From ffd9e5f14550a4a62878192c2eef9b4c9b38f737 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Tue, 6 Feb 2018 09:48:11 +0200
Subject: [PATCH] auth: Add policy check configuration options

Allows disabling before/after auth checks, or reporting.
---
src/auth/auth-request-handler.c | 6 ++++--
src/auth/auth-request.c | 17 +++++++++++++----
src/auth/auth-settings.c | 6 ++++++
src/auth/auth-settings.h | 3 +++
4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index 684c69a0d5..d1c0bac63d 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -216,7 +216,8 @@ auth_request_handle_failure(struct auth_request *request, const char *reply)
 auth_request_ref(request);
 auth_request_handler_remove(handler, request);
 
- auth_policy_report(request);
+ if (request->set->policy_report_after_auth)
+ auth_policy_report(request);
 
 if (auth_fields_exists(request->extra_fields, "nodelay")) {
 /* passdb specifically requested not to delay the reply. */
@@ -264,7 +265,8 @@ auth_request_handler_reply_success_finish(struct auth_request *request)
 str_append_tabescaped(str, request->user);
 auth_str_append_extra_fields(request, str);
 
- auth_policy_report(request);
+ if (request->set->policy_report_after_auth)
+ auth_policy_report(request);
 
 if (handler->master_callback == NULL ||
 auth_fields_exists(request->extra_fields, "nologin") ||
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index 24a84ccb7d..68dc4782dd 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
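Review bot: The `policy_report_after_auth` gate is written out at both call sites of auth_policy_report() in this file — here in auth_request_handle_failure() and again in the auth_request_handler_reply_success_finish() hunk — so any future caller has to remember to repeat it. Checking the setting once inside auth_policy_report() (it already receives `request`, so `request->set` is at hand) would keep both callers as a plain `auth_policy_report(request);` and make the setting impossible to bypass by omission. Both enclosing functions start before and continue after their hunks.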
@@ -158,8 +158,18 @@ void auth_request_success(struct auth_request *request,
 {
 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
 
- /* perform second policy lookup here */
+ if (!request->set->policy_check_after_auth) {
+ buffer_t buf;
+ buffer_create_from_const_data(&buf, "", 0);
+ struct auth_policy_check_ctx ctx = {
+ .success_data = &buf,
+ .request = request
+ };
+ auth_request_policy_check_callback(0, &ctx);
+ return;
+ }
+ /* perform second policy lookup here */
 struct auth_policy_check_ctx *ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
 ctx->request = request;
 ctx->success_data = buffer_create_dynamic(request->pool, data_size);
@@ -1024,7 +1034,7 @@ void auth_request_verify_plain(struct auth_request *request,
 i_assert(request->mech_password == password);
 request->user_changed_by_lookup = FALSE;
 
- if (request->policy_processed) {
+ if (request->policy_processed || !request->set->policy_check_before_auth) {
 auth_request_verify_plain_continue(request, callback);
 } else {
 ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1202,7 +1212,7 @@ void auth_request_lookup_credentials(struct auth_request *request,
 request->credentials_scheme = p_strdup(request->pool, scheme);
 request->user_changed_by_lookup = FALSE;
 
- if (request->policy_processed)
+ if (request->policy_processed || !request->set->policy_check_before_auth)
 auth_request_lookup_credentials_policy_continue(request, callback);
 else {
 ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);
@@ -1222,7 +1232,6 @@ void auth_request_lookup_credentials_policy_continue(struct auth_request *reques
 enum passdb_result result;
 
 i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);
-
 if (auth_request_is_disabled_master_user(request)) {
 callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
 return;
diff --git a/src/auth/auth-settings.c b/src/auth/auth-settings.c
index 6ff610b0e8..bc2e46a681 100644
--- a/src/auth/auth-settings.c
+++ b/src/auth/auth-settings.c
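Review bot: The short-circuit path added at the top of auth_request_success() hands the callback an empty buffer (`buffer_create_from_const_data(&buf, "", 0)`) while the normal path below reserves `ctx->success_data` for `data_size` bytes, presumably the success payload the function was given; if auth_request_policy_check_callback() forwards `success_data` to the client, switching `policy_check_after_auth` off silently discards whatever final data a mechanism returns on success. Building the buffer from the caller's arguments keeps the two paths equivalent, e.g. `buffer_create_from_const_data(&buf, data, data_size);` if the payload parameter is named `data` (the rest of the signature is above the hunk). The designated initializer also leaves every other member of `ctx` zeroed — including any type/kind member the pool-allocated path sets further down — so if the callback dispatches on such a member, value 0 may not denote the success case; worth confirming before relying on this path. `ctx` and `buf` are automatic variables, which is only safe if the callback does not retain either pointer after returning. The body of auth_request_success() continues past the hunk.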
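Review bot: The condition `request->policy_processed || !request->set->policy_check_before_auth` now appears verbatim in auth_request_verify_plain() and again in the auth_request_lookup_credentials() hunk, so the two entry points can drift apart the next time the rule changes. A one-line static helper such as `static bool auth_request_policy_check_needed(const struct auth_request *request)` returning the negation would keep them in step and would also shorten a line that, with its leading tab, likely runs past the 80 columns the rest of the file keeps to. Both enclosing functions continue outside their hunks.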
@@ -249,6 +249,9 @@ static const struct setting_define auth_setting_defines[] = {
 DEF(SET_STR, policy_hash_nonce),
 DEF(SET_STR, policy_request_attributes),
 DEF(SET_BOOL, policy_reject_on_fail),
+ DEF(SET_BOOL, policy_check_before_auth),
+ DEF(SET_BOOL, policy_check_after_auth),
+ DEF(SET_BOOL, policy_report_after_auth),
 DEF(SET_UINT, policy_hash_truncate),
 
 DEF(SET_BOOL, stats),
@@ -302,6 +305,9 @@ static const struct auth_settings auth_default_settings = {
 .policy_hash_nonce = "",
 .policy_request_attributes = "login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s",
 .policy_reject_on_fail = FALSE,
+ .policy_check_before_auth = TRUE,
+ .policy_check_after_auth = TRUE,
+ .policy_report_after_auth = TRUE,
 .policy_hash_truncate = 12,
 
 .stats = FALSE,
diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h
index bfb71929fb..90ebb7459b 100644
--- a/src/auth/auth-settings.h
+++ b/src/auth/auth-settings.h
@@ -63,6 +63,9 @@ struct auth_settings {
 const char *policy_hash_nonce;
 const char *policy_request_attributes;
 bool policy_reject_on_fail;
+ bool policy_check_before_auth;
+ bool policy_check_after_auth;
+ bool policy_report_after_auth;
 unsigned int policy_hash_truncate;
 
 bool stats;
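Review bot: The three new `bool` members in struct auth_settings are added without a comment, so a reader of the header cannot tell that `policy_check_before_auth` and `policy_check_after_auth` skip the policy lookup in auth-request.c altogether (not merely ignore its result), or that `policy_report_after_auth` governs the separate auth_policy_report() call in auth-request-handler.c; the auth-settings.c hunks show all three default to TRUE, which preserves the pre-patch behaviour where every step was unconditional. A short comment above the group, along the lines of `/* Run the policy lookup before / after authentication and report the outcome afterwards. All default to TRUE; FALSE skips that step entirely. */`, would document that, and the same wording belongs wherever the auth settings are described for administrators. struct auth_settings continues outside the hunk.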