[Web] Feature: Allow app passwords for imap/smtp, allow to set acl permission for app passwords (domain admin [when logged in as user] and user)

2019-12-02 11:02:19 +01:00
parent 0e6dfdd0fe
commit 653c058e33
13 changed files with 490 additions and 3 deletions
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@@ -0,0 +1,210 @@
+<?php
+function app_passwd($_action, $_data = null) {
+	global $pdo;
+	global $lang;
+  $_data_log = $_data;
+  if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) {
+    if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) {
+      $_SESSION['return'][] = array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $_action, $_data_log),
+        'msg' => 'access_denied'
+      );
+      return false;
+    }
+    else {
+      $username = $_data['username'];
+    }
+  }
+  else {
+    $username = $_SESSION['mailcow_cc_username'];
+  }
+  switch ($_action) {
+    case 'add':
+      $name = trim($_data['name']);
+      $password     = $_data['password'];
+      $password2    = $_data['password2'];
+      $active = intval($_data['active']);
+      $domain = mailbox('get', 'mailbox_details', $username)['domain'];
+      if (empty($domain)) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      if (!empty($password) && !empty($password2)) {
+        if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => 'password_complexity'
+          );
+          return false;
+        }
+        if ($password != $password2) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => 'password_mismatch'
+          );
+          return false;
+        }
+        $password_hashed = hash_password($password);
+      }
+      if (empty($name)) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'app_name_empty'
+        );
+        return false;
+      }
+      try {
+        $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
+          VALUES (:name, :mailbox, :domain, :password, :active)");
+        $stmt->execute(array(
+          ':name' => $name,
+          ':mailbox' => $mailbox,
+          ':domain' => $domain,
+          ':password' => $password,
+          ':active' => $active
+        ));
+      }
+      catch (PDOException $e) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('mysql_error', $e)
+        );
+        return false;
+      }
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $_data_log),
+        'msg' => 'app_passwd_added'
+      );
+    break;
+    case 'edit':
+      $ids = (array)$_data['id'];
+      foreach ($ids as $id) {
+        $is_now = app_passwd('details', $id);
+        if (!empty($is_now)) {
+          $name = (!empty($_data['name'])) ? $_data['name'] : $is_now['name'];
+          $password = (!empty($_data['password'])) ? $_data['password'] : null;
+          $password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;
+          $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+        }
+        else {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('settings_map_invalid', $id)
+          );
+          continue;
+        }
+        $name = trim($name);
+        if (!empty($password) && !empty($password2)) {
+          if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'password_complexity'
+            );
+            continue;
+          }
+          if ($password != $password2) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'password_mismatch'
+            );
+            continue;
+          }
+          $password_hashed = hash_password($password);
+          $stmt = $pdo->prepare("UPDATE `app_passwd` SET
+              `password` = :password_hashed
+                WHERE `mailbox` = :username AND `id` = :id");
+          $stmt->execute(array(
+            ':password_hashed' => $password_hashed,
+            ':username' => $username,
+            ':id' => $id
+          ));
+        }
+        try {
+          $stmt = $pdo->prepare("UPDATE `app_passwd` SET
+            `name` = :name,
+            `mailbox` = :username,
+            `active` = :active
+              WHERE `id` = :id");
+          $stmt->execute(array(
+            ':name' => $name,
+            ':username' => $username,
+            ':active' => $active,
+            ':id' => $id
+          ));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('mysql_error', $e)
+          );
+          continue;
+        }
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('object_modified', htmlspecialchars($ids))
+        );
+      }
+    break;
+    case 'delete':
+      $ids = (array)$_data['id'];
+      foreach ($ids as $id) {
+        try {
+          $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id AND `mailbox`= :username");
+          $stmt->execute(array(':id' => $id, ':username' => $username));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('mysql_error', $e)
+          );
+          return false;
+        }
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('app_passwd_removed', htmlspecialchars($id))
+        );
+      }
+    break;
+    case 'get':
+      $app_passwds = array();
+      $stmt = $pdo->prepare("SELECT `id`, `name` FROM `app_passwd` WHERE `mailbox` = :username");
+      $stmt->execute(array(':username' => $username));
+      $app_passwds = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      return $app_passwds;
+    break;
+    case 'details':
+      $app_passwd_data = array();
+      $stmt = $pdo->prepare("SELECT `id`,
+        `name`,
+        `mailbox`,
+        `domain`,
+        `created`,
+        `modified`,
+        `active` AS `active_int`,
+        CASE `active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
+          FROM `app_passwd`
+            WHERE `id` = :id
+              AND `mailbox` = :username");
+      $stmt->execute(array(':id' => $_data, ':username' => $username));
+      $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC);
+      return $app_passwd_data;
+    break;
+  }
+}
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1260,17 +1260,20 @@ function license($action, $data = null) {
          $_SESSION['gal']['valid'] = "true";
          $_SESSION['gal']['c'] = $json_return['c'];
          $_SESSION['gal']['s'] = $json_return['s'];
-                  }
+          $_SESSION['gal']['m'] = str_repeat('🐄', substr_count($json_return['m'], 'o'));
+        }
        elseif ($json_return['response'] === "invalid") {
          $_SESSION['gal']['valid'] = "false";
          $_SESSION['gal']['c'] = $lang['mailbox']['no'];
          $_SESSION['gal']['s'] = $lang['mailbox']['no'];
+          $_SESSION['gal']['m'] = $lang['mailbox']['no'];
        }
      }
      else {
        $_SESSION['gal']['valid'] = "false";
        $_SESSION['gal']['c'] = $lang['danger']['temp_error'];
        $_SESSION['gal']['s'] = $lang['danger']['temp_error'];
+        $_SESSION['gal']['m'] = $lang['danger']['temp_error'];
      }
      try {
        // json_encode needs "true"/"false" instead of true/false, to not encode it to 0 or 1
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
  try {
    global $pdo;

-    $db_version = "06112019_1840";
+    $db_version = "01122019_0755";

    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -321,6 +321,37 @@ function init_db_schema() {
        ),
        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
      ),
+      "app_passwd" => array(
+        "cols" => array(
+          "id" => "INT NOT NULL AUTO_INCREMENT",
+          "name" => "VARCHAR(255) NOT NULL",
+          "mailbox" => "VARCHAR(255) NOT NULL",
+          "domain" => "VARCHAR(255) NOT NULL",
+          "password" => "VARCHAR(255) NOT NULL",
+          "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
+          "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
+          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("id")
+          ),
+          "key" => array(
+            "mailbox" => array("mailbox"),
+            "password" => array("password"),
+            "domain" => array("domain"),
+          ),
+          "fkey" => array(
+            "fk_username_app_passwd" => array(
+              "col" => "mailbox",
+              "ref" => "mailbox.username",
+              "delete" => "CASCADE",
+              "update" => "NO ACTION"
+            )
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
      "user_acl" => array(
        "cols" => array(
          "username" => "VARCHAR(255) NOT NULL",
@@ -335,6 +366,7 @@ function init_db_schema() {
          "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "quarantine_attachments" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "quarantine_notification" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
          ),
        "keys" => array(
          "primary" => array(
@@ -475,6 +507,7 @@ function init_db_schema() {
          "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "login_as" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "sogo_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "bcc_maps" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "filters" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "ratelimit" => "TINYINT(1) NOT NULL DEFAULT '1'",
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -205,6 +205,7 @@ if(file_exists($langFile)) {

 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.acl.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.app_passwd.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.mailbox.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.customize.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.address_rewriting.inc.php';