diff options
Diffstat (limited to 'src/lib-auth')
| -rw-r--r-- | src/lib-auth/Makefile.am | 46 | ||||
| -rw-r--r-- | src/lib-auth/Makefile.in | 877 | ||||
| -rw-r--r-- | src/lib-auth/auth-client-connection.c | 552 | ||||
| -rw-r--r-- | src/lib-auth/auth-client-interface.h | 43 | ||||
| -rw-r--r-- | src/lib-auth/auth-client-private.h | 88 | ||||
| -rw-r--r-- | src/lib-auth/auth-client-request.c | 366 | ||||
| -rw-r--r-- | src/lib-auth/auth-client.c | 112 | ||||
| -rw-r--r-- | src/lib-auth/auth-client.h | 124 | ||||
| -rw-r--r-- | src/lib-auth/auth-master.c | 1030 | ||||
| -rw-r--r-- | src/lib-auth/auth-master.h | 76 | ||||
| -rw-r--r-- | src/lib-auth/test-auth-master.c | 74 |
11 files changed, 3388 insertions, 0 deletions
diff --git a/src/lib-auth/Makefile.am b/src/lib-auth/Makefile.am new file mode 100644 index 0000000..4aff5f8 --- /dev/null +++ b/src/lib-auth/Makefile.am @@ -0,0 +1,46 @@ +noinst_LTLIBRARIES = libauth.la + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib \ + -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-test + +libauth_la_SOURCES = \ + auth-client.c \ + auth-client-request.c \ + auth-client-connection.c \ + auth-master.c + +headers = \ + auth-client.h \ + auth-client-interface.h \ + auth-client-private.h \ + auth-master.h + +pkginc_libdir=$(pkgincludedir) +pkginc_lib_HEADERS = $(headers) + +test_programs = \ + test-auth-master + +noinst_PROGRAMS = $(test_programs) + +test_libs = \ + $(noinst_LTLIBRARIES) \ + ../lib-test/libtest.la \ + ../lib/liblib.la \ + $(MODULE_LIBS) + +test_deps = \ + $(noinst_LTLIBRARIES) \ + ../lib-test/libtest.la \ + ../lib/liblib.la + +test_auth_master_SOURCES = test-auth-master.c +test_auth_master_LDADD = $(test_libs) +test_auth_master_DEPENDENCIES = $(test_deps) + +check-local: + for bin in $(test_programs); do \ + if ! $(RUN_TEST) ./$$bin; then exit 1; fi; \ + done diff --git a/src/lib-auth/Makefile.in b/src/lib-auth/Makefile.in new file mode 100644 index 0000000..6803fa9 --- /dev/null +++ b/src/lib-auth/Makefile.in @@ -0,0 +1,877 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +noinst_PROGRAMS = $(am__EXEEXT_1) +subdir = src/lib-auth +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ac_checktype2.m4 \ + $(top_srcdir)/m4/ac_typeof.m4 $(top_srcdir)/m4/arc4random.m4 \ + $(top_srcdir)/m4/blockdev.m4 $(top_srcdir)/m4/c99_vsnprintf.m4 \ + $(top_srcdir)/m4/clock_gettime.m4 $(top_srcdir)/m4/crypt.m4 \ + $(top_srcdir)/m4/crypt_xpg6.m4 $(top_srcdir)/m4/dbqlk.m4 \ + $(top_srcdir)/m4/dirent_dtype.m4 $(top_srcdir)/m4/dovecot.m4 \ + $(top_srcdir)/m4/fd_passing.m4 $(top_srcdir)/m4/fdatasync.m4 \ + $(top_srcdir)/m4/flexible_array_member.m4 \ + $(top_srcdir)/m4/glibc.m4 $(top_srcdir)/m4/gmtime_max.m4 \ + $(top_srcdir)/m4/gmtime_tm_gmtoff.m4 \ + $(top_srcdir)/m4/ioloop.m4 $(top_srcdir)/m4/iovec.m4 \ + $(top_srcdir)/m4/ipv6.m4 $(top_srcdir)/m4/libcap.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/libwrap.m4 \ + $(top_srcdir)/m4/linux_mremap.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/mmap_write.m4 \ + $(top_srcdir)/m4/mntctl.m4 $(top_srcdir)/m4/modules.m4 \ + $(top_srcdir)/m4/notify.m4 $(top_srcdir)/m4/nsl.m4 \ + $(top_srcdir)/m4/off_t_max.m4 $(top_srcdir)/m4/pkg.m4 \ + $(top_srcdir)/m4/pr_set_dumpable.m4 \ + $(top_srcdir)/m4/q_quotactl.m4 $(top_srcdir)/m4/quota.m4 \ + $(top_srcdir)/m4/random.m4 $(top_srcdir)/m4/rlimit.m4 \ + $(top_srcdir)/m4/sendfile.m4 $(top_srcdir)/m4/size_t_signed.m4 \ + $(top_srcdir)/m4/sockpeercred.m4 $(top_srcdir)/m4/sql.m4 \ + $(top_srcdir)/m4/ssl.m4 $(top_srcdir)/m4/st_tim.m4 \ + $(top_srcdir)/m4/static_array.m4 $(top_srcdir)/m4/test_with.m4 \ + $(top_srcdir)/m4/time_t.m4 $(top_srcdir)/m4/typeof.m4 \ + $(top_srcdir)/m4/typeof_dev_t.m4 \ + $(top_srcdir)/m4/uoff_t_max.m4 $(top_srcdir)/m4/vararg.m4 \ + $(top_srcdir)/m4/want_apparmor.m4 \ + $(top_srcdir)/m4/want_bsdauth.m4 \ + $(top_srcdir)/m4/want_bzlib.m4 \ + $(top_srcdir)/m4/want_cassandra.m4 \ + $(top_srcdir)/m4/want_cdb.m4 \ + $(top_srcdir)/m4/want_checkpassword.m4 \ + $(top_srcdir)/m4/want_clucene.m4 $(top_srcdir)/m4/want_db.m4 \ + $(top_srcdir)/m4/want_gssapi.m4 $(top_srcdir)/m4/want_icu.m4 \ + $(top_srcdir)/m4/want_ldap.m4 $(top_srcdir)/m4/want_lua.m4 \ + $(top_srcdir)/m4/want_lz4.m4 $(top_srcdir)/m4/want_lzma.m4 \ + $(top_srcdir)/m4/want_mysql.m4 $(top_srcdir)/m4/want_pam.m4 \ + $(top_srcdir)/m4/want_passwd.m4 $(top_srcdir)/m4/want_pgsql.m4 \ + $(top_srcdir)/m4/want_prefetch.m4 \ + $(top_srcdir)/m4/want_shadow.m4 \ + $(top_srcdir)/m4/want_sodium.m4 $(top_srcdir)/m4/want_solr.m4 \ + $(top_srcdir)/m4/want_sqlite.m4 \ + $(top_srcdir)/m4/want_stemmer.m4 \ + $(top_srcdir)/m4/want_systemd.m4 \ + $(top_srcdir)/m4/want_textcat.m4 \ + $(top_srcdir)/m4/want_unwind.m4 $(top_srcdir)/m4/want_zlib.m4 \ + $(top_srcdir)/m4/want_zstd.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(pkginc_lib_HEADERS) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = test-auth-master$(EXEEXT) +PROGRAMS = $(noinst_PROGRAMS) +LTLIBRARIES = $(noinst_LTLIBRARIES) +libauth_la_LIBADD = +am_libauth_la_OBJECTS = auth-client.lo auth-client-request.lo \ + auth-client-connection.lo auth-master.lo +libauth_la_OBJECTS = $(am_libauth_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +am_test_auth_master_OBJECTS = test-auth-master.$(OBJEXT) +test_auth_master_OBJECTS = $(am_test_auth_master_OBJECTS) +am__DEPENDENCIES_1 = +am__DEPENDENCIES_2 = $(noinst_LTLIBRARIES) ../lib-test/libtest.la \ + ../lib/liblib.la $(am__DEPENDENCIES_1) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/auth-client-connection.Plo \ + ./$(DEPDIR)/auth-client-request.Plo \ + ./$(DEPDIR)/auth-client.Plo ./$(DEPDIR)/auth-master.Plo \ + ./$(DEPDIR)/test-auth-master.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libauth_la_SOURCES) $(test_auth_master_SOURCES) +DIST_SOURCES = $(libauth_la_SOURCES) $(test_auth_master_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(pkginc_libdir)" +HEADERS = $(pkginc_lib_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ACLOCAL_AMFLAGS = @ACLOCAL_AMFLAGS@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +APPARMOR_LIBS = @APPARMOR_LIBS@ +AR = @AR@ +AUTH_CFLAGS = @AUTH_CFLAGS@ +AUTH_LIBS = @AUTH_LIBS@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BINARY_CFLAGS = @BINARY_CFLAGS@ +BINARY_LDFLAGS = @BINARY_LDFLAGS@ +BISON = @BISON@ +CASSANDRA_CFLAGS = @CASSANDRA_CFLAGS@ +CASSANDRA_LIBS = @CASSANDRA_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CDB_LIBS = @CDB_LIBS@ +CFLAGS = @CFLAGS@ +CLUCENE_CFLAGS = @CLUCENE_CFLAGS@ +CLUCENE_LIBS = @CLUCENE_LIBS@ +COMPRESS_LIBS = @COMPRESS_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DICT_LIBS = @DICT_LIBS@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FLEX = @FLEX@ +FUZZER_CPPFLAGS = @FUZZER_CPPFLAGS@ +FUZZER_LDFLAGS = @FUZZER_LDFLAGS@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +KRB5CONFIG = @KRB5CONFIG@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDAP_LIBS = @LDAP_LIBS@ +LDFLAGS = @LDFLAGS@ +LD_NO_WHOLE_ARCHIVE = @LD_NO_WHOLE_ARCHIVE@ +LD_WHOLE_ARCHIVE = @LD_WHOLE_ARCHIVE@ +LIBCAP = @LIBCAP@ +LIBDOVECOT = @LIBDOVECOT@ +LIBDOVECOT_COMPRESS = @LIBDOVECOT_COMPRESS@ +LIBDOVECOT_DEPS = @LIBDOVECOT_DEPS@ +LIBDOVECOT_DSYNC = @LIBDOVECOT_DSYNC@ +LIBDOVECOT_LA_LIBS = @LIBDOVECOT_LA_LIBS@ +LIBDOVECOT_LDA = @LIBDOVECOT_LDA@ +LIBDOVECOT_LDAP = @LIBDOVECOT_LDAP@ +LIBDOVECOT_LIBFTS = @LIBDOVECOT_LIBFTS@ +LIBDOVECOT_LIBFTS_DEPS = @LIBDOVECOT_LIBFTS_DEPS@ +LIBDOVECOT_LOGIN = @LIBDOVECOT_LOGIN@ +LIBDOVECOT_LUA = @LIBDOVECOT_LUA@ +LIBDOVECOT_LUA_DEPS = @LIBDOVECOT_LUA_DEPS@ +LIBDOVECOT_SQL = @LIBDOVECOT_SQL@ +LIBDOVECOT_STORAGE = @LIBDOVECOT_STORAGE@ +LIBDOVECOT_STORAGE_DEPS = @LIBDOVECOT_STORAGE_DEPS@ +LIBEXTTEXTCAT_CFLAGS = @LIBEXTTEXTCAT_CFLAGS@ +LIBEXTTEXTCAT_LIBS = @LIBEXTTEXTCAT_LIBS@ +LIBICONV = @LIBICONV@ +LIBICU_CFLAGS = @LIBICU_CFLAGS@ +LIBICU_LIBS = @LIBICU_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBSODIUM_CFLAGS = @LIBSODIUM_CFLAGS@ +LIBSODIUM_LIBS = @LIBSODIUM_LIBS@ +LIBTIRPC_CFLAGS = @LIBTIRPC_CFLAGS@ +LIBTIRPC_LIBS = @LIBTIRPC_LIBS@ +LIBTOOL = @LIBTOOL@ +LIBUNWIND_CFLAGS = @LIBUNWIND_CFLAGS@ +LIBUNWIND_LIBS = @LIBUNWIND_LIBS@ +LIBWRAP_LIBS = @LIBWRAP_LIBS@ +LINKED_STORAGE_LDADD = @LINKED_STORAGE_LDADD@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +LUA_CFLAGS = @LUA_CFLAGS@ +LUA_LIBS = @LUA_LIBS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MODULE_LIBS = @MODULE_LIBS@ +MODULE_SUFFIX = @MODULE_SUFFIX@ +MYSQL_CFLAGS = @MYSQL_CFLAGS@ +MYSQL_CONFIG = @MYSQL_CONFIG@ +MYSQL_LIBS = @MYSQL_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NOPLUGIN_LDFLAGS = @NOPLUGIN_LDFLAGS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PANDOC = @PANDOC@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PGSQL_CFLAGS = @PGSQL_CFLAGS@ +PGSQL_LIBS = @PGSQL_LIBS@ +PG_CONFIG = @PG_CONFIG@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +QUOTA_LIBS = @QUOTA_LIBS@ +RANLIB = @RANLIB@ +RELRO_LDFLAGS = @RELRO_LDFLAGS@ +RPCGEN = @RPCGEN@ +RUN_TEST = @RUN_TEST@ +SED = @SED@ +SETTING_FILES = @SETTING_FILES@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SQLITE_CFLAGS = @SQLITE_CFLAGS@ +SQLITE_LIBS = @SQLITE_LIBS@ +SQL_CFLAGS = @SQL_CFLAGS@ +SQL_LIBS = @SQL_LIBS@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ +VALGRIND = @VALGRIND@ +VERSION = @VERSION@ +ZSTD_CFLAGS = @ZSTD_CFLAGS@ +ZSTD_LIBS = @ZSTD_LIBS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dict_drivers = @dict_drivers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +moduledir = @moduledir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +rundir = @rundir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sql_drivers = @sql_drivers@ +srcdir = @srcdir@ +ssldir = @ssldir@ +statedir = @statedir@ +sysconfdir = @sysconfdir@ +systemdservicetype = @systemdservicetype@ +systemdsystemunitdir = @systemdsystemunitdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +noinst_LTLIBRARIES = libauth.la +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib \ + -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-test + +libauth_la_SOURCES = \ + auth-client.c \ + auth-client-request.c \ + auth-client-connection.c \ + auth-master.c + +headers = \ + auth-client.h \ + auth-client-interface.h \ + auth-client-private.h \ + auth-master.h + +pkginc_libdir = $(pkgincludedir) +pkginc_lib_HEADERS = $(headers) +test_programs = \ + test-auth-master + +test_libs = \ + $(noinst_LTLIBRARIES) \ + ../lib-test/libtest.la \ + ../lib/liblib.la \ + $(MODULE_LIBS) + +test_deps = \ + $(noinst_LTLIBRARIES) \ + ../lib-test/libtest.la \ + ../lib/liblib.la + +test_auth_master_SOURCES = test-auth-master.c +test_auth_master_LDADD = $(test_libs) +test_auth_master_DEPENDENCIES = $(test_deps) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/lib-auth/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/lib-auth/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libauth.la: $(libauth_la_OBJECTS) $(libauth_la_DEPENDENCIES) $(EXTRA_libauth_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) $(libauth_la_OBJECTS) $(libauth_la_LIBADD) $(LIBS) + +test-auth-master$(EXEEXT): $(test_auth_master_OBJECTS) $(test_auth_master_DEPENDENCIES) $(EXTRA_test_auth_master_DEPENDENCIES) + @rm -f test-auth-master$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_auth_master_OBJECTS) $(test_auth_master_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client-connection.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client-request.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-master.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-auth-master.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-pkginc_libHEADERS: $(pkginc_lib_HEADERS) + @$(NORMAL_INSTALL) + @list='$(pkginc_lib_HEADERS)'; test -n "$(pkginc_libdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkginc_libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkginc_libdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(pkginc_libdir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(pkginc_libdir)" || exit $$?; \ + done + +uninstall-pkginc_libHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(pkginc_lib_HEADERS)'; test -n "$(pkginc_libdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pkginc_libdir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-local +check: check-am +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(pkginc_libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-noinstPROGRAMS mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/auth-client-connection.Plo + -rm -f ./$(DEPDIR)/auth-client-request.Plo + -rm -f ./$(DEPDIR)/auth-client.Plo + -rm -f ./$(DEPDIR)/auth-master.Plo + -rm -f ./$(DEPDIR)/test-auth-master.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pkginc_libHEADERS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/auth-client-connection.Plo + -rm -f ./$(DEPDIR)/auth-client-request.Plo + -rm -f ./$(DEPDIR)/auth-client.Plo + -rm -f ./$(DEPDIR)/auth-master.Plo + -rm -f ./$(DEPDIR)/test-auth-master.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pkginc_libHEADERS + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am \ + check-local clean clean-generic clean-libtool \ + clean-noinstLTLIBRARIES clean-noinstPROGRAMS cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pkginc_libHEADERS install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-pkginc_libHEADERS + +.PRECIOUS: Makefile + + +check-local: + for bin in $(test_programs); do \ + if ! $(RUN_TEST) ./$$bin; then exit 1; fi; \ + done + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/lib-auth/auth-client-connection.c b/src/lib-auth/auth-client-connection.c new file mode 100644 index 0000000..3a1e82c --- /dev/null +++ b/src/lib-auth/auth-client-connection.c @@ -0,0 +1,552 @@ +/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "array.h" +#include "hash.h" +#include "hostpid.h" +#include "ioloop.h" +#include "istream.h" +#include "ostream.h" +#include "net.h" +#include "strescape.h" +#include "eacces-error.h" +#include "auth-client-private.h" + +#include <unistd.h> + +#define AUTH_SERVER_CONN_MAX_LINE_LENGTH AUTH_CLIENT_MAX_LINE_LENGTH +#define AUTH_SERVER_RECONNECT_TIMEOUT_SECS 5 + +static void auth_client_connection_connected(struct connection *_conn, + bool success); +static int +auth_client_connection_input_line(struct connection *_conn, + const char *line); +static int +auth_client_connection_handshake_line(struct connection *_conn, + const char *line); +static void auth_client_connection_handshake_ready(struct connection *_conn); +static void auth_client_connection_destroy(struct connection *_conn); +static void +auth_client_connection_reconnect(struct auth_client_connection *conn, + const char *disconnect_reason); + +static const struct connection_vfuncs auth_client_connection_vfuncs = { + .destroy = auth_client_connection_destroy, + .handshake_line = auth_client_connection_handshake_line, + .handshake_ready = auth_client_connection_handshake_ready, + .input_line = auth_client_connection_input_line, + .client_connected = auth_client_connection_connected, +}; + +static const struct connection_settings auth_client_connection_set = { + .dont_send_version = TRUE, + .service_name_in = "auth-client", + .service_name_out = "auth-client", + .major_version = AUTH_CLIENT_PROTOCOL_MAJOR_VERSION, + .minor_version = AUTH_CLIENT_PROTOCOL_MINOR_VERSION, + .unix_client_connect_msecs = 1000, + .input_max_size = AUTH_SERVER_CONN_MAX_LINE_LENGTH, + .output_max_size = SIZE_MAX, + .client = TRUE, +}; + +struct connection_list * +auth_client_connection_list_init(void) +{ + return connection_list_init(&auth_client_connection_set, + &auth_client_connection_vfuncs); +} + +static int +auth_server_input_mech(struct auth_client_connection *conn, + const char *const *args) +{ + struct auth_mech_desc mech_desc; + + if (args[0] == NULL) { + e_error(conn->conn.event, + "BUG: Authentication server sent broken MECH line"); + return -1; + } + + i_zero(&mech_desc); + mech_desc.name = p_strdup(conn->pool, args[0]); + + if (strcmp(mech_desc.name, "PLAIN") == 0) + conn->has_plain_mech = TRUE; + + for (args++; *args != NULL; args++) { + if (strcmp(*args, "private") == 0) + mech_desc.flags |= MECH_SEC_PRIVATE; + else if (strcmp(*args, "anonymous") == 0) + mech_desc.flags |= MECH_SEC_ANONYMOUS; + else if (strcmp(*args, "plaintext") == 0) + mech_desc.flags |= MECH_SEC_PLAINTEXT; + else if (strcmp(*args, "dictionary") == 0) + mech_desc.flags |= MECH_SEC_DICTIONARY; + else if (strcmp(*args, "active") == 0) + mech_desc.flags |= MECH_SEC_ACTIVE; + else if (strcmp(*args, "forward-secrecy") == 0) + mech_desc.flags |= MECH_SEC_FORWARD_SECRECY; + else if (strcmp(*args, "mutual-auth") == 0) + mech_desc.flags |= MECH_SEC_MUTUAL_AUTH; + } + array_push_back(&conn->available_auth_mechs, &mech_desc); + return 0; +} + +static int +auth_server_input_spid(struct auth_client_connection *conn, + const char *const *args) +{ + if (str_to_uint(args[0], &conn->server_pid) < 0) { + e_error(conn->conn.event, + "BUG: Authentication server sent invalid PID"); + return -1; + } + return 0; +} + +static int +auth_server_input_cuid(struct auth_client_connection *conn, + const char *const *args) +{ + if (args[0] == NULL || + str_to_uint(args[0], &conn->connect_uid) < 0) { + e_error(conn->conn.event, + "BUG: Authentication server sent broken CUID line"); + return -1; + } + return 0; +} + +static int +auth_server_input_cookie(struct auth_client_connection *conn, + const char *const *args) +{ + if (conn->cookie != NULL) { + e_error(conn->conn.event, + "BUG: Authentication server already sent cookie"); + return -1; + } + conn->cookie = p_strdup(conn->pool, args[0]); + return 0; +} + +static int auth_server_input_done(struct auth_client_connection *conn) +{ + if (array_count(&conn->available_auth_mechs) == 0) { + e_error(conn->conn.event, + "BUG: Authentication server returned no mechanisms"); + return -1; + } + if (conn->cookie == NULL) { + e_error(conn->conn.event, + "BUG: Authentication server didn't send a cookie"); + return -1; + } + return 1; +} + +static int +auth_client_connection_handshake_line(struct connection *_conn, + const char *line) +{ + struct auth_client_connection *conn = + container_of(_conn, struct auth_client_connection, conn); + unsigned int major_version, minor_version; + const char *const *args; + + args = t_strsplit_tabescaped(line); + if (strcmp(args[0], "VERSION") == 0 && + args[1] != NULL && args[2] != NULL) { + if (str_to_uint(args[1], &major_version) < 0 || + str_to_uint(args[2], &minor_version) < 0) { + e_error(conn->conn.event, + "Auth server sent invalid version line: %s", + line); + return -1; + } + + if (connection_verify_version(_conn, "auth-client", + major_version, + minor_version) < 0) { + return -1; + } + + return 0; + } else if (strcmp(args[0], "MECH") == 0) { + return auth_server_input_mech(conn, args + 1); + } else if (strcmp(args[0], "SPID") == 0) { + return auth_server_input_spid(conn, args + 1); + } else if (strcmp(args[0], "CUID") == 0) { + return auth_server_input_cuid(conn, args + 1); + } else if (strcmp(args[0], "COOKIE") == 0) { + return auth_server_input_cookie(conn, args + 1); + } else if (strcmp(args[0], "DONE") == 0) { + return auth_server_input_done(conn); + } + + e_error(conn->conn.event, "Auth server sent unknown handshake: %s", line); + return -1; +} + +static void auth_client_connection_handshake_ready(struct connection *_conn) +{ + struct auth_client_connection *conn = + container_of(_conn, struct auth_client_connection, conn); + + timeout_remove(&conn->to); + if (conn->client->connect_notify_callback != NULL) { + conn->client->connect_notify_callback(conn->client, TRUE, + conn->client->connect_notify_context); + } +} + +static int +auth_server_lookup_request(struct auth_client_connection *conn, + const char *id_arg, bool remove, + struct auth_client_request **request_r) +{ + struct auth_client_request *request; + unsigned int id; + + if (id_arg == NULL || str_to_uint(id_arg, &id) < 0) { + e_error(conn->conn.event, + "BUG: Authentication server input missing ID"); + return -1; + } + + request = hash_table_lookup(conn->requests, POINTER_CAST(id)); + if (request == NULL) { + e_error(conn->conn.event, + "Authentication server sent unknown id %u", id); + return 0; + } + if (remove || auth_client_request_is_aborted(request)) + hash_table_remove(conn->requests, POINTER_CAST(id)); + + *request_r = request; + return 1; +} + +static int +auth_server_input_ok(struct auth_client_connection *conn, + const char *const *args) +{ + struct auth_client_request *request; + int ret; + + if ((ret = auth_server_lookup_request(conn, args[0], TRUE, &request)) <= 0) + return ret; + auth_client_request_server_input(request, AUTH_REQUEST_STATUS_OK, + args + 1); + return 0; +} + +static int auth_server_input_cont(struct auth_client_connection *conn, + const char *const *args) +{ + struct auth_client_request *request; + int ret; + + if (str_array_length(args) < 2) { + e_error(conn->conn.event, + "BUG: Authentication server sent broken CONT line"); + return -1; + } + + if ((ret = auth_server_lookup_request(conn, args[0], FALSE, &request)) <= 0) + return ret; + auth_client_request_server_input(request, AUTH_REQUEST_STATUS_CONTINUE, + args + 1); + return 0; +} + +static int auth_server_input_fail(struct auth_client_connection *conn, + const char *const *args) +{ + struct auth_client_request *request; + int ret; + + if ((ret = auth_server_lookup_request(conn, args[0], TRUE, &request)) <= 0) + return ret; + auth_client_request_server_input(request, AUTH_REQUEST_STATUS_FAIL, + args + 1); + return 0; +} + +static int +auth_client_connection_handle_line(struct auth_client_connection *conn, + const char *line) +{ + const char *const *args; + + e_debug(conn->conn.event, "auth input: %s", line); + + args = t_strsplit_tabescaped(line); + if (args[0] == NULL) { + e_error(conn->conn.event, "Auth server sent empty line"); + return -1; + } + if (strcmp(args[0], "OK") == 0) + return auth_server_input_ok(conn, args + 1); + else if (strcmp(args[0], "CONT") == 0) + return auth_server_input_cont(conn, args + 1); + else if (strcmp(args[0], "FAIL") == 0) + return auth_server_input_fail(conn, args + 1); + else { + e_error(conn->conn.event, + "Auth server sent unknown response: %s", args[0]); + return -1; + } +} + +static int +auth_client_connection_input_line(struct connection *_conn, + const char *line) +{ + struct auth_client_connection *conn = + container_of(_conn, struct auth_client_connection, conn); + int ret; + + ret = auth_client_connection_handle_line(conn, line); + if (ret < 0) { + auth_client_connection_disconnect(conn, t_strdup_printf( + "Received broken input: %s", line)); + return -1; + } + return 1; +} + +struct auth_client_connection * +auth_client_connection_init(struct auth_client *client) +{ + struct auth_client_connection *conn; + pool_t pool; + + pool = pool_alloconly_create("auth server connection", 1024); + conn = p_new(pool, struct auth_client_connection, 1); + conn->pool = pool; + + conn->client = client; + + conn->conn.event_parent = client->event; + connection_init_client_unix(client->clist, &conn->conn, + client->auth_socket_path); + + hash_table_create_direct(&conn->requests, pool, 100); + i_array_init(&conn->available_auth_mechs, 8); + return conn; +} + +static void +auth_client_connection_remove_requests(struct auth_client_connection *conn, + const char *disconnect_reason) +{ + static const char *const temp_failure_args[] = { "temp", NULL }; + struct hash_iterate_context *iter; + void *key; + struct auth_client_request *request; + time_t created, oldest = 0; + unsigned int request_count = 0; + + if (hash_table_count(conn->requests) == 0) + return; + + iter = hash_table_iterate_init(conn->requests); + while (hash_table_iterate(iter, conn->requests, &key, &request)) { + if (!auth_client_request_is_aborted(request)) { + request_count++; + created = auth_client_request_get_create_time(request); + if (oldest > created || oldest == 0) + oldest = created; + } + + auth_client_request_server_input(request, + AUTH_REQUEST_STATUS_INTERNAL_FAIL, + temp_failure_args); + } + hash_table_iterate_deinit(&iter); + hash_table_clear(conn->requests, FALSE); + + if (request_count > 0) { + e_warning(conn->conn.event, + "Auth connection closed with %u pending requests " + "(max %u secs, pid=%s, %s)", request_count, + (unsigned int)(ioloop_time - oldest), + my_pid, disconnect_reason); + } +} + +void auth_client_connection_disconnect(struct auth_client_connection *conn, + const char *reason) ATTR_NULL(2) +{ + if (reason == NULL) + reason = "Disconnected from auth server, aborting"; + + if (conn->connected) + connection_disconnect(&conn->conn); + conn->connected = FALSE; + + conn->has_plain_mech = FALSE; + conn->server_pid = 0; + conn->connect_uid = 0; + conn->cookie = NULL; + array_clear(&conn->available_auth_mechs); + + timeout_remove(&conn->to); + + auth_client_connection_remove_requests(conn, reason); + + if (conn->client->connect_notify_callback != NULL) { + conn->client->connect_notify_callback(conn->client, FALSE, + conn->client->connect_notify_context); + } +} + +static void auth_client_connection_destroy(struct connection *_conn) +{ + struct auth_client_connection *conn = + container_of(_conn, struct auth_client_connection, conn); + + switch (_conn->disconnect_reason) { + case CONNECTION_DISCONNECT_HANDSHAKE_FAILED: + auth_client_connection_disconnect( + conn, "Handshake with auth service failed"); + break; + case CONNECTION_DISCONNECT_BUFFER_FULL: + /* buffer full - can't happen unless auth is buggy */ + e_error(conn->conn.event, + "BUG: Auth server sent us more than %d bytes of data", + AUTH_SERVER_CONN_MAX_LINE_LENGTH); + auth_client_connection_disconnect(conn, "Buffer full"); + break; + default: + /* disconnected */ + auth_client_connection_reconnect( + conn, (conn->conn.input->stream_errno != 0 ? + strerror(conn->conn.input->stream_errno) : + "EOF")); + } +} + +static void auth_server_reconnect_timeout(struct auth_client_connection *conn) +{ + (void)auth_client_connection_connect(conn); +} + +static void +auth_client_connection_reconnect(struct auth_client_connection *conn, + const char *disconnect_reason) +{ + time_t next_connect; + + auth_client_connection_disconnect(conn, disconnect_reason); + + next_connect = conn->last_connect + AUTH_SERVER_RECONNECT_TIMEOUT_SECS; + conn->to = timeout_add(ioloop_time >= next_connect ? 0 : + (next_connect - ioloop_time) * 1000, + auth_server_reconnect_timeout, conn); +} + +void auth_client_connection_deinit(struct auth_client_connection **_conn) +{ + struct auth_client_connection *conn = *_conn; + + *_conn = NULL; + + auth_client_connection_disconnect(conn, "deinitializing"); + i_assert(hash_table_count(conn->requests) == 0); + hash_table_destroy(&conn->requests); + timeout_remove(&conn->to); + array_free(&conn->available_auth_mechs); + connection_deinit(&conn->conn); + pool_unref(&conn->pool); +} + +static void auth_client_handshake_timeout(struct auth_client_connection *conn) +{ + e_error(conn->conn.event, "Timeout waiting for handshake from auth server. " + "my pid=%u, input bytes=%"PRIuUOFF_T, + conn->client->client_pid, conn->conn.input->v_offset); + auth_client_connection_reconnect(conn, "auth server timeout"); +} + +static void +auth_client_connection_connected(struct connection *_conn, bool success) +{ + struct auth_client_connection *conn = + container_of(_conn, struct auth_client_connection, conn); + + /* Cannot get here unless connect() was successful */ + i_assert(success); + + conn->connected = TRUE; +} + +int auth_client_connection_connect(struct auth_client_connection *conn) +{ + const char *handshake; + + i_assert(!conn->connected); + + conn->last_connect = ioloop_time; + timeout_remove(&conn->to); + + /* max. 1 second wait here. */ + if (connection_client_connect(&conn->conn) < 0) { + if (errno == EACCES) { + e_error(conn->conn.event, "%s", + eacces_error_get("connect", + conn->client->auth_socket_path)); + } else { + e_error(conn->conn.event, "connect(%s) failed: %m", + conn->client->auth_socket_path); + }; + return -1; + } + + handshake = t_strdup_printf("VERSION\t%u\t%u\nCPID\t%u\n", + AUTH_CLIENT_PROTOCOL_MAJOR_VERSION, + AUTH_CLIENT_PROTOCOL_MINOR_VERSION, + conn->client->client_pid); + if (o_stream_send_str(conn->conn.output, handshake) < 0) { + e_warning(conn->conn.event, + "Error sending handshake to auth server: %s", + o_stream_get_error(conn->conn.output)); + auth_client_connection_disconnect(conn, + o_stream_get_error(conn->conn.output)); + return -1; + } + + conn->to = timeout_add(conn->client->connect_timeout_msecs, + auth_client_handshake_timeout, conn); + return 0; +} + +unsigned int +auth_client_connection_add_request(struct auth_client_connection *conn, + struct auth_client_request *request) +{ + unsigned int id; + + i_assert(conn->conn.handshake_received); + + id = ++conn->client->request_id_counter; + if (id == 0) { + /* wrapped - ID 0 not allowed */ + id = ++conn->client->request_id_counter; + } + i_assert(hash_table_lookup(conn->requests, POINTER_CAST(id)) == NULL); + hash_table_insert(conn->requests, POINTER_CAST(id), request); + return id; +} + +void auth_client_connection_remove_request(struct auth_client_connection *conn, + unsigned int id) +{ + i_assert(conn->conn.handshake_received); + hash_table_remove(conn->requests, POINTER_CAST(id)); +} diff --git a/src/lib-auth/auth-client-interface.h b/src/lib-auth/auth-client-interface.h new file mode 100644 index 0000000..2367a00 --- /dev/null +++ b/src/lib-auth/auth-client-interface.h @@ -0,0 +1,43 @@ +#ifndef AUTH_CLIENT_INTERFACE_H +#define AUTH_CLIENT_INTERFACE_H + +/* Major version changes are not backwards compatible, + minor version numbers can be ignored. */ +#define AUTH_CLIENT_PROTOCOL_MAJOR_VERSION 1 +#define AUTH_CLIENT_PROTOCOL_MINOR_VERSION 2 + +/* GSSAPI can use quite large packets */ +#define AUTH_CLIENT_MAX_LINE_LENGTH 16384 + +enum mech_security_flags { + /* Don't advertise this as available SASL mechanism (eg. APOP) */ + MECH_SEC_PRIVATE = 0x0001, + /* Anonymous authentication */ + MECH_SEC_ANONYMOUS = 0x0002, + /* Transfers plaintext passwords */ + MECH_SEC_PLAINTEXT = 0x0004, + /* Subject to passive (dictionary) attack */ + MECH_SEC_DICTIONARY = 0x0008, + /* Subject to active (non-dictionary) attack */ + MECH_SEC_ACTIVE = 0x0010, + /* Provides forward secrecy between sessions */ + MECH_SEC_FORWARD_SECRECY = 0x0020, + /* Provides mutual authentication */ + MECH_SEC_MUTUAL_AUTH = 0x0040, + /* Allow NULs in input data */ + MECH_SEC_ALLOW_NULS = 0x0080, +}; + +/* auth failure codes */ +#define AUTH_CLIENT_FAIL_CODE_AUTHZFAILED "authz_fail" +#define AUTH_CLIENT_FAIL_CODE_TEMPFAIL "temp_fail" +#define AUTH_CLIENT_FAIL_CODE_USER_DISABLED "user_disabled" +#define AUTH_CLIENT_FAIL_CODE_PASS_EXPIRED "pass_expired" +#define AUTH_CLIENT_FAIL_CODE_INVALID_BASE64 "invalid_base64" + +/* not actually returned from auth service */ +#define AUTH_CLIENT_FAIL_CODE_MECH_INVALID "auth_mech_invalid" +#define AUTH_CLIENT_FAIL_CODE_MECH_SSL_REQUIRED "auth_mech_ssl_required" +#define AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED "anonymous_denied" + +#endif diff --git a/src/lib-auth/auth-client-private.h b/src/lib-auth/auth-client-private.h new file mode 100644 index 0000000..36b2463 --- /dev/null +++ b/src/lib-auth/auth-client-private.h @@ -0,0 +1,88 @@ +#ifndef AUTH_CLIENT_PRIVATE_H +#define AUTH_CLIENT_PRIVATE_H + +#include "connection.h" + +#include "auth-client.h" + +#define AUTH_CONNECT_TIMEOUT_MSECS (30*1000) + +struct auth_client_request { + pool_t pool; + struct event *event; + + struct auth_client_connection *conn; + unsigned int id; + time_t created; + + auth_request_callback_t *callback; + void *context; +}; + +struct auth_client_connection { + struct connection conn; + pool_t pool; + + struct auth_client *client; + time_t last_connect; + + struct timeout *to; + + unsigned int server_pid; + unsigned int connect_uid; + char *cookie; + + ARRAY(struct auth_mech_desc) available_auth_mechs; + + /* id => request */ + HASH_TABLE(void *, struct auth_client_request *) requests; + + bool has_plain_mech:1; + bool connected:1; +}; + +struct auth_client { + char *auth_socket_path; + unsigned int client_pid; + struct event *event; + + struct connection_list *clist; + struct auth_client_connection *conn; + + auth_connect_notify_callback_t *connect_notify_callback; + void *connect_notify_context; + + unsigned int request_id_counter; + + unsigned int connect_timeout_msecs; + + bool debug:1; +}; + +extern struct event_category event_category_auth_client; + +bool auth_client_request_is_aborted(struct auth_client_request *request); +time_t auth_client_request_get_create_time(struct auth_client_request *request); + +void auth_client_request_server_input(struct auth_client_request *request, + enum auth_request_status status, + const char *const *args); + +struct connection_list *auth_client_connection_list_init(void); + +struct auth_client_connection * +auth_client_connection_init(struct auth_client *client); +void auth_client_connection_deinit(struct auth_client_connection **conn); + +int auth_client_connection_connect(struct auth_client_connection *conn); +void auth_client_connection_disconnect(struct auth_client_connection *conn, + const char *reason); + +/* Queues a new request. Must not be called if connection is not connected. */ +unsigned int +auth_client_connection_add_request(struct auth_client_connection *conn, + struct auth_client_request *request); +void auth_client_connection_remove_request(struct auth_client_connection *conn, + unsigned int id); + +#endif diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c new file mode 100644 index 0000000..eb48cec --- /dev/null +++ b/src/lib-auth/auth-client-request.c @@ -0,0 +1,366 @@ +/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "array.h" +#include "str.h" +#include "strescape.h" +#include "ostream.h" +#include "auth-client-private.h" + +static void auth_server_send_new_request(struct auth_client_connection *conn, + struct auth_client_request *request, + const struct auth_request_info *info) +{ + string_t *str; + + str = t_str_new(512); + str_printfa(str, "AUTH\t%u\t", request->id); + str_append_tabescaped(str, info->mech); + str_append(str, "\tservice="); + str_append_tabescaped(str, info->service); + + event_add_str(request->event, "mechanism", info->mech); + event_add_str(request->event, "service", info->service); + + if ((info->flags & AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP) != 0) + str_append(str, "\tfinal-resp-ok"); + if ((info->flags & AUTH_REQUEST_FLAG_SECURED) != 0) { + str_append(str, "\tsecured"); + if ((info->flags & AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS) != 0) { + str_append(str, "=tls"); + event_add_str(request->event, "transport", "TLS"); + } else { + event_add_str(request->event, "transport", "trusted"); + } + } else { + i_assert((info->flags & AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS) == 0); + event_add_str(request->event, "transport", "insecure"); + } + if ((info->flags & AUTH_REQUEST_FLAG_NO_PENALTY) != 0) + str_append(str, "\tno-penalty"); + if ((info->flags & AUTH_REQUEST_FLAG_VALID_CLIENT_CERT) != 0) + str_append(str, "\tvalid-client-cert"); + if ((info->flags & AUTH_REQUEST_FLAG_DEBUG) != 0) + str_append(str, "\tdebug"); + + if (info->session_id != NULL) { + str_append(str, "\tsession="); + str_append_tabescaped(str, info->session_id); + event_add_str(request->event, "session", info->session_id); + } + if (info->cert_username != NULL) { + str_append(str, "\tcert_username="); + str_append_tabescaped(str, info->cert_username); + event_add_str(request->event, "certificate_user", + info->cert_username); + } + if (info->local_ip.family != 0) { + str_printfa(str, "\tlip=%s", net_ip2addr(&info->local_ip)); + event_add_str(request->event, "local_ip", net_ip2addr(&info->local_ip)); + } + if (info->remote_ip.family != 0) { + str_printfa(str, "\trip=%s", net_ip2addr(&info->remote_ip)); + event_add_str(request->event, "remote_ip", net_ip2addr(&info->remote_ip)); + } + if (info->local_port != 0) { + str_printfa(str, "\tlport=%u", info->local_port); + event_add_int(request->event, "local_port", info->local_port); + } + if (info->remote_port != 0) { + str_printfa(str, "\trport=%u", info->remote_port); + event_add_int(request->event, "remote_port", info->remote_port); + } + if (info->real_local_ip.family != 0) { + event_add_str(request->event, "real_local_ip", + net_ip2addr(&info->real_local_ip)); + } + if (info->real_remote_ip.family != 0) { + event_add_str(request->event, "real_remote_ip", + net_ip2addr(&info->real_remote_ip)); + } + if (info->real_local_port != 0) { + event_add_int(request->event, "real_local_port", + info->real_local_port); + } + if (info->real_remote_port != 0) { + event_add_int(request->event, "real_remote_port", + info->real_remote_port); + } + /* send the real_* variants only when they differ from the unreal + ones */ + if (info->real_local_ip.family != 0 && + !net_ip_compare(&info->real_local_ip, &info->local_ip)) { + str_printfa(str, "\treal_lip=%s", + net_ip2addr(&info->real_local_ip)); + } + if (info->real_remote_ip.family != 0 && + !net_ip_compare(&info->real_remote_ip, &info->remote_ip)) { + str_printfa(str, "\treal_rip=%s", + net_ip2addr(&info->real_remote_ip)); + } + if (info->real_local_port != 0 && + info->real_local_port != info->local_port) + str_printfa(str, "\treal_lport=%u", info->real_local_port); + if (info->real_remote_port != 0 && + info->real_remote_port != info->remote_port) + str_printfa(str, "\treal_rport=%u", info->real_remote_port); + if (info->local_name != NULL && + *info->local_name != '\0') { + str_append(str, "\tlocal_name="); + str_append_tabescaped(str, info->local_name); + event_add_str(request->event, "local_name", info->local_name); + } + if (info->ssl_cipher_bits != 0 && info->ssl_cipher != NULL) { + event_add_str(request->event, "tls_cipher", info->ssl_cipher); + event_add_int(request->event, "tls_cipher_bits", info->ssl_cipher_bits); + if (info->ssl_pfs != NULL) { + event_add_str(request->event, "tls_pfs", info->ssl_pfs); + } + } + if (info->ssl_protocol != NULL) { + event_add_str(request->event, "tls_protocol", info->ssl_protocol); + } + if (info->client_id != NULL && + *info->client_id != '\0') { + str_append(str, "\tclient_id="); + str_append_tabescaped(str, info->client_id); + event_add_str(request->event, "client_id", info->client_id); + } + if (info->forward_fields != NULL && + *info->forward_fields != '\0') { + str_append(str, "\tforward_fields="); + str_append_tabescaped(str, info->forward_fields); + } + if (array_is_created(&info->extra_fields)) { + const char *const *fieldp; + array_foreach(&info->extra_fields, fieldp) { + str_append_c(str, '\t'); + str_append_tabescaped(str, *fieldp); + } + } + if (info->initial_resp_base64 != NULL) { + str_append(str, "\tresp="); + str_append_tabescaped(str, info->initial_resp_base64); + } + str_append_c(str, '\n'); + + struct event_passthrough *e = + event_create_passthrough(request->event)-> + set_name("auth_client_request_started"); + e_debug(e->event(), "Started request"); + + if (o_stream_send(conn->conn.output, str_data(str), str_len(str)) < 0) { + e_error(request->event, + "Error sending request to auth server: %m"); + } +} + +struct auth_client_request * +auth_client_request_new(struct auth_client *client, + const struct auth_request_info *request_info, + auth_request_callback_t *callback, void *context) +{ + struct auth_client_request *request; + pool_t pool; + + pool = pool_alloconly_create("auth client request", 512); + request = p_new(pool, struct auth_client_request, 1); + request->pool = pool; + request->conn = client->conn; + + request->callback = callback; + request->context = context; + + request->id = + auth_client_connection_add_request(request->conn, request); + request->created = ioloop_time; + + request->event = event_create(client->event); + event_add_int(request->event, "id", request->id); + event_set_append_log_prefix(request->event, + t_strdup_printf("request [%u]: ", + request->id)); + + T_BEGIN { + auth_server_send_new_request(request->conn, request, request_info); + } T_END; + return request; +} + +static void ATTR_NULL(3, 4) +call_callback(struct auth_client_request *request, + enum auth_request_status status, + const char *data_base64, + const char *const *args) +{ + auth_request_callback_t *callback = request->callback; + + if (status != AUTH_REQUEST_STATUS_CONTINUE) + request->callback = NULL; + callback(request, status, data_base64, args, request->context); +} + +static void auth_client_request_free(struct auth_client_request **_request) +{ + struct auth_client_request *request = *_request; + + *_request = NULL; + + event_unref(&request->event); + pool_unref(&request->pool); +} + +void auth_client_request_abort(struct auth_client_request **_request, + const char *reason) +{ + struct auth_client_request *request = *_request; + + *_request = NULL; + + struct event_passthrough *e = + event_create_passthrough(request->event)-> + set_name("auth_client_request_finished"); + e->add_str("error", reason); + e_debug(e->event(), "Aborted: %s", reason); + + auth_client_send_cancel(request->conn->client, request->id); + call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL); + /* remove the request */ + auth_client_connection_remove_request(request->conn, request->id); + auth_client_request_free(&request); +} + +unsigned int auth_client_request_get_id(struct auth_client_request *request) +{ + return request->id; +} + +unsigned int +auth_client_request_get_server_pid(struct auth_client_request *request) +{ + return request->conn->server_pid; +} + +const char *auth_client_request_get_cookie(struct auth_client_request *request) +{ + return request->conn->cookie; +} + +bool auth_client_request_is_aborted(struct auth_client_request *request) +{ + return request->callback == NULL; +} + +time_t auth_client_request_get_create_time(struct auth_client_request *request) +{ + return request->created; +} + +static void args_parse_user(struct auth_client_request *request, const char *arg) +{ + if (str_begins(arg, "user=")) + event_add_str(request->event, "user", arg + 5); + else if (str_begins(arg, "original_user=")) + event_add_str(request->event, "original_user", arg + 14); + else if (str_begins(arg, "auth_user=")) + event_add_str(request->event, "auth_user", arg + 10); +} + +void auth_client_request_continue(struct auth_client_request *request, + const char *data_base64) +{ + struct const_iovec iov[3]; + const char *prefix; + + prefix = t_strdup_printf("CONT\t%u\t", request->id); + + iov[0].iov_base = prefix; + iov[0].iov_len = strlen(prefix); + iov[1].iov_base = data_base64; + iov[1].iov_len = strlen(data_base64); + iov[2].iov_base = "\n"; + iov[2].iov_len = 1; + + struct event_passthrough *e = + event_create_passthrough(request->event)-> + set_name("auth_client_request_continued"); + e_debug(e->event(), "Continue request"); + + if (o_stream_sendv(request->conn->conn.output, iov, 3) < 0) { + e_error(request->event, + "Error sending continue request to auth server: %m"); + } +} + +void auth_client_request_server_input(struct