Mercurial > dovecot > core-2.2
annotate src/auth/auth-request-handler.c @ 22614:cf66220d281e
doveadm proxy: Don't crash if remote doesn't support log proxying
author | Timo Sirainen <timo.sirainen@dovecot.fi> |
---|---|
date | Sat, 14 Oct 2017 12:54:18 +0300 |
parents | cb967fd0910c |
children | cb108f786fb4 |
rev | line source |
---|---|
21390
2e2563132d5f
Updated copyright notices to include the year 2017.
Stephan Bosch <stephan.bosch@dovecot.fi>
parents:
20927
diff
changeset
|
1 /* Copyright (c) 2005-2017 Dovecot authors, see the included COPYING file */ |
3074 | 2 |
9219
97cdfeb57129
Renamed headers to prevent collision if they were flattened on an install.
Mark Washenberger
parents:
9002
diff
changeset
|
3 #include "auth-common.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
4 #include "ioloop.h" |
7087
a281705a2360
Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
5 #include "array.h" |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
6 #include "aqueue.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
7 #include "base64.h" |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
8 #include "hash.h" |
15187
02451e967a06
Renamed network.[ch] to net.[ch].
Timo Sirainen <tss@iki.fi>
parents:
15173
diff
changeset
|
9 #include "net.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
10 #include "str.h" |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
11 #include "strescape.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
12 #include "str-sanitize.h" |
11256
e08dd68309a9
auth/login related timeouts are now in one place and they make more sense.
Timo Sirainen <tss@iki.fi>
parents:
11254
diff
changeset
|
13 #include "master-interface.h" |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
14 #include "auth-penalty.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
15 #include "auth-request.h" |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
16 #include "auth-token.h" |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
17 #include "auth-master-connection.h" |
3074 | 18 #include "auth-request-handler.h" |
20432
f1f7c73ecd45
auth: Finish policy.[ch] renaming..
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
20426
diff
changeset
|
19 #include "auth-policy.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
20 |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
21 #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
22 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
23 struct auth_request_handler { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
24 int refcount; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
25 pool_t pool; |
14923
96fd2c3bf932
Reverted "support for non-pointers" part of the hash table API changes.
Timo Sirainen <tss@iki.fi>
parents:
14920
diff
changeset
|
26 HASH_TABLE(void *, struct auth_request *) requests; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
27 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
28 unsigned int connect_uid, client_pid; |
3074 | 29 |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
30 auth_client_request_callback_t *callback; |
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
31 struct auth_client_connection *conn; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
32 |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
33 auth_master_request_callback_t *master_callback; |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
34 |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
35 unsigned int destroyed:1; |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
36 unsigned int token_auth:1; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
37 }; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
38 |
14920
a097ef0a9d6d
Array API changed: ARRAY_DEFINE(name, type) -> ARRAY(type) name
Timo Sirainen <tss@iki.fi>
parents:
14918
diff
changeset
|
39 static ARRAY(struct auth_request *) auth_failures_arr; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
40 static struct aqueue *auth_failures; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
41 static struct timeout *to_auth_failures; |
3074 | 42 |
14629
c93ca5e46a8a
Marked functions parameters that are allowed to be NULL. Some APIs were also changed.
Timo Sirainen <tss@iki.fi>
parents:
14577
diff
changeset
|
43 static void auth_failure_timeout(void *context) ATTR_NULL(1); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
44 |
3074 | 45 struct auth_request_handler * |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
46 auth_request_handler_create(bool token_auth, auth_client_request_callback_t *callback, |
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
47 struct auth_client_connection *conn, |
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
48 auth_master_request_callback_t *master_callback) |
3074 | 49 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
50 struct auth_request_handler *handler; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
51 pool_t pool; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
52 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
53 pool = pool_alloconly_create("auth request handler", 4096); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
54 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
55 handler = p_new(pool, struct auth_request_handler, 1); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
56 handler->refcount = 1; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
57 handler->pool = pool; |
14918
8eae4e205c82
Hash table API is now (mostly) type safe.
Timo Sirainen <tss@iki.fi>
parents:
14917
diff
changeset
|
58 hash_table_create_direct(&handler->requests, pool, 0); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
59 handler->callback = callback; |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
60 handler->conn = conn; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
61 handler->master_callback = master_callback; |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
62 handler->token_auth = token_auth; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
63 return handler; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
64 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
65 |
13722
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
66 unsigned int |
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
67 auth_request_handler_get_request_count(struct auth_request_handler *handler) |
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
68 { |
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
69 return hash_table_count(handler->requests); |
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
70 } |
2ecd0e90402a
auth: Log a warning if auth client disconnects while it still has pending requests.
Timo Sirainen <tss@iki.fi>
parents:
13488
diff
changeset
|
71 |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
72 void auth_request_handler_abort_requests(struct auth_request_handler *handler) |
11492
fd447208ccb9
auth: Another attempt in trying to fix crashed at deinit on pending async auth request lookups.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
73 { |
fd447208ccb9
auth: Another attempt in trying to fix crashed at deinit on pending async auth request lookups.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
74 struct hash_iterate_context *iter; |
14923
96fd2c3bf932
Reverted "support for non-pointers" part of the hash table API changes.
Timo Sirainen <tss@iki.fi>
parents:
14920
diff
changeset
|
75 void *key; |
96fd2c3bf932
Reverted "support for non-pointers" part of the hash table API changes.
Timo Sirainen <tss@iki.fi>
parents:
14920
diff
changeset
|
76 struct auth_request *auth_request; |
11492
fd447208ccb9
auth: Another attempt in trying to fix crashed at deinit on pending async auth request lookups.
Timo Sirainen <tss@iki.fi>
parents:
11456
diff
changeset
|
77 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
78 iter = hash_table_iterate_init(handler->requests); |
14923
96fd2c3bf932
Reverted "support for non-pointers" part of the hash table API changes.
Timo Sirainen <tss@iki.fi>
parents:
14920
diff
changeset
|
79 while (hash_table_iterate(iter, handler->requests, &key, &auth_request)) { |
12035
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
80 switch (auth_request->state) { |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
81 case AUTH_REQUEST_STATE_NEW: |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
82 case AUTH_REQUEST_STATE_MECH_CONTINUE: |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
83 case AUTH_REQUEST_STATE_FINISHED: |
20927
12bc0868ef0e
auth: Fixed assert-crash on invalid auth-client input
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
20515
diff
changeset
|
84 auth_request->removed_from_handler = TRUE; |
12035
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
85 auth_request_unref(&auth_request); |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
86 hash_table_remove(handler->requests, key); |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
87 break; |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
88 case AUTH_REQUEST_STATE_PASSDB: |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
89 case AUTH_REQUEST_STATE_USERDB: |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
90 /* can't abort a pending passdb/userdb lookup */ |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
91 break; |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
92 case AUTH_REQUEST_STATE_MAX: |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
93 i_unreached(); |
d2b49c7d4046
auth: Crashfix when aborting auth request doing async passdb/userdb lookup.
