dovecot/core-2.2: src/auth/auth-request.c annotate

annotate src/auth/auth-request.c @ 7122:fb03422c0760 HEAD

Added "proxy_maybe" field. If it's used instead of "proxy" and the proxy destination matches the current connection, the user is logged in normally instead of the login failing with "Proxying loops".

author	Timo Sirainen <tss@iki.fi>
date	Sun, 06 Jan 2008 03:13:20 +0200
parents	1bd8b17bfabe
children	25e7c37c7c10

rev	line source
7086 7ed926ed7aa4 Updated copyright notices to include year 2008. Timo Sirainen <tss@iki.fi> parents: 6940 diff changeset	1 /* Copyright (c) 2002-2008 Dovecot authors, see the included COPYING file */
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	2
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	3 #include "common.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	4 #include "ioloop.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "buffer.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "hash.h"
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	7 #include "hex-binary.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	8 #include "str.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	9 #include "safe-memset.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "str-sanitize.h"
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	11 #include "strescape.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	12 #include "var-expand.h"
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	13 #include "auth-cache.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	14 #include "auth-request.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	15 #include "auth-client-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #include "auth-master-connection.h"
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	17 #include "passdb.h"
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	18 #include "passdb-blocking.h"
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	19 #include "userdb-blocking.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	20 #include "passdb-cache.h"
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	21 #include "password-scheme.h"
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	22
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	23 #include <stdlib.h>
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	24 #include <sys/stat.h>
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	25
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	26 struct auth_request *
5788 bdb16967be64 Further const'ification of struct mech_module. Andrey Panin <pazke@donpac.ru> parents: 5619 diff changeset	27 auth_request_new(struct auth auth, const struct mech_module mech,
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	28 mech_callback_t callback, void context)
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	29 {
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	30 struct auth_request *request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	31
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	32 request = mech->auth_new();
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	33 request->state = AUTH_REQUEST_STATE_NEW;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	34 request->passdb = auth->passdbs;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	35 request->userdb = auth->userdbs;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	36
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	37 request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	38 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	39
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	40 request->auth = auth;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	41 request->mech = mech;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	42 request->callback = callback;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	43 request->context = context;
3072 289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	44 return request;
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	45 }
289a98ba5d95 Another try with API cleanup. Timo Sirainen <tss@iki.fi> parents: 3071 diff changeset	46
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	47 struct auth_request auth_request_new_dummy(struct auth auth)
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	48 {
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	49 struct auth_request *auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	50 pool_t pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	51
3695 4f8598b0ca62 Use a bit larger initial pool sizes Timo Sirainen <tss@iki.fi> parents: 3687 diff changeset	52 pool = pool_alloconly_create("auth_request", 1024);
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	53 auth_request = p_new(pool, struct auth_request, 1);
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	54 auth_request->pool = pool;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	55
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	56 auth_request->refcount = 1;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	57 auth_request->last_access = ioloop_time;
3185 3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	58 auth_request->auth = auth;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	59 auth_request->passdb = auth->passdbs;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	60 auth_request->userdb = auth->userdbs;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	61
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	62 return auth_request;
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	63 }
3089083e1d47 Handle USER requests from master connections. Timo Sirainen <tss@iki.fi> parents: 3183 diff changeset	64
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	65 void auth_request_success(struct auth_request *request,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	66 const void *data, size_t data_size)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	67 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	68 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	69
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	70 if (request->passdb_failure) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	71 /* password was valid, but some other check failed. */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	72 auth_request_fail(request);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	73 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	74 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	75
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	76 request->state = AUTH_REQUEST_STATE_FINISHED;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	77 request->successful = TRUE;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	78 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	79 request->callback(request, AUTH_CLIENT_RESULT_SUCCESS,
3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	80 data, data_size);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	81 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	82
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	83 void auth_request_fail(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	84 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	85 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	86
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	87 request->state = AUTH_REQUEST_STATE_FINISHED;
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	88 request->last_access = ioloop_time;
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	89 request->callback(request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	90 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	91
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	92 void auth_request_internal_failure(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	93 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	94 request->internal_failure = TRUE;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	95 auth_request_fail(request);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	96 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	97
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	98 void auth_request_ref(struct auth_request *request)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	99 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	100 request->refcount++;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	101 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	102
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	103 void auth_request_unref(struct auth_request **_request)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	104 {
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	105 struct auth_request request = _request;
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	106
928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	107 *_request = NULL;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	108 i_assert(request->refcount > 0);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	109 if (--request->refcount > 0)
3879 928229f8b3e6 deinit, unref, destroy, close, free, etc. functions now take a pointer to Timo Sirainen <tss@iki.fi> parents: 3863 diff changeset	110 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	111
3386 e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	112 if (request->mech != NULL)
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	113 request->mech->auth_free(request);
e4b84d82c685 Master connection's USER command was leaking memory (with deliver binary). Timo Sirainen <tss@iki.fi> parents: 3338 diff changeset	114 else
6428 7cad076906eb pool_unref() now takes ** pointer. Timo Sirainen <tss@iki.fi> parents: 6411 diff changeset	115 pool_unref(&request->pool);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	116 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	117
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	118 void auth_request_export(struct auth_request request, string_t str)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	119 {
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	120 str_append(str, "user=");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	121 str_append(str, request->user);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	122 str_append(str, "\tservice=");
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	123 str_append(str, request->service);
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	124
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	125 if (request->master_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	126 str_append(str, "master_user=");
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	127 str_append(str, request->master_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	128 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	129
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	130 if (request->local_ip.family != 0) {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	131 str_append(str, "\tlip=");
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	132 str_append(str, net_ip2addr(&request->local_ip));
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	133 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	134 if (request->remote_ip.family != 0) {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	135 str_append(str, "\trip=");
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	136 str_append(str, net_ip2addr(&request->remote_ip));
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	137 }
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	138 if (request->local_port != 0) {
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	139 str_append(str, "\tlport=");
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	140 str_printfa(str, "%u", request->local_port);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	141 }
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	142 if (request->remote_port != 0) {
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	143 str_append(str, "\trport=");
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	144 str_printfa(str, "%u", request->remote_port);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	145 }
5585 e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	146 if (request->secured)
e33158bc72b0 %c wasn't exported to auth worker processes. Patch by Andrey Panin Timo Sirainen <tss@iki.fi> parents: 5475 diff changeset	147 str_append(str, "\tsecured=1");
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	148 }
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	149
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	150 bool auth_request_import(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	151 const char key, const char value)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	152 {
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	153 if (strcmp(key, "user") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	154 request->user = p_strdup(request->pool, value);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	155 else if (strcmp(key, "master_user") == 0)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	156 request->master_user = p_strdup(request->pool, value);
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	157 else if (strcmp(key, "cert_username") == 0) {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	158 if (request->auth->ssl_username_from_cert) {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	159 /* get username from SSL certificate. it overrides
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	160 the username given by the auth mechanism. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	161 request->user = p_strdup(request->pool, value);
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	162 request->cert_username = TRUE;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	163 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3609 diff changeset	164 } else if (strcmp(key, "service") == 0)
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	165 request->service = p_strdup(request->pool, value);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	166 else if (strcmp(key, "lip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	167 net_addr2ip(value, &request->local_ip);
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	168 else if (strcmp(key, "rip") == 0)
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	169 net_addr2ip(value, &request->remote_ip);
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	170 else if (strcmp(key, "lport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	171 request->local_port = atoi(value);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	172 else if (strcmp(key, "rport") == 0)
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	173 request->remote_port = atoi(value);
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	174 else if (strcmp(key, "secured") == 0)
0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	175 request->secured = TRUE;
7106 1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	176 else if (strcmp(key, "nologin") == 0)
1bd8b17bfabe If AUTH has "nologin" parameter, the request is freed when authentication is Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	177 request->no_login = TRUE;
3338 e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	178 else
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	179 return FALSE;
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	180
e5ce49c8524a USER auth command requires now service parameter and supports also others Timo Sirainen <tss@iki.fi> parents: 3318 diff changeset	181 return TRUE;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	182 }
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	183
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	184 void auth_request_initial(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	185 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	186 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	187 i_assert(request->state == AUTH_REQUEST_STATE_NEW);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	188
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	189 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	190 request->mech->auth_initial(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	191 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	192
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	193 void auth_request_continue(struct auth_request *request,
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	194 const unsigned char *data, size_t data_size)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	195 {
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	196 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	197
5586 dad0e22b735a Changed auth_request->created to last_access and update it a bit more often. Timo Sirainen <tss@iki.fi> parents: 5585 diff changeset	198 request->last_access = ioloop_time;
3071 c7db6b291daa API cleanup Timo Sirainen <tss@iki.fi> parents: 3069 diff changeset	199 request->mech->auth_continue(request, data, data_size);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	200 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	201
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	202 static void auth_request_save_cache(struct auth_request *request,
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	203 enum passdb_result result)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	204 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	205 struct passdb_module *passdb = request->passdb->passdb;
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	206 const char *extra_fields;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	207 string_t *str;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	208
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	209 switch (result) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	210 case PASSDB_RESULT_USER_UNKNOWN:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	211 case PASSDB_RESULT_PASSWORD_MISMATCH:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	212 case PASSDB_RESULT_OK:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	213 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	214 /* can be cached */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	215 break;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	216 case PASSDB_RESULT_USER_DISABLED:
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	217 case PASSDB_RESULT_PASS_EXPIRED:
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	218 /* FIXME: we can't cache this now, or cache lookup would
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	219 return success. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	220 return;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	221 case PASSDB_RESULT_INTERNAL_FAILURE:
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	222 i_unreached();
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	223 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	224
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	225 extra_fields = request->extra_fields == NULL ? NULL :
e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	226 auth_stream_reply_export(request->extra_fields);
3432 079ec5c2d665 Last change caused user-given passwords to be cached, and later the password Timo Sirainen <tss@iki.fi> parents: 3431 diff changeset	227
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	228 if (passdb_cache == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	229 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	230
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	231 if (passdb->cache_key == NULL)
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	232 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	233
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	234 if (result < 0) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	235 /* lookup failed. */
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	236 if (result == PASSDB_RESULT_USER_UNKNOWN) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	237 auth_cache_insert(passdb_cache, request,
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	238 passdb->cache_key, "", FALSE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	239 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	240 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	241 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	242
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	243 if (!request->no_password && request->passdb_password == NULL) {
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	244 /* passdb didn't provide the correct password */
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	245 if (result != PASSDB_RESULT_OK \|\|
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	246 request->mech_password == NULL)
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	247 return;
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	248
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	249 /* we can still cache valid password lookups though.
