Page MenuHomeWMGMC Issues
Files F15808

No OneTemporary
Actions

View Options

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index be9dd4d4..a7936bf2 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -1,420 +1,419 @@
#!/bin/bash
set -e
# Wait for MySQL to warm-up
while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
echo "Waiting for database to come up..."
sleep 2
done
until dig +short mailcow.email > /dev/null; do
echo "Waiting for DNS..."
sleep 1
done
# Do not attempt to write to slave
if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
else
REDIS_CMDLINE="redis-cli -h redis -p 6379"
fi
until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
echo "Waiting for Redis..."
sleep 2
done
${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
# Create missing directories
[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
# Set Dovecot sql config parameters, escape " in db password
DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
# Create quota dict for Dovecot
if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
QUOTA_TABLE=quota2
else
QUOTA_TABLE=quota2replica
fi
cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
# Autogenerated by mailcow
connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
map {
pattern = priv/quota/storage
table = ${QUOTA_TABLE}
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = ${QUOTA_TABLE}
username_field = username
value_field = messages
}
EOF
# Create dict used for sieve pre and postfilters
cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
# Autogenerated by mailcow
connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
map {
pattern = priv/sieve/name/\$script_name
table = sieve_before
username_field = username
value_field = id
fields {
script_name = \$script_name
}
}
map {
pattern = priv/sieve/data/\$id
table = sieve_before
username_field = username
value_field = script_data
fields {
id = \$id
}
}
EOF
cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
# Autogenerated by mailcow
connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
map {
pattern = priv/sieve/name/\$script_name
table = sieve_after
username_field = username
value_field = id
fields {
script_name = \$script_name
}
}
map {
pattern = priv/sieve/data/\$id
table = sieve_after
username_field = username
value_field = script_data
fields {
id = \$id
}
}
EOF
echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
else
echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins
echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
fi
chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
# Autogenerated by mailcow
driver = mysql
connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
EOF
cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
function auth_password_verify(request, password)
if request.domain == nil then
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
end
json = require "json"
ltn12 = require "ltn12"
https = require "ssl.https"
https.TIMEOUT = 5
mysql = require "luasql.mysql"
env = mysql.mysql()
con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
local req = {
username = request.user,
password = password
}
local req_json = json.encode(req)
local res = {}
-- check against mailbox passwds
local b, c = https.request {
method = "POST",
url = "https://nginx/api/v1/process/login",
source = ltn12.source.string(req_json),
headers = {
["content-type"] = "application/json",
["content-length"] = tostring(#req_json)
},
sink = ltn12.sink.table(res)
}
local api_response = json.decode(table.concat(res))
if api_response.role == 'user' then
con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
VALUES ("%s", 0, "%s", "%s")]], con:escape(request.service), con:escape(request.user), con:escape(request.real_rip)))
con:close()
return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
end
-- check against app passwds for imap and smtp
-- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
+ skip_sasl_log = true
req.protocol = {}
- req.protocol[request.service] = true
- req_json = json.encode(req)
-
- req.protocol.ignore_hasaccess = false
- if tostring(req.real_rip) == "__IPV4_SOGO__" then
- req.protocol.ignore_hasaccess = true
+ if tostring(req.real_rip) != "__IPV4_SOGO__" then
+ skip_sasl_log = false
+ req.protocol[request.service] = true
end
+ req_json = json.encode(req)
local b, c = https.request {
method = "POST",
url = "https://nginx/api/v1/process/login",
source = ltn12.source.string(req_json),
headers = {
["content-type"] = "application/json",
["content-length"] = tostring(#req_json)
},
sink = ltn12.sink.table(res)
}
local api_response = json.decode(table.concat(res))
if api_response.role == 'user' then
- if req.protocol.ignore_hasaccess == false then
+ if skip_sasl_log == true then
con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
end
con:close()
return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
end
end
con:close()
return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
end
function auth_passdb_lookup(req)
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
end
EOF
# Replace patterns in app-passdb.lua
sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
# Migrate old sieve_after file
[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
# Create global sieve scripts
cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
# Check permissions of vmail/index/garbage directories.
# Do not do this every start-up, it may take a very long time. So we use a stat check here.
if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
# Cleanup random user maildirs
rm -rf /var/vmail/mailcow.local/*
# Cleanup PIDs
[[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid
# create sni configuration
echo "" > /etc/dovecot/sni.conf
for cert_dir in /etc/ssl/mail/*/ ; do
if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
continue
fi
domains=($(cat ${cert_dir}domains))
for domain in ${domains[@]}; do
echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
echo ' ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
echo ' ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
echo '}' >> /etc/dovecot/sni.conf;
done
done
# Create random master for SOGo sieve features
RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
RAND_USER=${DOVECOT_MASTER_USER}
RAND_PASS=${DOVECOT_MASTER_PASS}
fi
echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
if [[ -z ${MAILDIR_SUB} ]]; then
MAILDIR_SUB_SHARED=
else
MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
fi
cat <<EOF > /etc/dovecot/shared_namespace.conf
# Autogenerated by mailcow
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
subscriptions = no
list = children
}
EOF
cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
# Autogenerated by mailcow
remote ${IPV4_NETWORK}.248 {
disable_plaintext_auth = no
}
EOF
# Create random master Password for SOGo SSO
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
cat <<EOF > /etc/dovecot/sogo-sso.conf
# Autogenerated by mailcow
passdb {
driver = static
args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
}
EOF
if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
# Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
cat <<'EOF' > /usr/local/bin/quota_notify.py
#!/usr/bin/python3
import sys
sys.exit()
EOF
fi
# Set mail_replica for HA setups
if [[ -n ${MAILCOW_REPLICA_IP} && -n ${DOVEADM_REPLICA_PORT} ]]; then
cat <<EOF > /etc/dovecot/mail_replica.conf
# Autogenerated by mailcow
mail_replica = tcp:${MAILCOW_REPLICA_IP}:${DOVEADM_REPLICA_PORT}
EOF
fi
# 401 is user dovecot
if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
else
chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
fi
# Compile sieve scripts
sievec /var/vmail/sieve/global_sieve_before.sieve
sievec /var/vmail/sieve/global_sieve_after.sieve
sievec /usr/lib/dovecot/sieve/report-spam.sieve
sievec /usr/lib/dovecot/sieve/report-ham.sieve
for file in /var/vmail/*/*/sieve/*.sieve ; do
if [[ "$file" == "/var/vmail/*/*/sieve/*.sieve" ]]; then
continue
fi
sievec "$file" "$(dirname "$file")/../.dovecot.svbin"
chown vmail:vmail "$(dirname "$file")/../.dovecot.svbin"
done
# Fix permissions
chown root:root /etc/dovecot/sql/*.conf
chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
chown -R vmail:vmail /var/vmail/sieve
chown -R vmail:vmail /var/volatile
chown -R vmail:vmail /var/vmail_index
adduser vmail tty
chmod g+rw /dev/console
chown root:tty /dev/console
chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
/usr/lib/dovecot/sieve/rspamd-pipe-spam \
/usr/local/bin/imapsync_runner.pl \
/usr/local/bin/imapsync \
/usr/local/bin/trim_logs.sh \
/usr/local/bin/sa-rules.sh \
/usr/local/bin/clean_q_aged.sh \
/usr/local/bin/maildir_gc.sh \
/usr/local/sbin/stop-supervisor.sh \
/usr/local/bin/quota_notify.py \
/usr/local/bin/repl_health.sh
# Prepare environment file for cronjobs
printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
# Clean old PID if any
[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
# Clean stopped imapsync jobs
rm -f /tmp/imapsync_busy.lock
IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
# Envsubst maildir_gc
echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
# GUID generation
while [[ ${VERSIONS_OK} != 'OK' ]]; do
if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
VERSIONS_OK=OK
else
echo "Waiting for versions table to be created..."
sleep 3
fi
done
PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
if [ -f ${PUBKEY_MCRYPT} ]; then
GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
if [ ${#GUID} -eq 64 ]; then
mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
EOF
else
mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
EOF
fi
fi
# Collect SA rules once now
/usr/local/bin/sa-rules.sh
# Run hooks
for file in /hooks/*; do
if [ -x "${file}" ]; then
echo "Running hook ${file}"
"${file}"
fi
done
# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
# May be related to something inside Docker, I seriously don't know
touch /etc/dovecot/lua/passwd-verify.lua
if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
fi
exec "$@"
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6a0cafa8..c125b5d6 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -1,556 +1,671 @@
<?php
function unset_auth_session(){
unset($_SESSION['keycloak_token']);
unset($_SESSION['keycloak_refresh_token']);
unset($_SESSION['mailcow_cc_username']);
unset($_SESSION['mailcow_cc_role']);
unset($_SESSION['oauth2state']);
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_methods']);
}
function check_login($user, $pass, $app_passwd_data = false) {
global $pdo;
global $redis;
if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => 'malformed_username'
);
return false;
}
// Validate admin
$result = mailcow_admin_login($user, $pass);
if ($result){
return $result;
}
// Validate domain admin
$result = mailcow_domainadmin_login($user, $pass);
if ($result){
return $result;
}
// Validate mailbox user
// skip log & ldelay if requests comes from dovecot
$is_dovecot = false;
- $request_ip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+ $request_ip = $_SERVER['REMOTE_ADDR'];
if ($request_ip == getenv('IPV4_NETWORK').'.250'){
$is_dovecot = true;
}
// check authsource
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$row){
// mbox does not exist, call keycloak login and create mbox if possible
- $result = keycloak_mbox_login($user, $pass, $is_dovecot, true);
+ $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot, true);
if ($result){
return $result;
}
} else if ($row['authsource'] == 'keycloak'){
- $result = keycloak_mbox_login($user, $pass, $is_dovecot);
+ if ($app_passwd_data){
+ // first check if password is app_password
+ $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+ if ($result){
+ return $result;
+ }
+ }
+
+ $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot);
if ($result){
return $result;
}
} else {
+ if ($app_passwd_data){
+ // first check if password is app_password
+ $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+ if ($result){
+ return $result;
+ }
+ }
+
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
if ($result){
return $result;
}
}
// skip log and only return false
// netfilter uses dovecot error log for banning
if ($is_dovecot){
return false;
}
if (!isset($_SESSION['ldelay'])) {
$_SESSION['ldelay'] = "0";
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
}
elseif (!isset($_SESSION['mailcow_cc_username'])) {
$_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
}
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => 'login_failed'
);
sleep($_SESSION['ldelay']);
return false;
}
function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
global $pdo;
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
- // check if password is app password
- $is_app_passwd = false;
- if ($app_passwd_data['eas']){
- $is_app_passwd = 'eas';
- } else if ($app_passwd_data['dav']){
- $is_app_passwd = 'dav';
- } else if ($app_passwd_data['smtp']){
- $is_app_passwd = 'smtp';
- } else if ($app_passwd_data['imap']){
- $is_app_passwd = 'imap';
- } else if ($app_passwd_data['sieve']){
- $is_app_passwd = 'sieve';
- } else if ($app_passwd_data['pop3']){
- $is_app_passwd = 'pop3';
- }
- if ($is_app_passwd){
- // fetch app password data
- $app_passwd_query = "SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
- INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
- INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
- WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
- AND `mailbox`.`active` = '1'
- AND `domain`.`active` = '1'
- AND `app_passwd`.`active` = '1'
- AND `app_passwd`.`mailbox` = :user";
- // check if app password has protocol access
- // skip if $app_passwd_data['ignore_hasaccess'] is true and the call is not external
- if (!$is_internal || ($is_internal && !$app_passwd_data['ignore_hasaccess'])){
- $app_passwd_query = $app_passwd_query . " AND `app_passwd`.`" . $is_app_passwd . "_access` = '1'";
- }
- // fetch password data
- $stmt = $pdo->prepare($app_passwd_query);
- $stmt->execute(array(':user' => $user));
- $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
- }
-
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass) !== false) {
if (!array_key_exists("app_passwd_id", $row)){
// password is not a app password
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
// authenticators found, init TFA flow
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "user";
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return "pending";
} else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
// no authenticators found, login successfull
if (!$is_internal){
unset($_SESSION['ldelay']);
// Reactivate TFA if it was set to "deactivate TFA for next login"
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
$stmt->execute(array(':user' => $user));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
}
return "user";
}
- } elseif ($is_app_passwd) {
- // password is a app password
- if ($is_internal){
- // skip log
- return "user";
- }
-
- $service = strtoupper($is_app_passwd);
- $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
- $stmt->execute(array(
- ':service' => $service,
- ':app_id' => $row['app_passwd_id'],
- ':username' => $user,
- ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
- ));
-
- unset($_SESSION['ldelay']);
- return "user";
- }
- }
- }
-
- foreach ($rows as $row) {
- // verify password
- if (verify_hash($row['password'], $pass) !== false) {
- if (!array_key_exists("app_passwd_id", $row)){
- // password is not a app password
- // check for tfa authenticators
- $authenticators = get_tfa($user);
- if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
- $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
- // authenticators found, init TFA flow
- $_SESSION['pending_mailcow_cc_username'] = $user;
- $_SESSION['pending_mailcow_cc_role'] = "user";
- $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
- unset($_SESSION['ldelay']);
- $_SESSION['return'][] = array(
- 'type' => 'success',
- 'log' => array(__FUNCTION__, $user, '*'),
- 'msg' => array('logged_in_as', $user)
- );
- return "pending";
- } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
- // no authenticators found, login successfull
- // Reactivate TFA if it was set to "deactivate TFA for next login"
- $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
- $stmt->execute(array(':user' => $user));
-
- unset($_SESSION['ldelay']);
- return "user";
- }
- } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
- // password is a app password
- $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
- $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
- $stmt->execute(array(
- ':service' => $service,
- ':app_id' => $row['app_passwd_id'],
- ':username' => $user,
- ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
- ));
-
- unset($_SESSION['ldelay']);
- return "user";
}
}
}
return false;
}
function mailcow_domainadmin_login($user, $pass){
global $pdo;
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `superadmin` = '0'
AND `active`='1'
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass) !== false) {
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "domainadmin";
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'info',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => 'awaiting_tfa_confirmation'
);
return "pending";
}
else {
unset($_SESSION['ldelay']);
// Reactivate TFA if it was set to "deactivate TFA for next login"
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
$stmt->execute(array(':user' => $user));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return "domainadmin";
}
}
}
return false;
}
function mailcow_admin_login($user, $pass){
global $pdo;
$user = strtolower(trim($user));
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `superadmin` = '1'
AND `active` = '1'
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass)) {
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
// active tfa authenticators found, set pending user login
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "admin";
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'info',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => 'awaiting_tfa_confirmation'
);
return "pending";
} else {
unset($_SESSION['ldelay']);
// Reactivate TFA if it was set to "deactivate TFA for next login"
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
$stmt->execute(array(':user' => $user));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return "admin";
}
}
}
return false;
}
+function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal = false){
+ global $pdo;
+
+ $protocol = false;
+ if ($app_passwd_data['eas']){
+ $protocol = 'eas';
+ } else if ($app_passwd_data['dav']){
+ $protocol = 'dav';
+ } else if ($app_passwd_data['smtp']){
+ $protocol = 'smtp';
+ } else if ($app_passwd_data['imap']){
+ $protocol = 'imap';