Timo Sirainen <tss@iki.fi>
parents:
11501
diff
changeset
|
94 } |
3952
d7a0354861b8
If authentication client disconnects while it still has pending requests,
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
95 } |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
96 hash_table_iterate_deinit(&iter); |
3077
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
97 } |
3074 | 98 |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
99 void auth_request_handler_unref(struct auth_request_handler **_handler) |
11441
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
100 { |
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
101 struct auth_request_handler *handler = *_handler; |
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
102 |
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
103 *_handler = NULL; |
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
104 |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
105 i_assert(handler->refcount > 0); |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
106 if (--handler->refcount > 0) |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
107 return; |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
108 |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
109 i_assert(hash_table_count(handler->requests) == 0); |
11441
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
110 |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
111 /* notify parent that we're done with all requests */ |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
112 handler->callback(NULL, handler->conn); |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
113 |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
114 hash_table_destroy(&handler->requests); |
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
115 pool_unref(&handler->pool); |
11441
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
116 } |
3ef582c3fb72
auth: Aborting pending async requests on deinit caused crashes.
Timo Sirainen <tss@iki.fi>
parents:
11354
diff
changeset
|
117 |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
118 void auth_request_handler_destroy(struct auth_request_handler **_handler) |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
119 { |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
120 struct auth_request_handler *handler = *_handler; |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
121 |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
122 *_handler = NULL; |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
123 |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
124 i_assert(!handler->destroyed); |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
125 |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
126 handler->destroyed = TRUE; |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
127 auth_request_handler_unref(&handler); |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
128 } |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
129 |
3077
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
130 void auth_request_handler_set(struct auth_request_handler *handler, |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
131 unsigned int connect_uid, |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
132 unsigned int client_pid) |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
133 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
134 handler->connect_uid = connect_uid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
135 handler->client_pid = client_pid; |
3074 | 136 } |
137 | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
138 static void auth_request_handler_remove(struct auth_request_handler *handler, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
139 struct auth_request *request) |
3074 | 140 { |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
141 i_assert(request->handler == handler); |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
142 |
12211
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
143 if (request->removed_from_handler) { |
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
144 /* already removed it */ |
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
145 return; |
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
146 } |
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
147 request->removed_from_handler = TRUE; |
dfa2b49d8298
auth: Avoid crashing when finishing failed requests that already timed out.
Timo Sirainen <tss@iki.fi>
parents:
12035
diff
changeset
|
148 |
11254
83b4020d1edf
auth: Don't crash when auth requests timeout.
Timo Sirainen <tss@iki.fi>
parents:
11251
diff
changeset
|
149 /* if db lookup is stuck, this call doesn't actually free the auth |
83b4020d1edf
auth: Don't crash when auth requests timeout.
Timo Sirainen <tss@iki.fi>
parents:
11251
diff
changeset
|
150 request, so make sure we don't get back here. */ |
83b4020d1edf
auth: Don't crash when auth requests timeout.
Timo Sirainen <tss@iki.fi>
parents:
11251
diff
changeset
|
151 timeout_remove(&request->to_abort); |
83b4020d1edf
auth: Don't crash when auth requests timeout.
Timo Sirainen <tss@iki.fi>
parents:
11251
diff
changeset
|
152 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
153 hash_table_remove(handler->requests, POINTER_CAST(request->id)); |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
154 auth_request_unref(&request); |
3074 | 155 } |
156 | |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
157 static void |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
158 auth_str_add_keyvalue(string_t *dest, const char *key, const char *value) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
159 { |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
160 str_append_c(dest, '\t'); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
161 str_append(dest, key); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
162 str_append_c(dest, '='); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
163 str_append_tabescaped(dest, value); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
164 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
165 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
166 static void |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
167 auth_str_append_extra_fields(struct auth_request *request, string_t *dest) |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
168 { |
17099
61142fbbecf0
auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents:
17042
diff
changeset
|
169 if (!auth_fields_is_empty(request->extra_fields)) { |
61142fbbecf0
auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents:
17042
diff
changeset
|
170 str_append_c(dest, '\t'); |
61142fbbecf0
auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents:
17042
diff
changeset
|
171 auth_fields_append(request->extra_fields, dest, |
61142fbbecf0
auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents:
17042
diff
changeset
|
172 AUTH_FIELD_FLAG_HIDDEN, 0); |
61142fbbecf0
auth: Send original_user to auth client also when there aren't any extra fields.
Timo Sirainen <tss@iki.fi>
parents:
17042
diff
changeset
|
173 } |
4758
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
174 |
16924 | 175 if (request->original_username != NULL && |
18387
0540c2834f68
auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents:
18137
diff
changeset
|
176 null_strcmp(request->original_username, request->user) != 0 && |
0540c2834f68
auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents:
18137
diff
changeset
|
177 !auth_fields_exists(request->extra_fields, "original_user")) { |
16802
a32eea97afc1
*-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents:
16033
diff
changeset
|
178 auth_str_add_keyvalue(dest, "original_user", |
a32eea97afc1
*-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents:
16033
diff
changeset
|
179 request->original_username); |
a32eea97afc1
*-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents:
16033
diff
changeset
|
180 } |
18387
0540c2834f68
auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents:
18137
diff
changeset
|
181 if (request->master_user != NULL && |
0540c2834f68
auth: Don't add original_user or auth_user to passdb reply if they already exist.
Timo Sirainen <tss@iki.fi>
parents:
18137
diff
changeset
|
182 !auth_fields_exists(request->extra_fields, "auth_user")) |
17100
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
183 auth_str_add_keyvalue(dest, "auth_user", request->master_user); |
16802
a32eea97afc1
*-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables.
Timo Sirainen <tss@iki.fi>
parents:
16033
diff
changeset
|
184 |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
185 if (!request->auth_only && |
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
186 auth_fields_exists(request->extra_fields, "proxy")) { |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
187 /* we're proxying */ |
15685
17f5257d60c1
auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents:
15684
diff
changeset
|
188 if (!auth_fields_exists(request->extra_fields, "pass") && |
15681
3fac9306be3e
auth: Code cleanup: Removed unnecessary userdb_ prefix checks.
