178
189
pool_unref(&request->pool);
181
void auth_request_export(struct auth_request *request,
182
struct auth_stream_reply *reply)
184
auth_stream_reply_add(reply, "user", request->user);
185
auth_stream_reply_add(reply, "service", request->service);
193
auth_str_add_keyvalue(string_t *dest, const char *key, const char *value)
195
str_append_c(dest, '\t');
196
str_append(dest, key);
198
str_append_c(dest, '=');
199
str_append_tabescaped(dest, value);
203
void auth_request_export(struct auth_request *request, string_t *dest)
205
str_append(dest, "user=");
206
str_append_tabescaped(dest, request->user);
208
auth_str_add_keyvalue(dest, "service", request->service);
187
210
if (request->master_user != NULL) {
188
auth_stream_reply_add(reply, "master_user",
211
auth_str_add_keyvalue(dest, "master-user",
189
212
request->master_user);
191
auth_stream_reply_add(reply, "original_username",
214
auth_str_add_keyvalue(dest, "original_username",
192
215
request->original_username);
193
auth_stream_reply_add(reply, "requested_login_user",
194
request->requested_login_user);
216
if (request->requested_login_user != NULL) {
217
auth_str_add_keyvalue(dest, "requested-login-user",
218
request->requested_login_user);
196
221
if (request->local_ip.family != 0) {
197
auth_stream_reply_add(reply, "lip",
222
auth_str_add_keyvalue(dest, "lip",
198
223
net_ip2addr(&request->local_ip));
200
225
if (request->remote_ip.family != 0) {
201
auth_stream_reply_add(reply, "rip",
226
auth_str_add_keyvalue(dest, "rip",
202
227
net_ip2addr(&request->remote_ip));
204
if (request->local_port != 0) {
205
auth_stream_reply_add(reply, "lport",
206
dec2str(request->local_port));
208
if (request->remote_port != 0) {
209
auth_stream_reply_add(reply, "rport",
210
dec2str(request->remote_port));
229
if (request->local_port != 0)
230
str_printfa(dest, "\tlport=%u", request->local_port);
231
if (request->remote_port != 0)
232
str_printfa(dest, "\trport=%u", request->remote_port);
233
if (request->real_local_ip.family != 0) {
234
auth_str_add_keyvalue(dest, "real_lip",
235
net_ip2addr(&request->real_local_ip));
237
if (request->real_remote_ip.family != 0) {
238
auth_str_add_keyvalue(dest, "real_rip",
239
net_ip2addr(&request->real_remote_ip));
241
if (request->real_local_port != 0)
242
str_printfa(dest, "\treal_lport=%u", request->real_local_port);
243
if (request->real_remote_port != 0)
244
str_printfa(dest, "\treal_rport=%u", request->real_remote_port);
212
245
if (request->secured)
213
auth_stream_reply_add(reply, "secured", "1");
246
str_append(dest, "\tsecured");
214
247
if (request->skip_password_check)
215
auth_stream_reply_add(reply, "skip_password_check", "1");
248
str_append(dest, "\tskip-password-check");
216
249
if (request->valid_client_cert)
217
auth_stream_reply_add(reply, "valid-client-cert", "1");
250
str_append(dest, "\tvalid-client-cert");
218
251
if (request->no_penalty)
219
auth_stream_reply_add(reply, "no-penalty", "1");
252
str_append(dest, "\tno-penalty");
220
253
if (request->successful)
221
auth_stream_reply_add(reply, "successful", "1");
254
str_append(dest, "\tsuccessful");
222
255
if (request->mech_name != NULL)
223
auth_stream_reply_add(reply, "mech", request->mech_name);
256
auth_str_add_keyvalue(dest, "mech", request->mech_name);
226
259
bool auth_request_import_info(struct auth_request *request,
229
262
/* authentication and user lookups may set these */
230
263
if (strcmp(key, "service") == 0)
231
264
request->service = p_strdup(request->pool, value);
232
else if (strcmp(key, "lip") == 0)
233
net_addr2ip(value, &request->local_ip);
234
else if (strcmp(key, "rip") == 0)
235
net_addr2ip(value, &request->remote_ip);
236
else if (strcmp(key, "lport") == 0)
265
else if (strcmp(key, "lip") == 0) {
266
(void)net_addr2ip(value, &request->local_ip);
267
if (request->real_local_ip.family == 0)
268
request->real_local_ip = request->local_ip;
269
} else if (strcmp(key, "rip") == 0) {