+ } else if ($app_passwd_data['sieve']){
+ $protocol = 'sieve';
+ } else if ($app_passwd_data['pop3']){
+ $protocol = 'pop3';
+ }
+
+ // fetch app password data
+ $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+ INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+ INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+ WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+ AND `mailbox`.`active` = '1'
+ AND `domain`.`active` = '1'
+ AND `app_passwd`.`active` = '1'
+ AND `app_passwd`.`mailbox` = :user
+ :has_access_query"
+ );
+ // check if app password has protocol access
+ // skip if protocol is false and the call is not external
+ $has_access_query = '';
+ if (!$is_internal || ($is_internal && !empty($protocol))){
+ $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
+ }
+ // fetch password data
+ $stmt->execute(array(
+ ':user' => $user,
+ ':has_access_query' => $has_access_query
+ ));
+ $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
+
+ foreach ($rows as $row) {
+ // verify password
+ if (verify_hash($row['password'], $pass) !== false) {
+ if ($is_internal){
+ // skip sasl_log, dovecot does the job
+ return "user";
+ }
+
+ $service = strtoupper($is_app_passwd);
+ $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+ $stmt->execute(array(
+ ':service' => $service,
+ ':app_id' => $row['app_passwd_id'],
+ ':username' => $user,
+ ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+ ));
+
+ unset($_SESSION['ldelay']);
+ return "user";
+ }
+ }
+
+ return false;
+}
-function keycloak_mbox_login($user, $pass, $is_internal = false, $create = false){
+// ROPC Flow (deprecated oAuth2.1)
+// uses direct user credentials for UI, IMAP and SMTP Auth
+function keycloak_mbox_login_ropc($user, $pass, $is_internal = false, $create = false){
global $pdo;
$identity_provider_settings = identity_provider('get');
$url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
$req = http_build_query(array(
'grant_type' => 'password',
'client_id' => $identity_provider_settings['client_id'],
'client_secret' => $identity_provider_settings['client_secret'],
'username' => $user,
'password' => $pass,
));
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$res = json_decode(curl_exec($curl), true);
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close ($curl);
if ($code == 200) {
// decode jwt
$user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true);
if ($user != $user_data['email']){
// check if $user is email address, only accept email address as username
return false;
}
- if ($create && !empty($identity_provider_settings['roles'])){
+ if ($create && !empty($identity_provider_settings['mappers'])){
// try to create mbox on successfull login
$user_roles = $user_data['realm_access']['roles'];
$mbox_template = null;
// check if matching rolemapping exist
foreach ($user_roles as $index => $role){
if (in_array($role, $identity_provider_settings['roles'])) {
$mbox_template = $identity_provider_settings['templates'][$index];
break;
}
}
if ($mbox_template){
$stmt = $pdo->prepare("SELECT * FROM `templates`
WHERE `template` = :template AND type = 'mailbox'");
$stmt->execute(array(
":template" => $mbox_template
));
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
if (!empty($mbox_template_data)){
$mbox_template_data = json_decode($mbox_template_data["attributes"], true);
$mbox_template_data['domain'] = explode('@', $user)[1];
$mbox_template_data['local_part'] = explode('@', $user)[0];
$mbox_template_data['authsource'] = 'keycloak';
$_SESSION['iam_create_login'] = true;
$create_res = mailbox('add', 'mailbox', $mbox_template_data);
$_SESSION['iam_create_login'] = false;
if (!$create_res){
return false;
}
}
}
}
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return 'user';
} else {
return false;
}
}
+// Keycloak REST Api Flow - auth user by mailcow_password attribute
+// This password will be used for direct UI, IMAP and SMTP Auth
+// To use direct user credentials, only Authorization Code Flow is valid
+function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create = false){
+ global $pdo;
+
+ $identity_provider_settings = identity_provider('get');
+
+ // get access_token for service account of mailcow client
+ $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+ $req = http_build_query(array(
+ 'grant_type' => 'client_credentials',
+ 'client_id' => $identity_provider_settings['client_id'],
+ 'client_secret' => $identity_provider_settings['client_secret']
+ ));
+ $curl = curl_init();
+ curl_setopt($curl, CURLOPT_URL, $url);
+ curl_setopt($curl, CURLOPT_POST, 1);
+ curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+ curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+ $mcclient_res = json_decode(curl_exec($curl), true);
