From: Timo Sirainen <tss@iki.fi>
Date: Fri, 4 Mar 2011 16:51:46 +0000 (+0200)
Subject: auth: Allow clients to specify that they want to skip auth penalty check.
X-Git-Tag: 2.0.10~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8702d15ee7721ed1fcfc8f00a589970bd6b3598;p=thirdparty%2Fdovecot%2Fcore.git

auth: Allow clients to specify that they want to skip auth penalty check.
This is "safe", because the clients specify the IP for the penalty check
anyway.
---

diff --git a/src/auth/auth-penalty.c b/src/auth/auth-penalty.c
index 51b104559b..0b135fb1bc 100644
--- a/src/auth/auth-penalty.c
+++ b/src/auth/auth-penalty.c
@@ -123,7 +123,7 @@ void auth_penalty_lookup(struct auth_penalty *penalty,
 	const char *ident;
 
 	ident = auth_penalty_get_ident(auth_request);
-	if (penalty->disabled || ident == NULL) {
+	if (penalty->disabled || ident == NULL || auth_request->no_penalty) {
 		callback(0, auth_request);
 		return;
 	}
@@ -155,7 +155,7 @@ void auth_penalty_update(struct auth_penalty *penalty,
 	const char *ident;
 
 	ident = auth_penalty_get_ident(auth_request);
-	if (penalty->disabled || ident == NULL)
+	if (penalty->disabled || ident == NULL || auth_request->no_penalty)
 		return;
 
 	if (value > AUTH_PENALTY_MAX_PENALTY) {
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index aa8bc580f7..0d9866bead 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -197,6 +197,8 @@ void auth_request_export(struct auth_request *request,
 		auth_stream_reply_add(reply, "skip_password_check", "1");
 	if (request->valid_client_cert)
 		auth_stream_reply_add(reply, "valid-client-cert", "1");
+	if (request->no_penalty)
+		auth_stream_reply_add(reply, "no-penalty", "1");
 	if (request->mech_name != NULL)
 		auth_stream_reply_add(reply, "mech", request->mech_name);
 }
@@ -235,6 +237,8 @@ bool auth_request_import(struct auth_request *request,
 		request->no_login = TRUE;
 	else if (strcmp(key, "valid-client-cert") == 0)
 		request->valid_client_cert = TRUE;
+	else if (strcmp(key, "no-penalty") == 0)
+		request->no_penalty = TRUE;
 	else if (strcmp(key, "skip_password_check") == 0) {
 		i_assert(request->master_user !=  NULL);
 		request->skip_password_check = TRUE;
diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
index 081112ec41..048c60a4ef 100644
--- a/src/auth/auth-request.h
+++ b/src/auth/auth-request.h
@@ -106,6 +106,7 @@ struct auth_request {
 	unsigned int proxy:1;
 	unsigned int proxy_maybe:1;
 	unsigned int valid_client_cert:1;
+	unsigned int no_penalty:1;
 	unsigned int cert_username:1;
 	unsigned int userdb_lookup:1;
 	unsigned int userdb_lookup_failed:1;
diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
index ab2f765066..565189fc20 100644
--- a/src/lib-auth/auth-client-request.c
+++ b/src/lib-auth/auth-client-request.c
@@ -36,6 +36,8 @@ static void auth_server_send_new_request(struct auth_server_connection *conn,
 
 	if ((info->flags & AUTH_REQUEST_FLAG_SECURED) != 0)
 		str_append(str, "\tsecured");
+	if ((info->flags & AUTH_REQUEST_FLAG_NO_PENALTY) != 0)
+		str_append(str, "\tno-penalty");
 	if ((info->flags & AUTH_REQUEST_FLAG_VALID_CLIENT_CERT) != 0)
 		str_append(str, "\tvalid-client-cert");
 
diff --git a/src/lib-auth/auth-client.h b/src/lib-auth/auth-client.h
index 3ece6f1070..e6f79525e6 100644
--- a/src/lib-auth/auth-client.h
+++ b/src/lib-auth/auth-client.h
@@ -9,7 +9,9 @@ struct auth_client_request;
 
 enum auth_request_flags {
 	AUTH_REQUEST_FLAG_SECURED		= 0x01,
-	AUTH_REQUEST_FLAG_VALID_CLIENT_CERT	= 0x02
+	AUTH_REQUEST_FLAG_VALID_CLIENT_CERT	= 0x02,
+	/* Skip penalty checks for this request */
+	AUTH_REQUEST_FLAG_NO_PENALTY		= 0x04
 };
 
 enum auth_request_status {