changeset 22833:3fa6e10877c7
auth: Use correct username in auth policy requests
When doing master authentication as first, use
the username of the user, not master user, for policy lookup.
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
date | Mon, 05 Feb 2018 14:26:15 +0200 |
parents | 2bff47454113 |
children | d2dc1b6e46ab |
files | src/auth/auth-policy.c src/auth/auth-settings.c |
diffstat | 2 files changed, 17 insertions(+), 8 deletions(-) [+] |
--- a/src/auth/auth-policy.c Fri Dec 01 13:49:31 2017 +0200
+++ b/src/auth/auth-policy.c Mon Feb 05 14:26:15 2018 +0200
@@ -418,18 +418,23 @@
 static const struct var_expand_table *policy_get_var_expand_table(struct auth_request *auth_request,
- const char *hashed_password)
+ const char *hashed_password, const char *requested_username)
 {
 struct var_expand_table *table;
- unsigned int count = 1;
+ unsigned int count = 2;
 table = auth_request_get_var_expand_table_full(auth_request, auth_policy_escape_function, &count);
 table[0].key = '\0';
 table[0].long_key = "hashed_password";
 table[0].value = hashed_password;
+ table[1].key = '\0';
+ table[1].long_key = "requested_username";
+ table[1].value = requested_username;
 if (table[0].value != NULL)
 table[0].value = auth_policy_escape_function(table[0].value, auth_request);
+ if (table[1].value != NULL)
+ table[1].value = auth_policy_escape_function(table[1].value, auth_request);
 return table;
 }
@@ -441,6 +446,7 @@
 const struct var_expand_table *var_table;
 context->json = str_new(context->pool, 64);
 unsigned char *ptr;
+ const char *requested_username;
 const struct hash_method *digest = hash_method_lookup(context->set->policy_hash_mech);
 i_assert(digest != NULL);
@@ -452,11 +458,14 @@
 digest->loop(ctx, context->set->policy_hash_nonce, strlen(context->set->policy_hash_nonce));
+ if (context->request->requested_login_user != NULL)
+ requested_username = context->request->requested_login_user;
+ else if (context->request->user != NULL)
+ requested_username = context->request->user;
+ else
+ requested_username = "";
 /* use +1 to make sure \0 gets included */
- if (context->request->user == NULL)
- digest->loop(ctx, "\0", 1);
- else
- digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
+ digest->loop(ctx, requested_username, strlen(requested_username)+1);
 if (password != NULL)
 digest->loop(ctx, password, strlen(password));
 ptr = buffer_get_modifiable_data(buffer, NULL);
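Review bot: `unsigned int count = 2;` in policy_get_var_expand_table is a bare literal that must stay in step with the `table[0]`/`table[1]` entries filled in below it, and nothing in the code ties the two together. A comment on that line such as `/* number of policy-specific entries filled in below: hashed_password, requested_username */` would make the coupling visible, or the two escape blocks could become a single loop over those entries so that adding a third variable touches one place. The untrusted `requested_username` is routed through auth_policy_escape_function before it reaches the JSON template, which is the property any further entry should keep.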
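Review bot: The bytes fed into the digest change for master-user logins in the third hunk: the hash previously covered `context->request->user` and now covers `requested_login_user` whenever one is set, so a policy server that keys state on the `pwhash` attribute will presumably see different values for those sessions after upgrading. That looks intended, since the hashed name and `%{requested_username}` now agree, but the commit message only mentions the policy lookup; a comment above the new if-chain, e.g. `/* hash the account being logged into, not the master user, so it matches requested_username */`, would record the reason. The `""` fallback keeps the old behaviour of feeding a single `\0` byte, which the existing `/* use +1 ... */` comment could say explicitly. The enclosing function's signature lies outside the hunk.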
@@ -467,7 +476,7 @@
 }
 const char *hashed_password = binary_to_hex(buffer->data, buffer->used);
 str_append_c(context->json, '{');
- var_table = policy_get_var_expand_table(context->request, hashed_password);
+ var_table = policy_get_var_expand_table(context->request, hashed_password, requested_username);
 auth_request_var_expand_with_table(context->json, auth_policy_json_template, context->request, var_table, auth_policy_escape_function);
--- a/src/auth/auth-settings.c Fri Dec 01 13:49:31 2017 +0200
+++ b/src/auth/auth-settings.c Mon Feb 05 14:26:15 2018 +0200
@@ -300,7 +300,7 @@
 .policy_server_timeout_msecs = 2000,
 .policy_hash_mech = "sha256",
 .policy_hash_nonce = "",
- .policy_request_attributes = "login=%{orig_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
+ .policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 .policy_reject_on_fail = FALSE,
 .policy_hash_truncate = 12,
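Review bot: The default `login=` attribute now reports `%{requested_username}` instead of `%{orig_username}`, which changes what every deployment relying on the default sends to its policy server, and the example configuration and auth-policy documentation that quote this default (outside this diff) presumably still show `%{orig_username}` and should be updated in the same change. Since a separate `orig_username` variable exists, `request->user` can presumably differ from the name the client originally presented, so the two are not interchangeable for operators whose policy decisions key on the presented login; a line in the commit message noting that `%{orig_username}` remains available for that case would help.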