270
(void)net_addr2ip(value, &request->remote_ip);
271
if (request->real_remote_ip.family == 0)
272
request->real_remote_ip = request->remote_ip;
273
} else if (strcmp(key, "lport") == 0) {
237
274
request->local_port = atoi(value);
238
else if (strcmp(key, "rport") == 0)
275
if (request->real_local_port == 0)
276
request->real_local_port = request->local_port;
277
} else if (strcmp(key, "rport") == 0) {
239
278
request->remote_port = atoi(value);
279
if (request->real_remote_port == 0)
280
request->real_remote_port = request->remote_port;
282
else if (strcmp(key, "real_lip") == 0)
283
(void)net_addr2ip(value, &request->real_local_ip);
284
else if (strcmp(key, "real_rip") == 0)
285
(void)net_addr2ip(value, &request->real_remote_ip);
286
else if (strcmp(key, "real_lport") == 0)
287
request->real_local_port = atoi(value);
288
else if (strcmp(key, "real_rport") == 0)
289
request->real_remote_port = atoi(value);
240
290
else if (strcmp(key, "session") == 0)
241
291
request->session_id = p_strdup(request->pool, value);
281
345
/* for communication between auth master and worker processes */
282
346
if (strcmp(key, "user") == 0)
283
347
request->user = p_strdup(request->pool, value);
284
else if (strcmp(key, "master_user") == 0)
348
else if (strcmp(key, "master-user") == 0)
285
349
request->master_user = p_strdup(request->pool, value);
286
else if (strcmp(key, "original_username") == 0)
350
else if (strcmp(key, "original-username") == 0)
287
351
request->original_username = p_strdup(request->pool, value);
288
else if (strcmp(key, "requested_login_user") == 0)
352
else if (strcmp(key, "requested-login-user") == 0)
289
353
request->requested_login_user = p_strdup(request->pool, value);
290
else if (strcmp(key, "nologin") == 0)
291
request->no_login = TRUE;
292
354
else if (strcmp(key, "successful") == 0)
293
355
request->successful = TRUE;
294
else if (strcmp(key, "skip_password_check") == 0)
356
else if (strcmp(key, "skip-password-check") == 0)
295
357
request->skip_password_check = TRUE;
296
358
else if (strcmp(key, "mech") == 0)
297
359
request->mech_name = p_strdup(request->pool, value);
398
458
str_append(str, request->passdb_password);
401
if (extra_fields != NULL && *extra_fields != '\0') {
461
if (!auth_fields_is_empty(request->extra_fields)) {
402
462
str_append_c(str, '\t');
403
str_append(str, extra_fields);
405
if (request->extra_cache_fields != NULL) {
407
auth_stream_reply_export(request->extra_cache_fields);
408
if (*extra_fields != '\0') {
409
str_append_c(str, '\t');
410
str_append(str, extra_fields);
463
/* add only those extra fields to cache that were set by this
464
passdb lookup. the CHANGED flag does this, because we
465
snapshotted the extra_fields before the current passdb
467
auth_fields_append(request->extra_fields, str,
468
AUTH_FIELD_FLAG_CHANGED,
469
AUTH_FIELD_FLAG_CHANGED);
413
471
auth_cache_insert(passdb_cache, request, passdb->cache_key, str_c(str),
414
472
result == PASSDB_RESULT_OK);
417
static void auth_request_userdb_reply_update_user(struct auth_request *request)
421
str = t_strdup(auth_stream_reply_export(request->userdb_reply));
423
/* reset the reply and add the new username */
424
auth_stream_reply_reset(request->userdb_reply);
425
auth_stream_reply_add(request->userdb_reply, NULL, request->user);
428
p = strchr(str, '\t');
430
auth_stream_reply_import(request->userdb_reply, p + 1);
433
static bool auth_request_master_lookup_finish(struct auth_request *request)
435
struct auth_passdb *passdb;
437
if (request->passdb_failure)
475
static void auth_request_master_lookup_finish(struct auth_request *request)
440
480
/* master login successful. update user and master_user variables. */
441
481
auth_request_log_info(request, "passdb", "Master user logging in as %s",
444
484
request->master_user = request->user;
445
485
request->user = request->requested_login_user;
446
486
request->requested_login_user = NULL;
