From 6f37609dbda4c7794729d086cbcbe8b0d76db081 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 7 Jul 2023 08:52:54 +0200
Subject: [PATCH] [Web] add curl timeouts to oidc requests
---
 data/web/inc/functions.auth.inc.php | 7 +++++++
 data/web/inc/functions.inc.php | 16 ++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f7a2a351..db0da00d 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -299,6 +299,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
 $queryParams = array('email' => $user, 'exact' => true);
 $queryString = http_build_query($queryParams);
 $curl = curl_init();
+ curl_setopt($curl, CURLOPT_TIMEOUT, 7);
 curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
 curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($curl, CURLOPT_HTTPHEADER, array(
@@ -311,6 +312,12 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
 if ($code != 200) {
 return false;
 }
+ if (!isset($user_res['attributes']['mailcow_password']) || !is_array($user_res['attributes']['mailcow_password'])){
+ return false;
+ }
+ if (empty($user_res['attributes']['mailcow_password'][0])){
+ return false;
+ }
 // validate mailcow_password
 $mailcow_password = $user_res['attributes']['mailcow_password'][0];
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 7c242e15..bb632304 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
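Review bot: The added `curl_setopt($curl, CURLOPT_TIMEOUT, 7);` in keycloak_mbox_login_rest() bounds the whole transfer, which is the right thing on a login path, but the literal 7 is now repeated in every IdP request of this patch; hoist it into one named constant, e.g. `define('IAM_CURL_TIMEOUT', 7);` next to the other IAM settings and then `curl_setopt($curl, CURLOPT_TIMEOUT, IAM_CURL_TIMEOUT);` here, so the value is tuned in one place. When the timeout fires, curl_exec() presumably returns false and the `$code != 200` check in the next hunk makes the login fail closed, which is correct, but nothing records curl_errno()/curl_error(), so an operator cannot tell "Keycloak unreachable" from "wrong password" in the logs; consider logging it on that failure path. A one-line why-comment on the new line would also help the next reader: `// bound the whole request so a hung IdP cannot pin a PHP worker during login`. keycloak_mbox_login_rest() starts before and continues after this hunk.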
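Review bot: The new `empty($user_res['attributes']['mailcow_password'][0])` guard rejects on PHP truthiness rather than on presence and type, so a stored value of exactly "0" is refused and a non-string element (e.g. a nested array) passes through to the hash validation below. Since the preceding `if` already guarantees `mailcow_password` is an array, the tighter second check is `if (!is_string($user_res['attributes']['mailcow_password'][0] ?? null) || $user_res['attributes']['mailcow_password'][0] === '') {`, which fails closed on a missing index, a wrong type and an empty string without relying on truthiness. Keeping the `!is_array` test above it is still worthwhile, because `[0]` on a plain string would otherwise silently yield its first character. The `// validate mailcow_password` comment could state the contract the guards now enforce: the attribute must be a non-empty list whose first element is a string hash. The rest of keycloak_mbox_login_rest() lies outside this hunk.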
@@ -1953,12 +1953,17 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 }
 if ($_data['authsource'] == "keycloak") {
+ $_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
 $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
- $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
- $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
- $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+ $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+ $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+ $_data['sync_interval'] = isset($_data['sync_interval']) ? intval($_data['sync_interval']) : 15;
+ $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
 } else if ($_data['authsource'] == "generic-oidc") {
- $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+ $_data['authorize_url'] = (!empty($_data['authorize_url'])) ? rtrim($_data['authorize_url'], '/') : null;
+ $_data['token_url'] = (!empty($_data['token_url'])) ? rtrim($_data['token_url'], '/') : null;
+ $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? rtrim($_data['userinfo_url'], '/') : null;
+ $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
 }
 $pdo->beginTransaction();
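Review bot: The new normalisation only strips a trailing slash from `server_url`, `authorize_url`, `token_url` and `userinfo_url`; nothing checks that these are absolute http(s) URLs before they are stored and later handed to `CURLOPT_URL` in the curl hunks further down in this patch. Because libcurl accepts many schemes, a saved value such as `file:///...` or `gopher://...` would be fetched as-is, so add a scheme check here for each of the four URLs, e.g. `if (!in_array(parse_url($_data['token_url'], PHP_URL_SCHEME), ['http', 'https'], true)) { /* fail the same way as a missing required setting */ }`, using whatever error path the `$required_settings` check takes (that check is outside this hunk). This is presumably an admin-only settings form, so it is defense in depth rather than a remote hole, but it is cheap and keeps the SSRF surface to the configured IdP. Separately, `intval($_data['sync_interval'])` accepts 0 and negative values; if that number drives the periodic sync schedule elsewhere, clamp it to a sane minimum rather than storing it verbatim. identity_provider() starts before and continues after this hunk.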
@@ -2036,6 +2041,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 ));
 $curl = curl_init();
 curl_setopt($curl, CURLOPT_URL, $url);
+ curl_setopt($curl, CURLOPT_TIMEOUT, 7);
 curl_setopt($curl, CURLOPT_POST, 1);
 curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
 curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
@@ -2243,6 +2249,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 ));
 $curl = curl_init();
 curl_setopt($curl, CURLOPT_URL, $url);
+ curl_setopt($curl, CURLOPT_TIMEOUT, 7);
 curl_setopt($curl, CURLOPT_POST, 1);
 curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
 curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
@@ -2265,6 +2272,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 ));
 $curl = curl_init();
 curl_setopt($curl, CURLOPT_URL, $url);
+ curl_setopt($curl, CURLOPT_TIMEOUT, 7);
 curl_setopt($curl, CURLOPT_POST, 1);
 curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
 curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
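Review bot: `$url` on the `CURLOPT_URL` line comes from the stored IdP settings, and the only new protection on this request is the transfer timeout; since libcurl will follow whatever scheme the stored URL carries, pin it with `curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);` right after the new timeout line, and do the same in the two identical hunks below in this file. The literal 7 is repeated in all three POST hunks and again in functions.auth.inc.php; one named constant would keep the IdP timeouts in step and make the value discoverable. Add a short why-comment on the new line as well, e.g. `// bound the whole transfer so an unresponsive IdP cannot pin a PHP worker`. The enclosing identity_provider() code starts before and ends after this hunk, so where `$url` and `$req` are built, and whether `$req` carries the client secret, is not visible here.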