0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/* Copyright (c) 2005-2017 Dovecot authors, see the included COPYING file */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "lib.h"
8e371a3ce32bd64288786855b8ce0cb63f19f7d1Timo Sirainen#include "array.h"
d9fdacd5fb3e07997e5c389739d2054f0c8441d8Timo Sirainen#include "hash-method.h"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "settings-parser.h"
8e371a3ce32bd64288786855b8ce0cb63f19f7d1Timo Sirainen#include "master-service-private.h"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "master-service-settings.h"
5fb3bff645380804c9db2510940c41db6b8fdb01Timo Sirainen#include "service-settings.h"
5fb3bff645380804c9db2510940c41db6b8fdb01Timo Sirainen#include "auth-settings.h"
15b9759df8e4f6fb00c115353827a2aebbebfebcTimo Sirainen
15b9759df8e4f6fb00c115353827a2aebbebfebcTimo Sirainen#include <stddef.h>
15b9759df8e4f6fb00c115353827a2aebbebfebcTimo Sirainen
/* Forward declarations of the .check_func callbacks referenced from the
   setting_parser_info tables below; the definitions follow the tables.
   Each receives the parsed settings struct as void *, the pool the
   settings live in, and returns FALSE with *error_r set on rejection. */
static bool auth_settings_check(void *_set, pool_t pool, const char **error_r);
static bool auth_passdb_settings_check(void *_set, pool_t pool, const char **error_r);
static bool auth_userdb_settings_check(void *_set, pool_t pool, const char **error_r);
8e371a3ce32bd64288786855b8ce0cb63f19f7d1Timo Sirainen
/* <settings checks> */
/* Unix sockets created for the "auth" service. The field order
   (presumably path, octal mode, user, group) follows struct
   file_listener_settings, which is defined elsewhere — confirm there.
   The 0600 sockets are readable/writable only by their owner, while the
   0666 ones (login, token-login, auth-userdb) are intentionally open to
   any local user. */
static struct file_listener_settings auth_unix_listeners_array[] = {
	{ "login/login", 0666, "", "" },
	{ "token-login/tokenlogin", 0666, "", "" },
	{ "auth-login", 0600, "$default_internal_user", "" },
	{ "auth-client", 0600, "$default_internal_user", "" },
	{ "auth-userdb", 0666, "$default_internal_user", "" },
	{ "auth-master", 0600, "", "" }
};
/* Pointer table over the array above, in the same order; the service
   settings reference the listeners through this indirection. */
static struct file_listener_settings *auth_unix_listeners[] = {
	&auth_unix_listeners_array[0],
	&auth_unix_listeners_array[1],
	&auth_unix_listeners_array[2],
	&auth_unix_listeners_array[3],
	&auth_unix_listeners_array[4],
	&auth_unix_listeners_array[5]
};
/* Static buffer_t wrapping the pointer table, used as the backing store
   of .unix_listeners in auth_service_settings below. */
static buffer_t auth_unix_listeners_buf = {
	auth_unix_listeners, sizeof(auth_unix_listeners), { NULL, }
};
/* </settings checks> */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
/* Master service definition for the "auth" process: runs the "auth"
   executable as $default_internal_user, no chroot, no privilege drop
   before exec, and exactly one process (.process_limit = 1;
   .process_limit_1 = TRUE presumably marks that limit as fixed rather
   than a tunable default — confirm in service-settings.h). Only the unix
   listeners declared above are used; no fifo or inet listeners. */
struct service_settings auth_service_settings = {
	.name = "auth",
	.protocol = "",
	.type = "",
	.executable = "auth",
	.user = "$default_internal_user",
	.group = "",
	.privileged_group = "",
	.extra_groups = "",
	.chroot = "",

	.drop_priv_before_exec = FALSE,

	.process_min_avail = 0,
	.process_limit = 1,
	.client_limit = 0,
	.idle_kill = 0,
	.service_count = 0,
	/* (uoff_t)-1: no VSZ limit for the auth process */
	.vsz_limit = (uoff_t)-1,

	.unix_listeners = { { &auth_unix_listeners_buf,
			      sizeof(auth_unix_listeners[0]) } },
	.fifo_listeners = ARRAY_INIT,
	.inet_listeners = ARRAY_INIT,

	.process_limit_1 = TRUE
};
ccc895c0358108d2304239063e940b7d75f364abTimo Sirainen
/* <settings checks> */
/* The single unix socket of the auth-worker service, owner-only (0600)
   and owned by $default_internal_user. Same wrapping scheme as the
   "auth" listeners above: array -> pointer table -> static buffer_t. */
static struct file_listener_settings auth_worker_unix_listeners_array[] = {
	{ "auth-worker", 0600, "$default_internal_user", "" }
};
static struct file_listener_settings *auth_worker_unix_listeners[] = {
	&auth_worker_unix_listeners_array[0]
};
static buffer_t auth_worker_unix_listeners_buf = {
	auth_worker_unix_listeners, sizeof(auth_worker_unix_listeners), { NULL, }
};
/* </settings checks> */
ab0155cbec1286e1cd00a0e01d78e0f3ca34cea6Timo Sirainen
/* Master service definition for the "auth-worker" processes ("auth -w").
   .user is left empty here, unlike the main auth service. .client_limit
   and .service_count are both 1, i.e. (presumably) one client per worker
   process, after which the process is recycled; .process_limit = 0 leaves
   the process count to the master's default. */
struct service_settings auth_worker_service_settings = {
	.name = "auth-worker",
	.protocol = "",
	.type = "",
	.executable = "auth -w",
	.user = "",
	.group = "",
	.privileged_group = "",
	.extra_groups = "",
	.chroot = "",

	.drop_priv_before_exec = FALSE,

	.process_min_avail = 0,
	.process_limit = 0,
	.client_limit = 1,
	.service_count = 1,
	.idle_kill = 0,
	/* (uoff_t)-1: no VSZ limit */
	.vsz_limit = (uoff_t)-1,

	.unix_listeners = { { &auth_worker_unix_listeners_buf,
			      sizeof(auth_worker_unix_listeners[0]) } },
	.fifo_listeners = ARRAY_INIT,
	.inet_listeners = ARRAY_INIT
};
d756ebcfa96bd7cff02097c8f26df9df368b81b1Timo Sirainen
/* DEF(type, name): one setting_define for field `name` of
   struct auth_passdb_settings; the config key is the bare field name. */
#undef DEF
#define DEF(type, name) \
	{ type, #name, offsetof(struct auth_passdb_settings, name), NULL }

/* Settings accepted inside a passdb { } block. The SET_ENUM fields take
   their accepted values from the colon-separated defaults below. */
static const struct setting_define auth_passdb_setting_defines[] = {
	DEF(SET_STR, name),
	DEF(SET_STR, driver),
	DEF(SET_STR, args),
	DEF(SET_STR, default_fields),
	DEF(SET_STR, override_fields),
	DEF(SET_STR, mechanisms),

	DEF(SET_ENUM, skip),
	DEF(SET_ENUM, result_success),
	DEF(SET_ENUM, result_failure),
	DEF(SET_ENUM, result_internalfail),

	DEF(SET_BOOL, deny),
	DEF(SET_BOOL, pass),
	DEF(SET_BOOL, master),
	DEF(SET_ENUM, auth_verbose),

	SETTING_DEFINE_LIST_END
};
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
/* Defaults for a passdb { } block. For the SET_ENUM fields the string
   lists the accepted values separated by ':' with the first one being the
   default (settings-parser convention — confirm there). driver is required
   and enforced by auth_passdb_settings_check(); pass=yes is obsolete and
   only accepted together with the default result_success. */
static const struct auth_passdb_settings auth_passdb_default_settings = {
	.name = "",
	.driver = "",
	.args = "",
	.default_fields = "",
	.override_fields = "",
	.mechanisms = "",

	.skip = "never:authenticated:unauthenticated",
	.result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail",
	.result_failure = "continue:return:return-ok:return-fail:continue-ok:continue-fail",
	.result_internalfail = "continue:return:return-ok:return-fail:continue-ok:continue-fail",

	.deny = FALSE,
	.pass = FALSE,
	.master = FALSE,
	.auth_verbose = "default:yes:no"
};
2ebeb22b9a8a8bb7fbe2f2e2908478a220792b87Timo Sirainen
/* Parser description for passdb { } blocks, referenced from the "passdb"
   DEFLIST in auth_setting_defines. .type_offset points at .name, i.e. the
   block's name is its list key. .parent_offset = (size_t)-1 presumably
   means the struct holds no back-pointer to its parent — confirm in
   settings-parser.h. */
const struct setting_parser_info auth_passdb_setting_parser_info = {
	.defines = auth_passdb_setting_defines,
	.defaults = &auth_passdb_default_settings,

	.type_offset = offsetof(struct auth_passdb_settings, name),
	.struct_size = sizeof(struct auth_passdb_settings),

	.parent_offset = (size_t)-1,
	.parent = &auth_setting_parser_info,

	.check_func = auth_passdb_settings_check
};
8e371a3ce32bd64288786855b8ce0cb63f19f7d1Timo Sirainen
/* DEF(type, name): one setting_define for field `name` of
   struct auth_userdb_settings; the config key is the bare field name. */
#undef DEF
#define DEF(type, name) \
	{ type, #name, offsetof(struct auth_userdb_settings, name), NULL }

/* Settings accepted inside a userdb { } block. Same layout as the passdb
   table minus mechanisms/deny/pass/master, which have no userdb meaning. */
static const struct setting_define auth_userdb_setting_defines[] = {
	DEF(SET_STR, name),
	DEF(SET_STR, driver),
	DEF(SET_STR, args),
	DEF(SET_STR, default_fields),
	DEF(SET_STR, override_fields),

	DEF(SET_ENUM, skip),
	DEF(SET_ENUM, result_success),
	DEF(SET_ENUM, result_failure),
	DEF(SET_ENUM, result_internalfail),

	DEF(SET_ENUM, auth_verbose),

	SETTING_DEFINE_LIST_END
};
fdc557286bc9f92c5f3bb49096ff6e2bcec0ea79Timo Sirainen
/* Defaults for a userdb { } block; SET_ENUM strings list the accepted
   values, first one default (see the passdb defaults above). driver is
   required and enforced by auth_userdb_settings_check(). */
static const struct auth_userdb_settings auth_userdb_default_settings = {
	/* NOTE: when adding fields, update also auth.c:userdb_dummy_set */
	.name = "",
	.driver = "",
	.args = "",
	.default_fields = "",
	.override_fields = "",

	.skip = "never:found:notfound",
	.result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail",
	.result_failure = "continue:return:return-ok:return-fail:continue-ok:continue-fail",
	.result_internalfail = "continue:return:return-ok:return-fail:continue-ok:continue-fail",

	.auth_verbose = "default:yes:no"
};
87460b08cb97b31cde640d4975a6aa2c1d0e7226Timo Sirainen
/* Parser description for userdb { } blocks, referenced from the "userdb"
   DEFLIST in auth_setting_defines; mirrors the passdb parser info. */
const struct setting_parser_info auth_userdb_setting_parser_info = {
	.defines = auth_userdb_setting_defines,
	.defaults = &auth_userdb_default_settings,

	.type_offset = offsetof(struct auth_userdb_settings, name),
	.struct_size = sizeof(struct auth_userdb_settings),

	.parent_offset = (size_t)-1,
	.parent = &auth_setting_parser_info,

	.check_func = auth_userdb_settings_check
};
fdc557286bc9f92c5f3bb49096ff6e2bcec0ea79Timo Sirainen
/* The config-visible names of most auth settings carry an "auth_" prefix,
   but the struct auth_settings fields do not. DEF() stringifies the field
   name with the prefix prepended; DEF_NOPREFIX() is for settings whose
   config name is the bare field name (presumably global settings shared
   with other services — confirm against master-service-settings.h);
   DEFLIST() declares a nested list of blocks parsed by `defines`. */
#undef DEF
#undef DEF_NOPREFIX
#undef DEFLIST
#define DEF(type, name) \
	{ type, "auth_"#name, offsetof(struct auth_settings, name), NULL }
#define DEF_NOPREFIX(type, name) \
	{ type, #name, offsetof(struct auth_settings, name), NULL }
#define DEFLIST(field, name, defines) \
	{ SET_DEFLIST, name, offsetof(struct auth_settings, field), defines }

static const struct setting_define auth_setting_defines[] = {
	DEF(SET_STR, mechanisms),
	DEF(SET_STR, realms),
	DEF(SET_STR, default_realm),
	DEF(SET_SIZE, cache_size),
	DEF(SET_TIME, cache_ttl),
	DEF(SET_TIME, cache_negative_ttl),
	DEF(SET_STR, username_chars),
	DEF(SET_STR, username_translation),
	DEF(SET_STR, username_format),
	DEF(SET_STR, master_user_separator),
	DEF(SET_STR, anonymous_username),
	DEF(SET_STR, krb5_keytab),
	DEF(SET_STR, gssapi_hostname),
	DEF(SET_STR, winbind_helper_path),
	/* resolved into proxy_self_ips by auth_settings_set_self_ips() */
	DEF(SET_STR, proxy_self),
	DEF(SET_TIME, failure_delay),

	/* auth policy server; validated in auth_settings_check() only when
	   auth_policy_server_url is non-empty */
	DEF(SET_STR, policy_server_url),
	DEF(SET_STR, policy_server_api_header),
	DEF(SET_UINT, policy_server_timeout_msecs),
	DEF(SET_STR, policy_hash_mech),
	DEF(SET_STR, policy_hash_nonce),
	DEF(SET_STR, policy_request_attributes),
	DEF(SET_BOOL, policy_reject_on_fail),
	DEF(SET_UINT, policy_hash_truncate),

	DEF(SET_BOOL, stats),
	/* debug_passwords implies debug implies verbose (auth_settings_check);
	   auth_verbose_passwords format is validated by
	   auth_verify_verbose_password() */
	DEF(SET_BOOL, verbose),
	DEF(SET_BOOL, debug),
	DEF(SET_BOOL, debug_passwords),
	DEF(SET_STR, verbose_passwords),
	DEF(SET_BOOL, ssl_require_client_cert),
	DEF(SET_BOOL, ssl_username_from_cert),
	DEF(SET_BOOL, use_winbind),

	DEF(SET_UINT, worker_max_count),

	DEFLIST(passdbs, "passdb", &auth_passdb_setting_parser_info),
	DEFLIST(userdbs, "userdb", &auth_userdb_setting_parser_info),

	DEF_NOPREFIX(SET_STR, base_dir),
	DEF_NOPREFIX(SET_BOOL, verbose_proctitle),
	DEF_NOPREFIX(SET_UINT, first_valid_uid),
	DEF_NOPREFIX(SET_UINT, last_valid_uid),
	DEF_NOPREFIX(SET_UINT, first_valid_gid),
	DEF_NOPREFIX(SET_UINT, last_valid_gid),

	DEF_NOPREFIX(SET_STR, ssl_client_ca_dir),
	DEF_NOPREFIX(SET_STR, ssl_client_ca_file),

	SETTING_DEFINE_LIST_END
};
d6badc27cd6e8d3398877b6766cb0aaeef3a7800Timo Sirainen
/* Built-in defaults for struct auth_settings. Derived fields (realms_arr,
   username_chars_map, username_translation_map, proxy_self_ips) are not
   listed here; auth_settings_check() fills them in after parsing. */
static const struct auth_settings auth_default_settings = {
	.mechanisms = "plain",
	.realms = "",
	.default_realm = "",
	/* 0 disables the cache; values 1..1023 are rejected by
	   auth_settings_check() as a likely unit mistake */
	.cache_size = 0,
	.cache_ttl = 60*60,
	.cache_negative_ttl = 60*60,
	/* allow-list of username bytes; an empty string would allow all */
	.username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@",
	.username_translation = "",
	.username_format = "%Lu",
	.master_user_separator = "",
	.anonymous_username = "anonymous",
	.krb5_keytab = "",
	.gssapi_hostname = "",
	.winbind_helper_path = "/usr/bin/ntlm_auth",
	.proxy_self = "",
	.failure_delay = 2,

	/* policy server is disabled while the URL is empty; when enabled,
	   policy_hash_nonce must be set and policy_hash_truncate (if > 0)
	   must be below the digest size in bits */
	.policy_server_url = "",
	.policy_server_api_header = "",
	.policy_server_timeout_msecs = 2000,
	.policy_hash_mech = "sha256",
	.policy_hash_nonce = "",
	.policy_request_attributes = "login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} device_id=%{client_id} protocol=%s",
	.policy_reject_on_fail = FALSE,
	.policy_hash_truncate = 12,

	.stats = FALSE,
	.verbose = FALSE,
	.debug = FALSE,
	.debug_passwords = FALSE,
	/* one of no/plain/sha1/yes, optionally ":<N>" — see
	   auth_verify_verbose_password() */
	.verbose_passwords = "no",
	.ssl_require_client_cert = FALSE,
	.ssl_username_from_cert = FALSE,
	.ssl_client_ca_dir = "",
	.ssl_client_ca_file = "",
	.use_winbind = FALSE,
	/* must stay > 0, enforced by auth_settings_check() */
	.worker_max_count = 30,
	.passdbs = ARRAY_INIT,
	.userdbs = ARRAY_INIT,
	.base_dir = PKG_RUNDIR,
	.verbose_proctitle = FALSE,
	/* uid/gid ranges; 0 for the last_* values presumably means no upper
	   bound — the range check itself lives outside this file */
	.first_valid_uid = 500,
	.last_valid_uid = 0,
	.first_valid_gid = 1,
	.last_valid_gid = 0,
};
/* Root parser description for the auth module: the single entry in the
   set_roots of auth_settings_read(), and the .parent of the passdb and
   userdb parser infos. Has no type key (.type_offset = (size_t)-1). */
const struct setting_parser_info auth_setting_parser_info = {
	.module_name = "auth",
	.defines = auth_setting_defines,
	.defaults = &auth_default_settings,

	.type_offset = (size_t)-1,
	.struct_size = sizeof(struct auth_settings),

	.parent_offset = (size_t)-1,

	.check_func = auth_settings_check
};
/* <settings checks> */
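/* Resolves auth_proxy_self — a space-separated list of host names or IP
   literals — into set->proxy_self_ips, a zero-terminated array of
   struct ip_addr allocated from `pool`. An empty setting yields just the
   terminator entry.

   Returns TRUE on success. Returns FALSE with *error_r set as soon as one
   entry fails to resolve; the settings check then fails instead of
   continuing with an incomplete self-IP list. */
static bool
auth_settings_set_self_ips(struct auth_settings *set, pool_t pool,
			   const char **error_r)
{
	const char *const *tmp;
	ARRAY(struct ip_addr) ips_array;
	struct ip_addr *ips;
	unsigned int ips_count;
	int ret;

	if (*set->proxy_self == '\0') {
		/* nothing configured: a single terminator entry (the same
		   role array_append_zero() plays in the non-empty case) */
		set->proxy_self_ips = p_new(pool, struct ip_addr, 1);
		return TRUE;
	}

	p_array_init(&ips_array, pool, 4);
	tmp = t_strsplit_spaces(set->proxy_self, " ");
	for (; *tmp != NULL; tmp++) {
		ret = net_gethostbyname(*tmp, &ips, &ips_count);
		if (ret != 0) {
			*error_r = t_strdup_printf("auth_proxy_self_ips: "
				"gethostbyname(%s) failed: %s",
				*tmp, net_gethosterror(ret));
			/* ips/ips_count are not set on failure, so falling
			   through to array_append() would append garbage and
			   the recorded error would be lost with a TRUE return.
			   Fail the check here. */
			return FALSE;
		}
		array_append(&ips_array, ips, ips_count);
	}
	array_append_zero(&ips_array);
	set->proxy_self_ips = array_idx(&ips_array, 0);
	return TRUE;
}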
/* Validates auth_verbose_passwords. The accepted forms are "no", "plain",
   "sha1" and "yes", optionally followed by ":<N>" where N is a non-zero
   unsigned truncation length. "yes" is an alias for "plain" and is
   rewritten in place; in that case a ":<N>" suffix is not carried over
   into set->verbose_passwords. Returns FALSE with *error_r set for an
   unknown keyword or a bad truncation number. */
static bool
auth_verify_verbose_password(struct auth_settings *set,
			     const char **error_r)
{
	const char *mode = set->verbose_passwords;
	const char *colon = strchr(mode, ':');

	if (colon != NULL) {
		unsigned int truncate_len;

		if (str_to_uint(colon + 1, &truncate_len) < 0 ||
		    truncate_len == 0) {
			*error_r = t_strdup_printf("auth_verbose_passwords: "
				"Invalid truncation number: '%s'", colon + 1);
			return FALSE;
		}
		/* compare only the keyword in front of the colon */
		mode = t_strdup_until(mode, colon);
	}

	if (strcmp(mode, "yes") == 0) {
		/* just use it as alias for "plain" */
		set->verbose_passwords = "plain";
		return TRUE;
	}
	if (strcmp(mode, "no") == 0 ||
	    strcmp(mode, "plain") == 0 ||
	    strcmp(mode, "sha1") == 0)
		return TRUE;

	*error_r = "auth_verbose_passwords: Invalid value";
	return FALSE;
}
/* Builds the username lookup tables from auth_username_chars and
   auth_username_translation. An empty auth_username_chars marks every
   byte as allowed; otherwise only the listed bytes are. Translation
   pairs are consumed two bytes at a time, so a trailing unpaired byte is
   ignored. */
static void
auth_settings_init_username_maps(struct auth_settings *set)
{
	const char *p;

	if (*set->username_chars == '\0') {
		/* all chars are allowed */
		memset(set->username_chars_map, 1,
		       sizeof(set->username_chars_map));
	} else {
		for (p = set->username_chars; *p != '\0'; p++)
			set->username_chars_map[(int)(uint8_t)*p] = 1;
	}

	/* an empty translation string simply leaves the map untouched */
	for (p = set->username_translation;
	     *p != '\0' && p[1] != '\0'; p += 2)
		set->username_translation_map[(int)(uint8_t)*p] = p[1];
}

/* Validates the auth_policy_* settings. Nothing is checked unless a
   policy server URL is configured; with one, a hash nonce is mandatory,
   the hash mechanism must be known to hash_method_lookup(), and a
   non-zero policy_hash_truncate must be smaller than the digest size in
   bits. Returns FALSE with *error_r set on the first violation. */
static bool
auth_settings_check_policy(const struct auth_settings *set,
			   const char **error_r)
{
	const struct hash_method *digest;

	if (*set->policy_server_url == '\0')
		return TRUE;

	if (*set->policy_hash_nonce == '\0') {
		*error_r = "auth_policy_hash_nonce must be set when policy server is used";
		return FALSE;
	}
	digest = hash_method_lookup(set->policy_hash_mech);
	if (digest == NULL) {
		*error_r = "invalid auth_policy_hash_mech given";
		return FALSE;
	}
	if (set->policy_hash_truncate > 0 &&
	    set->policy_hash_truncate >= digest->digest_size*8) {
		*error_r = t_strdup_printf("policy_hash_truncate is not smaller than digest size (%u >= %u)",
					   set->policy_hash_truncate,
					   digest->digest_size*8);
		return FALSE;
	}
	return TRUE;
}

/* .check_func for struct auth_settings, run by the settings parser after
   the values are read. Normalizes the verbosity flags, rejects invalid
   values and derives the runtime fields (username maps, realms_arr,
   proxy_self_ips) into `pool`. The checks run in a fixed order and the
   first failure decides the reported error. Returns FALSE with *error_r
   set on failure. */
static bool auth_settings_check(void *_set, pool_t pool,
				const char **error_r)
{
	struct auth_settings *set = _set;

	/* debug_passwords implies debug, which implies verbose */
	if (set->debug_passwords)
		set->debug = TRUE;
	if (set->debug)
		set->verbose = TRUE;

	if (set->worker_max_count == 0) {
		*error_r = "auth_worker_max_count must be above zero";
		return FALSE;
	}
	if (set->cache_size > 0 && set->cache_size < 1024) {
		/* probably a configuration error.
		   older versions used megabyte numbers */
		*error_r = t_strdup_printf("auth_cache_size value is too small "
					   "(%"PRIuUOFF_T" bytes)",
					   set->cache_size);
		return FALSE;
	}
	if (!auth_verify_verbose_password(set, error_r))
		return FALSE;

	auth_settings_init_username_maps(set);
	set->realms_arr =
		(const char *const *)p_strsplit_spaces(pool, set->realms, " ");

	if (!auth_settings_check_policy(set, error_r))
		return FALSE;
	return auth_settings_set_self_ips(set, pool, error_r);
}
/* .check_func for a passdb { } block: a driver must be given, and the
   obsolete pass=yes may only be combined with the default
   result_success of "return-ok". Returns FALSE with *error_r set
   otherwise. `pool` is unused. */
static bool
auth_passdb_settings_check(void *_set, pool_t pool ATTR_UNUSED,
			   const char **error_r)
{
	const struct auth_passdb_settings *set = _set;
	bool has_driver = set->driver != NULL && *set->driver != '\0';

	if (!has_driver) {
		*error_r = "passdb is missing driver";
		return FALSE;
	}
	if (set->pass && strcmp(set->result_success, "return-ok") != 0) {
		*error_r = "Obsolete pass=yes setting mixed with non-default result_success";
		return FALSE;
	}
	return TRUE;
}
/* .check_func for a userdb { } block: only requires that a driver is
   given. Returns FALSE with *error_r set otherwise. `pool` is unused. */
static bool
auth_userdb_settings_check(void *_set, pool_t pool ATTR_UNUSED,
			   const char **error_r)
{
	const struct auth_userdb_settings *set = _set;
	bool has_driver = set->driver != NULL && *set->driver != '\0';

	if (has_driver)
		return TRUE;

	*error_r = "userdb is missing driver";
	return FALSE;
}
/* </settings checks> */
/* Process-wide auth settings. Defined here but not assigned in this
   file; the owner of the process is expected to set it (typically from
   the result of auth_settings_read() — confirm at the call site). */
struct auth_settings *global_auth_settings;
/* Reads the auth module's settings for `service` through master_service
   and returns the parsed struct auth_settings. The result is allocated
   from `pool`, on which one extra reference is taken here; releasing it
   is up to the caller. *output_r receives the output of
   master_service_settings_read(). A configuration read error is fatal
   (i_fatal), and a failed post-parse check is treated as a programming
   error (i_unreached). */
struct auth_settings *
auth_settings_read(const char *service, pool_t pool,
		   struct master_service_settings_output *output_r)
{
	static const struct setting_parser_info *set_roots[] = {
		&auth_setting_parser_info,
		NULL
	};
	struct master_service_settings_input input = {
		.roots = set_roots,
		.module = "auth",
		.service = service,
	};
	struct setting_parser_context *parser;
	const char *error;
	void **parsed_sets;

	if (master_service_settings_read(master_service, &input,
					 output_r, &error) < 0)
		i_fatal("Error reading configuration: %s", error);

	pool_ref(pool);
	parser = settings_parser_dup(master_service->set_parser, pool);
	if (!settings_parser_check(parser, pool, &error))
		i_unreached();
	parsed_sets = master_service_settings_parser_get_others(master_service,
								parser);
	settings_parser_deinit(&parser);
	/* set_roots has a single root, so its settings are at index 0 */
	return parsed_sets[0];
}