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1635 } else if (strcmp(log_type, "sha1") == 0) {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1636 unsigned char sha1[SHA1_RESULTLEN];
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1637
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1638 sha1_get_digest(request->mech_password,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1639 strlen(request->mech_password), sha1);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1640 str_printfa(str, "(SHA1 of given password: %s)",
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1641 binary_to_hex(sha1, sizeof(sha1)));
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1642 } else {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1643 i_unreached();
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1644 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1645
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1646 i_info("%s", str_c(str));
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1647 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1648
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1649 int auth_request_password_verify(struct auth_request *request,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1650 const char *plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1651 const char *crypted_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1652 const char scheme, const char subsystem)
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1653 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1654 const unsigned char *raw_password;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1655 size_t raw_password_size;
12977 9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1656 const char *error;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1657 int ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1658
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1659 if (request->skip_password_check) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1660 /* currently this can happen only with master logins */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1661 i_assert(request->master_user != NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1662 return 1;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1663 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1664
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1665 if (request->passdb->set->deny) {
4689 80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1666 /* this is a deny database, we don't care about the password */
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1667 return 0;
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1668 }
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1669
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1670 if (request->no_password) {
12703 4b16a5b1da62 auth: Logging improvement for nopassword=y. Timo Sirainen <tss@iki.fi> parents: 12558 diff changeset	1671 auth_request_log_debug(request, subsystem,
4b16a5b1da62 auth: Logging improvement for nopassword=y. Timo Sirainen <tss@iki.fi> parents: 12558 diff changeset	1672 "Allowing any password");
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1673 return 1;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1674 }
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1675
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1676 ret = password_decode(crypted_password, scheme,
13566 c9894346b1a3 auth: If password data isn't valid for specified scheme, give a better error message. Timo Sirainen <tss@iki.fi> parents: 13330 diff changeset	1677 &raw_password, &raw_password_size, &error);
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1678 if (ret <= 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1679 if (ret < 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1680 auth_request_log_error(request, subsystem,
13566 c9894346b1a3 auth: If password data isn't valid for specified scheme, give a better error message. Timo Sirainen <tss@iki.fi> parents: 13330 diff changeset	1681 "Password data is not valid for scheme %s: %s",
c9894346b1a3 auth: If password data isn't valid for specified scheme, give a better error message. Timo Sirainen <tss@iki.fi> parents: 13330 diff changeset	1682 scheme, error);
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1683 } else {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1684 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1685 "Unknown scheme %s", scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1686 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1687 return -1;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1688 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1689
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	1690 /* Use original_username since it may be important for some
4872 07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1691 password schemes (eg. digest-md5). Otherwise the username is used
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1692 only for logging purposes. */
8347 fc5683975951 auth: original_username should never be NULL, removed all code that checks for it. Timo Sirainen <tss@iki.fi> parents: 8346 diff changeset	1693 ret = password_verify(plain_password, request->original_username,
12977 9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1694 scheme, raw_password, raw_password_size, &error);
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1695 if (ret < 0) {
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1696 const char *password_str = request->set->debug_passwords ?
