7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] Do not allow to add domain admin for non existing domain

Browse Source 
[Web] oAuth2 implementation (wip)
This commit is contained in:
andryyy
2019-10-02 19:00:36 +02:00
parent 9f66b83a34
commit 1c35002505
20 changed files with 478 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
data/web/inc/footer.inc.php
View File

@@ -175,11 +175,11 @@ $(document).ready(function() {
});
</script>
<?php
if (!empty($UI_TEXTS['ui_impress'])):
if (!empty($UI_TEXTS['ui_footer'])):
?>
<div class="container" style="margin-bottom:20px;color:#959595;">
<hr>
<?=$UI_TEXTS['ui_impress'];?>
<?=$UI_TEXTS['ui_footer'];?>
</div>
<?php
endif;

10
data/web/inc/functions.customize.inc.php
View File

@@ -112,13 +112,13 @@ function customize($_action, $_item, $_data = null) {
$main_name = $_data['main_name'];
$apps_name = $_data['apps_name'];
$help_text = $_data['help_text'];
$ui_impress = $_data['ui_impress'];
$ui_footer = $_data['ui_footer'];
try {
$redis->set('TITLE_NAME', htmlspecialchars($title_name));
$redis->set('MAIN_NAME', htmlspecialchars($main_name));
$redis->set('APPS_NAME', htmlspecialchars($apps_name));
$redis->set('HELP_TEXT', $help_text);
$redis->set('UI_IMPRESS', $ui_impress);
$redis->set('UI_FOOTER', $ui_footer);
}
catch (RedisException $e) {
$_SESSION['return'][] = array(
@@ -203,7 +203,11 @@ function customize($_action, $_item, $_data = null) {
$data['main_name'] = ($main_name = $redis->get('MAIN_NAME')) ? $main_name : 'mailcow UI';
$data['apps_name'] = ($apps_name = $redis->get('APPS_NAME')) ? $apps_name : 'mailcow Apps';
$data['help_text'] = ($help_text = $redis->get('HELP_TEXT')) ? $help_text : false;
$data['ui_impress'] = ($ui_impress = $redis->get('UI_IMPRESS')) ? $ui_impress : false;
if (!empty($redis->get('UI_IMPRESS'))) {
$redis->set('UI_FOOTER', $redis->get('UI_IMPRESS'));
$redis->del('UI_IMPRESS');
}
$data['ui_footer'] = ($ui_footer = $redis->get('UI_FOOTER')) ? $ui_footer : false;
return $data;
}
catch (RedisException $e) {

46
data/web/inc/functions.domain_admin.inc.php
View File

@@ -83,15 +83,17 @@ function domain_admin($_action, $_data = null) {
return false;
}
$password_hashed = hash_password($password);
$valid_domains = 0;
foreach ($domains as $domain) {
if (!is_valid_domain_name($domain)) {
if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data_log),
'msg' => 'domain_invalid'
'msg' => array('domain_invalid', htmlspecialchars($domain))
);
return false;
continue;
}
$valid_domains++;
$stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
VALUES (:username, :domain, :created, :active)");
$stmt->execute(array(
@@ -101,13 +103,15 @@ function domain_admin($_action, $_data = null) {
':active' => $active
));
}
$stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
VALUES (:username, :password_hashed, '0', :active)");
$stmt->execute(array(
':username' => $username,
':password_hashed' => $password_hashed,
':active' => $active
));
if ($valid_domains != 0) {
$stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
VALUES (:username, :password_hashed, '0', :active)");
$stmt->execute(array(
':username' => $username,
':password_hashed' => $password_hashed,
':active' => $active
));
}
}
else {
$_SESSION['return'][] = array(
@@ -117,15 +121,17 @@ function domain_admin($_action, $_data = null) {
);
return false;
}
$stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
$stmt->execute(array(
':username' => $username
));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_data_log),
'msg' => array('domain_admin_added', htmlspecialchars($username))
);
if ($valid_domains != 0) {
$stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
$stmt->execute(array(
':username' => $username
));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_data_log),
'msg' => array('domain_admin_added', htmlspecialchars($username))
);
}
break;
case 'edit':
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
@@ -165,7 +171,7 @@ function domain_admin($_action, $_data = null) {
$password2 = $_data['password2'];
if (!empty($domains)) {
foreach ($domains as $domain) {
if (!is_valid_domain_name($domain)) {
if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data_log),