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	250 strdup() it so that mech_password doesn't get
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	251 cleared too early. */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	252 request->passdb_password =
5039 953f02db95dc auth cache: If passdb didn't provide the password, we used the user-given Timo Sirainen <tss@iki.fi> parents: 5036 diff changeset	253 p_strconcat(request->pool, "{plain}",
953f02db95dc auth cache: If passdb didn't provide the password, we used the user-given Timo Sirainen <tss@iki.fi> parents: 5036 diff changeset	254 request->mech_password, NULL);
3645 81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	255 }
81180ca12997 We were caching failed blocking requests wrong. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	256
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	257 /* save all except the currently given password in cache */
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	258 str = t_str_new(256);
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	259 if (request->passdb_password != NULL) {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	260 if (*request->passdb_password != '{') {
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	261 /* cached passwords must have a known scheme */
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	262 str_append_c(str, '{');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	263 str_append(str, passdb->default_pass_scheme);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	264 str_append_c(str, '}');
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	265 }
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	266 if (strchr(request->passdb_password, '\t') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	267 i_panic("%s: Password contains TAB", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	268 if (strchr(request->passdb_password, '\n') != NULL)
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	269 i_panic("%s: Password contains LF", request->user);
09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	270 str_append(str, request->passdb_password);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	271 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	272
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	273 if (extra_fields != NULL && *extra_fields != '\0') {
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	274 str_append_c(str, '\t');
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	275 str_append(str, extra_fields);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	276 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	277 if (request->extra_cache_fields != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	278 extra_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	279 auth_stream_reply_export(request->extra_cache_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	280 if (*extra_fields != '\0') {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	281 str_append_c(str, '\t');
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	282 str_append(str, extra_fields);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	283 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	284 }
4658 3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	285 auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str),
3b49b9ec87dc auth_cache: Try to handle changing passwords automatically: If password Timo Sirainen <tss@iki.fi> parents: 4575 diff changeset	286 result == PASSDB_RESULT_OK);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	287 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	288
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	289 static bool auth_request_master_lookup_finish(struct auth_request *request)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	290 {
4534 dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	291 if (request->passdb_failure)
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	292 return TRUE;
dee19849654b If master login failed because of non-password failure (eg. allow_nets) Timo Sirainen <tss@iki.fi> parents: 4533 diff changeset	293
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	294 /* master login successful. update user and master_user variables. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	295 auth_request_log_info(request, "passdb", "Master user logging in as %s",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	296 request->requested_login_user);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	297
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	298 request->master_user = request->user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	299 request->user = request->requested_login_user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	300 request->requested_login_user = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	301
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	302 request->skip_password_check = TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	303 request->passdb_password = NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	304
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	305 if (!request->passdb->pass) {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	306 /* skip the passdb lookup, we're authenticated now. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	307 return TRUE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	308 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	309
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	310 /* the authentication continues with passdb lookup for the
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	311 requested_login_user. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	312 request->passdb = request->auth->passdbs;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	313 return FALSE;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	314 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	315
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	316 static bool
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	317 auth_request_handle_passdb_callback(enum passdb_result *result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	318 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	319 {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	320 if (request->passdb_password != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	321 safe_memset(request->passdb_password, 0,
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	322 strlen(request->passdb_password));
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	323 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	324
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	325 if (request->passdb->deny && *result != PASSDB_RESULT_USER_UNKNOWN) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	326 /* deny passdb. we can get through this step only if the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	327 lookup returned that user doesn't exist in it. internal
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	328 errors are fatal here. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	329 if (*result != PASSDB_RESULT_INTERNAL_FAILURE) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	330 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	331 "User found from deny passdb");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	332 *result = PASSDB_RESULT_USER_DISABLED;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	333 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	334 } else if (*result == PASSDB_RESULT_OK) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	335 /* success */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	336 if (request->requested_login_user != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	337 /* this was a master user lookup. */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	338 if (!auth_request_master_lookup_finish(request))
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	339 return FALSE;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	340 } else {
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	341 if (request->passdb->pass) {
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	342 /* this wasn't the final passdb lookup,
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	343 continue to next passdb */
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	344 request->passdb = request->passdb->next;
4402 8846e6be0e02 If multiple passdbs were configured and we tried to authenticate as user Timo Sirainen <tss@iki.fi> parents: 4374 diff changeset	345 request->passdb_password = NULL;
4104 77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	346 return FALSE;
77e10f1d2cb2 Removed master_no_passdb setting. Added pass setting which can be used to do Timo Sirainen <tss@iki.fi> parents: 4078 diff changeset	347 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	348 }
4374 96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	349 } else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	350 if (request->extra_fields == NULL)
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	351 request->extra_fields = auth_stream_reply_init(request);
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	352 auth_stream_reply_add(request->extra_fields, "reason",
96fd7a3f9bfe If password is expired, give "Password expired" error. Currently works only Timo Sirainen <tss@iki.fi> parents: 4295 diff changeset	353 "Password expired");
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	354 } else if (request->passdb->next != NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	355 *result != PASSDB_RESULT_USER_DISABLED) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	356 /* try next passdb. */
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	357 request->passdb = request->passdb->next;
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	358 request->passdb_password = NULL;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	359
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	360 if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	361 /* remember that we have had an internal failure. at
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	362 the end return internal failure if we couldn't
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	363 successfully login. */
3606 8a8352cda514 If passdb lookup fails with internal error, try other passdbs anyway before Timo Sirainen <tss@iki.fi> parents: 3520 diff changeset	364 request->passdb_internal_failure = TRUE;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	365 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	366 if (request->extra_fields != NULL)
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	367 auth_stream_reply_reset(request->extra_fields);
769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	368
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	369 return FALSE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	370 } else if (request->passdb_internal_failure) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	371 /* last passdb lookup returned internal failure. it may have
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	372 had the correct password, so return internal failure
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	373 instead of plain failure. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	374 *result = PASSDB_RESULT_INTERNAL_FAILURE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	375 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	376
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	377 return TRUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	378 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	379
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	380 static void
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	381 auth_request_verify_plain_callback_finish(enum passdb_result result,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	382 struct auth_request *request)
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	383 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	384 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	385 /* try next passdb */
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	386 auth_request_verify_plain(request, request->mech_password,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	387 request->private_callback.verify_plain);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	388 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	389 auth_request_ref(request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	390 request->private_callback.verify_plain(result, request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	391 safe_memset(request->mech_password, 0,
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	392 strlen(request->mech_password));
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	393 auth_request_unref(&request);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	394 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	395 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	396
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	397 void auth_request_verify_plain_callback(enum passdb_result result,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	398 struct auth_request *request)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	399 {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	400 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	401
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	402 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	403
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	404 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	405 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	406 else {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	407 /* lookup failed. if we're looking here only because the
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	408 request was expired in cache, fallback to using cached
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	409 expired record. */
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	410 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	411
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	412 if (passdb_cache_verify_plain(request, cache_key,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	413 request->mech_password,
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	414 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	415 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	416 "Fallbacking to expired data from cache");
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	417 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	418 }
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	419
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	420 auth_request_verify_plain_callback_finish(result, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	421 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	422
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	423 void auth_request_verify_plain(struct auth_request *request,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	424 const char *password,
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	425 verify_plain_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	426 {
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	427 struct passdb_module *passdb;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	428 enum passdb_result result;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	429 const char *cache_key;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	430
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	431 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	432
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	433 if (request->passdb == NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	434 /* no masterdbs, master logins not supported */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	435 i_assert(request->requested_login_user != NULL);
4139 68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	436 auth_request_log_info(request, "passdb",
68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	437 "Attempted master login with no master passdbs");
68c2ad5e4f85 Master login attempts weren't logged if no master passdbs were defined. Timo Sirainen <tss@iki.fi> parents: 4136 diff changeset	438 callback(PASSDB_RESULT_USER_UNKNOWN, request);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	439 return;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	440 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	441
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	442 passdb = request->passdb->passdb;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	443 if (request->mech_password == NULL)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	444 request->mech_password = p_strdup(request->pool, password);
3656 fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	445 else
fda241fa5d77 Make auth caching work with non-sql/ldap passdbs too. Timo Sirainen <tss@iki.fi> parents: 3655 diff changeset	446 i_assert(request->mech_password == password);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	447 request->private_callback.verify_plain = callback;
3164 da9e4ffef09f Last changes broke proxying when user was in auth cache. Timo Sirainen <tss@iki.fi> parents: 3161 diff changeset	448
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	449 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	450 if (passdb_cache_verify_plain(request, cache_key, password,
64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	451 &result, FALSE)) {
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	452 auth_request_verify_plain_callback_finish(result, request);
3728 64ed35c97678 Don't crash if cache key isn't set but cache is enabled. Timo Sirainen <tss@iki.fi> parents: 3695 diff changeset	453 return;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	454 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	455
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	456 request->state = AUTH_REQUEST_STATE_PASSDB;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	457 request->credentials_scheme = NULL;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	458
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	459 if (passdb->blocking)
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	460 passdb_blocking_verify_plain(request);
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	461 else {
3771 4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	462 passdb->iface.verify_plain(request, password,
4b6d962485b9 Added authentication bind support. Patch by J.M. Maurer. Timo Sirainen <tss@iki.fi> parents: 3728 diff changeset	463 auth_request_verify_plain_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	464 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	465 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	466
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	467 static void
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	468 auth_request_lookup_credentials_finish(enum passdb_result result,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	469 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	470 size_t size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	471 struct auth_request *request)
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	472 {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	473 if (!auth_request_handle_passdb_callback(&result, request)) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	474 /* try next passdb */
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	475 auth_request_lookup_credentials(request,
f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	476 request->credentials_scheme,
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	477 request->private_callback.lookup_credentials);
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	478 } else {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	479 if (request->auth->verbose_debug_passwords &&
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	480 result == PASSDB_RESULT_OK) {
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	481 auth_request_log_debug(request, "password",
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	482 "Credentials: %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	483 binary_to_hex(credentials, size));
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	484 }
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	485 request->private_callback.
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	486 lookup_credentials(result, credentials, size, request);
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	487 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	488 }
ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	489
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	490 void auth_request_lookup_credentials_callback(enum passdb_result result,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	491 const unsigned char *credentials,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	492 size_t size,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	493 struct auth_request *request)
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	494 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	495 const char cache_cred, cache_scheme;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	496
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	497 i_assert(request->state == AUTH_REQUEST_STATE_PASSDB);
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	498
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	499 request->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	500
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	501 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	502 auth_request_save_cache(request, result);
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	503 else {
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	504 /* lookup failed. if we're looking here only because the
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	505 request was expired in cache, fallback to using cached
97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	506 expired record. */
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	507 const char *cache_key = request->passdb->passdb->cache_key;
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	508
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	509 if (passdb_cache_lookup_credentials(request, cache_key,
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	510 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	511 &result, TRUE)) {
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	512 auth_request_log_info(request, "passdb",
62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	513 "Fallbacking to expired data from cache");
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	514 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	515 if (result == PASSDB_RESULT_OK) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	516 if (!passdb_get_credentials(request, cache_cred,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	517 cache_scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	518 &credentials, &size))
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	519 result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
3167 97f53e0cce63 Fallback to using expired records from auth cache if database lookups fail. Timo Sirainen <tss@iki.fi> parents: 3166 diff changeset	520 }
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	521 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	522
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	523 auth_request_lookup_credentials_finish(result, credentials, size,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	524 request);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	525 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	526
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	527 void auth_request_lookup_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	528 const char *scheme,
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	529 lookup_credentials_callback_t *callback)
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	530 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	531 struct passdb_module *passdb = request->passdb->passdb;
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	532 const char cache_key, cache_cred, *cache_scheme;
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	533 const unsigned char *credentials;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	534 size_t size;
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	535 enum passdb_result result;
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	536
8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	537 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	538
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	539 request->credentials_scheme = p_strdup(request->pool, scheme);
5233 359a8f31aa9b Fixed a crash when non-plaintext mechanism used auth_cache. Timo Sirainen <tss@iki.fi> parents: 5170 diff changeset	540 request->private_callback.lookup_credentials = callback;
3682 0207808033ad Non-plaintext authentication and passdb cache didn't work together. Patch by Timo Sirainen <tss@iki.fi> parents: 3669 diff changeset	541
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	542 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	543 if (cache_key != NULL) {
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	544 if (passdb_cache_lookup_credentials(request, cache_key,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	545 &cache_cred, &cache_scheme,
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	546 &result, FALSE)) {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	547 if (result == PASSDB_RESULT_OK &&
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	548 !passdb_get_credentials(request, cache_cred,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	549 cache_scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	550 &credentials, &size))
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	551 result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	552 auth_request_lookup_credentials_finish(
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	553 result, credentials, size, request);
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	554 return;
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	555 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	556 }
6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	557
3171 8a3b57385eca Added state variable for auth_request and several assertions to make sure Timo Sirainen <tss@iki.fi> parents: 3167 diff changeset	558 request->state = AUTH_REQUEST_STATE_PASSDB;
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	559
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	560 if (passdb->iface.lookup_credentials == NULL) {
3655 62fc6883faeb Fixes and cleanups to credentials handling. Also fixed auth caching to work Timo Sirainen <tss@iki.fi> parents: 3645 diff changeset	561 /* this passdb doesn't support credentials */
5475 769aaaee6821 Reverted accidental commit. This code isn't ready yet. Timo Sirainen <tss@iki.fi> parents: 5462 diff changeset	562 auth_request_lookup_credentials_callback(
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	563 PASSDB_RESULT_SCHEME_NOT_AVAILABLE, NULL, 0, request);
6243 f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	564 } else if (passdb->blocking) {
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	565 passdb_blocking_lookup_credentials(request);
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	566 } else {
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	567 passdb->iface.lookup_credentials(request,
f4739631ce87 Don't crash if blocking passdb doesn't support credential lookups. Timo Sirainen <tss@iki.fi> parents: 5988 diff changeset	568 auth_request_lookup_credentials_callback);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	569 }
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	570 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	571
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	572 void auth_request_set_credentials(struct auth_request *request,
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	573 const char scheme, const char data,
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	574 set_credentials_callback_t *callback)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	575 {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	576 struct passdb_module *passdb = request->passdb->passdb;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	577 const char cache_key, new_credentials;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	578
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	579 cache_key = passdb_cache == NULL ? NULL : passdb->cache_key;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	580 if (cache_key != NULL)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	581 auth_cache_remove(passdb_cache, request, cache_key);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	582
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	583 request->private_callback.set_credentials = callback;
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	584
5593 f8dc0bdb06a7 Removed enum passdb_credentials. Use scheme strings directly instead. This Timo Sirainen <tss@iki.fi> parents: 5586 diff changeset	585 new_credentials = t_strdup_printf("{%s}%s", scheme, data);
4782 2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	586 if (passdb->blocking)
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	587 passdb_blocking_set_credentials(request, new_credentials);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	588 else if (passdb->iface.set_credentials != NULL) {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	589 passdb->iface.set_credentials(request, new_credentials,
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	590 callback);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	591 } else {
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	592 /* this passdb doesn't support credentials update */
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	593 callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	594 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	595 }
2c1cc5bbc260 Added auth_request_set_credentials() to modify credentials in passdb and Timo Sirainen <tss@iki.fi> parents: 4756 diff changeset	596
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	597 static void auth_request_userdb_save_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	598 enum userdb_result result)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	599 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	600 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	601 const char *str;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	602
4983 8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	603 if (passdb_cache == NULL \|\| userdb->cache_key == NULL)
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	604 return;
8089e7461519 We crashed if auth cache was disabled. Patch by Andrey Panin. Timo Sirainen <tss@iki.fi> parents: 4955 diff changeset	605
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	606 str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	607 auth_stream_reply_export(request->userdb_reply);
5069 005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	608 /* last_success has no meaning with userdb */
005ad2165d08 If auth_cache was enabled and userdb returned "user unknown" (typically only Timo Sirainen <tss@iki.fi> parents: 5039 diff changeset	609 auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	610 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	611
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	612 static bool auth_request_lookup_user_cache(struct auth_request *request,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	613 const char *key,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	614 struct auth_stream_reply **reply_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	615 enum userdb_result *result_r,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	616 bool use_expired)
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	617 {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	618 const char *value;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	619 struct auth_cache_node *node;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	620 bool expired;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	621
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	622 value = auth_cache_lookup(passdb_cache, request, key, &node,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	623 &expired);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	624 if (value == NULL \|\| (expired && !use_expired))
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	625 return FALSE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	626
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	627 if (*value == '\0') {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	628 /* negative cache entry */
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	629 *result_r = USERDB_RESULT_USER_UNKNOWN;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	630 *reply_r = auth_stream_reply_init(request);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	631 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	632 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	633
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	634 *result_r = USERDB_RESULT_OK;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	635 *reply_r = auth_stream_reply_init(request);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	636 auth_stream_reply_import(*reply_r, value);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	637 return TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	638 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	639
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	640 void auth_request_userdb_callback(enum userdb_result result,
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	641 struct auth_request *request)
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	642 {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	643 struct userdb_module *userdb = request->userdb->userdb;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	644
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	645 if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	646 /* try next userdb. */
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	647 if (result == USERDB_RESULT_INTERNAL_FAILURE)
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	648 request->userdb_internal_failure = TRUE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	649
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	650 request->userdb = request->userdb->next;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	651 auth_request_lookup_user(request,
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	652 request->private_callback.userdb);
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	653 return;
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	654 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	655
4880 4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	656 if (request->userdb_internal_failure && result != USERDB_RESULT_OK) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	657 /* one of the userdb lookups failed. the user might have been
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	658 in there, so this is an internal failure */
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	659 result = USERDB_RESULT_INTERNAL_FAILURE;
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	660 } else if (result == USERDB_RESULT_USER_UNKNOWN &&
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	661 request->client_pid != 0) {
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	662 /* this was an actual login attempt, the user should
4ec6a4def05b We treated internal userdb lookup errors as "user unknown" errors. In such Timo Sirainen <tss@iki.fi> parents: 4872 diff changeset	663 have been found. */
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	664 auth_request_log_error(request, "userdb",
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	665 "user not found from userdb");
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	666 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	667
5302 db232a079106 If unknown user was found from auth cache, we returned an invalid value Timo Sirainen <tss@iki.fi> parents: 5260 diff changeset	668 if (result != USERDB_RESULT_INTERNAL_FAILURE)
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	669 auth_request_userdb_save_cache(request, result);
5036 df93cf66022a If request fails with internal failure, don't crash if auth cache is Timo Sirainen <tss@iki.fi> parents: 4983 diff changeset	670 else if (passdb_cache != NULL && userdb->cache_key != NULL) {
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	671 /* lookup failed. if we're looking here only because the
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	672 request was expired in cache, fallback to using cached
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	673 expired record. */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	674 const char *cache_key = userdb->cache_key;
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	675 struct auth_stream_reply *reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	676
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	677 if (auth_request_lookup_user_cache(request, cache_key, &reply,
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	678 &result, TRUE)) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	679 request->userdb_reply = reply;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	680 auth_request_log_info(request, "userdb",
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	681 "Fallbacking to expired data from cache");
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	682 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	683 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	684
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	685 request->private_callback.userdb(result, request);
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	686 }
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	687
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	688 void auth_request_lookup_user(struct auth_request *request,
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	689 userdb_callback_t *callback)
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	690 {
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	691 struct userdb_module *userdb = request->userdb->userdb;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	692 const char *cache_key;
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	693
16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	694 request->private_callback.userdb = callback;
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	695 request->userdb_lookup = TRUE;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	696
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	697 /* (for now) auth_cache is shared between passdb and userdb */
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	698 cache_key = passdb_cache == NULL ? NULL : userdb->cache_key;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	699 if (cache_key != NULL) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	700 struct auth_stream_reply *reply;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	701 enum userdb_result result;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	702
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	703 if (auth_request_lookup_user_cache(request, cache_key, &reply,
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	704 &result, FALSE)) {
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	705 request->userdb_reply = reply;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	706 request->private_callback.userdb(result, request);
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	707 return;
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	708 }
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	709 }
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	710
e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	711 if (userdb->blocking)
3183 16ea551957ed Replaced userdb/passdb settings with blocks so it's possible to give Timo Sirainen <tss@iki.fi> parents: 3171 diff changeset	712 userdb_blocking_lookup(request);
3166 e6a487d80288 Restructuring of auth code. Balancer auth processes were a bad idea. Usually Timo Sirainen <tss@iki.fi> parents: 3164 diff changeset	713 else
3658 fc4622b1c1ef Separated userdb_module's interface and the actual data struct. Timo Sirainen <tss@iki.fi> parents: 3657 diff changeset	714 userdb->iface->lookup(request, auth_request_userdb_callback);
3068 b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	715 }
b01a8fa09f94 Cleanups. Timo Sirainen <tss@iki.fi> parents: 3065 diff changeset	716
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	717 static char *
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	718 auth_request_fix_username(struct auth_request request, const char username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	719 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	720 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	721 unsigned char *p;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	722 char *user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	723
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	724 if (strchr(username, '@') == NULL &&
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	725 request->auth->default_realm != NULL) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	726 user = p_strconcat(request->pool, username, "@",
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	727 request->auth->default_realm, NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	728 } else {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	729 user = p_strdup(request->pool, username);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	730 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	731
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	732 for (p = (unsigned char )user; p != '\0'; p++) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	733 if (request->auth->username_translation[*p & 0xff] != 0)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	734 p = request->auth->username_translation[p & 0xff];
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	735 if (request->auth->username_chars[*p & 0xff] == 0) {
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	736 *error_r = t_strdup_printf(
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	737 "Username contains disallowed character: "
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	738 "0x%02x", *p);
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	739 return NULL;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	740 }
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	741 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	742
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	743 if (request->auth->username_format != NULL) {
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	744 /* username format given, put it through variable expansion.
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	745 we'll have to temporarily replace request->user to get
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	746 %u to be the wanted username */
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	747 const struct var_expand_table *table;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	748 char *old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	749 string_t *dest;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	750
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	751 old_username = request->user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	752 request->user = user;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	753
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	754 dest = t_str_new(256);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	755 table = auth_request_get_var_expand_table(request,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	756 auth_request_str_escape);
4168 3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	757 var_expand(dest, request->auth->username_format, table);
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	758 user = p_strdup(request->pool, str_c(dest));
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	759
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	760 request->user = old_username;
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	761 }
3f27bf7832a2 Added auth_username_format setting. Timo Sirainen <tss@iki.fi> parents: 4164 diff changeset	762
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	763 return user;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	764 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	765
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	766 bool auth_request_set_username(struct auth_request *request,
55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3771 diff changeset	767 const char username, const char *error_r)
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	768 {
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	769 const char p, login_username = NULL;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	770
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	771 if (request->auth->master_user_separator != '\0' &&
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	772 !request->userdb_lookup) {
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	773 /* check if the username contains a master user */
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	774 p = strchr(username, request->auth->master_user_separator);
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	775 if (p != NULL) {
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	776 /* it does, set it. */
4140 52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	777 login_username = t_strdup_until(username, p);
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	778
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	779 /* username is the master user */
52a2e6f35acf The login and master usernames were reversed when using Timo Sirainen <tss@iki.fi> parents: 4139 diff changeset	780 username = p + 1;
4108 e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	781 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	782 }
e1774d677536 Added auth_master_user_separator setting which allows giving the master username inside the normal username. Timo Sirainen <timo.sirainen@movial.fi> parents: 4104 diff changeset	783
6619 2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	784 if (request->original_username == NULL) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	785 /* the username may change later, but we need to use this
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	786 username when verifying at least DIGEST-MD5 password. */
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	787 request->original_username = p_strdup(request->pool, username);
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	788 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	789 if (request->cert_username) {
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	790 /* cert_username overrides the username given by
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	791 authentication mechanism. */
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	792 return TRUE;
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	793 }
2a36e7d9ddb6 Don't keep master username in original_username. Timo Sirainen <tss@iki.fi> parents: 6575 diff changeset	794
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	795 if (*username == '\0') {
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	796 /* Some PAM plugins go nuts with empty usernames */
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	797 *error_r = "Empty username";
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	798 return FALSE;
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	799 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	800
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	801 request->user = auth_request_fix_username(request, username, error_r);
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	802 if (request->user == NULL) {
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	803 auth_request_log_debug(request, "auth",
679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	804 "Invalid username: %s", str_sanitize(username, 128));
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	805 return FALSE;
4834 679c9326741c When invalid character is found from username, say what character it is in Timo Sirainen <tss@iki.fi> parents: 4825 diff changeset	806 }
6658 d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	807 if (request->translated_username == NULL) {
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	808 /* similar to original_username, but after translations */
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	809 request->translated_username = request->user;
d22888a77a1e Auth cache didn't work for usernames that got translated internally. Timo Sirainen <tss@iki.fi> parents: 6619 diff changeset	810 }
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	811
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	812 if (login_username != NULL) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	813 if (!auth_request_set_login_username(request,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	814 login_username,
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	815 error_r))
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	816 return FALSE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	817 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	818 return TRUE;
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	819 }
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	820
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	821 bool auth_request_set_login_username(struct auth_request *request,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	822 const char *username,
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	823 const char **error_r)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	824 {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	825 i_assert(*username != '\0');
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	826
4164 d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	827 if (strcmp(username, request->user) == 0) {
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	828 /* The usernames are the same, we don't really wish to log
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	829 in as someone else */
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	830 return TRUE;
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	831 }
d38dd6312be1 Master login fixes, PLAIN authentication was still broken.. Timo Sirainen <tss@iki.fi> parents: 4146 diff changeset	832
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	833 /* lookup request->user from masterdb first */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	834 request->passdb = request->auth->masterdbs;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	835
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	836 request->requested_login_user =
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	837 auth_request_fix_username(request, username, error_r);
4136 f7731e6eec7e If master login username is the same as the normal username, we don't want Timo Sirainen <tss@iki.fi> parents: 4108 diff changeset	838 return request->requested_login_user != NULL;
3065 29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	839 }
29d83a8bb50d Reorganized the code to have less global/static variables. Timo Sirainen <tss@iki.fi> parents: 3064 diff changeset	840
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	841 static int is_ip_in_network(const char network, const struct ip_addr ip)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	842 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	843 const uint32_t ip1, ip2;
4685 dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	844 struct ip_addr src_ip, net_ip;
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	845 const char *p;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	846 unsigned int max_bits, bits, pos, i;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	847 uint32_t mask;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	848
4685 dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	849 if (net_ipv6_mapped_ipv4_convert(ip, &src_ip) == 0)
dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	850 ip = &src_ip;
dc5875c28aac When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses to actual Timo Sirainen <tss@iki.fi> parents: 4658 diff changeset	851
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	852 max_bits = IPADDR_IS_V4(ip) ? 32 : 128;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	853 p = strchr(network, '/');
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	854 if (p == NULL) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	855 /* full IP address must match */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	856 bits = max_bits;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	857 } else {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	858 /* get the network mask */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	859 network = t_strdup_until(network, p);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	860 bits = strtoul(p+1, NULL, 10);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	861 if (bits > max_bits)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	862 bits = max_bits;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	863 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	864
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	865 if (net_addr2ip(network, &net_ip) < 0)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	866 return -1;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	867
4533 92199dcb4018 If we logged in with IPv6 address and allow_nets contained IPv4 address, we Timo Sirainen <tss@iki.fi> parents: 4420 diff changeset	868 if (IPADDR_IS_V4(ip) != IPADDR_IS_V4(&net_ip)) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	869 /* one is IPv6 and one is IPv4 */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	870 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	871 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	872 i_assert(IPADDR_IS_V6(ip) == IPADDR_IS_V6(&net_ip));
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	873
5984 74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	874 if (IPADDR_IS_V4(ip)) {
74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	875 ip1 = &ip->u.ip4.s_addr;
74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	876 ip2 = &net_ip.u.ip4.s_addr;
74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	877 } else {
5988 42e56c396bfb Compile without IPv6 Timo Sirainen <tss@iki.fi> parents: 5984 diff changeset	878 #ifdef HAVE_IPV6
5984 74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	879 ip1 = (const void *)&ip->u.ip6;
74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	880 ip2 = (const void *)&net_ip.u.ip6;
5988 42e56c396bfb Compile without IPv6 Timo Sirainen <tss@iki.fi> parents: 5984 diff changeset	881 #else
42e56c396bfb Compile without IPv6 Timo Sirainen <tss@iki.fi> parents: 5984 diff changeset	882 /* shouldn't get here */
42e56c396bfb Compile without IPv6 Timo Sirainen <tss@iki.fi> parents: 5984 diff changeset	883 return -1;
42e56c396bfb Compile without IPv6 Timo Sirainen <tss@iki.fi> parents: 5984 diff changeset	884 #endif
5984 74a6130211c2 Changed struct ip_addr to use union for ipv4/ipv6 structs so we don't have Timo Sirainen <tss@iki.fi> parents: 5882 diff changeset	885 }
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	886
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	887 /* check first the full 32bit ints */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	888 for (pos = 0, i = 0; pos + 32 <= bits; pos += 32, i++) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	889 if (ip1[i] != ip2[i])
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	890 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	891 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	892
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	893 /* check the last full bytes */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	894 for (mask = 0xff; pos + 8 <= bits; pos += 8, mask <<= 8) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	895 if ((ip1[i] & mask) != (ip2[i] & mask))
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	896 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	897 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	898
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	899 /* check the last bits, they're reversed in bytes */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	900 bits -= pos;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	901 for (mask = 0x80 << (pos % 32); bits > 0; bits--, mask >>= 1) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	902 if ((ip1[i] & mask) != (ip2[i] & mask))
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	903 return 0;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	904 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	905 return 1;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	906 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	907
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	908 static void auth_request_validate_networks(struct auth_request *request,
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	909 const char *networks)
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	910 {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	911 const char const net;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	912 bool found = FALSE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	913
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	914 if (request->remote_ip.family == 0) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	915 /* IP not known */
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	916 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	917 "allow_nets check failed: Remote IP not known");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	918 request->passdb_failure = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	919 return;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	920 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	921
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	922 for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
4420 1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	923 auth_request_log_debug(request, "auth",
1174e508593d auth_debug: If allow_nets is given, print debug messages when matching Timo Sirainen <tss@iki.fi> parents: 4402 diff changeset	924 "allow_nets: Matching for network %s", *net);
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	925 switch (is_ip_in_network(*net, &request->remote_ip)) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	926 case 1:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	927 found = TRUE;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	928 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	929 case -1:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	930 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	931 "allow_nets: Invalid network '%s'", *net);
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	932 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	933 default:
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	934 break;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	935 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	936 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	937
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	938 if (!found) {
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	939 auth_request_log_info(request, "passdb",
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	940 "allow_nets check failed: IP not in allowed networks");
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	941 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	942 request->passdb_failure = !found;
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	943 }
265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	944
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	945 static void
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	946 auth_request_set_password(struct auth_request request, const char value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	947 const char *default_scheme, bool noscheme)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	948 {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	949 if (request->passdb_password != NULL) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	950 auth_request_log_error(request,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	951 request->passdb->passdb->iface.name,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	952 "Multiple password values not supported");
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	953 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	954 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	955
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	956 /* if the password starts with '{' it most likely contains
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	957 also '}'. check it anyway to make sure, because we
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	958 assert-crash later if it doesn't exist. this could happen
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	959 if plaintext passwords are used. */
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	960 if (*value == '{' && !noscheme && strchr(value, '}') != NULL)
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	961 request->passdb_password = p_strdup(request->pool, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	962 else {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	963 i_assert(default_scheme != NULL);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	964 request->passdb_password =
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	965 p_strdup_printf(request->pool, "{%s}%s",
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	966 default_scheme, value);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	967 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	968 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	969
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	970 static void auth_request_set_reply_field(struct auth_request *request,
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	971 const char name, const char value)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	972 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	973 if (strcmp(name, "nologin") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	974 /* user can't actually login - don't keep this
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	975 reply for master */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	976 request->no_login = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	977 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	978 } else if (strcmp(name, "proxy") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	979 /* we're proxying authentication for this user. send
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	980 password back if using plaintext authentication. */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	981 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	982 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	983 } else if (strcmp(name, "proxy_maybe") == 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	984 /* like "proxy", but log in normally if we're proxying to
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	985 ourself */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	986 request->proxy = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	987 request->proxy_maybe = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	988 name = "proxy";
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	989 value = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	990 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	991
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	992 if (request->extra_fields == NULL)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	993 request->extra_fields = auth_stream_reply_init(request);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	994 auth_stream_reply_add(request->extra_fields, name, value);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	995 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	996
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	997 void auth_request_set_field(struct auth_request *request,
3272 36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	998 const char name, const char value,
36db3285f4a7 Try to keep scheme always included in auth_request->passdb_password. Timo Sirainen <tss@iki.fi> parents: 3257 diff changeset	999 const char *default_scheme)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1000 {
6575 d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1001 const char *p;
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1002
4017 e2d267e6f930 Check that we don't pass around key=value pairs with empty keys. Timo Sirainen <tss@iki.fi> parents: 3918 diff changeset	1003 i_assert(*name != '\0');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1004 i_assert(value != NULL);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1005
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1006 if (strcmp(name, "password") == 0) {
6855 5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1007 auth_request_set_password(request, value,
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1008 default_scheme, FALSE);
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1009 return;
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1010 }
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1011 if (strcmp(name, "password_noscheme") == 0) {
5c514ebda66a Added "password_noscheme" field which assumes the password is in the default Timo Sirainen <tss@iki.fi> parents: 6854 diff changeset	1012 auth_request_set_password(request, value, default_scheme, TRUE);
3397 2db396230881 auth_request_set_field() shouldn't save password to extra_fields. Fixes a Timo Sirainen <tss@iki.fi> parents: 3386 diff changeset	1013 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1014 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1015
6575 d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1016 if (strcmp(name, "user") == 0 \|\|
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1017 strcmp(name, "username") == 0 \|\| strcmp(name, "domain") == 0) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1018 /* update username */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1019 if (strcmp(name, "username") == 0 &&
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1020 strchr(value, '@') == NULL &&
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1021 (p = strchr(request->user, '@')) != NULL) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1022 /* preserve the current @domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1023 value = t_strconcat(value, p, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1024 } else if (strcmp(name, "domain") == 0) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1025 p = strchr(request->user, '@');
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1026 if (p == NULL) {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1027 /* add the domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1028 value = t_strconcat(request->user, "@",
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1029 value, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1030 } else {
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1031 /* replace the existing domain */
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1032 p = t_strdup_until(request->user, p + 1);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1033 value = t_strconcat(p, value, NULL);
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1034 }
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1035 }
d573bc2a967d Added "username" and "domain" fields for modifying the username. Timo Sirainen <tss@iki.fi> parents: 6429 diff changeset	1036
3427 3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1037 if (strcmp(request->user, value) != 0) {
5131 172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1038 /* remember the original username for cache */
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1039 if (request->original_username == NULL) {
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1040 request->original_username =
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1041 p_strdup(request->pool, request->user);
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1042 }
172fb23d3c8f If user is changed with "user=x" in extra_fields, cache the entry with the Timo Sirainen <tss@iki.fi> parents: 5130 diff changeset	1043
3427 3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1044 auth_request_log_debug(request, "auth",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1045 "username changed %s -> %s",
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1046 request->user, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1047 request->user = p_strdup(request->pool, value);
3f7575e43202 If username changes, log the change if debugging is enabled. Timo Sirainen <tss@iki.fi> parents: 3397 diff changeset	1048 }
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1049 } else if (strcmp(name, "nodelay") == 0) {
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1050 /* don't delay replying to client of the failure */
3161 6a3254e3c3de Moved cache handling from sql/ldap-specific code to generic auth-request Timo Sirainen <tss@iki.fi> parents: 3158 diff changeset	1051 request->no_failure_delay = TRUE;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1052 } else if (strcmp(name, "nopassword") == 0) {
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1053 /* NULL password - anything goes */
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1054 const char *password = request->passdb_password;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1055
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1056 if (password != NULL) {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1057 (void)password_get_scheme(&password);
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1058 if (*password != '\0') {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1059 auth_request_log_error(request,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1060 request->passdb->passdb->iface.name,
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1061 "nopassword set but password is "
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1062 "non-empty");
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1063 return;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1064 }
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1065 }
3669 09b5e002ad8a If passdb returned NULL password (ie. no password needed), it wasn't cached Timo Sirainen <tss@iki.fi> parents: 3668 diff changeset	1066 request->no_password = TRUE;
5412 79187982328f If "nopassword" is set, don't crash if password is non-NULL. However give an Timo Sirainen <tss@iki.fi> parents: 5302 diff changeset	1067 request->passdb_password = NULL;
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1068 } else if (strcmp(name, "allow_nets") == 0) {
4078 265655f270df Added "allow_nets" extra field. If set, the user can log in only from Timo Sirainen <timo.sirainen@movial.fi> parents: 4054 diff changeset	1069 auth_request_validate_networks(request, value);
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1070 } else if (strncmp(name, "userdb_", 7) == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1071 /* for prefetch userdb */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1072 if (request->userdb_reply == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1073 auth_request_init_userdb_reply(request);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1074 auth_request_set_userdb_field(request, name + 7, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1075 } else {
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1076 /* these fields are returned to client */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1077 auth_request_set_reply_field(request, name, value);
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1078 return;
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1079 }
3520 e2fe8222449d s/occured/occurred/ Timo Sirainen <tss@iki.fi> parents: 3432 diff changeset	1080
5129 9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1081 if (passdb_cache != NULL &&
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1082 request->passdb->passdb->cache_key != NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1083 /* we'll need to get this field stored into cache */
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1084 if (request->extra_cache_fields == NULL) {
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1085 request->extra_cache_fields =
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1086 auth_stream_reply_init(request);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1087 }
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1088 auth_stream_reply_add(request->extra_cache_fields, name, value);
9b1a90eddfd0 Special extra_fields weren't saved to auth cache. This was especially Timo Sirainen <tss@iki.fi> parents: 5069 diff changeset	1089 }
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1090 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1091
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1092 void auth_request_set_fields(struct auth_request *request,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1093 const char const fields,
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1094 const char *default_scheme)
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1095 {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1096 const char key, value;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1097
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1098 for (; *fields != NULL; fields++) {
5163 39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1099 if (**fields == '\0')
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1100 continue;
39d3fca337a5 auth_request_set_fields(): Don't crash with empty fields. Timo Sirainen <tss@iki.fi> parents: 5153 diff changeset	1101
5153 83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1102 value = strchr(*fields, '=');
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1103 if (value == NULL) {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1104 key = *fields;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1105 value = "";
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1106 } else {
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1107 key = t_strdup_until(*fields, value);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1108 value++;
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1109 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1110 auth_request_set_field(request, key, value, default_scheme);
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1111 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1112 }
83f361144a8a Added auth_request_set_fields() and used it instead of duplicating the code Timo Sirainen <tss@iki.fi> parents: 5134 diff changeset	1113
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1114 void auth_request_init_userdb_reply(struct auth_request *request)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1115 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1116 request->userdb_reply = auth_stream_reply_init(request);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1117 auth_stream_reply_add(request->userdb_reply, NULL, request->user);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1118 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1119
