From: Timo Sirainen Date: Mon, 3 Aug 2020 12:10:35 +0000 (+0300) Subject: auth: Move auth_request_export/import*() to auth-request-fields.c X-Git-Tag: 2.3.13~336 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5d940f75826f5ecbc221cfcdf58c034b24e9bdf;p=thirdparty%2Fdovecot%2Fcore.git auth: Move auth_request_export/import*() to auth-request-fields.c --- diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am index 8026a2637c..378e9dfd33 100644 --- a/src/auth/Makefile.am +++ b/src/auth/Makefile.am @@ -97,6 +97,7 @@ libauth_la_SOURCES = \ mech-plain-common.c \ auth-penalty.c \ auth-request.c \ + auth-request-fields.c \ auth-request-handler.c \ auth-request-stats.c \ auth-request-var-expand.c \ diff --git a/src/auth/auth-request-fields.c b/src/auth/auth-request-fields.c new file mode 100644 index 0000000000..208c7399d3 --- /dev/null +++ b/src/auth/auth-request-fields.c @@ -0,0 +1,244 @@ +/* Copyright (c) 2002-2020 Dovecot authors, see the included COPYING file */ + +#include "auth-common.h" +#include "str.h" +#include "strescape.h" +#include "auth-request.h" + +static void +auth_str_add_keyvalue(string_t *dest, const char *key, const char *value) +{ + str_append_c(dest, '\t'); + str_append(dest, key); + if (value != NULL) { + str_append_c(dest, '='); + str_append_tabescaped(dest, value); + } +} + +static void +auth_request_export_fields(string_t *dest, struct auth_fields *auth_fields, + const char *prefix) +{ + const ARRAY_TYPE(auth_field) *fields = auth_fields_export(auth_fields); + const struct auth_field *field; + + array_foreach(fields, field) { + str_printfa(dest, "\t%s%s", prefix, field->key); + if (field->value != NULL) { + str_append_c(dest, '='); + str_append_tabescaped(dest, field->value); + } + } +} + +void auth_request_export(struct auth_request *request, string_t *dest) +{ + const struct auth_request_fields *fields = &request->fields; + + str_append(dest, "user="); + str_append_tabescaped(dest, fields->user); + + auth_str_add_keyvalue(dest, "service", fields->service); + + if (fields->master_user != NULL) + auth_str_add_keyvalue(dest, "master-user", fields->master_user); + auth_str_add_keyvalue(dest, "original-username", + fields->original_username); + if (fields->requested_login_user != NULL) { + auth_str_add_keyvalue(dest, "requested-login-user", + fields->requested_login_user); + } + + if (fields->local_ip.family != 0) { + auth_str_add_keyvalue(dest, "lip", + net_ip2addr(&fields->local_ip)); + } + if (fields->remote_ip.family != 0) { + auth_str_add_keyvalue(dest, "rip", + net_ip2addr(&fields->remote_ip)); + } + if (fields->local_port != 0) + str_printfa(dest, "\tlport=%u", fields->local_port); + if (fields->remote_port != 0) + str_printfa(dest, "\trport=%u", fields->remote_port); + if (fields->real_local_ip.family != 0) { + auth_str_add_keyvalue(dest, "real_lip", + net_ip2addr(&fields->real_local_ip)); + } + if (fields->real_remote_ip.family != 0) { + auth_str_add_keyvalue(dest, "real_rip", + net_ip2addr(&fields->real_remote_ip)); + } + if (fields->real_local_port != 0) + str_printfa(dest, "\treal_lport=%u", fields->real_local_port); + if (fields->real_remote_port != 0) + str_printfa(dest, "\treal_rport=%u", fields->real_remote_port); + if (fields->local_name != 0) { + str_append(dest, "\tlocal_name="); + str_append_tabescaped(dest, fields->local_name); + } + if (fields->session_id != NULL) + str_printfa(dest, "\tsession=%s", fields->session_id); + if (event_want_debug(request->event)) + str_append(dest, "\tdebug"); + switch (fields->secured) { + case AUTH_REQUEST_SECURED_NONE: break; + case AUTH_REQUEST_SECURED: str_append(dest, "\tsecured"); break; + case AUTH_REQUEST_SECURED_TLS: str_append(dest, "\tsecured=tls"); break; + default: break; + } + if (fields->skip_password_check) + str_append(dest, "\tskip-password-check"); + if (fields->delayed_credentials != NULL) + str_append(dest, "\tdelayed-credentials"); + if (fields->valid_client_cert) + str_append(dest, "\tvalid-client-cert"); + if (fields->no_penalty) + str_append(dest, "\tno-penalty"); + if (fields->successful) + str_append(dest, "\tsuccessful"); + if (fields->mech_name != NULL) + auth_str_add_keyvalue(dest, "mech", fields->mech_name); + if (fields->client_id != NULL) + auth_str_add_keyvalue(dest, "client_id", fields->client_id); + /* export passdb extra fields */ + auth_request_export_fields(dest, fields->extra_fields, "passdb_"); + /* export any userdb fields */ + if (fields->userdb_reply != NULL) + auth_request_export_fields(dest, fields->userdb_reply, "userdb_"); +} + +bool auth_request_import_info(struct auth_request *request, + const char *key, const char *value) +{ + struct auth_request_fields *fields = &request->fields; + + i_assert(value != NULL); + + /* authentication and user lookups may set these */ + if (strcmp(key, "service") == 0) + fields->service = p_strdup(request->pool, value); + else if (strcmp(key, "lip") == 0) { + (void)net_addr2ip(value, &fields->local_ip); + if (fields->real_local_ip.family == 0) + fields->real_local_ip = fields->local_ip; + } else if (strcmp(key, "rip") == 0) { + (void)net_addr2ip(value, &fields->remote_ip); + if (fields->real_remote_ip.family == 0) + fields->real_remote_ip = fields->remote_ip; + } else if (strcmp(key, "lport") == 0) { + (void)net_str2port(value, &fields->local_port); + if (fields->real_local_port == 0) + fields->real_local_port = fields->local_port; + } else if (strcmp(key, "rport") == 0) { + (void)net_str2port(value, &fields->remote_port); + if (fields->real_remote_port == 0) + fields->real_remote_port = fields->remote_port; + } + else if (strcmp(key, "real_lip") == 0) + (void)net_addr2ip(value, &fields->real_local_ip); + else if (strcmp(key, "real_rip") == 0) + (void)net_addr2ip(value, &fields->real_remote_ip); + else if (strcmp(key, "real_lport") == 0) + (void)net_str2port(value, &fields->real_local_port); + else if (strcmp(key, "real_rport") == 0) + (void)net_str2port(value, &fields->real_remote_port); + else if (strcmp(key, "local_name") == 0) + fields->local_name = p_strdup(request->pool, value); + else if (strcmp(key, "session") == 0) + fields->session_id = p_strdup(request->pool, value); + else if (strcmp(key, "debug") == 0) + event_set_forced_debug(request->event, TRUE); + else if (strcmp(key, "client_id") == 0) + fields->client_id = p_strdup(request->pool, value); + else if (strcmp(key, "forward_fields") == 0) { + auth_fields_import_prefixed(fields->extra_fields, + "forward_", value, 0); + /* make sure the forward_ fields aren't deleted by + auth_fields_rollback() if the first passdb lookup fails. */ + auth_fields_snapshot(fields->extra_fields); + } else + return FALSE; + /* NOTE: keep in sync with auth_request_export() */ + return TRUE; +} + +bool auth_request_import_auth(struct auth_request *request, + const char *key, const char *value) +{ + struct auth_request_fields *fields = &request->fields; + + i_assert(value != NULL); + + if (auth_request_import_info(request, key, value)) + return TRUE; + + /* auth client may set these */ + if (strcmp(key, "secured") == 0) { + if (strcmp(value, "tls") == 0) + fields->secured = AUTH_REQUEST_SECURED_TLS; + else + fields->secured = AUTH_REQUEST_SECURED; + } + else if (strcmp(key, "final-resp-ok") == 0) + fields->final_resp_ok = TRUE; + else if (strcmp(key, "no-penalty") == 0) + fields->no_penalty = TRUE; + else if (strcmp(key, "valid-client-cert") == 0) + fields->valid_client_cert = TRUE; + else if (strcmp(key, "cert_username") == 0) { + if (request->set->ssl_username_from_cert && *value != '\0') { + /* get username from SSL certificate. it overrides + the username given by the auth mechanism. */ + fields->user = p_strdup(request->pool, value); + fields->cert_username = TRUE; + } + } else { + return FALSE; + } + return TRUE; +} + +bool auth_request_import(struct auth_request *request, + const char *key, const char *value) +{ + struct auth_request_fields *fields = &request->fields; + + i_assert(value != NULL); + + if (auth_request_import_auth(request, key, value)) + return TRUE; + + /* for communication between auth master and worker processes */ + if (strcmp(key, "user") == 0) + fields->user = p_strdup(request->pool, value); + else if (strcmp(key, "master-user") == 0) + fields->master_user = p_strdup(request->pool, value); + else if (strcmp(key, "original-username") == 0) + fields->original_username = p_strdup(request->pool, value); + else if (strcmp(key, "requested-login-user") == 0) + fields->requested_login_user = p_strdup(request->pool, value); + else if (strcmp(key, "successful") == 0) + fields->successful = TRUE; + else if (strcmp(key, "skip-password-check") == 0) + fields->skip_password_check = TRUE; + else if (strcmp(key, "delayed-credentials") == 0) { + /* just make passdb_handle_credentials() work identically in + auth-worker as it does in auth-master. the worker shouldn't + care about the actual contents of the credentials. */ + fields->delayed_credentials = &uchar_nul; + fields->delayed_credentials_size = 1; + } else if (strcmp(key, "mech") == 0) + fields->mech_name = p_strdup(request->pool, value); + else if (str_begins(key, "passdb_")) + auth_fields_add(fields->extra_fields, key+7, value, 0); + else if (str_begins(key, "userdb_")) { + if (fields->userdb_reply == NULL) + fields->userdb_reply = auth_fields_init(request->pool); + auth_fields_add(fields->userdb_reply, key+7, value, 0); + } else + return FALSE; + + return TRUE; +} diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c index 4211664982..4dd60ef1e7 100644 --- a/src/auth/auth-request.c +++ b/src/auth/auth-request.c @@ -375,201 +375,6 @@ void auth_request_unref(struct auth_request **_request) pool_unref(&request->pool); } -static void -auth_str_add_keyvalue(string_t *dest, const char *key, const char *value) -{ - str_append_c(dest, '\t'); - str_append(dest, key); - if (value != NULL) { - str_append_c(dest, '='); - str_append_tabescaped(dest, value); - } -} - -static void -auth_request_export_fields(string_t *dest, struct auth_fields *auth_fields, - const char *prefix) -{ - const ARRAY_TYPE(auth_field) *fields = auth_fields_export(auth_fields); - const struct auth_field *field; - - array_foreach(fields, field) { - str_printfa(dest, "\t%s%s", prefix, field->key); - if (field->value != NULL) { - str_append_c(dest, '='); - str_append_tabescaped(dest, field->value); - } - } -} - -void auth_request_export(struct auth_request *request, string_t *dest) -{ - const struct auth_request_fields *fields = &request->fields; - - str_append(dest, "user="); - str_append_tabescaped(dest, fields->user); - - auth_str_add_keyvalue(dest, "service", fields->service); - - if (fields->master_user != NULL) - auth_str_add_keyvalue(dest, "master-user", fields->master_user); - auth_str_add_keyvalue(dest, "original-username", - fields->original_username); - if (fields->requested_login_user != NULL) { - auth_str_add_keyvalue(dest, "requested-login-user", - fields->requested_login_user); - } - - if (fields->local_ip.family != 