Mercurial > dovecot > original-hg > dovecot-1.2
annotate src/auth/auth-request-handler.c @ 9266:cd29b745c8dd HEAD
configure: clock_gettime()'s -lrt adding dropped everything else from $LIBS.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Mon, 27 Jul 2009 06:32:42 -0400 |
parents | ee173ea99ea6 |
children | 00cd9aacd03c |
rev | line source |
---|---|
8590
b9faf4db2a9f
Updated copyright notices to include year 2009.
Timo Sirainen <tss@iki.fi>
parents:
8574
diff
changeset
|
1 /* Copyright (c) 2005-2009 Dovecot authors, see the included COPYING file */ |
3074 | 2 |
3 #include "common.h" | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
4 #include "ioloop.h" |
7087
a281705a2360
Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
5 #include "array.h" |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
6 #include "aqueue.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
7 #include "base64.h" |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
8 #include "hash.h" |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
9 #include "str.h" |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
10 #include "str-sanitize.h" |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
11 #include "auth-request.h" |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
12 #include "auth-master-connection.h" |
3074 | 13 #include "auth-request-handler.h" |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
14 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
15 #include <stdlib.h> |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
16 |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
17 #define DEFAULT_AUTH_FAILURE_DELAY 2 |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
18 #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
19 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
20 struct auth_request_handler { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
21 int refcount; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
22 pool_t pool; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
23 struct hash_table *requests; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
24 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
25 struct auth *auth; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
26 unsigned int connect_uid, client_pid; |
3074 | 27 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
28 auth_request_callback_t *callback; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
29 void *context; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
30 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
31 auth_request_callback_t *master_callback; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
32 }; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
33 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
34 static ARRAY_DEFINE(auth_failures_arr, struct auth_request *); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
35 static struct aqueue *auth_failures; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
36 static struct timeout *to_auth_failures; |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
37 static unsigned int auth_failure_delay; |
3074 | 38 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
39 static void auth_failure_timeout(void *context); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
40 |
4903
204d7edc7cdc
Added context parameter type safety checks for most callback APIs.
Timo Sirainen <tss@iki.fi>
parents:
4880
diff
changeset
|
41 #undef auth_request_handler_create |
3074 | 42 struct auth_request_handler * |
3518 | 43 auth_request_handler_create(struct auth *auth, |
3074 | 44 auth_request_callback_t *callback, void *context, |
3308
3f090bcaffcc
Allow multiple master connections for a single listener.
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
45 auth_request_callback_t *master_callback) |
3074 | 46 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
47 struct auth_request_handler *handler; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
48 pool_t pool; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
49 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
50 pool = pool_alloconly_create("auth request handler", 4096); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
51 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
52 handler = p_new(pool, struct auth_request_handler, 1); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
53 handler->refcount = 1; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
54 handler->pool = pool; |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
55 handler->requests = hash_table_create(default_pool, pool, 0, NULL, NULL); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
56 handler->auth = auth; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
57 handler->callback = callback; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
58 handler->context = context; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
59 handler->master_callback = master_callback; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
60 return handler; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
61 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
62 |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
63 void auth_request_handler_unref(struct auth_request_handler **_handler) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
64 { |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
65 struct auth_request_handler *handler = *_handler; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
66 struct hash_iterate_context *iter; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
67 void *key, *value; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
68 |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
69 *_handler = NULL; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
70 i_assert(handler->refcount > 0); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
71 if (--handler->refcount > 0) |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
72 return; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
73 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
74 iter = hash_table_iterate_init(handler->requests); |
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
75 while (hash_table_iterate(iter, &key, &value)) { |
3952
d7a0354861b8
If authentication client disconnects while it still has pending requests,
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
76 struct auth_request *auth_request = value; |
d7a0354861b8
If authentication client disconnects while it still has pending requests,
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
77 |
d7a0354861b8
If authentication client disconnects while it still has pending requests,
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
78 auth_request_unref(&auth_request); |
d7a0354861b8
If authentication client disconnects while it still has pending requests,
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
79 } |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
80 hash_table_iterate_deinit(&iter); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
81 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
82 /* notify parent that we're done with all requests */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
83 handler->callback(NULL, handler->context); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
84 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
85 hash_table_destroy(&handler->requests); |
6428
7cad076906eb
pool_unref() now takes ** pointer.
