Merge pull request #2360 from mhofer117/allow-admin-email-login

Allow admins to login as email user (without any password)
2019-02-24 18:49:13 +01:00
parent 108e808d06 4482aee747
commit 298a8d24e9
12 changed files with 1105 additions and 991 deletions
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -118,6 +118,17 @@ default_pass_scheme = SSHA256
 password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
 EOF

+if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
+passdb {
+  driver = static
+  args = password= allow_real_nets=${IPV4_NETWORK}.248/32
+}
+EOF
+else
+    rm -f /usr/local/etc/dovecot/sogo-sso.conf
+fi
+
 # Create global sieve_after script
 cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve

--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -389,4 +389,5 @@ auth_cache_negative_ttl = 0
 auth_cache_ttl = 30 s
 auth_cache_size = 2 M
 !include_try /usr/local/etc/dovecot/extra.conf
+!include_try /usr/local/etc/dovecot/sogo-sso.conf
 default_client_limit = 10400
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -164,6 +164,17 @@ server {
    client_max_body_size 0;
  }

+  # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
+  location /sogo-auth-verify {
+    internal;
+    proxy_set_header  X-Original-URI $request_uri;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  Host $http_host;
+    proxy_set_header  Content-Length "";
+    proxy_pass        http://127.0.0.1:80/sogo-auth;
+    proxy_pass_request_body off;
+  }
+
  location ^~ /SOGo {
    include /etc/nginx/conf.d/sogo.active;
    proxy_set_header X-Real-IP $remote_addr;
--- a/data/conf/nginx/templates/sogo.auth_request.template.sh
+++ b/data/conf/nginx/templates/sogo.auth_request.template.sh
@@ -0,0 +1,6 @@
+if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
+    echo 'auth_request /sogo-auth-verify;
+auth_request_set $user $upstream_http_x_username;
+proxy_set_header x-webobjects-remote-user $user;
+'
+fi
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -83,4 +83,6 @@
  //SOGoUIxDebugEnabled = YES;
  //WODontZipResponse = YES;
    WOLogFile = "/dev/sogo_log";
+
+    SOGoTrustProxyAuthentication = YES;
 }
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
--- a/data/web/mailbox.php
+++ b/data/web/mailbox.php
@@ -348,6 +348,11 @@ $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? 'true' : 'false';
 echo "var role = '". $role . "';\n";
 echo "var is_dual = " . $is_dual . ";\n";
 echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
+$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
+	"/^([yY][eE][sS]|[yY])+$/",
+    $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
+)) ? "true" : "false";
+echo "var ALLOW_ADMIN_EMAIL_LOGIN = " . $ALLOW_ADMIN_EMAIL_LOGIN . ";\n";
 ?>
 </script>
 <?php
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -0,0 +1,64 @@
+<?php
+
+/**
+* currently disabled: we could add auth_request to ningx sogo_eas.template
+* but this seems to be not required with the postfix allow_real_nets option
+*/
+/*
+if (substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 28) === "/Microsoft-Server-ActiveSync") {
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+
+  $server=print_r($_SERVER, true);
+  $username = $_SERVER['PHP_AUTH_USER'];
+  $password = $_SERVER['PHP_AUTH_PW'];
+  $login_check = check_login($username, $password);
+  if ($login_check !== 'user') {
+      header('HTTP/1.0 401 Unauthorized');
+      echo 'Invalid login';
+      exit;
+  } else {
+      echo 'Login OK';
+      exit;
+  }
+} else {
+  // other code
+}
+*/
+
+$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
+  "/^([yY][eE][sS]|[yY])+$/",
+  $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
+));
+
+$session_variable = 'sogo-sso-user';
+
+if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
+  header("Location: /");
+  exit;
+}
+elseif (isset($_GET['login'])) {
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['acl']['login_as'] == "1") {
+    $login = html_entity_decode(rawurldecode($_GET["login"]));
+    if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
+      if (!empty(mailbox('get', 'mailbox_details', $login))) {
+        $_SESSION[$session_variable] = $login;
+        header("Location: /SOGo/");
+        exit;
+      }
+    }
+  }
+  header("Location: /");
+  exit;
+}
+else {
+  // this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
+  session_start();
+  $username = "";
+  if (isset($_SESSION[$session_variable]) && filter_var($_SESSION[$session_variable], FILTER_VALIDATE_EMAIL)) {
+      $username = $_SESSION[$session_variable];
+  }
+  // if username is empty, SOGo will display the normal login form
+  header("X-Username: $username");
+  exit;
+}