[exim.git] / src / src / auths / check_serv_cond.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2012 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"

/* This module contains the function server_condition(), which is used
by all authenticators. */


/*************************************************
*              Check server_condition            *
*************************************************/

/* This function is called from the server code of all authenticators. For
plaintext and gsasl, it is always called: the argument cannot be empty, because
for those, setting server_condition is what enables it as a server
authenticator. For all the other authenticators, this function is called after
they have authenticated, to enable additional authorization to be done.

Argument:     the authenticator's instance block

Returns:
  OK          NULL argument, or success
  DEFER       couldn't complete the check
  FAIL        authentication failed
*/

int
auth_check_serv_cond(auth_instance *ablock)
{
  return auth_check_some_cond(ablock,
      US"server_condition", ablock->server_condition, OK);
}


/*************************************************
*         Check some server condition            *
*************************************************/

/* This underlies server_condition, but is also used for some more generic
 checks.

Arguments:
  ablock     the authenticator's instance block
  label      debugging label naming the string checked
  condition  the condition string to be expanded and checked
  unset      value to return on NULL condition

Returns:
  OK          success (or unset=OK)
  DEFER       couldn't complete the check
  FAIL        authentication failed
*/

int
auth_check_some_cond(auth_instance *ablock,
    uschar *label, uschar *condition, int unset)
{
uschar *cond;

HDEBUG(D_auth)
  {
  debug_printf("%s authenticator %s:\n", ablock->name, label);
  for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
    debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
  for (int i = 1; i <= expand_nmax; i++)
    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
  debug_print_string(ablock->server_debug_string);    /* customized debug */
  }

/* For the plaintext authenticator, server_condition is never NULL. For the
rest, an unset condition lets everything through. */

/* For server_condition, an unset condition lets everything through.
For plaintext/gsasl authenticators, it will have been pre-checked to prevent
this.  We return the unset scenario value given to us, which for
server_condition will be OK and otherwise will typically be FAIL. */

if (!condition) return unset;
cond = expand_string(condition);

HDEBUG(D_auth)
  if (!cond)
    debug_printf("expansion failed: %s\n", expand_string_message);
  else
    debug_printf("expanded string: %s\n", cond);

/* A forced expansion failure causes authentication to fail. Other expansion
failures yield DEFER, which will cause a temporary error code to be returned to
the AUTH command. The problem is at the server end, so the client should try
again later. */

if (!cond)
  {
  if (f.expand_string_forcedfail) return FAIL;
  auth_defer_msg = expand_string_message;
  return DEFER;
  }

/* Return FAIL for empty string, "0", "no", and "false"; return OK for
"1", "yes", and "true"; return DEFER for anything else, with the string
available as an error text for the user. */

if (*cond == 0 ||
    Ustrcmp(cond, "0") == 0 ||
    strcmpic(cond, US"no") == 0 ||
    strcmpic(cond, US"false") == 0)
  return FAIL;

if (Ustrcmp(cond, "1") == 0 ||
    strcmpic(cond, US"yes") == 0 ||
    strcmpic(cond, US"true") == 0)
  return OK;

auth_defer_msg = cond;
auth_defer_user_msg = string_sprintf(": %s", cond);
return DEFER;
}

/* End of check_serv_cond.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2012 */
	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9
	10	/* This module contains the function server_condition(), which is used
	11	by all authenticators. */
	12
	13
	14	/*************************************************
	15	* Check server_condition *
	16	*************************************************/
	17
	18	/* This function is called from the server code of all authenticators. For
	19	plaintext and gsasl, it is always called: the argument cannot be empty, because
	20	for those, setting server_condition is what enables it as a server
	21	authenticator. For all the other authenticators, this function is called after
	22	they have authenticated, to enable additional authorization to be done.
	23
	24	Argument: the authenticator's instance block
	25
	26	Returns:
	27	OK NULL argument, or success
	28	DEFER couldn't complete the check
	29	FAIL authentication failed
	30	*/
	31
	32	int
	33	auth_check_serv_cond(auth_instance *ablock)
	34	{
	35	return auth_check_some_cond(ablock,
	36	US"server_condition", ablock->server_condition, OK);
	37	}
	38
	39
	40	/*************************************************
	41	* Check some server condition *
	42	*************************************************/
	43
	44	/* This underlies server_condition, but is also used for some more generic
	45	checks.
	46
	47	Arguments:
	48	ablock the authenticator's instance block
	49	label debugging label naming the string checked
	50	condition the condition string to be expanded and checked
	51	unset value to return on NULL condition
	52
	53	Returns:
	54	OK success (or unset=OK)
	55	DEFER couldn't complete the check
	56	FAIL authentication failed
	57	*/
	58
	59	int
	60	auth_check_some_cond(auth_instance *ablock,
	61	uschar label, uschar condition, int unset)
	62	{
	63	uschar *cond;
	64
	65	HDEBUG(D_auth)
	66	{
	67	debug_printf("%s authenticator %s:\n", ablock->name, label);
	68	for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
	69	debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
	70	for (int i = 1; i <= expand_nmax; i++)
	71	debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
	72	debug_print_string(ablock->server_debug_string); /* customized debug */
	73	}
	74
	75	/* For the plaintext authenticator, server_condition is never NULL. For the
	76	rest, an unset condition lets everything through. */
	77
	78	/* For server_condition, an unset condition lets everything through.
	79	For plaintext/gsasl authenticators, it will have been pre-checked to prevent
	80	this. We return the unset scenario value given to us, which for
	81	server_condition will be OK and otherwise will typically be FAIL. */
	82
	83	if (!condition) return unset;
	84	cond = expand_string(condition);
	85
	86	HDEBUG(D_auth)
	87	if (!cond)
	88	debug_printf("expansion failed: %s\n", expand_string_message);
	89	else
	90	debug_printf("expanded string: %s\n", cond);
	91
	92	/* A forced expansion failure causes authentication to fail. Other expansion
	93	failures yield DEFER, which will cause a temporary error code to be returned to
	94	the AUTH command. The problem is at the server end, so the client should try
	95	again later. */
	96
	97	if (!cond)
	98	{
	99	if (f.expand_string_forcedfail) return FAIL;
	100	auth_defer_msg = expand_string_message;
	101	return DEFER;
	102	}
	103
	104	/* Return FAIL for empty string, "0", "no", and "false"; return OK for
	105	"1", "yes", and "true"; return DEFER for anything else, with the string
	106	available as an error text for the user. */
	107
	108	if (*cond == 0 \|\|
	109	Ustrcmp(cond, "0") == 0 \|\|
	110	strcmpic(cond, US"no") == 0 \|\|
	111	strcmpic(cond, US"false") == 0)
	112	return FAIL;
	113
	114	if (Ustrcmp(cond, "1") == 0 \|\|
	115	strcmpic(cond, US"yes") == 0 \|\|
	116	strcmpic(cond, US"true") == 0)
	117	return OK;
	118
	119	auth_defer_msg = cond;
	120	auth_defer_user_msg = string_sprintf(": %s", cond);
	121	return DEFER;
	122	}
	123
	124	/* End of check_serv_cond.c */