dovecot-2.2: auth, login, mail: Added %{auth_user}, %{auth_usern...

dovecot at dovecot.org dovecot at dovecot.org
Tue Jan 14 03:25:13 EET 2014


details:   http://hg.dovecot.org/dovecot-2.2/rev/5350000a999b
changeset: 17100:5350000a999b
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Jan 14 03:24:47 2014 +0200
description:
auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain}
They expand to the SASL authentication ID. So if a master user login is done,
it expands to the master user. If username changes during authentication, it
expands to the original username. Otherwise %{user} and %{auth_user} are
equal.

diffstat:

 src/auth/auth-request-handler.c        |  68 ++++++++++++++++++++-------------
 src/lib-storage/mail-storage-service.c |  31 ++++++++++++---
 src/lib-storage/mail-user.c            |  12 ++++++
 src/lib-storage/mail-user.h            |   2 +-
 src/login-common/client-common.c       |  49 +++++++++++++++---------
 src/login-common/client-common.h       |   2 +-
 src/login-common/sasl-server.c         |  10 +++++
 7 files changed, 119 insertions(+), 55 deletions(-)

diffs (truncated from 379 to 300 lines):

diff -r 61142fbbecf0 -r 5350000a999b src/auth/auth-request-handler.c
--- a/src/auth/auth-request-handler.c	Tue Jan 14 02:43:09 2014 +0200
+++ b/src/auth/auth-request-handler.c	Tue Jan 14 03:24:47 2014 +0200
@@ -177,6 +177,8 @@
 		auth_str_add_keyvalue(dest, "original_user",
 				      request->original_username);
 	}
+	if (request->master_user != NULL)
+		auth_str_add_keyvalue(dest, "auth_user", request->master_user);
 
 	if (!request->auth_only &&
 	    auth_fields_exists(request->extra_fields, "proxy")) {
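Review bot: The login-side reply built here emits `auth_user` only for master-user logins, whereas the USER reply assembled in auth_str_append_userdb_extra_fields also emits it when original_username differs from the final user; the two replies can therefore disagree on what %{auth_user} means for a username-rewrite login. Unless sasl-server.c (changed in this commit but not shown) derives the value from the `original_user` field already sent just above, the login process will fall back to %{user} in that case, contrary to the commit message. Mirroring the userdb branch, `else if (request->original_username != NULL && strcmp(request->original_username, request->user) != 0) auth_str_add_keyvalue(dest, "auth_user", request->original_username);`, keeps both paths consistent. The enclosing function starts and ends outside this hunk.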
@@ -621,6 +623,44 @@
 	return TRUE;
 }
 
+static void auth_str_append_userdb_extra_fields(struct auth_request *request,
+						string_t *dest)
+{
+	str_append_c(dest, '\t');
+	auth_fields_append(request->userdb_reply, dest,
+			   AUTH_FIELD_FLAG_HIDDEN, 0);
+
+	if (request->master_user != NULL &&
+	    !auth_fields_exists(request->userdb_reply, "master_user")) {
+		auth_str_add_keyvalue(dest, "master_user",
+				      request->master_user);
+	}
+	if (*request->set->anonymous_username != '\0' &&
+	    strcmp(request->user, request->set->anonymous_username) == 0) {
+		/* this is an anonymous login, either via ANONYMOUS
+		   SASL mechanism or simply logging in as the anonymous
+		   user via another mechanism */
+		str_append(dest, "\tanonymous");
+	}
+	/* generate auth_token when master service provided session_pid */
+	if (request->request_auth_token &&
+	    request->session_pid != (pid_t)-1) {
+		const char *auth_token =
+			auth_token_get(request->service,
+				       dec2str(request->session_pid),
+				       request->user,
+				       request->session_id);
+		auth_str_add_keyvalue(dest, "auth_token", auth_token);
+	}
+	if (request->master_user != NULL) {
+		auth_str_add_keyvalue(dest, "auth_user", request->master_user);
+	} else if (request->original_username != NULL &&
+		   strcmp(request->original_username, request->user) != 0) {
+		auth_str_add_keyvalue(dest, "auth_user",
+				      request->original_username);
+	}
+}
+
 static void userdb_callback(enum userdb_result result,
 			    struct auth_request *request)
 {
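Review bot: The new static helper auth_str_append_userdb_extra_fields has no header comment even though it now owns the wire semantics of four derived fields (master_user, anonymous, auth_token, auth_user) that lib-storage parses back. A comment such as `/* Append the userdb reply's extra fields to a USER reply line, then the derived master_user, anonymous, auth_token and auth_user fields. auth_user is the SASL authentication ID: the master user if set, else the original username if it was rewritten; omitted when equal to the final user. */` would make that contract explicit. The precedence of master_user over original_username in the final branch is only implied by the if/else order, so spelling it out in the comment avoids a silent change if the branches are ever reordered.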
@@ -651,33 +691,7 @@
 	case USERDB_RESULT_OK:
 		str_printfa(str, "USER\t%u\t", request->id);
 		str_append_tabescaped(str, request->user);
-		str_append_c(str, '\t');
-		auth_fields_append(request->userdb_reply, str,
-				   AUTH_FIELD_FLAG_HIDDEN, 0);
-
-		if (request->master_user != NULL &&
-		    !auth_fields_exists(request->userdb_reply, "master_user")) {
-			auth_str_add_keyvalue(str, "master_user",
-					      request->master_user);
-		}
-		if (*request->set->anonymous_username != '\0' &&
-		    strcmp(request->user,
-			   request->set->anonymous_username) == 0) {
-			/* this is an anonymous login, either via ANONYMOUS
-			   SASL mechanism or simply logging in as the anonymous
-			   user via another mechanism */
-			str_append(str, "\tanonymous");
-		}
-		/* generate auth_token when master service provided session_pid */
-		if (request->request_auth_token &&
-		    request->session_pid != (pid_t)-1) {
-			const char *auth_token =
-				auth_token_get(request->service,
-					       dec2str(request->session_pid),
-					       request->user,
-					       request->session_id);
-			auth_str_add_keyvalue(str, "auth_token", auth_token);
-		}
+		auth_str_append_userdb_extra_fields(request, str);
 		break;
 	}
 	handler->master_callback(str_c(str), request->master);
diff -r 61142fbbecf0 -r 5350000a999b src/lib-storage/mail-storage-service.c
--- a/src/lib-storage/mail-storage-service.c	Tue Jan 14 02:43:09 2014 +0200
+++ b/src/lib-storage/mail-storage-service.c	Tue Jan 14 03:24:47 2014 +0200
@@ -75,7 +75,7 @@
 	enum mail_storage_service_flags flags;
 
 	struct ioloop_context *ioloop_ctx;
-	const char *log_prefix, *auth_token;
+	const char *log_prefix, *auth_token, *auth_user;
 
 	const char *system_groups_user, *uid_source, *gid_source;
 	const struct mail_user_settings *user_set;
@@ -278,6 +278,8 @@
 #endif
 		} else if (strncmp(line, "auth_token=", 11) == 0) {
 			user->auth_token = p_strdup(user->pool, line+11);
+		} else if (strncmp(line, "auth_user=", 10) == 0) {
+			user->auth_user = p_strdup(user->pool, line+10);
 		} else if (strncmp(line, "admin=", 6) == 0) {
 			user->admin = line[6] == 'y' || line[6] == 'Y' ||
 				line[6] == '1';
@@ -376,6 +378,7 @@
 
 static const struct var_expand_table *
 get_var_expand_table(struct master_service *service,
+		     struct mail_storage_service_user *user,
 		     struct mail_storage_service_input *input,
 		     struct mail_storage_service_privileges *priv)
 {
@@ -390,6 +393,9 @@
 		{ 'i', NULL, "uid" },
 		{ '\0', NULL, "gid" },
 		{ '\0', NULL, "session" },
+		{ '\0', NULL, "auth_user" },
+		{ '\0', NULL, "auth_username" },
+		{ '\0', NULL, "auth_domain" },
 		{ '\0', NULL, NULL }
 	};
 	struct var_expand_table *tab;
@@ -408,6 +414,15 @@
 	tab[7].value = dec2str(priv->uid == (uid_t)-1 ? geteuid() : priv->uid);
 	tab[8].value = dec2str(priv->gid == (gid_t)-1 ? getegid() : priv->gid);
 	tab[9].value = input->session_id;
+	if (user == NULL || user->auth_user == NULL) {
+		tab[10].value = tab[0].value;
+		tab[11].value = tab[1].value;
+		tab[12].value = tab[2].value;
+	} else {
+		tab[10].value = user->auth_user;
+		tab[11].value = t_strcut(user->auth_user, '@');
+		tab[12].value = strchr(user->auth_user, '@');
+	}
 	return tab;
 }
 
@@ -420,12 +435,12 @@
 	memset(&priv, 0, sizeof(priv));
 	priv.uid = (uid_t)-1;
 	priv.gid = (gid_t)-1;
-	return get_var_expand_table(ctx->service, input, &priv);
+	return get_var_expand_table(ctx->service, NULL, input, &priv);
 }
 
 static const char *
 user_expand_varstr(struct master_service *service,
-		   struct mail_storage_service_input *input,
+		   struct mail_storage_service_user *user,
 		   struct mail_storage_service_privileges *priv,
 		   const char *str)
 {
@@ -437,7 +452,8 @@
 	i_assert(*str == SETTING_STRVAR_UNEXPANDED[0]);
 
 	ret = t_str_new(256);
-	var_expand(ret, str + 1, get_var_expand_table(service, input, priv));
+	var_expand(ret, str + 1,
+		   get_var_expand_table(service, user, &user->input, priv));
 	return str_c(ret);
 }
 
@@ -492,9 +508,9 @@
 
 	/* variable strings are expanded in mail_user_init(),
 	   but we need the home and chroot sooner so do them separately here. */
-	priv_r->home = user_expand_varstr(ctx->service, &user->input, priv_r,
+	priv_r->home = user_expand_varstr(ctx->service, user, priv_r,
 					  user->user_set->mail_home);
-	priv_r->chroot = user_expand_varstr(ctx->service, &user->input, priv_r,
+	priv_r->chroot = user_expand_varstr(ctx->service, user, priv_r,
 					    user->user_set->mail_chroot);
 	return 0;
 }
@@ -627,6 +643,7 @@
 	mail_user->anonymous = user->anonymous;
 	mail_user->admin = user->admin;
 	mail_user->auth_token = p_strdup(mail_user->pool, user->auth_token);
+	mail_user->auth_user = p_strdup(mail_user->pool, user->auth_user);
 	
 	mail_set = mail_user_set_get_storage_set(mail_user);
 
@@ -699,7 +716,7 @@
 
 		str = t_str_new(256);
 		var_expand(str, user->user_set->mail_log_prefix,
-			   get_var_expand_table(ctx->service, &user->input, priv));
+			   get_var_expand_table(ctx->service, user, &user->input, priv));
 		user->log_prefix = p_strdup(user->pool, str_c(str));
 	} T_END;
 
diff -r 61142fbbecf0 -r 5350000a999b src/lib-storage/mail-user.c
--- a/src/lib-storage/mail-user.c	Tue Jan 14 02:43:09 2014 +0200
+++ b/src/lib-storage/mail-user.c	Tue Jan 14 03:24:47 2014 +0200
@@ -207,6 +207,9 @@
 		{ 'p', NULL, "pid" },
 		{ 'i', NULL, "uid" },
 		{ '\0', NULL, "gid" },
+		{ '\0', NULL, "auth_user" },
+		{ '\0', NULL, "auth_username" },
+		{ '\0', NULL, "auth_domain" },
 		{ '\0', NULL, NULL }
 	};
 	struct var_expand_table *tab;
@@ -232,6 +235,15 @@
 	tab[7].value = my_pid;
 	tab[8].value = p_strdup(user->pool, dec2str(user->uid));
 	tab[9].value = p_strdup(user->pool, dec2str(user->gid));
+	if (user->auth_user == NULL) {
+		tab[10].value = tab[0].value;
+		tab[11].value = tab[1].value;
+		tab[12].value = tab[2].value;
+	} else {
+		tab[10].value = user->auth_user;
+		tab[11].value = t_strcut(user->auth_user, '@');
+		tab[12].value = strchr(user->auth_user, '@');
+	}
 
 	user->var_expand_table = tab;
 	return user->var_expand_table;
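Review bot: `tab[11].value = t_strcut(user->auth_user, '@')` stores a data-stack string (by Dovecot's t_ naming convention) in a table that is then cached in `user->var_expand_table` for the user's lifetime; the neighbouring uid/gid entries wrap their dec2str() results in p_strdup(user->pool, ...) for exactly this reason, so %{auth_username} may later read a popped data-stack frame. The line should read `tab[11].value = p_strdup(user->pool, t_strcut(user->auth_user, '@'));`. The following line also keeps the leading '@' in %{auth_domain} (strchr points at the separator), unlike client-common.c's get_var_expand_users which does `tab[2].value++`; add `if (tab[12].value != NULL) tab[12].value++;`. The function begins above this hunk.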
diff -r 61142fbbecf0 -r 5350000a999b src/lib-storage/mail-user.h
--- a/src/lib-storage/mail-user.h	Tue Jan 14 02:43:09 2014 +0200
+++ b/src/lib-storage/mail-user.h	Tue Jan 14 03:24:47 2014 +0200
@@ -24,7 +24,7 @@
 	gid_t gid;
 	const char *service;
 	struct ip_addr *local_ip, *remote_ip;
-	const char *auth_token;
+	const char *auth_token, *auth_user;
 
 	const struct var_expand_table *var_expand_table;
 	/* If non-NULL, fail the user initialization with this error.
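Review bot: The new `auth_user` member of struct mail_user is undocumented, and its NULL-vs-set meaning drives the %{auth_user} expansion in mail-user.c, which falls back to the username when the field is NULL. A comment on the declaration, `/* SASL authentication ID: master user for master logins, original user when the name was rewritten; NULL when it equals username */`, would record the contract the commit message describes. The "NULL when equal" part is inferred from auth-request-handler.c omitting the field in that case, so confirm it before committing to it in the header.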
diff -r 61142fbbecf0 -r 5350000a999b src/login-common/client-common.c
--- a/src/login-common/client-common.c	Tue Jan 14 02:43:09 2014 +0200
+++ b/src/login-common/client-common.c	Tue Jan 14 03:24:47 2014 +0200
@@ -273,6 +273,7 @@
 	i_free(client->proxy_master_user);
 	i_free(client->virtual_user);
 	i_free(client->virtual_user_orig);
+	i_free(client->virtual_auth_user);
 	i_free(client->auth_mech_name);
 	i_free(client->master_data_prefix);
 	pool_unref(&client->pool);
@@ -474,28 +475,37 @@
 	{ '\0', NULL, "orig_user" },
 	{ '\0', NULL, "orig_username" },
 	{ '\0', NULL, "orig_domain" },
+	{ '\0', NULL, "auth_user" },
+	{ '\0', NULL, "auth_username" },
+	{ '\0', NULL, "auth_domain" },
 	{ '\0', NULL, NULL }
 };
 
+static void
+get_var_expand_users(struct var_expand_table *tab, const char *user)
+{
+	unsigned int i;
+
+	tab[0].value = user;
+	tab[1].value = t_strcut(user, '@');
+	tab[2].value = strchr(user, '@');
+	if (tab[2].value != NULL) tab[2].value++;
+
+	for (i = 0; i < 3; i++)
+		tab[i].value = str_sanitize(tab[i].value, 80);
+}
+
 static const struct var_expand_table *
 get_var_expand_table(struct client *client)
 {
 	struct var_expand_table *tab;
-	unsigned int i;
 
 	tab = t_malloc(sizeof(login_var_expand_empty_tab));
 	memcpy(tab, login_var_expand_empty_tab,
 	       sizeof(login_var_expand_empty_tab));
 
-	if (client->virtual_user != NULL) {
-		tab[0].value = client->virtual_user;
-		tab[1].value = t_strcut(client->virtual_user, '@');
-		tab[2].value = strchr(client->virtual_user, '@');
-		if (tab[2].value != NULL) tab[2].value++;
-
-		for (i = 0; i < 3; i++)
-			tab[i].value = str_sanitize(tab[i].value, 80);
-	}
+	if (client->virtual_user != NULL)
+		get_var_expand_users(tab, client->virtual_user);
 	tab[3].value = login_binary->protocol;
 	tab[4].value = getenv("HOME");