12
data/web/inc/functions.mailbox.inc.php
View File

@@ -3806,6 +3806,18 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$stmt->execute(array(
':username' => $username
));
$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens` WHERE `user_id` = :username");
$stmt->execute(array(
':username' => $username
));
$stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens` WHERE `user_id` = :username");
$stmt->execute(array(
':username' => $username
));
$stmt = $pdo->prepare("DELETE FROM `oauth_authorization_codes` WHERE `user_id` = :username");
$stmt->execute(array(
':username' => $username
));
$stmt = $pdo->prepare("SELECT `address`, `goto` FROM `alias`
WHERE `goto` REGEXP :username");
$stmt->execute(array(':username' => '(^|,)'.$username.'($|,)'));

152
data/web/inc/functions.oauth2.inc.php
View File

@@ -4,9 +4,10 @@ function oauth2($_action, $_type, $_data = null) {
global $redis;
global $lang;
if ($_SESSION['mailcow_cc_role'] != "admin") {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'access_denied'
);
return false;
}
@@ -14,30 +15,26 @@ function oauth2($_action, $_type, $_data = null) {
case 'add':
switch ($_type) {
case 'client':
$client_id = $_data['client_id'];
$client_secret = $_data['client_secret'];
$client_id = bin2hex(random_bytes(6));
$client_secret = bin2hex(random_bytes(12));
$redirect_uri = $_data['redirect_uri'];
$scope = 'profile';
// For future use
// $grant_type = isset($_data['grant_type']) ? $_data['grant_type'] : 'authorization_code';
// $scope = isset($_data['scope']) ? $_data['scope'] : 'profile';
if ($grant_type != "authorization_code" && $grant_type != "password") {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
);
return false;
}
// For future use
// if ($grant_type != "authorization_code" && $grant_type != "password") {
// $_SESSION['return'][] = array(
// 'type' => 'danger',
// 'log' => array(__FUNCTION__, $_action, $_type, $_data),
// 'msg' => 'access_denied'
// );
// return false;
// }
if ($scope != "profile") {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
);
return false;
}
if (!ctype_alnum($client_id) || !ctype_alnum($client_secret)) {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'Invalid scope'
);
return false;
}
@@ -46,21 +43,24 @@ function oauth2($_action, $_type, $_data = null) {
$stmt->execute(array(':client_id' => $client_id));
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
if ($num_results != 0) {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'Client ID exists'
);
return false;
}
$stmt = $pdo->prepare("INSERT INTO `oauth_clients` (`client_id`, `client_secret` ,`redirect_uri`)
VALUES (:client_id, :client_secret, :redirect_uri)");
$stmt = $pdo->prepare("INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`)
VALUES (:client_id, :client_secret, :redirect_uri, :scope)");
$stmt->execute(array(
':client_id' => $client_id,
':client_secret' => $client_secret,
':redirect_uri' => $redirect_uri
':redirect_uri' => $redirect_uri,
':scope' => $scope
));
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'Added client access'
);
break;
@@ -73,47 +73,73 @@ function oauth2($_action, $_type, $_data = null) {
foreach ($ids as $id) {
$is_now = oauth2('details', 'client', $id);
if (!empty($is_now)) {
$client_id = (!empty($_data['client_id'])) ? $_data['client_id'] : $is_now['client_id'];
$client_secret = (!empty($_data['client_secret'])) ? $_data['client_secret'] : $is_now['client_secret'];
$redirect_uri = (!empty($_data['redirect_uri'])) ? $_data['redirect_uri'] : $is_now['redirect_uri'];
$redirect_uri = (!empty($_data['redirect_uri'])) ? $_data['redirect_uri'] : $is_now['redirect_uri'];
}
else {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'access_denied'
);
return false;
}
if (!ctype_alnum($client_id) || !ctype_alnum($client_secret)) {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => 'Client ID and secret must be alphanumeric'
if (isset($_data['revoke_tokens'])) {
$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
WHERE `client_id` IN (
SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
)");
$stmt->execute(array(
':id' => $id
));
$stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens`
WHERE `client_id` IN (
SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
)");
$stmt->execute(array(
':id' => $id
));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => array('object_modified', htmlspecialchars($id))
);
return false;
continue;
}
if (isset($_data['renew_secret'])) {
$client_secret = bin2hex(random_bytes(12));
$stmt = $pdo->prepare("UPDATE `oauth_clients` SET `client_secret` = :client_secret WHERE `id` = :id");
$stmt->execute(array(
':client_secret' => $client_secret,
':id' => $id
));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => array('object_modified', htmlspecialchars($id))
);
continue;
}
if (empty($redirect_uri)) {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'Redirect/Callback URL cannot be empty'
);
return false;
continue;
}
$stmt = $pdo->prepare("UPDATE `oauth_clients` SET
`client_id` = :client_id,
`client_secret` = :client_secret,
`redirect_uri` = :redirect_uri
WHERE `id` = :id");
$stmt->execute(array(
':id' => $id,
':client_id' => $client_id,
':client_secret' => $client_secret,
':redirect_uri' => $redirect_uri
));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => array('object_modified', htmlspecialchars($id))
);
}
$_SESSION['return'] = array(
'type' => 'success',
'msg' => sprintf($lang['success']['object_modified'], htmlspecialchars(implode(', ', $ids)))
);
break;
}
break;
@@ -123,39 +149,45 @@ function oauth2($_action, $_type, $_data = null) {
(array)$ids = $_data['id'];
foreach ($ids as $id) {
if (!is_numeric($id)) {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'access_denied'
);
return false;
continue;
}
$stmt = $pdo->prepare("DELETE FROM `oauth_clients` WHERE `id` = :id");
$stmt = $pdo->prepare("DELETE FROM `oauth_clients`
WHERE `id` = :id");
$stmt->execute(array(
':id' => $id
));
}
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'success',
'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $ids))
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => array('items_deleted', htmlspecialchars($id))
);
break;
case 'access_token':
(array)$access_tokens = $_data['access_token'];
foreach ($access_tokens as $access_token) {
if (!ctype_alnum($access_token)) {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'access_denied'
);
return false;
}
$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens` WHERE `access_token` = :access_token");
$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
WHERE `access_token` = :access_token");
$stmt->execute(array(
':access_token' => $access_token
));
}
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $access_tokens))
);
break;
@@ -163,9 +195,10 @@ function oauth2($_action, $_type, $_data = null) {
(array)$refresh_tokens = $_data['refresh_token'];
foreach ($refresh_tokens as $refresh_token) {
if (!ctype_alnum($refresh_token)) {
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => 'access_denied'
);
return false;
}
@@ -174,8 +207,9 @@ function oauth2($_action, $_type, $_data = null) {
':refresh_token' => $refresh_token
));
}
$_SESSION['return'] = array(
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_type, $_data),
'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $refresh_tokens))
);
break;

