Diffstat (limited to '')
-rw-r--r-- | src/auth/auth-request.h | 394 |
1 files changed, 394 insertions, 0 deletions
diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
new file mode 100644
index 0000000..6a458d9
--- /dev/null
+++ b/src/auth/auth-request.h
@@ -0,0 +1,394 @@
+#ifndef AUTH_REQUEST_H
+#define AUTH_REQUEST_H
+
+#ifndef AUTH_REQUEST_FIELDS_CONST
+# define AUTH_REQUEST_FIELDS_CONST const
+#endif
+
+#include "array.h"
+#include "net.h"
+#include "var-expand.h"
+#include "mech.h"
+#include "userdb.h"
+#include "passdb.h"
+#include "auth-request-var-expand.h"
+#include "password-scheme.h"
+
+#define AUTH_REQUEST_USER_KEY_IGNORE " "
+
+struct auth_client_connection;
+
+enum auth_request_state {
+ AUTH_REQUEST_STATE_NEW,
+ AUTH_REQUEST_STATE_PASSDB,
+ AUTH_REQUEST_STATE_MECH_CONTINUE,
+ AUTH_REQUEST_STATE_FINISHED,
+ AUTH_REQUEST_STATE_USERDB,
+
+ AUTH_REQUEST_STATE_MAX
+};
+
+enum auth_request_secured {
+ AUTH_REQUEST_SECURED_NONE,
+ AUTH_REQUEST_SECURED,
+ AUTH_REQUEST_SECURED_TLS,
+};
+
+enum auth_request_cache_result {
+ AUTH_REQUEST_CACHE_NONE,
+ AUTH_REQUEST_CACHE_MISS,
+ AUTH_REQUEST_CACHE_HIT,
+};
+
+/* All auth request fields are exported to auth-worker process. */
+struct auth_request_fields {
+ /* user contains the user who is being authenticated.
+ When master user is logging in as someone else, it gets more
+ complicated. Initially user is set to master's username and the
+ requested_login_user is set to destination username. After masterdb
+ has validated user as a valid master user, master_user is set to
+ user and user is set to requested_login_user. */
+ char *user, *requested_login_user, *master_user;
+ /* original_username contains the username exactly as given by the
+ client. this is needed at least with DIGEST-MD5 for password
+ verification. however with master logins the master username has
+ been dropped from it. */
+ const char *original_username;
+ /* the username after doing all internal translations, but before
+ being changed by a db lookup */
+ const char *translated_username;
+ /* realm for the request, may be specified by some auth mechanisms */
+ const char *realm;
+
+ const char *service, *mech_name, *session_id, *local_name, *client_id;
+ struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+ in_port_t local_port, remote_port, real_local_port, real_remote_port;
+
+ /* extra_fields are returned in authentication reply. Fields prefixed
+ with "userdb_" are automatically placed to userdb_reply instead. */
+ struct auth_fields *extra_fields;
+ /* the whole userdb result reply */
+ struct auth_fields *userdb_reply;
+
+ /* Credentials from the first successful passdb lookup. These are used
+ as the final credentials, unless overridden by later passdb
+ lookups. Note that the requests in auth-worker processes see these
+ only as 1 byte sized \0 strings. */
+ const unsigned char *delayed_credentials;
+ size_t delayed_credentials_size;
+
+ enum auth_request_secured secured;
+
+ /* Authentication was successfully finished, including policy checks
+ and such. There may still be some final delay or final SASL
+ response. */
+ bool successful:1;
+ /* Password was verified successfully by a passdb. The following
+ passdbs shouldn't attempt to verify the password again. Note that
+ this differs from passdb_success, which may be set to FALSE due to
+ the result_* rules. */
+ bool skip_password_check:1;
+
+ /* flags received from auth client: */
+ bool final_resp_ok:1;
+ bool no_penalty:1;
+ bool valid_client_cert:1;
+ bool cert_username:1;
+};
+
+struct auth_request {
+ int refcount;
+
+ pool_t pool;
+
+ struct event *event;
+ struct event *mech_event;
+ ARRAY(struct event *) authdb_event;
+
+ enum auth_request_state state;
+ char *mech_password; /* set if verify_plain() is called */
+ char *passdb_password; /* set after password lookup if successful */
+ struct auth_request_proxy_dns_lookup_ctx *dns_lookup_ctx;
+ /* The final result of passdb lookup (delayed due to asynchronous
+ proxy DNS lookups) */
+ enum passdb_result passdb_result;
+
+ const struct mech_module *mech;
+ const struct auth_settings *set;
+ struct auth_passdb *passdb;
+ struct auth_userdb *userdb;
+
+ struct stats *stats;
+
+ /* passdb lookups have a handler, userdb lookups don't */
+ struct auth_request_handler *handler;
+ struct auth_master_connection *master;
+
+ /* FIXME: Remove this once mech-oauth2 correctly does the processing */
+ const char *openid_config_url;
+
+ unsigned int connect_uid;
+ unsigned int client_pid;
+ unsigned int id;
+ time_t last_access;
+ time_t delay_until;
+ pid_t session_pid;
+
+ /* These are const for most of the code, so they don't try to modify
+ the fields directly. Only auth-request-fields.c and unit tests have
+ the fields writable. This way it's more difficult to make them
+ out-of-sync with events. */
+ AUTH_REQUEST_FIELDS_CONST struct auth_request_fields fields;
+
+ struct timeout *to_abort, *to_penalty;
+ unsigned int policy_penalty;
+ unsigned int last_penalty;
+ size_t initial_response_len;
+ const unsigned char *initial_response;
+
+ union {
+ verify_plain_callback_t *verify_plain;
+ lookup_credentials_callback_t *lookup_credentials;
+ set_credentials_callback_t *set_credentials;
+ userdb_callback_t *userdb;
+ } private_callback;
+ /* Used by passdb's credentials lookup to determine which scheme is
+ wanted by the caller. For example CRAM-MD5 SASL mechanism wants
+ CRAM-MD5 scheme for passwords.
+
+ When doing a PASS lookup (without authenticating), this is set to ""
+ to imply that caller accepts any kind of credentials. After the
+ credentials lookup is finished, this is set to the scheme that was
+ actually received.
+
+ Otherwise, this is kept as NULL. */
+ const char *wanted_credentials_scheme;
+
+ void *context;
+
+ enum auth_request_cache_result passdb_cache_result;
+ enum auth_request_cache_result userdb_cache_result;
+
+ /* this is a lookup on auth socket (not login socket).
+ skip any proxying stuff if enabled. */
+ bool auth_only:1;
+ /* we're doing a userdb lookup now (we may have done passdb lookup
+ earlier) */
+ bool userdb_lookup:1;
+ /* DIGEST-MD5 kludge */
+ bool domain_is_realm:1;
+
+ bool request_auth_token:1;
+
+ /* success/failure states: */
+ bool failed:1; /* overrides any other success */
+ bool internal_failure:1;
+ bool passdbs_seen_user_unknown:1;
+ bool passdbs_seen_internal_failure:1;
+ bool userdbs_seen_internal_failure:1;
+
+ /* current state: */
+ bool handler_pending_reply:1;
+ bool accept_cont_input:1;
+ bool prefer_plain_credentials:1;
+ bool in_delayed_failure_queue:1;
+ bool removed_from_handler:1;
+ bool snapshot_have_userdb_prefetch_set:1;
+ /* username was changed by this passdb/userdb lookup. Used by
+ auth-workers to determine whether to send back a changed username. */
+ bool user_changed_by_lookup:1;
+ /* each passdb lookup can update the current success-status using the
+ result_* rules. the authentication succeeds only if this is TRUE
+ at the end. mechanisms that don't require passdb, but do a passdb
+ lookup anyway (e.g. GSSAPI) need to set this to TRUE by default. */
+ bool passdb_success:1;
+ /* userdb equivalent of passdb_success */
+ bool userdb_success:1;
+ /* the last userdb lookup failed either due to "tempfail" extra field
+ or because one of the returned uid/gid fields couldn't be translated
+ to a number */
+ bool userdb_lookup_tempfailed:1;
+ /* userdb_* fields have been set by the passdb lookup, userdb prefetch
+ will work. */
+ bool userdb_prefetch_set:1;
+ bool stats_sent:1;
+ bool policy_refusal:1;
+ bool policy_processed:1;
+
+ bool event_finished_sent:1;
+
+ /* ... mechanism specific data ... */
+};
+
+typedef void auth_request_proxy_cb_t(bool success, struct auth_request *);
+
+extern unsigned int auth_request_state_count[AUTH_REQUEST_STATE_MAX];
+
+extern const char auth_default_subsystems[2];
+#define AUTH_SUBSYS_DB &auth_default_subsystems[0]
+#define AUTH_SUBSYS_MECH &auth_default_subsystems[1]
+
+struct auth_request *
+auth_request_new(const struct mech_module *mech, struct event *parent_event);
+struct auth_request *auth_request_new_dummy(struct event *parent_event);
+void auth_request_init(struct auth_request *request);
+struct auth *auth_request_get_auth(struct auth_request *request);
+
+void auth_request_set_state(struct auth_request *request,
+ enum auth_request_state state);
+
+void auth_request_ref(struct auth_request *request);
+void auth_request_unref(struct auth_request **request);
+
+void auth_request_success(struct auth_request *request,
+ const void *data, size_t data_size);
+void auth_request_fail(struct auth_request *request);
+void auth_request_internal_failure(struct auth_request *request);
+
+void auth_request_export(struct auth_request *request, string_t *dest);
+bool auth_request_import(struct auth_request *request,
+ const char *key, const char *value);
+bool auth_request_import_info(struct auth_request *request,
+ const char *key, const char *value);
+bool auth_request_import_auth(struct auth_request *request,
+ const char *key, const char *value);
+bool auth_request_import_master(struct auth_request *request,
+ const char *key, const char *value);
+
+void auth_request_initial(struct auth_request *request);
+void auth_request_continue(struct auth_request *request,
+ const unsigned char *data, size_t data_size);
+
+void auth_request_verify_plain(struct auth_request *request,
+ const char *password,
+ verify_plain_callback_t *callback);
+void auth_request_lookup_credentials(struct auth_request *request,
+ const char *scheme,
+ lookup_credentials_callback_t *callback);
+void auth_request_lookup_user(struct auth_request *request,
+ userdb_callback_t *callback);
+
+bool auth_request_set_username(struct auth_request *request,
+ const char *username, const char **error_r);
+/* Change the username without any translations or checks. */
+void auth_request_set_username_forced(struct auth_request *request,
+ const char *username);
+bool auth_request_set_login_username(struct auth_request *request,
+ const char *username,
+ const char **error_r);
+/* Change the login username without any translations or checks. */
+void auth_request_set_login_username_forced(struct auth_request *request,
+ const char *username);
+void auth_request_set_realm(struct auth_request *request, const char *realm);
+/* Request was fully successfully authenticated, including policy checks etc. */
+void auth_request_set_auth_successful(struct auth_request *request);
+/* Password was successfully verified by a passdb. */
+void auth_request_set_password_verified(struct auth_request *request);
+/* Save credentials from a successful passdb lookup. */
+void auth_request_set_delayed_credentials(struct auth_request *request,
+ const unsigned char *credentials,
+ size_t size);
+
+void auth_request_set_field(struct auth_request *request,
+ const char *name, const char *value,
+ const char *default_scheme) ATTR_NULL(4);
+void auth_request_set_null_field(struct auth_request *request, const char *name);
+void auth_request_set_field_keyvalue(struct auth_request *request,
+ const char *field,
+ const char *default_scheme) ATTR_NULL(3);
+void auth_request_set_fields(struct auth_request *request,
+ const char *const *fields,
+ const char *default_scheme) ATTR_NULL(3);
+
+void auth_request_init_userdb_reply(struct auth_request *request,
+ bool add_default_fields);
+void auth_request_set_userdb_field(struct auth_request *request,
+ const char *name, const char *value);
+void auth_request_set_userdb_field_values(struct auth_request *request,
+ const char *name,
+ const char *const *values);
+/* returns -1 = failed, 0 = callback is called later, 1 = finished */
+int auth_request_proxy_finish(struct auth_request *request,
+ auth_request_proxy_cb_t *callback);
+void auth_request_proxy_finish_failure(struct auth_request *request);
+
+void auth_request_log_password_mismatch(struct auth_request *request,
+ const char *subsystem);
+int auth_request_password_verify(struct auth_request *request,
+ const char *plain_password,
+ const char *crypted_password,
+ const char *scheme, const char *subsystem);
+int auth_request_password_verify_log(struct auth_request *request,
+ const char *plain_password,
+ const char *crypted_password,
+ const char *scheme, const char *subsystem,
+ bool log_password_mismatch);
+enum passdb_result auth_request_password_missing(struct auth_request *request);
+
+void auth_request_get_log_prefix(string_t *str, struct auth_request *auth_request,
+ const char *subsystem);
+
+void auth_request_log_debug(struct auth_request *auth_request,
+ const char *subsystem,
+ const char *format, ...) ATTR_FORMAT(3, 4);
+void auth_request_log_info(struct auth_request *auth_request,
+ const char *subsystem,
+ const char *format, ...) ATTR_FORMAT(3, 4);
+void auth_request_log_warning(struct auth_request *auth_request,
+ const char *subsystem,
+ const char *format, ...) ATTR_FORMAT(3, 4);
+void auth_request_log_error(struct auth_request *auth_request,
+ const char *subsystem,
+ const char *format, ...) ATTR_FORMAT(3, 4);
+void auth_request_log_unknown_user(struct auth_request *auth_request,
+ const char *subsystem);
+
+void auth_request_log_login_failure(struct auth_request *request,
+ const char *subsystem,
+ const char *message);
+void
+auth_request_verify_plain_callback_finish(enum passdb_result result,
+ struct auth_request *request);
+void auth_request_verify_plain_callback(enum passdb_result result,
+ struct auth_request *request);
+void auth_request_lookup_credentials_callback(enum passdb_result result,
+ const unsigned char *credentials,
+ size_t size,
+ struct auth_request *request);
+void auth_request_set_credentials(struct auth_request *request,
+ const char *scheme, const char *data,
+ set_credentials_callback_t *callback);
+void auth_request_userdb_callback(enum userdb_result result,
+ struct auth_request *request);
+void auth_request_default_verify_plain_continue(struct auth_request *request,
+ verify_plain_callback_t *callback);
+
+void auth_request_refresh_last_access(struct auth_request *request);
+void auth_str_append(string_t *dest, const char *key, const char *value);
+bool auth_request_username_accepted(const char *const *filter, const char *username);
+struct event_passthrough *
+auth_request_finished_event(struct auth_request *request, struct event *event);
+void auth_request_log_finished(struct auth_request *request);
+void auth_request_master_user_login_finish(struct auth_request *request);
+const char *auth_request_get_log_prefix_db(struct auth_request *auth_request);
+void auth_request_fields_init(struct auth_request *request);
+
+void auth_request_passdb_lookup_begin(struct auth_request *request);
+void auth_request_passdb_lookup_end(struct auth_request *request,
+ enum passdb_result result);
+void auth_request_userdb_lookup_begin(struct auth_request *request);
+void auth_request_userdb_lookup_end(struct auth_request *request,
+ enum userdb_result result);
+
+/* Fetches the current authdb event, this is done because
+ some lookups can recurse into new lookups, requiring new event,
+ which will be returned here. */
+static inline struct event *authdb_event(const struct auth_request *request)
+{
+ if (array_count(&request->authdb_event) == 0)
+ return request->event;
+ struct event **e = array_back_modifiable(&request->authdb_event);
+ return *e;
+}
+
+#endif |
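Review bot: The `int` return of `auth_request_password_verify` and `auth_request_password_verify_log` is undocumented, while the neighbouring `auth_request_proxy_finish` spells out its -1/0/1 meaning; a caller of a password-verification routine has to tell "password mismatch" apart from "could not verify" (unknown scheme, lookup error) without opening the .c file, because treating one like the other is how a verification path ends up failing for the wrong reason. A one-line comment in the same style as the one above `auth_request_proxy_finish`, listing what each return value means, would close that gap; the `bool` results of the four `auth_request_import*` functions deserve the same treatment. Separately, `mech_password` and `passdb_password` in `struct auth_request` hold plaintext secrets, and their comments say when they are set but not their lifetime or who clears them before the pool is released; if the unref path wipes them, the field comment should say so, e.g. `char *mech_password; /* set if verify_plain() is called; plaintext, cleared on unref */`, and if it does not, that is the thing to document as a TODO. The `AUTH_REQUEST_USER_KEY_IGNORE " "` sentinel also has no comment explaining where it is compared and why a single space was chosen.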