patch for perl auth hook in CURRENT
Erik Klavon
erik at eriq.org
Wed Oct 2 22:49:20 UTC 2002
Greetings
Below is a patch for the perl authenticate hook in CURRENT. It
modifies nnrpd so as to require a three-element array be returned from
authenticate. The first element is the response code, the third an
error string as before. The second is a string containing the username
to be associated with the connection; it will be used to match the
connection with the users: parameter in access groups and will be
logged. If this string is empty, the username supplied by the client
during authentication will be used instead.
The necessary modifications to the documentation and wrapper scripts
are included.
Erik
diff -ur inn/doc/hook-perl inn_user/doc/hook-perl
--- inn/doc/hook-perl Sun Mar 17 11:29:12 2002
+++ inn_user/doc/hook-perl Wed Oct 2 15:12:05 2002
@@ -348,11 +348,16 @@
The file given as argument to perl_auth should contain the same
procedures as before. The hash global hash %attributes remains the same,
except for the removal of the "type" entry which is no longer needed in
- this modification. The return array now only contains two elements, the
- first of which is the NNTP return code. The second is an error string
- which is passed to the client if the error code indicates that the
- authentication attempt has failed. This allows a specific error message
- to be generated by the perl script in place of "Authentication failed".
+ this modification. The return array now only contains three elements, the
+ first of which is the NNTP return code. The second is a string
+ containing the username to be associated with the connection; it
+ will be used to match the connection with the users: parameter in
+ access groups and will be logged. If this string is empty, the
+ username supplied by the client during authentication will be used
+ instead. The third is an error string which is passed to the client if
+ the error code indicates that the authentication attempt has
+ failed. This allows a specific error message to be generated by
+ the perl script in place of "Authentication failed".
The perl_access parameter (described below) is also new; it allows the
dynamic generation of an access group for an incoming connection using a
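Review bot: "The return array now only contains three elements" in the first added line keeps the word "only" from the old two-element text, where it marked a reduction; now that the array grows, drop it ("now contains three elements"). The unchanged line above, "The hash global hash %attributes", also has a doubled "hash" that could be fixed while this paragraph is being edited.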
@@ -405,10 +410,14 @@
connected on, $attributes{username} will contain the provided username
and $attributes{password} the password.
- authenticate() should return a two-element array. The first element is
- the NNTP response code to return to the client, the second element is an
- error string which is passed to the client if the response code
- indicates that the authentication attempt has failed.
+ authenticate() should return a three-element array. The first element is
+ the NNTP response code to return to the client. The second is a string
+ containing the username to be associated with the connection; it
+ will be used to match the connection with the users: parameter in
+ access groups and will be logged. If this string is empty, the
+ username supplied by the client during authentication will be used
+ instead. The third is an error string which is passed to the client if
+ the error code indicates that the authentication attempt has failed.
The NNTP response code should probably be either 281 (authentication
successful) or 502 (authentication unsuccessful). If the code returned
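Review bot: the new description of the second element does not say when it is consulted or how long it may be. From the perm.c part of this patch, the returned name is only used when the code is NNTP_AUTH_OK_VAL and it is copied into a BIG_BUFFER-sized array, so the documentation should state that the element is ignored on failure and give a maximum length. Because this value is what gets matched against users: in access groups, it is also worth one sentence telling hook authors to return only a name the script has itself verified.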
@@ -416,7 +425,7 @@
message and drop the connection and exit.
If authenticate() dies (either due to a Perl error or due to calling
- die), or if it returns anything other than the two-element array
+ die), or if it returns anything other than the three-element array
described above, an internal error will be reported to the client, the
exact error will be logged to syslog, and nnrpd will drop the connection
and exit.
diff -ur inn/nnrpd/commands.c inn_user/nnrpd/commands.c
--- inn/nnrpd/commands.c Mon Sep 30 14:16:29 2002
+++ inn_user/nnrpd/commands.c Wed Oct 2 15:00:20 2002
@@ -322,9 +322,9 @@
#endif /* DO_PYTHON */
if (EQ(User, PERMuser) && EQ(Password, PERMpass)) {
- syslog(L_NOTICE, "%s user %s", ClientHost, User);
+ syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
if (LLOGenable) {
- fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+ fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
fflush(locallog);
}
Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
@@ -338,9 +338,9 @@
PERMlogin(User, Password, errorstr);
PERMgetpermissions();
if (!PERMneedauth) {
- syslog(L_NOTICE, "%s user %s", ClientHost, User);
+ syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
if (LLOGenable) {
- fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+ fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
fflush(locallog);
}
Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
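Review bot: the log lines after PERMlogin() now print PERMuser, which is correct only if PERMlogin() has stored the hook-supplied name there by the time PERMgetpermissions() returns; nothing in this hunk shows that, so a short comment here or a note in the patch description would help the next reader. In the earlier hunk the branch is guarded by EQ(User, PERMuser), so the substitution there changes nothing in the output and is purely for consistency.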
diff -ur inn/nnrpd/nnrpd.h inn_user/nnrpd/nnrpd.h
--- inn/nnrpd/nnrpd.h Sun Sep 29 20:27:59 2002
+++ inn_user/nnrpd/nnrpd.h Wed Oct 2 15:00:20 2002
@@ -274,7 +274,7 @@
#ifdef DO_PERL
extern void loadPerl(void);
extern void perlAccess(char *clientHost, char *clientIpString, char *serverHost, char *user, struct vector *access_vec);
-extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring);
+extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char*newUser);
extern void perlAuthInit(void);
#endif /* DO_PERL */
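Review bot: in the new prototype, "char*newUser" is missing the space the other parameters use ("char *newUser", as in the perl.c definition). More importantly, the out-parameter carries no length, so the callee cannot bound what it writes into it; suggest adding a size argument next to newUser.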
diff -ur inn/nnrpd/perl.c inn_user/nnrpd/perl.c
--- inn/nnrpd/perl.c Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perl.c Wed Oct 2 15:00:20 2002
@@ -310,7 +310,7 @@
}
-int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring) {
+int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char *newUser) {
dSP;
HV *attribs;
int rc;
@@ -347,7 +347,7 @@
ExitWithStats(1, FALSE);
}
- if (rc != 2) {
+ if (rc != 3) {
syslog(L_ERROR, "Perl function authenticate returned wrong number of results: %d", rc);
Reply("%d Internal Error (2). Goodbye\r\n", NNTP_ACCESS_VAL);
ExitWithStats(1, FALSE);
@@ -355,6 +355,10 @@
p = POPp;
strcpy(errorstring, p);
+
+ p = POPp;
+ strcpy(newUser, p);
+
code = POPi;
if ((code == NNTP_POSTOK_VAL) || (code == NNTP_NOPOSTOK_VAL))
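Review bot: the added strcpy(newUser, p) copies a script-returned string of arbitrary length into a caller buffer whose size perlAuthenticate() never learns. The caller in perm.c declares it as char newUser[BIG_BUFFER], so a hook that returns a longer name overruns that stack buffer. Pass the buffer size in with newUser and use a length-checked copy, treating an over-long name as the same internal error as a wrong result count. The existing strcpy(errorstring, p) just above has the same shape and could be fixed in the same pass.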
diff -ur inn/nnrpd/perm.c inn_user/nnrpd/perm.c
--- inn/nnrpd/perm.c Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perm.c Wed Oct 2 15:00:20 2002
@@ -2143,6 +2143,7 @@
char *resdir;
char *tmp;
char *perl_path;
+ char newUser[BIG_BUFFER];
EXECSTUFF *foo;
int done = 0;
int code;
@@ -2156,6 +2157,7 @@
free(tmp);
ubuf[0] = '\0';
+ newUser[0] = '\0';
for (i = 0; auth->auth_methods[i]; i++) {
#ifdef DO_PERL
if (auth->auth_methods[i]->type == PERMperl_auth) {
@@ -2171,16 +2173,20 @@
free(perl_path);
perlAuthInit();
- code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr);
+ code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr, newUser);
if (code == NNTP_AUTH_OK_VAL) {
- syslog(L_NOTICE, "%s user %s", ClientHost, username);
+ /* Set the value of ubuf to the right username */
+ if (newUser[0] != '\0') {
+ strcpy(ubuf, newUser);
+ } else {
+ strcpy(ubuf, username);
+ }
+
+ syslog(L_NOTICE, "%s user %s", ClientHost, ubuf);
if (LLOGenable) {
- fprintf(locallog, "%s user %s\n", ClientHost, username);
+ fprintf(locallog, "%s user %s\n", ClientHost, ubuf);
fflush(locallog);
}
-
- /* save these values in case you need them later */
- strcpy(ubuf, username);
break;
} else {
syslog(L_NOTICE, "%s bad_auth", ClientHost);
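Review bot: in the NNTP_AUTH_OK_VAL branch, once newUser is non-empty the name the client actually sent (username) is no longer written to syslog or locallog, so a log line cannot be tied back to the credentials that were presented. Consider logging both names when they differ. Also, strcpy(ubuf, newUser) copies from a BIG_BUFFER-sized source into ubuf, whose declaration is outside this hunk; confirm ubuf is at least that large or bound the copy.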
diff -ur inn/samples/nnrpd_access_wrapper.pl.in inn_user/samples/nnrpd_access_wrapper.pl.in
--- inn/samples/nnrpd_access_wrapper.pl.in Sun Mar 17 11:29:13 2002
+++ inn_user/samples/nnrpd_access_wrapper.pl.in Wed Oct 2 15:14:26 2002
@@ -2,7 +2,7 @@
# fixscript will replace this line with require innshellvars.pl
# Example wrapper nnrpd_access.pl for support of old perl authentication
-# scripts, by Erik Klavon.
+# scripts, by Erik Klavon <erik at eriq.org>.
# This file contains a sample perl script which can be used to
# duplicate the behavior of the old nnrpperlauth functionality. This
diff -ur inn/samples/nnrpd_auth_wrapper.pl.in inn_user/samples/nnrpd_auth_wrapper.pl.in
--- inn/samples/nnrpd_auth_wrapper.pl.in Sun Mar 17 11:29:13 2002
+++ inn_user/samples/nnrpd_auth_wrapper.pl.in Wed Oct 2 15:13:56 2002
@@ -2,7 +2,7 @@
# fixscript will replace this line with require innshellvars.pl
# Example wrapper nnrpd_auth.pl for support of old perl authentication
-# scripts, by Erik Klavon.
+# scripts, by Erik Klavon <erik at eriq.org>.
# This file contains a sample perl script which can be used to
# duplicate the behavior of the old nnrpperlauth functionality. This
@@ -37,13 +37,19 @@
# copy return code
$return_array[0] = $auth_array[0];
+ # null user string (nnrpd will use authentication username)
+ $return_array[1] = "";
+
# simple error report
if ($auth_array[0] != 281) {
- $return_array[1] = "Perl authentication error!";
+ $return_array[2] = "Perl authentication error!";
return @return_array;
} else {
- $return_array[1] = "";
+ $return_array[2] = "";
}
return @return_array;
}
+
+
+
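Review bot: the three added blank lines at the end of the file are stray whitespace and should be dropped. In the body, the "return @return_array;" inside the failure branch is redundant with the one that follows the if/else; it predates this patch, but since these lines are being renumbered anyway the two assignments to $return_array[2] could be collapsed into a single if/else followed by one return.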
--
erik | "It is idle to think that, by means of words, | Maurice
kl at von | any real communication can ever pass | Maeterlinck
eriq.org | from one [human] to another." | Silence