447
if (request->userdb_reply != NULL)
448
auth_request_userdb_reply_update_user(request);
450
request->skip_password_check = TRUE;
451
request->passdb_password = NULL;
453
if (!request->passdb->set->pass) {
454
/* skip the passdb lookup, we're authenticated now. */
458
/* the authentication continues with passdb lookup for the
459
requested_login_user. */
460
request->passdb = auth_request_get_auth(request)->passdbs;
462
for (passdb = request->passdb; passdb != NULL; passdb = passdb->next) {
463
if (passdb->passdb->iface.lookup_credentials != NULL)
466
if (passdb == NULL) {
467
auth_request_log_error(request, "passdb",
468
"No passdbs support skipping password verification - "
469
"pass=yes can't be used in master passdb");
490
auth_request_want_skip_passdb(struct auth_request *request,
491
struct auth_passdb *passdb)
493
/* skip_password_check basically specifies if authentication is
495
bool authenticated = request->skip_password_check;
497
switch (passdb->skip) {
498
case AUTH_PASSDB_SKIP_NEVER:
500
case AUTH_PASSDB_SKIP_AUTHENTICATED:
501
return authenticated;
502
case AUTH_PASSDB_SKIP_UNAUTHENTICATED:
503
return !authenticated;
475
509
auth_request_handle_passdb_callback(enum passdb_result *result,
476
510
struct auth_request *request)
512
struct auth_passdb *next_passdb;
513
enum auth_passdb_rule result_rule;
514
bool passdb_continue = FALSE;
478
516
if (request->passdb_password != NULL) {
479
517
safe_memset(request->passdb_password, 0,
480
518
strlen(request->passdb_password));
490
528
"User found from deny passdb");
491
529
*result = PASSDB_RESULT_USER_DISABLED;
493
} else if (*result == PASSDB_RESULT_OK) {
495
if (request->requested_login_user != NULL) {
496
/* this was a master user lookup. */
497
if (!auth_request_master_lookup_finish(request))
500
if (request->passdb->set->pass) {
501
/* this wasn't the final passdb lookup,
502
continue to next passdb */
503
request->passdb = request->passdb->next;
504
request->passdb_password = NULL;
508
} else if (*result == PASSDB_RESULT_PASS_EXPIRED) {
509
if (request->extra_fields == NULL) {
510
request->extra_fields =
511
auth_stream_reply_init(request->pool);
513
auth_stream_reply_add(request->extra_fields, "reason",
515
} else if (request->passdb->next != NULL &&
516
*result != PASSDB_RESULT_USER_DISABLED) {
534
/* users that exist but can't log in are special. we don't try to match
535
any of the success/failure rules to them. they'll always fail. */
537
case PASSDB_RESULT_USER_DISABLED:
539
case PASSDB_RESULT_PASS_EXPIRED:
540
auth_request_set_field(request, "reason",
541
"Password expired", NULL);
544
case PASSDB_RESULT_OK:
545
result_rule = request->passdb->result_success;
547
case PASSDB_RESULT_INTERNAL_FAILURE:
548
result_rule = request->passdb->result_internalfail;
550
case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
551
case PASSDB_RESULT_USER_UNKNOWN:
552
case PASSDB_RESULT_PASSWORD_MISMATCH:
554
result_rule = request->passdb->result_failure;
558
switch (result_rule) {
559
case AUTH_PASSDB_RULE_RETURN:
561
case AUTH_PASSDB_RULE_RETURN_OK:
562
request->passdb_success = TRUE;
564
case AUTH_PASSDB_RULE_RETURN_FAIL:
565
request->passdb_success = FALSE;
567
case AUTH_PASSDB_RULE_CONTINUE:
568
passdb_continue = TRUE;
570
case AUTH_PASSDB_RULE_CONTINUE_OK:
571
passdb_continue = TRUE;
572
request->passdb_success = TRUE;
574
case AUTH_PASSDB_RULE_CONTINUE_FAIL:
575
passdb_continue = TRUE;
576
request->passdb_success = FALSE;
580
if (*result == PASSDB_RESULT_OK && passdb_continue) {
581
/* password was successfully verified. don't bother
582
checking it again. */
583
request->skip_password_check = TRUE;
586
if (request->requested_login_user != NULL &&
587
*result == PASSDB_RESULT_OK) {
588
auth_request_master_lookup_finish(request);
589
/* if the passdb lookup continues, it continues with non-master
590
passdbs for the requested_login_user. */
591
