Mercurial > dovecot > core-2.2
changeset 20515:84cd7e08e8d6
auth: Skip authentication with noauthenticate
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
---|---|
date | Sat, 09 Jul 2016 20:11:45 +0300 |
parents | fe9ed1aa41ad |
children | 5bef6977c15e |
files | src/auth/auth-master-connection.c src/auth/auth-request-handler.c src/auth/auth-request.c src/auth/auth-worker-client.c src/auth/passdb-blocking.c src/auth/passdb-sql.c src/auth/passdb.h |
diffstat | 7 files changed, 39 insertions(+), 6 deletions(-) [+] |
--- a/src/auth/auth-master-connection.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-master-connection.c Sat Jul 09 20:11:45 2016 +0300
@@ -341,6 +341,7 @@
 case PASSDB_RESULT_PASS_EXPIRED:
 str_printfa(str, "NOTFOUND\t%u", auth_request->id);
 break;
+ case PASSDB_RESULT_NEXT:
 case PASSDB_RESULT_PASSWORD_MISMATCH:
 case PASSDB_RESULT_INTERNAL_FAILURE:
 str_printfa(str, "FAIL\t%u", auth_request->id);
--- a/src/auth/auth-request-handler.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-request-handler.c Sat Jul 09 20:11:45 2016 +0300
@@ -305,6 +305,7 @@
 auth_str_append_extra_fields(request, str);
 switch (request->passdb_result) {
+ case PASSDB_RESULT_NEXT:
 case PASSDB_RESULT_INTERNAL_FAILURE:
 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 case PASSDB_RESULT_USER_UNKNOWN:
--- a/src/auth/auth-request.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-request.c Sat Jul 09 20:11:45 2016 +0300
@@ -485,6 +485,7 @@
 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 /* can be cached */
 break;
+ case PASSDB_RESULT_NEXT:
 case PASSDB_RESULT_USER_DISABLED:
 case PASSDB_RESULT_PASS_EXPIRED:
 /* FIXME: we can't cache this now, or cache lookup would
@@ -652,6 +653,11 @@
 case PASSDB_RESULT_INTERNAL_FAILURE:
 result_rule = request->passdb->result_internalfail;
 break;
+ case PASSDB_RESULT_NEXT:
+ auth_request_log_debug(request, AUTH_SUBSYS_DB,
+ "Not performing authentication (noauthenticate set)");
+ result_rule = AUTH_DB_RULE_CONTINUE;
+ break;
 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 case PASSDB_RESULT_USER_UNKNOWN:
 case PASSDB_RESULT_PASSWORD_MISMATCH:
@@ -692,6 +698,7 @@
 /* nopassword check is specific to a single passdb and shouldn't leak to the next one. we already added it to cache. */
 auth_fields_remove(request->extra_fields, "nopassword");
+ auth_fields_remove(request->extra_fields, "noauthenticate");
 if (request->requested_login_user != NULL && *result == PASSDB_RESULT_OK) {
@@ -706,7 +713,7 @@
 auth_request_want_skip_passdb(request, next_passdb))
 next_passdb = next_passdb->next;
- if (*result == PASSDB_RESULT_OK) {
+ if (*result == PASSDB_RESULT_OK || *result == PASSDB_RESULT_NEXT) {
 /* this passdb lookup succeeded, preserve its extra fields */
 auth_fields_snapshot(request->extra_fields);
 request->snapshot_have_userdb_prefetch_set =
@@ -777,6 +784,10 @@
 auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
+ if (result == PASSDB_RESULT_OK &&
+ auth_fields_exists(request->extra_fields, "noauthenticate"))
+ result = PASSDB_RESULT_NEXT;
+
 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
 auth_request_save_cache(request, result);
 else {
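Review bot: The OK-to-NEXT demotion added after `auth_request_set_state()` in the hunk at -777 is repeated verbatim in the hunk at -1009, and as far as this diff shows it is the only thing that keeps a `noauthenticate` passdb from being reported as `PASSDB_RESULT_OK`, since the hunk at -2254 makes the password check succeed for any password. Move it into one static helper called from both callbacks, for example `result = passdb_result_apply_noauthenticate(request, result);` (the name is only a suggestion), with a comment stating that every path that delivers a passdb result has to go through it. Both enclosing callbacks start and end outside the hunks, so whether other result paths exist cannot be judged from here.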
@@ -1009,6 +1020,10 @@
 auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
+ if (result == PASSDB_RESULT_OK &&
+ auth_fields_exists(request->extra_fields, "noauthenticate"))
+ result = PASSDB_RESULT_NEXT;
+
 if (result != PASSDB_RESULT_INTERNAL_FAILURE)
 auth_request_save_cache(request, result);
 else {
@@ -2254,7 +2269,8 @@
 return 0;
 }
- if (auth_fields_exists(request->extra_fields, "nopassword")) {
+ if (auth_fields_exists(request->extra_fields, "nopassword") ||
+ auth_fields_exists(request->extra_fields, "noauthenticate")) {
 auth_request_log_debug(request, subsystem, "Allowing any password");
 return 1;
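Review bot: In the hunk at -2254, `noauthenticate` takes the same branch as `nopassword`, so the function returns 1 and logs "Allowing any password" although the intent of the field is that no authentication takes place. The return value is fail-open on its own: it is only safe while every caller later turns the result into `PASSDB_RESULT_NEXT`, and the debug trail does not show which field fired. Give the new field its own branch with its own message, e.g. `auth_request_log_debug(request, subsystem, "noauthenticate set, skipping password check");`, and add a comment that the 1 returned here must not be treated as a successful login. The function starts outside the hunk.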
--- a/src/auth/auth-worker-client.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-worker-client.c Sat Jul 09 20:11:45 2016 +0300
@@ -152,7 +152,10 @@
 str_printfa(str, "%u\t", request->id);
 if (result == PASSDB_RESULT_OK)
- str_append(str, "OK");
+ if (auth_fields_exists(request->extra_fields, "noauthenticate"))
+ str_append(str, "NEXT");
+ else
+ str_append(str, "OK");
 else
 str_printfa(str, "FAIL\t%d", result);
 if (result != PASSDB_RESULT_INTERNAL_FAILURE) {
@@ -235,10 +238,13 @@
 str = t_str_new(128);
 str_printfa(str, "%u\t", request->id);
- if (result != PASSDB_RESULT_OK)
+ if (result != PASSDB_RESULT_OK && result != PASSDB_RESULT_NEXT)
 str_printfa(str, "FAIL\t%d", result);
 else {
- str_append(str, "OK\t");
+ if (result == PASSDB_RESULT_NEXT)
+ str_append(str, "NEXT\t");
+ else
+ str_append(str, "OK\t");
 str_append_tabescaped(str, request->user);
 str_append_c(str, '\t');
 if (request->credentials_scheme[0] != '\0') {
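Review bot: The nested `if`/`else` added under `if (result == PASSDB_RESULT_OK)` in the hunk at -152 has no braces, so the trailing `else` that emits `FAIL` pairs with the outer `if` only because the inner `if` carries its own `else`. It parses as intended today, but compilers flag the shape as an ambiguous else, and a later edit to the inner branch would silently change which reply the worker sends for a failed lookup. Brace the outer branch, `if (result == PASSDB_RESULT_OK) {` and `} else {`, as the `else {` block in the second hunk already does.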
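Review bot: The hunk at -235 chooses `NEXT` by testing `result == PASSDB_RESULT_NEXT`, while the hunk at -152 in the same file chooses it by testing the `noauthenticate` field while `result` is still `PASSDB_RESULT_OK`. Nothing in this changeset shows a passdb handing `PASSDB_RESULT_NEXT` to this callback, so the new branch may never be taken here and the reply would stay `OK`. If that is intended, say so in a comment; otherwise test the field the same way as the first callback, `if (result == PASSDB_RESULT_OK && auth_fields_exists(request->extra_fields, "noauthenticate"))`. The callback starts outside the hunk.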
--- a/src/auth/passdb-blocking.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb-blocking.c Sat Jul 09 20:11:45 2016 +0300
@@ -36,6 +36,13 @@
 return PASSDB_RESULT_OK;
 }
+ if (strcmp(*args, "NEXT") == 0 && args[1] != NULL) {
+ /* NEXT \t user [\t extra] */
+ auth_request_set_field(request, "user", args[1], NULL);
+ auth_worker_reply_parse_args(request, args + 1);
+ return PASSDB_RESULT_NEXT;
+ }
+
 if (strcmp(*args, "FAIL") == 0 && args[1] != NULL) {
 int result;
 /* FAIL \t result [\t user \t password [\t extra]] */
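Review bot: `args[1]` is stored as the user and then `args + 1`, which still points at that same element, is passed to `auth_worker_reply_parse_args()`, so the user string is consumed twice. The helper is not shown; if it expects its first element to be the password, as the `user \t password [\t extra]` layout in the FAIL comment suggests, the username lands where the password belongs and the extra fields are read one slot early. The worker side in auth-worker-client.c writes `NEXT\t`, the user, a tab and then the credentials, which does not match the `NEXT \t user [\t extra]` comment either. Confirm the wire format and, if a password slot follows the user, pass `args + 2` and also require `args[2] != NULL`.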
--- a/src/auth/passdb-sql.c Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb-sql.c Sat Jul 09 20:11:45 2016 +0300
@@ -99,7 +99,8 @@
 auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "Password query returned multiple matches");
 } else if (auth_request->passdb_password == NULL &&
- !auth_fields_exists(auth_request->extra_fields, "nopassword")) {
+ !auth_fields_exists(auth_request->extra_fields, "nopassword") &&
+ !auth_fields_exists(auth_request->extra_fields, "noauthenticate")) {
 auth_request_log_info(auth_request, AUTH_SUBSYS_DB, "Empty password returned without nopassword");
 passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
--- a/src/auth/passdb.h Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb.h Sat Jul 09 20:11:45 2016 +0300
@@ -16,6 +16,7 @@
 PASSDB_RESULT_USER_UNKNOWN = -3,
 PASSDB_RESULT_USER_DISABLED = -4,
 PASSDB_RESULT_PASS_EXPIRED = -5,
+ PASSDB_RESULT_NEXT = -6,
 PASSDB_RESULT_PASSWORD_MISMATCH = 0,
 PASSDB_RESULT_OK = 1
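Review bot: `PASSDB_RESULT_NEXT` is added without a comment, although it is the one value in this enum that is neither a success nor a failure of the credential check. Add `/* passdb matched but did no authentication (noauthenticate set); continue with the next passdb */` above it, so that code switching on the enum does not group it with the successes by mistake. auth-worker-client.c prints non-OK results numerically with `FAIL\t%d`, so the comment should also say that -6 may appear on the worker protocol. The enum starts and ends outside the hunk.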