Timo Sirainen <tss@iki.fi>
parents:
15500
diff
changeset
|
189 request->mech_password != NULL) { |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
190 /* send back the password that was sent by user |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
191 (not the password in passdb). */ |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
192 auth_str_add_keyvalue(dest, "pass", |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
193 request->mech_password); |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
194 } |
14997
1bc8f7b823e7
auth: Don't add "master" to passdb reply if the passdb itself already added it.
Timo Sirainen <tss@iki.fi>
parents:
14565
diff
changeset
|
195 if (request->master_user != NULL && |
15685
17f5257d60c1
auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents:
15684
diff
changeset
|
196 !auth_fields_exists(request->extra_fields, "master")) { |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
197 /* the master username needs to be forwarded */ |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
198 auth_str_add_keyvalue(dest, "master", |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
199 request->master_user); |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
200 } |
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
201 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
202 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
203 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
204 static void |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
205 auth_request_handle_failure(struct auth_request *request, const char *reply) |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
206 { |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
207 struct auth_request_handler *handler = request->handler; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
208 |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
209 if (request->in_delayed_failure_queue) { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
210 /* we came here from flush_failures() */ |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
211 handler->callback(reply, handler->conn); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
212 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
213 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
214 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
215 /* remove the request from requests-list */ |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
216 auth_request_ref(request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
217 auth_request_handler_remove(handler, request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
218 |
20420
5b48cdd7b54c
auth-policy: Hook auth policy to auth code
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
19925
diff
changeset
|
219 auth_policy_report(request); |
5b48cdd7b54c
auth-policy: Hook auth policy to auth code
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
19925
diff
changeset
|
220 |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
221 if (auth_fields_exists(request->extra_fields, "nodelay")) { |
11498
190a5278e58b
auth: Changed how auth deinitilization works.
Timo Sirainen <tss@iki.fi>
parents:
11497
diff
changeset
|
222 /* passdb specifically requested not to delay the reply. */ |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
223 handler->callback(reply, handler->conn); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
224 auth_request_unref(&request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
225 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
226 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
227 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
228 /* failure. don't announce it immediately to avoid |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
229 a) timing attacks, b) flooding */ |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
230 request->in_delayed_failure_queue = TRUE; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
231 handler->refcount++; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
232 |
11501
149d57c1a9c0
auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
233 if (auth_penalty != NULL) { |
149d57c1a9c0
auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
234 auth_penalty_update(auth_penalty, request, |
149d57c1a9c0
auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
235 request->last_penalty + 1); |
149d57c1a9c0
auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
236 } |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
237 |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
238 auth_request_refresh_last_access(request); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
239 aqueue_append(auth_failures, &request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
240 if (to_auth_failures == NULL) { |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
241 to_auth_failures = |
14577
a47c95872745
Use timeout_add_short() for sub-second timeouts. Fail at compile time if timeout_add() is <1s.
Timo Sirainen <tss@iki.fi>
parents:
14565
diff
changeset
|
242 timeout_add_short(AUTH_FAILURE_DELAY_CHECK_MSECS, |
15079
925d4a890a9b
Fixed compiling with OSes where NULL isn't defined as void pointer (e.g. Solaris).
Timo Sirainen <tss@iki.fi>
parents:
15049
diff
changeset
|
243 auth_failure_timeout, (void *)NULL); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
244 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
245 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
246 |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
247 static void |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
248 auth_request_handler_reply_success_finish(struct auth_request *request) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
249 { |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
250 struct auth_request_handler *handler = request->handler; |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
251 string_t *str = t_str_new(128); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
252 |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
253 if (request->last_penalty != 0 && auth_penalty != NULL) { |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
254 /* reset penalty */ |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
255 auth_penalty_update(auth_penalty, request, 0); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
256 } |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
257 |
16033
d7d7cbcc2b67
auth: Return "nologin" and "proxy" fields to login process without "=value".
Timo Sirainen <tss@iki.fi>
parents:
15715
diff
changeset
|
258 /* sanitize these fields, since the login code currently assumes they |
d7d7cbcc2b67
auth: Return "nologin" and "proxy" fields to login process without "=value".
Timo Sirainen <tss@iki.fi>
parents:
15715
diff
changeset
|
259 are exactly in this format. */ |
d7d7cbcc2b67
auth: Return "nologin" and "proxy" fields to login process without "=value".
Timo Sirainen <tss@iki.fi>
parents:
15715
diff
changeset
|
260 auth_fields_booleanize(request->extra_fields, "nologin"); |
d7d7cbcc2b67
auth: Return "nologin" and "proxy" fields to login process without "=value".
Timo Sirainen <tss@iki.fi>
parents:
15715
diff
changeset
|
261 auth_fields_booleanize(request->extra_fields, "proxy"); |
d7d7cbcc2b67
auth: Return "nologin" and "proxy" fields to login process without "=value".
Timo Sirainen <tss@iki.fi>
parents:
15715
diff
changeset
|
262 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
263 str_printfa(str, "OK\t%u\tuser=", request->id); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
264 str_append_tabescaped(str, request->user); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
265 auth_str_append_extra_fields(request, str); |
20426
3a12f30c03d5
auth-policy: Report success earlier
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
20420
diff
changeset
|
266 |
3a12f30c03d5
auth-policy: Report success earlier
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
20420
diff
changeset
|
267 auth_policy_report(request); |
3a12f30c03d5
auth-policy: Report success earlier
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
20420
diff
changeset
|
268 |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
269 if (handler->master_callback == NULL || |
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
270 auth_fields_exists(request->extra_fields, "nologin") || |
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
271 auth_fields_exists(request->extra_fields, "proxy")) { |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
272 /* this request doesn't have to wait for master |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
273 process to pick it up. delete it */ |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
274 auth_request_handler_remove(handler, request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
275 } |
20420
5b48cdd7b54c
auth-policy: Hook auth policy to auth code
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
19925
diff
changeset
|
276 |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
277 handler->callback(str_c(str), handler->conn); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
278 } |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
279 |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
280 static void |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
281 auth_request_handler_reply_failure_finish(struct auth_request *request) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
282 { |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
283 string_t *str = t_str_new(128); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
284 |
17323
3a5304b63f88
auth: If authentication fails, never send back "nologin" field.
Timo Sirainen <tss@iki.fi>
parents:
17235
diff
changeset
|
285 auth_fields_remove(request->extra_fields, "nologin"); |
3a5304b63f88
auth: If authentication fails, never send back "nologin" field.