next_passdb = auth_request_get_auth(request)->passdbs;
593
next_passdb = request->passdb->next;
595
while (next_passdb != NULL &&
596
auth_request_want_skip_passdb(request, next_passdb))
597
next_passdb = next_passdb->next;
599
if (passdb_continue && next_passdb != NULL) {
517
600
/* try next passdb. */
518
request->passdb = request->passdb->next;
601
request->passdb = next_passdb;
519
602
request->passdb_password = NULL;
521
request->proxy = FALSE;
522
request->proxy_maybe = FALSE;
523
request->proxy_always = FALSE;
604
if (*result == PASSDB_RESULT_OK) {
605
/* this passdb lookup succeeded, preserve its extra
607
auth_fields_snapshot(request->extra_fields);
608
request->snapshot_has_userdb_reply =
609
request->userdb_reply != NULL;
610
if (request->userdb_reply != NULL)
611
auth_fields_snapshot(request->userdb_reply);
613
/* this passdb lookup failed, remove any extra fields
615
auth_fields_rollback(request->extra_fields);
616
if (request->userdb_reply == NULL)
618
else if (!request->snapshot_has_userdb_reply)
619
request->userdb_reply = NULL;
621
auth_fields_rollback(request->userdb_reply);
525
624
if (*result == PASSDB_RESULT_USER_UNKNOWN) {
526
625
/* remember that we did at least one successful
528
request->passdb_user_unknown = TRUE;
627
request->passdbs_seen_user_unknown = TRUE;
529
628
} else if (*result == PASSDB_RESULT_INTERNAL_FAILURE) {
530
629
/* remember that we have had an internal failure. at
531
630
the end return internal failure if we couldn't
532
631
successfully login. */
533
request->passdb_internal_failure = TRUE;
632
request->passdbs_seen_internal_failure = TRUE;
535
if (request->extra_fields != NULL)
536
auth_stream_reply_reset(request->extra_fields);
539
} else if (request->passdb_internal_failure) {
635
} else if (request->passdbs_seen_internal_failure) {
540
636
/* last passdb lookup returned internal failure. it may have
541
637
had the correct password, so return internal failure
542
638
instead of plain failure. */
543
639
*result = PASSDB_RESULT_INTERNAL_FAILURE;
640
} else if (request->passdb_success) {
641
/* either this or a previous passdb lookup succeeded. */
642
*result = PASSDB_RESULT_OK;
821
920
enum userdb_result result)
823
922
struct userdb_module *userdb = request->userdb->userdb;
924
const char *cache_value;
826
926
if (passdb_cache == NULL || userdb->cache_key == NULL ||
827
927
request->master_user != NULL)
830
str = result == USERDB_RESULT_USER_UNKNOWN ? "" :
831
auth_stream_reply_export(request->userdb_reply);
930
if (result == USERDB_RESULT_USER_UNKNOWN)
933
str = t_str_new(128);
934
auth_fields_append(request->userdb_reply, str,
935
AUTH_FIELD_FLAG_CHANGED,
936
AUTH_FIELD_FLAG_CHANGED);
937
if (str_len(str) == 0) {
938
/* no userdb fields. but we can't save an empty string,
939
since that means "user unknown". */
940
str_append(str, AUTH_REQUEST_USER_KEY_IGNORE);
942
cache_value = str_c(str);
832
944
/* last_success has no meaning with userdb */
833
auth_cache_insert(passdb_cache, request, userdb->cache_key, str, FALSE);
945
auth_cache_insert(passdb_cache, request, userdb->cache_key,
836
949
static bool auth_request_lookup_user_cache(struct auth_request *request,
838
struct auth_stream_reply **reply_r,
951
struct auth_fields **reply_r,
839
952
enum userdb_result *result_r,
840
953
bool use_expired)
1159
static void auth_request_set_reply_field(struct auth_request *request,
1160
const char *name, const char *value)
1162
if (strcmp(name, "nologin") == 0) {
1163
/* user can't actually login - don't keep this
1165
request->no_login = TRUE;
1167
} else if (strcmp(name, "proxy") == 0) {
1168
/* we're proxying authentication for this user. send
1169
password back if using plaintext authentication. */
1170
request->proxy = TRUE;
1172
} else if (strcmp(name, "proxy_always") == 0) {
1173
/* when proxy_maybe=yes and proxying wouldn't normally be done,
1174
with this enabled proxy=y is still returned without host.
