[Web] functions.auth.inc.php corrections
This commit is contained in:
parent
910eb40ce7
commit
a0319b3cdf
|
@ -14,74 +14,51 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
|
||||||
|
|
||||||
// Validate admin
|
// Validate admin
|
||||||
$result = mailcow_admin_login($user, $pass);
|
$result = mailcow_admin_login($user, $pass);
|
||||||
if ($result){
|
if ($result !== false) return $result;
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Validate domain admin
|
// Validate domain admin
|
||||||
$result = mailcow_domainadmin_login($user, $pass);
|
$result = mailcow_domainadmin_login($user, $pass);
|
||||||
if ($result){
|
if ($result !== false) return $result;
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Validate mailbox user
|
// Validate mailbox user
|
||||||
// check authsource
|
// check authsource
|
||||||
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
|
$stmt = $pdo->prepare("SELECT authsource, mailbox.active AS mailbox_active, domain.active AS domain_active FROM `mailbox`
|
||||||
INNER JOIN domain on mailbox.domain = domain.domain
|
INNER JOIN domain on mailbox.domain = domain.domain
|
||||||
WHERE `kind` NOT REGEXP 'location|thing|group'
|
WHERE `kind` NOT REGEXP 'location|thing|group'
|
||||||
AND `mailbox`.`active`='1'
|
|
||||||
AND `domain`.`active`='1'
|
|
||||||
AND `username` = :user");
|
AND `username` = :user");
|
||||||
$stmt->execute(array(':user' => $user));
|
$stmt->execute(array(':user' => $user));
|
||||||
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
||||||
if (!$row){
|
if (!$row && $row['domain_active'] == 1){
|
||||||
// mbox does not exist, call keycloak login and create mbox if possible
|
// mbox does not exist, call keycloak login and create mbox if possible via rest flow
|
||||||
$identity_provider_settings = identity_provider('get');
|
$iam_settings = identity_provider('get');
|
||||||
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
|
||||||
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
|
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal, true);
|
||||||
} else {
|
if ($result !== false) return $result;
|
||||||
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
|
|
||||||
}
|
}
|
||||||
if ($result){
|
} else if ($row && $row['mailbox_active'] == 1 && $row['domain_active'] == 1) {
|
||||||
return $result;
|
// mbox does exist and is active
|
||||||
}
|
if (isset($app_passwd_data)){
|
||||||
} else if ($row['authsource'] == 'keycloak'){
|
|
||||||
if ($app_passwd_data){
|
|
||||||
// first check if password is app_password
|
// first check if password is app_password
|
||||||
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
|
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
|
||||||
if ($result){
|
if ($result !== false) return $result;
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$identity_provider_settings = identity_provider('get');
|
if ($row['authsource'] == 'mailcow') {
|
||||||
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
// mbox authsource is mailcow
|
||||||
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
|
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
|
||||||
} else {
|
if ($result !== false) return $result;
|
||||||
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
|
} else if ($row['authsource'] == 'keycloak'){
|
||||||
}
|
// mbox authsource is keycloak, try using via rest flow
|
||||||
if ($result){
|
$iam_settings = identity_provider('get');
|
||||||
return $result;
|
if (intval($iam_settings['mailboxpassword_flow']) == 1){
|
||||||
}
|
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal);
|
||||||
} else {
|
if ($result !== false) return $result;
|
||||||
if ($app_passwd_data){
|
|
||||||
// first check if password is app_password
|
|
||||||
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
|
|
||||||
if ($result){
|
|
||||||
return $result;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
|
|
||||||
if ($result){
|
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// skip log and only return false if it's an internal request
|
// skip log and only return false if it's an internal request
|
||||||
if ($is_internal){
|
if ($is_internal == true) return false;
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if (!isset($_SESSION['ldelay'])) {
|
if (!isset($_SESSION['ldelay'])) {
|
||||||
$_SESSION['ldelay'] = "0";
|
$_SESSION['ldelay'] = "0";
|
||||||
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
||||||
|
@ -102,53 +79,44 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
|
function mailcow_admin_login($user, $pass){
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
|
||||||
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
|
$user = strtolower(trim($user));
|
||||||
INNER JOIN domain on mailbox.domain = domain.domain
|
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
|
||||||
WHERE `kind` NOT REGEXP 'location|thing|group'
|
WHERE `superadmin` = '1'
|
||||||
AND `mailbox`.`active`='1'
|
AND `active` = '1'
|
||||||
AND `domain`.`active`='1'
|
AND `username` = :user");
|
||||||
AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
|
|
||||||
AND `username` = :user");
|
|
||||||
$stmt->execute(array(':user' => $user));
|
$stmt->execute(array(':user' => $user));
|
||||||
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||||
|
foreach ($rows as $row) {
|
||||||
foreach ($rows as $row) {
|
|
||||||
// verify password
|
// verify password
|
||||||
if (verify_hash($row['password'], $pass) !== false) {
|
if (verify_hash($row['password'], $pass)) {
|
||||||
if (!array_key_exists("app_passwd_id", $row)){
|
// check for tfa authenticators
|
||||||
// password is not a app password
|
$authenticators = get_tfa($user);
|
||||||
// check for tfa authenticators
|
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
|
||||||
$authenticators = get_tfa($user);
|
// active tfa authenticators found, set pending user login
|
||||||
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
|
$_SESSION['pending_mailcow_cc_username'] = $user;
|
||||||
// authenticators found, init TFA flow
|
$_SESSION['pending_mailcow_cc_role'] = "admin";
|
||||||
$_SESSION['pending_mailcow_cc_username'] = $user;
|
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
|
||||||
$_SESSION['pending_mailcow_cc_role'] = "user";
|
unset($_SESSION['ldelay']);
|
||||||
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
|
$_SESSION['return'][] = array(
|
||||||
unset($_SESSION['ldelay']);
|
'type' => 'info',
|
||||||
$_SESSION['return'][] = array(
|
'log' => array(__FUNCTION__, $user, '*'),
|
||||||
'type' => 'success',
|
'msg' => 'awaiting_tfa_confirmation'
|
||||||
'log' => array(__FUNCTION__, $user, '*'),
|
);
|
||||||
'msg' => array('logged_in_as', $user)
|
return "pending";
|
||||||
);
|
} else {
|
||||||
return "pending";
|
unset($_SESSION['ldelay']);
|
||||||
} else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
|
// Reactivate TFA if it was set to "deactivate TFA for next login"
|
||||||
// no authenticators found, login successfull
|
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
|
||||||
if (!$is_internal){
|
$stmt->execute(array(':user' => $user));
|
||||||
unset($_SESSION['ldelay']);
|
$_SESSION['return'][] = array(
|
||||||
// Reactivate TFA if it was set to "deactivate TFA for next login"
|
'type' => 'success',
|
||||||
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
|
'log' => array(__FUNCTION__, $user, '*'),
|
||||||
$stmt->execute(array(':user' => $user));
|
'msg' => array('logged_in_as', $user)
|
||||||
$_SESSION['return'][] = array(
|
);
|
||||||
'type' => 'success',
|
return "admin";
|
||||||
'log' => array(__FUNCTION__, $user, '*'),
|
|
||||||
'msg' => array('logged_in_as', $user)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
return "user";
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -198,44 +166,53 @@ function mailcow_domainadmin_login($user, $pass){
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
function mailcow_admin_login($user, $pass){
|
function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
|
||||||
$user = strtolower(trim($user));
|
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
|
||||||
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
|
INNER JOIN domain on mailbox.domain = domain.domain
|
||||||
WHERE `superadmin` = '1'
|
WHERE `kind` NOT REGEXP 'location|thing|group'
|
||||||
AND `active` = '1'
|
AND `mailbox`.`active`='1'
|
||||||
AND `username` = :user");
|
AND `domain`.`active`='1'
|
||||||
|
AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
|
||||||
|
AND `username` = :user");
|
||||||
$stmt->execute(array(':user' => $user));
|
$stmt->execute(array(':user' => $user));
|
||||||
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||||
foreach ($rows as $row) {
|
|
||||||
|
foreach ($rows as $row) {
|
||||||
// verify password
|
// verify password
|
||||||
if (verify_hash($row['password'], $pass)) {
|
if (verify_hash($row['password'], $pass) !== false) {
|
||||||
// check for tfa authenticators
|
if (!array_key_exists("app_passwd_id", $row)){
|
||||||
$authenticators = get_tfa($user);
|
// password is not a app password
|
||||||
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
|
// check for tfa authenticators
|
||||||
// active tfa authenticators found, set pending user login
|
$authenticators = get_tfa($user);
|
||||||
$_SESSION['pending_mailcow_cc_username'] = $user;
|
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
|
||||||
$_SESSION['pending_mailcow_cc_role'] = "admin";
|
// authenticators found, init TFA flow
|
||||||
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
|
$_SESSION['pending_mailcow_cc_username'] = $user;
|
||||||
unset($_SESSION['ldelay']);
|
$_SESSION['pending_mailcow_cc_role'] = "user";
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
|
||||||
'type' => 'info',
|
unset($_SESSION['ldelay']);
|
||||||
'log' => array(__FUNCTION__, $user, '*'),
|
$_SESSION['return'][] = array(
|
||||||
'msg' => 'awaiting_tfa_confirmation'
|
'type' => 'success',
|
||||||
);
|
'log' => array(__FUNCTION__, $user, '*'),
|
||||||
return "pending";
|
'msg' => array('logged_in_as', $user)
|
||||||
} else {
|
);
|
||||||