Timo Sirainen <tss@iki.fi>
parents:
17235
diff
changeset
|
286 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
287 str_printfa(str, "FAIL\t%u", request->id); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
288 if (request->user != NULL) |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
289 auth_str_add_keyvalue(str, "user", request->user); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
290 else if (request->original_username != NULL) { |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
291 auth_str_add_keyvalue(str, "user", |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
292 request->original_username); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
293 } |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
294 |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
295 if (request->internal_failure) |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
296 str_append(str, "\ttemp"); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
297 else if (request->master_user != NULL) { |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
298 /* authentication succeeded, but we can't log in |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
299 as the wanted user */ |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
300 str_append(str, "\tauthz"); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
301 } |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
302 if (auth_fields_exists(request->extra_fields, "nodelay")) { |
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
303 /* this is normally a hidden field, need to add it explicitly */ |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
304 str_append(str, "\tnodelay"); |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
305 } |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
306 auth_str_append_extra_fields(request, str); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
307 |
14565
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
308 switch (request->passdb_result) { |
20515
84cd7e08e8d6
auth: Skip authentication with noauthenticate
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
20432
diff
changeset
|
309 case PASSDB_RESULT_NEXT: |
14565
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
310 case PASSDB_RESULT_INTERNAL_FAILURE: |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
311 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE: |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
312 case PASSDB_RESULT_USER_UNKNOWN: |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
313 case PASSDB_RESULT_PASSWORD_MISMATCH: |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
314 case PASSDB_RESULT_OK: |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
315 break; |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
316 case PASSDB_RESULT_USER_DISABLED: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
317 str_append(str, "\tuser_disabled"); |
14565
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
318 break; |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
319 case PASSDB_RESULT_PASS_EXPIRED: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
320 str_append(str, "\tpass_expired"); |
14565
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
321 break; |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
322 } |
d6f06ce44b0b
auth: If user is disabled or password expired, tell about it to auth-client.
Timo Sirainen <tss@iki.fi>
parents:
14514
diff
changeset
|
323 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
324 auth_request_handle_failure(request, str_c(str)); |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
325 } |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
326 |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
327 static void |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
328 auth_request_handler_proxy_callback(bool success, struct auth_request *request) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
329 { |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
330 struct auth_request_handler *handler = request->handler; |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
331 |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
332 if (success) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
333 auth_request_handler_reply_success_finish(request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
334 else |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
335 auth_request_handler_reply_failure_finish(request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
336 auth_request_handler_unref(&handler); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
337 } |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
338 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
339 void auth_request_handler_reply(struct auth_request *request, |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
340 enum auth_client_result result, |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
341 const void *auth_reply, size_t reply_size) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
342 { |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
343 struct auth_request_handler *handler = request->handler; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
344 string_t *str; |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
345 int ret; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
346 |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
347 if (handler->destroyed) { |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
348 /* the client connection was already closed. we can't do |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
349 anything but abort this request */ |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
350 request->internal_failure = TRUE; |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
351 result = AUTH_CLIENT_RESULT_FAILURE; |
13488
0dffdc3bfad1
auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents:
12782
diff
changeset
|
352 /* make sure this request is set to finished state |
0dffdc3bfad1
auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents:
12782
diff
changeset
|
353 (it's not with result=continue) */ |
0dffdc3bfad1
auth: Don't assert-crash if login client disconnects during multi-reply mechanism.
Timo Sirainen <tss@iki.fi>
parents:
12782
diff
changeset
|
354 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED); |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
355 } |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
356 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
357 switch (result) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
358 case AUTH_CLIENT_RESULT_CONTINUE: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
359 str = t_str_new(16 + MAX_BASE64_ENCODED_SIZE(reply_size)); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
360 str_printfa(str, "CONT\t%u\t", request->id); |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
361 base64_encode(auth_reply, reply_size, str); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
362 |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
363 request->accept_cont_input = TRUE; |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
364 handler->callback(str_c(str), handler->conn); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
365 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
366 case AUTH_CLIENT_RESULT_SUCCESS: |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
367 if (reply_size > 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
368 str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
369 base64_encode(auth_reply, reply_size, str); |
15685
17f5257d60c1
auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents:
15684
diff
changeset
|
370 auth_fields_add(request->extra_fields, "resp", |
17f5257d60c1
auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents:
15684
diff
changeset
|
371 str_c(str), 0); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
372 } |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
373 ret = auth_request_proxy_finish(request, |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
374 auth_request_handler_proxy_callback); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
375 if (ret < 0) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
376 auth_request_handler_reply_failure_finish(request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
377 else if (ret > 0) |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
378 auth_request_handler_reply_success_finish(request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
379 else |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
380 return; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
381 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
382 case AUTH_CLIENT_RESULT_FAILURE: |
14155
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
383 auth_request_proxy_finish_failure(request); |
da43dc494753
auth: Handle proxy_maybe=yes with host=hostname properly.
Timo Sirainen <tss@iki.fi>
parents:
14133
diff
changeset
|
384 auth_request_handler_reply_failure_finish(request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
385 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
386 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
387 /* NOTE: request may be destroyed now */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
388 |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
389 auth_request_handler_unref(&handler); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
390 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
391 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
392 void auth_request_handler_reply_continue(struct auth_request *request, |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
393 const void *reply, size_t reply_size) |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
394 { |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
395 auth_request_handler_reply(request, AUTH_CLIENT_RESULT_CONTINUE, |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
396 reply, reply_size); |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
397 } |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
398 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
399 static void auth_request_handler_auth_fail(struct auth_request_handler *handler, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
400 struct auth_request *request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
401 const char *reason) |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
402 { |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
403 string_t *str = t_str_new(128); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
404 |
17235
9b095cec9332
auth: Use special AUTH_SUBSYS_DB/MECH parameters as auth_request_log*() subsystem.
Timo Sirainen <tss@iki.fi>
parents:
17130
diff
changeset
|
405 auth_request_log_info(request, AUTH_SUBSYS_MECH, "%s", reason); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
406 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
407 str_printfa(str, "FAIL\t%u\treason=", request->id); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
408 str_append_tabescaped(str, reason); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
409 |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
410 handler->callback(str_c(str), handler->conn); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
411 auth_request_handler_remove(handler, request); |
3074 | 412 } |
413 | |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
414 static void auth_request_timeout(struct auth_request *request) |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
415 { |
15328
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
416 unsigned int secs = (unsigned int)(time(NULL) - request->last_access); |
11249
2a132661c029
auth: Log a message when auth request is removed due to timeout.
Timo Sirainen <tss@iki.fi>
parents:
11119
diff
changeset
|
417 |
2a132661c029
auth: Log a message when auth request is removed due to timeout.
