Mercurial > dovecot > core-2.2
annotate src/auth/auth-request.c @ 5129:9b1a90eddfd0 HEAD
Special extra_fields weren't saved to auth cache. This was especially
problematic for allow_nets which was ignored if the user was already in
cache.
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Thu, 15 Feb 2007 12:47:00 +0200 |
| parents | 005ad2165d08 |
| children | 142726697f29 |
| rev | line source |
|---|---|
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1 /* Copyright (C) 2002-2005 Timo Sirainen */ |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 #include "common.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 #include "ioloop.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 #include "buffer.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 #include "hash.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
7 #include "str.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
8 #include "safe-memset.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 #include "str-sanitize.h" |
|
4168
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
10 #include "strescape.h" |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
11 #include "var-expand.h" |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
12 #include "auth-cache.h" |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
13 #include "auth-request.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
14 #include "auth-client-connection.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
15 #include "auth-master-connection.h" |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
16 #include "passdb.h" |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
17 #include "passdb-blocking.h" |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
18 #include "userdb-blocking.h" |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
19 #include "passdb-cache.h" |
|
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
20 #include "password-scheme.h" |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
21 |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
22 #include <stdlib.h> |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
23 |
| 3072 | 24 struct auth_request * |
| 25 auth_request_new(struct auth *auth, struct mech_module *mech, | |
| 3074 | 26 mech_callback_t *callback, void *context) |
| 3072 | 27 { |
| 28 struct auth_request *request; | |
| 29 | |
| 30 request = mech->auth_new(); | |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
31 request->state = AUTH_REQUEST_STATE_NEW; |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
32 request->passdb = auth->passdbs; |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
33 request->userdb = auth->userdbs; |
| 3072 | 34 |
| 35 request->refcount = 1; | |
| 3074 | 36 request->created = ioloop_time; |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
37 request->credentials = -1; |
| 3074 | 38 |
| 3072 | 39 request->auth = auth; |
| 40 request->mech = mech; | |
| 41 request->callback = callback; | |
| 3074 | 42 request->context = context; |
| 3072 | 43 return request; |
| 44 } | |
| 45 | |
|
3185
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
46 struct auth_request *auth_request_new_dummy(struct auth *auth) |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
47 { |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
48 struct auth_request *auth_request; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
49 pool_t pool; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
50 |
|
3695
4f8598b0ca62
Use a bit larger initial pool sizes
Timo Sirainen <tss@iki.fi>
parents:
3687
diff
changeset
|
51 pool = pool_alloconly_create("auth_request", 1024); |
|
3185
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
52 auth_request = p_new(pool, struct auth_request, 1); |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
53 auth_request->pool = pool; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
54 |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
55 auth_request->refcount = 1; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
56 auth_request->created = ioloop_time; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
57 auth_request->auth = auth; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
58 auth_request->passdb = auth->passdbs; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
59 auth_request->userdb = auth->userdbs; |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
60 auth_request->credentials = -1; |
|
3185
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
61 |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
62 return auth_request; |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
63 } |
|
3089083e1d47
Handle USER requests from master connections.
Timo Sirainen <tss@iki.fi>
parents:
3183
diff
changeset
|
64 |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
65 void auth_request_success(struct auth_request *request, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
66 const void *data, size_t data_size) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
67 { |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
68 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
69 |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
70 if (request->passdb_failure) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
71 /* password was valid, but some other check failed. */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
72 auth_request_fail(request); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
73 return; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
74 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
75 |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
76 request->state = AUTH_REQUEST_STATE_FINISHED; |
| 3074 | 77 request->successful = TRUE; |
| 78 request->callback(request, AUTH_CLIENT_RESULT_SUCCESS, | |
| 79 data, data_size); | |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
80 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
81 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
82 void auth_request_fail(struct auth_request *request) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
83 { |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
84 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
85 |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
86 request->state = AUTH_REQUEST_STATE_FINISHED; |
| 3074 | 87 request->callback(request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
88 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
89 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
90 void auth_request_internal_failure(struct auth_request *request) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
91 { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
92 request->internal_failure = TRUE; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
93 auth_request_fail(request); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
94 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
95 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
96 void auth_request_ref(struct auth_request *request) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
97 { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
98 request->refcount++; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
99 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
100 |
|
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
101 void auth_request_unref(struct auth_request **_request) |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
102 { |
|
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
103 struct auth_request *request = *_request; |
|
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
104 |
|
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
105 *_request = NULL; |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
106 i_assert(request->refcount > 0); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
107 if (--request->refcount > 0) |
|
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
108 return; |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
109 |
|
3386
e4b84d82c685
Master connection's USER command was leaking memory (with deliver binary).
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
110 if (request->mech != NULL) |
|
e4b84d82c685
Master connection's USER command was leaking memory (with deliver binary).
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
111 request->mech->auth_free(request); |
|
e4b84d82c685
Master connection's USER command was leaking memory (with deliver binary).
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
112 else |
|
e4b84d82c685
Master connection's USER command was leaking memory (with deliver binary).
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
113 pool_unref(request->pool); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
114 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
115 |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
116 void auth_request_export(struct auth_request *request, string_t *str) |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
117 { |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
118 str_append(str, "user="); |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
119 str_append(str, request->user); |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
120 str_append(str, "\tservice="); |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
121 str_append(str, request->service); |
|
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
122 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
123 if (request->master_user != NULL) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
124 str_append(str, "master_user="); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
125 str_append(str, request->master_user); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
126 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
127 |
|
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
128 if (request->local_ip.family != 0) { |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
129 str_append(str, "\tlip="); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
130 str_append(str, net_ip2addr(&request->local_ip)); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
131 } |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
132 if (request->remote_ip.family != 0) { |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
133 str_append(str, "\trip="); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
134 str_append(str, net_ip2addr(&request->remote_ip)); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
135 } |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
136 } |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
137 |
|
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
138 bool auth_request_import(struct auth_request *request, |
|
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
139 const char *key, const char *value) |
|
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
140 { |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
141 if (strcmp(key, "user") == 0) |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
142 request->user = p_strdup(request->pool, value); |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
143 else if (strcmp(key, "master_user") == 0) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
144 request->master_user = p_strdup(request->pool, value); |
|
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
145 else if (strcmp(key, "cert_username") == 0) { |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
146 if (request->auth->ssl_username_from_cert) { |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
147 /* get username from SSL certificate. it overrides |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
148 the username given by the auth mechanism. */ |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
149 request->user = p_strdup(request->pool, value); |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
150 request->cert_username = TRUE; |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
151 } |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
152 } else if (strcmp(key, "service") == 0) |
|
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
153 request->service = p_strdup(request->pool, value); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
154 else if (strcmp(key, "lip") == 0) |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
155 net_addr2ip(value, &request->local_ip); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
156 else if (strcmp(key, "rip") == 0) |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
157 net_addr2ip(value, &request->remote_ip); |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
