[Web] manage keycloak identity provider

2023-03-12 19:08:09 +01:00
parent 638a81c58c
commit 0a78c742d7
7 changed files with 170 additions and 0 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1899,6 +1899,74 @@ function rspamd_ui($action, $data = null) {
    break;
  }
 }
+function identity_provider($_action, $_data = null) {
+  global $pdo;
+
+  if ($_SESSION['mailcow_cc_role'] != "admin") {
+    $_SESSION['return'][] = array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_action, $_data),
+      'msg' => 'access_denied'
+    );
+    return false;
+  }
+
+  switch ($_action) {
+    case 'get':
+      $settings = array();
+      $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
+      $stmt->execute();
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      foreach($rows as $row){
+        $settings[$row["key"]] = $row["value"];
+      }
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $settings),
+        'msg' => 'admin_api_modified'
+      );
+      return $settings;
+    case 'edit':
+      $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version');
+      foreach($required_settings as $setting){
+        if (!$_data[$setting]){
+          return false;
+        }
+      }
+      try {
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => '2'
+        );
+        $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => '3'
+        );
+      } catch (Exception $e){
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data, $e->getMessage()),
+          'msg' => 'post'
+        );
+        return;
+      }
+
+      foreach($_data as $key => $value){
+        if (!in_array($key, $required_settings)){
+          continue;
+        }
+
+        $stmt->bindParam(':key', $key);
+        $stmt->bindParam(':value', $value);
+        $stmt->execute();
+      }
+      return true;
+    break;
+  }
+}

 function get_logs($application, $lines = false) {
  if ($lines === false) {
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -552,6 +552,20 @@ function init_db_schema() {
        ),
        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
      ),
+      "identity_provider" => array(
+        "cols" => array(
+          "key" => "VARCHAR(255) NOT NULL",
+          "value" => "VARCHAR(255) NOT NULL",
+          "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
+          "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("key")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
      "logs" => array(
        "cols" => array(
          "id" => "INT NOT NULL AUTO_INCREMENT",
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -176,6 +176,24 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';

+// Init Keycloak Provider
+$identity_provider_settings = identity_provider('get');
+$keycloak_provider = null;
+if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
+    $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
+  $keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    'authServerUrl'         => $identity_provider_settings['server_url'],
+    'realm'                 => $identity_provider_settings['realm'],
+    'clientId'              => $identity_provider_settings['client_id'],
+    'clientSecret'          => $identity_provider_settings['client_secret'],
+    'redirectUri'           => $identity_provider_settings['redirect_url'],
+    'version'               => $identity_provider_settings['version'],                            
+    // 'encryptionAlgorithm'   => 'RS256',                             // optional
+    // 'encryptionKeyPath'     => '../key.pem'                         // optional
+    // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+  ]);
+}
+
 // IMAP lib
 // use Ddeboer\Imap\Server;
 // $imap_server = new Server('dovecot', 143, '/imap/tls/novalidate-cert');