dovecot-2.2: auth: Cleaned up flags in auth request. Removed tho...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Jan 30 22:17:28 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/686f32406220
changeset: 15687:686f32406220
user: Timo Sirainen <tss at iki.fi>
date: Wed Jan 30 21:08:58 2013 +0200
description:
auth: Cleaned up flags in auth request. Removed those that already exist in extra_fields.
It's now slightly slower to check for those flags in extra_fields, but it's
going to be easier to make commit/rollback feature to extra_fields.
diffstat:
src/auth/auth-request-handler.c | 23 +++--
src/auth/auth-request.c | 148 ++++++++++++++-------------------------
src/auth/auth-request.h | 54 ++++++++------
src/auth/auth-worker-client.c | 4 +-
src/auth/db-checkpassword.c | 2 +-
src/auth/mech-gssapi.c | 3 -
src/auth/passdb-dict.c | 2 +-
src/auth/passdb-ldap.c | 2 +-
src/auth/passdb-sql.c | 2 +-
9 files changed, 106 insertions(+), 134 deletions(-)
diffs (truncated from 606 to 300 lines):
diff -r 06b41206ed4e -r 686f32406220 src/auth/auth-request-handler.c
--- a/src/auth/auth-request-handler.c Wed Jan 30 20:06:43 2013 +0200
+++ b/src/auth/auth-request-handler.c Wed Jan 30 21:08:58 2013 +0200
@@ -172,7 +172,8 @@
str_append_c(dest, '\t');
auth_fields_append(request->extra_fields, dest, FALSE);
- if (request->proxy && !request->auth_only) {
+ if (!request->auth_only &&
+ auth_fields_exists(request->extra_fields, "proxy")) {
/* we're proxying */
if (!auth_fields_exists(request->extra_fields, "pass") &&
request->mech_password != NULL) {
@@ -195,7 +196,7 @@
{
struct auth_request_handler *handler = request->handler;
- if (request->delayed_failure) {
+ if (request->in_delayed_failure_queue) {
/* we came here from flush_failures() */
handler->callback(reply, handler->context);
return;
@@ -205,7 +206,7 @@
auth_request_ref(request);
auth_request_handler_remove(handler, request);
- if (request->no_failure_delay) {
+ if (auth_fields_exists(request->extra_fields, "nodelay")) {
/* passdb specifically requested not to delay the reply. */
handler->callback(reply, handler->context);
auth_request_unref(&request);
@@ -214,7 +215,7 @@
/* failure. don't announce it immediately to avoid
a) timing attacks, b) flooding */
- request->delayed_failure = TRUE;
+ request->in_delayed_failure_queue = TRUE;
handler->refcount++;
if (auth_penalty != NULL) {
@@ -245,7 +246,9 @@
str_printfa(str, "OK\t%u\tuser=", request->id);
str_append_tabescaped(str, request->user);
auth_str_append_extra_fields(request, str);
- if (request->no_login || handler->master_callback == NULL) {
+ if (handler->master_callback == NULL ||
+ auth_fields_exists(request->extra_fields, "nologin") ||
+ auth_fields_exists(request->extra_fields, "proxy")) {
/* this request doesn't have to wait for master
process to pick it up. delete it */
auth_request_handler_remove(handler, request);
@@ -273,8 +276,10 @@
as the wanted user */
str_append(str, "\tauthz");
}
- if (request->no_failure_delay)
+ if (auth_fields_exists(request->extra_fields, "nodelay")) {
+ /* this is normally a hidden field, need to add it explicitly */
str_append(str, "\tnodelay");
+ }
auth_str_append_extra_fields(request, str);
switch (request->passdb_result) {
@@ -331,7 +336,7 @@
str_printfa(str, "CONT\t%u\t", request->id);
base64_encode(auth_reply, reply_size, str);
- request->accept_input = TRUE;
+ request->accept_cont_input = TRUE;
handler->callback(str_c(str), handler->context);
break;
case AUTH_CLIENT_RESULT_SUCCESS:
@@ -582,12 +587,12 @@
}
/* accept input only once after mechanism has sent a CONT reply */
- if (!request->accept_input) {
+ if (!request->accept_cont_input) {
auth_request_handler_auth_fail(handler, request,
"Unexpected continuation");
return TRUE;
}
- request->accept_input = FALSE;
+ request->accept_cont_input = FALSE;
data_len = strlen(data);
buf = buffer_create_dynamic(pool_datastack_create(),
diff -r 06b41206ed4e -r 686f32406220 src/auth/auth-request.c
--- a/src/auth/auth-request.c Wed Jan 30 20:06:43 2013 +0200
+++ b/src/auth/auth-request.c Wed Jan 30 21:08:58 2013 +0200
@@ -61,6 +61,7 @@
request->set = global_auth_settings;
request->mech = mech;
request->mech_name = mech == NULL ? NULL : mech->mech_name;
+ request->extra_fields = auth_fields_init(request->pool);
return request;
}
@@ -117,7 +118,7 @@
{
i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
- if (request->passdb_failure) {
+ if (request->failed) {
/* password was valid, but some other check failed. */
auth_request_fail(request);
return;
@@ -316,8 +317,6 @@
request->original_username = p_strdup(request->pool, value);
else if (strcmp(key, "requested_login_user") == 0)
request->requested_login_user = p_strdup(request->pool, value);
- else if (strcmp(key, "nologin") == 0)
- request->no_login = TRUE;
else if (strcmp(key, "successful") == 0)
request->successful = TRUE;
else if (strcmp(key, "skip_password_check") == 0) {
@@ -390,7 +389,8 @@
return;
}
- if (!request->no_password && request->passdb_password == NULL) {
+ if (request->passdb_password == NULL &&
+ !auth_fields_exists(request->extra_fields, "nopassword")) {
/* passdb didn't provide the correct password */
if (result != PASSDB_RESULT_OK ||
request->mech_password == NULL)
@@ -437,7 +437,7 @@
{
struct auth_passdb *passdb;
- if (request->passdb_failure)
+ if (request->failed)
return TRUE;
/* master login successful. update user and master_user variables. */
@@ -507,8 +507,6 @@
}
}
} else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
- if (request->extra_fields == NULL)
- request->extra_fields = auth_fields_init(request->pool);
auth_fields_add(request->extra_fields, "reason",
"Password expired", 0);
} else if (request->passdb->next != NULL &&
@@ -517,25 +515,20 @@
request->passdb = request->passdb->next;
request->passdb_password = NULL;
- request->proxy = FALSE;
- request->proxy_maybe = FALSE;
- request->proxy_always = FALSE;
-
if (*result == PASSDB_RESULT_USER_UNKNOWN) {
/* remember that we did at least one successful
passdb lookup */
- request->passdb_user_unknown = TRUE;
+ request->passdbs_seen_user_unknown = TRUE;
} else if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
/* remember that we have had an internal failure. at
the end return internal failure if we couldn't
successfully login. */
- request->passdb_internal_failure = TRUE;
+ request->passdbs_seen_internal_failure = TRUE;
}
- if (request->extra_fields != NULL)
- auth_fields_reset(request->extra_fields);
+ auth_fields_reset(request->extra_fields);
return FALSE;
- } else if (request->passdb_internal_failure) {
+ } else if (request->passdbs_seen_internal_failure) {
/* last passdb lookup returned internal failure. it may have
had the correct password, so return internal failure
instead of plain failure. */
@@ -693,7 +686,7 @@
binary_to_hex(credentials, size));
}
if (result == PASSDB_RESULT_SCHEME_NOT_AVAILABLE &&
- request->passdb_user_unknown) {
+ request->passdbs_seen_user_unknown) {
/* one of the passdbs accepted the scheme,
but the user was unknown there */
result = PASSDB_RESULT_USER_UNKNOWN;
@@ -882,7 +875,7 @@
if (result != USERDB_RESULT_OK && request->userdb->next != NULL) {
/* try next userdb. */
if (result == USERDB_RESULT_INTERNAL_FAILURE)
- request->userdb_internal_failure = TRUE;
+ request->userdbs_seen_internal_failure = TRUE;
request->userdb = request->userdb->next;
auth_request_lookup_user(request,
@@ -892,7 +885,7 @@
if (result == USERDB_RESULT_OK)
userdb_template_export(userdb->override_fields_tmpl, request);
- else if (request->userdb_internal_failure) {
+ else if (request->userdbs_seen_internal_failure) {
/* one of the userdb lookups failed. the user might have been
in there, so this is an internal failure */
result = USERDB_RESULT_INTERNAL_FAILURE;
@@ -1111,7 +1104,7 @@
/* IP not known */
auth_request_log_info(request, "passdb",
"allow_nets check failed: Remote IP not known");
- request->passdb_failure = TRUE;
+ request->failed = TRUE;
return;
}
@@ -1134,7 +1127,7 @@
auth_request_log_info(request, "passdb",
"allow_nets check failed: IP not in allowed networks");
}
- request->passdb_failure = !found;
+ request->failed = !found;
}
static void
@@ -1162,38 +1155,6 @@
}
}
-static void auth_request_set_reply_field(struct auth_request *request,
- const char *name, const char *value)
-{
- if (strcmp(name, "nologin") == 0) {
- /* user can't actually login - don't keep this
- reply for master */
- request->no_login = TRUE;
- value = NULL;
- } else if (strcmp(name, "proxy") == 0) {
- /* we're proxying authentication for this user. send
- password back if using plaintext authentication. */
- request->proxy = TRUE;
- value = NULL;
- } else if (strcmp(name, "proxy_always") == 0) {
- /* when proxy_maybe=yes and proxying wouldn't normally be done,
- with this enabled proxy=y is still returned without host.
- this can be used to make director set the host. */
- request->proxy_always = TRUE;
- value = NULL;
- } else if (strcmp(name, "proxy_maybe") == 0) {
- /* like "proxy", but log in normally if we're proxying to
- ourself */
- request->proxy = TRUE;
- request->proxy_maybe = TRUE;
- value = NULL;
- }
-
- if (request->extra_fields == NULL)
- request->extra_fields = auth_fields_init(request->pool);
- auth_fields_add(request->extra_fields, name, value, 0);
-}
-
static const char *
get_updated_username(const char *old_username,
const char *name, const char *value)
@@ -1270,7 +1231,6 @@
to cache. */
} else if (strcmp(name, "nodelay") == 0) {
/* don't delay replying to client of the failure */
- request->no_failure_delay = TRUE;
} else if (strcmp(name, "nopassword") == 0) {
/* NULL password - anything goes */
const char *password = request->passdb_password;
@@ -1285,7 +1245,6 @@
return;
}
}
- request->no_password = TRUE;
request->passdb_password = NULL;
} else if (strcmp(name, "allow_nets") == 0) {
auth_request_validate_networks(request, value);
@@ -1296,7 +1255,7 @@
auth_request_set_userdb_field(request, name + 7, value);
} else {
/* these fields are returned to client */
- auth_request_set_reply_field(request, name, value);
+ auth_fields_add(request->extra_fields, name, value, 0);
return;
}
@@ -1450,9 +1409,6 @@
{
const char *port = NULL;
- if (!request->proxy_host_is_self)
- return FALSE;
-
/* check if the port is the same */
port = auth_fields_find(request->extra_fields, "port");
if (port != NULL && !str_uint_equals(port, request->local_port))
@@ -1483,27 +1439,32 @@
return FALSE;
}
-static void auth_request_proxy_finish_ip(struct auth_request *request)
+static void
+auth_request_proxy_finish_ip(struct auth_request *request,
More information about the dovecot-cvs
mailing list