changeset 21577:5c390ae4f640

auth: Add mechanism filter for passdbs
author Aki Tuomi <aki.tuomi@dovecot.fi>
date Mon, 06 Feb 2017 12:56:27 +0200
parents 41febc44474a
children 8b9d500c4917
files src/auth/auth-request.c src/auth/auth-settings.c src/auth/auth-settings.h src/auth/passdb.c src/auth/passdb.h
diffstat 5 files changed, 23 insertions(+), 0 deletions(-) [+]
--- a/src/auth/auth-request.c	Wed Feb 08 13:06:13 2017 +0200
+++ b/src/auth/auth-request.c	Mon Feb 06 12:56:27 2017 +0200
@@ -614,6 +614,16 @@
 auth_request_want_skip_passdb(struct auth_request *request,
 			      struct auth_passdb *passdb)
 {
+	/* if mechanism is not supported, skip */
+	const char *const *mech = passdb->passdb->mechanisms;
+
+	/* if request->mech == NULL it means we are doing
+	   lookup without authentication and should not match this */
+	if (mech != NULL && (request->mech == NULL ||
+	     !str_array_icase_find(mech, request->mech->mech_name))) {
+		return TRUE;
+	}
+
 	/* skip_password_check basically specifies if authentication is
 	   finished */
 	bool authenticated = request->skip_password_check;
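Review bot: The comment `/* if mechanism is not supported, skip */` sits above the declaration of `mech` rather than above the `if` that performs the skip, and the second comment explains only the `request->mech == NULL` half of the condition, so a reader has to reassemble the rule from two places. I would merge them into a single comment directly above the `if` stating the full rule this hunk implements: a passdb with a non-NULL mechanisms list is only consulted for requests whose `request->mech->mech_name` is in that list (compared case-insensitively via `str_array_icase_find`), requests without a mechanism never match such a passdb, and a list containing only NULL therefore skips the passdb for every request. The signature of auth_request_want_skip_passdb begins on the line before the hunk and its body continues past it.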
--- a/src/auth/auth-settings.c	Wed Feb 08 13:06:13 2017 +0200
+++ b/src/auth/auth-settings.c	Mon Feb 06 12:56:27 2017 +0200
@@ -113,6 +113,7 @@
 	DEF(SET_STR, args),
 	DEF(SET_STR, default_fields),
 	DEF(SET_STR, override_fields),
+	DEF(SET_STR, mechanisms),
 
 	DEF(SET_ENUM, skip),
 	DEF(SET_ENUM, result_success),
@@ -133,6 +134,7 @@
 	.args = "",
 	.default_fields = "",
 	.override_fields = "",
+	.mechanisms = "",
 
 	.skip = "never:authenticated:unauthenticated",
 	.result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail",
--- a/src/auth/auth-settings.h	Wed Feb 08 13:06:13 2017 +0200
+++ b/src/auth/auth-settings.h	Mon Feb 06 12:56:27 2017 +0200
@@ -10,6 +10,7 @@
 	const char *args;
 	const char *default_fields;
 	const char *override_fields;
+	const char *mechanisms;
 
 	const char *skip;
 	const char *result_success;
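Review bot: The new `mechanisms` field is added with no comment, and its accepted syntax is only discoverable from the parsing in passdb.c: an empty string means no restriction, `"none"` (matched with strcasecmp) means no mechanism at all, and anything else is split on spaces and commas into a list of mechanism names. Since this is the settings struct an administrator-facing value lands in, I would document that here, e.g. `/* Mechanisms this passdb may serve: "" = all, "none" = none, otherwise a space/comma separated list */`. The struct definition starts outside the hunk.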
--- a/src/auth/passdb.c	Wed Feb 08 13:06:13 2017 +0200
+++ b/src/auth/passdb.c	Mon Feb 06 12:56:27 2017 +0200
@@ -223,6 +223,13 @@
 	passdb->id = ++auth_passdb_id;
 	passdb->iface = *iface;
 	passdb->args = p_strdup(pool, set->args);
+	if (*set->mechanisms == '\0') {
+		passdb->mechanisms = NULL;
+	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+		passdb->mechanisms = (const char *const[]){NULL};
+	} else {
+		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+	}
 
 	array_append(&passdb_modules, &passdb, 1);
 	return passdb;
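Review bot: The `(const char *const[]){NULL}` assigned on the `"none"` branch is a compound literal inside a function body, so per C11 6.5.2.5 it has automatic storage duration tied to that `else if` block; `passdb` itself is allocated from `pool` and outlives the call, so `passdb->mechanisms` is left dangling as soon as the function returns, and the `str_array_icase_find` walk over it added in auth-request.c would read memory whose lifetime has ended. The empty list needs storage that outlives the call, e.g. a file-scope `static const char *const passdb_no_mechanisms[] = { NULL };` with `passdb->mechanisms = passdb_no_mechanisms;` on that branch, or a one-element NULL-terminated array allocated from `pool`. The enclosing function starts outside the hunk.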
--- a/src/auth/passdb.h	Wed Feb 08 13:06:13 2017 +0200
+++ b/src/auth/passdb.h	Mon Feb 06 12:56:27 2017 +0200
@@ -62,6 +62,9 @@
 	/* Default password scheme for this module.
 	   If cache_key is set, must not be NULL. */
 	const char *default_pass_scheme;
+	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+	const char *const *mechanisms;
+
 	/* If blocking is set to TRUE, use child processes to access
 	   this passdb. */
 	bool blocking;
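Review bot: The new comment documents the two sentinel shapes of `mechanisms` but not how the list is consulted, which is the part a maintainer needs when touching the check in auth-request.c: entries are compared case-insensitively against `request->mech->mech_name`, and any non-NULL list also excludes requests that carry no mechanism. I would extend it to `/* Mechanism names this passdb accepts, matched case-insensitively against the request's mechanism. NULL = all; a list holding only NULL = none. */` (and add the missing space before `*/`). The struct definition starts outside the hunk.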