auth: Move all final SASL response handling to login-common
authorStephan Bosch <stephan.bosch@open-xchange.com>
Mon, 2 Oct 2023 23:29:25 +0000 (01:29 +0200)
committerstephan.bosch <stephan.bosch@open-xchange.com>
Mon, 23 Oct 2023 15:50:54 +0000 (15:50 +0000)
The success response was still being handled in the auth service, which makes little sense.

src/auth/auth-request-fields.c
src/auth/auth-request.c
src/auth/auth-request.h
src/lib-auth-client/auth-client-request.c
src/lib-auth-client/auth-client.h
src/login-common/sasl-server.c

index 22cc1cccd6581fa6ef0150bdbd0a91a925afc069..4e57fa4175b99b54732a6b4488ebe87727673437 100644 (file)
@@ -226,8 +226,6 @@ bool auth_request_import_auth(struct auth_request *request,
                        event_add_str(request->event, "transport", "secured");
                }
        }
-       else if (strcmp(key, "final-resp-ok") == 0)
-               fields->final_resp_ok = TRUE;
        else if (strcmp(key, "no-penalty") == 0)
                fields->no_penalty = TRUE;
        else if (strcmp(key, "valid-client-cert") == 0)
index a40158cfc57412846ec32f62454a7f8973ec96c0..dabb8bd02b7772453158c6eefdea9c9dfe2e50bc 100644 (file)
@@ -271,14 +271,6 @@ void auth_request_success_continue(struct auth_policy_check_ctx *ctx)
                return;
        }
 
-       if (ctx->success_data->used > 0 && !request->fields.final_resp_ok) {
-               /* we'll need one more SASL round, since client doesn't support
-                  the final SASL response */
-               auth_request_handler_reply_continue(request,
-                       ctx->success_data->data, ctx->success_data->used);
-               return;
-       }
-
        auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
        auth_request_refresh_last_access(request);
        auth_request_handler_reply(request, AUTH_CLIENT_RESULT_SUCCESS,
index a394112893ae2e17bfa9f8fdb0771de8c0d0dea3..d19c4296f760c981bf12695cdb0825901c940edc 100644 (file)
@@ -91,7 +91,6 @@ struct auth_request_fields {
        bool skip_password_check:1;
 
        /* flags received from auth client: */
-       bool final_resp_ok:1;
        bool no_penalty:1;
        bool valid_client_cert:1;
        bool cert_username:1;
index 6f6e749b581df9545ae751f0e62ca969c72087d1..de879e73c36d37d08ec063ae962c759e7efab8de 100644 (file)
@@ -25,8 +25,6 @@ static void auth_server_send_new_request(struct auth_client_connection *conn,
        event_add_str(request->event, "mechanism", info->mech);
        event_add_str(request->event, "service", info->service);
 
-       if ((info->flags & AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP) != 0)
-               str_append(str, "\tfinal-resp-ok");
        if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED) != 0) {
                str_append(str, "\tsecured");
                if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED_TLS) != 0) {
index d54448e79cd24ab2b090b26301ea7f40175d7769..79b23bd848bd6b070bfb174f2b745f22ee800888 100644 (file)
@@ -17,8 +17,6 @@ enum auth_request_flags {
        AUTH_REQUEST_FLAG_VALID_CLIENT_CERT     = 0x02,
        /* Skip penalty checks for this request */
        AUTH_REQUEST_FLAG_NO_PENALTY            = 0x04,
-       /* Support final SASL response */
-       AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP    = 0x08,
        /* Enable auth_debug=yes logging for this request */
        AUTH_REQUEST_FLAG_DEBUG                 = 0x10,
        /* Connection from the previous hop is secured by TLS. */
index cb0370884ae9c15009ed366bed5dfa0489e45109..147474fc699c5968329b13d2e4ed02fa19834b74 100644 (file)
@@ -113,8 +113,6 @@ client_get_auth_flags(struct client *client)
                auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED_TLS;
        if (client->connection_secured)
                auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED;
-       if (login_binary->sasl_support_final_reply)
-               auth_flags |= AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP;
        return auth_flags;
 }
 
@@ -345,6 +343,7 @@ authenticate_callback(struct auth_client_request *request,
                      const char *const *args, void *context)
 {
        struct client *client = context;
+       const char *sasl_final_delayed_resp;
        unsigned int i;
 
        if (!client->authenticating) {
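Review bot: `sasl_final_delayed_resp` is hoisted to function scope here but is then reset to NULL separately in the SUCCESS case (the hunk at +366) and the ABORT case (the hunk at +409); initializing it once at the declaration, `const char *sasl_final_delayed_resp = NULL;`, lets both of those assignments go and also protects any case label added later from reading it uninitialized. The body of authenticate_callback continues outside this hunk.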
@@ -367,6 +366,7 @@ authenticate_callback(struct auth_client_request *request,
                client->auth_passdb_args = p_strarray_dup(client->pool, args);
                client->postlogin_socket_path = NULL;
 
+               sasl_final_delayed_resp = NULL;
                for (i = 0; args[i] != NULL; i++) {
                        const char *key, *value;
                        t_split_key_value_eq(args[i], &key, &value);
@@ -385,10 +385,22 @@ authenticate_callback(struct auth_client_request *request,
                                client->auth_anonymous = TRUE;
                        } else if (str_begins(args[i], "event_", &key)) {
                                event_add_str(client->event_auth, key, value);
+                       } else if (strcmp(key, "resp") == 0) {
+                               sasl_final_delayed_resp =
+                                       p_strdup(client->preproxy_pool, value);
                        }
                }
 
-               sasl_server_auth_success_finish(client, args);
+               if (sasl_final_delayed_resp != NULL &&
+                   !login_binary->sasl_support_final_reply) {
+                       client->final_response = TRUE;
+                       client->final_args = p_strarray_dup(client->preproxy_pool, args);
+                       client->delayed_final_reply = SASL_SERVER_REPLY_SUCCESS;
+                       client->sasl_callback(client, SASL_SERVER_REPLY_CONTINUE,
+                                             sasl_final_delayed_resp, NULL);
+               } else {
+                       sasl_server_auth_success_finish(client, args);
+               }
                break;
        case AUTH_REQUEST_STATUS_INTERNAL_FAIL:
                client->auth_process_comm_fail = TRUE;
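Review bot: The deferred-success branch (`if (sasl_final_delayed_resp != NULL && !login_binary->sasl_support_final_reply)`) carries no comment saying why success is withheld, while the comment that explained it was deleted from auth-request.c in this same commit; carry it over, e.g. `/* the binary can't send data with the final SASL reply: deliver it as one more CONTINUE and finish on the client's empty reply (sasl_server_auth_handle_delayed_final) */`. It is not visible here whether `client->auth_request` is cleared before the callback on this path, whereas the ABORT case in the next hunk nulls it first; if the auth client library releases the request once this callback returns, the pointer would stay live until the delayed final is handled, so that is worth confirming or documenting next to `client->final_response = TRUE;`. The `resp` value and `final_args` are duplicated into `client->preproxy_pool` while `auth_passdb_args` a few lines above uses `client->pool`; a one-line comment on why the delayed data must outlive (or not outlive) the pre-proxy pool would save the next reader the lookup. The enclosing switch and function continue outside this hunk.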
@@ -397,7 +409,7 @@ authenticate_callback(struct auth_client_request *request,
        case AUTH_REQUEST_STATUS_ABORT:
                client->auth_request = NULL;
 
-               const char *sasl_final_delayed_resp = NULL;
+               sasl_final_delayed_resp = NULL;
                if (args != NULL) {
                        /* parse our username if it's there */
                        for (i = 0; args[i] != NULL; i++) {
@@ -640,8 +652,16 @@ bool sasl_server_auth_handle_delayed_final(struct client *client)
        if (!client->final_response)
                return FALSE;
        client->final_response = FALSE;
-       client->authenticating = FALSE;
        client->auth_client_continue_pending = FALSE;
+
+       if (client->delayed_final_reply == SASL_SERVER_REPLY_SUCCESS) {
+               const char *const *args = client->final_args;
+
+               sasl_server_auth_success_finish(client, args);
+               return TRUE;
+       }
+
+       client->authenticating = FALSE;
        call_client_callback(client, client->delayed_final_reply,
                             NULL, client->final_args);