13
data/web/inc/init_db.inc.php
View File

@@ -3,7 +3,7 @@ function init_db_schema() {
try {
global $pdo;
$db_version = "27092019_1040";
$db_version = "29092019_1040";
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -1055,6 +1055,17 @@ BEGIN
DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
END;
//
DELIMITER ;';
$events[] = 'DROP EVENT IF EXISTS clean_oauth2;
DELIMITER //
CREATE EVENT clean_oauth2
ON SCHEDULE EVERY 1 DAY DO
BEGIN
DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
DELETE FROM oauth_access_tokens WHERE expires < NOW();
DELETE FROM oauth_authorization_codes WHERE expires < NOW();
END;
//
DELIMITER ;';
foreach ($events as $event) {
$pdo->exec($event);

8
data/web/inc/prerequisites.inc.php
View File

@@ -105,13 +105,15 @@ class mailcowPdo extends OAuth2\Storage\Pdo {
$oauth2_scope_storage = new OAuth2\Storage\Memory(array('default_scope' => 'profile', 'supported_scopes' => array('profile')));
$oauth2_storage = new mailcowPdo(array('dsn' => $dsn, 'username' => $database_user, 'password' => $database_pass));
$oauth2_server = new OAuth2\Server($oauth2_storage, array(
'always_issue_new_refresh_token' => true,
'refresh_token_lifetime' => 2678400,
'refresh_token_lifetime' => $REFRESH_TOKEN_LIFETIME,
'access_lifetime' => $ACCESS_TOKEN_LIFETIME,
));
$oauth2_server->setScopeUtil(new OAuth2\Scope($oauth2_scope_storage));
$oauth2_server->addGrantType(new OAuth2\GrantType\AuthorizationCode($oauth2_storage));
$oauth2_server->addGrantType(new OAuth2\GrantType\UserCredentials($oauth2_storage));
$oauth2_server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage));
$oauth2_server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array(
'always_issue_new_refresh_token' => true
)));
function exception_handler($e) {
if ($e instanceof PDOException) {

4
data/web/inc/vars.inc.php
View File

@@ -129,6 +129,10 @@ $DOCKER_TIMEOUT = 60;
// Anonymize IPs logged via UI
$ANONYMIZE_IPS = true;
// OAuth2 settings
$REFRESH_TOKEN_LIFETIME = 2678400;
$ACCESS_TOKEN_LIFETIME = 86400;
// MAILBOX_DEFAULT_ATTRIBUTES define default attributes for new mailboxes
// These settings will not change existing mailboxes