unset($_SESSION['ldelay']);
|
return "pending";
|
||||||
// Reactivate TFA if it was set to "deactivate TFA for next login"
|
} else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
|
||||||
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
|
// no authenticators found, login successfull
|
||||||
$stmt->execute(array(':user' => $user));
|
if (!$is_internal){
|
||||||
$_SESSION['return'][] = array(
|
unset($_SESSION['ldelay']);
|
||||||
'type' => 'success',
|
// Reactivate TFA if it was set to "deactivate TFA for next login"
|
||||||
'log' => array(__FUNCTION__, $user, '*'),
|
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
|
||||||
'msg' => array('logged_in_as', $user)
|
$stmt->execute(array(':user' => $user));
|
||||||
);
|
$_SESSION['return'][] = array(
|
||||||
return "admin";
|
'type' => 'success',
|
||||||
|
'log' => array(__FUNCTION__, $user, '*'),
|
||||||
|
'msg' => array('logged_in_as', $user)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return "user";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -315,24 +292,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
|
||||||
// get access_token for service account of mailcow client
|
// get access_token for service account of mailcow client
|
||||||
$url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
|
$admin_token = identity_provider("get-keycloak-admin-token");
|
||||||
$req = http_build_query(array(
|
|
||||||
'grant_type' => 'client_credentials',
|
|
||||||
'client_id' => $iam_settings['client_id'],
|
|
||||||
'client_secret' => $iam_settings['client_secret']
|
|
||||||
));
|
|
||||||
$curl = curl_init();
|
|
||||||
curl_setopt($curl, CURLOPT_URL, $url);
|
|
||||||
curl_setopt($curl, CURLOPT_POST, 1);
|
|
||||||
curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
|
|
||||||
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
|
|
||||||
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
|
|
||||||
$mcclient_res = json_decode(curl_exec($curl), true);
|
|
||||||
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
|
|
||||||
curl_close ($curl);
|
|
||||||
if ($code != 200) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the mailcow_password attribute from keycloak user
|
// get the mailcow_password attribute from keycloak user
|
||||||
$url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
|
$url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
|
||||||
|
@ -342,7 +302,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
|
||||||
curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
|
curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
|
||||||
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
|
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
|
||||||
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
|
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
|
||||||
'Authorization: Bearer ' . $mcclient_res['access_token'],
|
'Authorization: Bearer ' . $admin_token,
|
||||||
'Content-Type: application/json'
|
'Content-Type: application/json'
|
||||||
));
|
));
|
||||||
$user_res = json_decode(curl_exec($curl), true)[0];
|
$user_res = json_decode(curl_exec($curl), true)[0];
|
||||||
|
@ -352,8 +312,6 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
// validate mailcow_password
|
// validate mailcow_password
|
||||||
$mailcow_password = $user_res['attributes']['mailcow_password'][0];
|
$mailcow_password = $user_res['attributes']['mailcow_password'][0];
|
||||||
if (!verify_hash($mailcow_password, $pass)) {
|
if (!verify_hash($mailcow_password, $pass)) {
|
||||||
|
@ -388,24 +346,19 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
|
||||||
// no matching template found
|
// no matching template found
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$stmt = $pdo->prepare("SELECT * FROM `templates`
|
|
||||||
WHERE `template` = :template AND type = 'mailbox'");
|
|
||||||
$stmt->execute(array(
|
|
||||||
":template" => $mbox_template
|
|
||||||
));
|
|
||||||
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
|
|
||||||
if (empty($mbox_template_data)){
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
$mbox_template_data = json_decode($mbox_template_data["attributes"], true);
|
// create mailbox
|
||||||
$mbox_template_data['domain'] = explode('@', $user)[1];
|
$create_res = mailbox('add', 'mailbox_from_template', array(
|
||||||
$mbox_template_data['local_part'] = explode('@', $user)[0];
|
'domain' => explode('@', $user)[1],
|
||||||
$mbox_template_data['authsource'] = 'keycloak';
|
'local_part' => explode('@', $user)[0],
|
||||||
$_SESSION['iam_create_login'] = true;
|
'authsource' => 'keycloak',
|
||||||
$create_res = mailbox('add', 'mailbox', $mbox_template_data);
|
'template' => $mbox_template
|
||||||
$_SESSION['iam_create_login'] = false;
|
));
|
||||||
if (!$create_res){
|
if (!$create_res) return false;
|
||||||
|
|
||||||
|
// check if created mailbox from template is even active
|
||||||
|
// maybe dont even create it if active != 1
|
||||||
|
if ($mailbox_attributes['active'] != 1){
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue