summaryrefslogtreecommitdiffstats
path: root/src/login-common/main.c
blob: d5622d9cfabea40704ef093932e65d65a48a576c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */

#include "login-common.h"
#include "ioloop.h"
#include "array.h"
#include "str.h"
#include "randgen.h"
#include "module-dir.h"
#include "process-title.h"
#include "restrict-access.h"
#include "restrict-process-size.h"
#include "master-auth.h"
#include "master-service.h"
#include "master-interface.h"
#include "iostream-ssl.h"
#include "client-common.h"
#include "access-lookup.h"
#include "anvil-client.h"
#include "auth-client.h"
#include "dsasl-client.h"
#include "master-service-ssl-settings.h"
#include "login-proxy.h"

#include <unistd.h>
#include <syslog.h>

#define AUTH_CLIENT_IDLE_TIMEOUT_MSECS (1000*60)

struct login_access_lookup {
	struct master_service_connection conn;
	struct io *io;

	char **sockets, **next_socket;
	struct access_lookup *access;
};

struct event *event_auth;
static struct event_category event_category_auth = {
	.name = "auth",
};

struct login_binary *login_binary;
struct auth_client *auth_client;
struct master_auth *master_auth;
bool closing_down, login_debug;
struct anvil_client *anvil;
const char *login_rawlog_dir = NULL;
unsigned int initial_service_count;
struct login_module_register login_module_register;
ARRAY_TYPE(string) global_alt_usernames;
bool login_ssl_initialized;

const struct login_settings *global_login_settings;
const struct master_service_ssl_settings *global_ssl_settings;
const struct master_service_ssl_server_settings *global_ssl_server_settings;
void **global_other_settings;

static ARRAY(struct ip_addr) login_source_ips_array;
const struct ip_addr *login_source_ips;
unsigned int login_source_ips_idx, login_source_ips_count;

static struct module *modules;
static struct timeout *auth_client_to;
static const char *post_login_socket;
static bool shutting_down = FALSE;
static bool ssl_connections = FALSE;
static bool auth_connected_once = FALSE;

static void login_access_lookup_next(struct login_access_lookup *lookup);

static bool get_first_client(struct client **client_r)
{
	struct client *client = clients;

	if (client == NULL)
		client = login_proxies_get_first_detached_client();
	if (client == NULL)
		client = clients_get_first_fd_proxy();
	*client_r = client;
	return client != NULL;
}

void login_refresh_proctitle(void)
{
	struct client *client;
	const char *addr;

	if (!global_login_settings->verbose_proctitle)
		return;

	/* clients_get_count() includes all the clients being served.
	   Inside that there are 3 groups:
	   1. pre-login clients
	   2. post-login clients being proxied to remote hosts
	   3. post-login clients being proxied to post-login processes
	   Currently the post-login proxying is done only for SSL/TLS
	   connections, so we're assuming that they're the same. */
	string_t *str = t_str_new(64);
	if (clients_get_count() == 0) {
		/* no clients */
	} else if (clients_get_count() > 1 || !get_first_client(&client)) {
		str_printfa(str, "[%u pre-login", clients_get_count() -
			    login_proxies_get_detached_count() -
			    clients_get_fd_proxies_count());
		if (login_proxies_get_detached_count() > 0) {
			/* show detached proxies only if they exist, so
			   non-proxy servers don't unnecessarily show them. */
			str_printfa(str, " + %u proxies",
				    login_proxies_get_detached_count());
		}
		if (clients_get_fd_proxies_count() > 0) {
			/* show post-login proxies only if they exist, so
			   proxy-only servers don't unnecessarily show them. */
			str_printfa(str, " + %u TLS proxies",
				    clients_get_fd_proxies_count());
		}
		str_append_c(str, ']');
	} else {
		str_append_c(str, '[');
		addr = net_ip2addr(&client->ip);
		if (addr[0] != '\0')
			str_printfa(str, "%s ", addr);
		if (client->fd_proxying)
			str_append(str, "TLS proxy");
		else if (client->destroyed)
			str_append(str, "proxy");
		else
			str_append(str, "pre-login");
		str_append_c(str, ']');
	}
	process_title_set(str_c(str));
}

static void auth_client_idle_timeout(struct auth_client *auth_client)
{
	i_assert(clients == NULL);

	auth_client_disconnect(auth_client, "idle disconnect");
	timeout_remove(&auth_client_to);
}

