On 05/02/2025 10:20, Aki Tuomi wrote:
You can also use the array syntax to export fields, which is the

["reason"]="something"

then dovecot will treat this as an array of fields and spaces can be in the 
value.

Thanks, that works.


For lua vars not being exported on failure I'm planning to use such a patch on the 2.3.x series (below).

Two things work now:
- reason is returned (array method mentioned earlier)

- returning different login (if we want user change) is possible. In case of errors the goal was to make dovecot log errors already with user changed.


(first chunk below is in auth_lua_export_passdb_table() but auth_lua_export_userdb_table() probably needs similar change)

--- dovecot-2.3.21.1/src/auth/db-lua.c~ 2024-08-13 12:37:50.000000000 +0200
+++ dovecot-2.3.21.1/src/auth/db-lua.c  2025-02-05 12:12:49.397793033 +0100
@@ -555,14 +555,13 @@
 {
        enum passdb_result ret = lua_tointeger(L, -2);

+       auth_lua_export_table(L, req, scheme_r, password_r);
+
        if (ret != PASSDB_RESULT_OK) {
-               lua_pop(L, 2);
-               lua_gc(L, LUA_GCCOLLECT, 0);
                *error_r = "passb failed";
                return ret;
        }

-       auth_lua_export_table(L, req, scheme_r, password_r);
        return PASSDB_RESULT_OK;
 }

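Review bot: The failure branch in the first hunk loses its lua_pop(L, 2) and lua_gc(L, LUA_GCCOLLECT, 0) calls and nothing visible replaces them, so Lua stack cleanup on a non-OK result now depends entirely on auth_lua_export_table() doing it; please confirm that and note it in a comment. Calling auth_lua_export_table(L, req, scheme_r, password_r) before the ret check also means a failing script now writes scheme_r, password_r and every other returned field into req, so consider exporting only what the failure path needs (reason, user) or documenting that all fields apply on failure. The context string "passb failed" looks like a typo for "passdb failed" and could be fixed while touching this block.
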
@@ -585,7 +584,8 @@

        if (ret != PASSDB_RESULT_OK && ret != PASSDB_RESULT_NEXT) {
                *error_r = str;
-       } else {
+       }
+       if (str != NULL) {
                auth_lua_export_fields(req, str, scheme_r, password_r);
        }

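Review bot: After "} else {" becomes a separate "if (str != NULL)", a failing result uses the same str both as *error_r and as the field list handed to auth_lua_export_fields(), so the error that gets logged is the raw key=value string; consider a fixed error text for *error_r or a comment stating the string is deliberately dual-use. This path still goes through the space-splitting string export mentioned earlier in the thread, so a reason containing spaces only survives via the table return, which deserves a comment here. The userdb counterpart needs the matching change, as the message itself notes.
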


Aki

On 05/02/2025 11:14 EET Arkadiusz Miśkiewicz via dovecot <dovecot@dovecot.org> 
wrote:

On 23/01/2025 16:30, Aki Tuomi wrote:
I was kinda hoping it would've shown a bit more details. But, looks like you've 
run into a bug. Lua passdb does not export fields in case return value is not 
OK or NEXT. I'll file this to your bug tracker.

Also it seems that the code in

src/auth/db-lua.c:auth_lua_export_fields()

splits string by space

   const char *const *fields = t_strsplit_spaces(str, " ");

so it won't be possible to return like reason="This is the reason"

Looks like another bug, right?


Aki

On 23/01/2025 17:20 EET Arkadiusz Miśkiewicz via dovecot <dovecot@dovecot.org> 
wrote:

On 23/01/2025 14:23, Aki Tuomi wrote:
Can you post auth_debug=yes logs?


Attaching here (as quotation):

Jan 23 15:10:24 webx dovecot[10752]: auth: Debug: client in: AUTH       1       PLAIN   service=imap    session=qZ/XK2As7rsKFhKW        lip=10.22.18.200    rip=10.22.18.150 lport=143       rport=48110     resp=<hidden>
Jan 23 15:10:24 webx dovecot[10752]: auth: Debug: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Performing passdb lookup
Jan 23 15:10:24 webx dovecot[10752]: auth: Debug: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): cache miss
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): Server accepted connection (fd=13)
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): Sending version handshake
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): auth-worker<1>: Handling PASSV request
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): auth-worker<1>: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Performing passdb lookup
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): auth-worker<1>: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Calling auth_password_verify
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): auth-worker<1>: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Finished passdb lookup
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10770): Debug: conn unix:auth-worker (pid=10801,uid=172): auth-worker<1>: Finished: user_disabled
Jan 23 15:10:24 webx dovecot[10752]: auth: Debug: lua(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Finished passdb lookup
Jan 23 15:10:24 webx dovecot[10752]: auth: Debug: auth(test,10.22.18.150,<qZ/XK2As7rsKFhKW>): Auth request finished
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Loading modules from directory: /usr/lib64/dovecot/plugins/auth
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Module loaded: /usr/lib64/dovecot/plugins/auth/lib20_auth_var_expand_crypt.so
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Module loaded: /usr/lib64/dovecot/plugins/auth/libdriver_mysql.so
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Module loaded: /usr/lib64/dovecot/plugins/auth/libdriver_pgsql.so
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Module loaded: /usr/lib64/dovecot/plugins/auth/libdriver_sqlite.so
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Loading modules from directory: /usr/lib64/dovecot/plugins/auth
Jan 23 15:10:24 webx dovecot[10752]: auth-worker(10803): Debug: Module loaded: /usr/lib64/dovecot/plugins/auth/libauthdb_lua.so
Jan 23 15:10:29 webx dovecot[10752]: auth: Debug: client passdb out: FAIL       1       user=test       code=user_disabled
Jan 23 15:10:29 webx dovecot[10752]: imap-login: Disco



Aki

On 23/01/2025 13:26 EET Arkadiusz Miśkiewicz via dovecot <dovecot@dovecot.org> 
wrote:

Hello.


Trying to pass reason response via lua by passing it at
dovecot.auth.PASSDB_RESULT_USER_DISABLED like:


function auth_password_verify(request, password)
      return dovecot.auth.PASSDB_RESULT_USER_DISABLED, "reason=custom_message"

end

function auth_userdb_lookup(request)
      return dovecot.auth.PASSDB_RESULT_OK, "uid=428671 gid=9726 home=/var/mail/existusertest"

end

function script_init()
      return 0
end

function script_deinit()
end


Unfortunately returned result contains no custom message and also
returns AUTHENTICATIONFAILED instead of CONTACTADMIN:

NO [AUTHENTICATIONFAILED] Authentication failed.

while I would expect something like:

NO [CONTACTADMIN] custom_message:

Any reason for such behaviour and how to get reason passed and proper
CONTACTADMIN?

Tests done on 2.3.21.1.

passdb {
      driver = lua
      mechanisms = login plain
      args = file=/etc/dovecot/lua_auth_script_test_fail.lua blocking=yes
}


userdb {
      driver = lua
      args = file=/etc/dovecot/lua_auth_script_test_fail.lua blocking=yes
}

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
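
Added example, not part of the original thread and not Dovecot's own code: a small C model of the two return styles discussed above, showing why a space-separated string return cannot carry reason="This is the reason" while a table return can. split_on_spaces() only imitates the effect of the quoted t_strsplit_spaces(str, " ") call; field_value(), reason_from_table() and struct kv are hypothetical names, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

enum { MAX_FIELDS = 16, MAX_LEN = 128 };

/* Hypothetical stand-in for t_strsplit_spaces(str, " "): split on runs of
 * spaces, skipping empty tokens. Returns the number of tokens stored. */
static int split_on_spaces(const char *str, char out[][MAX_LEN], int max)
{
	int n = 0;
	while (n < max) {
		str += strspn(str, " ");            /* skip separator run */
		if (*str == '\0') break;
		size_t len = strcspn(str, " ");     /* full token length */
		size_t copy = len < MAX_LEN ? len : MAX_LEN - 1;
		memcpy(out[n], str, copy);
		out[n++][copy] = '\0';
		str += len;
	}
	return n;
}

/* Value of "key=value" among the tokens, or NULL when the key is absent. */
static const char *field_value(char f[][MAX_LEN], int n, const char *key)
{
	size_t klen = strlen(key);
	for (int i = 0; i < n; i++)
		if (strncmp(f[i], key, klen) == 0 && f[i][klen] == '=')
			return f[i] + klen + 1;
	return NULL;
}

/* Table-style return (modelled): pairs arrive separately, values intact. */
struct kv { const char *key, *value; };
static const char *reason_from_table(const struct kv *t, int n)
{
	for (int i = 0; i < n; i++)
		if (strcmp(t[i].key, "reason") == 0)
			return t[i].value;
	return NULL;
}

int main(void)
{
	char f[MAX_FIELDS][MAX_LEN];
	int n = split_on_spaces("reason=This is the reason", f, MAX_FIELDS);
	const struct kv t[] = { { "reason", "This is the reason" } }; /* constructed */
	printf("string return: %d tokens, reason=\"%s\"\n", n, field_value(f, n, "reason"));
	printf("table return:  reason=\"%s\"\n", reason_from_table(t, 1));
	return 0;
}
```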