Fix bug in handling AUTHENTICATE command (imap4d). Add user/group ACLs.

The bug was introduced in commit 6e2a3758.

The ACLs allow administrators to limit access to IMAP services to
particular users or users belonging to particular groups.

* imap4d/authenticate.c (imap4d_auth_capability): Take session
pointer as argument.  Don't report authentication capabilities
if tls is required.
(imap4d_authenticate): Fix conditional.
* imap4d/capability.c (imap4d_capability): Update call to
imap4d_auth_capability.
* imap4d/imap4d.c (cb_tls_required): Set tls_mode.
(auth_deny_user_list,auth_allow_user_list)
(auth_deny_group_list,auth_allow_group_list): New statics.
(check_user_groups,imap_check_group_list): New static functions.
(imap4d_cfg_param) <allow-users,deny-users>
<allow-groups,deny-groups>: New configuration statements.
(imap4d_session_setup0): Check allow/deny lists.
* imap4d/imap4d.h (imap4d_auth_capability): Change signature.

* pop3d/pop3d.c (cb_tls_required): Set tls_mode.

* bootstrap (gnulib_extra_files): Update.

@@ -104,7 +104,6 @@ tests_base=tests
 # Extra files from gnulib, which override files from other sources.
 # Extra files from gnulib, which override files from other sources.
 gnulib_extra_files="
 gnulib_extra_files="
 	$build_aux/install-sh
 	$build_aux/install-sh
-	$build_aux/missing
 	$build_aux/mdate-sh
 	$build_aux/mdate-sh
 	$build_aux/texinfo.tex
 	$build_aux/texinfo.tex
 	$build_aux/depcomp
 	$build_aux/depcomp

@@ -78,8 +78,9 @@ _auth_try (void *item, void *data)
 }
 }
 
 
 void
 void
-imap4d_auth_capability ()
+imap4d_auth_capability (struct imap4d_session *session)
 {
 {
+  if (session->tls_mode != tls_required)
     mu_list_foreach (imap_auth_list, _auth_capa, NULL);
     mu_list_foreach (imap_auth_list, _auth_capa, NULL);
 }
 }
 
 
@@ -102,7 +103,7 @@ imap4d_authenticate (struct imap4d_session *session,
   
   
   auth_type = imap4d_tokbuf_getarg (tok, IMAP4_ARG_1);
   auth_type = imap4d_tokbuf_getarg (tok, IMAP4_ARG_1);
 
 
-  if (tls_required)
+  if (session->tls_mode == tls_required)
     return io_completion_response (command, RESP_NO,
     return io_completion_response (command, RESP_NO,
 			           "Command disabled: Use STARTTLS first");
 			           "Command disabled: Use STARTTLS first");
   
   

@@ -78,7 +78,7 @@ imap4d_capability (struct imap4d_session *session,
 
 
   mu_list_foreach (capa_list, print_capa, NULL);
   mu_list_foreach (capa_list, print_capa, NULL);
   
   
-  imap4d_auth_capability ();
+  imap4d_auth_capability (session);
   io_sendf ("\n");
   io_sendf ("\n");
 
 
   return io_completion_response (command, RESP_OK, "Completed");
   return io_completion_response (command, RESP_OK, "Completed");

@@ -287,16 +287,50 @@ cb_tls (void *data, mu_config_value_t *val)
 static int
 static int
 cb_tls_required (void *data, mu_config_value_t *val)
 cb_tls_required (void *data, mu_config_value_t *val)
 {
 {
-  int *res = data;
   int bv;
   int bv;
   
   
   if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
   if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
     return 1;
     return 1;
   if (mu_cfg_parse_boolean (val->v.string, &bv))
   if (mu_cfg_parse_boolean (val->v.string, &bv))
     mu_error (_("Not a boolean value"));
     mu_error (_("Not a boolean value"));
-  else
-    *res = tls_required;
+  else if (bv)
+    tls_mode = tls_required;
+  return 0;
+}
+
+static mu_list_t auth_deny_user_list, auth_allow_user_list;
+static mu_list_t auth_deny_group_list, auth_allow_group_list;
+
+static int
+check_user_groups (void *item, void *data)
+{
+  char *gname = item;
+  struct group *gp;
+  char **p;
+  
+  gp = getgrnam (gname);
+  if (!gp)
     return 0;
     return 0;
+
+  if (gp->gr_gid == auth_data->gid)
+    return MU_ERR_EXISTS;
+
+  for (p = gp->gr_mem; *p; p++)
+    if (strcmp (*p, auth_data->name) == 0)
+      return MU_ERR_EXISTS;
+
+  return 0;
+}
+
+static int
+imap_check_group_list (mu_list_t l)
+{
+  int rc = mu_list_foreach (l, check_user_groups, NULL);
+  if (rc == MU_ERR_EXISTS) 
+    return 0;
+  else if (rc == 0)
+    return MU_ERR_NOENT;
+  return rc;
 }
 }
 
