dovecot-2.2: auth: If passdb has non-matching allow_nets, don't ...

dovecot at dovecot.org dovecot at dovecot.org
Tue May 5 11:18:21 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/5e445c659f89
changeset: 18521:5e445c659f89
user:      Timo Sirainen <tss at iki.fi>
date:      Tue May 05 14:16:31 2015 +0300
description:
auth: If passdb has non-matching allow_nets, don't fail the other passdb lookups also.
We might want to use e.g.:

passdb {
  driver = static
  args = password=secretmasterpass allow_nets=10.1.2.3
}
passdb {
  ...
}

If allow_nets didn't match in the first passdb, we should just ignore it and
continue to the next passdb.

diffstat:

 src/auth/auth-request.c |  45 ++++++++++++++++++++++++++-------------------
 1 files changed, 26 insertions(+), 19 deletions(-)

diffs (67 lines):

diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
--- a/src/auth/auth-request.c	Tue May 05 13:35:52 2015 +0300
+++ b/src/auth/auth-request.c	Tue May 05 14:16:31 2015 +0300
@@ -552,6 +552,15 @@
 		}
 		return TRUE;
 	}
+	if (request->failed) {
+		/* The passdb didn't fail, but something inside it failed
+		   (e.g. allow_nets mismatch). Make sure we'll fail this
+		   lookup, but reset the failure so the next passdb can
+		   succeed. */
+		if (*result == PASSDB_RESULT_OK)
+			*result = PASSDB_RESULT_USER_UNKNOWN;
+		request->failed = FALSE;
+	}
 
 	/* users that exist but can't log in are special. we don't try to match
 	   any of the success/failure rules to them. they'll always fail. */
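Review bot: The `request->failed = FALSE;` reset is unconditional, so every cause that set the flag during this passdb's lookup is downgraded to a per-passdb miss that a later passdb can override, not only the allow_nets mismatch the comment names. For a deployment that relied on an allow_nets mismatch denying the whole request, this is a behaviour change that the comment should state, e.g. `/* NOTE: a mismatch no longer denies the request as a whole; a later passdb that knows the same user can still authenticate it */`. The code that sets `request->failed` is outside this hunk, so it is worth confirming that none of it is meant to be request-wide rather than per-passdb. The enclosing function starts and ends outside the hunk.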
@@ -618,30 +627,28 @@
 	       auth_request_want_skip_passdb(request, next_passdb))
 		next_passdb = next_passdb->next;
 
+	if (*result == PASSDB_RESULT_OK) {
+		/* this passdb lookup succeeded, preserve its extra fields */
+		auth_fields_snapshot(request->extra_fields);
+		request->snapshot_have_userdb_prefetch_set =
+			request->userdb_prefetch_set;
+		if (request->userdb_reply != NULL)
+			auth_fields_snapshot(request->userdb_reply);
+	} else {
+		/* this passdb lookup failed, remove any extra fields it set */
+		auth_fields_rollback(request->extra_fields);
+		if (request->userdb_reply != NULL) {
+			auth_fields_rollback(request->userdb_reply);
+			request->userdb_prefetch_set =
+				request->snapshot_have_userdb_prefetch_set;
+		}
+	}
+
 	if (passdb_continue && next_passdb != NULL) {
 		/* try next passdb. */
                 request->passdb = next_passdb;
 		request->passdb_password = NULL;
 
-		if (*result == PASSDB_RESULT_OK) {
-			/* this passdb lookup succeeded, preserve its extra
-			   fields */
-			auth_fields_snapshot(request->extra_fields);
-			request->snapshot_have_userdb_prefetch_set =
-				request->userdb_prefetch_set;
-			if (request->userdb_reply != NULL)
-				auth_fields_snapshot(request->userdb_reply);
-		} else {
-			/* this passdb lookup failed, remove any extra fields
-			   it set */
-			auth_fields_rollback(request->extra_fields);
-			if (request->userdb_reply != NULL) {
-				auth_fields_rollback(request->userdb_reply);
-				request->userdb_prefetch_set =
-					request->snapshot_have_userdb_prefetch_set;
-			}
-		}
-
 		if (*result == PASSDB_RESULT_USER_UNKNOWN) {
 			/* remember that we did at least one successful
 			   passdb lookup */
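Review bot: The rollback in the `else` branch undoes only `extra_fields`, `userdb_reply` and `userdb_prefetch_set`, and the last of these only when `userdb_reply != NULL`, while the snapshot side saves the flag unconditionally. This branch now also runs for a passdb that returned OK and was downgraded afterwards by the `request->failed` handling in the first hunk. Anything such a passdb had already applied to the request outside those two field lists would presumably carry over into the next lookup; whether such state exists is not visible here. A comment that names the boundary, e.g. `/* only extra_fields and userdb_reply are undone here; state applied directly to the request is not */`, would make clear what a rejected passdb can still leave behind. The enclosing function starts and ends outside the hunk.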

