patch for perl auth hook in CURRENT
Erik Klavon
erik at eriq.org
Fri Oct 11 21:46:22 UTC 2002
On Wed, Oct 02, 2002 at 07:50:59PM -0700, Russ Allbery wrote:
> I like the basic idea, but I'd rather that it be done slightly
> differently. Rather than adding the username between the return code and
> the error message, could you add it as an optional third value which,
> if not given, defaults to the username given in the authentication?
>
> The rationale is that most people won't need to set the username, so this
> way they don't have to think about it and pass that empty string in the
> middle of their return value.
>
> The static buffer for the new user string is rather ugly, but I guess
> there isn't a good way to do that with the current, rather horrible,
> perm.c structure.
>
> Also, the source file for doc/hook-perl is doc/pod/hook-perl.pod; could
> you provide a patch for it instead?
>
Here is the updated patch:
diff -ur inn/doc/pod/hook-perl.pod inn_user/doc/pod/hook-perl.pod
--- inn/doc/pod/hook-perl.pod Sun Mar 17 11:29:13 2002
+++ inn_user/doc/pod/hook-perl.pod Fri Oct 11 13:51:09 2002
@@ -357,14 +357,18 @@
perl_auth: "/path/to/script/auth1.pl"
The file given as argument to perl_auth should contain the same
-procedures as before. The hash global hash %attributes remains the
+procedures as before. The global hash %attributes remains the
same, except for the removal of the "type" entry which is no longer
-needed in this modification. The return array now only contains two
-elements, the first of which is the NNTP return code. The second is an
-error string which is passed to the client if the error code indicates
-that the authentication attempt has failed. This allows a specific
-error message to be generated by the perl script in place of
-"Authentication failed".
+needed in this modification. The return array now only contains either
+two or three elements, the first of which is the NNTP return code. The
+second is an error string which is passed to the client if the error
+code indicates that the authentication attempt has failed. This allows
+a specific error message to be generated by the perl script in place of
+"Authentication failed". An optional third return element if present
+will be used to match the connection with the users: parameter in
+access groups and will also be the username logged. If this element is
+absent, the username supplied by the client during authentication will
+be used as was the previous behavior.
The perl_access parameter (described below) is also new; it allows the
dynamic generation of an access group for an incoming connection using
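Review bot: the new sentence "An optional third return element if present will be used ..." does not say what happens when the third element is present but empty; the perm.c hunk in this same patch tests newUser[0] != '\0' and so treats an empty string like an absent element, falling back to the client-supplied username. Document that, and state any length limit on the returned name, since it is copied into a fixed-size buffer. Grammar: set off the conditional, "An optional third return element, if present, will be used ...".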
@@ -420,10 +424,15 @@
C<$attributes{username}> will contain the provided username and
C<$attributes{password}> the password.
-authenticate() should return a two-element array. The first element is
-the NNTP response code to return to the client, the second element is an
-error string which is passed to the client if the response code indicates
-that the authentication attempt has failed.
+authenticate() should return a two or three element array. The first
+element is the NNTP response code to return to the client, the second
+element is an error string which is passed to the client if the
+response code indicates that the authentication attempt has failed. An
+optional third return element if present will be used to match the
+connection with the users: parameter in access groups and will also be
+the username logged. If this element is absent, the username supplied
+by the client during authentication will be used for matching and
+logging.
The NNTP response code should probably be either 281 (authentication
successful) or 502 (authentication unsuccessful). If the code
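Review bot: this paragraph repeats the third-element description from the previous hunk almost verbatim; it is the reference text for authenticate(), so this is the place to state that an empty third element counts as absent (as perm.c implements it) and to keep the hyphenation the removed text used ("two-element array"): "authenticate() should return a two- or three-element array."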
@@ -431,9 +440,11 @@
authentication error message and drop the connection and exit.
If authenticate() dies (either due to a Perl error or due to calling die),
-or if it returns anything other than the two-element array described
-above, an internal error will be reported to the client, the exact error
-will be logged to syslog, and nnrpd will drop the connection and exit.
+or if it returns anything other than the two or three element array
+described above, an internal error will be reported to the client, the
+exact error will be logged to syslog, and nnrpd will drop the
+connection and exit.
+
=head1 Dynamic Generation of Access Groups
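Review bot: the trailing "+" line inserts a second blank line before "=head1 Dynamic Generation of Access Groups"; POD already requires one blank line before a =head1 command and the unchanged text had it, so drop the extra one. Same hyphenation nit as above: "two- or three-element array".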
diff -ur inn/nnrpd/commands.c inn_user/nnrpd/commands.c
--- inn/nnrpd/commands.c Mon Sep 30 14:16:29 2002
+++ inn_user/nnrpd/commands.c Fri Oct 11 11:09:14 2002
@@ -322,9 +322,9 @@
#endif /* DO_PYTHON */
if (EQ(User, PERMuser) && EQ(Password, PERMpass)) {
- syslog(L_NOTICE, "%s user %s", ClientHost, User);
+ syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
if (LLOGenable) {
- fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+ fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
fflush(locallog);
}
Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
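Review bot: inside `if (EQ(User, PERMuser) && EQ(Password, PERMpass))` User and PERMuser are equal by construction, so switching the syslog and locallog lines to PERMuser changes no output here; it is fine for consistency with the next hunk, but say so in the change description so nobody looks for a behaviour change.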
@@ -338,9 +338,9 @@
PERMlogin(User, Password, errorstr);
PERMgetpermissions();
if (!PERMneedauth) {
- syslog(L_NOTICE, "%s user %s", ClientHost, User);
+ syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
if (LLOGenable) {
- fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+ fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
fflush(locallog);
}
Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
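Review bot: this is the first place a script-supplied name reaches syslog and the local log, and the hook-perl.pod change claims the same name is matched against the users: parameter in access groups, yet no hunk in this patch touches the access-group matching. Confirm that PERMgetpermissions() keys on PERMuser (the value taken from ubuf) rather than on the client-supplied User; otherwise the documented matching behaviour is only half true.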
diff -ur inn/nnrpd/nnrpd.h inn_user/nnrpd/nnrpd.h
--- inn/nnrpd/nnrpd.h Sun Sep 29 20:27:59 2002
+++ inn_user/nnrpd/nnrpd.h Fri Oct 11 11:09:14 2002
@@ -274,7 +274,7 @@
#ifdef DO_PERL
extern void loadPerl(void);
extern void perlAccess(char *clientHost, char *clientIpString, char *serverHost, char *user, struct vector *access_vec);
-extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring);
+extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char*newUser);
extern void perlAuthInit(void);
#endif /* DO_PERL */
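Review bot: `char*newUser` is missing the space every other parameter in this prototype uses (`char *errorstring`). Consider also passing the buffer length alongside the pointer, since perlAuthenticate() copies into newUser with no bound (see the perl.c hunk).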
diff -ur inn/nnrpd/perl.c inn_user/nnrpd/perl.c
--- inn/nnrpd/perl.c Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perl.c Fri Oct 11 14:02:18 2002
@@ -310,7 +310,7 @@
}
-int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring) {
+int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char *newUser) {
dSP;
HV *attribs;
int rc;
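Review bot: the new newUser output parameter is written only when the script returns three values (next hunk), so the caller must pre-clear it or read a stale value. Either say so in a comment above the function or have perlAuthenticate() set `newUser[0] = '\0';` itself on the two-element path, so the contract does not depend on every caller remembering.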
@@ -347,14 +347,20 @@
ExitWithStats(1, FALSE);
}
- if (rc != 2) {
+ if ((rc != 3) && (rc != 2)) {
syslog(L_ERROR, "Perl function authenticate returned wrong number of results: %d", rc);
Reply("%d Internal Error (2). Goodbye\r\n", NNTP_ACCESS_VAL);
ExitWithStats(1, FALSE);
}
+ if (rc == 3) {
+ p = POPp;
+ strcpy(newUser, p);
+ }
+
p = POPp;
strcpy(errorstring, p);
+
code = POPi;
if ((code == NNTP_POSTOK_VAL) || (code == NNTP_NOPOSTOK_VAL))
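Review bot: `strcpy(newUser, p)` copies a string under the Perl script's control into a fixed BIG_BUFFER-sized stack buffer with no length check, and a script that derives the name from $attributes{username} lets the client influence its length. Check strlen(p) against the buffer size before copying (or use a bounded copy and reject the result on truncation, since a silently truncated name may match a different access group); the existing `strcpy(errorstring, p)` has the same shape and should get the same treatment. The pop order is right: with three results the third element is on top of the stack, so POPp yields the username first, then the error string, then POPi the code.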
diff -ur inn/nnrpd/perm.c inn_user/nnrpd/perm.c
--- inn/nnrpd/perm.c Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perm.c Fri Oct 11 11:09:14 2002
@@ -2143,6 +2143,7 @@
char *resdir;
char *tmp;
char *perl_path;
+ char newUser[BIG_BUFFER];
EXECSTUFF *foo;
int done = 0;
int code;
@@ -2156,6 +2157,7 @@
free(tmp);
ubuf[0] = '\0';
+ newUser[0] = '\0';
for (i = 0; auth->auth_methods[i]; i++) {
#ifdef DO_PERL
if (auth->auth_methods[i]->type == PERMperl_auth) {
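Review bot: newUser is cleared once before the for loop over auth_methods and never again, and perlAuthenticate() writes it only on a three-element return, so if an earlier perl_auth method returns three elements with a failing code and a later method succeeds with two, the stale name from the failed method ends up in ubuf. Move `newUser[0] = '\0';` inside the loop body next to the perlAuthenticate() call, or have perlAuthenticate() always write it.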
@@ -2171,16 +2173,20 @@
free(perl_path);
perlAuthInit();
- code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr);
+ code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr, newUser);
if (code == NNTP_AUTH_OK_VAL) {
- syslog(L_NOTICE, "%s user %s", ClientHost, username);
+ /* Set the value of ubuf to the right username */
+ if (newUser[0] != '\0') {
+ strcpy(ubuf, newUser);
+ } else {
+ strcpy(ubuf, username);
+ }
+
+ syslog(L_NOTICE, "%s user %s", ClientHost, ubuf);
if (LLOGenable) {
- fprintf(locallog, "%s user %s\n", ClientHost, username);
+ fprintf(locallog, "%s user %s\n", ClientHost, ubuf);
fflush(locallog);
}
-
- /* save these values in case you need them later */
- strcpy(ubuf, username);
break;
} else {
syslog(L_NOTICE, "%s bad_auth", ClientHost);
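Review bot: `strcpy(ubuf, newUser)` can copy up to BIG_BUFFER-1 bytes into ubuf, whose declaration and size are not visible in this patch; confirm ubuf is at least BIG_BUFFER bytes or bound this copy too. Moving the `strcpy(ubuf, username)` fallback ahead of the logging so syslog and locallog report the effective name is right. Nit: the comment "Set the value of ubuf to the right username" would say more as "prefer the name the script returned, else the one the client sent".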
--
erik | "It is idle to think that, by means of words, | Maurice
kl at von | any real communication can ever pass | Maeterlinck
eriq.org | from one [human] to another." | Silence