Mercurial > dovecot > core-2.2

--- a/src/auth/auth-request-handler.c	Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-request-handler.c	Tue Feb 06 09:48:11 2018 +0200
@@ -216,7 +216,8 @@
 	auth_request_ref(request);
 	auth_request_handler_remove(handler, request);

-	auth_policy_report(request);
+	if (request->set->policy_report_after_auth)
+		auth_policy_report(request);

 	if (auth_fields_exists(request->extra_fields, "nodelay")) {
 		/* passdb specifically requested not to delay the reply. */
@@ -264,7 +265,8 @@
 	str_append_tabescaped(str, request->user);
 	auth_str_append_extra_fields(request, str);

-	auth_policy_report(request);
+	if (request->set->policy_report_after_auth)
+		auth_policy_report(request);

 	if (handler->master_callback == NULL ||
 	    auth_fields_exists(request->extra_fields, "nologin") ||
--- a/src/auth/auth-request.c	Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-request.c	Tue Feb 06 09:48:11 2018 +0200
@@ -158,8 +158,18 @@
 {
 	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

+	if (!request->set->policy_check_after_auth) {
+		buffer_t buf;
+		buffer_create_from_const_data(&buf, "", 0);
+		struct auth_policy_check_ctx ctx = {
+			.success_data = &buf,
+			.request = request
+		};
+		auth_request_policy_check_callback(0, &ctx);
+		return;
+	}
+
 	/* perform second policy lookup here */
-
 	struct auth_policy_check_ctx *ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
 	ctx->request = request;
 	ctx->success_data = buffer_create_dynamic(request->pool, data_size);
@@ -1024,7 +1034,7 @@
 		i_assert(request->mech_password == password);
 	request->user_changed_by_lookup = FALSE;

-	if (request->policy_processed) {
+	if (request->policy_processed || !request->set->policy_check_before_auth) {
 		auth_request_verify_plain_continue(request, callback);
 	} else {
 		ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1202,7 +1212,7 @@
 		request->credentials_scheme = p_strdup(request->pool, scheme);
 	request->user_changed_by_lookup = FALSE;

-	if (request->policy_processed)
+	if (request->policy_processed || !request->set->policy_check_before_auth)
 		auth_request_lookup_credentials_policy_continue(request, callback);
 	else {
 		ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1222,7 +1232,6 @@
 	enum passdb_result result;

 	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
-
 	if (auth_request_is_disabled_master_user(request)) {
 		callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
 		return;
--- a/src/auth/auth-settings.c	Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-settings.c	Tue Feb 06 09:48:11 2018 +0200
@@ -249,6 +249,9 @@
 	DEF(SET_STR, policy_hash_nonce),
 	DEF(SET_STR, policy_request_attributes),
 	DEF(SET_BOOL, policy_reject_on_fail),
+	DEF(SET_BOOL, policy_check_before_auth),
+	DEF(SET_BOOL, policy_check_after_auth),
+	DEF(SET_BOOL, policy_report_after_auth),
 	DEF(SET_UINT, policy_hash_truncate),

 	DEF(SET_BOOL, stats),
@@ -302,6 +305,9 @@
 	.policy_hash_nonce = "",
 	.policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 	.policy_reject_on_fail = FALSE,
+	.policy_check_before_auth = TRUE,
+	.policy_check_after_auth = TRUE,
+	.policy_report_after_auth = TRUE,
 	.policy_hash_truncate = 12,

 	.stats = FALSE,
--- a/src/auth/auth-settings.h	Mon Feb 05 14:26:15 2018 +0200
+++ b/src/auth/auth-settings.h	Tue Feb 06 09:48:11 2018 +0200
@@ -63,6 +63,9 @@
 	const char *policy_hash_nonce;
 	const char *policy_request_attributes;
 	bool policy_reject_on_fail;
+	bool policy_check_before_auth;
+	bool policy_check_after_auth;
+	bool policy_report_after_auth;
 	unsigned int policy_hash_truncate;

 	bool stats;