Timo Sirainen <tss@iki.fi>
parents:
6417
diff
changeset
|
86 pool_unref(&handler->pool); |
3077
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
87 } |
3074 | 88 |
3077
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
89 void auth_request_handler_set(struct auth_request_handler *handler, |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
90 unsigned int connect_uid, |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
91 unsigned int client_pid) |
eb46a5dee02d
Changed the way multiple auth processes are handled. It no longer uses a pid
Timo Sirainen <tss@iki.fi>
parents:
3074
diff
changeset
|
92 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
93 handler->connect_uid = connect_uid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
94 handler->client_pid = client_pid; |
3074 | 95 } |
96 | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
97 static void auth_request_handler_remove(struct auth_request_handler *handler, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
98 struct auth_request *request) |
3074 | 99 { |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
100 hash_table_remove(handler->requests, POINTER_CAST(request->id)); |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
101 auth_request_unref(&request); |
3074 | 102 } |
103 | |
104 void auth_request_handler_check_timeouts(struct auth_request_handler *handler) | |
105 { | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
106 struct hash_iterate_context *iter; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
107 void *key, *value; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
108 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
109 iter = hash_table_iterate_init(handler->requests); |
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
110 while (hash_table_iterate(iter, &key, &value)) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
111 struct auth_request *request = value; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
112 |
5586
dad0e22b735a
Changed auth_request->created to last_access and update it a bit more often.
Timo Sirainen <tss@iki.fi>
parents:
5089
diff
changeset
|
113 if (request->last_access + AUTH_REQUEST_TIMEOUT < ioloop_time) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
114 auth_request_handler_remove(handler, request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
115 } |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
116 hash_table_iterate_deinit(&iter); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
117 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
118 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
119 static void get_client_extra_fields(struct auth_request *request, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
120 struct auth_stream_reply *reply) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
121 { |
3520 | 122 const char **fields, *extra_fields; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
123 unsigned int src, dest; |
4758
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
124 bool seen_pass = FALSE; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
125 |
5085 | 126 if (auth_stream_is_empty(request->extra_fields)) |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
127 return; |
5085 | 128 |
129 extra_fields = auth_stream_reply_export(request->extra_fields); | |
3520 | 130 |
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
131 if (!request->proxy) { |
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
132 /* we only wish to remove all fields prefixed with "userdb_" */ |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
133 if (strstr(extra_fields, "userdb_") == NULL) { |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
134 auth_stream_reply_import(reply, extra_fields); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
135 return; |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
136 } |
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
137 } |
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
138 |
4758
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
139 fields = t_strsplit(extra_fields, "\t"); |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
140 for (src = dest = 0; fields[src] != NULL; src++) { |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
141 if (strncmp(fields[src], "userdb_", 7) != 0) { |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
142 if (!seen_pass && strncmp(fields[src], "pass=", 5) == 0) |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
143 seen_pass = TRUE; |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
144 auth_stream_reply_import(reply, fields[src]); |
4758
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
145 } |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
146 } |
2fc38c1e48c4
Don't send "pass" back if it's already set, or if it's not known.
