[Web] move /process/login to internal endpoint

This commit is contained in:
FreddleSpl0it
2023-04-12 15:32:22 +02:00
parent 4b2e996c6f
commit 2f97e6efe8
10 changed files with 123 additions and 58 deletions


@@ -9,7 +9,7 @@ function unset_auth_session(){
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_methods']);
}
function check_login($user, $pass, $app_passwd_data = false) {
function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
global $pdo;
global $redis;
@@ -35,12 +35,6 @@ function check_login($user, $pass, $app_passwd_data = false) {
}
// Validate mailbox user
// skip log & ldelay if requests comes from dovecot
$is_dovecot = false;
$request_ip = $_SERVER['REMOTE_ADDR'];
if ($request_ip == getenv('IPV4_NETWORK').'.250'){
$is_dovecot = true;
}
// check authsource
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
@@ -54,9 +48,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
// mbox does not exist, call keycloak login and create mbox if possible
$identity_provider_settings = identity_provider('get');
if ($identity_provider_settings['login_flow'] == 'ropc'){
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
} else {
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
}
if ($result){
return $result;
@@ -64,7 +58,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
} else if ($row['authsource'] == 'keycloak'){
if ($app_passwd_data){
// first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
@@ -72,9 +66,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
$identity_provider_settings = identity_provider('get');
if ($identity_provider_settings['login_flow'] == 'ropc'){
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
} else {
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
}
if ($result){
return $result;
@@ -82,21 +76,20 @@ function check_login($user, $pass, $app_passwd_data = false) {
} else {
if ($app_passwd_data){
// first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
}
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
}
// skip log and only return false
// netfilter uses dovecot error log for banning
if ($is_dovecot){
// skip log and only return false if it's an internal request
if ($is_internal){
return false;
}
if (!isset($_SESSION['ldelay'])) {
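Review bot: The new `$is_internal` flag disables both the failed-login log entry and the `ldelay` throttle at `if ($is_internal){ return false; }`, but unlike the removed `$is_dovecot` check it is no longer tied to the request source: any caller that passes `true` gets unthrottled, unlogged authentication attempts. That is acceptable only if the flag is set solely by the internal endpoint (not visible here), so the contract belongs on the signature in the first hunk, e.g. `/** @param bool $is_internal true only for requests arriving via the internal endpoint; skips ldelay and failed-login logging, so it must never be derived from client-supplied data */`. The dropped line `// netfilter uses dovecot error log for banning` explained why skipping the log is safe for that path and should survive in the rewritten comment. check_login continues past the end of this hunk.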


@@ -2045,6 +2045,25 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
return true;
break;
case "init":
$identity_provider_settings = identity_provider('get');
$provider = null;
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $identity_provider_settings['server_url'],
'realm' => $identity_provider_settings['realm'],
'clientId' => $identity_provider_settings['client_id'],
'clientSecret' => $identity_provider_settings['client_secret'],
'redirectUri' => $identity_provider_settings['redirect_url'],
'version' => $identity_provider_settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
}
return $provider;
break;
}
}
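Review bot: The new `init` case returns `null` whenever any of the six settings is falsy, so a value of `'0'` or an empty string is treated the same as an unconfigured provider and callers cannot tell "SSO disabled" from "misconfigured"; the prerequisites file now depends on that null. A one-line comment on the case would make the contract explicit, e.g. `// init: build a Keycloak provider from the stored settings; returns null when any required setting is missing`. The three commented-out `encryption*` options were carried over verbatim from the old inline code and are dead text inside a shared function; either drop them or reduce them to a note on where token-verification keys would be configured. The `break;` after `return $provider;` is unreachable but matches the surrounding cases.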


@@ -175,22 +175,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
// Init Keycloak Provider
$identity_provider_settings = identity_provider('get');
$keycloak_provider = null;
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
$keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $identity_provider_settings['server_url'],
'realm' => $identity_provider_settings['realm'],
'clientId' => $identity_provider_settings['client_id'],
'clientSecret' => $identity_provider_settings['client_secret'],
'redirectUri' => $identity_provider_settings['redirect_url'],
'version' => $identity_provider_settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
}
$keycloak_provider = identity_provider('init');
// IMAP lib
// use Ddeboer\Imap\Server;
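Review bot: `$keycloak_provider = identity_provider('init');` replaces the inline construction, but this page does not mark which side `$identity_provider_settings = identity_provider('get');` is on; if that line is removed, any later code in this file or in files included after it that reads the global `$identity_provider_settings` now sees an undefined variable, which is worth checking before merge. Since `init` returns `null` when the settings are incomplete, `$keycloak_provider` can still be null exactly as before, so downstream null checks remain necessary. A short comment on the assignment, e.g. `// null when the identity provider is not fully configured`, would document that remaining contract.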