From 3de7a07d917955f0fd6d0ca12cf4fbb899332b07 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Mon, 18 Mar 2024 10:04:17 +0200 Subject: [PATCH] auth: Always use grant password with passdb oauth2 --- src/auth/auth-worker-server.c | 2 +- src/auth/db-oauth2.c | 18 +++++++----------- src/auth/db-oauth2.h | 4 +--- src/auth/mech-oauth2.c | 2 +- src/auth/passdb-oauth2.c | 10 ++-------- 5 files changed, 12 insertions(+), 24 deletions(-) diff --git a/src/auth/auth-worker-server.c b/src/auth/auth-worker-server.c index c893dc11fe..36025a306a 100644 --- a/src/auth/auth-worker-server.c +++ b/src/auth/auth-worker-server.c @@ -812,7 +812,7 @@ auth_worker_handler_oauth2_token(struct auth_worker_command *cmd, unsigned int i } if (cmd->server->oauth2 == NULL) { - if (db_oauth2_init(cmd->event, &cmd->server->oauth2, &error) < 0) { + if (db_oauth2_init(cmd->event, FALSE, &cmd->server->oauth2, &error) < 0) { e_error(cmd->event, "%s", error); auth_worker_handle_token_continue(db_req, PASSDB_RESULT_INTERNAL_FAILURE, error, diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c index 3028fe76a6..2874354147 100644 --- a/src/auth/db-oauth2.c +++ b/src/auth/db-oauth2.c @@ -39,7 +39,6 @@ static const struct setting_define auth_oauth2_setting_defines[] = { DEF(STR, openid_configuration_url), DEF(BOOL, force_introspection), DEF(BOOL, send_auth_headers), - DEF(BOOL, use_grant_password), DEF(BOOL, use_worker_with_mech), { .type = SET_FILTER_NAME, .key = "oauth2_local_validation", .required_setting = "dict", }, @@ -63,7 +62,6 @@ static const struct auth_oauth2_settings auth_oauth2_default_settings = { .issuers = ARRAY_INIT, .openid_configuration_url = "", .send_auth_headers = FALSE, - .use_grant_password = FALSE, .use_worker_with_mech = FALSE, }; 
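Review bot: The `DEF(BOOL, use_grant_password)` removal in the `auth_oauth2_setting_defines` hunk drops a user-visible setting without any transition note; a deployment that still has that key in its oauth2 config will presumably be rejected by the settings parser as unknown rather than silently ignored (cannot confirm the parser's behaviour from here). Since the commit message only says the grant is now always used, it should also state that the setting is gone and why (mech OAUTHBEARER/XOAUTH2 never used it, passdb oauth2 now implies it), or keep a deprecated no-op entry for one release so existing configs keep loading. A one-line note next to the remaining `DEF(BOOL, use_worker_with_mech)` would help the next reader: `/* use_grant_password is no longer a setting: passdb oauth2 always uses the password grant, mech oauth2 never does. */`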
@@ -197,7 +195,6 @@ static int db_oauth2_setup(struct db_oauth2 *db, const char **error_r) db->oauth2_set.client_id = db->set->client_id; db->oauth2_set.client_secret = db->set->client_secret; db->oauth2_set.send_auth_headers = db->set->send_auth_headers; - db->oauth2_set.use_grant_password = db->set->use_grant_password; if (!array_is_empty(&db->set->scope)) { db->oauth2_set.scope = p_array_const_string_join(db->pool, &db->set->scope, " "); @@ -268,7 +265,7 @@ static int db_oauth2_setup(struct db_oauth2 *db, const char **error_r) return 0; } -int db_oauth2_init(struct event *event, struct db_oauth2 **db_r, +int db_oauth2_init(struct event *event, bool use_grant_password, struct db_oauth2 **db_r, const char **error_r) { struct db_oauth2 *db; @@ -283,8 +280,11 @@ int db_oauth2_init(struct event *event, struct db_oauth2 **db_r, } for (db = db_oauth2_head; db != NULL; db = db->next) { + /* Ensure we do not match a db with one that is using + grant password, as that does not work with mech oauth2. */ if (settings_equal(&auth_oauth2_setting_parser_info, db->set, - db_set, NULL)) + db_set, NULL) && + use_grant_password == db->oauth2_set.use_grant_password) break; } @@ -306,6 +306,7 @@ int db_oauth2_init(struct event *event, struct db_oauth2 **db_r, db_oauth2_free(&db); return -1; } + db->oauth2_set.use_grant_password = use_grant_password; *db_r = db; return 0; @@ -802,7 +803,7 @@ void db_oauth2_lookup(struct db_oauth2 *db, struct db_oauth2_request *req, input.protocol = req->auth_request->fields.protocol; if (db->oauth2_set.introspection_mode == INTROSPECTION_MODE_LOCAL && - !db_oauth2_uses_password_grant(db)) { + !db->oauth2_set.use_grant_password) { /* try to validate token locally */ e_debug(authdb_event(req->auth_request), "Attempting to locally validate token"); 
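Review bot: In the `@@ -306` hunk `db->oauth2_set.use_grant_password = use_grant_password;` is assigned only after the preceding setup call has succeeded, while the old code set the flag inside `db_oauth2_setup()` (see the removed line in the `@@ -197` hunk); if setup validates anything that depends on the grant mode, such as requiring a grant URL or a local-validation dict, it now runs with the flag still at its zero-initialized FALSE. Moving the assignment to just after the db is allocated and before setup is called keeps the struct consistent for the whole initialization path and costs nothing; I cannot see setup's checks from this hunk, so this is a consistency point unless they do inspect the flag. The loop comment in the `@@ -283` hunk would also read better as `/* A db using the password grant cannot be shared with mech oauth2 (and vice versa), so the grant mode is part of the match key. */`. The body of `db_oauth2_init` continues outside the hunks.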
@@ -836,11 +837,6 @@ void db_oauth2_lookup(struct db_oauth2 *db, struct db_oauth2_request *req, DLLIST_PREPEND(&db->head, req); } -bool db_oauth2_uses_password_grant(const struct db_oauth2 *db) -{ - return db->set->use_grant_password; -} - bool db_oauth2_use_worker(const struct db_oauth2 *db) { return db->set->use_worker_with_mech; diff --git a/src/auth/db-oauth2.h b/src/auth/db-oauth2.h index f5e6079b26..59bb99246e 100644 --- a/src/auth/db-oauth2.h +++ b/src/auth/db-oauth2.h @@ -47,7 +47,6 @@ struct auth_oauth2_settings { bool force_introspection; /* Should we send service and local/remote endpoints as X-Dovecot-Auth headers */ bool send_auth_headers; - bool use_grant_password; bool use_worker_with_mech; }; @@ -81,10 +80,9 @@ struct db_oauth2_request { }; -int db_oauth2_init(struct event *event, struct db_oauth2 **db_r, +int db_oauth2_init(struct event *event, bool use_grant_password, struct db_oauth2 **db_r, const char **error_r); -bool db_oauth2_uses_password_grant(const struct db_oauth2 *db); bool db_oauth2_use_worker(const struct db_oauth2 *db); const char *db_oauth2_get_openid_configuration_url(const struct db_oauth2 *db); diff --git a/src/auth/mech-oauth2.c b/src/auth/mech-oauth2.c index 864c58524f..c5c1f02bb2 100644 --- a/src/auth/mech-oauth2.c +++ b/src/auth/mech-oauth2.c @@ -424,7 +424,7 @@ void mech_oauth2_initialize(void) array_foreach_elem(&global_auth_settings->mechanisms, mech) { if (strcasecmp(mech, mech_xoauth2.mech_name) == 0 || strcasecmp(mech, mech_oauthbearer.mech_name) == 0) { - if (db_oauth2_init(auth_event, &db_oauth2, &error) < 0) + if (db_oauth2_init(auth_event, FALSE, &db_oauth2, &error) < 0) i_fatal("Cannot initialize oauth2: %s", error); } } diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c index e0a3a39c4d..d771600fd4 100644 --- a/src/auth/passdb-oauth2.c +++ b/src/auth/passdb-oauth2.c 
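Review bot: The new `use_grant_password` parameter on `db_oauth2_init()` in the db-oauth2.h hunk is undocumented, and the caller-facing contract (a db initialized with one value is never handed back to a caller asking for the other) is only stated in a comment inside the .c file. Add above the prototype: `/* use_grant_password: TRUE for passdb oauth2 (resource owner password grant), FALSE for the OAUTHBEARER/XOAUTH2 mechanisms. A db already initialized with the other mode is never shared, a new one is created instead. */`. The prototype line also runs past 80 columns, unlike the surrounding declarations; wrap it as `int db_oauth2_init(struct event *event, bool use_grant_password,` / `		   struct db_oauth2 **db_r, const char **error_r);`.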
@@ -50,16 +50,10 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r struct oauth2_passdb_module *module; module = p_new(pool, struct oauth2_passdb_module, 1); - if (db_oauth2_init(event, &module->db, error_r) < 0) + if (db_oauth2_init(event, TRUE, &module->db, error_r) < 0) return -1; module->module.default_pass_scheme = "PLAIN"; - - if (db_oauth2_uses_password_grant(module->db)) { - module->module.default_cache_key = "%u"; - } else { - module->module.default_cache_key = "%u%w"; - } - + module->module.default_cache_key = "%u"; *module_r = &module->module; return 0; } -- 2.47.3
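Review bot: The unconditional `module->module.default_cache_key = "%u";` keys the passdb cache entry on the user alone, which is only safe if the cached result carries a credential the auth cache can check the supplied password against; with the resource-owner password grant the IdP is what verifies the password, so if this passdb does not record a password on success (the `default_pass_scheme = "PLAIN"` line suggests it does, but that is not visible here) a cache hit would accept any password for that user. This mapping existed before for the grant case, so it is not a regression, but now that it is the only path the reliance deserves a comment, e.g. `/* Password grant: the IdP verifies the password, the cache entry is keyed by user only and must carry the password for the auth cache to re-verify. */`. Please confirm that assumption against the lookup callback, which is outside this hunk.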