auth_client_request *request, + enum auth_request_status status, + const char *const *args) +{ + const char *const *tmp, *base64_data = NULL; + struct event_passthrough *e; + + if (request->callback == NULL) { + /* aborted already */ + return; + } + + switch (status) { + case AUTH_REQUEST_STATUS_CONTINUE: + e = event_create_passthrough(request->event)-> + set_name("auth_client_request_challenged"); + break; + default: + e = event_create_passthrough(request->event)-> + set_name("auth_client_request_finished"); + break; + } + + for (tmp = args; *tmp != NULL; tmp++) { + if (str_begins(*tmp, "resp=")) { + base64_data = *tmp + 5; + } else if (str_begins(*tmp, "event_")) { + const char *key = *tmp + 6; + const char *value = strchr(key, '='); + if (value != NULL) { + event_add_str(request->event, + t_strdup_until(key, value), value+1); + } + } + args_parse_user(request, *tmp); + } + + switch (status) { + case AUTH_REQUEST_STATUS_OK: + e_debug(e->event(), "Finished"); + break; + case AUTH_REQUEST_STATUS_CONTINUE: + base64_data = args[0]; + args = NULL; + e_debug(e->event(), "Got challenge"); + break; + case AUTH_REQUEST_STATUS_FAIL: + e->add_str("error", "Authentication failed"); + e_debug(e->event(), "Finished"); + break; + case AUTH_REQUEST_STATUS_INTERNAL_FAIL: + e->add_str("error", "Internal failure"); + e_debug(e->event(), "Finished"); + break; + case AUTH_REQUEST_STATUS_ABORT: + i_unreached(); + } + + call_callback(request, status, base64_data, args); + if (status != AUTH_REQUEST_STATUS_CONTINUE) + auth_client_request_free(&request); +} + +void auth_client_send_cancel(struct auth_client *client, unsigned int id) +{ + const char *str = t_strdup_printf("CANCEL\t%u\n", id); + + if (o_stream_send_str(client->conn->conn.output, str) < 0) { + e_error(client->conn->conn.event, + "Error sending request to auth server: %m"); + } +} diff --git a/src/lib-auth/auth-client.c b/src/lib-auth/auth-client.c new file mode 100644 index 0000000..9523282 --- /dev/null +++ b/src/lib-auth/auth-client.c @@ -0,0 +1,112 @@ +/* Copyright (c) 2005-2018 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "array.h" +#include "auth-client-private.h" + +struct event_category event_category_auth_client = { + .name = "auth-client" +}; + +struct auth_client * +auth_client_init(const char *auth_socket_path, unsigned int client_pid, + bool debug) +{ + struct auth_client *client; + + client = i_new(struct auth_client, 1); + client->client_pid = client_pid; + client->auth_socket_path = i_strdup(auth_socket_path); + client->debug = debug; + client->connect_timeout_msecs = AUTH_CONNECT_TIMEOUT_MSECS; + client->clist = auth_client_connection_list_init(); + + client->event = event_create(NULL); + event_add_category(client->event, &event_category_auth_client); + event_set_append_log_prefix(client->event, "auth-client: "); + event_set_forced_debug(client->event, client->debug); + + client->conn = auth_client_connection_init(client); + return client; +} + +void auth_client_deinit(struct auth_client **_client) +{ + struct auth_client *client = *_client; + + *_client = NULL; + + auth_client_connection_deinit(&client->conn); + connection_list_deinit(&client->clist); + event_unref(&client->event); + i_free(client->auth_socket_path); + i_free(client); +} + +void auth_client_connect(struct auth_client *client) +{ + if (!client->conn->connected) + (void)auth_client_connection_connect(client->conn); +} + +void auth_client_disconnect(struct auth_client *client, const char *reason) +{ + auth_client_connection_disconnect(client->conn, reason); +} + +bool auth_client_is_connected(struct auth_client *client) +{ + /* handshake_received isn't unset immediately after disconnection */ + return client->conn->conn.handshake_received && + client->conn->connected; +} + +bool auth_client_is_disconnected(struct auth_client *client) +{ + return !client->conn->connected; +} + +void auth_client_set_connect_timeout(struct auth_client *client, + unsigned int msecs) +{ + client->connect_timeout_msecs = msecs; +} + +void auth_client_set_connect_notify(struct auth_client *client, + auth_connect_notify_callback_t *callback, + void *context) +{ + client->connect_notify_callback = callback; + client->connect_notify_context = context; +} + +const struct auth_mech_desc * +auth_client_get_available_mechs(struct auth_client *client, + unsigned int *mech_count) +{ + i_assert(auth_client_is_connected(client)); + + return array_get(&client->conn->available_auth_mechs, mech_count); +} + +const struct auth_mech_desc * +auth_client_find_mech(struct auth_client *client, const char *name) +{ + const struct auth_mech_desc *mech; + + array_foreach(&client->conn->available_auth_mechs, mech) { + if (strcasecmp(mech->name, name) == 0) + return mech; + } + return NULL; +} + +void auth_client_get_connect_id(struct auth_client *client, + unsigned int *server_pid_r, + unsigned int *connect_uid_r) +{ + i_assert(auth_client_is_connected(client)); + + *server_pid_r = client->conn->server_pid; + *connect_uid_r = client->conn->connect_uid; +} diff --git a/src/lib-auth/auth-client.h b/src/lib-auth/auth-client.h new file mode 100644 index 0000000..917f904 --- /dev/null +++ b/src/lib-auth/auth-client.h @@ -0,0 +1,124 @@ +#ifndef AUTH_CLIENT_H +#define AUTH_CLIENT_H + +#include "net.h" +#include "auth-client-interface.h" + +struct auth_client; +struct auth_client_request; + +enum auth_request_flags { + AUTH_REQUEST_FLAG_SECURED = 0x01, + AUTH_REQUEST_FLAG_VALID_CLIENT_CERT = 0x02, + /* Skip penalty checks for this request */ + AUTH_REQUEST_FLAG_NO_PENALTY = 0x04, + /* Support final SASL response */ + AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP = 0x08, + /* Enable auth_debug=yes logging for this request */ + AUTH_REQUEST_FLAG_DEBUG = 0x10, + /* If TLS was used */ + AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS = 0x20, +}; + +enum auth_request_status { + AUTH_REQUEST_STATUS_ABORT = -3, + AUTH_REQUEST_STATUS_INTERNAL_FAIL = -2, + AUTH_REQUEST_STATUS_FAIL = -1, + AUTH_REQUEST_STATUS_CONTINUE, + AUTH_REQUEST_STATUS_OK +}; + +struct auth_mech_desc { + char *name; + enum mech_security_flags flags; +}; + +struct auth_connect_id { + unsigned int server_pid; + unsigned int connect_uid; +}; + +struct auth_request_info { + const char *mech; + const char *service; + const char *session_id; + const char *cert_username; + const char *local_name; + const char *client_id; + const char *forward_fields; + ARRAY_TYPE(const_string) extra_fields; + + unsigned int ssl_cipher_bits; + const char *ssl_cipher; + const char *ssl_pfs; + const char *ssl_protocol; + + enum auth_request_flags flags; + + struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip; + in_port_t local_port, remote_port, real_local_port, real_remote_port; + + const char *initial_resp_base64; +}; + +typedef void auth_request_callback_t(struct auth_client_request *request, + enum auth_request_status status, + const char *data_base64, + const char *const *args, void *context); + +typedef void auth_connect_notify_callback_t(struct auth_client *client, + bool connected, void *context); + +/* Create new authentication client. */ +struct auth_client * +auth_client_init(const char *auth_socket_path, unsigned int client_pid, + bool debug); +void auth_client_deinit(struct auth_client **client); + +void auth_client_connect(struct auth_client *client); +void auth_client_disconnect(struct auth_client *client, const char *reason); +bool auth_client_is_connected(struct auth_client *client); +bool auth_client_is_disconnected(struct auth_client *client); + +void auth_client_set_connect_timeout(struct auth_client *client, + unsigned int msecs); +void auth_client_set_connect_notify(struct auth_client *client, + auth_connect_notify_callback_t *callback, + void *context) ATTR_NULL(2, 3); +const struct auth_mech_desc * +auth_client_get_available_mechs(struct auth_client *client, + unsigned int *mech_count); +const struct auth_mech_desc * +auth_client_find_mech(struct auth_client *client, const char *name); + +/* Return current connection's identifiers. */ +void auth_client_get_connect_id(struct auth_client *client, + unsigned int *server_pid_r, + unsigned int *connect_uid_r); + +/* Create a new authentication request. callback is called whenever something + happens for the request. */ +struct auth_client_request * +auth_client_request_new(struct auth_client *client, + const struct auth_request_info *request_info, + auth_request_callback_t *callback, void *context) + ATTR_NULL(4); +/* Continue authentication. Call when + reply->result == AUTH_CLIENT_REQUEST_CONTINUE */ +void auth_client_request_continue(struct auth_client_request *request, + const char *data_base64); +/* Abort ongoing authentication request. */ +void auth_client_request_abort(struct auth_client_request **request, + const char *reason) ATTR_NULL(2); +/* Return ID of this request. */ +unsigned int auth_client_request_get_id(struct auth_client_request *request); +/* Return the PID of the server that handled this request. */ +unsigned int +auth_client_request_get_server_pid(struct auth_client_request *request); +/* Return cookie of the server that handled this request. */ +const char *auth_client_request_get_cookie(struct auth_client_request *request); + +/* Tell auth process to drop specified request from memory */ +void auth_client_send_cancel(struct auth_client *client, unsigned int id); + +#endif diff --git a/src/lib-auth/auth-master.c b/src/lib-auth/auth-master.c new file mode 100644 index 0000000..57cf8d2 --- /dev/null +++ b/src/lib-auth/auth-master.c @@ -0,0 +1,1030 @@ +/* Copyright (c) 2005-2018 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "lib-signals.h" +#include "array.h" +#include "ioloop.h" +#include "eacces-error.h" +#include "net.h" +#include "istream.h" +#include "ostream.h" +#include "str.h" +#include "strescape.h" +#include "connection.h" +#include "master-interface.h" +#include "auth-client-private.h" +#include "auth-master.h" + +#include <unistd.h> + +#define AUTH_PROTOCOL_MAJOR 1 +#define AUTH_PROTOCOL_MINOR 0 + +#define AUTH_MASTER_IDLE_SECS 60 + +#define MAX_INBUF_SIZE 8192 +#define MAX_OUTBUF_SIZE 1024 + +struct auth_master_connection { + struct connection conn; + struct connection_list *clist; + struct event *event_parent, *event; + + char *auth_socket_path; + enum auth_master_flags flags; + + struct ioloop *ioloop, *prev_ioloop; + struct timeout *to; + + unsigned int request_counter; + + bool (*reply_callback)(const char *cmd, const char *const *args, + void *context); + void *reply_context; + + unsigned int timeout_msecs; + + bool connected:1; + bool sent_handshake:1; + bool aborted:1; +}; + +struct auth_master_lookup_ctx { + struct auth_master_connection *conn; + const char *user; + const char *expected_reply; + int