void login_client_destroyed(void)
{
	if (clients == NULL && auth_client_to == NULL) {
		auth_client_to = timeout_add(AUTH_CLIENT_IDLE_TIMEOUT_MSECS,
					     auth_client_idle_timeout,
					     auth_client);
	}
}

static void login_die(void)
{
	shutting_down = TRUE;
	login_proxy_kill_idle();

	if (!auth_client_is_connected(auth_client)) {
		/* we don't have auth client, and we might never get one */
		clients_destroy_all();
	}
}

static void
client_connected_finish(const struct master_service_connection *conn)
{
	struct client *client;
	const struct login_settings *set;
	const struct master_service_ssl_settings *ssl_set;
	const struct master_service_ssl_server_settings *ssl_server_set;
	pool_t pool;
	void **other_sets;

	pool = pool_alloconly_create("login client", 8*1024);
	set = login_settings_read(pool, &conn->local_ip,
				  &conn->remote_ip, NULL,
				  &ssl_set, &ssl_server_set, &other_sets);

	client = client_alloc(conn->fd, pool, conn, set,
			      ssl_set, ssl_server_set);
	if (ssl_connections || conn->ssl) {
		if (client_init_ssl(client) < 0) {
			client_unref(&client);
			net_disconnect(conn->fd);
			master_service_client_connection_destroyed(master_service);
			return;
		}
	}
	client_init(client, other_sets);

	timeout_remove(&auth_client_to);
}

static void login_access_lookup_free(struct login_access_lookup *lookup)
{
	io_remove(&lookup->io);
	if (lookup->access != NULL)
		access_lookup_destroy(&lookup->access);
	if (lookup->conn.fd != -1) {
		if (close(lookup->conn.fd) < 0)
			i_error("close(client) failed: %m");
		master_service_client_connection_destroyed(master_service);
	}

	p_strsplit_free(default_pool, lookup->sockets);
	i_free(lookup);
}

static void login_access_callback(bool success, void *context)
{
	struct login_access_lookup *lookup = context;

	if (!success) {
		i_info("access(%s): Client refused (rip=%s)",
		       *lookup->next_socket,
		       net_ip2addr(&lookup->conn.remote_ip));
		login_access_lookup_free(lookup);
	} else {
		lookup->next_socket++;
		login_access_lookup_next(lookup);
	}
}

static void login_access_lookup_next(struct login_access_lookup *lookup)
{
	if (*lookup->next_socket == NULL) {
		/* last one */
		io_remove(&lookup->io);
		client_connected_finish(&lookup->conn);
		lookup->conn.fd = -1;
		login_access_lookup_free(lookup);
		return;
	}
	lookup->access = access_lookup(*lookup->next_socket, lookup->conn.fd,
				       login_binary->protocol,
				       login_access_callback, lookup);
	if (lookup->access == NULL)
		login_access_lookup_free(lookup);
}

static void client_input_error(struct login_access_lookup *lookup)
{
	char c;
	int ret;

	ret = recv(lookup->conn.fd, &c, 1, MSG_PEEK);
	if (ret <= 0) {
		i_info("access(%s): Client disconnected during lookup (rip=%s)",
		       *lookup->next_socket,
		       net_ip2addr(&lookup->conn.remote_ip));
		login_access_lookup_free(lookup);
	} else {
		/* actual input. stop listening until lookup is done. */
		io_remove(&lookup->io);
	}
}

static void client_connected(struct master_service_connection *conn)
{
	const char *access_sockets =
		global_login_settings->login_access_sockets;
	struct login_access_lookup *lookup;

	master_service_client_connection_accept(conn);
	if (conn->remote_ip.family != 0) {
		/* log the connection's IP address in case we crash. it's of
		   course possible that another earlier client causes the
		   crash, but this is better than nothing. */
		i_set_failure_send_ip(&conn->remote_ip);
	}