158 else |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
159 return FALSE; |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
160 |
|
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3318
diff
changeset
|
161 return TRUE; |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
162 } |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
163 |
| 3068 | 164 void auth_request_initial(struct auth_request *request, |
| 3071 | 165 const unsigned char *data, size_t data_size) |
| 3068 | 166 { |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
167 i_assert(request->state == AUTH_REQUEST_STATE_NEW); |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
168 |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
169 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE; |
| 3071 | 170 request->mech->auth_initial(request, data, data_size); |
| 3068 | 171 } |
| 172 | |
| 173 void auth_request_continue(struct auth_request *request, | |
| 3071 | 174 const unsigned char *data, size_t data_size) |
| 3068 | 175 { |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
176 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
177 |
| 3071 | 178 request->mech->auth_continue(request, data, data_size); |
| 3068 | 179 } |
| 180 | |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
181 static void auth_request_save_cache(struct auth_request *request, |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
182 enum passdb_result result) |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
183 { |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
184 struct passdb_module *passdb = request->passdb->passdb; |
| 3520 | 185 const char *extra_fields; |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
186 string_t *str; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
187 |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
188 switch (result) { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
189 case PASSDB_RESULT_USER_UNKNOWN: |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
190 case PASSDB_RESULT_PASSWORD_MISMATCH: |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
191 case PASSDB_RESULT_OK: |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
192 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE: |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
193 /* can be cached */ |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
194 break; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
195 case PASSDB_RESULT_USER_DISABLED: |
|
4374
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
196 case PASSDB_RESULT_PASS_EXPIRED: |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
197 /* FIXME: we can't cache this now, or cache lookup would |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
198 return success. */ |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
199 return; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
200 case PASSDB_RESULT_INTERNAL_FAILURE: |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
201 i_unreached(); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
202 } |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
203 |
| 3520 | 204 extra_fields = request->extra_fields == NULL ? NULL : |
| 205 auth_stream_reply_export(request->extra_fields); | |
| 206 i_assert(extra_fields == NULL || | |
| 207 (strstr(extra_fields, "\tpass=") == NULL && | |
| 208 strncmp(extra_fields, "pass=", 5) != 0)); | |
|
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3431
diff
changeset
|
209 |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
210 if (passdb_cache == NULL) |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
211 return; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
212 |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
213 if (passdb->cache_key == NULL) |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
214 return; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
215 |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
216 if (result < 0) { |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
217 /* lookup failed. */ |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
218 if (result == PASSDB_RESULT_USER_UNKNOWN) { |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
219 auth_cache_insert(passdb_cache, request, |
|
4658
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
220 passdb->cache_key, "", FALSE); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
221 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
222 return; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
223 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
224 |
|
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
225 if (!request->no_password && request->passdb_password == NULL) { |
|
3656
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
226 /* passdb didn't provide the correct password */ |
|
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
227 if (result != PASSDB_RESULT_OK || |
|
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
228 request->mech_password == NULL) |
|
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
229 return; |
|
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
230 |
|
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
231 /* we can still cache valid password lookups though. |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
232 strdup() it so that mech_password doesn't get |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
233 cleared too early. */ |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
234 request->passdb_password = |
|
5039
953f02db95dc
auth cache: If passdb didn't provide the password, we used the user-given
Timo Sirainen <tss@iki.fi>
parents:
5036
diff
changeset
|
235 p_strconcat(request->pool, "{plain}", |
|
953f02db95dc
auth cache: If passdb didn't provide the password, we used the user-given
Timo Sirainen <tss@iki.fi>
parents:
5036
diff
changeset
|
236 request->mech_password, NULL); |
|
3645
81180ca12997
We were caching failed blocking requests wrong.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
237 } |
|
81180ca12997
We were caching failed blocking requests wrong.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
238 |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
239 /* save all except the currently given password in cache */ |
| 3520 | 240 str = t_str_new(256); |
|
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
241 if (request->passdb_password != NULL) { |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
242 if (*request->passdb_password != '{') { |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
243 /* cached passwords must have a known scheme */ |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
244 str_append_c(str, '{'); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
245 str_append(str, passdb->default_pass_scheme); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
246 str_append_c(str, '}'); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
247 } |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
248 if (strchr(request->passdb_password, '\t') != NULL) |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
249 i_panic("%s: Password contains TAB", request->user); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
250 if (strchr(request->passdb_password, '\n') != NULL) |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
251 i_panic("%s: Password contains LF", request->user); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
252 str_append(str, request->passdb_password); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
253 } |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
254 |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
255 if (extra_fields != NULL && *extra_fields != '\0') { |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
256 str_append_c(str, '\t'); |
| 3520 | 257 str_append(str, extra_fields); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
258 } |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
259 if (request->extra_cache_fields != NULL) { |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
260 extra_fields = |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
261 auth_stream_reply_export(request->extra_cache_fields); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
262 if (*extra_fields != '\0') { |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
263 str_append_c(str, '\t'); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
264 str_append(str, extra_fields); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
265 } |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
266 } |
|
4658
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
267 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str), |
|
3b49b9ec87dc
auth_cache: Try to handle changing passwords automatically: If password
Timo Sirainen <tss@iki.fi>
parents:
4575
diff
changeset
|
268 result == PASSDB_RESULT_OK); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
269 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
270 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
271 static bool auth_request_master_lookup_finish(struct auth_request *request) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
272 { |
|
4534
dee19849654b
If master login failed because of non-password failure (eg. allow_nets)
Timo Sirainen <tss@iki.fi>
parents:
4533
diff
changeset
|
273 if (request->passdb_failure) |
|
dee19849654b
If master login failed because of non-password failure (eg. allow_nets)
Timo Sirainen <tss@iki.fi>
parents:
4533
diff
changeset
|
274 return TRUE; |
|
dee19849654b
If master login failed because of non-password failure (eg. allow_nets)
Timo Sirainen <tss@iki.fi>
parents:
4533
diff
changeset
|
275 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
276 /* master login successful. update user and master_user variables. */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
277 auth_request_log_info(request, "passdb", "Master user logging in as %s", |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
278 request->requested_login_user); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
279 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
280 request->master_user = request->user; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
281 request->user = request->requested_login_user; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
282 request->requested_login_user = NULL; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
283 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
284 request->skip_password_check = TRUE; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
285 request->passdb_password = NULL; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
286 |
|
4104
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
287 if (!request->passdb->pass) { |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
288 /* skip the passdb lookup, we're authenticated now. */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
289 return TRUE; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
290 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
291 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
292 /* the authentication continues with passdb lookup for the |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
293 requested_login_user. */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
294 request->passdb = request->auth->passdbs; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
295 return FALSE; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
296 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
297 |
|
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
298 static bool |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
299 auth_request_handle_passdb_callback(enum passdb_result *result, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
300 struct auth_request *request) |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
301 { |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
302 if (request->passdb_password != NULL) { |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
303 safe_memset(request->passdb_password, 0, |
|
3167
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
304 strlen(request->passdb_password)); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
305 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
306 |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
307 if (request->passdb->deny && *result != PASSDB_RESULT_USER_UNKNOWN) { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
308 /* deny passdb. we can get through this step only if the |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
309 lookup returned that user doesn't exist in it. internal |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
