auth: Add policy check configuration options

Allows disabling before/after auth checks, or reporting.

src/auth/auth-request-handler.c

@@ -216,7 +216,8 @@ auth_request_handle_failure(struct auth_request *request, const char *reply)
 	auth_request_ref(request);
 	auth_request_handler_remove(handler, request);
 
-	auth_policy_report(request);
+	if (request->set->policy_report_after_auth)
+		auth_policy_report(request);
 
 	if (auth_fields_exists(request->extra_fields, "nodelay")) {
 		/* passdb specifically requested not to delay the reply. */
@@ -264,7 +265,8 @@ auth_request_handler_reply_success_finish(struct auth_request *request)
 	str_append_tabescaped(str, request->user);
 	auth_str_append_extra_fields(request, str);
 
-	auth_policy_report(request);
+	if (request->set->policy_report_after_auth)
+		auth_policy_report(request);
 
 	if (handler->master_callback == NULL ||
 	    auth_fields_exists(request->extra_fields, "nologin") ||

src/auth/auth-request.c

@@ -158,8 +158,18 @@ void auth_request_success(struct auth_request *request,
 {
 	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
 
-	/* perform second policy lookup here */
+	if (!request->set->policy_check_after_auth) {
+		buffer_t buf;
+		buffer_create_from_const_data(&buf, "", 0);
+		struct auth_policy_check_ctx ctx = {
+			.success_data = &buf,
+			.request = request
+		};
+		auth_request_policy_check_callback(0, &ctx);
+		return;
+	}
 
+	/* perform second policy lookup here */
 	struct auth_policy_check_ctx *ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
 	ctx->request = request;
 	ctx->success_data = buffer_create_dynamic(request->pool, data_size);
@@ -1024,7 +1034,7 @@ void auth_request_verify_plain(struct auth_request *request,
 		i_assert(request->mech_password == password);
 	request->user_changed_by_lookup = FALSE;
 
-	if (request->policy_processed) {
+	if (request->policy_processed || !request->set->policy_check_before_auth) {
 		auth_request_verify_plain_continue(request, callback);
 	} else {
 		ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1202,7 +1212,7 @@ void auth_request_lookup_credentials(struct auth_request *request,
 		request->credentials_scheme = p_strdup(request->pool, scheme);
 	request->user_changed_by_lookup = FALSE;
 
-	if (request->policy_processed)
+	if (request->policy_processed || !request->set->policy_check_before_auth)
 		auth_request_lookup_credentials_policy_continue(request, callback);
 	else {
 		ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1222,7 +1232,6 @@ void auth_request_lookup_credentials_policy_continue(struct auth_request *reques
 	enum passdb_result result;
 
 	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
-
 	if (auth_request_is_disabled_master_user(request)) {
 		callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
 		return;

src/auth/auth-settings.c

@@ -249,6 +249,9 @@ static const struct setting_define auth_setting_defines[] = {
 	DEF(SET_STR, policy_hash_nonce),
 	DEF(SET_STR, policy_request_attributes),
 	DEF(SET_BOOL, policy_reject_on_fail),
+	DEF(SET_BOOL, policy_check_before_auth),
+	DEF(SET_BOOL, policy_check_after_auth),
+	DEF(SET_BOOL, policy_report_after_auth),
 	DEF(SET_UINT, policy_hash_truncate),
 
 	DEF(SET_BOOL, stats),
@@ -302,6 +305,9 @@ static const struct auth_settings auth_default_settings = {
 	.policy_hash_nonce = "",
 	.policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 	.policy_reject_on_fail = FALSE,
+	.policy_check_before_auth = TRUE,
+	.policy_check_after_auth = TRUE,
+	.policy_report_after_auth = TRUE,
 	.policy_hash_truncate = 12,
 
 	.stats = FALSE,

src/auth/auth-settings.h

@@ -63,6 +63,9 @@ struct auth_settings {
 	const char *policy_hash_nonce;
 	const char *policy_request_attributes;
 	bool policy_reject_on_fail;
+	bool policy_check_before_auth;
+	bool policy_check_after_auth;
+	bool policy_report_after_auth;
 	unsigned int policy_hash_truncate;
 
 	bool stats;