	/* make sure we're connected (or attempting to connect) to auth */
	auth_client_connect(auth_client);

	if (*access_sockets == '\0') {
		/* no access checks */
		client_connected_finish(conn);
		return;
	}

	lookup = i_new(struct login_access_lookup, 1);
	lookup->conn = *conn;
	lookup->io = io_add(conn->fd, IO_READ, client_input_error, lookup);
	lookup->sockets = p_strsplit_spaces(default_pool, access_sockets, " ");
	lookup->next_socket = lookup->sockets;

	login_access_lookup_next(lookup);
}

static void auth_connect_notify(struct auth_client *client ATTR_UNUSED,
				bool connected, void *context ATTR_UNUSED)
{
	if (connected) {
		auth_connected_once = TRUE;
		clients_notify_auth_connected();
	} else if (shutting_down)
		clients_destroy_all();
	else if (!auth_connected_once) {
		/* auth disconnected without having ever succeeded, so the
		   auth process is probably misconfigured. no point in
		   keeping the client connections hanging. */
		clients_destroy_all_reason("Auth process broken");
	}
}

static bool anvil_reconnect_callback(void)
{
	/* we got disconnected from anvil. we can't reconnect to it since we're
	   chrooted, so just die after we've finished handling the current
	   connections. */
	master_service_stop_new_connections(master_service);
	return FALSE;
}

void login_anvil_init(void)
{
	if (anvil != NULL)
		return;

	anvil = anvil_client_init("anvil", anvil_reconnect_callback, 0);
	if (anvil_client_connect(anvil, TRUE) < 0)
		i_fatal("Couldn't connect to anvil");
}

static void
parse_login_source_ips(const char *ips_str)
{
	const char *const *tmp;
	struct ip_addr *tmp_ips;
	bool skip_nonworking = FALSE;
	unsigned int i, tmp_ips_count;
	int ret;

	if (ips_str[0] == '?') {
		/* try binding to the IP immediately. if it doesn't
		   work, skip it. (this allows using the same config file for
		   all the servers.) */
		skip_nonworking = TRUE;
		ips_str++;
	}
	i_array_init(&login_source_ips_array, 4);
	for (tmp = t_strsplit_spaces(ips_str, ", "); *tmp != NULL; tmp++) {
		ret = net_gethostbyname(*tmp, &tmp_ips, &tmp_ips_count);
		if (ret != 0) {
			i_error("login_source_ips: net_gethostbyname(%s) failed: %s",
				*tmp, net_gethosterror(ret));
			continue;
		}
		for (i = 0; i < tmp_ips_count; i++) {
			if (skip_nonworking && net_try_bind(&tmp_ips[i]) < 0)
				continue;
			array_push_back(&login_source_ips_array, &tmp_ips[i]);
		}
	}

	/* make the array contents easily accessible */
	login_source_ips = array_get(&login_source_ips_array,
				     &login_source_ips_count);
}

static void login_load_modules(void)
{
	struct module_dir_load_settings mod_set;

	if (global_login_settings->login_plugins[0] == '\0')
		return;

	i_zero(&mod_set);
	mod_set.abi_version = DOVECOT_ABI_VERSION;
	mod_set.binary_name = login_binary->process_name;
	mod_set.setting_name = "login_plugins";
	mod_set.require_init_funcs = TRUE;
	mod_set.debug = login_debug;

	modules = module_dir_load(global_login_settings->login_plugin_dir,
				  global_login_settings->login_plugins,
				  &mod_set);
	module_dir_init(modules);
}

static void login_ssl_init(void)
{
	struct ssl_iostream_settings ssl_set;
	const char *error;

	if (strcmp(global_ssl_settings->ssl, "no") == 0)
		return;

	master_service_ssl_server_settings_to_iostream_set(global_ssl_settings,
		global_ssl_server_settings, pool_datastack_create(), &ssl_set);
	if (io_stream_ssl_global_init(&ssl_set, &error) < 0)
		i_fatal("Failed to initialize SSL library: %s", error);
	login_ssl_initialized = TRUE;
}

static void main_preinit(void)
{
	unsigned int max_fds;

	/* Initialize SSL proxy so it can read certificate and private
	   key file. */
	login_ssl_init();
	dsasl_clients_init();
	client_common_init();

	/* set the number of fds we want to use. it may get increased or
	   decreased. leave a couple of extra fds for auth sockets and such.

	   worst case each connection can use:

	    - 1 for client
	    - 1 for login proxy
	    - 2 for client-side ssl proxy
	    - 2 for server-side ssl proxy (with login proxy)

	   However, login process nowadays supports plugins, there are rawlogs
	   and so on. Don't enforce the fd limit anymore, but use this value
	   for optimizing the ioloop's fd table size.
	*/
	max_fds = MASTER_LISTEN_FD_FIRST + 16 +
		master_service_get_socket_count(master_service) +
		master_service_get_client_limit(master_service)*6;
	io_loop_set_max_fd_count(current_ioloop, max_fds);

	i_assert(strcmp(global_ssl_settings->ssl, "no") == 0 ||
		 login_ssl_initialized);

	if (global_login_settings->mail_max_userip_connections > 0)
		login_anvil_init();

