Mercurial > dovecot > core-2.2
diff src/auth/auth-settings.c @ 20419:0dc214cf2e30
auth-policy: Add policy implementation
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
---|---|
date | Fri, 03 Jun 2016 20:21:42 +0300 |
parents | a7cd7cb4844c |
children | b3803bacf702 |
line wrap: on
line diff
--- a/src/auth/auth-settings.c Fri Jun 10 14:31:00 2016 +0300 +++ b/src/auth/auth-settings.c Fri Jun 03 20:21:42 2016 +0300 @@ -2,6 +2,7 @@ #include "lib.h" #include "array.h" +#include "hash-method.h" #include "settings-parser.h" #include "master-service-private.h" #include "master-service-settings.h" @@ -236,6 +237,15 @@ DEF(SET_STR, proxy_self), DEF(SET_TIME, failure_delay), + DEF(SET_STR, policy_server_url), + DEF(SET_STR, policy_server_api_header), + DEF(SET_UINT, policy_server_timeout_msecs), + DEF(SET_STR, policy_hash_mech), + DEF(SET_STR, policy_hash_nonce), + DEF(SET_STR, policy_request_attributes), + DEF(SET_BOOL, policy_reject_on_fail), + DEF(SET_UINT, policy_hash_truncate), + DEF(SET_BOOL, stats), DEF(SET_BOOL, verbose), DEF(SET_BOOL, debug), @@ -276,6 +286,15 @@ .proxy_self = "", .failure_delay = 2, + .policy_server_url = "", + .policy_server_api_header = "", + .policy_server_timeout_msecs = 2000, + .policy_hash_mech = "sha256", + .policy_hash_nonce = "", + .policy_request_attributes = "login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}", + .policy_reject_on_fail = FALSE, + .policy_hash_truncate = 12, + .stats = FALSE, .verbose = FALSE, .debug = FALSE, @@ -418,6 +437,25 @@ set->realms_arr = (const char *const *)p_strsplit_spaces(pool, set->realms, " "); + if (*set->policy_server_url != '\0') { + if (*set->policy_hash_nonce == '\0') { + + *error_r = "auth_policy_hash_nonce must be set when policy server is used"; + return FALSE; + } + const struct hash_method *digest = hash_method_lookup(set->policy_hash_mech); + if (digest == NULL) { + *error_r = "invalid auth_policy_hash_mech given"; + return FALSE; + } + if (set->policy_hash_truncate > 0 && set->policy_hash_truncate >= digest->digest_size*8) { + *error_r = t_strdup_printf("policy_hash_truncate is not smaller than digest size (%u >= %u)", + set->policy_hash_truncate, + digest->digest_size*8); + return FALSE; + } + } + if (!auth_settings_set_self_ips(set, pool, error_r)) return FALSE; return TRUE;