src/login-common/login-settings.c

	login-settings.c revision 5733207dc3ec10e6e5a6e0a8b30fbd1b061062b9
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen/* Copyright (c) 2005-2012 Dovecot authors, see the included COPYING file */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "login-common.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "hostpid.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "var-expand.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "settings-parser.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "master-service.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "master-service-settings.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "master-service-settings-cache.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include "login-settings.h"
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include <stddef.h>
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#include <unistd.h>
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic bool login_settings_check(void *_set, pool_t pool, const char **error_r);
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen#undef DEF
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen#define DEF(type, name) \
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    { type, #name, offsetof(struct login_settings, name), NULL }
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainenstatic const struct setting_define login_setting_defines[] = {
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR, login_trusted_networks),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR_VARS, login_greeting),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, login_log_format_elements),
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen    DEF(SET_STR, login_log_format),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, login_access_sockets),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR, director_username_hash),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_ENUM, ssl),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR, ssl_ca),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_cert),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_key),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_key_password),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_cipher_list),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_protocols),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR, ssl_cert_username_field),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_STR, ssl_client_cert),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_client_key),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_STR, ssl_crypto_device),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, ssl_verify_client_cert),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, auth_ssl_require_client_cert),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, auth_ssl_username_from_cert),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, verbose_ssl),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, disable_plaintext_auth),
01cbf4ac5d44137ab434791be7f838d98d0fcf3bTimo Sirainen    DEF(SET_BOOL, auth_verbose),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, auth_debug),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_BOOL, verbose_proctitle),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    DEF(SET_UINT, mail_max_userip_connections),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    SETTING_DEFINE_LIST_END
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen};
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic const struct login_settings login_default_settings = {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .login_trusted_networks = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .login_greeting = PACKAGE_NAME" ready.",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .login_log_format = "%$: %s",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .login_access_sockets = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .director_username_hash = "%u",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl = "yes:no:required",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_ca = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_cert = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_key = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_key_password = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_protocols = "!SSLv2",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_cert_username_field = "commonName",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_client_cert = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_client_key = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_crypto_device = "",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .ssl_verify_client_cert = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .auth_ssl_require_client_cert = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .auth_ssl_username_from_cert = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .verbose_ssl = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .disable_plaintext_auth = TRUE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .auth_verbose = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .auth_debug = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .verbose_proctitle = FALSE,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .mail_max_userip_connections = 10
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen};
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenconst struct setting_parser_info login_setting_parser_info = {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .module_name = "login",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .defines = login_setting_defines,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .defaults = &login_default_settings,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .type_offset = (size_t)-1,
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen    .struct_size = sizeof(struct login_settings),
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .parent_offset = (size_t)-1,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    .check_func = login_settings_check
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen};
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainenstatic const struct setting_parser_info *default_login_set_roots[] = {
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen    &login_setting_parser_info,
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen    NULL
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen};
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainen
b2ecd50bb98c44816cb07c17aa17fae2b425f941Timo Sirainenconst struct setting_parser_info **login_set_roots = default_login_set_roots;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic struct master_service_settings_cache *set_cache;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen/* <settings checks> */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic int ssl_settings_check(void *_set ATTR_UNUSED, const char **error_r)
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen{
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    struct login_settings *set = _set;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#ifndef HAVE_SSL
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    *error_r = t_strdup_printf("SSL support not compiled in but ssl=%s",
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen                   set->ssl);
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    return FALSE;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen#else
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    if (*set->ssl_cert == '\0') {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen        *error_r = "ssl enabled, but ssl_cert not set";
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen        return FALSE;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    }
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen    if (*set->ssl_key == '\0') {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen        *error_r = "ssl enabled, but ssl_key not set";
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen        return FALSE;
    }
    if (set->ssl_verify_client_cert && *set->ssl_ca == '\0') {
        *error_r = "ssl_verify_client_cert set, but ssl_ca not";
        return FALSE;
    }
    return TRUE;
#endif
}

static bool login_settings_check(void *_set, pool_t pool, const char **error_r)
{
    struct login_settings *set = _set;

    set->log_format_elements_split =
        p_strsplit(pool, set->login_log_format_elements, " ");

    if (set->auth_ssl_require_client_cert ||
        set->auth_ssl_username_from_cert) {
        /* if we require valid cert, make sure we also ask for it */
        set->ssl_verify_client_cert = TRUE;
    }

    if (set->auth_debug_passwords)
        set->auth_debug = TRUE;
    if (set->auth_debug)
        set->auth_verbose = TRUE;

    if (strcmp(set->ssl, "no") == 0) {
        /* disabled */
    } else if (strcmp(set->ssl, "yes") == 0) {
        if (!ssl_settings_check(set, error_r))
            return FALSE;
    } else if (strcmp(set->ssl, "required") == 0) {
        if (!ssl_settings_check(set, error_r))
            return FALSE;
        set->disable_plaintext_auth = TRUE;
    } else {
        *error_r = t_strdup_printf("Unknown ssl setting value: %s",
                       set->ssl);
        return FALSE;
    }
    return TRUE;
}
/* </settings checks> */

static const struct var_expand_table *
login_set_var_expand_table(const struct master_service_settings_input *input)
{
    static struct var_expand_table static_tab[] = {
        { 'l', NULL, "lip" },
        { 'r', NULL, "rip" },
        { 'p', NULL, "pid" },
        { 's', NULL, "service" },
        { '\0', NULL, NULL }
    };
    struct var_expand_table *tab;

    tab = t_malloc(sizeof(static_tab));
    memcpy(tab, static_tab, sizeof(static_tab));

    tab[0].value = net_ip2addr(&input->local_ip);
    tab[1].value = net_ip2addr(&input->remote_ip);
    tab[2].value = my_pid;
    tab[3].value = input->service;
    return tab;
}

struct login_settings *
login_settings_read(pool_t pool,
            const struct ip_addr *local_ip,
            const struct ip_addr *remote_ip,
            const char *local_name,
            void ***other_settings_r)
{
    struct master_service_settings_input input;
    const char *error;
    const struct setting_parser_context *parser;
    void *const *cache_sets;
    void **sets;
    unsigned int i, count;

    memset(&input, 0, sizeof(input));
    input.roots = login_set_roots;
    input.module = login_binary->process_name;
    input.service = login_binary->protocol;
    input.local_name = local_name;

    if (local_ip != NULL)
        input.local_ip = *local_ip;
    if (remote_ip != NULL)
        input.remote_ip = *remote_ip;

    if (set_cache == NULL) {
        set_cache = master_service_settings_cache_init(master_service,
                                   input.module,
                                   input.service);
    }

    if (master_service_settings_cache_read(set_cache, &input, NULL,
                           &parser, &error) < 0)
        i_fatal("Error reading configuration: %s", error);

    cache_sets = settings_parser_get_list(parser) + 1;
    for (count = 0; input.roots[count] != NULL; count++) ;
    i_assert(cache_sets[count] == NULL);
    sets = p_new(pool, void *, count + 1);
    for (i = 0; i < count; i++) {
        sets[i] = settings_dup(input.roots[i], cache_sets[i], pool);
        if (!settings_check(input.roots[i], pool, sets[i], &error)) {
            const char *name = input.roots[i]->module_name;
            i_fatal("settings_check(%s) failed: %s",
                name != NULL ? name : "unknown", error);
        }
    }

    settings_var_expand(&login_setting_parser_info, sets[0], pool,
                login_set_var_expand_table(&input));

    *other_settings_r = sets + 1;
    return sets[0];
}

void login_settings_deinit(void)
{
    if (set_cache != NULL)
        master_service_settings_cache_deinit(&set_cache);
}