auth: Add policy check configuration options
authorAki Tuomi <aki.tuomi@dovecot.fi>
Tue, 6 Feb 2018 07:48:11 +0000 (09:48 +0200)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Wed, 7 Feb 2018 16:20:24 +0000 (18:20 +0200)
Allows disabling the before-auth and after-auth policy checks, or policy reporting.

src/auth/auth-request-handler.c
src/auth/auth-request.c
src/auth/auth-settings.c
src/auth/auth-settings.h

index 06bcb902462b80cdf5f7f61ef681d56f31ad5a65..9bde23919e185ba3965f51ccb89b262b333fc712 100644 (file)
@@ -217,7 +217,8 @@ auth_request_handle_failure(struct auth_request *request, const char *reply)
        auth_request_ref(request);
        auth_request_handler_remove(handler, request);
 
-       auth_policy_report(request);
+       if (request->set->policy_report_after_auth)
+               auth_policy_report(request);
 
        if (auth_fields_exists(request->extra_fields, "nodelay")) {
                /* passdb specifically requested not to delay the reply. */
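Review bot: The `if (request->set->policy_report_after_auth)` guard is written out at both call sites of auth_policy_report(), here and in auth_request_handler_reply_success_finish in the next hunk, so a third caller added later can easily miss it. Moving the test into auth_policy_report() itself, e.g. `if (!request->set->policy_report_after_auth) return;` as its first statement, keeps the decision in one place and lets both call sites stay as they were. Since the setting defaults to TRUE in auth-settings.c the previous behaviour is preserved either way, so this is a style point only. auth_request_handle_failure's body continues outside the hunk.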
@@ -265,7 +266,8 @@ auth_request_handler_reply_success_finish(struct auth_request *request)
        str_append_tabescaped(str, request->user);
        auth_str_append_extra_fields(request, str);
 
-       auth_policy_report(request);
+       if (request->set->policy_report_after_auth)
+               auth_policy_report(request);
 
        if (handler->master_callback == NULL ||
            auth_fields_exists(request->extra_fields, "nologin") ||
index 0340a4d32088267b2f304cf9655067064a958895..acf4d467bb415f5cd31cff209a8e4ce3086ba72d 100644 (file)
@@ -158,8 +158,18 @@ void auth_request_success(struct auth_request *request,
 {
        i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
 
-       /* perform second policy lookup here */
+       if (!request->set->policy_check_after_auth) {
+               buffer_t buf;
+               buffer_create_from_const_data(&buf, "", 0);
+               struct auth_policy_check_ctx ctx = {
+                       .success_data = &buf,
+                       .request = request
+               };
+               auth_request_policy_check_callback(0, &ctx);
+               return;
+       }
 
+       /* perform second policy lookup here */
        struct auth_policy_check_ctx *ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
        ctx->request = request;
        ctx->success_data = buffer_create_dynamic(request->pool, data_size);
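Review bot: When policy_check_after_auth is disabled the callback is handed an empty success buffer (`buffer_create_from_const_data(&buf, "", 0)`), whereas the enabled path below sizes its buffer from data_size and presumably copies the caller's bytes into it; if the mechanism's success data is consumed downstream, the skip path should wrap the same bytes, `buffer_create_from_const_data(&buf, data, data_size);`, assuming `data` is the parameter paired with data_size. The enabled path also allocates ctx from request->pool, which hints that it may outlive this call; if auth_request_policy_check_callback ever retains ctx or ctx->success_data past its return, the stack-allocated buf and ctx here would dangle, so that lifetime should be confirmed. auth_request_success's signature starts in the hunk header and its body continues past the hunk.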
@@ -1045,7 +1055,7 @@ void auth_request_verify_plain(struct auth_request *request,
                i_assert(request->mech_password == password);
        request->user_changed_by_lookup = FALSE;
 
-       if (request->policy_processed) {
+       if (request->policy_processed || !request->set->policy_check_before_auth) {
                auth_request_verify_plain_continue(request, callback);
        } else {
                ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
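Review bot: Skipping the pre-auth lookup when policy_check_before_auth is off leaves request->policy_processed at its initial value, since the flag appears to be set only on the policy-callback path, so later code that reads it cannot tell "check disabled" from "not yet checked". The same applies to auth_request_lookup_credentials in the following hunk. If nothing downstream depends on the flag this is harmless; otherwise setting it explicitly in the skip case, e.g. `if (!request->set->policy_check_before_auth) request->policy_processed = TRUE;` ahead of the test, would make the state unambiguous. auth_request_verify_plain's body continues outside the hunk.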
@@ -1235,7 +1245,7 @@ void auth_request_lookup_credentials(struct auth_request *request,
                request->credentials_scheme = p_strdup(request->pool, scheme);
        request->user_changed_by_lookup = FALSE;
 
-       if (request->policy_processed)
+       if (request->policy_processed || !request->set->policy_check_before_auth)
                auth_request_lookup_credentials_policy_continue(request, callback);
        else {
                ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1255,7 +1265,6 @@ void auth_request_lookup_credentials_policy_continue(struct auth_request *reques
        enum passdb_result result;
 
        i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
-
        if (auth_request_is_disabled_master_user(request)) {
                callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
                return;
index dc301d1195b8c14760e926e382b64c498044d075..6d350aa845fd27daf0408b9ffc3523cc18efea14 100644 (file)
@@ -249,6 +249,9 @@ static const struct setting_define auth_setting_defines[] = {
        DEF(SET_STR, policy_hash_nonce),
        DEF(SET_STR, policy_request_attributes),
        DEF(SET_BOOL, policy_reject_on_fail),
+       DEF(SET_BOOL, policy_check_before_auth),
+       DEF(SET_BOOL, policy_check_after_auth),
+       DEF(SET_BOOL, policy_report_after_auth),
        DEF(SET_UINT, policy_hash_truncate),
 
        DEF(SET_BOOL, stats),
@@ -304,6 +307,9 @@ static const struct auth_settings auth_default_settings = {
        .policy_hash_nonce = "",
        .policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
        .policy_reject_on_fail = FALSE,
+       .policy_check_before_auth = TRUE,
+       .policy_check_after_auth = TRUE,
+       .policy_report_after_auth = TRUE,
        .policy_hash_truncate = 12,
 
        .stats = FALSE,
index 07ade86a62a9f82716fa77ba6e58bedcd46ad15a..968f118c0e0d5d06e3627bc4094b36608e76689d 100644 (file)
@@ -63,6 +63,9 @@ struct auth_settings {
        const char *policy_hash_nonce;
        const char *policy_request_attributes;
        bool policy_reject_on_fail;
+       bool policy_check_before_auth;
+       bool policy_check_after_auth;
+       bool policy_report_after_auth;
        unsigned int policy_hash_truncate;
 
        bool stats;
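Review bot: The three new bool fields are added to struct auth_settings without a comment, and the neighbouring policy_* fields give no hint of their semantics either. A short comment on each declaration would help: policy_check_before_auth gates the policy lookup in auth_request_verify_plain and auth_request_lookup_credentials, policy_check_after_auth gates the second lookup in auth_request_success, and policy_report_after_auth gates the auth_policy_report() call made by the request handler after success or failure; all three default to TRUE in auth-settings.c. struct auth_settings continues outside the hunk.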