 
 static struct mu_cfg_param imap4d_srv_param[] = {
 static struct mu_cfg_param imap4d_srv_param[] = {
@@ -309,6 +343,19 @@ static struct mu_cfg_param imap4d_srv_param[] = {
 };
 };
 
 
 static struct mu_cfg_param imap4d_cfg_param[] = {
 static struct mu_cfg_param imap4d_cfg_param[] = {
+  { "allow-users", MU_CFG_LIST_OF(mu_cfg_string), &auth_allow_user_list,
+    0, NULL, 
+    N_("Allow access to users from this list.") },
+  { "deny-users", MU_CFG_LIST_OF(mu_cfg_string), &auth_deny_user_list,
+    0, NULL, 
+    N_("Deny access to users from this list.") },
+  { "allow-groups", MU_CFG_LIST_OF(mu_cfg_string), &auth_allow_group_list,
+    0, NULL, 
+    N_("Allow access if the user group is in this list.") },
+  { "deny-groups", MU_CFG_LIST_OF(mu_cfg_string), &auth_deny_group_list,
+    0, NULL, 
+    N_("Deny access if the user group is in this list.") },
+  
   { "homedir", mu_cfg_string, &modify_homedir, 0, NULL,
   { "homedir", mu_cfg_string, &modify_homedir, 0, NULL,
     N_("Modify home directory.") },
     N_("Modify home directory.") },
   { "personal-namespace", MU_CFG_LIST_OF(mu_cfg_string), &namespace[NS_PRIVATE],
   { "personal-namespace", MU_CFG_LIST_OF(mu_cfg_string), &namespace[NS_PRIVATE],
@@ -367,6 +414,31 @@ static struct mu_cfg_param imap4d_cfg_param[] = {
 int
 int
 imap4d_session_setup0 ()
 imap4d_session_setup0 ()
 {
 {
+  if (auth_deny_user_list &&
+      mu_list_locate (auth_deny_user_list, auth_data->name, NULL) == 0)
+    {
+      mu_error (_("%s is in deny-users, rejecting"), auth_data->name);
+      return 1;
+    }
+  if (auth_allow_user_list &&
+      mu_list_locate (auth_allow_user_list, auth_data->name, NULL))
+    {
+      mu_error (_("%s is not in allow-users, rejecting"), auth_data->name);
+      return 1;
+    }
+  if (auth_deny_group_list &&
+      imap_check_group_list (auth_deny_group_list) == 0)
+    {
+      mu_error (_("%s is in deny-groups, rejecting"), auth_data->name);
+      return 1;
+    }
+  if (auth_allow_group_list &&
+      imap_check_group_list (auth_allow_group_list))
+    {
+      mu_error (_("%s is not in allow-groups, rejecting"), auth_data->name);
+      return 1;
+    }
+
   real_homedir = mu_normalize_path (mu_strdup (auth_data->dir));
   real_homedir = mu_normalize_path (mu_strdup (auth_data->dir));
   if (imap4d_check_home_dir (real_homedir, auth_data->uid, auth_data->gid))
   if (imap4d_check_home_dir (real_homedir, auth_data->uid, auth_data->gid))
     return 1;
     return 1;

@@ -293,7 +293,7 @@ extern int  imap4d_append (struct imap4d_session *,
 			   struct imap4d_command *, imap4d_tokbuf_t);
 			   struct imap4d_command *, imap4d_tokbuf_t);
 extern int  imap4d_authenticate (struct imap4d_session *,
 extern int  imap4d_authenticate (struct imap4d_session *,
 				 struct imap4d_command *, imap4d_tokbuf_t);
 				 struct imap4d_command *, imap4d_tokbuf_t);
-extern void imap4d_auth_capability (void);
+extern void imap4d_auth_capability (struct imap4d_session *);
 extern int  imap4d_capability (struct imap4d_session *,
 extern int  imap4d_capability (struct imap4d_session *,
 			       struct imap4d_command *, imap4d_tokbuf_t);
 			       struct imap4d_command *, imap4d_tokbuf_t);
 extern int  imap4d_check (struct imap4d_session *,
 extern int  imap4d_check (struct imap4d_session *,

@@ -176,15 +176,14 @@ cb_tls (void *data, mu_config_value_t *val)
 static int
 static int
 cb_tls_required (void *data, mu_config_value_t *val)
 cb_tls_required (void *data, mu_config_value_t *val)
 {
 {
-  int *res = data;
   int bv;
   int bv;
   
   
   if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
   if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
     return 1;
     return 1;
   if (mu_cfg_parse_boolean (val->v.string, &bv))
   if (mu_cfg_parse_boolean (val->v.string, &bv))
     mu_error (_("Not a boolean value"));
     mu_error (_("Not a boolean value"));
-  else
-    *res = tls_required;
+  else if (bv)
+    tls_mode = tls_required;
   return 0;
   return 0;
 }
 }