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1697 t_strdup_printf(" '%s'", crypted_password) : "";
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1698 auth_request_log_error(request, subsystem,
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1699 "Invalid password%s in passdb: %s",
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1700 password_str, error);
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1701 } else if (ret == 0) {
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1702 auth_request_log_password_mismatch(request, subsystem);
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1703 }
12977 9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1704 if (ret <= 0 && request->set->debug_passwords) T_BEGIN {
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1705 log_password_failure(request, plain_password,
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1706 crypted_password, scheme,
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1707 request->original_username,
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1708 subsystem);
9490d57d2f7b auth: Give password scheme suggestions also when passdb data is invalid for scheme. Timo Sirainen <tss@iki.fi> parents: 12969 diff changeset	1709 } T_END;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1710 return ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1711 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1712
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1713 static const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1714 escape_none(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1715 const struct auth_request *request ATTR_UNUSED)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1716 {
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1717 return string;
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1718 }
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1719
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1720 const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1721 auth_request_str_escape(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1722 const struct auth_request *request ATTR_UNUSED)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1723 {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1724 return str_escape(string);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1725 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1726
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1727 const struct var_expand_table *
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1728 auth_request_get_var_expand_table(const struct auth_request *auth_request,
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1729 auth_request_escape_func_t *escape_func)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1730 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1731 static struct var_expand_table static_tab[] = {
8544 983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1732 { 'u', NULL, "user" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1733 { 'n', NULL, "username" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1734 { 'd', NULL, "domain" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1735 { 's', NULL, "service" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1736 { 'h', NULL, "home" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1737 { 'l', NULL, "lip" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1738 { 'r', NULL, "rip" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1739 { 'p', NULL, "pid" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1740 { 'w', NULL, "password" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1741 { '!', NULL, NULL },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1742 { 'm', NULL, "mech" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1743 { 'c', NULL, "secured" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1744 { 'a', NULL, "lport" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1745 { 'b', NULL, "rport" },
983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1746 { 'k', NULL, "cert" },
11466 5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1747 { '\0', NULL, "login_user" },
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1748 { '\0', NULL, "login_username" },
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1749 { '\0', NULL, "login_domain" },
8544 983d38de06c9 var_expand(): Added support for long %{variable} names. Timo Sirainen <tss@iki.fi> parents: 8456 diff changeset	1750 { '\0', NULL, NULL }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1751 };
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1752 struct var_expand_table *tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1753
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1754 if (escape_func == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1755 escape_func = escape_none;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1756
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1757 tab = t_malloc(sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1758 memcpy(tab, static_tab, sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1759
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1760 tab[0].value = escape_func(auth_request->user, auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1761 tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1762 auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1763 tab[2].value = strchr(auth_request->user, '@');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1764 if (tab[2].value != NULL)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1765 tab[2].value = escape_func(tab[2].value+1, auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1766 tab[3].value = auth_request->service;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1767 /* tab[4] = we have no home dir */
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1768 if (auth_request->local_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1769 tab[5].value = net_ip2addr(&auth_request->local_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1770 if (auth_request->remote_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1771 tab[6].value = net_ip2addr(&auth_request->remote_ip);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	1772 tab[7].value = dec2str(auth_request->client_pid);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1773 if (auth_request->mech_password != NULL) {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1774 tab[8].value = escape_func(auth_request->mech_password,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1775 auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1776 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1777 if (auth_request->userdb_lookup) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1778 tab[9].value = auth_request->userdb == NULL ? "" :
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1779 dec2str(auth_request->userdb->userdb->id);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1780 } else {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1781 tab[9].value = auth_request->passdb == NULL ? "" :
10897 52eb8317514f auth: Cleaned up struct auth_passdb/auth_userdb. Timo Sirainen <tss@iki.fi> parents: 10893 diff changeset	1782 dec2str(auth_request->passdb->passdb->id);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1783 }
8111 d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	1784 tab[10].value = auth_request->mech_name == NULL ? "" :
d49bdda63506 auth: %m variable didn't work with blocking passdbs Timo Sirainen <tss@iki.fi> parents: 7919 diff changeset	1785 auth_request->mech_name;
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1786 tab[11].value = auth_request->secured ? "secured" : "";
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1787 tab[12].value = dec2str(auth_request->local_port);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1788 tab[13].value = dec2str(auth_request->remote_port);
8320 d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty. Timo Sirainen <tss@iki.fi> parents: 8163 diff changeset	1789 tab[14].value = auth_request->valid_client_cert ? "valid" : "";
11466 5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1790
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1791 if (auth_request->requested_login_user != NULL) {
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1792 const char *login_user = auth_request->requested_login_user;
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1793
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1794 tab[15].value = escape_func(login_user, auth_request);
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1795 tab[16].value = escape_func(t_strcut(login_user, '@'),
