/* Copyright (c) 2009-2018 Dovecot authors, see the included COPYING file */
 master_login_failure_callback_t *failure_callback;
static void master_login_conn_close(struct master_login_connection *conn);
static void master_login_conn_unref(struct master_login_connection **_conn);
master_login_init(struct master_service *service,
 i_assert(set->postlogin_socket_path == NULL ||
 login->failure_callback = set->failure_callback;
 login->auth = master_login_auth_init(set->auth_socket_path,
 login->postlogin_socket_path = i_strdup(set->postlogin_socket_path);
 login->postlogin_timeout_secs = set->postlogin_timeout_secs;
void master_login_deinit(struct master_login **_login)
 struct master_login_connection *conn = login->conns;
master_login_conn_read_request(struct master_login_connection *conn,
 unsigned char data[MASTER_AUTH_MAX_DATA_SIZE],
 ret = fd_read(conn->fd, req_r, sizeof(*req_r), client_fd_r);
 /* disconnected */
 i_error("Login client disconnected too early");
 } else if (ret > 0) {
 /* request wasn't fully read */
 if (req_r->data_size > MASTER_AUTH_MAX_DATA_SIZE) {
 /* @UNSAFE */
 /* disconnected */
 i_error("Login client disconnected too early "
 "(while reading data)");
 } else if (ret > 0) {
 /* request wasn't fully read */
 i_error("Auth request missing a file descriptor");
 i_error("Auth request inode mismatch: %s != %s",
static void master_login_client_free(struct master_login_client **_client)
 struct master_login_client *client = *_client;
 /* this client failed (login callback wasn't called).
 reset prefix to default. */
 i_set_failure_prefix("%s: ", client->conn->login->service->name);
 /* FIXME: currently we create a separate connection for each request,
 so close the connection after we're done with this client */
 if (!master_login_conn_is_closed(client->conn)) {
static void master_login_auth_finish(struct master_login_client *client,
 const char *const *auth_args)
 struct master_login *login = client->conn->login;
 struct master_service *service = login->service;
 close_sockets = service->master_status.available_count == 0 &&
 login->callback(client, auth_args[0], auth_args+1);
 /* we're dying as soon as this connection closes. */
 i_assert(master_login_auth_request_count(login->auth) == 0);
 /* try stopping again */
static void master_login_postlogin_free(struct master_login_postlogin *pl)
static void master_login_postlogin_input(struct master_login_postlogin *pl)
 while ((ret = fd_read(pl->fd, buf, sizeof(buf), &fd)) > 0) {
 /* post-login script replaced fd */
 if (len > 0 && str_c(pl->input)[len-1] == '\n') {
 /* finished reading the input */
 i_error("fd_read(%s) failed: %m", pl->socket_path);
 i_info("Post-login script denied access to user %s",
 auth_args = t_strsplit_tabescaped(str_c(pl->input));
 master_login_auth_finish(pl->client, auth_args);
static void master_login_postlogin_timeout(struct master_login_postlogin *pl)
 i_error("%s: Timeout waiting for post-login script to finish, aborting",
static int master_login_postlogin(struct master_login_client *client,
 const char *const *auth_args,
 struct master_login *login = client->conn->login;
 unsigned int i;
 fd = net_connect_unix_with_retries(socket_path, 1000);
 " - http://wiki2.dovecot.org/SocketUnavailable");
 str_printfa(str, "VERSION\tscript-login\t1\t0\n"
 "%s\t%s", net_ip2addr(&client->auth_req.local_ip),
 ret = fd_send(fd, client->fd, str_data(str), str_len(str));
 i_error("write(%s) failed: partial write", socket_path);
 pl->io = io_add(fd, IO_READ, master_login_postlogin_input, pl);
 pl->to = timeout_add(login->postlogin_timeout_secs * 1000,
static const char *
auth_args_find_postlogin_socket(const char *const *auth_args)
 for (unsigned int i = 0; auth_args[i] != NULL; i++) {
 if (strncmp(auth_args[i], "postlogin=", 10) == 0)
master_login_auth_callback(const char *const *auth_args, const char *errormsg,
 struct master_login_connection *conn = client->conn;
 reply.status = errormsg == NULL ? MASTER_AUTH_STATUS_OK :
 o_stream_nsend(conn->output, &reply, sizeof(reply));
 if (errormsg != NULL || auth_args[0] == NULL) {
 i_error("login client: Username missing from auth reply");
 errormsg = MASTER_AUTH_ERRMSG_INTERNAL_FAILURE;
 conn->login->failure_callback(client, errormsg);
 i_set_failure_prefix("%s(%s): ", client->conn->login->service->name,
 postlogin_socket_path = auth_args_find_postlogin_socket(auth_args);
 postlogin_socket_path = conn->login->postlogin_socket_path;
 /* we've sent the reply. the connection is no longer needed,
 so disconnect it (before login process disconnects us and
 logs an error) */
 /* execute post-login scripts before finishing auth */
static void master_login_conn_input(struct master_login_connection *conn)
 unsigned char data[MASTER_AUTH_MAX_DATA_SIZE];
 ret = master_login_conn_read_request(conn, &req, data, &client_fd);
 /* extract the session ID from the request data */
 /* @UNSAFE: we have a request. do userdb lookup for it. */
 client = i_malloc(MALLOC_ADD(sizeof(struct master_login_client), req.data_size));
 client->session_id = i_strndup(data, session_len);
void master_login_add(struct master_login *login, int fd)
 conn = i_new(struct master_login_connection, 1);
 conn->io = io_add(conn->fd, IO_READ, master_login_conn_input, conn);
 conn->output = o_stream_create_fd(fd, (size_t)-1);
 o_stream_set_no_error_handling(conn->output, TRUE);
 /* NOTE: currently there's a separate connection for each request. */
static void master_login_conn_close(struct master_login_connection *conn)
static void master_login_conn_unref(struct master_login_connection **_conn)
 struct master_login_connection *conn = *_conn;
 master_service_client_connection_destroyed(conn->login->service);
void master_login_stop(struct master_login *login)
 if (master_login_auth_request_count(login->auth) == 0) {