1175
this can be used to make director set the host. */
1176
request->proxy_always = TRUE;
1178
} else if (strcmp(name, "proxy_maybe") == 0) {
1179
/* like "proxy", but log in normally if we're proxying to
1181
request->proxy = TRUE;
1182
request->proxy_maybe = TRUE;
1186
if (request->extra_fields == NULL)
1187
request->extra_fields = auth_stream_reply_init(request->pool);
1188
auth_stream_reply_remove(request->extra_fields, name);
1189
auth_stream_reply_add(request->extra_fields, name, value);
1192
1272
static const char *
1193
1273
get_updated_username(const char *old_username,
1194
1274
const char *name, const char *value)
1277
1355
if (auth_request_try_update_username(request, name, value)) {
1278
1356
/* don't change the original value so it gets saved correctly
1280
} else if (strcmp(name, "nodelay") == 0) {
1281
/* don't delay replying to client of the failure */
1282
request->no_failure_delay = TRUE;
1358
} else if (strcmp(name, "allow_nets") == 0) {
1359
auth_request_validate_networks(request, value);
1360
} else if (strncmp(name, "userdb_", 7) == 0) {
1361
/* for prefetch userdb */
1362
if (request->userdb_reply == NULL)
1363
auth_request_init_userdb_reply(request);
1364
auth_request_set_userdb_field(request, name + 7, value);
1283
1365
} else if (strcmp(name, "nopassword") == 0) {
1284
1366
/* NULL password - anything goes */
1285
1367
const char *password = request->passdb_password;
1297
request->no_password = TRUE;
1298
1379
request->passdb_password = NULL;
1299
} else if (strcmp(name, "allow_nets") == 0) {
1300
auth_request_validate_networks(request, value);
1380
auth_fields_add(request->extra_fields, name, value, 0);
1301
1382
} else if (strcmp(name, "passdb_import") == 0) {
1302
1383
auth_request_passdb_import(request, value, "", default_scheme);
1304
} else if (strncmp(name, "userdb_", 7) == 0) {
1305
/* for prefetch userdb */
1306
1385
if (strcmp(name, "userdb_userdb_import") == 0) {
1307
1386
/* we need can't put the whole userdb_userdb_import
1308
1387
value to extra_cache_fields or it doesn't work
1325
1401
/* we'll need to get this field stored into cache,
1326
1402
or we're a worker and we'll need to send this to the main
1327
1403
auth process that can store it in the cache. */
1328
if (request->extra_cache_fields == NULL) {
1329
request->extra_cache_fields =
1330
auth_stream_reply_init(request->pool);
1332
auth_stream_reply_add(request->extra_cache_fields, name, value);
1404
auth_fields_add(request->extra_fields, name, value,
1405
AUTH_FIELD_FLAG_HIDDEN);
1409
void auth_request_set_null_field(struct auth_request *request, const char *name)
1411
if (strncmp(name, "userdb_", 7) == 0) {
1412
/* make sure userdb prefetch is used even if all the fields
1413
were returned as NULL. */
1414
if (request->userdb_reply == NULL)
1415
auth_request_init_userdb_reply(request);
1494
1575
static bool auth_request_proxy_is_self(struct auth_request *request)
1496
const char *const *tmp, *port = NULL, *destuser = NULL;
1498
if (!request->proxy_host_is_self)
1501
tmp = auth_stream_split(request->extra_fields);
1502
for (; *tmp != NULL; tmp++) {
1503
if (strncmp(*tmp, "port=", 5) == 0)
1505
else if (strncmp(*tmp, "destuser=", 9) == 0)
1506
destuser = *tmp + 9;
1577
const char *port = NULL;