Timo Sirainen <tss@iki.fi>
parents:
11119
diff
changeset
|
418 if (request->state != AUTH_REQUEST_STATE_MECH_CONTINUE) { |
2a132661c029
auth: Log a message when auth request is removed due to timeout.
Timo Sirainen <tss@iki.fi>
parents:
11119
diff
changeset
|
419 /* client's fault */ |
17235
9b095cec9332
auth: Use special AUTH_SUBSYS_DB/MECH parameters as auth_request_log*() subsystem.
Timo Sirainen <tss@iki.fi>
parents:
17130
diff
changeset
|
420 auth_request_log_error(request, AUTH_SUBSYS_MECH, |
15328
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
421 "Request %u.%u timed out after %u secs, state=%d", |
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
422 request->handler->client_pid, request->id, |
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
423 secs, request->state); |
11249
2a132661c029
auth: Log a message when auth request is removed due to timeout.
Timo Sirainen <tss@iki.fi>
parents:
11119
diff
changeset
|
424 } else if (request->set->verbose) { |
17235
9b095cec9332
auth: Use special AUTH_SUBSYS_DB/MECH parameters as auth_request_log*() subsystem.
Timo Sirainen <tss@iki.fi>
parents:
17130
diff
changeset
|
425 auth_request_log_info(request, AUTH_SUBSYS_MECH, |
15328
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
426 "Request timed out waiting for client to continue authentication " |
49bb6cc43d03
auth: Log a nicer message if client timeouts authentication in the middle.
Timo Sirainen <tss@iki.fi>
parents:
14997
diff
changeset
|
427 "(%u secs)", secs); |
11249
2a132661c029
auth: Log a message when auth request is removed due to timeout.
Timo Sirainen <tss@iki.fi>
parents:
11119
diff
changeset
|
428 } |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
429 auth_request_handler_remove(request->handler, request); |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
430 } |
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
431 |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
432 static void auth_request_penalty_finish(struct auth_request *request) |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
433 { |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
434 timeout_remove(&request->to_penalty); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
435 auth_request_initial(request); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
436 } |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
437 |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
438 static void |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
439 auth_penalty_callback(unsigned int penalty, struct auth_request *request) |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
440 { |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
441 unsigned int secs; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
442 |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
443 request->last_penalty = penalty; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
444 |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
445 if (penalty == 0) |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
446 auth_request_initial(request); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
447 else { |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
448 secs = auth_penalty_to_secs(penalty); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
449 request->to_penalty = timeout_add(secs * 1000, |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
450 auth_request_penalty_finish, |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
451 request); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
452 } |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
453 } |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
454 |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10895
diff
changeset
|
455 bool auth_request_handler_auth_begin(struct auth_request_handler *handler, |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
456 const char *args) |
3074 | 457 { |
5788
bdb16967be64
Further const'ification of struct mech_module.
Andrey Panin <pazke@donpac.ru>
parents:
5586
diff
changeset
|
458 const struct mech_module *mech; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
459 struct auth_request *request; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
460 const char *const *list, *name, *arg, *initial_resp; |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
461 void *initial_resp_data; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
462 unsigned int id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
463 buffer_t *buf; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
464 |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
465 i_assert(!handler->destroyed); |
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
466 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
467 /* <id> <mechanism> [...] */ |
22093
87ae222d49cf
auth: Fix unescaping tabs in auth client input.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21954
diff
changeset
|
468 list = t_strsplit_tabescaped(args); |
11086
260e190306b0
Started using str_to_*() functions instead of libc's ones.
Timo Sirainen <tss@iki.fi>
parents:
11039
diff
changeset
|
469 if (list[0] == NULL || list[1] == NULL || |
12212
bc782780d0fe
auth: Don't assert-crash if a request still succeeds after its client connection is gone.
Timo Sirainen <tss@iki.fi>
parents:
12211
diff
changeset
|
470 str_to_uint(list[0], &id) < 0) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
471 i_error("BUG: Authentication client %u " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
472 "sent broken AUTH request", handler->client_pid); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
473 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
474 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
475 |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
476 if (handler->token_auth) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
477 mech = &mech_dovecot_token; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
478 if (strcmp(list[1], mech->mech_name) != 0) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
479 /* unsupported mechanism */ |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
480 i_error("BUG: Authentication client %u requested invalid " |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
481 "authentication mechanism %s (DOVECOT-TOKEN required)", |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
482 handler->client_pid, str_sanitize(list[1], MAX_MECH_NAME_LEN)); |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
483 return FALSE; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
484 } |
19157
d482a8097362
auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents:
18387
diff
changeset
|
485 } else { |
d482a8097362
auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents:
18387
diff
changeset
|
486 struct auth *auth_default = auth_default_service(); |
d482a8097362
auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
Stephan Bosch <stephan@rename-it.nl>
parents:
18387
diff
changeset
|
487 mech = mech_register_find(auth_default->reg, list[1]); |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
488 if (mech == NULL) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
489 /* unsupported mechanism */ |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
490 i_error("BUG: Authentication client %u requested unsupported " |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
491 "authentication mechanism %s", handler->client_pid, |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
492 str_sanitize(list[1], MAX_MECH_NAME_LEN)); |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
493 return FALSE; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
494 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
495 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
496 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
497 request = auth_request_new(mech); |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
498 request->handler = handler; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
499 request->connect_uid = handler->connect_uid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
500 request->client_pid = handler->client_pid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
501 request->id = id; |
15173
ff66315076ce
auth: Don't add proxy/pass fields when we're only authenticating (not logging in).
Timo Sirainen <tss@iki.fi>
parents:
15079
diff
changeset
|
502 request->auth_only = handler->master_callback == NULL; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
503 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
504 /* parse optional parameters */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
505 initial_resp = NULL; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
506 for (list += 2; *list != NULL; list++) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
507 arg = strchr(*list, '='); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
508 if (arg == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
509 name = *list; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
510 arg = ""; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
511 } else { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
512 name = t_strdup_until(*list, arg); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
513 arg++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
514 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
515 |
13728
9a6aa717bc46
auth: Don't allow auth clients to set internal auth request fields.