310 errors are fatal here. */ |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
311 if (*result != PASSDB_RESULT_INTERNAL_FAILURE) { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
312 auth_request_log_info(request, "passdb", |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
313 "User found from deny passdb"); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
314 *result = PASSDB_RESULT_USER_DISABLED; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
315 } |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
316 } else if (*result == PASSDB_RESULT_OK) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
317 /* success */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
318 if (request->requested_login_user != NULL) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
319 /* this was a master user lookup. */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
320 if (!auth_request_master_lookup_finish(request)) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
321 return FALSE; |
|
4104
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
322 } else { |
|
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
323 if (request->passdb->pass) { |
|
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
324 /* this wasn't the final passdb lookup, |
|
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
325 continue to next passdb */ |
|
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
326 request->passdb = request->passdb->next; |
|
4402
8846e6be0e02
If multiple passdbs were configured and we tried to authenticate as user
Timo Sirainen <tss@iki.fi>
parents:
4374
diff
changeset
|
327 request->passdb_password = NULL; |
|
4104
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
328 return FALSE; |
|
77e10f1d2cb2
Removed master_no_passdb setting. Added pass setting which can be used to do
Timo Sirainen <tss@iki.fi>
parents:
4078
diff
changeset
|
329 } |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
330 } |
|
4374
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
331 } else if (*result == PASSDB_RESULT_PASS_EXPIRED) { |
|
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
332 if (request->extra_fields == NULL) |
|
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
333 request->extra_fields = auth_stream_reply_init(request); |
|
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
334 auth_stream_reply_add(request->extra_fields, "reason", |
|
96fd7a3f9bfe
If password is expired, give "Password expired" error. Currently works only
Timo Sirainen <tss@iki.fi>
parents:
4295
diff
changeset
|
335 "Password expired"); |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
336 } else if (request->passdb->next != NULL && |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
337 *result != PASSDB_RESULT_USER_DISABLED) { |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
338 /* try next passdb. */ |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
339 request->passdb = request->passdb->next; |
|
4402
8846e6be0e02
If multiple passdbs were configured and we tried to authenticate as user
Timo Sirainen <tss@iki.fi>
parents:
4374
diff
changeset
|
340 request->passdb_password = NULL; |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
341 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
342 if (*result == PASSDB_RESULT_INTERNAL_FAILURE) { |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
343 /* remember that we have had an internal failure. at |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
344 the end return internal failure if we couldn't |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
345 successfully login. */ |
|
3606
8a8352cda514
If passdb lookup fails with internal error, try other passdbs anyway before
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
346 request->passdb_internal_failure = TRUE; |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
347 } |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
348 if (request->extra_fields != NULL) |
| 3520 | 349 auth_stream_reply_reset(request->extra_fields); |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
350 |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
351 return FALSE; |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
352 } else if (request->passdb_internal_failure) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
353 /* last passdb lookup returned internal failure. it may have |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
354 had the correct password, so return internal failure |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
355 instead of plain failure. */ |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
356 *result = PASSDB_RESULT_INTERNAL_FAILURE; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
357 } |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
358 |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
359 return TRUE; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
360 } |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
361 |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
362 static void |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
363 auth_request_verify_plain_callback_finish(enum passdb_result result, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
364 struct auth_request *request) |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
365 { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
366 if (!auth_request_handle_passdb_callback(&result, request)) { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
367 /* try next passdb */ |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
368 auth_request_verify_plain(request, request->mech_password, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
369 request->private_callback.verify_plain); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
370 } else { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
371 auth_request_ref(request); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
372 request->private_callback.verify_plain(result, request); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
373 safe_memset(request->mech_password, 0, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
374 strlen(request->mech_password)); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
375 auth_request_unref(&request); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
376 } |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
377 } |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
378 |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
379 void auth_request_verify_plain_callback(enum passdb_result result, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
380 struct auth_request *request) |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
381 { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
382 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
383 |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
384 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
385 |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
386 if (result != PASSDB_RESULT_INTERNAL_FAILURE) |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
387 auth_request_save_cache(request, result); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
388 else { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
389 /* lookup failed. if we're looking here only because the |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
390 request was expired in cache, fallback to using cached |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
391 expired record. */ |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
392 const char *cache_key = request->passdb->passdb->cache_key; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
393 |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
394 if (passdb_cache_verify_plain(request, cache_key, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
395 request->mech_password, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
396 &result, TRUE)) { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
397 auth_request_log_info(request, "passdb", |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
398 "Fallbacking to expired data from cache"); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
399 } |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
400 } |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
401 |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
402 auth_request_verify_plain_callback_finish(result, request); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
403 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
404 |
| 3068 | 405 void auth_request_verify_plain(struct auth_request *request, |
| 406 const char *password, | |
| 407 verify_plain_callback_t *callback) | |
| 408 { | |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
409 struct passdb_module *passdb; |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
410 enum passdb_result result; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
411 const char *cache_key; |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
412 |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
413 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
414 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
415 if (request->passdb == NULL) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
416 /* no masterdbs, master logins not supported */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
417 i_assert(request->requested_login_user != NULL); |
|
4139
68c2ad5e4f85
Master login attempts weren't logged if no master passdbs were defined.
Timo Sirainen <tss@iki.fi>
parents:
4136
diff
changeset
|
418 auth_request_log_info(request, "passdb", |
|
68c2ad5e4f85
Master login attempts weren't logged if no master passdbs were defined.
Timo Sirainen <tss@iki.fi>
parents:
4136
diff
changeset
|
419 "Attempted master login with no master passdbs"); |
|
68c2ad5e4f85
Master login attempts weren't logged if no master passdbs were defined.
Timo Sirainen <tss@iki.fi>
parents:
4136
diff
changeset
|
420 callback(PASSDB_RESULT_USER_UNKNOWN, request); |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
421 return; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
422 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
423 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
424 passdb = request->passdb->passdb; |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
425 if (request->mech_password == NULL) |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
426 request->mech_password = p_strdup(request->pool, password); |
|
3656
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
427 else |
|
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3655
diff
changeset
|
428 i_assert(request->mech_password == password); |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
429 request->private_callback.verify_plain = callback; |
|
3164
da9e4ffef09f
Last changes broke proxying when user was in auth cache.
Timo Sirainen <tss@iki.fi>
parents:
3161
diff
changeset
|
430 |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
431 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key; |
|
3728
64ed35c97678
Don't crash if cache key isn't set but cache is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3695
diff
changeset
|
432 if (passdb_cache_verify_plain(request, cache_key, password, |
|
64ed35c97678
Don't crash if cache key isn't set but cache is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3695
diff
changeset
|
433 &result, FALSE)) { |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
434 auth_request_verify_plain_callback_finish(result, request); |
|
3728
64ed35c97678
Don't crash if cache key isn't set but cache is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3695
diff
changeset
|
435 return; |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
436 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
437 |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
438 request->state = AUTH_REQUEST_STATE_PASSDB; |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
439 request->credentials = -1; |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
440 |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
441 if (passdb->blocking) |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
442 passdb_blocking_verify_plain(request); |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
443 else { |
|
3771
4b6d962485b9
Added authentication bind support. Patch by J.M. Maurer.
Timo Sirainen <tss@iki.fi>
parents:
3728
diff
changeset
|
444 passdb->iface.verify_plain(request, password, |
|
4b6d962485b9
Added authentication bind support. Patch by J.M. Maurer.
