From cdf00f56f959c078dc5201d60e6bb88f3a7263af Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Mon, 6 Feb 2017 12:56:27 +0200
Subject: [PATCH] auth: Add mechanism filter for passdbs

---
 src/auth/auth-request.c | 10 ++++++++++
 src/auth/auth-settings.c | 2 ++
 src/auth/auth-settings.h | 1 +
 src/auth/passdb.c | 7 +++++++
 src/auth/passdb.h | 3 +++
 5 files changed, 23 insertions(+)

diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index aefa0ad217..4ba7069ed2 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -614,6 +614,16 @@ static bool auth_request_want_skip_passdb(struct auth_request *request,
 			      struct auth_passdb *passdb)
 {
+	/* if mechanism is not supported, skip */
+	const char *const *mech = passdb->passdb->mechanisms;
+
+	/* if request->mech == NULL it means we are doing
+	   lookup without authentication and should not match this */
+	if (mech != NULL && (request->mech == NULL ||
+	    !str_array_icase_find(mech, request->mech->mech_name))) {
+		return TRUE;
+	}
+
 	/* skip_password_check basically specifies if authentication is
 	   finished */
 	bool authenticated = request->skip_password_check;
 
diff --git a/src/auth/auth-settings.c b/src/auth/auth-settings.c
index 00a815c095..101a4b2c9d 100644
--- a/src/auth/auth-settings.c
+++ b/src/auth/auth-settings.c
@@ -113,6 +113,7 @@ static const struct setting_define auth_passdb_setting_defines[] = {
 	DEF(SET_STR, args),
 	DEF(SET_STR, default_fields),
 	DEF(SET_STR, override_fields),
+	DEF(SET_STR, mechanisms),
 
 	DEF(SET_ENUM, skip),
 	DEF(SET_ENUM, result_success),
@@ -133,6 +134,7 @@ static const struct auth_passdb_settings auth_passdb_default_settings = {
 	.args = "",
 	.default_fields = "",
 	.override_fields = "",
+	.mechanisms = "",
 
 	.skip = "never:authenticated:unauthenticated",
 	.result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail",
diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h
index 1daf9c18b5..f7839643d0 100644
--- a/src/auth/auth-settings.h
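Review bot: The skip condition depends on a three-state encoding of `passdb->passdb->mechanisms` (NULL, an empty NULL-terminated list, a list of names) that only passdb.h spells out, and the added comment `/* if mechanism is not supported, skip */` does not say that an empty list skips every request. A reader also has to infer that a request with `request->mech == NULL` is skipped whenever any filter is configured, not just for a `none` filter. Suggest replacing the first comment with `/* mechanisms == NULL means no filter; an empty list ("none") matches no mechanism, so the passdb is skipped for every request, including lookups without a mechanism */`. auth_request_want_skip_passdb continues past the end of the hunk.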
+++ b/src/auth/auth-settings.h
@@ -10,6 +10,7 @@ struct auth_passdb_settings {
 	const char *args;
 	const char *default_fields;
 	const char *override_fields;
+	const char *mechanisms;
 
 	const char *skip;
 	const char *result_success;
diff --git a/src/auth/passdb.c b/src/auth/passdb.c
index f33034c7c5..112bdc95fb 100644
--- a/src/auth/passdb.c
+++ b/src/auth/passdb.c
@@ -223,6 +223,13 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
 	passdb->id = ++auth_passdb_id;
 	passdb->iface = *iface;
 	passdb->args = p_strdup(pool, set->args);
+	if (*set->mechanisms == '\0') {
+		passdb->mechanisms = NULL;
+	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+		passdb->mechanisms = (const char *const[]){NULL};
+	} else {
+		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+	}
 
 	array_append(&passdb_modules, &passdb, 1);
 	return passdb;
diff --git a/src/auth/passdb.h b/src/auth/passdb.h
index 922ec00912..636537b8af 100644
--- a/src/auth/passdb.h
+++ b/src/auth/passdb.h
@@ -62,6 +62,9 @@ struct passdb_module {
 	/* Default password scheme for this module.
 	   If cache_key is set, must not be NULL. */
 	const char *default_pass_scheme;
+	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+	const char *const *mechanisms;
+
 	/* If blocking is set to TRUE, use child processes to access
 	   this passdb. */
 	bool blocking;
-- 
2.47.3
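Review bot: `passdb->mechanisms = (const char *const[]){NULL};` stores the address of a compound literal created inside passdb_preinit, and in C99/C11 a compound literal inside a function body has automatic storage duration tied to the enclosing block, so the pointer dangles once the function returns and is later dereferenced through str_array_icase_find() in the auth-request.c hunk; a compiler may happen to place a const literal in read-only storage, but nothing guarantees it. An object with static lifetime is the fix: `static const char *const no_mechanisms[] = { NULL };` followed by `passdb->mechanisms = no_mechanisms;`. Separately, the cast on the `p_strsplit_spaces()` line is spelled `const char* const*` while the surrounding code writes `const char *const *`; matching that keeps the file consistent. passdb_preinit's body starts before this hunk.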
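Review bot: The new field comment `/* Supported authentication mechanisms, NULL is all, [NULL] is none*/` does not say what a non-NULL value holds or how it is compared, and it lacks a space before `*/`. Since the auth-request.c hunk matches entries with str_array_icase_find() against `request->mech->mech_name`, suggest `/* NULL-terminated list of authentication mechanism names this passdb serves, matched case-insensitively; NULL means no filter, an empty list means none. */`.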