Timo Sirainen <tss@iki.fi>
parents:
4739
diff
changeset
|
147 |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
148 if (request->proxy) { |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
149 /* we're proxying */ |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
150 if (!seen_pass && request->mech_password != NULL) { |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
151 /* send back the password that was sent by user |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
152 (not the password in passdb). */ |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
153 auth_stream_reply_add(reply, "pass", |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
154 request->mech_password); |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
155 } |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
156 if (request->master_user != NULL) { |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
157 /* the master username needs to be forwarded */ |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
158 auth_stream_reply_add(reply, "master", |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
159 request->master_user); |
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8413
diff
changeset
|
160 } |
3432
079ec5c2d665
Last change caused user-given passwords to be cached, and later the password
Timo Sirainen <tss@iki.fi>
parents:
3338
diff
changeset
|
161 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
162 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
163 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
164 static void |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
165 auth_request_handle_failure(struct auth_request *request, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
166 struct auth_stream_reply *reply) |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
167 { |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
168 struct auth_request_handler *handler = request->context; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
169 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
170 if (request->delayed_failure) { |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
171 /* we came here from flush_failures() */ |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
172 handler->callback(reply, handler->context); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
173 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
174 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
175 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
176 /* remove the request from requests-list */ |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
177 auth_request_ref(request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
178 auth_request_handler_remove(handler, request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
179 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
180 if (request->no_failure_delay) { |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
181 /* passdb specifically requested not to delay the |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
182 reply. */ |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
183 handler->callback(reply, handler->context); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
184 auth_request_unref(&request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
185 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
186 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
187 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
188 /* failure. don't announce it immediately to avoid |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
189 a) timing attacks, b) flooding */ |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
190 request->delayed_failure = TRUE; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
191 handler->refcount++; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
192 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
193 request->last_access = ioloop_time; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
194 aqueue_append(auth_failures, &request); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
195 if (to_auth_failures == NULL) { |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
196 to_auth_failures = |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
197 timeout_add(AUTH_FAILURE_DELAY_CHECK_MSECS, |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
198 auth_failure_timeout, NULL); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
199 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
200 } |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
201 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
202 static void auth_callback(struct auth_request *request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
203 enum auth_client_result result, |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
204 const void *auth_reply, size_t reply_size) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
205 { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
206 struct auth_request_handler *handler = request->context; |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
207 struct auth_stream_reply *reply; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
208 string_t *str; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
209 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
210 reply = auth_stream_reply_init(pool_datastack_create()); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
211 switch (result) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
212 case AUTH_CLIENT_RESULT_CONTINUE: |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
213 auth_stream_reply_add(reply, "CONT", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
214 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
215 |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
216 str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
217 base64_encode(auth_reply, reply_size, str); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
218 auth_stream_reply_add(reply, NULL, str_c(str)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
219 |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
220 request->accept_input = TRUE; |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
221 handler->callback(reply, handler->context); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
222 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
223 case AUTH_CLIENT_RESULT_SUCCESS: |
7123
25e7c37c7c10
If proxy user has a password and authentication fails, don't return the
Timo Sirainen <tss@iki.fi>
parents:
7122
diff
changeset
|
224 auth_request_proxy_finish(request, TRUE); |
7122
fb03422c0760
Added "proxy_maybe" field. If it's used instead of "proxy" and the
Timo Sirainen <tss@iki.fi>
parents:
7089
diff
changeset
|
225 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
226 auth_stream_reply_add(reply, "OK", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
227 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
228 auth_stream_reply_add(reply, "user", request->user); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
229 if (reply_size > 0) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
230 str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
231 base64_encode(auth_reply, reply_size, str); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
232 auth_stream_reply_add(reply, "resp", str_c(str)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
233 } |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
234 get_client_extra_fields(request, reply); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
235 if (request->no_login || handler->master_callback == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
236 /* this request doesn't have to wait for master |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
237 process to pick it up. delete it */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
238 auth_request_handler_remove(handler, request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
239 } |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
240 handler->callback(reply, handler->context); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
241 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
242 case AUTH_CLIENT_RESULT_FAILURE: |
7123
25e7c37c7c10
If proxy user has a password and authentication fails, don't return the
Timo Sirainen <tss@iki.fi>
parents:
7122
diff
changeset
|
243 auth_request_proxy_finish(request, FALSE); |
25e7c37c7c10
If proxy user has a password and authentication fails, don't return the
Timo Sirainen <tss@iki.fi>
parents:
7122
diff
