annotate src/auth/auth-request-handler.c @ 22614:cf66220d281e

doveadm proxy: Don't crash if remote doesn't support log proxying
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Sat, 14 Oct 2017 12:54:18 +0300
parents cb967fd0910c
children cb108f786fb4
21390
2e2563132d5f Updated copyright notices to include the year 2017.
Stephan Bosch <stephan.bosch@dovecot.fi>
parents: 20927
diff changeset
1 /* Copyright (c) 2005-2017 Dovecot authors, see the included COPYING file */
3074
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
2
9219
97cdfeb57129 Renamed headers to prevent collision if they were flattened on an install.
Mark Washenberger
parents: 9002
diff changeset
3 #include "auth-common.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
4 #include "ioloop.h"
7087
a281705a2360 Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents: 7086
diff changeset
5 #include "array.h"
7088
958500009336 Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents: 7087
diff changeset
6 #include "aqueue.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
7 #include "base64.h"
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
8 #include "hash.h"
15187
02451e967a06 Renamed network.[ch] to net.[ch].
Timo Sirainen <tss@iki.fi>
parents: 15173
diff changeset
9 #include "net.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
10 #include "str.h"
15682
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
11 #include "strescape.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
12 #include "str-sanitize.h"
11256
e08dd68309a9 auth/login related timeouts are now in one place and they make more sense.
Timo Sirainen <tss@iki.fi>
parents: 11254
diff changeset
13 #include "master-interface.h"
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
14 #include "auth-penalty.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
15 #include "auth-request.h"
15049
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
16 #include "auth-token.h"
5038
b2921478f94f Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents: 5005
diff changeset
17 #include "auth-master-connection.h"
3074
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
18 #include "auth-request-handler.h"
20432
f1f7c73ecd45 auth: Finish policy.[ch] renaming..
Timo Sirainen <timo.sirainen@dovecot.fi>
parents: 20426
diff changeset
19 #include "auth-policy.h"
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
20
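/* Value is in milliseconds, going by the _MSECS suffix. The use site is not
   part of this excerpt; presumably this is the polling interval for the
   delayed auth-failure queue declared below -- confirm against the timeout
   setup code. */
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500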
/* Bookkeeping for the auth requests that belong to one handler. Judging by
   the conn member there is one handler per auth client connection. */
struct auth_request_handler {
	/* Starts at 1 in auth_request_handler_create(); the handler is torn
	   down in auth_request_handler_unref() when this reaches 0. */
	int refcount;
	/* Pool the handler itself and its request table are allocated from. */
	pool_t pool;
	/* Requests currently owned by this handler. Removal looks entries up
	   with POINTER_CAST(request->id), so the key is the request id. */
	HASH_TABLE(void *, struct auth_request *) requests;

	/* Both are filled in later by auth_request_handler_set(). */
	unsigned int connect_uid;
	unsigned int client_pid;

	/* Reply callback and the connection handed back to it. The callback
	   is also invoked with a NULL reply when the handler is freed. */
	auth_client_request_callback_t *callback;
	struct auth_client_connection *conn;

	auth_master_request_callback_t *master_callback;

	/* Set once by auth_request_handler_destroy(); requests may still hold
	   references to the handler after that point. */
	unsigned int destroyed:1;
	/* Copied from the token_auth argument of
	   auth_request_handler_create(). */
	unsigned int token_auth:1;
};
/* Module-wide state for failed auth requests. How these are initialised and
   used is outside this excerpt; the annotate history describes the purpose
   as keeping failed requests in a failure buffer for at least a second. */
static ARRAY(struct auth_request *) auth_failures_arr;
static struct aqueue *auth_failures;
static struct timeout *to_auth_failures;

/* Forward declaration. ATTR_NULL(1) marks the context argument as one that
   is allowed to be NULL. */
static void auth_failure_timeout(void *context) ATTR_NULL(1);
/*
 * Allocate a new request handler with a reference count of 1.
 *
 * The handler and its request table live in a dedicated alloc-only pool, so
 * releasing that pool in auth_request_handler_unref() releases everything
 * allocated here. connect_uid and client_pid are not set by this function;
 * the caller supplies them through auth_request_handler_set().
 *
 * token_auth       stored as the handler's token_auth flag
 * callback         client reply callback; also called with a NULL reply
 *                  when the handler is finally freed
 * conn             connection passed back to callback
 * master_callback  stored for master-side replies
 */
struct auth_request_handler *
auth_request_handler_create(bool token_auth, auth_client_request_callback_t *callback,
			    struct auth_client_connection *conn,
			    auth_master_request_callback_t *master_callback)
{
	pool_t handler_pool =
		pool_alloconly_create("auth request handler", 4096);
	struct auth_request_handler *new_handler =
		p_new(handler_pool, struct auth_request_handler, 1);

	new_handler->pool = handler_pool;
	new_handler->refcount = 1;
	new_handler->token_auth = token_auth;
	new_handler->callback = callback;
	new_handler->conn = conn;
	new_handler->master_callback = master_callback;
	hash_table_create_direct(&new_handler->requests, handler_pool, 0);
	return new_handler;
}
/* Return how many requests are currently stored in the handler's table.
   Per the annotate history this was added so that a warning can be logged
   when an auth client disconnects with requests still pending. */
unsigned int
auth_request_handler_get_request_count(struct auth_request_handler *handler)
{
	unsigned int pending = hash_table_count(handler->requests);

	return pending;
}
/*
 * Drop every request that is not in the middle of a passdb/userdb lookup.
 *
 * Requests in the PASSDB or USERDB state are deliberately left in the table:
 * the lookup is still running and will touch the request when it completes
 * (annotate history, changeset d2b49c7d4046: "Crashfix when aborting auth
 * request doing async passdb/userdb lookup"). Because such requests can
 * remain after this call, the table is not guaranteed to be empty on return,
 * and auth_request_handler_unref() asserts that it is empty before freeing.
 */
void auth_request_handler_abort_requests(struct auth_request_handler *handler)
{
	struct hash_iterate_context *ctx;
	struct auth_request *req;
	void *req_key;

	ctx = hash_table_iterate_init(handler->requests);
	while (hash_table_iterate(ctx, handler->requests, &req_key, &req)) {
		switch (req->state) {
		case AUTH_REQUEST_STATE_PASSDB:
		case AUTH_REQUEST_STATE_USERDB:
			/* can't abort a pending passdb/userdb lookup */
			break;
		case AUTH_REQUEST_STATE_NEW:
		case AUTH_REQUEST_STATE_MECH_CONTINUE:
		case AUTH_REQUEST_STATE_FINISHED:
			/* mark first, so a later auth_request_handler_remove()
			   on this request returns early instead of removing
			   and unreferencing it a second time */
			req->removed_from_handler = TRUE;
			/* the request is handed over by address; the table
			   entry is removed through the saved key, not through
			   the request pointer */
			auth_request_unref(&req);
			hash_table_remove(handler->requests, req_key);
			break;
		case AUTH_REQUEST_STATE_MAX:
			i_unreached();
		}
	}
	hash_table_iterate_deinit(&ctx);
}
/*
 * Drop one reference to the handler and free it when the last one is gone.
 *
 * The caller's pointer is cleared unconditionally, before anything else, so
 * a caller cannot keep using a handler it no longer holds a reference to.
 * The refcount assertion catches an unbalanced unref, and the final teardown
 * asserts that no request is left in the table, since a remaining request
 * would still point at the handler being freed.
 */
void auth_request_handler_unref(struct auth_request_handler **_handler)
{
	struct auth_request_handler *h = *_handler;

	*_handler = NULL;

	i_assert(h->refcount > 0);
	h->refcount--;
	if (h->refcount > 0)
		return;

	i_assert(hash_table_count(h->requests) == 0);

	/* notify parent that we're done with all requests; the callback
	   receives a NULL reply here and has to tolerate it */
	h->callback(NULL, h->conn);

	hash_table_destroy(&h->requests);
	/* the handler was allocated from this pool in
	   auth_request_handler_create(), so it must not be touched after
	   this line */
	pool_unref(&h->pool);
}
/*
 * Mark the handler as destroyed and drop the caller's reference.
 *
 * The handler is only freed here if this was the last reference. The
 * destroyed flag exists for the case where a request outlives the client
 * connection (annotate history, changeset bc782780d0fe: "Don't assert-crash
 * if a request still succeeds after its client connection is gone").
 * Calling this twice on the same handler trips the assertion.
 */
void auth_request_handler_destroy(struct auth_request_handler **_handler)
{
	struct auth_request_handler *h = *_handler;

	/* the caller loses its pointer whether or not the handler is freed */
	*_handler = NULL;

	i_assert(!h->destroyed);
	h->destroyed = TRUE;

	auth_request_handler_unref(&h);
}
/* Record the connect uid and client pid on the handler. Both values are
   stored as given; no validation is done here, so any checking of what the
   client reported has to happen in the caller. */
void auth_request_handler_set(struct auth_request_handler *handler,
			      unsigned int connect_uid,
			      unsigned int client_pid)
{
	handler->client_pid = client_pid;
	handler->connect_uid = connect_uid;
}
/*
 * Detach a request from its handler and drop one reference to it.
 *
 * The call is idempotent: removed_from_handler records that the request was
 * already detached, so a second call neither removes the table entry nor
 * unreferences the request again (annotate history, changeset dfa2b49d8298:
 * "Avoid crashing when finishing failed requests that already timed out").
 * The request must belong to the given handler.
 */
static void auth_request_handler_remove(struct auth_request_handler *handler,
					struct auth_request *request)
{
	i_assert(request->handler == handler);

	if (!request->removed_from_handler) {
		request->removed_from_handler = TRUE;

		/* if db lookup is stuck, this call doesn't actually free the
		   auth request, so make sure we don't get back here. */
		timeout_remove(&request->to_abort);

		/* remove the table entry while the request is still
		   referenced; the id is read before the unref below */
		hash_table_remove(handler->requests,
				  POINTER_CAST(request->id));
		auth_request_unref(&request);
	}
}
/*
 * Append "<TAB>key=value" to dest.
 *
 * Only the value is tab-escaped. Fields in the reply are separated by tabs,
 * so escaping keeps a value that contains a separator from being read as an
 * extra field by the receiver. The key is appended verbatim, so callers are
 * expected to pass fixed field names, never text taken from a client.
 */
static void
auth_str_add_keyvalue(string_t *dest, const char *key, const char *value)
{
	/* field separator, then the unescaped field name */
	str_append_c(dest, '\t');
	str_append(dest, key);

	/* '=' followed by the escaped value */
	str_append_c(dest, '=');
	str_append_tabescaped(dest, value);
}
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
165
15682
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
166 static void
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
167 auth_str_append_extra_fields(struct auth_request *request, string_t *dest)
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
168 {
17099
61142fbbecf0 auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents: 17042
diff changeset
169 if (!auth_fields_is_empty(request->extra_fields)) {
61142fbbecf0 auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents: 17042
diff changeset
170 str_append_c(dest, '\t');
61142fbbecf0 auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents: 17042
diff changeset
171 auth_fields_append(request->extra_fields, dest,
61142fbbecf0 auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents: 17042
diff changeset
172 AUTH_FIELD_FLAG_HIDDEN, 0);
61142fbbecf0 auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents: 17042
diff changeset
173 }
4758
2fc38c1e48c4 Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents: 4739
diff changeset
174
16924
f66b0fe68439 auth: Potential crashfix
Timo Sirainen <tss@iki.fi>
parents: 16909
diff changeset
175 if (request->original_username != NULL &&
18387
0540c2834f68 auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents: 18137
diff changeset
176 null_strcmp(request->original_username, request->user) != 0 &&
0540c2834f68 auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents: 18137
diff changeset
177 !auth_fields_exists(request->extra_fields, "original_user")) {
16802
a32eea97afc1 *-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents: 16033
diff changeset
178 auth_str_add_keyvalue(dest, "original_user",
a32eea97afc1 *-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents: 16033
diff changeset
179 request->original_username);
a32eea97afc1 *-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents: 16033
diff changeset
180 }
18387
0540c2834f68 auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents: 18137
diff changeset
181 if (request->master_user != NULL &&
0540c2834f68 auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents: 18137
diff changeset
182 !auth_fields_exists(request->extra_fields, "auth_user"))
17100
5350000a999b auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents: 17099
diff changeset
183 auth_str_add_keyvalue(dest, "auth_user", request->master_user);
16802
a32eea97afc1 *-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents: 16033
diff changeset
184
15687
686f32406220 auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents: 15685
diff changeset
185 if (!request->auth_only &&
686f32406220 auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents: 15685
diff changeset
186 auth_fields_exists(request->extra_fields, "proxy")) {
8546
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
187 /* we're proxying */
15685
17f5257d60c1 auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents: 15684
diff changeset
188 if (!auth_fields_exists(request->extra_fields, "pass") &&
15681
3fac9306be3e auth: Code cleanup: Removed unnecessary userdb_ prefix checks.
Timo Sirainen <tss@iki.fi>
parents: 15500
diff changeset
189 request->mech_password != NULL) {
8546
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
190 /* send back the password that was sent by user
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
191 (not the password in passdb). */
15682
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
192 auth_str_add_keyvalue(dest, "pass",
8546
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
193 request->mech_password);
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
194 }
14997
1bc8f7b823e7 auth: Don't add "master" to passdb reply if the passdb itself already added it.
Timo Sirainen <tss@iki.fi>
parents: 14565
diff changeset
195 if (request->master_user != NULL &&
15685
17f5257d60c1 auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents: 15684
diff changeset
196 !auth_fields_exists(request->extra_fields, "master")) {
8546
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
197 /* the master username needs to be forwarded */
15682
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
198 auth_str_add_keyvalue(dest, "master",
8546
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
199 request->master_user);
50f49805b13b imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents: 8413
diff changeset
200 }
3432
079ec5c2d665 Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents: 3338
diff changeset
201 }
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
202 }
/*
 * Hand a failed-authentication reply line to the client connection.
 *
 * A request that is already flagged in_delayed_failure_queue gets its reply
 * passed straight to the handler callback. Any other request is taken off
 * the handler's requests-list and reported to auth policy; after that the
 * reply is either sent at once (extra_fields has "nodelay") or the request
 * is appended to the auth_failures queue.
 *
 * `reply` is used only on the two paths that call the callback; the queueing
 * path does not keep it.
 */
static void
auth_request_handle_failure(struct auth_request *request, const char *reply)
{
	struct auth_request_handler *owner = request->handler;

	if (request->in_delayed_failure_queue) {
		/* re-entered from flush_failures(): the request was queued
		   by an earlier call, so only the reply is left to send */
		owner->callback(reply, owner->conn);
		return;
	}

	/* remove the request from requests-list; the reference taken here
	   is released again on the "nodelay" path at the end */
	auth_request_ref(request);
	auth_request_handler_remove(owner, request);

	auth_policy_report(request);

	if (!auth_fields_exists(request->extra_fields, "nodelay")) {
		/* Failure: hold the reply back instead of announcing it
		   immediately, to avoid a) timing attacks, b) flooding. */
		request->in_delayed_failure_queue = TRUE;
		owner->refcount++;

		if (auth_penalty != NULL) {
			auth_penalty_update(auth_penalty, request,
					    request->last_penalty + 1);
		}

		auth_request_refresh_last_access(request);
		aqueue_append(auth_failures, &request);
		if (to_auth_failures == NULL) {
			/* no timeout is registered yet; add one that calls
			   auth_failure_timeout */
			to_auth_failures =
				timeout_add_short(AUTH_FAILURE_DELAY_CHECK_MSECS,
						  auth_failure_timeout, (void *)NULL);
		}
		return;
	}

	/* passdb specifically requested not to delay the reply. Note that
	   this path skips the delay queue, the penalty update and the
	   timeout above. */
	owner->callback(reply, owner->conn);
	auth_request_unref(&request);
}
/*
 * Build the "OK" reply line for a successful request and pass it to the
 * handler callback.
 *
 * The line is "OK", the request id and "user=<name>", separated by TABs,
 * followed by whatever auth_str_append_extra_fields() adds. A non-zero
 * penalty is reset first, and the request is reported to auth policy before
 * the callback runs.
 */
static void
auth_request_handler_reply_success_finish(struct auth_request *request)
{
	struct auth_request_handler *owner = request->handler;
	string_t *line = t_str_new(128);
	bool wait_for_master;

	if (auth_penalty != NULL && request->last_penalty != 0) {
		/* reset penalty */
		auth_penalty_update(auth_penalty, request, 0);
	}

	/* sanitize these fields, since the login code currently assumes they
	   are exactly in this format. */
	auth_fields_booleanize(request->extra_fields, "nologin");
	auth_fields_booleanize(request->extra_fields, "proxy");

	/* the user name is appended with str_append_tabescaped(), not through
	   the format string; fields on this line are separated by TABs */
	str_printfa(line, "OK\t%u\tuser=", request->id);
	str_append_tabescaped(line, request->user);
	auth_str_append_extra_fields(request, line);

	auth_policy_report(request);

	/* Without a master callback, or with "nologin"/"proxy" set, this
	   request doesn't have to wait for master process to pick it up,
	   so it is deleted from the handler here. */
	wait_for_master = owner->master_callback != NULL &&
		!auth_fields_exists(request->extra_fields, "nologin") &&
		!auth_fields_exists(request->extra_fields, "proxy");
	if (!wait_for_master)
		auth_request_handler_remove(owner, request);

	owner->callback(str_c(line), owner->conn);
}
/*
 * Build the "FAIL" reply line for a request and pass it on to
 * auth_request_handle_failure().
 *
 * The line is "FAIL" and the request id, then in this order: a "user" field
 * (request->user, else request->original_username, else none), a "temp" or
 * "authz" flag, "nodelay" if that extra field is set, the extra fields, and
 * "user_disabled" / "pass_expired" for those two passdb results.
 */
static void
auth_request_handler_reply_failure_finish(struct auth_request *request)
{
	string_t *line = t_str_new(128);
	const char *name;

	/* a failed authentication never sends "nologin" back */
	auth_fields_remove(request->extra_fields, "nologin");

	str_printfa(line, "FAIL\t%u", request->id);

	name = request->user != NULL ?
		request->user : request->original_username;
	if (name != NULL)
		auth_str_add_keyvalue(line, "user", name);

	if (request->internal_failure) {
		str_append(line, "\ttemp");
	} else if (request->master_user != NULL) {
		/* authentication succeeded, but we can't log in
		   as the wanted user */
		str_append(line, "\tauthz");
	}

	if (auth_fields_exists(request->extra_fields, "nodelay")) {
		/* this is normally a hidden field, need to add it explicitly */
		str_append(line, "\tnodelay");
	}
	auth_str_append_extra_fields(request, line);

	/* Only a disabled user and an expired password get a flag of their
	   own. This switch adds nothing for the other results, so an unknown
	   user and a password mismatch are not told apart here. There is
	   deliberately no default label. */
	switch (request->passdb_result) {
	case PASSDB_RESULT_USER_DISABLED:
		str_append(line, "\tuser_disabled");
		break;
	case PASSDB_RESULT_PASS_EXPIRED:
		str_append(line, "\tpass_expired");
		break;
	case PASSDB_RESULT_NEXT:
	case PASSDB_RESULT_INTERNAL_FAILURE:
	case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
	case PASSDB_RESULT_USER_UNKNOWN:
	case PASSDB_RESULT_PASSWORD_MISMATCH:
	case PASSDB_RESULT_OK:
		break;
	}

	auth_request_handle_failure(request, str_c(line));
}
/*
 * Callback passed to auth_request_proxy_finish(): finish the request as a
 * success or as a failure depending on `success`, then release one handler
 * reference.
 */
static void
auth_request_handler_proxy_callback(bool success, struct auth_request *request)
{
	/* read the handler before finishing: both finish paths can end in
	   auth_request_handler_remove() for this request */
	struct auth_request_handler *owner = request->handler;
	void (*finish)(struct auth_request *) = success ?
		auth_request_handler_reply_success_finish :
		auth_request_handler_reply_failure_finish;

	finish(request);
	/* NOTE(review): presumably balances a reference taken when the
	   proxy lookup was started; that code is not in this function */
	auth_request_handler_unref(&owner);
}
339 void auth_request_handler_reply(struct auth_request *request,
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
340 enum auth_client_result result,
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
341 const void *auth_reply, size_t reply_size)
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
342 {
11497
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
343 struct auth_request_handler *handler = request->handler;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
344 string_t *str;
14155
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
345 int ret;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
346
12212
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
347 if (handler->destroyed) {
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
348 /* the client connection was already closed. we can't do
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
349 anything but abort this request */
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
350 request->internal_failure = TRUE;
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
351 result = AUTH_CLIENT_RESULT_FAILURE;
13488
0dffdc3bfad1 auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents: 12782
diff changeset
352 /* make sure this request is set to finished state
0dffdc3bfad1 auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents: 12782
diff changeset
353 (it's not with result=continue) */
0dffdc3bfad1 auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents: 12782
diff changeset
354 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
12212
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
355 }
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
356
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
357 switch (result) {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
358 case AUTH_CLIENT_RESULT_CONTINUE:
15682
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
359 str = t_str_new(16 + MAX_BASE64_ENCODED_SIZE(reply_size));
526aa986d534 auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents: 15681
diff changeset
360 str_printfa(str, "CONT\t%u\t", request->id);
7388
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents: 7384
diff changeset
361 base64_encode(auth_reply, reply_size, str);
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents: 7384
diff changeset
362
15687
686f32406220 auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents: 15685
diff changeset
363 request->accept_cont_input = TRUE;
19925
1b966650aef9 auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents: 19552
diff changeset
364 handler->callback(str_c(str), handler->conn);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
365 break;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
366 case AUTH_CLIENT_RESULT_SUCCESS:
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
367 if (reply_size > 0) {
7388
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents: 7384
diff changeset
368 str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size));
08d31d752893 Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents: 7384
diff changeset
369 base64_encode(auth_reply, reply_size, str);
15685
17f5257d60c1 auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents: 15684
diff changeset
370 auth_fields_add(request->extra_fields, "resp",
17f5257d60c1 auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents: 15684
diff changeset
371 str_c(str), 0);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
372 }
14155
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
373 ret = auth_request_proxy_finish(request,
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
374 auth_request_handler_proxy_callback);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
375 if (ret < 0)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
376 auth_request_handler_reply_failure_finish(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
377 else if (ret > 0)
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
378 auth_request_handler_reply_success_finish(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
379 else
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
380 return;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
381 break;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
382 case AUTH_CLIENT_RESULT_FAILURE:
14155
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
383 auth_request_proxy_finish_failure(request);
da43dc494753 auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents: 14133
diff changeset
384 auth_request_handler_reply_failure_finish(request);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
385 break;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
386 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
387 /* NOTE: request may be destroyed now */
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
388
3879
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents: 3863
diff changeset
389 auth_request_handler_unref(&handler);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
390 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
391
11497
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
/* Hand a mechanism's intermediate reply to the common reply path.

   request:    the auth request the reply belongs to
   reply:      raw reply bytes produced by the mechanism
   reply_size: number of bytes in reply

   Everything is delegated to auth_request_handler_reply() with the
   AUTH_CLIENT_RESULT_CONTINUE result code; this function adds no
   processing of its own. */
void auth_request_handler_reply_continue(struct auth_request *request,
					 const void *reply, size_t reply_size)
{
	auth_request_handler_reply(request,
				   AUTH_CLIENT_RESULT_CONTINUE,
				   reply, reply_size);
}
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
398
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
/* Reject a request with a textual reason.

   handler: handler whose callback/connection receives the reply
   request: the request being failed
   reason:  human-readable failure reason

   The reason is logged at info level, a "FAIL\t<id>\treason=<reason>"
   line is passed to handler->callback, and the request is then removed
   from the handler. */
static void auth_request_handler_auth_fail(struct auth_request_handler *handler,
					   struct auth_request *request,
					   const char *reason)
{
	string_t *fail_line = t_str_new(128);

	/* reason is passed as an argument to "%s", never as the format */
	auth_request_log_info(request, AUTH_SUBSYS_MECH, "%s", reason);

	/* The reply line is TAB-delimited, so the free-form reason goes
	   through the tab-escaping append instead of being added raw. */
	str_printfa(fail_line, "FAIL\t%u\treason=", request->id);
	str_append_tabescaped(fail_line, reason);
	handler->callback(str_c(fail_line), handler->conn);

	/* NOTE(review): request presumably must not be touched after this
	   call - confirm against auth_request_handler_remove() */
	auth_request_handler_remove(handler, request);
}
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
413
10757
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents: 10589
diff changeset
/* Timeout callback for a request (registered as request->to_abort in
   auth_request_handler_auth_begin()). Logs how long the request has been
   idle and removes it from its handler.

   - state other than AUTH_REQUEST_STATE_MECH_CONTINUE: always logged at
     error level, including client pid, request id and the raw state value
   - state AUTH_REQUEST_STATE_MECH_CONTINUE: logged at info level, and only
     when request->set->verbose is set */
static void auth_request_timeout(struct auth_request *request)
{
	time_t now = time(NULL);
	/* NOTE(review): a clock step backwards would make this difference
	   negative before the cast - confirm whether that matters here */
	unsigned int secs = (unsigned int)(now - request->last_access);
	bool waiting_for_client =
		request->state == AUTH_REQUEST_STATE_MECH_CONTINUE;

	if (!waiting_for_client) {
		/* client's fault */
		auth_request_log_error(request, AUTH_SUBSYS_MECH,
			"Request %u.%u timed out after %u secs, state=%d",
			request->handler->client_pid, request->id,
			secs, request->state);
	} else if (request->set->verbose) {
		auth_request_log_info(request, AUTH_SUBSYS_MECH,
			"Request timed out waiting for client to continue authentication "
			"(%u secs)", secs);
	}

	/* removal happens regardless of which (if any) message was logged */
	auth_request_handler_remove(request->handler, request);
}
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents: 10589
diff changeset
431
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
/* Timeout callback scheduled by auth_penalty_callback(): the penalty
   delay is over, so the timer is dropped and the request is started. */
static void auth_request_penalty_finish(struct auth_request *request)
{
	/* remove the timer first so it cannot fire a second time */
	timeout_remove(&request->to_penalty);

	auth_request_initial(request);
}
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
437
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
/* Receives the penalty value looked up for a request and decides when the
   authentication may start.

   penalty: penalty value; 0 means no delay
   request: the request waiting to be started

   The value is remembered in request->last_penalty. With a zero penalty
   the request starts immediately; otherwise its start is postponed by
   auth_penalty_to_secs(penalty) seconds through request->to_penalty,
   which fires auth_request_penalty_finish(). */
static void
auth_penalty_callback(unsigned int penalty, struct auth_request *request)
{
	unsigned int delay_secs;

	request->last_penalty = penalty;

	if (penalty != 0) {
		delay_secs = auth_penalty_to_secs(penalty);
		/* NOTE(review): the msec conversion is unsigned int
		   arithmetic; assumes auth_penalty_to_secs() returns a
		   small bounded value - confirm */
		request->to_penalty = timeout_add(delay_secs * 1000,
						  auth_request_penalty_finish,
						  request);
		return;
	}

	auth_request_initial(request);
}
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
454
10903
6e639833c3fc auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents: 10895
diff changeset
455 bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
3863
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents: 3520
diff changeset
456 const char *args)
3074
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
457 {
5788
bdb16967be64 Further const'ification of struct mech_module.
Andrey Panin <pazke@donpac.ru>
parents: 5586
diff changeset
458 const struct mech_module *mech;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
459 struct auth_request *request;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
460 const char *const *list, *name, *arg, *initial_resp;
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
461 void *initial_resp_data;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
462 unsigned int id;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
463 buffer_t *buf;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
464
12212
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
465 i_assert(!handler->destroyed);
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
466
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
467 /* <id> <mechanism> [...] */
22093
87ae222d49cf auth: Fix unescaping tabs in auth client input.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents: 21954
diff changeset
468 list = t_strsplit_tabescaped(args);
11086
260e190306b0 Started using str_to_*() functions instead of libc's ones.
Timo Sirainen <tss@iki.fi>
parents: 11039
diff changeset
469 if (list[0] == NULL || list[1] == NULL ||
12212
bc782780d0fe auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents: 12211
diff changeset
470 str_to_uint(list[0], &id) < 0) {
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
471 i_error("BUG: Authentication client %u "
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
472 "sent broken AUTH request", handler->client_pid);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
473 return FALSE;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
474 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
475
15049
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
476 if (handler->token_auth) {
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
477 mech = &mech_dovecot_token;
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
478 if (strcmp(list[1], mech->mech_name) != 0) {
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
479 /* unsupported mechanism */
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
480 i_error("BUG: Authentication client %u requested invalid "
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
481 "authentication mechanism %s (DOVECOT-TOKEN required)",
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
482 handler->client_pid, str_sanitize(list[1], MAX_MECH_NAME_LEN));
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
483 return FALSE;
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
484 }
19157
d482a8097362 auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents: 18387
diff changeset
485 } else {
d482a8097362 auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents: 18387
diff changeset
486 struct auth *auth_default = auth_default_service();
d482a8097362 auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents: 18387
diff changeset
487 mech = mech_register_find(auth_default->reg, list[1]);
15049
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
488 if (mech == NULL) {
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
489 /* unsupported mechanism */
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
490 i_error("BUG: Authentication client %u requested unsupported "
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
491 "authentication mechanism %s", handler->client_pid,
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
492 str_sanitize(list[1], MAX_MECH_NAME_LEN));
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
493 return FALSE;
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
494 }
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
495 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
496
11497
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
497 request = auth_request_new(mech);
10757
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents: 10589
diff changeset
498 request->handler = handler;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
499 request->connect_uid = handler->connect_uid;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
500 request->client_pid = handler->client_pid;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
501 request->id = id;
15173
ff66315076ce auth: Don't add proxy/pass fields when we're only authenticating (not logging in).
Timo Sirainen <tss@iki.fi>
parents: 15079
diff changeset
502 request->auth_only = handler->master_callback == NULL;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
503
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
504 /* parse optional parameters */
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
505 initial_resp = NULL;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
506 for (list += 2; *list != NULL; list++) {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
507 arg = strchr(*list, '=');
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
508 if (arg == NULL) {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
509 name = *list;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
510 arg = "";
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
511 } else {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
512 name = t_strdup_until(*list, arg);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
513 arg++;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
514 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
515
13728
9a6aa717bc46 auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents: 13722
diff changeset
516 if (auth_request_import_auth(request, name, arg))
3338
e5ce49c8524a USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents: 3308
diff changeset
517 ;
4682
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
518 else if (strcmp(name, "resp") == 0) {
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
519 initial_resp = arg;
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
520 /* this must be the last parameter */
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
521 list++;
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
522 break;
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
523 }
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
524 }
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
525
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
526 if (*list != NULL) {
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
527 i_error("BUG: Authentication client %u "
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
528 "sent AUTH parameters after 'resp'",
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
529 handler->client_pid);
10758
fa8a0f453774 auth: Don't leak memory if auth client sends a buggy request.
Timo Sirainen <tss@iki.fi>
parents: 10757
diff changeset
530 auth_request_unref(&request);
4682
bc071307fc2a Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents: 4532
diff changeset
531 return FALSE;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
532 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
533
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
534 if (request->service == NULL) {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
535 i_error("BUG: Authentication client %u "
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
536 "didn't specify service in request",
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
537 handler->client_pid);
10758
fa8a0f453774 auth: Don't leak memory if auth client sends a buggy request.
Timo Sirainen <tss@iki.fi>
parents: 10757
diff changeset
538 auth_request_unref(&request);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
539 return FALSE;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
540 }
12491
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
541 if (hash_table_lookup(handler->requests, POINTER_CAST(id)) != NULL) {
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
542 i_error("BUG: Authentication client %u "
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
543 "sent a duplicate ID %u", handler->client_pid, id);
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
544 auth_request_unref(&request);
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
545 return FALSE;
6c9bc37fcf41 auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents: 12212
diff changeset
546 }
10903
6e639833c3fc auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents: 10895
diff changeset
547 auth_request_init(request);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
548
11256
e08dd68309a9 auth/login related timeouts are now in one place and they make more sense.
Timo Sirainen <tss@iki.fi>
parents: 11254
diff changeset
549 request->to_abort = timeout_add(MASTER_AUTH_SERVER_TIMEOUT_SECS * 1000,
10757
d3697efd18f3 auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents: 10589
diff changeset
550 auth_request_timeout, request);
8573
f9166a09423a Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents: 8546
diff changeset
551 hash_table_insert(handler->requests, POINTER_CAST(id), request);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
552
10903
6e639833c3fc auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents: 10895
diff changeset
553 if (request->set->ssl_require_client_cert &&
8320
d49aa6720fb2 Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents: 7388
diff changeset
554 !request->valid_client_cert) {
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
555 /* we fail without valid certificate */
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
556 auth_request_handler_auth_fail(handler, request,
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
557 "Client didn't present valid SSL certificate");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
558 return TRUE;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
559 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
560
9562
90f8e2d091b5 auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents: 9219
diff changeset
561 /* Empty initial response is a "=" base64 string. Completely empty
90f8e2d091b5 auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents: 9219
diff changeset
562 string shouldn't really be sent, but at least Exim does it,
90f8e2d091b5 auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents: 9219
diff changeset
563 so just allow it for backwards compatibility.. */
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
564 if (initial_resp != NULL && *initial_resp != '\0') {
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
565 size_t len = strlen(initial_resp);
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
566
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
567 buf = buffer_create_dynamic(pool_datastack_create(),
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
568 MAX_BASE64_DECODED_SIZE(len));
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
569 if (base64_decode(initial_resp, len, NULL, buf) < 0) {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
570 auth_request_handler_auth_fail(handler, request,
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
571 "Invalid base64 data in initial response");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
572 return TRUE;
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
573 }
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
574 initial_resp_data =
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
575 p_malloc(request->pool, I_MAX(buf->used, 1));
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
576 memcpy(initial_resp_data, buf->data, buf->used);
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
577 request->initial_response = initial_resp_data;
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
578 request->initial_response_len = buf->used;
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
579 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
580
11497
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
581 /* handler is referenced until auth_request_handler_reply()
94f78f415811 auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents: 11494
diff changeset
582 is called. */
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
583 handler->refcount++;
10301
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
584
fbff8ca77d2e auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents: 9562
diff changeset
585 /* before we start authenticating, see if we need to wait first */
11501
149d57c1a9c0 auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents: 11498
diff changeset
586 auth_penalty_lookup(auth_penalty, request, auth_penalty_callback);
3166
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
587 return TRUE;
3074
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
588 }
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
589
3863
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents: 3520
diff changeset
/* Handle a CONT line from the authentication client. The line has the form
   "<id>\t<base64 response>".

   Returns FALSE only when the line cannot be parsed (no tab separator, or
   the id is not accepted by str_to_uint()). Every other outcome returns
   TRUE, including the cases where a failure is reported for the request.

   args is input received from the auth client; both parts taken from it
   (the request id and the base64 payload) are checked below before use. */
bool auth_request_handler_auth_continue(struct auth_request_handler *handler,
					const char *args)
{
	struct auth_request *req;
	const char *sep, *payload;
	buffer_t *decoded;
	size_t payload_len;
	unsigned int req_id;
	bool parsed;

	/* split at the first tab; the id is parsed only when the separator
	   exists, so req_id is never read uninitialized */
	sep = strchr(args, '\t');
	if (sep == NULL)
		parsed = FALSE;
	else
		parsed = str_to_uint(t_strdup_until(args, sep), &req_id) >= 0;
	if (!parsed) {
		i_error("BUG: Authentication client sent broken CONT request");
		return FALSE;
	}
	payload = sep + 1;

	req = hash_table_lookup(handler->requests, POINTER_CAST(req_id));
	if (req == NULL) {
		/* no request with this id in this handler's table: answered
		   the same way as a request that has timed out */
		handler->callback(t_strdup_printf(
			"FAIL\t%u\treason=Authentication request timed out",
			req_id), handler->conn);
		return TRUE;
	}

	/* A continuation is accepted only once after the mechanism has sent
	   a CONT reply. The flag is cleared before the payload is looked at,
	   so a second CONT for the same request is rejected as unexpected
	   until the flag is set again (that happens outside this function). */
	if (!req->accept_cont_input) {
		auth_request_handler_auth_fail(handler, req,
					       "Unexpected continuation");
		return TRUE;
	}
	req->accept_cont_input = FALSE;

	/* the decode buffer is created with the maximum decoded size for
	   this payload length */
	payload_len = strlen(payload);
	decoded = buffer_create_dynamic(pool_datastack_create(),
					MAX_BASE64_DECODED_SIZE(payload_len));
	if (base64_decode(payload, payload_len, NULL, decoded) < 0) {
		auth_request_handler_auth_fail(handler, req,
			"Invalid base64 data in continued response");
		return TRUE;
	}
	/* NOTE(review): depending on the SASL mechanism the decoded response
	   may hold secret material. This function does not clear the buffer;
	   confirm how data stack memory is treated after use. */

	/* handler is referenced until auth_request_handler_reply()
	   is called. */
	handler->refcount++;
	auth_request_continue(req, decoded->data, decoded->used);
	return TRUE;
}
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents: 3077
diff changeset
637
17100
5350000a999b auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents: 17099
diff changeset
/* Append the userdb reply fields, plus the fields derived from the request
   itself (master_user, anonymous, auth_token, auth_user), to dest.

   A tab is written first, so dest is expected to already hold the beginning
   of a tab-separated reply line.

   NOTE(review): several values written here (master_user,
   original_username) originate from the login attempt. They are passed
   through auth_str_add_keyvalue(), which is defined outside this view;
   presumably it escapes tabs and newlines in the value - verify, since the
   output is a tab-separated line. */
static void auth_str_append_userdb_extra_fields(struct auth_request *request,
						string_t *dest)
{
	const char *anon_user, *pid_str, *token;
	const char *auth_user = NULL;

	str_append_c(dest, '\t');
	/* NOTE(review): AUTH_FIELD_FLAG_HIDDEN and 0 are the two flag
	   arguments; presumably this keeps hidden fields out of the reply -
	   confirm against auth_fields_append(). */
	auth_fields_append(request->userdb_reply, dest,
			   AUTH_FIELD_FLAG_HIDDEN, 0);

	/* a master_user field in the userdb reply takes precedence; the
	   request's own value is added only when the reply has none */
	if (request->master_user != NULL &&
	    !auth_fields_exists(request->userdb_reply, "master_user"))
		auth_str_add_keyvalue(dest, "master_user", request->master_user);

	/* Anonymous login: either via the ANONYMOUS SASL mechanism or by
	   logging in as the anonymous user through another mechanism. An
	   empty anonymous_username setting never matches. */
	anon_user = request->set->anonymous_username;
	if (anon_user[0] != '\0' && strcmp(request->user, anon_user) == 0)
		str_append(dest, "\tanonymous");

	/* an auth_token is generated only when it was requested and the
	   master service provided a session_pid; the token is derived from
	   service, session pid, user and session id */
	if (request->request_auth_token &&
	    request->session_pid != (pid_t)-1) {
		pid_str = dec2str(request->session_pid);
		token = auth_token_get(request->service, pid_str,
				       request->user, request->session_id);
		auth_str_add_keyvalue(dest, "auth_token", token);
	}

	/* auth_user is the master user if there is one, otherwise the
	   original username when it differs from the final user */
	if (request->master_user != NULL)
		auth_user = request->master_user;
	else if (request->original_username != NULL &&
		 strcmp(request->original_username, request->user) != 0)
		auth_user = request->original_username;
	if (auth_user != NULL)
		auth_str_add_keyvalue(dest, "auth_user", auth_user);
}
5350000a999b auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents: 17099
diff changeset
675
4880
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents: 4767
diff changeset
/* Called with the result of a userdb lookup. Builds the reply line
   ("FAIL", "NOTFOUND" or "USER", each followed by the request id), passes
   it to the handler's master_callback and then drops the references to the
   master connection, the request and the handler.

   The request must be in AUTH_REQUEST_STATE_USERDB on entry; it is moved
   to AUTH_REQUEST_STATE_FINISHED before the reply is built. */
static void userdb_callback(enum userdb_result result,
			    struct auth_request *request)
{
	/* read up front: the handler is still needed after the request
	   reference has been dropped at the end */
	struct auth_request_handler *handler = request->handler;
	string_t *reply;
	const char *reason;
	bool tempfailed;

	i_assert(request->state == AUTH_REQUEST_STATE_USERDB);

	auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);

	/* a temporary lookup failure overrides the result that was passed
	   in, so it is never reported as NOTFOUND or USER */
	tempfailed = request->userdb_lookup_tempfailed;
	if (tempfailed)
		result = USERDB_RESULT_INTERNAL_FAILURE;

	reply = t_str_new(128);
	switch (result) {
	case USERDB_RESULT_OK:
		str_printfa(reply, "USER\t%u\t", request->id);
		/* the username goes into a tab-separated line, so it is
		   written tab-escaped */
		str_append_tabescaped(reply, request->user);
		auth_str_append_userdb_extra_fields(request, reply);
		break;
	case USERDB_RESULT_USER_UNKNOWN:
		str_printfa(reply, "NOTFOUND\t%u", request->id);
		break;
	case USERDB_RESULT_INTERNAL_FAILURE:
		str_printfa(reply, "FAIL\t%u", request->id);
		/* the userdb's "reason" field is forwarded only for a
		   temporary failure, and only when the field exists */
		reason = !tempfailed ? NULL :
			auth_fields_find(request->userdb_reply, "reason");
		if (reason != NULL)
			auth_str_add_keyvalue(reply, "reason", reason);
		break;
	}
	handler->master_callback(str_c(reply), request->master);

	/* release order: master connection, then the request, then the
	   handler saved at the top */
	auth_master_connection_unref(&request->master);
	auth_request_unref(&request);
	auth_request_handler_unref(&handler);
}
3feb38ff17f5 Moving code around.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
715
15049
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
/* Report a failed master request as "FAIL\t<id>" through the handler's
   master_callback.

   Returns TRUE when the reply was passed to the callback, FALSE when the
   handler has no master_callback (nothing is sent in that case). */
static bool
auth_master_request_failed(struct auth_request_handler *handler,
			   struct auth_master_connection *master,
			   unsigned int id)
{
	if (handler->master_callback != NULL) {
		const char *reply = t_strdup_printf("FAIL\t%u", id);

		handler->master_callback(reply, master);
		return TRUE;
	}
	return FALSE;
}
aa6027a0a78e Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents: 15005
diff changeset
726
11285
1a3c9bd45b11 auth: Separate auth and login connections. Non-login requests are freed immediately after auth finished.
Timo Sirainen <tss@iki.fi>
parents: 11256
diff changeset
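/* Handle a master connection's request for a client's auth request.
 *
 * Looks up the auth request stored under client_id in handler->requests,
 * takes it out of the handler, imports the master-supplied "name=value"
 * params into it and, if the request finished successfully, starts the
 * userdb lookup on behalf of the master (reply goes via userdb_callback).
 *
 * handler:   handler owning the client's auth requests
 * master:    master connection that sent the request
 * id:        master's own id for this request, used in the reply
 * client_id: id the client used for the auth request
 * params:    NULL-terminated list of "name" or "name=value" strings
 *
 * Returns TRUE once a reply has been sent or a userdb lookup started; on
 * "request not found" and on session pid mismatch it returns whatever
 * auth_master_request_failed() returns.
 */
bool auth_request_handler_master_request(struct auth_request_handler *handler,
					 struct auth_master_connection *master,
					 unsigned int id, unsigned int client_id,
					 const char *const *params)
{
	struct auth_request *request;
	struct net_unix_cred cred;

	request = hash_table_lookup(handler->requests, POINTER_CAST(client_id));
	if (request == NULL) {
		i_error("Master request %u.%u not found",
			handler->client_pid, client_id);
		return auth_master_request_failed(handler, master, id);
	}

	/* keep our own reference while the request is taken out of the
	   handler; every path below must either release it or hand it over
	   to the userdb lookup */
	auth_request_ref(request);
	auth_request_handler_remove(handler, request);

	for (; *params != NULL; params++) {
		const char *name, *param = strchr(*params, '=');

		if (param == NULL) {
			/* bare "name" without a value */
			name = *params;
			param = "";
		} else {
			name = t_strdup_until(*params, param);
			param++;
		}

		/* the result is deliberately ignored: a parameter that is
		   not imported does not fail the request */
		(void)auth_request_import_master(request, name, param);
	}

	/* verify session pid if specified and possible. This is best-effort:
	   the check is skipped when no session pid was given, when
	   net_getunixcred() fails, or when the peer pid is unavailable. */
	if (request->session_pid != (pid_t)-1 &&
	    net_getunixcred(master->fd, &cred) == 0 &&
	    cred.pid != (pid_t)-1 && request->session_pid != cred.pid) {
		i_error("Session pid %ld provided by master for request %u.%u "
			"did not match peer credentials (pid=%ld, uid=%ld)",
			(long)request->session_pid,
			handler->client_pid, client_id,
			(long)cred.pid, (long)cred.uid);
		/* drop the reference taken above: auth_master_request_failed()
		   is not given the request, so nothing else would release it
		   on this path */
		auth_request_unref(&request);
		return auth_master_request_failed(handler, master, id);
	}

	if (request->state != AUTH_REQUEST_STATE_FINISHED ||
	    !request->successful) {
		/* the master may only pick up requests that have already
		   authenticated successfully */
		i_error("Master requested unfinished authentication request "
			"%u.%u", handler->client_pid, client_id);
		handler->master_callback(t_strdup_printf("FAIL\t%u", id),
					 master);
		auth_request_unref(&request);
	} else {
		/* the request isn't being referenced anywhere anymore,
		   so we can do a bit of kludging.. replace the request's
		   old client_id with master's id. */
		auth_request_set_state(request, AUTH_REQUEST_STATE_USERDB);
		request->id = id;
		request->master = master;

		/* master and handler are referenced until userdb_callback
		   is called. */
		auth_master_connection_ref(master);
		handler->refcount++;
		auth_request_lookup_user(request, userdb_callback);
	}
	return TRUE;
}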
/* Cancel the auth request that the client identified as client_id.
 *
 * The request is looked up in handler->requests and, when present, removed
 * from the handler. An unknown client_id is silently ignored.
 */
void auth_request_handler_cancel_request(struct auth_request_handler *handler,
					 unsigned int client_id)
{
	struct auth_request *found =
		hash_table_lookup(handler->requests, POINTER_CAST(client_id));

	if (found == NULL) {
		/* nothing stored under this id, so there is nothing to do */
		return;
	}
	auth_request_handler_remove(handler, found);
}
/* Send the delayed failure replies for queued failed auth requests.
 *
 * Walks the auth_failures queue from its first entry and selects the leading
 * run of requests whose failure_delay has elapsed (or every queued request
 * when flush_all is TRUE). The selected requests are shuffled, then each one
 * is removed from the queue, answered with AUTH_CLIENT_RESULT_FAILURE and
 * unreferenced.
 *
 * When the queue is empty, the to_auth_failures timeout is removed instead.
 */
void auth_request_handler_flush_failures(bool flush_all)
{
	struct auth_request **auth_requests, **slot_a, **slot_b, *req;
	unsigned int queued, ready, pos, pick;
	time_t age;
	bool delayed;

	queued = aqueue_count(auth_failures);
	if (queued == 0) {
		/* nothing is waiting, so the flush timeout has no work left */
		if (to_auth_failures != NULL)
			timeout_remove(&to_auth_failures);
		return;
	}

	auth_requests = array_idx_modifiable(&auth_failures_arr, 0);

	/* count how many requests at the start of the queue are due */
	ready = 0;
	while (ready < queued) {
		req = auth_requests[aqueue_idx(auth_failures, ready)];

		/* FIXME: assumes that failure_delay is always the same;
		   the scan stops at the first request that is not yet due,
		   so later entries are not examined. */
		age = ioloop_time - req->last_access;
		delayed = age < (time_t)req->set->failure_delay;
		if (delayed && !flush_all)
			break;
		ready++;
	}

	/* shuffle the due requests so that the order of the failure replies
	   does not reveal anything to a client that runs several requests in
	   parallel and watches which reply arrives first.
	   NOTE(review): random() is not a cryptographic generator and the
	   modulo is slightly biased, so the resulting order is only as
	   unpredictable as random()'s state - confirm this is acceptable for
	   the timing-attack mitigation. */
	for (pos = 0; pos < ready; pos++) {
		pick = random() % (ready - pos) + pos;
		slot_a = &auth_requests[aqueue_idx(auth_failures, pos)];
		slot_b = &auth_requests[aqueue_idx(auth_failures, pick)];

		/* exchange the entries at pos and pick */
		req = *slot_a;
		*slot_a = *slot_b;
		*slot_b = req;
	}

	/* send the replies; each round takes the entry at queue index 0 and
	   then deletes the queue's tail (presumably the same entry - verify
	   against aqueue) */
	for (pos = 0; pos < ready; pos++) {
		req = auth_requests[aqueue_idx(auth_failures, 0)];
		aqueue_delete_tail(auth_failures);

		i_assert(req != NULL);
		i_assert(req->state == AUTH_REQUEST_STATE_FINISHED);
		auth_request_handler_reply(req,
					   AUTH_CLIENT_RESULT_FAILURE,
					   &uchar_nul, 0);
		auth_request_unref(&req);
	}
}
/* Flush the failure replies that are due. The context argument is unused.
   Presumably installed as the to_auth_failures timeout callback - confirm
   at the place where the timeout is added. */
static void auth_failure_timeout(void *context ATTR_UNUSED)
{
	/* FALSE: requests whose failure delay has not elapsed stay queued */
	auth_request_handler_flush_failures(FALSE);
}
/* Set up the global storage for delayed auth failures: the backing array
   auth_failures_arr and the auth_failures queue built on top of it. */
void auth_request_handler_init(void)
{
	/* 128 is the array's initial size argument */
	i_array_init(&auth_failures_arr, 128);

	/* the queue is created over the array initialized above */
	auth_failures = aqueue_init(&auth_failures_arr.arr);
}
/* Tear down the delayed-failure storage. Every queued failure is answered
   first, regardless of its remaining delay, then the array, the queue and
   the pending flush timeout (if any) are released. */
void auth_request_handler_deinit(void)
{
	/* TRUE: reply to all queued failures now instead of waiting */
	auth_request_handler_flush_failures(TRUE);

	array_free(&auth_failures_arr);
	aqueue_deinit(&auth_failures);

	if (to_auth_failures != NULL) {
		timeout_remove(&to_auth_failures);
	}
}