changeset 22834:d2dc1b6e46ab
auth: Add policy check configuration options
Allows disabling before/after auth checks, or reporting.
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
date | Tue, 06 Feb 2018 09:48:11 +0200 |
parents | 3fa6e10877c7 |
children | a21208a433c1 |
files | src/auth/auth-request-handler.c src/auth/auth-request.c src/auth/auth-settings.c src/auth/auth-settings.h |
diffstat | 4 files changed, 26 insertions(+), 6 deletions(-) [+] |
--- a/src/auth/auth-request-handler.c Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-request-handler.c Tue Feb 06 09:48:11 2018 +0200
@@ -216,7 +216,8 @@
 auth_request_ref(request);
 auth_request_handler_remove(handler, request);
-auth_policy_report(request);
+if (request->set->policy_report_after_auth)
+auth_policy_report(request);
 if (auth_fields_exists(request->extra_fields, "nodelay")) {
 /* passdb specifically requested not to delay the reply. */
@@ -264,7 +265,8 @@
 str_append_tabescaped(str, request->user);
 auth_str_append_extra_fields(request, str);
-auth_policy_report(request);
+if (request->set->policy_report_after_auth)
+auth_policy_report(request);
 if (handler->master_callback == NULL ||
 auth_fields_exists(request->extra_fields, "nologin") ||
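Review bot: The same guarded call `if (request->set->policy_report_after_auth) auth_policy_report(request);` now appears in both hunks (216 and 265), and the two copies must be kept in sync whenever the condition grows. A single file-local helper in auth-request-handler.c, say `static void auth_request_handler_policy_report(struct auth_request *request)`, holding the check and the call would keep that decision in one place. Both enclosing functions start and end outside the hunks.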
--- a/src/auth/auth-request.c Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-request.c Tue Feb 06 09:48:11 2018 +0200
@@ -158,8 +158,18 @@
 {
 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
+if (!request->set->policy_check_after_auth) {
+buffer_t buf;
+buffer_create_from_const_data(&buf, "", 0);
+struct auth_policy_check_ctx ctx = {
+.success_data = &buf,
+.request = request
+};
+auth_request_policy_check_callback(0, &ctx);
+return;
+}
+
 /* perform second policy lookup here */
-
 struct auth_policy_check_ctx *ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
 ctx->request = request;
 ctx->success_data = buffer_create_dynamic(request->pool, data_size);
@@ -1024,7 +1034,7 @@
 i_assert(request->mech_password == password);
 request->user_changed_by_lookup = FALSE;
-if (request->policy_processed) {
+if (request->policy_processed || !request->set->policy_check_before_auth) {
 auth_request_verify_plain_continue(request, callback);
 } else {
 ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1202,7 +1212,7 @@
 request->credentials_scheme = p_strdup(request->pool, scheme);
 request->user_changed_by_lookup = FALSE;
-if (request->policy_processed)
+if (request->policy_processed || !request->set->policy_check_before_auth)
 auth_request_lookup_credentials_policy_continue(request, callback);
 else {
 ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1222,7 +1232,6 @@
 enum passdb_result result;
 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
-
 if (auth_request_is_disabled_master_user(request)) {
 callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
 return;
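Review bot: In the hunk at line 158 the early-return path hands `auth_request_policy_check_callback` a stack-allocated `ctx` whose `success_data` is an empty constant buffer, while the path it bypasses allocates `ctx` from `request->pool` and sizes `success_data` from `data_size`; if the callback appends to `success_data` (the normal path's `buffer_create_dynamic` suggests it is written to) or keeps either pointer past its return, the const buffer and the stack objects are not safe for it — confirm against the callback body, which is outside the hunk. If the continuation data is needed downstream, building `ctx.success_data` with `buffer_create_dynamic(request->pool, data_size)` and appending the data the same way the normal path does would make the two paths equivalent apart from the skipped lookup. A comment such as `/* after-auth policy check disabled: complete synchronously with no success data */` above the new `if` would record the intent. The enclosing function's signature is outside the hunk.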
--- a/src/auth/auth-settings.c Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-settings.c Tue Feb 06 09:48:11 2018 +0200
@@ -249,6 +249,9 @@
 DEF(SET_STR, policy_hash_nonce),
 DEF(SET_STR, policy_request_attributes),
 DEF(SET_BOOL, policy_reject_on_fail),
+DEF(SET_BOOL, policy_check_before_auth),
+DEF(SET_BOOL, policy_check_after_auth),
+DEF(SET_BOOL, policy_report_after_auth),
 DEF(SET_UINT, policy_hash_truncate),
 DEF(SET_BOOL, stats),
@@ -302,6 +305,9 @@
 .policy_hash_nonce = "",
 .policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 .policy_reject_on_fail = FALSE,
+.policy_check_before_auth = TRUE,
+.policy_check_after_auth = TRUE,
+.policy_report_after_auth = TRUE,
 .policy_hash_truncate = 12,
 .stats = FALSE,
--- a/src/auth/auth-settings.h Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-settings.h Tue Feb 06 09:48:11 2018 +0200
@@ -63,6 +63,9 @@
 const char *policy_hash_nonce;
 const char *policy_request_attributes;
 bool policy_reject_on_fail;
+bool policy_check_before_auth;
+bool policy_check_after_auth;
+bool policy_report_after_auth;
 unsigned int policy_hash_truncate;
 bool stats;
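Review bot: The three new fields in auth-settings.h carry no comment, and since turning them off changes what the auth policy server is consulted about, the header should say what each gates. From the diff: `policy_check_before_auth` skips the policy lookup that precedes `auth_request_verify_plain_continue` / `auth_request_lookup_credentials_policy_continue`, `policy_check_after_auth` skips the second lookup in the MECH_CONTINUE path, and `policy_report_after_auth` suppresses the `auth_policy_report()` calls in the request handler. A three-line comment in that wording above `bool policy_check_before_auth;` would suffice, and it could note that all three default to TRUE in auth-settings.c so existing configurations keep their current behaviour.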