changeset
|
244 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
245 auth_stream_reply_add(reply, "FAIL", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
246 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
247 if (request->user != NULL) |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
248 auth_stream_reply_add(reply, "user", request->user); |
8413
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
249 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
250 if (request->internal_failure) |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
251 auth_stream_reply_add(reply, "temp", NULL); |
8413
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
252 else if (request->master_user != NULL) { |
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
253 /* authentication succeeded, but we can't log in |
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
254 as the wanted user */ |
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
255 auth_stream_reply_add(reply, "authz", NULL); |
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8320
diff
changeset
|
256 } |
8574
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8573
diff
changeset
|
257 if (request->no_failure_delay) |
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8573
diff
changeset
|
258 auth_stream_reply_add(reply, "nodelay", NULL); |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
259 get_client_extra_fields(request, reply); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
260 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
261 auth_request_handle_failure(request, reply); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
262 break; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
263 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
264 /* NOTE: request may be destroyed now */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
265 |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
266 auth_request_handler_unref(&handler); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
267 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
268 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
269 static void auth_request_handler_auth_fail(struct auth_request_handler *handler, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
270 struct auth_request *request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
271 const char *reason) |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
272 { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
273 struct auth_stream_reply *reply; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
274 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
275 auth_request_log_info(request, request->mech->mech_name, "%s", reason); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
276 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
277 reply = auth_stream_reply_init(pool_datastack_create()); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
278 auth_stream_reply_add(reply, "FAIL", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
279 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
280 auth_stream_reply_add(reply, "reason", reason); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
281 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
282 handler->callback(reply, handler->context); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
283 auth_request_handler_remove(handler, request); |
3074 | 284 } |
285 | |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
286 bool auth_request_handler_auth_begin(struct auth_request_handler *handler, |
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
287 const char *args) |
3074 | 288 { |
5788
bdb16967be64
Further const'ification of struct mech_module.
Andrey Panin <pazke@donpac.ru>
parents:
5586
diff
changeset
|
289 const struct mech_module *mech; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
290 struct auth_request *request; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
291 const char *const *list, *name, *arg, *initial_resp; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
292 const void *initial_resp_data; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
293 size_t initial_resp_len; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
294 unsigned int id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
295 buffer_t *buf; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
296 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
297 /* <id> <mechanism> [...] */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
298 list = t_strsplit(args, "\t"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
299 if (list[0] == NULL || list[1] == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
300 i_error("BUG: Authentication client %u " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
301 "sent broken AUTH request", handler->client_pid); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
302 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
303 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
304 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
305 id = (unsigned int)strtoul(list[0], NULL, 10); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
306 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
307 mech = mech_module_find(list[1]); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
308 if (mech == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
309 /* unsupported mechanism */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
310 i_error("BUG: Authentication client %u requested unsupported " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
311 "authentication mechanism %s", handler->client_pid, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
312 str_sanitize(list[1], MAX_MECH_NAME_LEN)); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
313 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
314 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
315 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
316 request = auth_request_new(handler->auth, mech, auth_callback, handler); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
317 request->connect_uid = handler->connect_uid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
318 request->client_pid = handler->client_pid; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
319 request->id = id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
320 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
321 /* parse optional parameters */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
322 initial_resp = NULL; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
323 for (list += 2; *list != NULL; list++) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
324 arg = strchr(*list, '='); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
325 if (arg == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
326 name = *list; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
327 arg = ""; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
328 } else { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
329 name = t_strdup_until(*list, arg); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
330 arg++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
331 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
332 |
3338
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3308
diff
changeset
|
333 if (auth_request_import(request, name, arg)) |
e5ce49c8524a
USER auth command requires now service parameter and supports also others
Timo Sirainen <tss@iki.fi>
parents:
3308
diff
changeset
|
334 ; |
4682
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
335 else if (strcmp(name, "resp") == 0) { |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
336 initial_resp = arg; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
337 /* this must be the last parameter */ |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
338 list++; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
339 break; |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
340 } |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
341 } |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
342 |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
343 if (*list != NULL) { |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
344 i_error("BUG: Authentication client %u " |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
345 "sent AUTH parameters after 'resp'", |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
346 handler->client_pid); |
bc071307fc2a
Require that the "resp" parameter for AUTH command is the last.
