From 960f232a7dabbcc9601310dd9a6359c3d0d09f87 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 31 Mar 2023 14:55:05 +0200
Subject: [PATCH] [Web] IAM - add delete option & fix test connection
---
 data/web/inc/functions.inc.php | 48 +++++++++++++++++++++++++---------
 data/web/js/site/admin.js | 12 +++++++--
 data/web/json_api.php | 21 +++++----------
 3 files changed, 52 insertions(+), 29 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 37db833e..e2f833e5 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1997,15 +1997,21 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
 );
 return true;
 break;
- case 'test':
- $identity_provider_settings = identity_provider('get');
- $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+ case 'test':
+ if ($_SESSION['mailcow_cc_role'] != "admin") {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+
+ $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
 $req = http_build_query(array(
- 'grant_type' => 'password',
- 'client_id' => $identity_provider_settings['client_id'],
- 'client_secret' => $identity_provider_settings['client_secret'],
- 'username' => "test",
- 'password' => "test",
+ 'grant_type' => 'client_credentials',
+ 'client_id' => $_data['client_id'],
+ 'client_secret' => $_data['client_secret']
 ));
 $curl = curl_init();
 curl_setopt($curl, CURLOPT_URL, $url);
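Review bot: `$url` is now built directly from the request-supplied `$_data['server_url']` and `$_data['realm']` and handed to cURL, so a logged-in admin can make the web container contact any URL and scheme, where the old code only ever contacted the stored provider. I would validate the pieces before the interpolation, e.g. `if (filter_var($_data['server_url'], FILTER_VALIDATE_URL) === false || !in_array(parse_url($_data['server_url'], PHP_URL_SCHEME), ['http', 'https'], true)) { return false; }` and `rawurlencode($_data['realm'])` in the path. The access-denied branch also copies the whole `$_data` array, which here carries `client_secret` in clear text, into the `log` entry of `$_SESSION['return']`; unless the log sink redacts that key, the secret ends up wherever those entries are persisted. The role check uses loose `!=`; `!==` is the safer habit for a string comparison. identity_provider()'s body continues beyond this hunk, and the role-check shape is presumably mirrored from sibling cases outside it.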
@@ -2013,13 +2019,29 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
 curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
 curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
 curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
- $res = json_decode(curl_exec($curl), true);
+ $res = curl_exec($curl);
+ $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
 curl_close ($curl);
-
- if ($res["error"] && $res["error"] === 'invalid_grant'){
- return true;
+
+ if ($code != 200) {
+ return false;
 }
- return false;
+ return true;
+ break;
+ case "delete":
+ if ($_SESSION['mailcow_cc_role'] != "admin") {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+
+ $stmt = $pdo->prepare("DELETE FROM identity_provider;");
+ $stmt->execute();
+
+ return true;
 break;
 }
 }
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 8fdd2136..c026d56c 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -752,14 +752,22 @@ jQuery(function($){
 // IAM test connection
 $('#iam_test_connection').click(async function(e){
 e.preventDefault();
- var res = await fetch("/api/v1/get/status/identity-provider", { method:'GET', cache:'no-cache' });
+ var data = { attr: $('form[data-id="iam_sso"]').serializeObject() };
+ var res = await fetch("/api/v1/edit/identity-provider-test", {
+ headers: {
+ "Content-Type": "application/json",
+ },
+ method:'POST',
+ cache:'no-cache',
+ body: JSON.stringify(data)
+ });
 res = await res.json();
- console.log(res);
 if (res.type === 'success'){
 return mailcow_alert_box(lang_success.iam_test_connection, 'success');
 }
 return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
 });
+
 $('#iam_rolemap_add').click(async function(e){
 e.preventDefault();
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 3923054c..ceeefdcd 100644
--- a/data/web/json_api.php
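Review bot: `$res = curl_exec($curl)` is now assigned but never read, and a transport failure (DNS, TLS, connection refused) is only caught indirectly because `CURLINFO_HTTP_CODE` happens to be 0 then; checking the exec result explicitly is clearer, `if ($res === false || $code !== 200) { return false; }`, which also replaces the loose `!=` against an int. Neither this hunk nor the previous one sets `CURLOPT_CONNECTTIMEOUT`/`CURLOPT_TIMEOUT`, so unless that is done outside the hunk a test against an unreachable host holds the PHP worker for cURL's default wait. In the new `delete` case, `DELETE FROM identity_provider;` has no WHERE clause and clears every row; if the table is meant to hold a single configuration row, a comment saying so (`// single-row config table: delete clears the whole IdP setup`) would stop a later reader from treating it as a bug, and `$pdo` is not declared in the hunk, so presumably it is imported at the top of the function. The `break;` after `return true;` in both cases is unreachable but matches the file's existing pattern.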
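Review bot: the click handler has no error handling around `await fetch(...)` and `await res.json()`, so a network error or a non-JSON reply rejects inside the async handler and the user sees no alert at all, whereas the previous code at least reached the danger branch on a parsed error. Wrapping the two awaits in `try { … } catch (e) { return mailcow_alert_box(lang_danger.iam_test_connection, 'danger'); }` keeps the UI informative on every failure path. `res.type === 'success'` also assumes the API answers with a single object; if the edit endpoint can reply with a list of messages, the success case would silently fall through to the danger alert — worth confirming against `process_edit_return` in json_api.php. The `$('#iam_rolemap_add')` handler that starts at the end of the hunk continues outside it.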
+++ b/data/web/json_api.php
@@ -1608,19 +1608,6 @@ if (isset($_GET['query'])) {
 'version' => $GLOBALS['MAILCOW_GIT_VERSION']
 ));
 break;
- case "identity-provider":
- if (identity_provider('test')){
- echo json_encode(array(
- 'type' => 'success',
- 'msg' => 'connection successfull'
- ));
- } else {
- echo json_encode(array(
- 'type' => 'error',
- 'msg' => 'connection failed'
- ));
- }
- break;
 }
 }
 break;
@@ -1778,6 +1765,9 @@ if (isset($_GET['query'])) {
 case "rlhash":
 echo ratelimit('delete', null, implode($items));
 break;
+ case "identity-provider":
+ process_delete_return(identity_provider('delete'));
+ break;
 // return no route found if no case is matched
 default:
 http_response_code(404);
@@ -1980,9 +1970,12 @@ if (isset($_GET['query'])) {
 process_edit_return(edit_user_account($attr));
 }
 break;
- case "identity_provider":
+ case "identity-provider":
 process_edit_return(identity_provider('edit', $attr));
 break;
+ case "identity-provider-test":
+ process_edit_return(identity_provider('test', $attr));
+ break;
 // return no route found if no case is matched
 default:
 http_response_code(404);
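Review bot: the new `delete` route never passes `$items` (the identifiers posted to the delete API, which the neighbouring `rlhash` case does use) to `identity_provider('delete')`, so any POST to this route clears the whole identity_provider table regardless of the body. If that is intentional because the table holds one configuration row, a comment on the case, `// no item id: the IdP configuration is a single row, delete clears it`, would make the asymmetry with the other delete routes deliberate; if not, the id should be forwarded. The surrounding `switch` begins and ends outside this hunk.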
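Review bot: renaming the edit route key from `identity_provider` to `identity-provider` is a breaking change for any caller still posting to `edit/identity_provider`, which now falls into the `default:` branch and gets the 404 shown below; if the old form or any API consumer used that key, keeping a `case "identity_provider":` alias next to the new one (or calling out the rename in the changelog) avoids a silent regression. `identity-provider-test` is a read-only connectivity probe routed through `process_edit_return`, so a failed test surfaces with whatever wording that helper uses for a failed edit rather than a connection-specific message — presumably a generic one, worth confirming; a short comment on the case, `// connectivity probe only, nothing is written`, would tell a reader why it lives under edit. The surrounding `switch` begins and ends outside this hunk.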