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1120 static void
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1121 auth_request_change_userdb_user(struct auth_request request, const char user)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1122 {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1123 const char *str;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1124
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1125 /* replace the username in userdb_reply if it changed */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1126 if (strcmp(user, request->user) == 0)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1127 return;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1128
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1129 str = t_strdup(auth_stream_reply_export(request->userdb_reply));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1130
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1131 /* reset the reply and add the new username */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1132 auth_request_set_field(request, "user", user, NULL);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1133 auth_stream_reply_reset(request->userdb_reply);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1134 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1135 NULL, request->user);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1136
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1137 /* add the rest */
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1138 str = strchr(str, '\t');
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1139 i_assert(str != NULL);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1140 auth_stream_reply_import(request->userdb_reply, str + 1);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1141 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1142
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1143 static void auth_request_set_uidgid_file(struct auth_request *request,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1144 const char *path_template)
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1145 {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1146 string_t *path;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1147 struct stat st;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1148
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1149 path = t_str_new(256);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1150 var_expand(path, path_template,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1151 auth_request_get_var_expand_table(request, NULL));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1152 if (stat(str_c(path), &st) < 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1153 auth_request_log_error(request, "uidgid_file",
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1154 "stat(%s) failed: %m", str_c(path));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1155 } else {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1156 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1157 "uid", dec2str(st.st_uid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1158 auth_stream_reply_add(request->userdb_reply,
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1159 "gid", dec2str(st.st_gid));
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1160 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1161 }
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1162
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1163 void auth_request_set_userdb_field(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1164 const char name, const char value)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1165 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1166 uid_t uid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1167 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1168
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1169 if (strcmp(name, "uid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1170 uid = userdb_parse_uid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1171 if (uid == (uid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1172 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1173 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1174 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1175 value = dec2str(uid);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1176 } else if (strcmp(name, "gid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1177 gid = userdb_parse_gid(request, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1178 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1179 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1180 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1181 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1182 value = dec2str(gid);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1183 } else if (strcmp(name, "user") == 0) {
5879 f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1184 auth_request_change_userdb_user(request, value);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1185 return;
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1186 } else if (strcmp(name, "uidgid_file") == 0) {
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1187 auth_request_set_uidgid_file(request, value);
f7cdede45a88 If uidgid_file=<template_path> is set, the uid and gid are looked up by Timo Sirainen <tss@iki.fi> parents: 5872 diff changeset	1188 return;
5872 93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1189 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1190
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1191 auth_stream_reply_add(request->userdb_reply, name, value);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1192 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1193
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1194 void auth_request_set_userdb_field_values(struct auth_request *request,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1195 const char *name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1196 const char const values)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1197 {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1198 if (*values == NULL)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1199 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1200
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1201 if (strcmp(name, "uid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1202 /* there can be only one. use the first one. */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1203 auth_request_set_userdb_field(request, name, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1204 } else if (strcmp(name, "gid") == 0) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1205 /* convert gids to comma separated list */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1206 string_t *value;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1207 gid_t gid;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1208
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1209 value = t_str_new(128);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1210 for (; *values != NULL; values++) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1211 gid = userdb_parse_gid(request, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1212 if (gid == (gid_t)-1) {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1213 request->userdb_lookup_failed = TRUE;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1214 return;
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1215 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1216
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1217 if (str_len(value) > 0)
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1218 str_append_c(value, ',');
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1219 str_append(value, dec2str(gid));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1220 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1221 auth_stream_reply_add(request->userdb_reply, name,
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1222 str_c(value));
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1223 } else {
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1224 /* add only one */
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1225 auth_request_set_userdb_field(request, name, *values);
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1226 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1227 }
93bd157917ca Changed userdb callback API. Don't require uid/gid to be returned by userdb. Timo Sirainen <tss@iki.fi> parents: 5788 diff changeset	1228
7122 fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1229 static bool auth_request_proxy_is_self(struct auth_request *request)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1230 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1231 const char const tmp, host = NULL, port = NULL, *destuser = NULL;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1232 struct ip_addr ip;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1233
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1234 tmp = auth_stream_split(request->extra_fields);
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1235 for (; *tmp != NULL; tmp++) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1236 if (strncmp(*tmp, "host=", 5) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1237 host = *tmp + 5;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1238 else if (strncmp(*tmp, "port=", 5) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1239 port = *tmp + 5;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1240 if (strncmp(*tmp, "destuser=", 9) == 0)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1241 destuser = *tmp + 9;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1242 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1243
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1244 if (host == NULL \|\| net_addr2ip(host, &ip) < 0) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1245 /* broken setup */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1246 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1247 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1248 if (!net_ip_compare(&ip, &request->local_ip))
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1249 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1250
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1251 if (port != NULL && (unsigned int)atoi(port) != request->local_port)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1252 return FALSE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1253 return destuser == NULL \|\|
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1254 strcmp(destuser, request->original_username) == 0;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1255 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1256
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1257 void auth_request_proxy_finish(struct auth_request *request)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1258 {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1259 if (!request->proxy_maybe \|\| request->no_login)
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1260 return;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1261
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1262 if (!auth_request_proxy_is_self(request)) {
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1263 request->no_login = TRUE;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1264 return;
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1265 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1266
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1267 /* proxying to ourself - log in without proxying by dropping all the
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1268 proxying fields. */
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1269 auth_stream_reply_remove(request->extra_fields, "proxy");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1270 auth_stream_reply_remove(request->extra_fields, "host");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1271 auth_stream_reply_remove(request->extra_fields, "port");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1272 auth_stream_reply_remove(request->extra_fields, "destuser");
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1273 }
fb03422c0760 Added "proxy_maybe" field. If it's used instead of "proxy" and the Timo Sirainen <tss@iki.fi> parents: 7106 diff changeset	1274
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1275 int auth_request_password_verify(struct auth_request *request,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1276 const char *plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1277 const char *crypted_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1278 const char scheme, const char subsystem)
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1279 {
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1280 const unsigned char *raw_password;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1281 size_t raw_password_size;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1282 const char *user;
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1283 int ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1284
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1285 if (request->skip_password_check) {
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1286 /* currently this can happen only with master logins */
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1287 i_assert(request->master_user != NULL);
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1288 return 1;
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1289 }
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1290
4689 80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1291 if (request->passdb->deny) {
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1292 /* this is a deny database, we don't care about the password */
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1293 return 0;
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1294 }
80023f898ddd Don't even try to verify password with deny=yes passdbs. Timo Sirainen <tss@iki.fi> parents: 4686 diff changeset	1295
5619 121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1296 if (request->no_password) {
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1297 auth_request_log_info(request, subsystem, "No password");
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1298 return 1;
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1299 }
121af23cfc65 Empty password doesn't anymore allow user to log in with any password, Timo Sirainen <tss@iki.fi> parents: 5598 diff changeset	1300
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1301 ret = password_decode(crypted_password, scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1302 &raw_password, &raw_password_size);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1303 if (ret <= 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1304 if (ret < 0) {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1305 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1306 "Invalid password format for scheme %s",
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1307 scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1308 } else {
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1309 auth_request_log_error(request, subsystem,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1310 "Unknown scheme %s", scheme);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1311 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1312 return -1;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1313 }
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1314
4872 07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1315 /* If original_username is set, use it. It may be important for some
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1316 password schemes (eg. digest-md5). Otherwise the username is used
07bdc78ce38e Don't crash if plain-md5, plain-md4 or sha1 password is invalid and we're Timo Sirainen <tss@iki.fi> parents: 4834 diff changeset	1317 only for logging purposes. */
5598 971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1318 user = request->original_username != NULL ?