1579
/* check if the port is the same */
1580
port = auth_fields_find(request->extra_fields, "port");
1509
1581
if (port != NULL && !str_uint_equals(port, request->local_port))
1511
return destuser == NULL ||
1512
strcmp(destuser, request->original_username) == 0;
1583
/* don't check destuser. in some systems destuser is intentionally
1584
changed to proxied connections, but that shouldn't affect the
1587
it's unlikely any systems would actually want to proxy a connection
1588
to itself only to change the username, since it can already be done
1589
without proxying by changing the "user" field. */
1531
static void auth_request_proxy_finish_ip(struct auth_request *request)
1610
auth_request_proxy_finish_ip(struct auth_request *request,
1611
bool proxy_host_is_self)
1533
if (!request->proxy_maybe) {
1613
if (!auth_fields_exists(request->extra_fields, "proxy_maybe")) {
1535
request->no_login = TRUE;
1536
} else if (!auth_request_proxy_is_self(request)) {
1615
} else if (!proxy_host_is_self ||
1616
!auth_request_proxy_is_self(request)) {
1537
1617
/* proxy destination isn't ourself - proxy */
1538
auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
1539
auth_stream_reply_add(request->extra_fields, "proxy", NULL);
1540
request->no_login = TRUE;
1618
auth_fields_remove(request->extra_fields, "proxy_maybe");
1619
auth_fields_add(request->extra_fields, "proxy", NULL, 0);
1542
1621
/* proxying to ourself - log in without proxying by dropping
1543
1622
all the proxying fields. */
1544
bool proxy_always = request->proxy_always;
1623
bool proxy_always = auth_fields_exists(request->extra_fields,
1546
1626
auth_request_proxy_finish_failure(request);
1547
1627
if (proxy_always) {
1548
/* director adds the host */
1549
auth_stream_reply_add(request->extra_fields,
1551
request->proxy = TRUE;
1628
/* setup where "self" refers to the local director
1629
cluster, while "non-self" refers to remote clusters.
1631
we've matched self here, so add proxy field and
1632
let director fill the host. */
1633
auth_fields_add(request->extra_fields,
1556
struct auth_request_proxy_dns_lookup_ctx {
1557
struct auth_request *request;
1558
auth_request_proxy_cb_t *callback;
1562
1640
auth_request_proxy_dns_callback(const struct dns_lookup_result *result,
1641
struct auth_request_proxy_dns_lookup_ctx *ctx)
1565
struct auth_request_proxy_dns_lookup_ctx *ctx = context;
1566
1643
struct auth_request *request = ctx->request;
1567
1644
const char *host;
1568
1645
unsigned int i;
1570
host = auth_stream_reply_find(request->extra_fields, "host");
1646
bool proxy_host_is_self;
1648
request->dns_lookup_ctx = NULL;
1649
ctx->dns_lookup = NULL;
1651
host = auth_fields_find(request->extra_fields, "host");
1571
1652
i_assert(host != NULL);
1573
1654
if (result->ret != 0) {
1581
1662
"DNS lookup for %s took %u.%03u s",
1582
1663
host, result->msecs/1000, result->msecs % 1000);
1584
auth_stream_reply_remove(request->extra_fields, "hostip");
1585
auth_stream_reply_add(request->extra_fields, "hostip",
1586
net_ip2addr(&result->ips[0]));
1665
auth_fields_add(request->extra_fields, "hostip",
1666
net_ip2addr(&result->ips[0]), 0);
1667
proxy_host_is_self = FALSE;
1587
1668
for (i = 0; i < result->ips_count; i++) {
1588
1669