+ $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+ curl_close ($curl);
+ if ($code != 200) {
+ return false;
+ }
+
+ // get the mailcow_password attribute from keycloak user
+ $url = "{$identity_provider_settings['server_url']}/admin/realms/{$identity_provider_settings['realm']}/users";
+ $queryParams = array('email' => $user, 'exact' => true);
+ $queryString = http_build_query($queryParams);
+ $curl = curl_init();
+ curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($curl, CURLOPT_HTTPHEADER, array(
+ 'Authorization: Bearer ' . $mcclient_res['access_token'],
+ 'Content-Type: application/json'
+ ));
+ $user_res = json_decode(curl_exec($curl), true)[0];
+ $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+ curl_close($curl);
+ if ($code != 200) {
+ return false;
+ }
+
+
+
+ // validate mailcow_password
+ $mailcow_password = $user_res['attributes']['mailcow_password'][0];
+ if (!verify_hash($mailcow_password, $pass)) {
+ return false;
+ }
+
+ // get mapped template, if not set return false
+ // also return false if no mappers were defined
+ $user_template = $user_data['attributes']['mailcow_template'][0];
+ if ($create && (empty($identity_provider_settings['mappers']) || $user_template)){
+ return false;
+ } else if (!$create) {
+ // login success - dont create mailbox
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $user, '*'),
+ 'msg' => array('logged_in_as', $user)
+ );
+ return 'user';
+ }
+
+ // try to create mbox on successfull login
+ $mbox_template = null;
+ // check if matching rolemapping exist
+ foreach ($identity_provider_settings['mappers'] as $index => $mapper){
+ if (in_array($mapper, $identity_provider_settings['mappers'])) {
+ $mbox_template = $identity_provider_settings['templates'][$index];
+ break;
+ }
+ }
+ if (!$mbox_template){
+ // no matching template found
+ return false;
+ }
+ $stmt = $pdo->prepare("SELECT * FROM `templates`
+ WHERE `template` = :template AND type = 'mailbox'");
+ $stmt->execute(array(
+ ":template" => $mbox_template
+ ));
+ $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+ if (empty($mbox_template_data)){
+ return false;
+ }
+
+ $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+ $mbox_template_data['domain'] = explode('@', $user)[1];
+ $mbox_template_data['local_part'] = explode('@', $user)[0];
+ $mbox_template_data['authsource'] = 'keycloak';
+ $_SESSION['iam_create_login'] = true;
+ $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+ $_SESSION['iam_create_login'] = false;
+ if (!$create_res){
+ return false;
+ }
+
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $user, '*'),
+ 'msg' => array('logged_in_as', $user)
+ );
+ return 'user';
+}
+// Authorization Code Flow
function keycloak_verify_token(){
global $keycloak_provider;
global $pdo;
try {
$token = $keycloak_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
} catch (Exception $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__),
'msg' => array('login_failed', $e->getMessage())
);
- die($e->getMessage() . " - " . $_GET['code'] . " - " . $_SESSION['oauth2state']);
return false;
}
- $login = false;
$_SESSION['keycloak_token'] = $token->getToken();
$_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
// decode jwt data
$info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
- if (in_array("mailbox", $info['realm_access']['roles']) && $info['email']){
- // token valid, get mailbox
- $stmt = $pdo->prepare("SELECT * FROM `mailbox`
- INNER JOIN domain on mailbox.domain = domain.domain
- WHERE `kind` NOT REGEXP 'location|thing|group'
- AND `mailbox`.`active`='1'
- AND `domain`.`active`='1'
- AND `username` = :user
- AND `authsource`='keycloak'");
- $stmt->execute(array(':user' => $info['email']));
- $row = $stmt->fetch(PDO::FETCH_ASSOC);
-
- if ($row){
- $_SESSION['mailcow_cc_username'] = $info['email'];
- $_SESSION['mailcow_cc_role'] = "user";
- $login = true;
- } else {
- $identity_provider_settings = identity_provider('get');
- if (!empty($identity_provider_settings['roles'])){
- // try to create mbox on successfull login
- $user_roles = $info['realm_access']['roles'];
- $mbox_template = null;
- // check if matching rolemapping exist
- foreach ($user_roles as $index => $role){
- if (in_array($role, $identity_provider_settings['roles'])) {
- $mbox_template = $identity_provider_settings['templates'][$index];
- break;
- }
- }
- if ($mbox_template){
- $stmt = $pdo->prepare("SELECT * FROM `templates`
- WHERE `template` = :template AND type = 'mailbox'");
- $stmt->execute(array(
- ":template" => $mbox_template
- ));
- $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
-
- if (!empty($mbox_template_data)){
- $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
- $mbox_template_data['domain'] = explode('@', $info['email'])[1];
