Improve auth. provider interface

The authentication provider can now provide multiple authorization identities associated with credentials. Protocols that support that (e.g. JMAP, SASL) can let the client select the wanted identity.
2025-04-06 06:27:38 +03:00 · 2020-02-27 01:22:47 +03:00 · 2020-02-27 01:22:47 +03:00 · a45c7090c4
commit a45c7090c4
parent 8f1d57293c
11 changed files with 72 additions and 65 deletions
--- a/internal/auth/external/externalauth.go
+++ b/internal/auth/external/externalauth.go
@ -71,13 +71,14 @@ func (ea *ExternalAuth) Init(cfg *config.Map) error {
 	return nil
 }

-func (ea *ExternalAuth) CheckPlain(username, password string) bool {
+func (ea *ExternalAuth) AuthPlain(username, password string) ([]string, error) {
 	accountName, ok := auth.CheckDomainAuth(username, ea.perDomain, ea.domains)
 	if !ok {
-		return false
+		return nil, module.ErrUnknownCredentials
 	}

-	return AuthUsingHelper(ea.Log, ea.helperPath, accountName, password)
+	// TODO: Extend process protocol to support multiple authorization identities.
+	return []string{username}, AuthUsingHelper(ea.helperPath, accountName, password)
 }

 func init() {
--- a/internal/auth/external/helperauth.go
+++ b/internal/auth/external/helperauth.go
@ -1,44 +1,38 @@
 package external

 import (
+	"fmt"
 	"io"
 	"os/exec"
-	"strings"

-	"github.com/foxcpp/maddy/internal/log"
+	"github.com/foxcpp/maddy/internal/module"
 )

-func AuthUsingHelper(l log.Logger, binaryPath, accountName, password string) bool {
+func AuthUsingHelper(binaryPath, accountName, password string) error {
 	cmd := exec.Command(binaryPath)
 	stdin, err := cmd.StdinPipe()
 	if err != nil {
-		l.Println("failed to obtain stdin pipe for helper process:", err)
-		return false
+		return fmt.Errorf("helperauth: stdin init: %w", err)
 	}
 	if err := cmd.Start(); err != nil {
-		l.Println("failed to start helper process:", err)
-		return false
+		return fmt.Errorf("helperauth: process start: %w", err)
 	}
 	if _, err := io.WriteString(stdin, accountName+"\n"); err != nil {
-		l.Println("failed to write stdin of helper process:", err)
-		return false
+		return fmt.Errorf("helperauth: stdin write: %w", err)
 	}
 	if _, err := io.WriteString(stdin, password+"\n"); err != nil {
-		l.Println("failed to write stdin of helper process:", err)
-		return false
+		return fmt.Errorf("helperauth: stdin write: %w", err)
 	}
 	if err := cmd.Wait(); err != nil {
-		l.Debugln(err)
 		if exitErr, ok := err.(*exec.ExitError); ok {
 			// Exit code 1 is for authentication failure.
-			// Exit code 2 is for other errors.
-			if exitErr.ExitCode() == 2 {
-				l.Println(strings.TrimSpace(string(exitErr.Stderr)))
+			if exitErr.ExitCode() != 1 {
+				return fmt.Errorf("helperauth: %w: %v", err, string(exitErr.Stderr))
 			}
+			return module.ErrUnknownCredentials
 		} else {
-			l.Println("failed to wait for helper process:", err)
+			return fmt.Errorf("helperauth: process wait: %w", err)
 		}
-		return false
 	}
-	return true
+	return nil
 }
--- a/internal/auth/pam/module.go
+++ b/internal/auth/pam/module.go
@ -61,29 +61,28 @@ func (a *Auth) Init(cfg *config.Map) error {
 	return nil
 }

-func (a *Auth) CheckPlain(username, password string) bool {
+func (a *Auth) AuthPlain(username, password string) ([]string, error) {
 	var accountName string
 	if a.expectAddress {
 		var err error
 		accountName, _, err = address.Split(username)
 		if err != nil {
-			return false
+			return nil, err
 		}
 	} else {
 		accountName = username
 	}

 	if a.useHelper {
-		return external.AuthUsingHelper(a.Log, a.helperPath, accountName, password)
+		if err := external.AuthUsingHelper(a.helperPath, accountName, password); err != nil {
+			return nil, err
+		}
 	}
 	err := runPAMAuth(accountName, password)
 	if err != nil {
-		if err == ErrInvalidCredentials {
-			a.Log.Println(err)
-		}
-		return false
+		return nil, err
 	}
-	return true
+	return []string{username}, nil
 }

 func init() {
--- a/internal/auth/shadow/module.go
+++ b/internal/auth/shadow/module.go
@ -67,43 +67,37 @@ func (a *Auth) Init(cfg *config.Map) error {
 	return nil
 }

-func (a *Auth) CheckPlain(username, password string) bool {
+func (a *Auth) AuthPlain(username, password string) ([]string, error) {
 	accountName, _, err := address.Split(username)
 	if err != nil {
-		return false
+		return nil, err
 	}

 	if a.useHelper {
-		return external.AuthUsingHelper(a.Log, a.helperPath, accountName, password)
+		return []string{username}, external.AuthUsingHelper(a.helperPath, accountName, password)
 	}

 	ent, err := Lookup(accountName)
 	if err != nil {
-		if err != ErrNoSuchUser {
-			a.Log.Error("lookup error", err, "username", username)
-		}
-		return false
+		return nil, err
 	}

 	if !ent.IsAccountValid() {
-		a.Log.Msg("account is expired", "username", username)
-		return false
+		return nil, fmt.Errorf("shadow: account is expired")
 	}

 	if !ent.IsPasswordValid() {
-		a.Log.Msg("password is expired", "username", username)
-		return false
+		return nil, fmt.Errorf("shadow: password is expired")
 	}

 	if err := ent.VerifyPassword(password); err != nil {
-		if err != ErrWrongPassword {
-			a.Log.Printf("%v", err)
+		if err == ErrWrongPassword {
+			return nil, module.ErrUnknownCredentials
 		}
-		a.Log.Msg("password verification failed", "username", username)
-		return false
+		return nil, err
 	}

-	return true
+	return []string{username}, nil
 }

 func init() {