Timo Sirainen <tss@iki.fi>
parents:
13722
diff
changeset
|
516 if (auth_request_import_auth(request, name, arg)) |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3308
diff
changeset
|
517 ; |
4682
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
518 else if (strcmp(name, "resp") == 0) { |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
519 initial_resp = arg; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
520 /* this must be the last parameter */ |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
521 list++; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
522 break; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
523 } |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
524 } |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
525 |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
526 if (*list != NULL) { |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
527 i_error("BUG: Authentication client %u " |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
528 "sent AUTH parameters after 'resp'", |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
529 handler->client_pid); |
10758
fa8a0f453774
auth: Don't leak memory if auth client sends a buggy request.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
530 auth_request_unref(&request); |
4682
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
531 return FALSE; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
532 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
533 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
534 if (request->service == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
535 i_error("BUG: Authentication client %u " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
536 "didn't specify service in request", |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
537 handler->client_pid); |
10758
fa8a0f453774
auth: Don't leak memory if auth client sends a buggy request.
Timo Sirainen <tss@iki.fi>
parents:
10757
diff
changeset
|
538 auth_request_unref(&request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
539 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
540 } |
12491
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
541 if (hash_table_lookup(handler->requests, POINTER_CAST(id)) != NULL) { |
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
542 i_error("BUG: Authentication client %u " |
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
543 "sent a duplicate ID %u", handler->client_pid, id); |
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
544 auth_request_unref(&request); |
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
545 return FALSE; |
6c9bc37fcf41
auth: Fail if auth client tries to use a duplicate ID.
Timo Sirainen <tss@iki.fi>
parents:
12212
diff
changeset
|
546 } |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10895
diff
changeset
|
547 auth_request_init(request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
548 |
11256
e08dd68309a9
auth/login related timeouts are now in one place and they make more sense.
Timo Sirainen <tss@iki.fi>
parents:
11254
diff
changeset
|
549 request->to_abort = timeout_add(MASTER_AUTH_SERVER_TIMEOUT_SECS * 1000, |
10757
d3697efd18f3
auth: Don't loop through active requests every 5 seconds, looking for timeouts.
Timo Sirainen <tss@iki.fi>
parents:
10589
diff
changeset
|
550 auth_request_timeout, request); |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
551 hash_table_insert(handler->requests, POINTER_CAST(id), request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
552 |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10895
diff
changeset
|
553 if (request->set->ssl_require_client_cert && |
8320
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
7388
diff
changeset
|
554 !request->valid_client_cert) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
555 /* we fail without valid certificate */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
556 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
557 "Client didn't present valid SSL certificate"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
558 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
559 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
560 |
9562
90f8e2d091b5
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
9219
diff
changeset
|
561 /* Empty initial response is a "=" base64 string. Completely empty |
90f8e2d091b5
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
9219
diff
changeset
|
562 string shouldn't really be sent, but at least Exim does it, |
90f8e2d091b5
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
9219
diff
changeset
|
563 so just allow it for backwards compatibility.. */ |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
564 if (initial_resp != NULL && *initial_resp != '\0') { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
565 size_t len = strlen(initial_resp); |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
566 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
567 buf = buffer_create_dynamic(pool_datastack_create(), |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
568 MAX_BASE64_DECODED_SIZE(len)); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
569 if (base64_decode(initial_resp, len, NULL, buf) < 0) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
570 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
571 "Invalid base64 data in initial response"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
572 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
573 } |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
574 initial_resp_data = |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
575 p_malloc(request->pool, I_MAX(buf->used, 1)); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
576 memcpy(initial_resp_data, buf->data, buf->used); |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
577 request->initial_response = initial_resp_data; |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
578 request->initial_response_len = buf->used; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
579 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
580 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
581 /* handler is referenced until auth_request_handler_reply() |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
582 is called. */ |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
583 handler->refcount++; |
10301
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
584 |
fbff8ca77d2e
auth: Added auth failure penalty tracking based on remote IP address.
Timo Sirainen <tss@iki.fi>
parents:
9562
diff
changeset
|
585 /* before we start authenticating, see if we need to wait first */ |
11501
149d57c1a9c0
auth: Abort pending penalty lookups earlier in deinit.
Timo Sirainen <tss@iki.fi>
parents:
11498
diff
changeset
|
586 auth_penalty_lookup(auth_penalty, request, auth_penalty_callback); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
587 return TRUE; |
3074 | 588 } |
589 | |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
590 bool auth_request_handler_auth_continue(struct auth_request_handler *handler, |
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
591 const char *args) |
3074 | 592 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
593 struct auth_request *request; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
594 const char *data; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
595 size_t data_len; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
596 buffer_t *buf; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
597 unsigned int id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
598 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
599 data = strchr(args, '\t'); |
11119
23e87e78c66e
auth: Fixed SASL authentication broken by recent changes.
Timo Sirainen <tss@iki.fi>
parents:
11086
diff
changeset
|
600 if (data == NULL || str_to_uint(t_strdup_until(args, data), &id) < 0) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
601 i_error("BUG: Authentication client sent broken CONT request"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
602 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
603 } |
5089 | 604 data++; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
605 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
606 request = hash_table_lookup(handler->requests, POINTER_CAST(id)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
607 if (request == NULL) { |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
608 const char *reply = t_strdup_printf( |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
609 "FAIL\t%u\treason=Authentication request timed out", id); |
19925
1b966650aef9
auth: Code cleanup - avoid using void *context
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
19552
diff
changeset
|
610 handler->callback(reply, handler->conn); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
611 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
612 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
613 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
614 /* accept input only once after mechanism has sent a CONT reply */ |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
615 if (!request->accept_cont_input) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
616 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
617 "Unexpected continuation"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
618 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
619 } |
15687
686f32406220
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
Timo Sirainen <tss@iki.fi>
parents:
15685
diff
changeset
|
620 request->accept_cont_input = FALSE; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
621 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
622 data_len = strlen(data); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
623 buf = buffer_create_dynamic(pool_datastack_create(), |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
624 MAX_BASE64_DECODED_SIZE(data_len)); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
625 if (base64_decode(data, data_len, NULL, buf) < 0) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
626 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
627 "Invalid base64 data in continued response"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
628 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
629 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
630 |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
631 /* handler is referenced until auth_request_handler_reply() |
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
632 is called. */ |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
633 handler->refcount++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
634 auth_request_continue(request, buf->data, buf->used); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
635 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
636 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
637 |
17100
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
638 static void auth_str_append_userdb_extra_fields(struct auth_request *request, |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
639 string_t *dest) |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
640 { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
641 str_append_c(dest, '\t'); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
642 auth_fields_append(request->userdb_reply, dest, |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
643 AUTH_FIELD_FLAG_HIDDEN, 0); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
644 |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
645 if (request->master_user != NULL && |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
646 !auth_fields_exists(request->userdb_reply, "master_user")) { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
647 auth_str_add_keyvalue(dest, "master_user", |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
648 request->master_user); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
649 } |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
650 if (*request->set->anonymous_username != '\0' && |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
651 strcmp(request->user, request->set->anonymous_username) == 0) { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
652 /* this is an anonymous login, either via ANONYMOUS |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
653 SASL mechanism or simply logging in as the anonymous |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
654 user via another mechanism */ |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
655 str_append(dest, "\tanonymous"); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
656 } |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
657 /* generate auth_token when master service provided session_pid */ |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
658 if (request->request_auth_token && |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
659 request->session_pid != (pid_t)-1) { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
660 const char *auth_token = |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
661 auth_token_get(request->service, |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
662 dec2str(request->session_pid), |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
663 request->user, |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
664 request->session_id); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
665 auth_str_add_keyvalue(dest, "auth_token", auth_token); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
666 } |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
667 if (request->master_user != NULL) { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
668 auth_str_add_keyvalue(dest, "auth_user", request->master_user); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
669 } else if (request->original_username != NULL && |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
670 strcmp(request->original_username, request->user) != 0) { |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
671 auth_str_add_keyvalue(dest, "auth_user", |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
672 request->original_username); |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
673 } |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
674 } |
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
675 |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
676 static void userdb_callback(enum userdb_result result, |
3520 | 677 struct auth_request *request) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
678 { |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
679 struct auth_request_handler *handler = request->handler; |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
680 string_t *str; |
11019
b40ec803421e
auth: If userdb lookup returns tempfail, return reason field (if any).