if (auth_request_proxy_ip_is_self(request,
1589
1670
&result->ips[i])) {
1590
request->proxy_host_is_self = TRUE;
1671
proxy_host_is_self = TRUE;
1594
auth_request_proxy_finish_ip(request);
1675
auth_request_proxy_finish_ip(request, proxy_host_is_self);
1596
1677
if (ctx->callback != NULL)
1597
1678
ctx->callback(result->ret == 0, request);
1598
1679
auth_request_unref(&request);
1602
1682
static int auth_request_proxy_host_lookup(struct auth_request *request,
1603
1684
auth_request_proxy_cb_t *callback)
1605
1686
struct auth_request_proxy_dns_lookup_ctx *ctx;
1606
1687
struct dns_lookup_settings dns_set;
1607
const char *host, *value;
1609
1689
unsigned int secs;
1611
host = auth_stream_reply_find(request->extra_fields, "host");
1614
if (net_addr2ip(host, &ip) == 0) {
1615
if (auth_request_proxy_ip_is_self(request, &ip))
1616
request->proxy_host_is_self = TRUE;
1620
1691
/* need to do dns lookup for the host */
1621
1692
memset(&dns_set, 0, sizeof(dns_set));
1622
1693
dns_set.dns_client_socket_path = AUTH_DNS_SOCKET_PATH;
1623
1694
dns_set.timeout_msecs = AUTH_DNS_DEFAULT_TIMEOUT_MSECS;
1624
value = auth_stream_reply_find(request->extra_fields, "proxy_timeout");
1695
value = auth_fields_find(request->extra_fields, "proxy_timeout");
1625
1696
if (value != NULL) {
1626
1697
if (str_to_uint(value, &secs) < 0) {
1627
1698
auth_request_log_error(request, "proxy",
1646
1718
int auth_request_proxy_finish(struct auth_request *request,
1647
1719
auth_request_proxy_cb_t *callback)
1651
if (!request->proxy)
1654
if ((ret = auth_request_proxy_host_lookup(request, callback)) <= 0)
1657
auth_request_proxy_finish_ip(request);
1723
bool proxy_host_is_self;
1725
if (request->auth_only)
1727
if (!auth_fields_exists(request->extra_fields, "proxy") &&
1728
!auth_fields_exists(request->extra_fields, "proxy_maybe"))
1731
host = auth_fields_find(request->extra_fields, "host");
1733
/* director can set the host */
1734
proxy_host_is_self = FALSE;
1735
} else if (net_addr2ip(host, &ip) == 0) {
1736
proxy_host_is_self =
1737
auth_request_proxy_ip_is_self(request, &ip);
1739
/* asynchronous host lookup */
1740
return auth_request_proxy_host_lookup(request, host, callback);
1743
auth_request_proxy_finish_ip(request, proxy_host_is_self);
1661
1747
void auth_request_proxy_finish_failure(struct auth_request *request)
1663
if (!request->proxy)
1666
1749
/* drop all proxying fields */
1667
auth_stream_reply_remove(request->extra_fields, "proxy");
1668
auth_stream_reply_remove(request->extra_fields, "proxy_maybe");
1669
auth_stream_reply_remove(request->extra_fields, "host");
1670
auth_stream_reply_remove(request->extra_fields, "port");
1671
auth_stream_reply_remove(request->extra_fields, "destuser");
1673
request->proxy = FALSE;
1674
request->proxy_maybe = FALSE;
1675
request->proxy_always = FALSE;
1750
auth_fields_remove(request->extra_fields, "proxy");
1751
auth_fields_remove(request->extra_fields, "proxy_maybe");
1752
auth_fields_remove(request->extra_fields, "proxy_always");
1753
auth_fields_remove(request->extra_fields, "host");
1754
auth_fields_remove(request->extra_fields, "port");
1755
auth_fields_remove(request->extra_fields, "destuser");
1678
1758
static void log_password_failure(struct auth_request *request,