patch for perl auth hook in CURRENT

Erik Klavon erik at eriq.org
Fri Oct 11 21:46:22 UTC 2002


On Wed, Oct 02, 2002 at 07:50:59PM -0700, Russ Allbery wrote:
> I like the basic idea, but I'd rather that it be done slightly
> differently.  Rather than adding the username between the return code and
> the error message, could you add it as an optional third value which,
> if not given, defaults to the username given in the authentication?
> 
> The rationale is that most people won't need to set the username, so this
> way they don't have to think about it and pass that empty string in the
> middle of their return value.
> 
> The static buffer for the new user string is rather ugly, but I guess
> there isn't a good way to do that with the current, rather horrible,
> perm.c structure.
> 
> Also, the source file for doc/hook-perl is doc/pod/hook-perl.pod; could
> you provide a patch for it instead?
> 

Here is the updated patch:

diff -ur inn/doc/pod/hook-perl.pod inn_user/doc/pod/hook-perl.pod
--- inn/doc/pod/hook-perl.pod	Sun Mar 17 11:29:13 2002
+++ inn_user/doc/pod/hook-perl.pod	Fri Oct 11 13:51:09 2002
@@ -357,14 +357,18 @@
         perl_auth: "/path/to/script/auth1.pl"
 
 The file given as argument to perl_auth should contain the same
-procedures as before. The hash global hash %attributes remains the
+procedures as before. The global hash %attributes remains the
 same, except for the removal of the "type" entry which is no longer
-needed in this modification. The return array now only contains two
-elements, the first of which is the NNTP return code. The second is an
-error string which is passed to the client if the error code indicates
-that the authentication attempt has failed. This allows a specific
-error message to be generated by the perl script in place of
-"Authentication failed".
+needed in this modification. The return array now only contains either
+two or three elements, the first of which is the NNTP return code. The
+second is an error string which is passed to the client if the error
+code indicates that the authentication attempt has failed. This allows
+a specific error message to be generated by the perl script in place of
+"Authentication failed". An optional third return element if present
+will be used to match the connection with the users: parameter in
+access groups and will also be the username logged. If this element is
+absent, the username supplied by the client during authentication will
+be used as was the previous behavior.
 
 The perl_access parameter (described below) is also new; it allows the
 dynamic generation of an access group for an incoming connection using
@@ -420,10 +424,15 @@
 C<$attributes{username}> will contain the provided username and
 C<$attributes{password}> the password.
 
-authenticate() should return a two-element array.  The first element is
-the NNTP response code to return to the client, the second element is an
-error string which is passed to the client if the response code indicates
-that the authentication attempt has failed.
+authenticate() should return a two or three element array.  The first
+element is the NNTP response code to return to the client, the second
+element is an error string which is passed to the client if the
+response code indicates that the authentication attempt has failed. An
+optional third return element if present will be used to match the
+connection with the users: parameter in access groups and will also be
+the username logged. If this element is absent, the username supplied
+by the client during authentication will be used for matching and
+logging.
 
 The NNTP response code should probably be either 281 (authentication
 successful) or 502 (authentication unsuccessful).  If the code
@@ -431,9 +440,11 @@
 authentication error message and drop the connection and exit.
 
 If authenticate() dies (either due to a Perl error or due to calling die),
-or if it returns anything other than the two-element array described
-above, an internal error will be reported to the client, the exact error
-will be logged to syslog, and nnrpd will drop the connection and exit.
+or if it returns anything other than the two or three element array
+described above, an internal error will be reported to the client, the
+exact error will be logged to syslog, and nnrpd will drop the
+connection and exit.
+
 
 =head1 Dynamic Generation of Access Groups
 
diff -ur inn/nnrpd/commands.c inn_user/nnrpd/commands.c
--- inn/nnrpd/commands.c	Mon Sep 30 14:16:29 2002
+++ inn_user/nnrpd/commands.c	Fri Oct 11 11:09:14 2002
@@ -322,9 +322,9 @@
 #endif /* DO_PYTHON */
 
 	    if (EQ(User, PERMuser) && EQ(Password, PERMpass)) {
-		syslog(L_NOTICE, "%s user %s", ClientHost, User);
+		syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
 		if (LLOGenable) {
-			fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+			fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
 			fflush(locallog);
 		}
 		Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
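Review bot: Replacing `User` with `PERMuser` in the two log calls of this hunk does not change what is logged, because the enclosing `if (EQ(User, PERMuser) && EQ(Password, PERMpass))` has just established that the two strings compare equal; only the second hunk, after `PERMlogin`, is where PERMuser can carry the name returned by the Perl hook and where the substitution matters. Keeping it here is harmless but suggests a behaviour difference that does not exist, so a comment such as `/* PERMuser == User on this path; logged for consistency with the post-PERMlogin branch below */` would make the intent explicit. The enclosing function starts and ends outside the hunk.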
@@ -338,9 +338,9 @@
             PERMlogin(User, Password, errorstr);
 	    PERMgetpermissions();
 	    if (!PERMneedauth) {
-		syslog(L_NOTICE, "%s user %s", ClientHost, User);
+		syslog(L_NOTICE, "%s user %s", ClientHost, PERMuser);
 		if (LLOGenable) {
-			fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, User);
+			fprintf(locallog, "%s user (%s):%s\n", ClientHost, Username, PERMuser);
 			fflush(locallog);
 		}
 		Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
diff -ur inn/nnrpd/nnrpd.h inn_user/nnrpd/nnrpd.h
--- inn/nnrpd/nnrpd.h	Sun Sep 29 20:27:59 2002
+++ inn_user/nnrpd/nnrpd.h	Fri Oct 11 11:09:14 2002
@@ -274,7 +274,7 @@
 #ifdef  DO_PERL
 extern void loadPerl(void);
 extern void perlAccess(char *clientHost, char *clientIpString, char *serverHost, char *user, struct vector *access_vec);
-extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring);
+extern int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char*newUser);
 extern void perlAuthInit(void);
 #endif /* DO_PERL */
 
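Review bot: The new prototype states nothing about the contract for `newUser`, which the rest of the patch relies on: the caller in perm.c sizes it as `char newUser[BIG_BUFFER]` and clears its first byte before the call, and perl.c writes to it only when the script returns three values, so a caller that does not pre-initialise it cannot tell the two-value case apart. That belongs on the declaration, e.g. `/* newUser: caller-supplied buffer of at least BIG_BUFFER bytes with newUser[0] == '\0' on entry; receives the optional third value returned by authenticate(), left untouched otherwise */`. The spacing `char*newUser` should also be `char *newUser` to match the other parameters on the line.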
diff -ur inn/nnrpd/perl.c inn_user/nnrpd/perl.c
--- inn/nnrpd/perl.c	Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perl.c	Fri Oct 11 14:02:18 2002
@@ -310,7 +310,7 @@
     
 }
 
-int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring) {
+int perlAuthenticate(char *clientHost, char *clientIpString, char *serverHost, char *user, char *passwd, char *errorstring, char *newUser) {
     dSP;
     HV              *attribs;
     int             rc;
@@ -347,14 +347,20 @@
 	ExitWithStats(1, FALSE);
     }
 
-    if (rc != 2) {
+    if ((rc != 3) && (rc != 2)) {
 	syslog(L_ERROR, "Perl function authenticate returned wrong number of results: %d", rc);
 	Reply("%d Internal Error (2).  Goodbye\r\n", NNTP_ACCESS_VAL);
 	ExitWithStats(1, FALSE);
     }
 
+    if (rc == 3) {
+      p = POPp;
+      strcpy(newUser, p);
+    } 
+
     p = POPp;
     strcpy(errorstring, p);
+
     code = POPi;
 
     if ((code == NNTP_POSTOK_VAL) || (code == NNTP_NOPOSTOK_VAL))
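Review bot: `strcpy(newUser, p)` copies the third value returned by the Perl authenticate() function with no length bound, while the only caller sizes the destination as `char newUser[BIG_BUFFER]`; the hook may return a string of any length (for instance by echoing back the client-supplied username), so this is an unbounded write into a fixed-size stack buffer. Use a bounded copy, `snprintf(newUser, BIG_BUFFER, "%s", p);` if BIG_BUFFER is visible here, or better pass the destination size as a parameter; the pre-existing `strcpy(errorstring, p)` just below has the same shape and deserves the same treatment. Note also that an empty third element is indistinguishable from an absent one, because the caller tests `newUser[0] != '\0'`; if that is intended, hook-perl.pod should say so. perlAuthenticate's body begins in the previous hunk and continues past this one.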
diff -ur inn/nnrpd/perm.c inn_user/nnrpd/perm.c
--- inn/nnrpd/perm.c	Mon Sep 30 14:16:30 2002
+++ inn_user/nnrpd/perm.c	Fri Oct 11 11:09:14 2002
@@ -2143,6 +2143,7 @@
     char *resdir;
     char *tmp;
     char *perl_path;
+    char newUser[BIG_BUFFER];
     EXECSTUFF *foo;
     int done	    = 0;
     int code;
@@ -2156,6 +2157,7 @@
     free(tmp);
 
     ubuf[0] = '\0';
+    newUser[0] = '\0';
     for (i = 0; auth->auth_methods[i]; i++) {
 #ifdef DO_PERL
       if (auth->auth_methods[i]->type == PERMperl_auth) {
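Review bot: `newUser[0] = '\0'` runs once before the `for` loop over `auth->auth_methods`, but perlAuthenticate is called inside the loop (next hunk), so if one Perl auth method returns three values and fails, and a later method succeeds while returning only two, the stale `newUser` from the failed attempt is what ends up in ubuf and is matched against access groups. Reset it immediately before each call, i.e. put `newUser[0] = '\0';` on the line before `code = perlAuthenticate(...)`, or have perlAuthenticate clear it on the two-value path. Whether more than one perl_auth method per auth group is configured in practice is not visible here. The enclosing function starts before this hunk and ends after the next one.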
@@ -2171,16 +2173,20 @@
                 free(perl_path);
                 perlAuthInit();
           
-                code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr);
+                code = perlAuthenticate(ClientHost, ClientIpString, ServerHost, username, password, errorstr, newUser);
                 if (code == NNTP_AUTH_OK_VAL) {
-                    syslog(L_NOTICE, "%s user %s", ClientHost, username);
+                    /* Set the value of ubuf to the right username */
+                    if (newUser[0] != '\0') {
+                      strcpy(ubuf, newUser);
+                    } else {
+                      strcpy(ubuf, username);
+                    }
+
+                    syslog(L_NOTICE, "%s user %s", ClientHost, ubuf);
                     if (LLOGenable) {
-                        fprintf(locallog, "%s user %s\n", ClientHost, username);
+                        fprintf(locallog, "%s user %s\n", ClientHost, ubuf);
                         fflush(locallog);
                     }
-              
-                    /* save these values in case you need them later */
-                    strcpy(ubuf, username);
                     break;
                 } else {
                     syslog(L_NOTICE, "%s bad_auth", ClientHost);
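Review bot: `strcpy(ubuf, newUser)` can copy up to BIG_BUFFER bytes into ubuf, whose declaration is not visible in this hunk; if ubuf is smaller than BIG_BUFFER, a long name returned by the hook overflows it, which the old code could not trigger because it only ever copied `username`. A bounded copy such as `snprintf(ubuf, sizeof ubuf, "%s", newUser);` (or with ubuf's declared size if it is not an array in this scope) keeps the hook-supplied name inside ubuf. Since ubuf then drives both access-group matching and logging, a comment like `/* ubuf is the effective identity: hook-supplied name if given, else the client-supplied one */` would document the precedence in place of the removed "save these values" remark. The enclosing function starts before this hunk and ends after it.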


-- 
erik         | "It is idle to think that, by means of words, | Maurice
  kl at von     | any real communication can ever pass | Maeterlinck
    eriq.org | from one [human] to another." | Silence