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
681 const char *value; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
682 |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
683 i_assert(request->state == AUTH_REQUEST_STATE_USERDB); |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
684 |
11251
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
11250
diff
changeset
|
685 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED); |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
686 |
17042
eeadb7b5045b
auth: Added userdb result_success/failure/tempfail and skip settings, similar to passdb's.
Timo Sirainen <tss@iki.fi>
parents:
16986
diff
changeset
|
687 if (request->userdb_lookup_tempfailed) |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
688 result = USERDB_RESULT_INTERNAL_FAILURE; |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
689 |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
690 str = t_str_new(128); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
691 switch (result) { |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
692 case USERDB_RESULT_INTERNAL_FAILURE: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
693 str_printfa(str, "FAIL\t%u", request->id); |
17042
eeadb7b5045b
auth: Added userdb result_success/failure/tempfail and skip settings, similar to passdb's.
Timo Sirainen <tss@iki.fi>
parents:
16986
diff
changeset
|
694 if (request->userdb_lookup_tempfailed) { |
15685
17f5257d60c1
auth: Code cleanup: Renamed auth-stream to auth-fields.
Timo Sirainen <tss@iki.fi>
parents:
15684
diff
changeset
|
695 value = auth_fields_find(request->userdb_reply, "reason"); |
11019
b40ec803421e
auth: If userdb lookup returns tempfail, return reason field (if any).
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
696 if (value != NULL) |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
697 auth_str_add_keyvalue(str, "reason", value); |
11019
b40ec803421e
auth: If userdb lookup returns tempfail, return reason field (if any).
Timo Sirainen <tss@iki.fi>
parents:
10903
diff
changeset
|
698 } |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
699 break; |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
700 case USERDB_RESULT_USER_UNKNOWN: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
701 str_printfa(str, "NOTFOUND\t%u", request->id); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
702 break; |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
703 case USERDB_RESULT_OK: |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
704 str_printfa(str, "USER\t%u\t", request->id); |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
705 str_append_tabescaped(str, request->user); |
17100
5350000a999b
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
Timo Sirainen <tss@iki.fi>
parents:
17099
diff
changeset
|
706 auth_str_append_userdb_extra_fields(request, str); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
707 break; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
708 } |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
709 handler->master_callback(str_c(str), request->master); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
710 |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
711 auth_master_connection_unref(&request->master); |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
712 auth_request_unref(&request); |
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
713 auth_request_handler_unref(&handler); |
3074 | 714 } |
715 | |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
716 static bool |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
717 auth_master_request_failed(struct auth_request_handler *handler, |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
718 struct auth_master_connection *master, |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
719 unsigned int id) |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
720 { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
721 if (handler->master_callback == NULL) |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
722 return FALSE; |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
723 handler->master_callback(t_strdup_printf("FAIL\t%u", id), master); |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
724 return TRUE; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
725 } |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
726 |
11285
1a3c9bd45b11
auth: Separate auth and login connections. Non-login requests are freed immediately after auth finished.
Timo Sirainen <tss@iki.fi>
parents:
11256
diff
changeset
|
727 bool auth_request_handler_master_request(struct auth_request_handler *handler, |
3308
3f090bcaffcc
Allow multiple master connections for a single listener.
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
728 struct auth_master_connection *master, |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
729 unsigned int id, unsigned int client_id, |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
730 const char *const *params) |
3074 | 731 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
732 struct auth_request *request; |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
733 struct net_unix_cred cred; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
734 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
735 request = hash_table_lookup(handler->requests, POINTER_CAST(client_id)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
736 if (request == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
737 i_error("Master request %u.%u not found", |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
738 handler->client_pid, client_id); |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
739 return auth_master_request_failed(handler, master, id); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
740 } |
3074 | 741 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
742 auth_request_ref(request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
743 auth_request_handler_remove(handler, request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
744 |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
745 for (; *params != NULL; params++) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
746 const char *name, *param = strchr(*params, '='); |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
747 |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
748 if (param == NULL) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
749 name = *params; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
750 param = ""; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
751 } else { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
752 name = t_strdup_until(*params, param); |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
753 param++; |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
754 } |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
755 |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
756 (void)auth_request_import_master(request, name, param); |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
757 } |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
758 |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
759 /* verify session pid if specified and possible */ |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
760 if (request->session_pid != (pid_t)-1 && |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
761 net_getunixcred(master->fd, &cred) == 0 && |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
762 cred.pid != (pid_t)-1 && request->session_pid != cred.pid) { |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
763 i_error("Session pid %ld provided by master for request %u.%u " |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
764 "did not match peer credentials (pid=%ld, uid=%ld)", |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
765 (long)request->session_pid, |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
766 handler->client_pid, client_id, |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
767 (long)cred.pid, (long)cred.uid); |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
768 return auth_master_request_failed(handler, master, id); |
15049
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
769 } |
aa6027a0a78e
Added support to perform token-based service process authentication.