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1796 auth_request);
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1797 tab[17].value = strchr(login_user, '@');
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1798 if (tab[17].value != NULL) {
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1799 tab[17].value = escape_func(tab[17].value+1,
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1800 auth_request);
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1801 }
5ae4a5c14f5b auth: Added %{login_user}, %{login_username} and %{login_domain} variables that are set for master logins. Timo Sirainen <tss@iki.fi> parents: 11456 diff changeset	1802 }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1803 return tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1804 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1805
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1806 static void get_log_prefix(string_t str, struct auth_request auth_request,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1807 const char *subsystem)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1808 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1809 #define MAX_LOG_USERNAME_LEN 64
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1810 const char *ip;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1811
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1812 str_append(str, subsystem);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1813 str_append_c(str, '(');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1814
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1815 if (auth_request->user == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1816 str_append(str, "?");
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1817 else {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1818 str_sanitize_append(str, auth_request->user,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1819 MAX_LOG_USERNAME_LEN);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1820 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1821
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1822 ip = net_ip2addr(&auth_request->remote_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1823 if (ip != NULL) {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1824 str_append_c(str, ',');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1825 str_append(str, ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1826 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1827 if (auth_request->requested_login_user != NULL)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1828 str_append(str, ",master");
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1829 str_append(str, "): ");
10585 941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1830 }
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1831
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1832 static const char * ATTR_FORMAT(3, 0)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1833 get_log_str(struct auth_request auth_request, const char subsystem,
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1834 const char *format, va_list va)
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1835 {
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1836 string_t *str;
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1837
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1838 str = t_str_new(128);
941511db13c3 Added auth_verbose_passwords = no\|plain\|sha1. Timo Sirainen <tss@iki.fi> parents: 10582 diff changeset	1839 get_log_prefix(str, auth_request, subsystem);
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1840 str_vprintfa(str, format, va);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1841 return str_c(str);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1842 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1843
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1844 void auth_request_log_debug(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1845 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1846 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1847 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1848 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1849
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1850 if (!auth_request->set->debug)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1851 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1852
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1853 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1854 T_BEGIN {
10082 62b37dcf173e Log debug-level messages with i_debug(). Pascal Volk <user@localhost.localdomain.org> parents: 9477 diff changeset	1855 i_debug("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1856 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1857 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1858 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1859
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1860 void auth_request_log_info(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1861 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1862 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1863 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1864 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1865
10903 6e639833c3fc auth: Initial support for per-protocol auth settings. Timo Sirainen <tss@iki.fi> parents: 10897 diff changeset	1866 if (!auth_request->set->verbose)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1867 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1868
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1869 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1870 T_BEGIN {
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1871 i_info("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1872 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1873 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1874 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1875
12794 946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1876 void auth_request_log_warning(struct auth_request *auth_request,
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1877 const char *subsystem,
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1878 const char *format, ...)
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1879 {
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1880 va_list va;
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1881
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1882 va_start(va, format);
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1883 T_BEGIN {
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1884 i_warning("%s", get_log_str(auth_request, subsystem, format, va));
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1885 } T_END;
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1886 va_end(va);
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1887 }
946d1cd3300b auth: Log a warning if ldap attribute has unexpectedly multiple values. Timo Sirainen <tss@iki.fi> parents: 12732 diff changeset	1888
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1889 void auth_request_log_error(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1890 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1891 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1892 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1893 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1894
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1895 va_start(va, format);
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1896 T_BEGIN {
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1897 i_error("%s", get_log_str(auth_request, subsystem, format, va));
7226 e6693a0ec8e1 Renamed T_FRAME_BEGIN/END to T_BEGIN/END. Removed T_FRAME() macro and Timo Sirainen <tss@iki.fi> parents: 7123 diff changeset	1898 } T_END;
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1899 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1900 }
10757 d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1901
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1902 void auth_request_refresh_last_access(struct auth_request *request)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1903 {
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1904 request->last_access = ioloop_time;
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1905 if (request->to_abort != NULL)
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1906 timeout_reset(request->to_abort);
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts. Timo Sirainen <tss@iki.fi> parents: 10689 diff changeset	1907 }

Mercurial > dovecot > core-2.2

annotate src/auth/auth-request.c @ 14159:98d696965c91