Timo Sirainen <tss@iki.fi>
parents:
3728
diff
changeset
|
445 auth_request_verify_plain_callback); |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
446 } |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
447 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
448 |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
449 static void |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
450 auth_request_lookup_credentials_callback_finish(enum passdb_result result, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
451 const char *password, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
452 struct auth_request *request) |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
453 { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
454 if (!auth_request_handle_passdb_callback(&result, request)) { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
455 /* try next passdb */ |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
456 auth_request_lookup_credentials(request, request->credentials, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
457 request->private_callback.lookup_credentials); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
458 } else { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
459 if (request->auth->verbose_debug_passwords && |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
460 result == PASSDB_RESULT_OK) { |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
461 auth_request_log_debug(request, "password", |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
462 "Credentials: %s", password); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
463 } |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
464 request->private_callback. |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
465 lookup_credentials(result, password, request); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
466 } |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
467 } |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
468 |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
469 void auth_request_lookup_credentials_callback(enum passdb_result result, |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
470 const char *password, |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
471 struct auth_request *request) |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
472 { |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
473 const char *scheme; |
|
3167
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
474 |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
475 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB); |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
476 |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
477 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE; |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
478 |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
479 if (result != PASSDB_RESULT_INTERNAL_FAILURE) |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
480 auth_request_save_cache(request, result); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
481 else { |
|
3167
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
482 /* lookup failed. if we're looking here only because the |
|
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
483 request was expired in cache, fallback to using cached |
|
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
484 expired record. */ |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
485 const char *cache_key = request->passdb->passdb->cache_key; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
486 |
|
3167
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
487 if (passdb_cache_lookup_credentials(request, cache_key, |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
488 &password, &scheme, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
489 &result, TRUE)) { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
490 auth_request_log_info(request, "passdb", |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
491 "Fallbacking to expired data from cache"); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
492 password = result != PASSDB_RESULT_OK ? NULL : |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
493 passdb_get_credentials(request, password, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
494 scheme); |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
495 if (password == NULL && result == PASSDB_RESULT_OK) |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
496 result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE; |
|
3167
97f53e0cce63
Fallback to using expired records from auth cache if database lookups fail.
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
497 } |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
498 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
499 |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
500 auth_request_lookup_credentials_callback_finish(result, password, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
501 request); |
| 3068 | 502 } |
| 503 | |
| 504 void auth_request_lookup_credentials(struct auth_request *request, | |
| 505 enum passdb_credentials credentials, | |
| 506 lookup_credentials_callback_t *callback) | |
| 507 { | |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
508 struct passdb_module *passdb = request->passdb->passdb; |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
509 const char *cache_key, *password, *scheme; |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
510 enum passdb_result result; |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
511 |
|
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
512 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
513 |
|
3682
0207808033ad
Non-plaintext authentication and passdb cache didn't work together. Patch by
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
514 request->credentials = credentials; |
|
0207808033ad
Non-plaintext authentication and passdb cache didn't work together. Patch by
Timo Sirainen <tss@iki.fi>
parents:
3669
diff
changeset
|
515 |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
516 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
517 if (cache_key != NULL) { |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
518 if (passdb_cache_lookup_credentials(request, cache_key, |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
519 &password, &scheme, |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
520 &result, FALSE)) { |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
521 password = result != PASSDB_RESULT_OK ? NULL : |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
522 passdb_get_credentials(request, password, |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
523 scheme); |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
524 auth_request_lookup_credentials_callback_finish( |
|
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
525 result, password, request); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
526 return; |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
527 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
528 } |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
529 |
|
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3167
diff
changeset
|
530 request->state = AUTH_REQUEST_STATE_PASSDB; |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
531 request->private_callback.lookup_credentials = callback; |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
532 |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
533 if (passdb->blocking) |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
534 passdb_blocking_lookup_credentials(request); |
|
3771
4b6d962485b9
Added authentication bind support. Patch by J.M. Maurer.
Timo Sirainen <tss@iki.fi>
parents:
3728
diff
changeset
|
535 else if (passdb->iface.lookup_credentials != NULL) { |
|
4b6d962485b9
Added authentication bind support. Patch by J.M. Maurer.
Timo Sirainen <tss@iki.fi>
parents:
3728
diff
changeset
|
536 passdb->iface.lookup_credentials(request, |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
537 auth_request_lookup_credentials_callback); |
|
3655
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
538 } else { |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
539 /* this passdb doesn't support credentials */ |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
540 auth_request_lookup_credentials_callback( |
|
62fc6883faeb
Fixes and cleanups to credentials handling. Also fixed auth caching to work
Timo Sirainen <tss@iki.fi>
parents:
3645
diff
changeset
|
541 PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, request); |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
542 } |
| 3068 | 543 } |
| 544 | |
|
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
545 void auth_request_set_credentials(struct auth_request *request, |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
546 enum passdb_credentials credentials, |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
547 const char *data, |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
548 set_credentials_callback_t *callback) |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
549 { |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
550 struct passdb_module *passdb = request->passdb->passdb; |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
551 const char *cache_key, *new_credentials; |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
552 |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
553 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key; |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
554 if (cache_key != NULL) |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
555 auth_cache_remove(passdb_cache, request, cache_key); |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
556 |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
557 request->private_callback.set_credentials = callback; |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
558 |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
559 new_credentials = t_strconcat("{", |
|
4914
25597644067a
Changed the default naming for password schemes: HMAC-MD5 -> CRAM-MD5. MD5
Timo Sirainen <tss@iki.fi>
parents:
4880
diff
changeset
|
560 passdb_credentials_to_str(credentials, ""), "}", data, NULL); |
|
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
561 |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
562 if (passdb->blocking) |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
563 passdb_blocking_set_credentials(request, new_credentials); |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
564 else if (passdb->iface.set_credentials != NULL) { |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
565 passdb->iface.set_credentials(request, new_credentials, |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
566 callback); |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
567 } else { |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
568 /* this passdb doesn't support credentials update */ |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
569 callback(PASSDB_RESULT_INTERNAL_FAILURE, request); |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
570 } |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
571 } |
|
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4756
diff
changeset
|
572 |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
573 static void auth_request_userdb_save_cache(struct auth_request *request, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
574 struct auth_stream_reply *reply, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
575 enum userdb_result result) |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
576 { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
577 struct userdb_module *userdb = request->userdb->userdb; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
578 const char *str; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
579 |
|
4983
8089e7461519
We crashed if auth cache was disabled. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
580 if (passdb_cache == NULL || userdb->cache_key == NULL) |
|
8089e7461519
We crashed if auth cache was disabled. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
581 return; |
|
8089e7461519
We crashed if auth cache was disabled. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents:
4955
diff
changeset
|
582 |
|
5069
005ad2165d08
If auth_cache was enabled and userdb returned "user unknown" (typically only
Timo Sirainen <tss@iki.fi>
parents:
5039
diff
changeset
|
583 str = result == USERDB_RESULT_USER_UNKNOWN ? "" : |
|
005ad2165d08
If auth_cache was enabled and userdb returned "user unknown" (typically only
Timo Sirainen <tss@iki.fi>
parents:
5039
diff
changeset
|
584 auth_stream_reply_export(reply); |
|
005ad2165d08
If auth_cache was enabled and userdb returned "user unknown" (typically only
Timo Sirainen <tss@iki.fi>
parents:
5039
diff
changeset
|
585 /* last_success has no meaning with userdb */ |
|
005ad2165d08
If auth_cache was enabled and userdb returned "user unknown" (typically only
Timo Sirainen <tss@iki.fi>
parents:
5039
diff
changeset
|
586 auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE); |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
587 } |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
588 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
589 static bool auth_request_lookup_user_cache(struct auth_request *request, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
590 const char *key, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
591 struct auth_stream_reply **reply_r, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
592 enum userdb_result *result_r, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
593 bool use_expired) |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