- $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
- $mbox_template_data['authsource'] = 'keycloak';
- $_SESSION['iam_create_login'] = true;
- $create_res = mailbox('add', 'mailbox', $mbox_template_data);
- $_SESSION['iam_create_login'] = false;
- if ($create_res){
- $_SESSION['mailcow_cc_username'] = $info['email'];
- $_SESSION['mailcow_cc_role'] = "user";
- $login = true;
- }
- }
- }
- }
- }
- }
+ // check if email address is given
+ if (!$info['email']){
+ return false;
+ }
- if ($login){
+
+ // token valid, get mailbox
+ $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+ INNER JOIN domain on mailbox.domain = domain.domain
+ WHERE `kind` NOT REGEXP 'location|thing|group'
+ AND `mailbox`.`active`='1'
+ AND `domain`.`active`='1'
+ AND `username` = :user
+ AND `authsource`='keycloak'");
+ $stmt->execute(array(':user' => $info['email']));
+ $row = $stmt->fetch(PDO::FETCH_ASSOC);
+ if ($row){
+ // success
+ $_SESSION['mailcow_cc_username'] = $info['email'];
+ $_SESSION['mailcow_cc_role'] = "user";
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
);
- } else {
+ return true;
+ }
+ // get mapped template, if not set return false
+ // also return false if no mappers were defined
+ $identity_provider_settings = identity_provider('get');
+ $user_template = $info['mailcow_template'];
+ if (empty($identity_provider_settings['mappers']) || empty($user_template)){
+ unset_auth_session();
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+ 'msg' => 'login_failed'
+ );
+ return false;
+ }
+ $mbox_template = null;
+ // check if matching rolemapping exist
+ foreach ($identity_provider_settings['mappers'] as $index => $mapper){
+ if ($user_template == $mapper) {
+ $mbox_template = $identity_provider_settings['templates'][$index];
+ break;
+ }
+ }
+ if (!$mbox_template){
+ // no matching template found
+ unset_auth_session();
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+ 'msg' => 'login_failed'
+ );
+ return false;
+ }
+ $stmt = $pdo->prepare("SELECT * FROM `templates`
+ WHERE `template` = :template AND type = 'mailbox'");
+ $stmt->execute(array(
+ ":template" => $mbox_template
+ ));
+ $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+ if (empty($mbox_template_data)){
+ unset_auth_session();
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+ 'msg' => 'login_failed'
+ );
+ return false;
+ }
+
+ // create mailbox
+ $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+ $mbox_template_data['domain'] = explode('@', $info['email'])[1];
+ $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
+ $mbox_template_data['authsource'] = 'keycloak';
+ $_SESSION['iam_create_login'] = true;
+ $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+ $_SESSION['iam_create_login'] = false;
+ if (!$create_res){
unset_auth_session();
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
'msg' => 'login_failed'
);
+ return false;
}
- return $login;
+
+ $_SESSION['mailcow_cc_username'] = $info['email'];
+ $_SESSION['mailcow_cc_role'] = "user";
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+ 'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+ );
+ return true;
}
function keycloak_refresh(){
global $keycloak_provider;
try {
$token = $keycloak_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['keycloak_refresh_token']]);
} catch (Exception $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__),
'msg' => array('login_failed', $e->getMessage())
);
return false;
}
-
- $refresh = false;
$_SESSION['keycloak_token'] = $token->getToken();
$_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
// decode jwt data
$info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
- if (in_array("mailbox", $info['realm_access']['roles']) && $info['email']){
- $_SESSION['mailcow_cc_username'] = $info['email'];
-
- $_SESSION['mailcow_cc_role'] = "user";
- $refresh = true;
- }
-
- if (!$refresh){
+ if (!$info['email']){
unset_auth_session();
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
'msg' => 'refresh_login_failed'
);
}
- return $refresh;
+ $_SESSION['mailcow_cc_username'] = $info['email'];
+ $_SESSION['mailcow_cc_role'] = "user";
+ return true;
}
function keycloak_get_redirect(){
global $keycloak_provider;
$authUrl = $keycloak_provider->getAuthorizationUrl();
$_SESSION['oauth2state'] = $keycloak_provider->getState();
return $authUrl;
}
function keycloak_get_logout(){
global $keycloak_provider;
$logoutUrl = $keycloak_provider->getLogoutUrl();
$logoutUrl = $logoutUrl . "&post_logout_redirect_uri=https://" . $_SERVER['SERVER_NAME'];
return $logoutUrl;
}

File Metadata

Mime Type
text/x-diff
Expires
9月 9 Tue, 5:39 AM (7 h, 34 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5300
默认替代文本
(47 KB)

Event Timeline

WMGMC Technical Group