return_value; + + pool_t pool; + const char **fields; +}; + +struct auth_master_user_list_ctx { + struct auth_master_connection *conn; + string_t *username; + bool finished; + bool failed; +}; + +static void auth_master_connected(struct connection *_conn, bool success); +static int +auth_master_input_args(struct connection *_conn, const char *const *args); +static int +auth_master_handshake_line(struct connection *_conn, const char *line); +static int auth_master_input_line(struct connection *_conn, const char *line); +static void auth_master_destroy(struct connection *_conn); + +static const struct connection_vfuncs auth_master_vfuncs = { + .destroy = auth_master_destroy, + .handshake_line = auth_master_handshake_line, + .input_args = auth_master_input_args, + .input_line = auth_master_input_line, + .client_connected = auth_master_connected, +}; + +static const struct connection_settings auth_master_set = { + .dont_send_version = TRUE, + .service_name_in = "auth-master", + .service_name_out = "auth-master", + .major_version = AUTH_PROTOCOL_MAJOR, + .minor_version = AUTH_PROTOCOL_MINOR, + .unix_client_connect_msecs = 1000, + .input_max_size = MAX_INBUF_SIZE, + .output_max_size = MAX_OUTBUF_SIZE, + .client = TRUE, +}; + +struct auth_master_connection * +auth_master_init(const char *auth_socket_path, enum auth_master_flags flags) +{ + struct auth_master_connection *conn; + + conn = i_new(struct auth_master_connection, 1); + conn->auth_socket_path = i_strdup(auth_socket_path); + conn->flags = flags; + conn->timeout_msecs = 1000*MASTER_AUTH_LOOKUP_TIMEOUT_SECS; + conn->clist = connection_list_init(&auth_master_set, + &auth_master_vfuncs); + + conn->event_parent = conn->event = event_create(NULL); + event_add_category(conn->event_parent, &event_category_auth_client); + event_set_append_log_prefix(conn->event_parent, "auth-master: "); + event_set_forced_debug(conn->event_parent, + HAS_ALL_BITS(flags, AUTH_MASTER_FLAG_DEBUG)); + + conn->conn.event_parent = conn->event_parent; + connection_init_client_unix(conn->clist, &conn->conn, + conn->auth_socket_path); + + return conn; +} + +static void auth_connection_close(struct auth_master_connection *conn) +{ + conn->connected = FALSE; + connection_disconnect(&conn->conn); + + timeout_remove(&conn->to); + + conn->sent_handshake = FALSE; +} + +void auth_master_deinit(struct auth_master_connection **_conn) +{ + struct auth_master_connection *conn = *_conn; + struct connection_list *clist = conn->clist; + + *_conn = NULL; + + auth_connection_close(conn); + connection_deinit(&conn->conn); + connection_list_deinit(&clist); + event_unref(&conn->event_parent); + i_free(conn->auth_socket_path); + i_free(conn); +} + +void auth_master_set_timeout(struct auth_master_connection *conn, + unsigned int msecs) +{ + conn->timeout_msecs = msecs; +} + +const char *auth_master_get_socket_path(struct auth_master_connection *conn) +{ + return conn->auth_socket_path; +} + +static void auth_request_lookup_abort(struct auth_master_connection *conn) +{ + io_loop_stop(conn->ioloop); + conn->aborted = TRUE; +} + +static void auth_master_destroy(struct connection *_conn) +{ + struct auth_master_connection *conn = + container_of(_conn, struct auth_master_connection, conn); + + if (conn->connected) + connection_disconnect(&conn->conn); + conn->connected = FALSE; + conn->sent_handshake = FALSE; + + switch (_conn->disconnect_reason) { + case CONNECTION_DISCONNECT_HANDSHAKE_FAILED: + break; + case CONNECTION_DISCONNECT_BUFFER_FULL: + e_error(conn->event, "BUG: Received more than %d bytes", + MAX_INBUF_SIZE); + break; + default: + if (!conn->aborted) + e_error(conn->event, "Disconnected unexpectedly"); + } + auth_request_lookup_abort(conn); +} + +static int +auth_master_handshake_line(struct connection *_conn, const char *line) +{ + struct auth_master_connection *conn = + container_of(_conn, struct auth_master_connection, conn); + const char *const *tmp; + unsigned int major_version, minor_version; + + tmp = t_strsplit_tabescaped(line); + if (strcmp(tmp[0], "VERSION") == 0 && + tmp[1] != NULL && tmp[2] != NULL) { + if (str_to_uint(tmp[1], &major_version) < 0 || + str_to_uint(tmp[2], &minor_version) < 0) { + e_error(conn->event, + "Auth server sent invalid version line: %s", + line); + auth_request_lookup_abort(conn); + return -1; + } + + if (connection_verify_version(_conn, "auth-master", + major_version, + minor_version) < 0) { + auth_request_lookup_abort(conn); + return -1; + } + } else if (strcmp(tmp[0], "SPID") == 0) { + return 1; + } + return 0; +} + +static int +parse_reply(struct auth_master_lookup_ctx *ctx, const char *cmd, + const char *const *args) +{ + struct auth_master_connection *conn = ctx->conn; + + if (strcmp(cmd, ctx->expected_reply) == 0) + return 1; + if (strcmp(cmd, "NOTFOUND") == 0) + return 0; + if (strcmp(cmd, "FAIL") == 0) { + if (*args == NULL) { + e_error(conn->event, "Auth %s lookup failed", + ctx->expected_reply); + } else { + e_debug(conn->event, + "Auth %s lookup returned temporary failure: %s", + ctx->expected_reply, *args); + } + return -2; + } + e_error(conn->event, "Unknown reply: %s", cmd); + return -1; +} + +static const char *const *args_hide_passwords(const char *const *args) +{ + ARRAY_TYPE(const_string) new_args; + const char *p, *p2; + unsigned int i; + + /* if there are any keys that contain "pass" string */ + for (i = 0; args[i] != NULL; i++) { + p = strstr(args[i], "pass"); + if (p != NULL && p < strchr(args[i], '=')) + break; + } + if (args[i] == NULL) + return args; + + /* there are. replace their values with <hidden> */ + t_array_init(&new_args, i + 16); + array_append(&new_args, args, i); + for (; args[i] != NULL; i++) { + p = strstr(args[i], "pass"); + p2 = strchr(args[i], '='); + if (p != NULL && p < p2) { + p = t_strconcat(t_strdup_until(args[i], p2), + "=<hidden>", NULL); + array_push_back(&new_args, &p); + } else { + array_push_back(&new_args, &args[i]); + } + } + array_append_zero(&new_args); + return array_front(&new_args); +} + +static bool auth_lookup_reply_callback(const char *cmd, const char *const *args, + void *context) +{ + struct auth_master_lookup_ctx *ctx = context; + unsigned int i, len; + + io_loop_stop(ctx->conn->ioloop); + + ctx->return_value = parse_reply(ctx, cmd, args); + + len = str_array_length(args); + i_assert(*args != NULL || len == 0); /* for static analyzer */ + if (ctx->return_value >= 0) { + ctx->fields = p_new(ctx->pool, const char *, len + 1); + for (i = 0; i < len; i++) + ctx->fields[i] = p_strdup(ctx->pool, args[i]); + } else { + /* put the reason string into first field */ + ctx->fields = p_new(ctx->pool, const char *, 2); + for (i = 0; i < len; i++) { + if (str_begins(args[i], "reason=")) { + ctx->fields[0] = + p_strdup(ctx->pool, args[i] + 7); + break; + } + } + } + args = args_hide_passwords(args); + e_debug(ctx->conn->event, "auth %s input: %s", + ctx->expected_reply, t_strarray_join(args, " ")); + return TRUE; +} + +static int +auth_master_input_args(struct connection *_conn, const char *const *args) +{ + struct auth_master_connection *conn = + container_of(_conn, struct auth_master_connection, conn); + const char *const *in_args = args; + const char *cmd, *id, *wanted_id; + + cmd = *args; args++; + if (*args == NULL) + id = ""; + else { + id = *args; + args++; + } + + wanted_id = dec2str(conn->request_counter); + if (strcmp(id, wanted_id) == 0) { + return (conn->reply_callback(cmd, args, conn->reply_context) ? + 0 : 1); + } + + if (strcmp(cmd, "CUID") == 0) { + e_error(conn->event, "%s is an auth client socket. " + "It should be a master socket.", + conn->auth_socket_path); + } else { + e_error(conn->event, "BUG: Unexpected input: %s", + t_strarray_join(in_args, "\t")); + } + auth_request_lookup_abort(conn); + return -1; +} + +static int auth_master_input_line(struct connection *_conn, const char *line) +{ + struct auth_master_connection *conn = + container_of(_conn, struct auth_master_connection, conn); + int ret; + + ret = connection_input_line_default(_conn, line); + return (io_loop_is_running(conn->ioloop) ? ret : 0); +} + +static void auth_master_connected(struct connection *_conn, bool success) +{ + struct auth_master_connection *conn = + container_of(_conn, struct auth_master_connection, conn); + + /* Cannot get here unless connect() was successful */ + i_assert(success); + + conn->connected = TRUE; +} + +static int auth_master_connect(struct auth_master_connection *conn) +{ + i_assert(!conn->connected); + + if (conn->ioloop != NULL) + connection_switch_ioloop_to(&conn->conn, conn->ioloop); + if (connection_client_connect(&conn->conn) < 0) { + if (errno == EACCES) { + e_error(conn->event, + "%s", eacces_error_get("connect", + conn->auth_socket_path)); + } else { + e_error(conn->event, "connect(%s) failed: %m", + conn->auth_socket_path); + } + return -1; + } + + connection_input_halt(&conn->conn); + return 0; +} + +static void auth_request_timeout(struct auth_master_connection *conn) +{ + if (!conn->conn.handshake_received) + e_error(conn->event, "Connecting timed out"); + else + e_error(conn->event, "Request timed out"); + auth_request_lookup_abort(conn); +} + +static void auth_idle_timeout(struct auth_master_connection *conn) +{ + auth_connection_close(conn); +} + +static void auth_master_set_io(struct auth_master_connection *conn) +{ + if (conn->ioloop != NULL) + return; + + timeout_remove(&conn->to); + + conn->prev_ioloop = current_ioloop; + conn->ioloop = io_loop_create(); + connection_switch_ioloop_to(&conn->conn, conn->ioloop); + if (conn->connected) + connection_input_resume(&conn->conn); + + conn->to = timeout_add_to(conn->ioloop, conn->timeout_msecs, + auth_request_timeout, conn); +} + +static void auth_master_unset_io(struct auth_master_connection *conn) +{ + if (conn->prev_ioloop != NULL) { + io_loop_set_current(conn->prev_ioloop); + } + if (conn->ioloop != NULL) { + io_loop_set_current(conn->ioloop); + connection_switch_ioloop_to(&conn->conn, conn->ioloop); + connection_input_halt(&conn->conn); + timeout_remove(&conn->to); + io_loop_destroy(&conn->ioloop); + } + + if ((conn->flags & AUTH_MASTER_FLAG_NO_IDLE_TIMEOUT) == 0) { + if (conn->prev_ioloop == NULL) + auth_connection_close(conn); + else { + i_assert(conn->to == NULL); + conn->to = timeout_add(1000*AUTH_MASTER_IDLE_SECS, + auth_idle_timeout, conn); + } + } +} + +static bool is_valid_string(const char *str) +{ + const char *p; + + /* make sure we're not sending any characters that have a special + meaning. */ + for (p = str; *p != '\0'; p++) { + if (*p == '\t' || *p == '\n' || *p == '\r') + return FALSE; + } + return TRUE; +} + +static int auth_master_run_cmd_pre(struct auth_master_connection *conn, + const char *cmd) +{ + auth_master_set_io(conn); + + if (!conn->connected) { + if (auth_master_connect(conn) < 