594 { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
595 const char *value; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
596 struct auth_cache_node *node; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
597 bool expired; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
598 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
599 value = auth_cache_lookup(passdb_cache, request, key, &node, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
600 &expired); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
601 if (value == NULL || (expired && !use_expired)) |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
602 return FALSE; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
603 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
604 if (*value == '\0') { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
605 /* negative cache entry */ |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
606 *result_r = PASSDB_RESULT_USER_UNKNOWN; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
607 *reply_r = auth_stream_reply_init(request); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
608 return TRUE; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
609 } |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
610 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
611 *result_r = PASSDB_RESULT_OK; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
612 *reply_r = auth_stream_reply_init(request); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
613 auth_stream_reply_import(*reply_r, value); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
614 return TRUE; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
615 } |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
616 |
|
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
617 void auth_request_userdb_callback(enum userdb_result result, |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
618 struct auth_stream_reply *reply, |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
619 struct auth_request *request) |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
620 { |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
621 struct userdb_module *userdb = request->userdb->userdb; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
622 |
|
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
623 if (result != USERDB_RESULT_OK && request->userdb->next != NULL) { |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
624 /* try next userdb. */ |
|
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
625 if (result == USERDB_RESULT_INTERNAL_FAILURE) |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
626 request->userdb_internal_failure = TRUE; |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
627 |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
628 request->userdb = request->userdb->next; |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
629 auth_request_lookup_user(request, |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
630 request->private_callback.userdb); |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
631 return; |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
632 } |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
633 |
|
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
634 if (request->userdb_internal_failure && result != USERDB_RESULT_OK) { |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
635 /* one of the userdb lookups failed. the user might have been |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
636 in there, so this is an internal failure */ |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
637 result = USERDB_RESULT_INTERNAL_FAILURE; |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
638 } else if (result == USERDB_RESULT_USER_UNKNOWN && |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
639 request->client_pid != 0) { |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
640 /* this was an actual login attempt, the user should |
|
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
641 have been found. */ |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
642 auth_request_log_error(request, "userdb", |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
643 "user not found from userdb"); |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
644 } |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
645 |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
646 if (result != PASSDB_RESULT_INTERNAL_FAILURE) |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
647 auth_request_userdb_save_cache(request, reply, result); |
|
5036
df93cf66022a
If request fails with internal failure, don't crash if auth cache is
Timo Sirainen <tss@iki.fi>
parents:
4983
diff
changeset
|
648 else if (passdb_cache != NULL && userdb->cache_key != NULL) { |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
649 /* lookup failed. if we're looking here only because the |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
650 request was expired in cache, fallback to using cached |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
651 expired record. */ |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
652 const char *cache_key = userdb->cache_key; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
653 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
654 if (auth_request_lookup_user_cache(request, cache_key, &reply, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
655 &result, TRUE)) |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
656 auth_request_log_info(request, "userdb", |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
657 "Fallbacking to expired data from cache"); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
658 } |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
659 |
|
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4872
diff
changeset
|
660 request->private_callback.userdb(result, reply, request); |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
661 } |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
662 |
| 3068 | 663 void auth_request_lookup_user(struct auth_request *request, |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
664 userdb_callback_t *callback) |
| 3068 | 665 { |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
666 struct userdb_module *userdb = request->userdb->userdb; |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
667 const char *cache_key; |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
668 |
|
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
669 request->private_callback.userdb = callback; |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
670 request->userdb_lookup = TRUE; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
671 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
672 /* (for now) auth_cache is shared between passdb and userdb */ |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
673 cache_key = passdb_cache == NULL ? NULL : userdb->cache_key; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
674 if (cache_key != NULL) { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
675 struct auth_stream_reply *reply; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
676 enum userdb_result result; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
677 |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
678 if (auth_request_lookup_user_cache(request, cache_key, &reply, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
679 &result, FALSE)) { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
680 request->private_callback.userdb(result, reply, |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
681 request); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
682 return; |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
683 } |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
684 } |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
685 |
|
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
686 if (userdb->blocking) |
|
3183
16ea551957ed
Replaced userdb/passdb settings with blocks so it's possible to give
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
687 userdb_blocking_lookup(request); |
|
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3164
diff
changeset
|
688 else |
|
3658
fc4622b1c1ef
Separated userdb_module's interface and the actual data struct.
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
689 userdb->iface->lookup(request, auth_request_userdb_callback); |
| 3068 | 690 } |
| 691 | |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
692 static char * |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
693 auth_request_fix_username(struct auth_request *request, const char *username, |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
694 const char **error_r) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
695 { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
696 unsigned char *p; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
697 char *user; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
698 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
699 if (strchr(username, '@') == NULL && |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
700 request->auth->default_realm != NULL) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
701 user = p_strconcat(request->pool, username, "@", |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
702 request->auth->default_realm, NULL); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
703 } else { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
704 user = p_strdup(request->pool, username); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
705 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
706 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
707 for (p = (unsigned char *)user; *p != '\0'; p++) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
708 if (request->auth->username_translation[*p & 0xff] != 0) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
709 *p = request->auth->username_translation[*p & 0xff]; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
710 if (request->auth->username_chars[*p & 0xff] == 0) { |
|
4834
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
711 *error_r = t_strdup_printf( |
|
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
712 "Username contains disallowed character: " |
|
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
713 "0x%02x", *p); |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
714 return NULL; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
715 } |
|
4168
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
716 } |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
717 |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
718 if (request->auth->username_format != NULL) { |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
719 /* username format given, put it through variable expansion. |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
720 we'll have to temporarily replace request->user to get |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
721 %u to be the wanted username */ |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
722 const struct var_expand_table *table; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
723 char *old_username; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
724 string_t *dest; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
725 |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
726 old_username = request->user; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
727 request->user = user; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
728 |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
729 t_push(); |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
730 dest = t_str_new(256); |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
731 table = auth_request_get_var_expand_table(request, |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
732 auth_request_str_escape); |
|
4168
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
733 var_expand(dest, request->auth->username_format, table); |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
734 user = p_strdup(request->pool, str_c(dest)); |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
735 t_pop(); |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
736 |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
737 request->user = old_username; |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
738 } |
|
3f27bf7832a2
Added auth_username_format setting.
Timo Sirainen <tss@iki.fi>
parents:
4164
diff
changeset
|
739 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
740 return user; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
741 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
742 |
|
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
743 bool auth_request_set_username(struct auth_request *request, |
|
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3771
diff
changeset
|
744 const char *username, const char **error_r) |
|
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
745 { |
|
4164
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
746 const char *p, *login_username = NULL; |
|
4108
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
747 |
|
4054
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4042
diff
changeset
|
748 if (request->original_username == NULL) { |
|
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4042
diff
changeset
|
749 /* the username may change later, but we need to use this |
|
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4042
diff
changeset
|
750 username when verifying at least DIGEST-MD5 password */ |
|
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4042
diff
changeset
|
751 request->original_username = p_strdup(request->pool, username); |
|
f83d7d14b999
Digest-MD5 logins didn't work if passdb changed username.
