From 84f177fa6ce8dcec6836e3572c48f5a877814d21 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Mon, 5 Feb 2018 14:26:15 +0200
Subject: [PATCH] auth: Use correct username is auth policy requests

When doing master authentication as first, use the username of the user, not master user, for policy lookup.
---
 src/auth/auth-policy.c | 23 ++++++++++++++++-------
 src/auth/auth-settings.c | 2 +-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c
index 8dd73afed0..cfced8a98b 100755
--- a/src/auth/auth-policy.c
+++ b/src/auth/auth-policy.c
@@ -418,18 +418,23 @@ const char *auth_policy_escape_function(const char *string,
 static const struct var_expand_table *policy_get_var_expand_table(struct auth_request *auth_request,
-	const char *hashed_password)
+	const char *hashed_password, const char *requested_username)
 {
 	struct var_expand_table *table;
-	unsigned int count = 1;
+	unsigned int count = 2;
 	table = auth_request_get_var_expand_table_full(auth_request, auth_policy_escape_function, &count);
 	table[0].key = '\0';
 	table[0].long_key = "hashed_password";
 	table[0].value = hashed_password;
+	table[1].key = '\0';
+	table[1].long_key = "requested_username";
+	table[1].value = requested_username;
 	if (table[0].value != NULL)
 		table[0].value = auth_policy_escape_function(table[0].value, auth_request);
+	if (table[1].value != NULL)
+		table[1].value = auth_policy_escape_function(table[1].value, auth_request);
 	return table;
 }
@@ -441,6 +446,7 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
 	const struct var_expand_table *var_table;
 	context->json = str_new(context->pool, 64);
 	unsigned char *ptr;
+	const char *requested_username;
 	const struct hash_method *digest = hash_method_lookup(context->set->policy_hash_mech);
 	i_assert(digest != NULL);
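Review bot: The new `requested_username` variable becomes part of the admin-facing template vocabulary (it is what the new default policy_request_attributes uses for `login=`), but nothing at `table[1].long_key = "requested_username";` records what it holds, and the diffstat shows no documentation change alongside the code, so a reader of this function cannot tell how it differs from the existing `%{orig_username}`. Add a comment above the `table[1]` lines, e.g. `/* requested_username: the user being logged into (the requested login user for master-user logins, otherwise the authenticating user); passed through auth_policy_escape_function like hashed_password */`, and mirror it wherever the policy variables are documented. The `count = 2` reservation and the two hand-filled slots are kept in sync only by convention; a named count such as `enum { POLICY_EXTRA_VARS = 2 }` used both for `count` and as the bound on the slots written would make a future third variable harder to get wrong. The value of `requested_username` is decided by the caller, outside this hunk.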
@@ -452,11 +458,14 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
 	digest->loop(ctx, context->set->policy_hash_nonce, strlen(context->set->policy_hash_nonce));
-	/* use +1 to make sure \0 gets included */
-	if (context->request->user == NULL)
-		digest->loop(ctx, "\0", 1);
+	if (context->request->requested_login_user != NULL)
+		requested_username = context->request->requested_login_user;
+	else if (context->request->user != NULL)
+		requested_username = context->request->user;
 	else
-		digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
+		requested_username = "";
+	/* use +1 to make sure \0 gets included */
+	digest->loop(ctx, requested_username, strlen(requested_username)+1);
 	if (password != NULL)
 		digest->loop(ctx, password, strlen(password));
 	ptr = buffer_get_modifiable_data(buffer, NULL);
@@ -467,7 +476,7 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
 	}
 	const char *hashed_password = binary_to_hex(buffer->data, buffer->used);
 	str_append_c(context->json, '{');
-	var_table = policy_get_var_expand_table(context->request, hashed_password);
+	var_table = policy_get_var_expand_table(context->request, hashed_password, requested_username);
 	auth_request_var_expand_with_table(context->json, auth_policy_json_template, context->request, var_table, auth_policy_escape_function);
diff --git a/src/auth/auth-settings.c b/src/auth/auth-settings.c
index d54a149127..6ff610b0e8 100644
--- a/src/auth/auth-settings.c
+++ b/src/auth/auth-settings.c
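Review bot: The pwhash digest now covers the requested (target) user's name instead of the authenticating user's, so for master-user logins the same master credential produces a different `hashed_password` for every mailbox it is used against, and `context->request->user` (the master user) is no longer part of the hash at all once `requested_login_user` is set; if the policy server keys credential-abuse or brute-force tracking on pwhash, attempts with one master password are spread across many distinct hashes. Nothing in the hunk says whether that is intended, and the commit message only talks about the login name. If the goal is just to report the right login name, keeping the digest over `context->request->user` and passing `requested_username` to the template alone would preserve the old pwhash semantics; otherwise add a comment above the `if (context->request->requested_login_user != NULL)` line, e.g. `/* pwhash is deliberately bound to the target user, not the master user, so it matches the login= attribute */`. Note that `requested_login_user` is a client-supplied name, so the template expansion's escaping is what keeps it safe in the JSON. auth_policy_create_json starts and ends outside this hunk.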
@@ -300,7 +300,7 @@ static const struct auth_settings auth_default_settings = {
 	.policy_server_timeout_msecs = 2000,
 	.policy_hash_mech = "sha256",
 	.policy_hash_nonce = "",
-	.policy_request_attributes = "login=%{orig_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
+	.policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 	.policy_reject_on_fail = FALSE,
 	.policy_hash_truncate = 12,