0) { + auth_master_unset_io(conn); + return -1; + } + i_assert(conn->connected); + connection_input_resume(&conn->conn); + } + + o_stream_cork(conn->conn.output); + if (!conn->sent_handshake) { + const struct connection_settings *set = &conn->conn.list->set; + + o_stream_nsend_str(conn->conn.output, + t_strdup_printf("VERSION\t%u\t%u\n", + set->major_version, + set->minor_version)); + conn->sent_handshake = TRUE; + } + + o_stream_nsend_str(conn->conn.output, cmd); + o_stream_uncork(conn->conn.output); + + if (o_stream_flush(conn->conn.output) < 0) { + e_error(conn->event, "write(auth socket) failed: %s", + o_stream_get_error(conn->conn.output)); + auth_master_unset_io(conn); + auth_connection_close(conn); + return -1; + } + return 0; +} + +static int auth_master_run_cmd_post(struct auth_master_connection *conn) +{ + auth_master_unset_io(conn); + if (conn->aborted) { + conn->aborted = FALSE; + auth_connection_close(conn); + return -1; + } + return 0; +} + +static int auth_master_run_cmd(struct auth_master_connection *conn, + const char *cmd) +{ + if (auth_master_run_cmd_pre(conn, cmd) < 0) + return -1; + io_loop_run(conn->ioloop); + return auth_master_run_cmd_post(conn); +} + +static unsigned int +auth_master_next_request_id(struct auth_master_connection *conn) +{ + if (++conn->request_counter == 0) { + /* avoid zero */ + conn->request_counter++; + } + return conn->request_counter; +} + +void auth_user_info_export(string_t *str, const struct auth_user_info *info) +{ + const char *const *fieldp; + + if (info->service != NULL) { + str_append(str, "\tservice="); + str_append(str, info->service); + } + if (info->session_id != NULL) { + str_append(str, "\tsession="); + str_append_tabescaped(str, info->session_id); + } + if (info->local_name != NULL) { + str_append(str, "\tlocal_name="); + str_append_tabescaped(str, info->local_name); + } + if (info->local_ip.family != 0) + str_printfa(str, "\tlip=%s", net_ip2addr(&info->local_ip)); + if (info->local_port != 0) + str_printfa(str, "\tlport=%d", info->local_port); + if (info->remote_ip.family != 0) + str_printfa(str, "\trip=%s", net_ip2addr(&info->remote_ip)); + if (info->remote_port != 0) + str_printfa(str, "\trport=%d", info->remote_port); + if (info->real_remote_ip.family != 0 && + !net_ip_compare(&info->real_remote_ip, &info->remote_ip)) + str_printfa(str, "\treal_rip=%s", net_ip2addr(&info->real_remote_ip)); + if (info->real_local_ip.family != 0 && + !net_ip_compare(&info->real_local_ip, &info->local_ip)) + str_printfa(str, "\treal_lip=%s", net_ip2addr(&info->real_local_ip)); + if (info->real_local_port != 0 && + info->real_local_port != info->local_port) + str_printfa(str, "\treal_lport=%d", info->real_local_port); + if (info->real_remote_port != 0 && + info->real_remote_port != info->remote_port) + str_printfa(str, "\treal_rport=%d", info->real_remote_port); + if (info->debug) + str_append(str, "\tdebug"); + if (info->forward_fields != NULL && + *info->forward_fields != '\0') { + str_append(str, "\tforward_fields="); + str_append_tabescaped(str, info->forward_fields); + } + if (array_is_created(&info->extra_fields)) { + array_foreach(&info->extra_fields, fieldp) { + str_append_c(str, '\t'); + str_append_tabescaped(str, *fieldp); + } + } +} + +static void +auth_master_event_create(struct auth_master_connection *conn, + const char *prefix) +{ + i_assert(conn->event == conn->event_parent); + conn->event = event_create(conn->event_parent); + event_set_append_log_prefix(conn->event, prefix); +} + +static void +auth_master_user_event_create(struct auth_master_connection *conn, + const char *prefix, + const struct auth_user_info *info) +{ + auth_master_event_create(conn, prefix); + + if (info != NULL) { + if (info->service != NULL) + event_add_str(conn->event, "service", info->service); + if (info->session_id != NULL) + event_add_str(conn->event, "session", info->session_id); + if (info->local_name != NULL) + event_add_str(conn->event, "local_name", info->local_name); + if (info->local_ip.family != 0) { + event_add_str(conn->event, "local_ip", + net_ip2addr(&info->local_ip)); + } + if (info->local_port != 0) { + event_add_int(conn->event, "local_port", + info->local_port); + } + if (info->remote_ip.family != 0) { + event_add_str(conn->event, "remote_ip", + net_ip2addr(&info->remote_ip)); + } + if (info->remote_port != 0) { + event_add_int(conn->event, "remote_port", + info->remote_port); + } + if (info->real_local_ip.family != 0) + event_add_str(conn->event, "real_local_ip", + net_ip2addr(&info->real_local_ip)); + if (info->real_remote_ip.family != 0) + event_add_str(conn->event, "real_remote_ip", + net_ip2addr(&info->real_remote_ip)); + if (info->real_local_port != 0) + event_add_int(conn->event, "real_local_port", + info->real_local_port); + if (info->real_remote_port != 0) + event_add_int(conn->event, "real_remote_port", + info->real_remote_port); + } +} + +static void +auth_master_event_finish(struct auth_master_connection *conn) +{ + i_assert(conn->event != conn->event_parent); + event_unref(&conn->event); + conn->event = conn->event_parent; +} + +int auth_master_user_lookup(struct auth_master_connection *conn, + const char *user, const struct auth_user_info *info, + pool_t pool, const char **username_r, + const char *const **fields_r) +{ + struct auth_master_lookup_ctx ctx; + string_t *str; + + if (!is_valid_string(user) || !is_valid_string(info->service)) { + /* non-allowed characters, the user can't exist */ + *username_r = NULL; + *fields_r = NULL; + return 0; + } + + i_zero(&ctx); + ctx.conn = conn; + ctx.return_value = -1; + ctx.pool = pool; + ctx.expected_reply = "USER"; + ctx.user = user; + + conn->reply_callback = auth_lookup_reply_callback; + conn->reply_context = &ctx; + + str = t_str_new(128); + str_printfa(str, "USER\t%u\t%s", + auth_master_next_request_id(conn), user); + auth_user_info_export(str, info); + str_append_c(str, '\n'); + + auth_master_user_event_create( + conn, t_strdup_printf("userdb lookup(%s): ", user), info); + event_add_str(conn->event, "user", user); + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_lookup_started"); + e_debug(e->event(), "Started userdb lookup"); + + (void)auth_master_run_cmd(conn, str_c(str)); + + if (ctx.return_value <= 0 || ctx.fields[0] == NULL) { + *username_r = NULL; + *fields_r = ctx.fields != NULL ? ctx.fields : + p_new(pool, const char *, 1); + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_lookup_finished"); + + if (ctx.return_value > 0) { + e->add_str("error", "Lookup didn't return username"); + e_error(e->event(), "Userdb lookup failed: " + "Lookup didn't return username"); + ctx.return_value = -2; + } else if ((*fields_r)[0] == NULL) { + e->add_str("error", "Lookup failed"); + e_debug(e->event(), "Userdb lookup failed"); + } else { + e->add_str("error", (*fields_r)[0]); + e_debug(e->event(), "Userdb lookup failed: %s", + (*fields_r)[0]); + } + } else { + *username_r = ctx.fields[0]; + *fields_r = ctx.fields + 1; + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_lookup_finished"); + e_debug(e->event(), "Finished userdb lookup (username=%s %s)", + *username_r, t_strarray_join(*fields_r, " ")); + } + auth_master_event_finish(conn); + + conn->reply_context = NULL; + return ctx.return_value; +} + +void auth_user_fields_parse(const char *const *fields, pool_t pool, + struct auth_user_reply *reply_r) +{ + i_zero(reply_r); + reply_r->uid = (uid_t)-1; + reply_r->gid = (gid_t)-1; + p_array_init(&reply_r->extra_fields, pool, 64); + + for (; *fields != NULL; fields++) { + if (str_begins(*fields, "uid=")) { + if (str_to_uid(*fields + 4, &reply_r->uid) < 0) + i_error("Invalid uid in reply"); + } else if (str_begins(*fields, "gid=")) { + if (str_to_gid(*fields + 4, &reply_r->gid) < 0) + i_error("Invalid gid in reply"); + } else if (str_begins(*fields, "home=")) + reply_r->home = p_strdup(pool, *fields + 5); + else if (str_begins(*fields, "chroot=")) + reply_r->chroot = p_strdup(pool, *fields + 7); + else if (strcmp(*fields, "anonymous") == 0) + reply_r->anonymous = TRUE; + else { + const char *field = p_strdup(pool, *fields); + array_push_back(&reply_r->extra_fields, &field); + } + } +} + +int auth_master_pass_lookup(struct auth_master_connection *conn, + const char *user, const struct auth_user_info *info, + pool_t pool, const char *const **fields_r) +{ + struct auth_master_lookup_ctx ctx; + string_t *str; + + if (!is_valid_string(user) || !is_valid_string(info->service)) { + /* non-allowed characters, the user can't exist */ + *fields_r = NULL; + return 0; + } + + i_zero(&ctx); + ctx.conn = conn; + ctx.return_value = -1; + ctx.pool = pool; + ctx.expected_reply = "PASS"; + ctx.user = user; + + conn->reply_callback = auth_lookup_reply_callback; + conn->reply_context = &ctx; + + str = t_str_new(128); + str_printfa(str, "PASS\t%u\t%s", + auth_master_next_request_id(conn), user); + auth_user_info_export(str, info); + str_append_c(str, '\n'); + + auth_master_user_event_create( + conn, t_strdup_printf("passdb lookup(%s): ", user), info); + event_add_str(conn->event, "user", user); + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_passdb_lookup_started"); + e_debug(e->event(), "Started passdb lookup"); + + (void)auth_master_run_cmd(conn, str_c(str)); + + *fields_r = ctx.fields != NULL ? ctx.fields : + p_new(pool, const char *, 1); + + if (ctx.return_value <= 0) { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_passdb_lookup_finished"); + if ((*fields_r)[0] == NULL) { + e->add_str("error", "Lookup failed"); + e_debug(e->event(), "Passdb lookup failed"); + } else { + e->add_str("error", (*fields_r)[0]); + e_debug(e->event(), "Passdb lookup failed: %s", + (*fields_r)[0]); + } + } else { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_passdb_lookup_finished"); + e_debug(e->event(), "Finished passdb lookup (%s)", + t_strarray_join(*fields_r, " ")); + } + auth_master_event_finish(conn); + + conn->reply_context = NULL; + return ctx.return_value; +} + +struct auth_master_cache_ctx { + struct auth_master_connection *conn; + unsigned int count; + bool failed; +}; + +static bool +auth_cache_flush_reply_callback(const char *cmd, const char *const *args, + void *context) +{ + struct auth_master_cache_ctx *ctx = context; + + if (strcmp(cmd, "OK") != 0) + ctx->failed = TRUE; + else if (args[0] == NULL || str_to_uint(args[0], &ctx->count) < 0) + ctx->failed = TRUE; + + io_loop_stop(ctx->conn->ioloop); + return TRUE; +} + +int auth_master_cache_flush(struct auth_master_connection *conn, + const char *const *users, unsigned int *count_r) +{ + struct auth_master_cache_ctx ctx; + string_t *str; + + i_zero(&ctx); + ctx.conn = conn; + + conn->reply_callback = auth_cache_flush_reply_callback; + conn->reply_context = &ctx; + + str = t_str_new(128); + str_printfa(str, "CACHE-FLUSH\t%u", auth_master_next_request_id(conn)); + if (users != NULL) { + for (; *users != NULL; users++) { + str_append_c(str, '\t'); + str_append_tabescaped(str, *users); + } + } + str_append_c(str, '\n'); + + auth_master_event_create(conn, "auth cache flush: "); + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_cache_flush_started"); + e_debug(e->event(), "Started cache flush"); + + (void)auth_master_run_cmd(conn, str_c(str)); + + if (ctx.failed) { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_cache_flush_finished"); + e->add_str("error", "Cache flush failed"); + e_debug(e->event(), "Cache flush failed"); + } else { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_cache_flush_finished"); + e_debug(e->event(), "Finished cache flush"); + } + auth_master_event_finish(conn); + + conn->reply_context = NULL; + *count_r = ctx.count; + return ctx.failed ? -1 : 0; +} + +static bool +auth_user_list_reply_callback(const char *cmd, const char *const *args, + void *context) +{ + struct auth_master_user_list_ctx *ctx = context; + struct auth_master_connection *conn = ctx->conn; + + timeout_reset(ctx->conn->to); + io_loop_stop(ctx->conn->ioloop); + + if (strcmp(cmd, "DONE") == 0) { + if (args[0] != NULL && strcmp(args[0], "fail") == 0) { + e_error(conn->event, "User listing returned failure"); + ctx->failed = TRUE; + } + ctx->finished = TRUE; + } else if (strcmp(cmd, "LIST") == 0 && args[0] != NULL) { + /* we'll just read all the users into memory. otherwise we'd + have to use a separate connection for listing and there's + a higher chance of a failure since the connection could be + open to dovecot-auth for a long time. */ + str_append(ctx->username, args[0]); + } else { + e_error(conn->event, "User listing returned invalid input"); + ctx->failed = TRUE; + } + return FALSE; +} + +struct auth_master_user_list_ctx * +auth_master_user_list_init(struct auth_master_connection *conn, + const char *user_mask, + const struct auth_user_info *info) +{ + struct auth_master_user_list_ctx *ctx; + string_t *str; + + ctx = i_new(struct auth_master_user_list_ctx, 1); + ctx->conn = conn; + ctx->username = str_new(default_pool, 128); + + conn->reply_callback = auth_user_list_reply_callback; + conn->reply_context = ctx; + + str = t_str_new(128); + str_printfa(str, "LIST\t%u", + auth_master_next_request_id(conn)); + if (*user_mask != '\0') + str_printfa(str, "\tuser=%s", user_mask); + if (info != NULL) + auth_user_info_export(str, info); + str_append_c(str, '\n'); + + auth_master_user_event_create(conn, "userdb list: ", info); + event_add_str(conn->event," user_mask", user_mask); + + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_list_started"); + e_debug(e->event(), "Started listing users (user_mask=%s)", user_mask); + + if (auth_master_run_cmd_pre(conn, str_c(str)) < 0) + ctx->failed = TRUE; + if (conn->prev_ioloop != NULL) + io_loop_set_current(conn->prev_ioloop); + + return ctx; +} + +static const char * +auth_master_user_do_list_next(struct auth_master_user_list_ctx *ctx) +{ + struct auth_master_connection *conn = ctx->conn; + const char *line; + + if (!conn->connected) + return NULL; + + str_truncate(ctx->username, 0); + + /* try to read already buffered input */ + line = i_stream_next_line(conn->conn.input); + if (line != NULL) { + T_BEGIN { + conn->conn.v.input_line(&conn->conn, line); + } T_END; + } + if (conn->aborted) + ctx->failed = TRUE; + if (ctx->finished || ctx->failed) + return NULL; + if (str_len(ctx->username) > 0) + return str_c(ctx->username); + + /* wait for more data */ + io_loop_set_current(conn->ioloop); + i_stream_set_input_pending(conn->conn.input, TRUE); + io_loop_run(conn->ioloop); + io_loop_set_current(conn->prev_ioloop); + + if (conn->aborted) + ctx->failed = TRUE; + if (ctx->finished || ctx->failed) + return NULL; + return str_c(ctx->username); +} + +const char *auth_master_user_list_next(struct auth_master_user_list_ctx *ctx) +{ + struct auth_master_connection *conn = ctx->conn; + const char *username; + + username = auth_master_user_do_list_next(ctx); + if (username == NULL) + return NULL; + + e_debug(conn->event, "Returned username: %s", username); + return username; +} + +int auth_master_user_list_deinit(struct auth_master_user_list_ctx **_ctx) +{ + struct auth_master_user_list_ctx *ctx = *_ctx; + struct auth_master_connection *conn = ctx->conn; + int ret = ctx->failed ? -1 : 0; + + *_ctx = NULL; + auth_master_run_cmd_post(ctx->conn); + + if (ret < 0) { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_list_finished"); + e->add_str("error", "Listing users failed"); + e_debug(e->event(), "Listing users failed"); + } else { + struct event_passthrough *e = + event_create_passthrough(conn->event)-> + set_name("auth_client_userdb_list_finished"); + e_debug(e->event(), "Finished listing users"); + } + auth_master_event_finish(conn); + + str_free(&ctx->username); + i_free(ctx); + return ret; +} diff --git a/src/lib-auth/auth-master.h b/src/lib-auth/auth-master.h new file mode 100644 index 0000000..f62985a --- /dev/null +++ b/src/lib-auth/auth-master.h @@ -0,0 +1,76 @@ +#ifndef AUTH_MASTER_H +#define AUTH_MASTER_H + +#include "net.h" + +enum auth_master_flags { + /* Enable logging debug information */ + AUTH_MASTER_FLAG_DEBUG = 0x01, + /* Don't disconnect from auth socket when idling */ + AUTH_MASTER_FLAG_NO_IDLE_TIMEOUT = 0x02 +}; + +struct auth_user_info { + const char *service; + const char *session_id; + const char *local_name; + struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip; + in_port_t local_port, remote_port, real_local_port, real_remote_port; + const char *forward_fields; + ARRAY_TYPE(const_string) extra_fields; + bool debug; +}; + +struct auth_user_reply { + uid_t uid; + gid_t gid; + const char *home, *chroot; + ARRAY_TYPE(const_string) extra_fields; + bool anonymous:1; +}; + +struct auth_master_connection * +auth_master_init(const char *auth_socket_path, enum auth_master_flags flags); +void auth_master_deinit(struct auth_master_connection **conn); + +/* Set timeout for lookups. */ +void auth_master_set_timeout(struct auth_master_connection *conn, + unsigned int msecs); + +/* Returns the auth_socket_path */ +const char *auth_master_get_socket_path(struct auth_master_connection *conn); + +/* Do a USER lookup. Returns -2 = user-specific error, -1 = internal error, + 0 = user not found, 1 = ok. When returning -1 and fields[0] isn't NULL, it + contains an error message that should be shown to user. */ +int auth_master_user_lookup(struct auth_master_connection *conn, + const char *user, const struct auth_user_info *info, + pool_t pool, const char **username_r, + const char *const **fields_r); +/* Do a PASS lookup (the actual password isn't returned). */ +int auth_master_pass_lookup(struct auth_master_connection *conn, + const char *user, const struct auth_user_info *info, + pool_t pool, const char *const **fields_r); +/* Flush authentication cache for everyone (users=NULL) or only for specified + users. Returns number of users flushed from cache. */ +int auth_master_cache_flush(struct auth_master_connection *conn, + const char *const *users, unsigned int *count_r); + +/* Parse userdb extra fields into auth_user_reply structure. */ +void auth_user_fields_parse(const char *const *fields, pool_t pool, + struct auth_user_reply *reply_r); + +/* Iterate through all users. If user_mask is non-NULL, it contains a string + with wildcards ('*', '?') that the auth server MAY use to limit what users + are returned (but it may as well return all users anyway). */ +struct auth_master_user_list_ctx * +auth_master_user_list_init(struct auth_master_connection *conn, + const char *user_mask, + const struct auth_user_info *info) ATTR_NULL(3); +const char *auth_master_user_list_next(struct auth_master_user_list_ctx *ctx); +/* Returns -1 if anything failed, 0 if ok */ +int auth_master_user_list_deinit(struct auth_master_user_list_ctx **ctx); + +/* INTERNAL: */ +void auth_user_info_export(string_t *str, const struct auth_user_info *info); +#endif diff --git a/src/lib-auth/test-auth-master.c b/src/lib-auth/test-auth-master.c new file mode 100644 index 0000000..95c9daf --- /dev/null +++ b/src/lib-auth/test-auth-master.c @@ -0,0 +1,74 @@ +/* Copyright (c) 2019 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "auth-master.h" +#include "net.h" +#include "test-common.h" +#include "str.h" + +static void test_auth_user_info_export(void) +{ + string_t *str; + struct auth_user_info info; + + i_zero(&info); + + test_begin("auth_user_info_export()"); + + /* Setup info for auth_user_info_export call where the + * resulting auth request string should contain all + * real_ variables. */ + test_assert(net_addr2ip("192.168.1.1", &info.local_ip) == 0); + test_assert(net_addr2ip("192.23.42.9", &info.real_local_ip) == 0); + test_assert(net_addr2ip("10.42.3.223", &info.remote_ip) == 0); + test_assert(net_addr2ip("192.168.1.2", &info.real_remote_ip) == 0); + info.local_port = 57035; + info.remote_port = 53075; + info.real_remote_port = 64385; + info.real_local_port = 57391; + + str = t_str_new(128); + auth_user_info_export(str, &info); + + test_assert(strstr(str_c(str), "real_rip=192.168.1.2") != NULL); + test_assert(strstr(str_c(str), "real_lip=192.23.42.9") != NULL); + test_assert(strstr(str_c(str), "rip=10.42.3.223") != NULL); + test_assert(strstr(str_c(str), "lip=192.168.1.1") != NULL); + test_assert(strstr(str_c(str), "real_rport=64385") != NULL); + test_assert(strstr(str_c(str), "rport=53075") != NULL); + test_assert(strstr(str_c(str), "real_lport=57391") != NULL); + test_assert(strstr(str_c(str), "lport=57035") != NULL); + + /* Setup info for auth_user_info_export call where the + * resulting auth request string should not contain any + * real_ variables. */ + test_assert(net_addr2ip("10.42.3.223", &info.real_remote_ip) == 0); + test_assert(net_addr2ip("192.168.1.1", &info.real_local_ip) == 0); + info.real_remote_port = 53075; + info.real_local_port = 57035; + + str_truncate(str, 0); + auth_user_info_export(str, &info); + + test_assert(strstr(str_c(str), "rip=10.42.3.223") != NULL); + test_assert(strstr(str_c(str), "lip=192.168.1.1") != NULL); + test_assert(strstr(str_c(str), "lport=57035") != NULL); + test_assert(strstr(str_c(str), "rport=53075") != NULL); + /* The following fields should not be part of the string as + * they are matching with their non-real counterparts */ + test_assert(strstr(str_c(str), "real_lport") == NULL); + test_assert(strstr(str_c(str), "real_rport") == NULL); + test_assert(strstr(str_c(str), "real_rip") == NULL); + test_assert(strstr(str_c(str), "real_lip") == NULL); + + test_end(); +} + +int main(void) +{ + static void (*const test_functions[])(void) = { + test_auth_user_info_export, + NULL + }; + return test_run(test_functions); +} |