0) { - auth_str_add_keyvalue(dest, "lip", - net_ip2addr(&fields->local_ip)); - } - if (fields->remote_ip.family != 0) { - auth_str_add_keyvalue(dest, "rip", - net_ip2addr(&fields->remote_ip)); - } - if (fields->local_port != 0) - str_printfa(dest, "\tlport=%u", fields->local_port); - if (fields->remote_port != 0) - str_printfa(dest, "\trport=%u", fields->remote_port); - if (fields->real_local_ip.family != 0) { - auth_str_add_keyvalue(dest, "real_lip", - net_ip2addr(&fields->real_local_ip)); - } - if (fields->real_remote_ip.family != 0) { - auth_str_add_keyvalue(dest, "real_rip", - net_ip2addr(&fields->real_remote_ip)); - } - if (fields->real_local_port != 0) - str_printfa(dest, "\treal_lport=%u", fields->real_local_port); - if (fields->real_remote_port != 0) - str_printfa(dest, "\treal_rport=%u", fields->real_remote_port); - if (fields->local_name != 0) { - str_append(dest, "\tlocal_name="); - str_append_tabescaped(dest, fields->local_name); - } - if (fields->session_id != NULL) - str_printfa(dest, "\tsession=%s", fields->session_id); - if (event_want_debug(request->event)) - str_append(dest, "\tdebug"); - switch (fields->secured) { - case AUTH_REQUEST_SECURED_NONE: break; - case AUTH_REQUEST_SECURED: str_append(dest, "\tsecured"); break; - case AUTH_REQUEST_SECURED_TLS: str_append(dest, "\tsecured=tls"); break; - default: break; - } - if (fields->skip_password_check) - str_append(dest, "\tskip-password-check"); - if (fields->delayed_credentials != NULL) - str_append(dest, "\tdelayed-credentials"); - if (fields->valid_client_cert) - str_append(dest, "\tvalid-client-cert"); - if (fields->no_penalty) - str_append(dest, "\tno-penalty"); - if (fields->successful) - str_append(dest, "\tsuccessful"); - if (fields->mech_name != NULL) - auth_str_add_keyvalue(dest, "mech", fields->mech_name); - if (fields->client_id != NULL) - auth_str_add_keyvalue(dest, "client_id", fields->client_id); - /* export passdb extra fields */ - auth_request_export_fields(dest, fields->extra_fields, "passdb_"); - /* export any userdb fields */ - if (fields->userdb_reply != NULL) - auth_request_export_fields(dest, fields->userdb_reply, "userdb_"); -} - -bool auth_request_import_info(struct auth_request *request, - const char *key, const char *value) -{ - struct auth_request_fields *fields = &request->fields; - - i_assert(value != NULL); - - /* authentication and user lookups may set these */ - if (strcmp(key, "service") == 0) - fields->service = p_strdup(request->pool, value); - else if (strcmp(key, "lip") == 0) { - (void)net_addr2ip(value, &fields->local_ip); - if (fields->real_local_ip.family == 0) - fields->real_local_ip = fields->local_ip; - } else if (strcmp(key, "rip") == 0) { - (void)net_addr2ip(value, &fields->remote_ip); - if (fields->real_remote_ip.family == 0) - fields->real_remote_ip = fields->remote_ip; - } else if (strcmp(key, "lport") == 0) { - (void)net_str2port(value, &fields->local_port); - if (fields->real_local_port == 0) - fields->real_local_port = fields->local_port; - } else if (strcmp(key, "rport") == 0) { - (void)net_str2port(value, &fields->remote_port); - if (fields->real_remote_port == 0) - fields->real_remote_port = fields->remote_port; - } - else if (strcmp(key, "real_lip") == 0) - (void)net_addr2ip(value, &fields->real_local_ip); - else if (strcmp(key, "real_rip") == 0) - (void)net_addr2ip(value, &fields->real_remote_ip); - else if (strcmp(key, "real_lport") == 0) - (void)net_str2port(value, &fields->real_local_port); - else if (strcmp(key, "real_rport") == 0) - (void)net_str2port(value, &fields->real_remote_port); - else if (strcmp(key, "local_name") == 0) - fields->local_name = p_strdup(request->pool, value); - else