Mercurial > dovecot > core-2.2

diff src/auth/auth-settings.c @ 20419:0dc214cf2e30

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
auth-policy: Add policy implementation
author Aki Tuomi <aki.tuomi@dovecot.fi>
date Fri, 03 Jun 2016 20:21:42 +0300
parents a7cd7cb4844c
children b3803bacf702
line wrap: on
line diff
--- a/src/auth/auth-settings.c	Fri Jun 10 14:31:00 2016 +0300
+++ b/src/auth/auth-settings.c	Fri Jun 03 20:21:42 2016 +0300
@@ -2,6 +2,7 @@
 
 #include "lib.h"
 #include "array.h"
+#include "hash-method.h"
 #include "settings-parser.h"
 #include "master-service-private.h"
 #include "master-service-settings.h"
@@ -236,6 +237,15 @@
 	DEF(SET_STR, proxy_self),
 	DEF(SET_TIME, failure_delay),
 
+	DEF(SET_STR, policy_server_url),
+	DEF(SET_STR, policy_server_api_header),
+	DEF(SET_UINT, policy_server_timeout_msecs),
+	DEF(SET_STR, policy_hash_mech),
+	DEF(SET_STR, policy_hash_nonce),
+	DEF(SET_STR, policy_request_attributes),
+	DEF(SET_BOOL, policy_reject_on_fail),
+	DEF(SET_UINT, policy_hash_truncate),
+
 	DEF(SET_BOOL, stats),
 	DEF(SET_BOOL, verbose),
 	DEF(SET_BOOL, debug),
@@ -276,6 +286,15 @@
 	.proxy_self = "",
 	.failure_delay = 2,
 
+	.policy_server_url = "",
+	.policy_server_api_header = "",
+	.policy_server_timeout_msecs = 2000,
+	.policy_hash_mech = "sha256",
+	.policy_hash_nonce = "",
+	.policy_request_attributes = "login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}",
+	.policy_reject_on_fail = FALSE,
+	.policy_hash_truncate = 12,
+
 	.stats = FALSE,
 	.verbose = FALSE,
 	.debug = FALSE,
@@ -418,6 +437,25 @@
 	set->realms_arr =
 		(const char *const *)p_strsplit_spaces(pool, set->realms, " ");
 
+	if (*set->policy_server_url != '\0') {
+		if (*set->policy_hash_nonce == '\0') {
+
+			*error_r = "auth_policy_hash_nonce must be set when policy server is used";
+			return FALSE;
+		}
+		const struct hash_method *digest = hash_method_lookup(set->policy_hash_mech);
+		if (digest == NULL) {
+			*error_r = "invalid auth_policy_hash_mech given";
+			return FALSE;
+		}
+		if (set->policy_hash_truncate > 0 && set->policy_hash_truncate >= digest->digest_size*8) {
+			*error_r = t_strdup_printf("policy_hash_truncate is not smaller than digest size (%u >= %u)",
+				set->policy_hash_truncate,
+				digest->digest_size*8);
+			return FALSE;
+		}
+	}
+
 	if (!auth_settings_set_self_ips(set, pool, error_r))
 		return FALSE;
 	return TRUE;