Timo Sirainen <tss@iki.fi>
parents:
4042
diff
changeset
|
752 } |
|
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
753 if (request->cert_username) { |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
754 /* cert_username overrides the username given by |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
755 authentication mechanism. */ |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
756 return TRUE; |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
757 } |
|
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3609
diff
changeset
|
758 |
|
4108
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
759 if (request->auth->master_user_separator != '\0') { |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
760 /* check if the username contains a master user */ |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
761 p = strchr(username, request->auth->master_user_separator); |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
762 if (p != NULL) { |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
763 /* it does, set it. */ |
|
4140
52a2e6f35acf
The login and master usernames were reversed when using
Timo Sirainen <tss@iki.fi>
parents:
4139
diff
changeset
|
764 login_username = t_strdup_until(username, p); |
|
52a2e6f35acf
The login and master usernames were reversed when using
Timo Sirainen <tss@iki.fi>
parents:
4139
diff
changeset
|
765 |
|
52a2e6f35acf
The login and master usernames were reversed when using
Timo Sirainen <tss@iki.fi>
parents:
4139
diff
changeset
|
766 /* username is the master user */ |
|
52a2e6f35acf
The login and master usernames were reversed when using
Timo Sirainen <tss@iki.fi>
parents:
4139
diff
changeset
|
767 username = p + 1; |
|
4108
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
768 } |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
769 } |
|
e1774d677536
Added auth_master_user_separator setting which allows giving the master username inside the normal username.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4104
diff
changeset
|
770 |
|
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
771 if (*username == '\0') { |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
772 /* Some PAM plugins go nuts with empty usernames */ |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
773 *error_r = "Empty username"; |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
774 return FALSE; |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
775 } |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
776 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
777 request->user = auth_request_fix_username(request, username, error_r); |
|
4834
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
778 if (request->user == NULL) { |
|
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
779 auth_request_log_debug(request, "auth", |
|
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
780 "Invalid username: %s", str_sanitize(username, 128)); |
|
4164
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
781 return FALSE; |
|
4834
679c9326741c
When invalid character is found from username, say what character it is in
Timo Sirainen <tss@iki.fi>
parents:
4825
diff
changeset
|
782 } |
|
4164
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
783 |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
784 if (login_username != NULL) { |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
785 if (!auth_request_set_login_username(request, |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
786 login_username, |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
787 error_r)) |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
788 return FALSE; |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
789 } |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
790 return TRUE; |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
791 } |
|
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
792 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
793 bool auth_request_set_login_username(struct auth_request *request, |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
794 const char *username, |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
795 const char **error_r) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
796 { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
797 i_assert(*username != '\0'); |
|
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
798 |
|
4164
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
799 if (strcmp(username, request->user) == 0) { |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
800 /* The usernames are the same, we don't really wish to log |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
801 in as someone else */ |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
802 return TRUE; |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
803 } |
|
d38dd6312be1
Master login fixes, PLAIN authentication was still broken..
Timo Sirainen <tss@iki.fi>
parents:
4146
diff
changeset
|
804 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
805 /* lookup request->user from masterdb first */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
806 request->passdb = request->auth->masterdbs; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
807 |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
808 request->requested_login_user = |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
809 auth_request_fix_username(request, username, error_r); |
|
4136
f7731e6eec7e
If master login username is the same as the normal username, we don't want
Timo Sirainen <tss@iki.fi>
parents:
4108
diff
changeset
|
810 return request->requested_login_user != NULL; |
|
3065
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
811 } |
|
29d83a8bb50d
Reorganized the code to have less global/static variables.
Timo Sirainen <tss@iki.fi>
parents:
3064
diff
changeset
|
812 |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
813 static int is_ip_in_network(const char *network, const struct ip_addr *ip) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
814 { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
815 const uint32_t *ip1, *ip2; |
|
4685
dc5875c28aac
When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual
Timo Sirainen <tss@iki.fi>
parents:
4658
diff
changeset
|
816 struct ip_addr src_ip, net_ip; |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
817 const char *p; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
818 unsigned int max_bits, bits, pos, i; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
819 uint32_t mask; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
820 |
|
4685
dc5875c28aac
When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual
Timo Sirainen <tss@iki.fi>
parents:
4658
diff
changeset
|
821 if (net_ipv6_mapped_ipv4_convert(ip, &src_ip) == 0) |
|
dc5875c28aac
When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual
Timo Sirainen <tss@iki.fi>
parents:
4658
diff
changeset
|
822 ip = &src_ip; |
|
dc5875c28aac
When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual
Timo Sirainen <tss@iki.fi>
parents:
4658
diff
changeset
|
823 |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
824 max_bits = IPADDR_IS_V4(ip) ? 32 : 128; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
825 p = strchr(network, '/'); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
826 if (p == NULL) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
827 /* full IP address must match */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
828 bits = max_bits; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
829 } else { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
830 /* get the network mask */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
831 network = t_strdup_until(network, p); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
832 bits = strtoul(p+1, NULL, 10); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
833 if (bits > max_bits) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
834 bits = max_bits; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
835 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
836 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
837 if (net_addr2ip(network, &net_ip) < 0) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
838 return -1; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
839 |
|
4533
92199dcb4018
If we logged in with IPv6 address and allow_nets contained IPv4 address, we
Timo Sirainen <tss@iki.fi>
parents:
4420
diff
changeset
|
840 if (IPADDR_IS_V4(ip) != IPADDR_IS_V4(&net_ip)) { |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
841 /* one is IPv6 and one is IPv4 */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
842 return 0; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
843 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
844 i_assert(IPADDR_IS_V6(ip) == IPADDR_IS_V6(&net_ip)); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
845 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
846 ip1 = (const uint32_t *)&ip->ip; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
847 ip2 = (const uint32_t *)&net_ip.ip; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
848 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
849 /* check first the full 32bit ints */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
850 for (pos = 0, i = 0; pos + 32 <= bits; pos += 32, i++) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
851 if (ip1[i] != ip2[i]) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
852 return 0; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
853 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
854 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
855 /* check the last full bytes */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
856 for (mask = 0xff; pos + 8 <= bits; pos += 8, mask <<= 8) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
857 if ((ip1[i] & mask) != (ip2[i] & mask)) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
858 return 0; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
859 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
860 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
861 /* check the last bits, they're reversed in bytes */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
862 bits -= pos; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
863 for (mask = 0x80 << (pos % 32); bits > 0; bits--, mask >>= 1) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
864 if ((ip1[i] & mask) != (ip2[i] & mask)) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
865 return 0; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
866 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
867 return 1; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
868 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
869 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
870 static void auth_request_validate_networks(struct auth_request *request, |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
871 const char *networks) |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
872 { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
873 const char *const *net; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
874 bool found = FALSE; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
875 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
876 if (request->remote_ip.family == 0) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
877 /* IP not known */ |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
878 auth_request_log_info(request, "passdb", |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
879 "allow_nets check failed: Remote IP not known"); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
880 request->passdb_failure = TRUE; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
881 return; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
882 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
883 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
884 t_push(); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
885 for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) { |
|
4420
1174e508593d
auth_debug: If allow_nets is given, print debug messages when matching
Timo Sirainen <tss@iki.fi>
parents:
4402
diff
changeset
|
886 auth_request_log_debug(request, "auth", |
|
1174e508593d
auth_debug: If allow_nets is given, print debug messages when matching
Timo Sirainen <tss@iki.fi>
parents:
4402
diff
changeset
|
887 "allow_nets: Matching for network %s", *net); |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
888 switch (is_ip_in_network(*net, &request->remote_ip)) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
889 case 1: |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
890 found = TRUE; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
891 break; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
892 case -1: |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
893 auth_request_log_info(request, "passdb", |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
894 "allow_nets: Invalid network '%s'", *net); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
895 break; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
896 default: |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
897 break; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
898 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
899 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
900 t_pop(); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
901 |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
902 if (!found) { |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
903 auth_request_log_info(request, "passdb", |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
904 "allow_nets check failed: IP not in allowed networks"); |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
905 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
906 request->passdb_failure = !found; |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
907 } |
|
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
908 |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
909 void auth_request_set_field(struct auth_request *request, |
|
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
910 const char *name, const char *value, |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
911 const char *default_scheme) |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
912 { |
|
4017
e2d267e6f930
Check that we don't pass around key=value pairs with empty keys.