Stephan Bosch <stephan@rename-it.nl>
parents:
15005
diff
changeset
|
770 |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
771 if (request->state != AUTH_REQUEST_STATE_FINISHED || |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
772 !request->successful) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
773 i_error("Master requested unfinished authentication request " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
774 "%u.%u", handler->client_pid, client_id); |
15682
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
775 handler->master_callback(t_strdup_printf("FAIL\t%u", id), |
526aa986d534
auth: Code cleanup: Avoid using auth_stream_reply as temporary strings.
Timo Sirainen <tss@iki.fi>
parents:
15681
diff
changeset
|
776 master); |
4401
10cdcfe98cfc
Fixed memory leak in error handling.
Timo Sirainen <tss@iki.fi>
parents:
3952
diff
changeset
|
777 auth_request_unref(&request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
778 } else { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
779 /* the request isn't being referenced anywhere anymore, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
780 so we can do a bit of kludging.. replace the request's |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
781 old client_id with master's id. */ |
11251
6243376eff60
auth: If verbose_proctitle=yes, show auth request counts in ps.
Timo Sirainen <tss@iki.fi>
parents:
11250
diff
changeset
|
782 auth_request_set_state(request, AUTH_REQUEST_STATE_USERDB); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
783 request->id = id; |
3308
3f090bcaffcc
Allow multiple master connections for a single listener.
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
784 request->master = master; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
785 |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
786 /* master and handler are referenced until userdb_callback i |
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
787 s called. */ |
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
788 auth_master_connection_ref(master); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
789 handler->refcount++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
790 auth_request_lookup_user(request, userdb_callback); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
791 } |
11285
1a3c9bd45b11
auth: Separate auth and login connections. Non-login requests are freed immediately after auth finished.
Timo Sirainen <tss@iki.fi>
parents:
11256
diff
changeset
|
792 return TRUE; |
3074 | 793 } |
794 | |
11354
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
795 void auth_request_handler_cancel_request(struct auth_request_handler *handler, |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
796 unsigned int client_id) |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
797 { |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
798 struct auth_request *request; |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
799 |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
800 request = hash_table_lookup(handler->requests, POINTER_CAST(client_id)); |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
801 if (request != NULL) |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
802 auth_request_handler_remove(handler, request); |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
803 } |
f70433791464
login: Tell auth process to free aborted auth requests.
Timo Sirainen <tss@iki.fi>
parents:
11285
diff
changeset
|
804 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
805 void auth_request_handler_flush_failures(bool flush_all) |
3074 | 806 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
807 struct auth_request **auth_requests, *auth_request; |
21954
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
808 unsigned int i, j, count; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
809 time_t diff; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
810 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
811 count = aqueue_count(auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
812 if (count == 0) { |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
813 if (to_auth_failures != NULL) |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
814 timeout_remove(&to_auth_failures); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
815 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
816 } |
3074 | 817 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
818 auth_requests = array_idx_modifiable(&auth_failures_arr, 0); |
21954
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
819 /* count the number of requests that we need to flush */ |
7087
a281705a2360
Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
820 for (i = 0; i < count; i++) { |
21954
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
821 auth_request = auth_requests[aqueue_idx(auth_failures, i)]; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
822 |
9002
9d0037a997f4
Initial commit for config rewrite.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
823 /* FIXME: assumess that failure_delay is always the same. */ |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
824 diff = ioloop_time - auth_request->last_access; |
10903
6e639833c3fc
auth: Initial support for per-protocol auth settings.
Timo Sirainen <tss@iki.fi>
parents:
10895
diff
changeset
|
825 if (diff < (time_t)auth_request->set->failure_delay && |
9002
9d0037a997f4
Initial commit for config rewrite.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
826 !flush_all) |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
827 break; |
21954
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
828 } |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
829 |
21954
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
830 /* shuffle these requests to try to prevent any kind of timing attacks |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
831 where attacker performs multiple requests in parallel and attempts |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
832 to figure out results based on the order of replies. */ |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
833 count = i; |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
834 for (i = 0; i < count; i++) { |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
835 j = random() % (count - i) + i; |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
836 auth_request = auth_requests[aqueue_idx(auth_failures, i)]; |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
837 |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
838 /* swap i & j */ |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
839 auth_requests[aqueue_idx(auth_failures, i)] = |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
840 auth_requests[aqueue_idx(auth_failures, j)]; |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
841 auth_requests[aqueue_idx(auth_failures, j)] = auth_request; |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
842 } |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
843 |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
844 /* flush the requests */ |
1c952a42bf12
auth: Shuffle failed auth requests before sending the failure replies.
Timo Sirainen <timo.sirainen@dovecot.fi>
parents:
21390
diff
changeset
|
845 for (i = 0; i < count; i++) { |
22099
cb967fd0910c
auth: Access always first entry when flushing failures
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
22093
diff
changeset
|
846 auth_request = auth_requests[aqueue_idx(auth_failures, 0)]; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
847 aqueue_delete_tail(auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
848 |
22099
cb967fd0910c
auth: Access always first entry when flushing failures
Aki Tuomi <aki.tuomi@dovecot.fi>
parents:
22093
diff
changeset
|
849 i_assert(auth_request != NULL); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
850 i_assert(auth_request->state == AUTH_REQUEST_STATE_FINISHED); |
11497
94f78f415811
auth: Removed unnecessary auth_request callback and context uses.
Timo Sirainen <tss@iki.fi>
parents:
11494
diff
changeset
|
851 auth_request_handler_reply(auth_request, |
14629
c93ca5e46a8a
Marked functions parameters that are allowed to be NULL. Some APIs were also changed.
Timo Sirainen <tss@iki.fi>
parents:
14577
diff
changeset
|
852 AUTH_CLIENT_RESULT_FAILURE, |
c93ca5e46a8a
Marked functions parameters that are allowed to be NULL. Some APIs were also changed.
Timo Sirainen <tss@iki.fi>
parents:
14577
diff
changeset
|
853 &uchar_nul, 0); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
854 auth_request_unref(&auth_request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
855 } |
3074 | 856 } |
857 | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
5872
diff
changeset
|
858 static void auth_failure_timeout(void *context ATTR_UNUSED) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
859 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
860 auth_request_handler_flush_failures(FALSE); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
861 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
862 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
863 void auth_request_handler_init(void) |
3074 | 864 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
865 i_array_init(&auth_failures_arr, 128); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
866 auth_failures = aqueue_init(&auth_failures_arr.arr); |
3074 | 867 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
868 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
869 void auth_request_handler_deinit(void) |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
870 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
871 auth_request_handler_flush_failures(TRUE); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
872 array_free(&auth_failures_arr); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
873 aqueue_deinit(&auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
874 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
875 if (to_auth_failures != NULL) |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
876 timeout_remove(&to_auth_failures); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
877 } |