Timo Sirainen <tss@iki.fi>
parents:
4532
diff
changeset
|
347 return FALSE; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
348 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
349 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
350 if (request->service == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
351 i_error("BUG: Authentication client %u " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
352 "didn't specify service in request", |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
353 handler->client_pid); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
354 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
355 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
356 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
357 hash_table_insert(handler->requests, POINTER_CAST(id), request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
358 |
8320
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
7388
diff
changeset
|
359 if (request->auth->ssl_require_client_cert && |
d49aa6720fb2
Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
Timo Sirainen <tss@iki.fi>
parents:
7388
diff
changeset
|
360 !request->valid_client_cert) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
361 /* we fail without valid certificate */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
362 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
363 "Client didn't present valid SSL certificate"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
364 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
365 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
366 |
9189
ee173ea99ea6
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
367 /* Empty initial response is a "=" base64 string. Completely empty |
ee173ea99ea6
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
368 string shouldn't really be sent, but at least Exim does it, |
ee173ea99ea6
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
369 so just allow it for backwards compatibility.. */ |
ee173ea99ea6
auth: Ignore empty initial response strings.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
370 if (initial_resp == NULL || *initial_resp == '\0') { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
371 initial_resp_data = NULL; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
372 initial_resp_len = 0; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
373 } else { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
374 size_t len = strlen(initial_resp); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
375 buf = buffer_create_dynamic(pool_datastack_create(), |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
376 MAX_BASE64_DECODED_SIZE(len)); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
377 if (base64_decode(initial_resp, len, NULL, buf) < 0) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
378 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
379 "Invalid base64 data in initial response"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
380 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
381 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
382 initial_resp_data = buf->data; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
383 initial_resp_len = buf->used; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
384 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
385 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
386 /* handler is referenced until auth_callback is called. */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
387 handler->refcount++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
388 auth_request_initial(request, initial_resp_data, initial_resp_len); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
389 return TRUE; |
3074 | 390 } |
391 | |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
392 bool auth_request_handler_auth_continue(struct auth_request_handler *handler, |
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3520
diff
changeset
|
393 const char *args) |
3074 | 394 { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
395 struct auth_request *request; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
396 const char *data; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
397 size_t data_len; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
398 buffer_t *buf; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
399 unsigned int id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
400 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
401 data = strchr(args, '\t'); |
5089 | 402 if (data == NULL) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
403 i_error("BUG: Authentication client sent broken CONT request"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
404 return FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
405 } |
5089 | 406 data++; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
407 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
408 id = (unsigned int)strtoul(args, NULL, 10); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
409 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
410 request = hash_table_lookup(handler->requests, POINTER_CAST(id)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
411 if (request == NULL) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
412 struct auth_stream_reply *reply; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
413 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
414 reply = auth_stream_reply_init(pool_datastack_create()); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
415 auth_stream_reply_add(reply, "FAIL", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
416 auth_stream_reply_add(reply, NULL, dec2str(id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
417 auth_stream_reply_add(reply, "reason", "Timeouted"); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
418 handler->callback(reply, handler->context); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
419 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
420 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
421 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
422 /* accept input only once after mechanism has sent a CONT reply */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
423 if (!request->accept_input) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
424 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
425 "Unexpected continuation"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
426 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
427 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
428 request->accept_input = FALSE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
429 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
430 data_len = strlen(data); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
431 buf = buffer_create_dynamic(pool_datastack_create(), |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
432 MAX_BASE64_DECODED_SIZE(data_len)); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
433 if (base64_decode(data, data_len, NULL, buf) < 0) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
434 auth_request_handler_auth_fail(handler, request, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
435 "Invalid base64 data in continued response"); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
436 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
437 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
438 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
439 /* handler is referenced until auth_callback is called. */ |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
440 handler->refcount++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
441 auth_request_continue(request, buf->data, buf->used); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
442 return TRUE; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
443 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
444 |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
445 static void userdb_callback(enum userdb_result result, |
3520 | 446 struct auth_request *request) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
447 { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
448 struct auth_request_handler *handler = request->context; |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
449 struct auth_stream_reply *reply; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
450 |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
451 i_assert(request->state == AUTH_REQUEST_STATE_USERDB); |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
452 |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
453 request->state = AUTH_REQUEST_STATE_FINISHED; |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
454 |
5872
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
455 if (request->userdb_lookup_failed) |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
456 result = USERDB_RESULT_INTERNAL_FAILURE; |
93bd157917ca
Changed userdb callback API. Don't require uid/gid to be returned by userdb.
