auth: Add mechanism filter for passdbs
cmouse authored and GitLab committed Feb 17, 2017
1 parent cc52a2c commit cdf00f5
Showing 5 changed files with 23 additions and 0 deletions.
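--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -614,6 +614,16 @@ static bool
 auth_request_want_skip_passdb(struct auth_request *request,
 struct auth_passdb *passdb)
 {
+/* if mechanism is not supported, skip */
+const char *const *mech = passdb->passdb->mechanisms;
+
+/* if request->mech == NULL it means we are doing
+lookup without authentication and should not match this */
+if (mech != NULL && (request->mech == NULL ||
+!str_array_icase_find(mech, request->mech->mech_name))) {
+return TRUE;
+}
+
 /* skip_password_check basically specifies if authentication is
 finished */
 bool authenticated = request->skip_password_check;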
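Review bot: A passdb whose filter is the empty list (the `none` case, `[NULL]`) looks like it is skipped for every request by the added test at the top of auth_request_want_skip_passdb: the list is non-NULL, so `request->mech == NULL` returns TRUE, and an authenticating request presumably finds no match in an empty list and returns TRUE as well. If `none` is meant to keep the passdb for lookups without authentication, give the empty list its own test, `if (mech != NULL && *mech == NULL && request->mech != NULL) return TRUE;`, and limit the existing condition to non-empty lists with `mech != NULL && *mech != NULL && (...)`. If always-skip is intended, say so in the comment, because this filter decides which credential backend is consulted. The function continues below the hunk.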
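--- a/src/auth/auth-settings.c
+++ b/src/auth/auth-settings.c
@@ -113,6 +113,7 @@ static const struct setting_define auth_passdb_setting_defines[] = {
 DEF(SET_STR, args),
 DEF(SET_STR, default_fields),
 DEF(SET_STR, override_fields),
+DEF(SET_STR, mechanisms),
 
 DEF(SET_ENUM, skip),
 DEF(SET_ENUM, result_success),
@@ -133,6 +134,7 @@ static const struct auth_passdb_settings auth_passdb_default_settings = {
 .args = "",
 .default_fields = "",
 .override_fields = "",
+.mechanisms = "",
 
 .skip = "never:authenticated:unauthenticated",
 .result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail",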
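--- a/src/auth/auth-settings.h
+++ b/src/auth/auth-settings.h
@@ -10,6 +10,7 @@ struct auth_passdb_settings {
 const char *args;
 const char *default_fields;
 const char *override_fields;
+const char *mechanisms;
 
 const char *skip;
 const char *result_success;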
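--- a/src/auth/passdb.c
+++ b/src/auth/passdb.c
@@ -223,6 +223,13 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
 passdb->id = ++auth_passdb_id;
 passdb->iface = *iface;
 passdb->args = p_strdup(pool, set->args);
+if (*set->mechanisms == '\0') {
+passdb->mechanisms = NULL;
+} else if (strcasecmp(set->mechanisms, "none") == 0) {
+passdb->mechanisms = (const char *const[]){NULL};
+} else {
+passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+}
 
 array_append(&passdb_modules, &passdb, 1);
 return passdb;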
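Review bot: The `none` branch stores the address of a compound literal, `(const char *const[]){NULL}`, whose storage is automatic and ends with the enclosing `else if` block, so `passdb->mechanisms` is left dangling once that block is left. Any later read of the array, such as the mechanism test in auth_request_want_skip_passdb, then reads indeterminate memory in the auth process and the filter decision becomes unpredictable. Give the empty list the module's lifetime instead, for example `passdb->mechanisms = p_new(pool, const char *, 1);` or a file-scope `static const char *const no_mechanisms[] = { NULL };`. passdb_preinit starts above and ends below the hunk.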
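--- a/src/auth/passdb.h
+++ b/src/auth/passdb.h
@@ -62,6 +62,9 @@ struct passdb_module {
 /* Default password scheme for this module.
 If cache_key is set, must not be NULL. */
 const char *default_pass_scheme;
+/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+const char *const *mechanisms;
+
 /* If blocking is set to TRUE, use child processes to access
 this passdb. */
 bool blocking;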