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1319 request->original_username : request->user;
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1320 ret = password_verify(plain_password, user, scheme,
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1321 raw_password, raw_password_size);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1322 i_assert(ret >= 0);
971050640e3b All password schemes can now be encoded with base64 or hex. The encoding is Timo Sirainen <tss@iki.fi> parents: 5593 diff changeset	1323 if (ret == 0) {
3918 40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1324 auth_request_log_info(request, subsystem,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1325 "Password mismatch");
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1326 if (request->auth->verbose_debug_passwords) {
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1327 auth_request_log_debug(request, subsystem,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1328 "%s(%s) != '%s'", scheme,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1329 plain_password,
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1330 crypted_password);
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1331 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1332 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1333 return ret;
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1334 }
40a461d554e6 Added auth_debug_passwords setting. If it's not enabled, hide all password Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	1335
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1336 static const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1337 escape_none(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1338 const struct auth_request *request ATTR_UNUSED)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1339 {
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1340 return string;
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1341 }
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1342
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1343 const char *
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1344 auth_request_str_escape(const char *string,
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1345 const struct auth_request *request ATTR_UNUSED)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1346 {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1347 return str_escape(string);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1348 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1349
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1350 const struct var_expand_table *
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1351 auth_request_get_var_expand_table(const struct auth_request *auth_request,
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1352 auth_request_escape_func_t *escape_func)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1353 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1354 static struct var_expand_table static_tab[] = {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1355 { 'u', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1356 { 'n', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1357 { 'd', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1358 { 's', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1359 { 'h', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1360 { 'l', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1361 { 'r', NULL },
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1362 { 'p', NULL },
3687 629ffe1a3874 %w contains now password Timo Sirainen <tss@iki.fi> parents: 3682 diff changeset	1363 { 'w', NULL },
4686 ba802ac3b743 auth cache didn't work properly with multiple passdbs. Timo Sirainen <tss@iki.fi> parents: 4685 diff changeset	1364 { '!', NULL },
5251 c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1365 { 'm', NULL },
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1366 { 'c', NULL },
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1367 { 'a', NULL },
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1368 { 'b', NULL },
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1369 { '\0', NULL }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1370 };
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1371 struct var_expand_table *tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1372
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1373 if (escape_func == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1374 escape_func = escape_none;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1375
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1376 tab = t_malloc(sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1377 memcpy(tab, static_tab, sizeof(static_tab));
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1378
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1379 tab[0].value = escape_func(auth_request->user, auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1380 tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1381 auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1382 tab[2].value = strchr(auth_request->user, '@');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1383 if (tab[2].value != NULL)
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1384 tab[2].value = escape_func(tab[2].value+1, auth_request);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1385 tab[3].value = auth_request->service;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1386 /* tab[4] = we have no home dir */
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1387 if (auth_request->local_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1388 tab[5].value = net_ip2addr(&auth_request->local_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1389 if (auth_request->remote_ip.family != 0)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1390 tab[6].value = net_ip2addr(&auth_request->remote_ip);
3074 3feb38ff17f5 Moving code around. Timo Sirainen <tss@iki.fi> parents: 3072 diff changeset	1391 tab[7].value = dec2str(auth_request->client_pid);
4295 4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1392 if (auth_request->mech_password != NULL) {
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1393 tab[8].value = escape_func(auth_request->mech_password,
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1394 auth_request);
4fc637010202 Escape SQL strings using sql_escape_string(). Fixes the problems with Timo Sirainen <tss@iki.fi> parents: 4168 diff changeset	1395 }
4955 f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1396 if (auth_request->userdb_lookup) {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1397 tab[9].value = auth_request->userdb == NULL ? "" :
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1398 dec2str(auth_request->userdb->num);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1399 } else {
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1400 tab[9].value = auth_request->passdb == NULL ? "" :
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1401 dec2str(auth_request->passdb->id);
f0cc5486696e Authentication cache caches now also userdb data. Code by Tommi Saviranta. Timo Sirainen <timo.sirainen@movial.fi> parents: 4914 diff changeset	1402 }
5251 c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1403 tab[10].value = auth_request->mech == NULL ? "" :
c1d7e9493f08 Added %m = mechanism name Timo Sirainen <tss@iki.fi> parents: 5233 diff changeset	1404 auth_request->mech->mech_name;
5260 0d72eb2ed8af Added %c variable which expands to "secured" with SSL/TLS/localhost. Timo Sirainen <tss@iki.fi> parents: 5251 diff changeset	1405 tab[11].value = auth_request->secured ? "secured" : "";
5882 40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1406 tab[12].value = dec2str(auth_request->local_port);
40ce533c88f9 Send local/remote ports to dovecot-auth. They're now in %a and %b variables. Timo Sirainen <tss@iki.fi> parents: 5879 diff changeset	1407 tab[13].value = dec2str(auth_request->remote_port);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1408 return tab;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1409 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1410
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6243 diff changeset	1411 static const char * ATTR_FORMAT(3, 0)
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1412 get_log_str(struct auth_request auth_request, const char subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1413 const char *format, va_list va)
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1414 {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1415 #define MAX_LOG_USERNAME_LEN 64
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1416 const char *ip;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1417 string_t *str;
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1418
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1419 str = t_str_new(128);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1420 str_append(str, subsystem);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1421 str_append_c(str, '(');
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1422
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1423 if (auth_request->user == NULL)
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1424 str_append(str, "?");
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1425 else {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1426 str_sanitize_append(str, auth_request->user,
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1427 MAX_LOG_USERNAME_LEN);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1428 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1429
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1430 ip = net_ip2addr(&auth_request->remote_ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1431 if (ip != NULL) {
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1432 str_append_c(str, ',');
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1433 str_append(str, ip);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1434 }
4030 faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1435 if (auth_request->requested_login_user != NULL)
faf83f3e19b5 Added support for "master users" who can log in as other people. Currently works only with SASL PLAIN authentication by giving it authorization ID string. Timo Sirainen <timo.sirainen@movial.fi> parents: 4017 diff changeset	1436 str_append(str, ",master");
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1437 str_append(str, "): ");
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1438 str_vprintfa(str, format, va);
3064 2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1439 return str_c(str);
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1440 }
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c Timo Sirainen <tss@iki.fi> parents: diff changeset	1441
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1442 void auth_request_log_debug(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1443 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1444 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1445 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1446 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1447
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1448 if (!auth_request->auth->verbose_debug)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1449 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1450
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1451 va_start(va, format);
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1452 T_FRAME(
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1453 i_info("%s", get_log_str(auth_request, subsystem, format, va));
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1454 );
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1455 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1456 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1457
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1458 void auth_request_log_info(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1459 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1460 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1461 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1462 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1463
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1464 if (!auth_request->auth->verbose)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1465 return;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1466
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1467 va_start(va, format);
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1468 T_FRAME(
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1469 i_info("%s", get_log_str(auth_request, subsystem, format, va));
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1470 );
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1471 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1472 }
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1473
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1474 void auth_request_log_error(struct auth_request *auth_request,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1475 const char *subsystem,
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1476 const char *format, ...)
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1477 {
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1478 va_list va;
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1479
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1480 va_start(va, format);
6940 414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1481 T_FRAME(
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1482 i_error("%s", get_log_str(auth_request, subsystem, format, va));
414c9d631a81 Replaced t_push/t_pop calls with T_FRAME() macros. Timo Sirainen <tss@iki.fi>* parents: 6855 diff changeset	1483 );
3069 131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1484 va_end(va);
131151e25e4b Added auth_request_log_(). Timo Sirainen <tss@iki.fi>* parents: 3068 diff changeset	1485 }

Mercurial > dovecot > core-2.2

annotate src/auth/auth-request.c @ 7122:fb03422c0760 HEAD