Timo Sirainen <tss@iki.fi>
parents:
5788
diff
changeset
|
457 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
458 reply = auth_stream_reply_init(pool_datastack_create()); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
459 switch (result) { |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
460 case USERDB_RESULT_INTERNAL_FAILURE: |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
461 auth_stream_reply_add(reply, "FAIL", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
462 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
463 break; |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
464 case USERDB_RESULT_USER_UNKNOWN: |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
465 auth_stream_reply_add(reply, "NOTFOUND", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
466 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
467 break; |
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
468 case USERDB_RESULT_OK: |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
469 auth_stream_reply_add(reply, "USER", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
470 auth_stream_reply_add(reply, NULL, dec2str(request->id)); |
4532
d83f2a6e1f45
When logging in as master user, send it as "master_user" field to master
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
471 if (request->master_user != NULL) { |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
472 auth_stream_reply_add(request->userdb_reply, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
473 "master_user", |
4532
d83f2a6e1f45
When logging in as master user, send it as "master_user" field to master
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
474 request->master_user); |
d83f2a6e1f45
When logging in as master user, send it as "master_user" field to master
Timo Sirainen <tss@iki.fi>
parents:
4451
diff
changeset
|
475 } |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
476 auth_stream_reply_import(reply, |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
477 auth_stream_reply_export(request->userdb_reply)); |
4880
4ec6a4def05b
We treated internal userdb lookup errors as "user unknown" errors. In such
Timo Sirainen <tss@iki.fi>
parents:
4767
diff
changeset
|
478 break; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
479 } |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
480 handler->master_callback(reply, request->master); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
481 |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
482 auth_master_connection_unref(&request->master); |
3879
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
483 auth_request_unref(&request); |
928229f8b3e6
deinit, unref, destroy, close, free, etc. functions now take a pointer to
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
484 auth_request_handler_unref(&handler); |
3074 | 485 } |
486 | |
487 void auth_request_handler_master_request(struct auth_request_handler *handler, | |
3308
3f090bcaffcc
Allow multiple master connections for a single listener.
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
488 struct auth_master_connection *master, |
3074 | 489 unsigned int id, |
490 unsigned int client_id) | |
491 { | |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
492 struct auth_request *request; |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
493 struct auth_stream_reply *reply; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
494 |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
495 reply = auth_stream_reply_init(pool_datastack_create()); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
496 |
8573
f9166a09423a
Renamed hash_*() to hash_table_*() to avoid conflicts with OSX's strhash.h
Timo Sirainen <tss@iki.fi>
parents:
8546
diff
changeset
|
497 request = hash_table_lookup(handler->requests, POINTER_CAST(client_id)); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
498 if (request == NULL) { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
499 i_error("Master request %u.%u not found", |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
500 handler->client_pid, client_id); |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
501 auth_stream_reply_add(reply, "NOTFOUND", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
502 auth_stream_reply_add(reply, NULL, dec2str(id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
503 handler->master_callback(reply, master); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
504 return; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
505 } |
3074 | 506 |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
507 auth_request_ref(request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
508 auth_request_handler_remove(handler, request); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
509 |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
510 if (request->state != AUTH_REQUEST_STATE_FINISHED || |
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
511 !request->successful) { |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
512 i_error("Master requested unfinished authentication request " |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
513 "%u.%u", handler->client_pid, client_id); |
7388
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
514 auth_stream_reply_add(reply, "NOTFOUND", NULL); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
515 auth_stream_reply_add(reply, NULL, dec2str(id)); |
08d31d752893
Use auth-stream API to build all TAB-delimited strings to make sure strings
Timo Sirainen <tss@iki.fi>
parents:
7384
diff
changeset
|
516 handler->master_callback(reply, master); |
4401
10cdcfe98cfc
Fixed memory leak in error handling.
