dovecot-2.0: login processes: Added initial support for per-conn...
dovecot at dovecot.org
dovecot at dovecot.org
Fri May 15 02:01:34 EEST 2009
details: http://hg.dovecot.org/dovecot-2.0/rev/02721ba17309
changeset: 9283:02721ba17309
user: Timo Sirainen <tss at iki.fi>
date: Thu May 14 19:01:28 2009 -0400
description:
login processes: Added initial support for per-connection configuration.
diffstat:
17 files changed, 148 insertions(+), 89 deletions(-)
src/imap-login/client-authenticate.c | 16 +++++++++-------
src/imap-login/client-authenticate.h | 2 +-
src/imap-login/client.c | 33 +++++++++++++++++++--------------
src/imap-login/imap-proxy.c | 4 ++--
src/login-common/client-common.c | 16 ++++++++--------
src/login-common/client-common.h | 8 ++++++--
src/login-common/common.h | 2 +-
src/login-common/login-proxy.c | 1 +
src/login-common/login-settings.c | 26 ++++++++++++++++++++------
src/login-common/login-settings.h | 7 +++++--
src/login-common/main.c | 34 ++++++++++++++++++++++++----------
src/login-common/sasl-server.c | 8 ++++----
src/login-common/ssl-proxy-openssl.c | 19 +++++++++++++------
src/login-common/ssl-proxy.h | 5 ++++-
src/pop3-login/client-authenticate.c | 27 ++++++++++++++-------------
src/pop3-login/client.c | 27 ++++++++++++++++-----------
src/pop3-login/pop3-proxy.c | 2 +-
diffs (truncated from 834 to 300 lines):
diff -r 6bb773332683 -r 02721ba17309 src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c Thu May 14 18:52:54 2009 -0400
+++ b/src/imap-login/client-authenticate.c Thu May 14 19:01:28 2009 -0400
@@ -22,7 +22,7 @@
#define IMAP_SERVICE_NAME "imap"
-const char *client_authenticate_get_capabilities(bool secured)
+const char *client_authenticate_get_capabilities(struct imap_client *client)
{
const struct auth_mech_desc *mech;
unsigned int i, count;
@@ -36,7 +36,8 @@ const char *client_authenticate_get_capa
c) we allow insecure authentication
*/
if ((mech[i].flags & MECH_SEC_PRIVATE) == 0 &&
- (secured || !login_settings->disable_plaintext_auth ||
+ (client->common.secured ||
+ !client->common.set->disable_plaintext_auth ||
(mech[i].flags & MECH_SEC_PLAINTEXT) == 0)) {
str_append_c(str, ' ');
str_append(str, "AUTH=");
@@ -165,7 +166,7 @@ static bool client_handle_args(struct im
master_user = value;
else if (strcmp(key, "user") == 0) {
/* already handled in login-common */
- } else if (login_settings->auth_debug)
+ } else if (client->common.set->auth_debug)
i_info("Ignoring unknown passdb extra field: %s", key);
}
@@ -353,8 +354,8 @@ int cmd_authenticate(struct imap_client
}
if (!client->common.secured &&
- strcmp(login_settings->ssl, "required") == 0) {
- if (login_settings->verbose_auth) {
+ strcmp(client->common.set->ssl, "required") == 0) {
+ if (client->common.set->verbose_auth) {
client_syslog(&client->common, "Login failed: "
"SSL required for authentication");
}
@@ -387,8 +388,9 @@ int cmd_login(struct imap_client *client
user = IMAP_ARG_STR(&args[0]);
pass = IMAP_ARG_STR(&args[1]);
- if (!client->common.secured && login_settings->disable_plaintext_auth) {
- if (login_settings->verbose_auth) {
+ if (!client->common.secured &&
+ client->common.set->disable_plaintext_auth) {
+ if (client->common.set->verbose_auth) {
client_syslog(&client->common, "Login failed: "
"Plaintext authentication disabled");
}
diff -r 6bb773332683 -r 02721ba17309 src/imap-login/client-authenticate.h
--- a/src/imap-login/client-authenticate.h Thu May 14 18:52:54 2009 -0400
+++ b/src/imap-login/client-authenticate.h Thu May 14 19:01:28 2009 -0400
@@ -8,7 +8,7 @@ struct imap_arg;
#define IMAP_AUTHZ_FAILED_MSG \
"["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
-const char *client_authenticate_get_capabilities(bool secured);
+const char *client_authenticate_get_capabilities(struct imap_client *client);
int cmd_login(struct imap_client *client, const struct imap_arg *args);
int cmd_authenticate(struct imap_client *client, const struct imap_arg *args);
diff -r 6bb773332683 -r 02721ba17309 src/imap-login/client.c
--- a/src/imap-login/client.c Thu May 14 18:52:54 2009 -0400
+++ b/src/imap-login/client.c Thu May 14 19:01:28 2009 -0400
@@ -56,8 +56,8 @@ static void client_set_title(struct imap
{
const char *addr;
- if (!login_settings->verbose_proctitle ||
- !login_settings->login_process_per_connection)
+ if (!client->common.set->verbose_proctitle ||
+ !client->common.set->login_process_per_connection)
return;
addr = net_ip2addr(&client->common.ip);
@@ -100,12 +100,12 @@ static const char *get_capability(struct
{
const char *auths;
- auths = client_authenticate_get_capabilities(client->common.secured);
- return t_strconcat(full ? login_settings->capability_string :
+ auths = client_authenticate_get_capabilities(client);
+ return t_strconcat(full ? client->common.set->capability_string :
CAPABILITY_BANNER_STRING,
(ssl_initialized && !client->common.tls) ?
" STARTTLS" : "",
- login_settings->disable_plaintext_auth &&
+ client->common.set->disable_plaintext_auth &&
!client->common.secured ?
" LOGINDISABLED" : "", auths, NULL);
}
@@ -128,7 +128,7 @@ static void client_start_tls(struct imap
return;
fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip,
- &client->common.proxy);
+ client->common.set, &client->common.proxy);
if (fd_ssl == -1) {
client_send_line(client, "* BYE TLS initialization failed.");
client_destroy(client,
@@ -431,7 +431,8 @@ void client_input(struct imap_client *cl
void client_destroy_oldest(void)
{
- unsigned int max_connections = login_settings->login_max_connections;
+ unsigned int max_connections =
+ global_login_settings->login_max_connections;
struct client *client;
struct imap_client *destroy_buf[CLIENT_DESTROY_OLDEST_COUNT];
unsigned int i, destroy_count;
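Review bot: client_destroy_oldest now takes its limit from global_login_settings (the two added lines here) while client_create in this same file compares clients_get_count() against the per-connection set->login_max_connections; if a per-connection set ever carries a different login_max_connections the admission check and the eviction count disagree. The connection cap is a property of the whole process rather than of one connection, so the client_create check presumably belongs on the global value too, `if (clients_get_count() >= global_login_settings->login_max_connections) {`; if the per-connection value is intended there, the divergence deserves a comment at both sites. The body of client_destroy_oldest continues outside the hunk.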
@@ -474,7 +475,7 @@ static void client_send_greeting(struct
greet = t_str_new(128);
str_append(greet, "* OK ");
str_printfa(greet, "[CAPABILITY %s] ", get_capability(client, FALSE));
- str_append(greet, login_settings->login_greeting);
+ str_append(greet, client->common.set->login_greeting);
client_send_line(client, str_c(greet));
client->greeting_sent = TRUE;
@@ -501,14 +502,16 @@ void client_set_auth_waiting(struct imap
client_auth_waiting_timeout, client);
}
-struct client *client_create(int fd, bool ssl, const struct ip_addr *local_ip,
- const struct ip_addr *ip)
+struct client *client_create(int fd, bool ssl, pool_t pool,
+ const struct login_settings *set,
+ const struct ip_addr *local_ip,
+ const struct ip_addr *remote_ip)
{
struct imap_client *client;
i_assert(fd != -1);
- if (clients_get_count() >= login_settings->login_max_connections) {
+ if (clients_get_count() >= set->login_max_connections) {
/* reached max. users count, kill few of the
oldest connections */
client_destroy_oldest();
@@ -517,17 +520,19 @@ struct client *client_create(int fd, boo
/* always use nonblocking I/O */
net_set_nonblock(fd, TRUE);
- client = i_new(struct imap_client, 1);
+ client = p_new(pool, struct imap_client, 1);
client->created = ioloop_time;
client->refcount = 1;
+ client->common.pool = pool;
+ client->common.set = set;
client->common.local_ip = *local_ip;
- client->common.ip = *ip;
+ client->common.ip = *remote_ip;
client->common.fd = fd;
client->common.tls = ssl;
client->common.trusted = client_is_trusted(&client->common);
client->common.secured = ssl || client->common.trusted ||
- net_ip_compare(ip, local_ip);
+ net_ip_compare(remote_ip, local_ip);
client_open_streams(client, fd);
client->io = io_add(fd, IO_READ, client_input, client);
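Review bot: The new `client->common.set = set;` line has to stay ahead of the client_is_trusted(&client->common) call a few lines below, because client_is_trusted now reads client->set->login_trusted_networks (see the client-common.c hunk in this commit) and would read an unset pointer if the two were reordered; nothing at the call site shows that dependency. A comment would protect it: `/* set must be assigned before client_is_trusted(), which reads set->login_trusted_networks */`. On the positive side, secured and trusted are now derived from the same per-connection set that cmd_login and get_capability consult, so advertisement and enforcement of plaintext/SSL policy stay consistent for one connection. client_create's body continues past the hunk.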
diff -r 6bb773332683 -r 02721ba17309 src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c Thu May 14 18:52:54 2009 -0400
+++ b/src/imap-login/imap-proxy.c Thu May 14 19:01:28 2009 -0400
@@ -128,7 +128,7 @@ client_send_capability_if_needed(struct
backend_capabilities =
capabilities_strip_prelogin(t_strsplit(capability, " "));
proxy_capabilities =
- capabilities_strip_prelogin(t_strsplit(login_settings->capability_string, " "));
+ capabilities_strip_prelogin(t_strsplit(client->common.set->capability_string, " "));
if (str_array_icmp(backend_capabilities, proxy_capabilities))
return;
@@ -290,7 +290,7 @@ static int proxy_input_line(struct imap_
return 1;
} else if (strncmp(line, "L ", 2) == 0) {
line += 2;
- if (login_settings->verbose_auth) {
+ if (client->common.set->verbose_auth) {
str = t_str_new(128);
str_printfa(str, "proxy(%s): Login failed to %s:%u",
client->common.virtual_user,
diff -r 6bb773332683 -r 02721ba17309 src/login-common/client-common.c
--- a/src/login-common/client-common.c Thu May 14 18:52:54 2009 -0400
+++ b/src/login-common/client-common.c Thu May 14 19:01:28 2009 -0400
@@ -90,7 +90,6 @@ get_var_expand_table(struct client *clie
tab[12].value = ssl_proxy_get_security_string(client->proxy);
}
tab[13].value = dec2str(client->mail_pid);
-
return tab;
}
@@ -119,7 +118,8 @@ client_get_log_str(struct client *client
};
const struct var_expand_table *var_expand_table;
struct var_expand_table *tab;
- const char *p, *const *e;
+ const char *p;
+ char *const *e;
string_t *str;
var_expand_table = get_var_expand_table(client);
@@ -128,7 +128,7 @@ client_get_log_str(struct client *client
memcpy(tab, static_tab, sizeof(static_tab));
str = t_str_new(256);
- for (e = login_settings->log_format_elements_split; *e != NULL; e++) {
+ for (e = client->set->log_format_elements_split; *e != NULL; e++) {
for (p = *e; *p != '\0'; p++) {
if (*p != '%' || p[1] == '\0')
continue;
@@ -147,7 +147,7 @@ client_get_log_str(struct client *client
tab[1].value = msg;
str_truncate(str, 0);
- var_expand(str, login_settings->login_log_format, tab);
+ var_expand(str, client->set->login_log_format, tab);
return str_c(str);
}
@@ -171,10 +171,10 @@ bool client_is_trusted(struct client *cl
struct ip_addr net_ip;
unsigned int bits;
- if (login_settings->login_trusted_networks == NULL)
+ if (client->set->login_trusted_networks == NULL)
return FALSE;
- net = t_strsplit_spaces(login_settings->login_trusted_networks, ", ");
+ net = t_strsplit_spaces(client->set->login_trusted_networks, ", ");
for (; *net != NULL; net++) {
if (net_parse_range(*net, &net_ip, &bits) < 0) {
i_error("login_trusted_networks: "
@@ -190,7 +190,7 @@ bool client_is_trusted(struct client *cl
const char *client_get_extra_disconnect_reason(struct client *client)
{
- if (login_settings->ssl_require_client_cert && client->proxy != NULL) {
+ if (client->set->ssl_require_client_cert && client->proxy != NULL) {
if (ssl_proxy_has_broken_client_cert(client->proxy))
return "(client sent an invalid cert)";
if (!ssl_proxy_has_valid_client_cert(client->proxy))
@@ -203,7 +203,7 @@ const char *client_get_extra_disconnect_
/* some auth attempts without SSL/TLS */
if (client->auth_tried_disabled_plaintext)
return "(tried to use disabled plaintext auth)";
- if (login_settings->ssl_require_client_cert)
+ if (client->set->ssl_require_client_cert)
return "(cert required, client didn't start TLS)";
return t_strdup_printf("(auth failed, %u attempts)",
diff -r 6bb773332683 -r 02721ba17309 src/login-common/client-common.h
--- a/src/login-common/client-common.h Thu May 14 18:52:54 2009 -0400
+++ b/src/login-common/client-common.h Thu May 14 19:01:28 2009 -0400
@@ -14,11 +14,13 @@
struct client {
struct client *prev, *next;
+ pool_t pool;
struct ip_addr local_ip;
struct ip_addr ip;
unsigned int local_port, remote_port;
struct ssl_proxy *proxy;
+ const struct login_settings *set;
int fd;
struct istream *input;
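Review bot: The new pool and set members of struct client carry no note on ownership or lifetime: nothing here says whether set is expected to be allocated from pool (and so goes away with the client) or is owned by the caller of client_create and must merely outlive the client. Since every login_settings read in this commit now goes through client->set, a set freed early would be a use-after-free on each settings lookup, so the contract belongs beside the field, e.g. `/* per-connection settings; must stay valid for the client's lifetime (owned by the client_create() caller) */` if that is the intent. From the imap-login/client.c hunk, client_create only stores the pointer and neither copies nor reference-counts it.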
@@ -45,8 +47,10 @@ struct client {
extern struct client *clients;
-struct client *client_create(int fd, bool ssl, const struct ip_addr *local_ip,
- const struct ip_addr *ip);
+struct client *client_create(int fd, bool ssl, pool_t pool,
+ const struct login_settings *set,
+ const struct ip_addr *local_ip,
+ const struct ip_addr *remote_ip);
void client_link(struct client *client);
void client_unlink(struct client *client);
diff -r 6bb773332683 -r 02721ba17309 src/login-common/common.h
--- a/src/login-common/common.h Thu May 14 18:52:54 2009 -0400
+++ b/src/login-common/common.h Thu May 14 19:01:28 2009 -0400
@@ -19,6 +19,6 @@ extern int anvil_fd;
extern int anvil_fd;
extern struct master_service *service;
-extern struct login_settings *login_settings;
+extern const struct login_settings *global_login_settings;
#endif
diff -r 6bb773332683 -r 02721ba17309 src/login-common/login-proxy.c