From: Steve Mokris
Date: Tue, 17 May 2022 19:19:49 +0000 (-0400)
Subject: auth: db-oauth2 - Fail login if active_attribute is missing
X-Git-Tag: 2.4.0~2668
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70a423b6eb90ab50cdd0b0c9618eae87d9a9433f;p=thirdparty%2Fdovecot%2Fcore.git
auth: db-oauth2 - Fail login if active_attribute is missing
If active_attribute is required by config, we should fail to login when it's missing.
---
diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
index 8a86dcc198..5333e15078 100644
--- a/src/auth/db-oauth2.c
+++ b/src/auth/db-oauth2.c
@@ -609,12 +609,31 @@ db_oauth2_user_is_enabled(struct db_oauth2_request *req,
 *req->db->set.active_value != '\0') {
 const char *active_value = auth_fields_find(req->fields, req->db->set.active_attribute);
- if (active_value != NULL && strcmp(req->db->set.active_value, active_value) != 0) { *error_r = "Provided token is not valid";
+ if (active_value != NULL) { if (strcmp(req->db->set.active_value, active_value) == 0) { e_debug(authdb_event(req->auth_request), "oauth2 active_attribute check succeeded"); } else { e_debug(authdb_event(req->auth_request), "oauth2 active_attribute check failed: expected %s=\"%s\" but got \"%s\"", req->db->set.active_attribute, req->db->set.active_value, active_value); *error_r = "Provided token is not valid"; *result_r = PASSDB_RESULT_PASSWORD_MISMATCH; return FALSE; } } else { e_debug(authdb_event(req->auth_request), "oauth2 active_attribute \"%s\" not found in oauth2 server's response", req->db->set.active_attribute); *error_r = "Missing active_attribute from token"; *result_r = PASSDB_RESULT_PASSWORD_MISMATCH; return FALSE; }
+ } else { e_debug(authdb_event(req->auth_request), "oauth2 active_attribute is not configured; skipping the check"); } return TRUE; }
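Review bot: The new trailing `else` logs `"oauth2 active_attribute is not configured; skipping the check"`, but the condition it negates also requires `*req->db->set.active_value != '\0'` (the hunk's first context line), so a deployment that sets active_attribute and leaves active_value empty skips the enforcement this commit is meant to guarantee while the log claims the attribute is unconfigured. Since the intent is to fail closed whenever the check cannot be performed, that case should at least be named accurately, e.g. `"oauth2 active_attribute or active_value is not configured; skipping the check"`, and is worth rejecting at settings-check time if it is not already. The first half of that condition and the function signature sit above the hunk, so I cannot tell from here whether an empty active_value is already rejected when the settings are parsed. Minor: both failure branches end with the identical `*result_r = PASSDB_RESULT_PASSWORD_MISMATCH; return FALSE;` tail, which could be hoisted below the inner if/else so each branch only sets `*error_r` and emits its debug line.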