if (strcmp(key, "session") == 0) - fields->session_id = p_strdup(request->pool, value); - else if (strcmp(key, "debug") == 0) - event_set_forced_debug(request->event, TRUE); - else if (strcmp(key, "client_id") == 0) - fields->client_id = p_strdup(request->pool, value); - else if (strcmp(key, "forward_fields") == 0) { - auth_fields_import_prefixed(fields->extra_fields, - "forward_", value, 0); - /* make sure the forward_ fields aren't deleted by - auth_fields_rollback() if the first passdb lookup fails. */ - auth_fields_snapshot(fields->extra_fields); - } else - return FALSE; - /* NOTE: keep in sync with auth_request_export() */ - return TRUE; -} - -bool auth_request_import_auth(struct auth_request *request, - const char *key, const char *value) -{ - struct auth_request_fields *fields = &request->fields; - - i_assert(value != NULL); - - if (auth_request_import_info(request, key, value)) - return TRUE; - - /* auth client may set these */ - if (strcmp(key, "secured") == 0) { - if (strcmp(value, "tls") == 0) - fields->secured = AUTH_REQUEST_SECURED_TLS; - else - fields->secured = AUTH_REQUEST_SECURED; - } - else if (strcmp(key, "final-resp-ok") == 0) - fields->final_resp_ok = TRUE; - else if (strcmp(key, "no-penalty") == 0) - fields->no_penalty = TRUE; - else if (strcmp(key, "valid-client-cert") == 0) - fields->valid_client_cert = TRUE; - else if (strcmp(key, "cert_username") == 0) { - if (request->set->ssl_username_from_cert && *value != '\0') { - /* get username from SSL certificate. it overrides - the username given by the auth mechanism. */ - fields->user = p_strdup(request->pool, value); - fields->cert_username = TRUE; - } - } else { - return FALSE; - } - return TRUE; -} - bool auth_request_import_master(struct auth_request *request, const char *key, const char *value) { @@ -588,49 +393,6 @@ bool auth_request_import_master(struct auth_request *request, return TRUE; } -bool auth_request_import(struct auth_request *request, - const char *key, const char *value) -{ - struct auth_request_fields *fields = &request->fields; - - i_assert(value != NULL); - - if (auth_request_import_auth(request, key, value)) - return TRUE; - - /* for communication between auth master and worker processes */ - if (strcmp(key, "user") == 0) - fields->user = p_strdup(request->pool, value); - else if (strcmp(key, "master-user") == 0) - fields->master_user = p_strdup(request->pool, value); - else if (strcmp(key, "original-username") == 0) - fields->original_username = p_strdup(request->pool, value); - else if (strcmp(key, "requested-login-user") == 0) - fields->requested_login_user = p_strdup(request->pool, value); - else if (strcmp(key, "successful") == 0) - fields->successful = TRUE; - else if (strcmp(key, "skip-password-check") == 0) - fields->skip_password_check = TRUE; - else if (strcmp(key, "delayed-credentials") == 0) { - /* just make passdb_handle_credentials() work identically in - auth-worker as it does in auth-master. the worker shouldn't - care about the actual contents of the credentials. */ - fields->delayed_credentials = &uchar_nul; - fields->delayed_credentials_size = 1; - } else if (strcmp(key, "mech") == 0) - fields->mech_name = p_strdup(request->pool, value); - else if (str_begins(key, "passdb_")) - auth_fields_add(fields->extra_fields, key+7, value, 0); - else if (str_begins(key, "userdb_")) { - if (fields->userdb_reply == NULL) - fields->userdb_reply = auth_fields_init(request->pool); - auth_fields_add(fields->userdb_reply, key+7, value, 0); - } else - return FALSE; - - return TRUE; -} - static bool auth_request_fail_on_nuls(struct auth_request *request, const unsigned char *data, size_t data_size) {