dovecot-2.2: auth: Added real_[lr]ip, real_[lr]port variables.

dovecot at dovecot.org dovecot at dovecot.org
Fri Feb 22 13:05:34 EET 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/c43fcfa2c4b4
changeset: 15888:c43fcfa2c4b4
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Feb 22 13:04:45 2013 +0200
description:
auth: Added real_[lr]ip, real_[lr]port variables.
The plain lip/rip/lport/rport values differ from these only when a trusted proxy has overridden them; the real_* variants keep the addresses and ports of the actual connection.

diffstat:

 src/auth/auth-request.c            |  47 ++++++++++++++++++++++++++++++++++---
 src/auth/auth-request.h            |   6 ++--
 src/lib-auth/auth-client-request.c |  20 ++++++++++++++++
 src/lib-auth/auth-client.h         |   4 +-
 src/login-common/client-common.c   |  13 +++++++---
 src/login-common/client-common.h   |   3 +-
 src/login-common/main.c            |   4 +-
 src/login-common/sasl-server.c     |   4 +++
 8 files changed, 85 insertions(+), 16 deletions(-)

diffs (229 lines):

diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/auth/auth-request.c
--- a/src/auth/auth-request.c	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/auth/auth-request.c	Fri Feb 22 13:04:45 2013 +0200
@@ -230,6 +230,18 @@
 		str_printfa(dest, "\tlport=%u", request->local_port);
 	if (request->remote_port != 0)
 		str_printfa(dest, "\trport=%u", request->remote_port);
+	if (request->real_local_ip.family != 0) {
+		auth_str_add_keyvalue(dest, "real_lip",
+				      net_ip2addr(&request->real_local_ip));
+	}
+	if (request->real_remote_ip.family != 0) {
+		auth_str_add_keyvalue(dest, "real_rip",
+				      net_ip2addr(&request->real_remote_ip));
+	}
+	if (request->real_local_port != 0)
+		str_printfa(dest, "\treal_lport=%u", request->real_local_port);
+	if (request->real_remote_port != 0)
+		str_printfa(dest, "\treal_rport=%u", request->real_remote_port);
 	if (request->secured)
 		str_append(dest, "\tsecured");
 	if (request->skip_password_check)
@@ -250,14 +262,31 @@
 	/* authentication and user lookups may set these */
 	if (strcmp(key, "service") == 0)
 		request->service = p_strdup(request->pool, value);
-	else if (strcmp(key, "lip") == 0)
+	else if (strcmp(key, "lip") == 0) {
 		(void)net_addr2ip(value, &request->local_ip);
-	else if (strcmp(key, "rip") == 0)
+		if (request->real_local_ip.family == 0)
+			request->real_local_ip = request->local_ip;
+	} else if (strcmp(key, "rip") == 0) {
 		(void)net_addr2ip(value, &request->remote_ip);
-	else if (strcmp(key, "lport") == 0)
+		if (request->real_remote_ip.family == 0)
+			request->real_remote_ip = request->remote_ip;
+	} else if (strcmp(key, "lport") == 0) {
 		request->local_port = atoi(value);
-	else if (strcmp(key, "rport") == 0)
+		if (request->real_local_port == 0)
+			request->real_local_port = request->local_port;
+	} else if (strcmp(key, "rport") == 0) {
 		request->remote_port = atoi(value);
+		if (request->real_remote_port == 0)
+			request->real_remote_port = request->remote_port;
+	}
+	else if (strcmp(key, "real_lip") == 0)
+		(void)net_addr2ip(value, &request->real_local_ip);
+	else if (strcmp(key, "real_rip") == 0)
+		(void)net_addr2ip(value, &request->real_remote_ip);
+	else if (strcmp(key, "real_lport") == 0)
+		request->real_local_port = atoi(value);
+	else if (strcmp(key, "real_rport") == 0)
+		request->real_remote_port = atoi(value);
 	else if (strcmp(key, "session") == 0)
 		request->session_id = p_strdup(request->pool, value);
 	else
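Review bot: The new `real_lport`/`real_rport` branches parse with `atoi(value)`, which silently maps non-numeric, negative or >65535 input to an arbitrary unsigned value, and the `real_lip`/`real_rip` branches discard the `net_addr2ip()` result, so an unparseable address leaves the field at whatever it held before (possibly the value just copied from `lip`/`rip`). These keys arrive over the auth client socket and now feed the `real_*` var-expand entries, so a bounded parse is worth it here even though the pre-existing lport/rport lines share the pattern: check the return of `net_addr2ip()` and reject or log the key on failure, and replace `atoi` with a checked conversion (strtoul with an endptr test and a `<= 65535` bound, or the tree's unsigned-string helper if one exists). The function this chain belongs to starts before the hunk and its trailing `else` branch continues after it.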
@@ -1812,6 +1841,10 @@
 	{ '\0', NULL, "login_username" },
 	{ '\0', NULL, "login_domain" },
 	{ '\0', NULL, "session" },
+	{ '\0', NULL, "real_lip" },
+	{ '\0', NULL, "real_rip" },
+	{ '\0', NULL, "real_lport" },
+	{ '\0', NULL, "real_rport" },
 	{ '\0', NULL, NULL }
 };
 
@@ -1882,6 +1915,12 @@
 	}
 	tab[18].value = auth_request->session_id == NULL ? NULL :
 		escape_func(auth_request->session_id, auth_request);
+	if (auth_request->real_local_ip.family != 0)
+		tab[19].value = net_ip2addr(&auth_request->real_local_ip);
+	if (auth_request->real_remote_ip.family != 0)
+		tab[20].value = net_ip2addr(&auth_request->real_remote_ip);
+	tab[21].value = dec2str(auth_request->real_local_port);
+	tab[22].value = dec2str(auth_request->real_remote_port);
 	return ret_tab;
 }
 
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/auth/auth-request.h
--- a/src/auth/auth-request.h	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/auth/auth-request.h	Fri Feb 22 13:04:45 2013 +0200
@@ -73,8 +73,8 @@
 	pid_t session_pid;
 
 	const char *service, *mech_name, *session_id;
-	struct ip_addr local_ip, remote_ip;
-	unsigned int local_port, remote_port;
+	struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+	unsigned int local_port, remote_port, real_local_port, real_remote_port;
 
 	struct timeout *to_abort, *to_penalty;
 	unsigned int last_penalty;
@@ -140,7 +140,7 @@
 #define AUTH_REQUEST_VAR_TAB_USER_IDX 0
 #define AUTH_REQUEST_VAR_TAB_USERNAME_IDX 1
 #define AUTH_REQUEST_VAR_TAB_DOMAIN_IDX 2
-#define AUTH_REQUEST_VAR_TAB_COUNT 19
+#define AUTH_REQUEST_VAR_TAB_COUNT 23
 extern const struct var_expand_table auth_request_var_expand_static_tab[];
 
 struct auth_request *
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/lib-auth/auth-client-request.c
--- a/src/lib-auth/auth-client-request.c	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/lib-auth/auth-client-request.c	Fri Feb 22 13:04:45 2013 +0200
@@ -60,6 +60,26 @@
 		str_printfa(str, "\tlport=%u", info->local_port);
 	if (info->remote_port != 0)
 		str_printfa(str, "\trport=%u", info->remote_port);
+
+	/* send the real_* variants only when they differ from the unreal
+	   ones */
+	if (info->real_local_ip.family != 0 &&
+	    !net_ip_compare(&info->real_local_ip, &info->local_ip)) {
+		str_printfa(str, "\treal_lip=%s",
+			    net_ip2addr(&info->real_local_ip));
+	}
+	if (info->real_remote_ip.family != 0 &&
+	    !net_ip_compare(&info->real_remote_ip, &info->remote_ip)) {
+		str_printfa(str, "\treal_rip=%s",
+			    net_ip2addr(&info->real_remote_ip));
+	}
+	if (info->real_local_port != 0 &&
+	    info->real_local_port != info->local_port)
+		str_printfa(str, "\treal_lport=%u", info->real_local_port);
+	if (info->real_remote_port != 0 &&
+	    info->real_remote_port != info->remote_port)
+		str_printfa(str, "\treal_rport=%u", info->real_remote_port);
+
 	if (info->initial_resp_base64 != NULL) {
 		str_append(str, "\tresp=");
 		str_append_tabescaped(str, info->initial_resp_base64);
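Review bot: The "send only when they differ" rule added here is only correct because the receiving side defaults each real_* field to its lip/rip/lport/rport counterpart when the key is absent; that coupling lives in another file and is not stated at the point where the omission is decided. Extend the comment so the next reader does not "fix" this by sending them unconditionally or, worse, stop sending lip/rip: `/* send the real_* variants only when they differ from the unreal ones; the auth process fills a missing real_* from the plain lip/rip/lport/rport value (auth-request.c) */`. Note also that `net_ip_compare()` on a real_* entry whose unreal counterpart is unset (family 0) presumably reports a difference and so sends it, which is the desired outcome but worth confirming. The enclosing function starts before this hunk.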
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/lib-auth/auth-client.h
--- a/src/lib-auth/auth-client.h	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/lib-auth/auth-client.h	Fri Feb 22 13:04:45 2013 +0200
@@ -41,8 +41,8 @@
 	const char *cert_username;
 	enum auth_request_flags flags;
 
-	struct ip_addr local_ip, remote_ip;
-	unsigned int local_port, remote_port;
+	struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+	unsigned int local_port, remote_port, real_local_port, real_remote_port;
 
 	const char *initial_resp_base64;
 };
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/client-common.c
--- a/src/login-common/client-common.c	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/client-common.c	Fri Feb 22 13:04:45 2013 +0200
@@ -123,9 +123,8 @@
 	client->pool = pool;
 	client->set = set;
 	client->ssl_set = ssl_set;
-	client->local_ip = *local_ip;
-	client->ip = *remote_ip;
-	client->real_ip = *remote_ip;
+	client->real_local_ip = client->local_ip = *local_ip;
+	client->real_remote_ip = client->ip = *remote_ip;
 	client->fd = fd;
 	client->tls = ssl;
 	client->trusted = client_is_trusted(client);
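Review bot: `client_create()` now initializes `real_local_ip`/`real_remote_ip` alongside the plain fields, but the matching `real_local_port`/`real_remote_port` members added to the struct are not touched here; per the main.c hunk they are assigned by the caller after the SSL proxy setup, so a reader of this function cannot tell whether they are deliberately deferred or forgotten. Either pass the ports into `client_create()` so all four real_* fields are set in one place, or add a comment at this line: `/* real_{local,remote}_port are filled in by the caller once the connection's ports are known */`. Whether the pool allocation zeroes those fields until then is not visible in this hunk; if it does not, `client_is_trusted()` and anything logging before main.c runs would see garbage ports. The function continues past the hunk.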
@@ -463,7 +462,10 @@
 	{ 'k', NULL, "ssl_security" },
 	{ 'e', NULL, "mail_pid" },
 	{ '\0', NULL, "session" },
+	{ '\0', NULL, "real_lip" },
 	{ '\0', NULL, "real_rip" },
+	{ '\0', NULL, "real_lport" },
+	{ '\0', NULL, "real_rport" },
 	{ '\0', NULL, NULL }
 };
 
@@ -513,7 +515,10 @@
 	tab[13].value = client->mail_pid == 0 ? "" :
 		dec2str(client->mail_pid);
 	tab[14].value = client_get_session_id(client);
-	tab[15].value = net_ip2addr(&client->real_ip);
+	tab[15].value = net_ip2addr(&client->real_local_ip);
+	tab[16].value = net_ip2addr(&client->real_remote_ip);
+	tab[17].value = dec2str(client->real_local_port);
+	tab[18].value = dec2str(client->real_remote_port);
 	return tab;
 }
 
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/client-common.h
--- a/src/login-common/client-common.h	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/client-common.h	Fri Feb 22 13:04:45 2013 +0200
@@ -102,8 +102,9 @@
 
 	struct ip_addr local_ip;
 	struct ip_addr ip;
-	struct ip_addr real_ip;
+	struct ip_addr real_remote_ip, real_local_ip;
 	unsigned int local_port, remote_port;
+	unsigned int real_local_port, real_remote_port;
 	struct ssl_proxy *ssl_proxy;
 	const struct login_settings *set;
 	const struct master_service_ssl_settings *ssl_set;
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/main.c
--- a/src/login-common/main.c	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/main.c	Fri Feb 22 13:04:45 2013 +0200
@@ -143,8 +143,8 @@
 		ssl_proxy_start(proxy);
 	}
 
-	client->remote_port = conn->remote_port;
-	client->local_port = local_port;
+	client->real_remote_port = client->remote_port = conn->remote_port;
+	client->real_local_port = client->local_port = local_port;
 
 	if (auth_client_to != NULL)
 		timeout_remove(&auth_client_to);
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/sasl-server.c
--- a/src/login-common/sasl-server.c	Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/sasl-server.c	Fri Feb 22 13:04:45 2013 +0200
@@ -327,6 +327,10 @@
 	info.remote_ip = client->ip;
 	info.local_port = client->local_port;
 	info.remote_port = client->remote_port;
+	info.real_local_ip = client->real_local_ip;
+	info.real_remote_ip = client->real_remote_ip;
+	info.real_local_port = client->real_local_port;
+	info.real_remote_port = client->real_remote_port;
 	info.initial_resp_base64 = initial_resp_base64;
 
 	client->auth_request =