	/* read the login_source_ips before chrooting so it can access
	   /etc/hosts */
	parse_login_source_ips(global_login_settings->login_source_ips);
	if (login_source_ips_count > 0) {
		/* randomize the initial index in case service_count=1
		   (although in that case it's unlikely this setting is
		   even used..) */
		login_source_ips_idx = i_rand_limit(login_source_ips_count);
	}

	login_load_modules();

	restrict_access_by_env(0, NULL);
	if (login_debug)
		restrict_access_allow_coredumps(TRUE);
	initial_service_count = master_service_get_service_count(master_service);

	if (restrict_access_get_current_chroot() == NULL) {
		if (chdir("login") < 0)
			i_fatal("chdir(login) failed: %m");
	}

	if (login_rawlog_dir != NULL &&
	    access(login_rawlog_dir, W_OK | X_OK) < 0) {
		i_error("access(%s, wx) failed: %m - disabling rawlog",
			login_rawlog_dir);
		login_rawlog_dir = NULL;
	}
}

static void main_init(const char *login_socket)
{
	/* make sure we can't fork() */
	restrict_process_count(1);

	event_auth = event_create(NULL);
	event_set_forced_debug(event_auth, global_login_settings->auth_debug);
	event_add_category(event_auth, &event_category_auth);

	i_array_init(&global_alt_usernames, 4);
	master_service_set_avail_overflow_callback(master_service,
						   client_destroy_oldest);
	master_service_set_die_callback(master_service, login_die);

	auth_client = auth_client_init(login_socket, (unsigned int)getpid(),
				       FALSE);
	auth_client_connect(auth_client);
        auth_client_set_connect_notify(auth_client, auth_connect_notify, NULL);
	master_auth = master_auth_init(master_service, post_login_socket);

	login_binary->init();

	login_proxy_init(global_login_settings->login_proxy_notify_path);
}

static void main_deinit(void)
{
	client_destroy_fd_proxies();
	ssl_iostream_context_cache_free();
	login_proxy_deinit();

	login_binary->deinit();
	module_dir_unload(&modules);
	auth_client_deinit(&auth_client);
	master_auth_deinit(&master_auth);

	char *str;
	array_foreach_elem(&global_alt_usernames, str)
		i_free(str);
	array_free(&global_alt_usernames);

	if (anvil != NULL)
		anvil_client_deinit(&anvil);
	timeout_remove(&auth_client_to);
	client_common_deinit();
	dsasl_clients_deinit();
	login_settings_deinit();
	event_unref(&event_auth);
}

int login_binary_run(struct login_binary *binary,
		     int argc, char *argv[])
{
	enum master_service_flags service_flags =
		MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN |
		MASTER_SERVICE_FLAG_TRACK_LOGIN_STATE |
		MASTER_SERVICE_FLAG_HAVE_STARTTLS |
		MASTER_SERVICE_FLAG_NO_SSL_INIT;
	pool_t set_pool;
	const char *login_socket;
	int c;

	login_binary = binary;
	login_socket = binary->default_login_socket != NULL ?
		binary->default_login_socket : LOGIN_DEFAULT_SOCKET;
	post_login_socket = binary->protocol;

	master_service = master_service_init(login_binary->process_name,
					     service_flags, &argc, &argv,
					     "Dl:R:S");
	master_service_init_log(master_service);

	while ((c = master_getopt(master_service)) > 0) {
		switch (c) {
		case 'D':
			login_debug = TRUE;
			break;
		case 'l':
			post_login_socket = optarg;
			break;
		case 'R':
			login_rawlog_dir = optarg;
			break;
		case 'S':
			ssl_connections = TRUE;
			break;
		default:
			return FATAL_DEFAULT;
		}
	}
	if (argv[optind] != NULL)
		login_socket = argv[optind];

	login_binary->preinit();

	set_pool = pool_alloconly_create("global login settings", 4096);
	global_login_settings =
		login_settings_read(set_pool, NULL, NULL, NULL,
				    &global_ssl_settings,
				    &global_ssl_server_settings,
				    &global_other_settings);

	main_preinit();
	main_init(login_socket);

	master_service_init_finish(master_service);
	master_service_run(master_service, client_connected);
	main_deinit();
	array_free(&login_source_ips_array);
	pool_unref(&set_pool);
	master_service_deinit(&master_service);
        return 0;
}