Timo Sirainen <tss@iki.fi>
parents:
3918
diff
changeset
|
913 i_assert(*name != '\0'); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
914 i_assert(value != NULL); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
915 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
916 if (strcmp(name, "password") == 0) { |
|
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
917 if (request->passdb_password != NULL) { |
|
4042
dabe100f3c38
Multiple password database error prints now the passdb name that caused it.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4030
diff
changeset
|
918 auth_request_log_error(request, |
|
dabe100f3c38
Multiple password database error prints now the passdb name that caused it.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4030
diff
changeset
|
919 request->passdb->passdb->iface.name, |
|
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
920 "Multiple password values not supported"); |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
921 return; |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
922 } |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
923 |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
924 if (*value == '{') { |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
925 request->passdb_password = |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
926 p_strdup(request->pool, value); |
|
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
927 } else { |
|
3274
859c4ffd514e
Don't crash if cache is enabled and we're caching more than just
Timo Sirainen <tss@iki.fi>
parents:
3272
diff
changeset
|
928 i_assert(default_scheme != NULL); |
|
3272
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
929 request->passdb_password = |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
930 p_strdup_printf(request->pool, "{%s}%s", |
|
36db3285f4a7
Try to keep scheme always included in auth_request->passdb_password.
Timo Sirainen <tss@iki.fi>
parents:
3257
diff
changeset
|
931 default_scheme, value); |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
932 } |
|
3397
2db396230881
auth_request_set_field() shouldn't save password to extra_fields. Fixes a
Timo Sirainen <tss@iki.fi>
parents:
3386
diff
changeset
|
933 return; |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
934 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
935 |
|
3257
92c16e82b806
passdb can now change the username that was used to log in. This is mostly
Timo Sirainen <tss@iki.fi>
parents:
3192
diff
changeset
|
936 if (strcmp(name, "user") == 0) { |
|
92c16e82b806
passdb can now change the username that was used to log in. This is mostly
Timo Sirainen <tss@iki.fi>
parents:
3192
diff
changeset
|
937 /* update username to be exactly as it's in database */ |
|
3427
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
938 if (strcmp(request->user, value) != 0) { |
|
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
939 auth_request_log_debug(request, "auth", |
|
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
940 "username changed %s -> %s", |
|
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
941 request->user, value); |
|
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
942 request->user = p_strdup(request->pool, value); |
|
3f7575e43202
If username changes, log the change if debugging is enabled.
Timo Sirainen <tss@iki.fi>
parents:
3397
diff
changeset
|
943 } |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
944 } else if (strcmp(name, "nodelay") == 0) { |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
945 /* don't delay replying to client of the failure */ |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
946 request->no_failure_delay = TRUE; |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
947 } else if (strcmp(name, "nopassword") == 0) { |
|
3669
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
948 /* NULL password - anything goes */ |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
949 i_assert(request->passdb_password == NULL); |
|
09b5e002ad8a
If passdb returned NULL password (ie. no password needed), it wasn't cached
Timo Sirainen <tss@iki.fi>
parents:
3668
diff
changeset
|
950 request->no_password = TRUE; |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
951 } else if (strcmp(name, "allow_nets") == 0) { |
|
4078
265655f270df
Added "allow_nets" extra field. If set, the user can log in only from
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4054
diff
changeset
|
952 auth_request_validate_networks(request, value); |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
953 } else if (strcmp(name, "nologin") == 0) { |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
954 /* user can't actually login - don't keep this |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
955 reply for master */ |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
956 request->no_login = TRUE; |
|
3668
c9f1bd1e1ec2
nologin/proxy are now always in boolean format, ie. without any "=Y".
Timo Sirainen <tss@iki.fi>
parents:
3658
diff
changeset
|
957 value = NULL; |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
958 } else if (strcmp(name, "proxy") == 0) { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
959 /* we're proxying authentication for this user. send |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
960 password back if using plaintext authentication. */ |
|
3161
6a3254e3c3de
Moved cache handling from sql/ldap-specific code to generic auth-request
Timo Sirainen <tss@iki.fi>
parents:
3158
diff
changeset
|
961 request->proxy = TRUE; |
|
4756
28b76a225e54
If proxy is returned, set also no_login automatically, since it's always
Timo Sirainen <tss@iki.fi>
parents:
4689
diff
changeset
|
962 request->no_login = TRUE; |
|
3668
c9f1bd1e1ec2
nologin/proxy are now always in boolean format, ie. without any "=Y".
Timo Sirainen <tss@iki.fi>
parents:
3658
diff
changeset
|
963 value = NULL; |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
964 } else { |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
965 if (request->extra_fields == NULL) |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
966 request->extra_fields = auth_stream_reply_init(request); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
967 auth_stream_reply_add(request->extra_fields, name, value); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
968 return; |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
969 } |
| 3520 | 970 |
|
5129
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
971 if (passdb_cache != NULL && |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
972 request->passdb->passdb->cache_key != NULL) { |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
973 /* we'll need to get this field stored into cache */ |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
974 if (request->extra_cache_fields == NULL) { |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
975 request->extra_cache_fields = |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
976 auth_stream_reply_init(request); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
977 } |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
978 auth_stream_reply_add(request->extra_cache_fields, name, value); |
|
9b1a90eddfd0
Special extra_fields weren't saved to auth cache. This was especially
Timo Sirainen <tss@iki.fi>
parents:
5069
diff
changeset
|
979 } |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
980 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
981 |
|
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
982 int auth_request_password_verify(struct auth_request *request, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
983 const char *plain_password, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
984 const char *crypted_password, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
985 const char *scheme, const char *subsystem) |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
986 { |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
987 int ret; |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
988 |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
989 if (request->skip_password_check) { |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
990 /* currently this can happen only with master logins */ |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
991 i_assert(request->master_user != NULL); |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
992 return 1; |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
993 } |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
994 |
|
4689
80023f898ddd
Don't even try to verify password with deny=yes passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4686
diff
changeset
|
995 if (request->passdb->deny) { |
|
80023f898ddd
Don't even try to verify password with deny=yes passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4686
diff
changeset
|
996 /* this is a deny database, we don't care about the password */ |
|
80023f898ddd
Don't even try to verify password with deny=yes passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4686
diff
changeset
|
997 return 0; |
|
80023f898ddd
Don't even try to verify password with deny=yes passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4686
diff
changeset
|
998 } |
|
80023f898ddd
Don't even try to verify password with deny=yes passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4686
diff
changeset
|
999 |
|
4872
07bdc78ce38e
Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're
Timo Sirainen <tss@iki.fi>
parents:
4834
diff
changeset
|
1000 /* If original_username is set, use it. It may be important for some |
|
07bdc78ce38e
Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're
Timo Sirainen <tss@iki.fi>
parents:
4834
diff
changeset
|
1001 password schemes (eg. digest-md5). Otherwise the username is used |
|
07bdc78ce38e
Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're
Timo Sirainen <tss@iki.fi>
parents:
4834
diff
changeset
|
1002 only for logging purposes. */ |
|
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1003 ret = password_verify(plain_password, crypted_password, scheme, |
|
4872
07bdc78ce38e
Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're
Timo Sirainen <tss@iki.fi>
parents:
4834
diff
changeset
|
1004 request->original_username != NULL ? |
|
07bdc78ce38e
Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're
Timo Sirainen <tss@iki.fi>
parents:
4834
diff
changeset
|
1005 request->original_username : request->user); |
|
3918
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1006 if (ret < 0) { |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1007 auth_request_log_error(request, subsystem, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1008 "Unknown password scheme %s", scheme); |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1009 } else if (ret == 0) { |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1010 auth_request_log_info(request, subsystem, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1011 "Password mismatch"); |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1012 if (request->auth->verbose_debug_passwords) { |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1013 auth_request_log_debug(request, subsystem, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1014 "%s(%s) != '%s'", scheme, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1015 plain_password, |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1016 crypted_password); |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1017 } |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1018 } |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1019 return ret; |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1020 } |
|
40a461d554e6
Added auth_debug_passwords setting. If it's not enabled, hide all password
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
1021 |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1022 static const char * |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1023 escape_none(const char *string, |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1024 const struct auth_request *request __attr_unused__) |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1025 { |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1026 return string; |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1027 } |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1028 |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1029 const char * |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1030 auth_request_str_escape(const char *string, |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1031 const struct auth_request *request __attr_unused__) |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1032 { |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1033 return str_escape(string); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1034 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1035 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1036 const struct var_expand_table * |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1037 auth_request_get_var_expand_table(const struct auth_request *auth_request, |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1038 auth_request_escape_func_t *escape_func) |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1039 { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1040 static struct var_expand_table static_tab[] = { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1041 { 'u', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1042 { 'n', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1043 { 'd', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1044 { 's', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1045 { 'h', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1046 { 'l', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1047 { 'r', NULL }, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1048 { 'p', NULL }, |
| 3687 | 1049 { 'w', NULL }, |
|
4686
ba802ac3b743
auth cache didn't work properly with multiple passdbs.
Timo Sirainen <tss@iki.fi>
parents:
4685
diff
changeset
|
1050 { '!', NULL }, |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1051 { '\0', NULL } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1052 }; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1053 struct var_expand_table *tab; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1054 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1055 if (escape_func == NULL) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1056 escape_func = escape_none; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1057 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1058 tab = t_malloc(sizeof(static_tab)); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1059 memcpy(tab, static_tab, sizeof(static_tab)); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1060 |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1061 tab[0].value = escape_func(auth_request->user, auth_request); |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1062 tab[1].value = escape_func(t_strcut(auth_request->user, '@'), |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1063 auth_request); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1064 tab[2].value = strchr(auth_request->user, '@'); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1065 if (tab[2].value != NULL) |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1066 tab[2].value = escape_func(tab[2].value+1, auth_request); |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1067 tab[3].value = auth_request->service; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1068 /* tab[4] = we have no home dir */ |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1069 if (auth_request->local_ip.family != 0) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1070 tab[5].value = net_ip2addr(&auth_request->local_ip); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1071 if (auth_request->remote_ip.family != 0) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1072 tab[6].value = net_ip2addr(&auth_request->remote_ip); |
| 3074 | 1073 tab[7].value = dec2str(auth_request->client_pid); |
|
4295
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1074 if (auth_request->mech_password != NULL) { |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1075 tab[8].value = escape_func(auth_request->mech_password, |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1076 auth_request); |
|
4fc637010202
Escape SQL strings using sql_escape_string(). Fixes the problems with
Timo Sirainen <tss@iki.fi>
parents:
4168
diff
changeset
|
1077 } |
|
4955
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1078 if (auth_request->userdb_lookup) { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1079 tab[9].value = auth_request->userdb == NULL ? "" : |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1080 dec2str(auth_request->userdb->num); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1081 } else { |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1082 tab[9].value = auth_request->passdb == NULL ? "" : |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1083 dec2str(auth_request->passdb->id); |
|
f0cc5486696e
Authentication cache caches now also userdb data. Code by Tommi Saviranta.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4914
diff
changeset
|
1084 } |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1085 return tab; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1086 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1087 |
| 4825 | 1088 static const char * __attr_format__(3, 0) |
| 3069 | 1089 get_log_str(struct auth_request *auth_request, const char *subsystem, |
| 1090 const char *format, va_list va) | |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1091 { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1092 #define MAX_LOG_USERNAME_LEN 64 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1093 const char *ip; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1094 string_t *str; |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1095 |
| 3069 | 1096 str = t_str_new(128); |
| 1097 str_append(str, subsystem); | |
| 1098 str_append_c(str, '('); | |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1099 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1100 if (auth_request->user == NULL) |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1101 str_append(str, "?"); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1102 else { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1103 str_sanitize_append(str, auth_request->user, |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1104 MAX_LOG_USERNAME_LEN); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1105 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1106 |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1107 ip = net_ip2addr(&auth_request->remote_ip); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1108 if (ip != NULL) { |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1109 str_append_c(str, ','); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1110 str_append(str, ip); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1111 } |
|
4030
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
1112 if (auth_request->requested_login_user != NULL) |
|
faf83f3e19b5
Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string.
Timo Sirainen <timo.sirainen@movial.fi>
parents:
4017
diff
changeset
|
1113 str_append(str, ",master"); |
| 3069 | 1114 str_append(str, "): "); |
| 1115 str_vprintfa(str, format, va); | |
|
3064
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1116 return str_c(str); |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1117 } |
|
2d33734b16d5
Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1118 |
| 3069 | 1119 void auth_request_log_debug(struct auth_request *auth_request, |
| 1120 const char *subsystem, | |
| 1121 const char *format, ...) | |
| 1122 { | |
| 1123 va_list va; | |
| 1124 | |
| 1125 if (!auth_request->auth->verbose_debug) | |
| 1126 return; | |
| 1127 | |
| 1128 va_start(va, format); | |
| 1129 t_push(); | |
| 1130 i_info("%s", get_log_str(auth_request, subsystem, format, va)); | |
| 1131 t_pop(); | |
| 1132 va_end(va); | |
| 1133 } | |
| 1134 | |
| 1135 void auth_request_log_info(struct auth_request *auth_request, | |
| 1136 const char *subsystem, | |
| 1137 const char *format, ...) | |
| 1138 { | |
| 1139 va_list va; | |
| 1140 | |
| 1141 if (!auth_request->auth->verbose) | |
| 1142 return; | |
| 1143 | |
| 1144 va_start(va, format); | |
| 1145 t_push(); | |
| 1146 i_info("%s", get_log_str(auth_request, subsystem, format, va)); | |
| 1147 t_pop(); | |
| 1148 va_end(va); | |
| 1149 } | |
| 1150 | |
| 1151 void auth_request_log_error(struct auth_request *auth_request, | |
| 1152 const char *subsystem, | |
| 1153 const char *format, ...) | |
| 1154 { | |
| 1155 va_list va; | |
| 1156 | |
| 1157 va_start(va, format); | |
| 1158 t_push(); | |
|
3158
8849f2e380d1
userdb can now return extra parameters to master. Removed special handling
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
1159 i_error("%s", get_log_str(auth_request, subsystem, format, va)); |
| 3069 | 1160 t_pop(); |
| 1161 va_end(va); | |
| 1162 } |