Timo Sirainen <tss@iki.fi>
parents:
3952
diff
changeset
|
517 auth_request_unref(&request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
518 } else { |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
519 /* the request isn't being referenced anywhere anymore, |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
520 so we can do a bit of kludging.. replace the request's |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
521 old client_id with master's id. */ |
3171
8a3b57385eca
Added state variable for auth_request and several assertions to make sure
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
522 request->state = AUTH_REQUEST_STATE_USERDB; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
523 request->id = id; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
524 request->context = handler; |
3308
3f090bcaffcc
Allow multiple master connections for a single listener.
Timo Sirainen <tss@iki.fi>
parents:
3171
diff
changeset
|
525 request->master = master; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
526 |
5038
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
527 /* master and handler are referenced until userdb_callback i |
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
528 s called. */ |
b2921478f94f
Several fixes to handling deinitialization without crashing.
Timo Sirainen <tss@iki.fi>
parents:
5005
diff
changeset
|
529 auth_master_connection_ref(master); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
530 handler->refcount++; |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
531 auth_request_lookup_user(request, userdb_callback); |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
532 } |
3074 | 533 } |
534 | |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
535 void auth_request_handler_flush_failures(bool flush_all) |
3074 | 536 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
537 struct auth_request **auth_requests, *auth_request; |
7087
a281705a2360
Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
538 unsigned int i, count; |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
539 time_t diff; |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
540 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
541 count = aqueue_count(auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
542 if (count == 0) { |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
543 if (to_auth_failures != NULL) |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
544 timeout_remove(&to_auth_failures); |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
545 return; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
546 } |
3074 | 547 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
548 auth_requests = array_idx_modifiable(&auth_failures_arr, 0); |
7087
a281705a2360
Converted some buffers to arrays.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
549 for (i = 0; i < count; i++) { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
550 auth_request = auth_requests[aqueue_idx(auth_failures, 0)]; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
551 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
552 diff = ioloop_time - auth_request->last_access; |
7384 | 553 if (diff < (time_t)auth_failure_delay && !flush_all) |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
554 break; |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
555 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
556 aqueue_delete_tail(auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
557 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
558 i_assert(auth_request->state == AUTH_REQUEST_STATE_FINISHED); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
559 auth_request->callback(auth_request, |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
560 AUTH_CLIENT_RESULT_FAILURE, NULL, 0); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
561 auth_request_unref(&auth_request); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
562 } |
3074 | 563 } |
564 | |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
5872
diff
changeset
|
565 static void auth_failure_timeout(void *context ATTR_UNUSED) |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
566 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
567 auth_request_handler_flush_failures(FALSE); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
568 } |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
569 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
570 void auth_request_handler_init(void) |
3074 | 571 { |
7089
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
572 const char *env; |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
573 |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
574 env = getenv("FAILURE_DELAY"); |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
575 auth_failure_delay = env != NULL ? atoi(env) : |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
576 DEFAULT_AUTH_FAILURE_DELAY; |
10d49a20b04e
Added auth_failure_delay setting.
Timo Sirainen <tss@iki.fi>
parents:
7088
diff
changeset
|
577 |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
578 i_array_init(&auth_failures_arr, 128); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
579 auth_failures = aqueue_init(&auth_failures_arr.arr); |
3074 | 580 } |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
581 |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
582 void auth_request_handler_deinit(void) |
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
583 { |
7088
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
584 auth_request_handler_flush_failures(TRUE); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
585 array_free(&auth_failures_arr); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
586 aqueue_deinit(&auth_failures); |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
587 |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
588 if (to_auth_failures != NULL) |
958500009336
Make sure failed auth requests stay in failure buffer for at least a second.
Timo Sirainen <tss@iki.fi>
parents:
7087
diff
changeset
|
589 timeout_remove(&to_auth_failures); |
3166
e6a487d80288
Restructuring of auth code. Balancer auth processes were a bad idea. Usually
Timo Sirainen <tss@iki.fi>
parents:
3077
diff
changeset
|
590 } |