[Web] functions.auth.inc.php corrections

This commit is contained in:
FreddleSpl0it 2023-05-16 12:47:47 +02:00
parent 910eb40ce7
commit a0319b3cdf
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
1 changed files with 113 additions and 160 deletions

View File

@ -14,74 +14,51 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
// Validate admin // Validate admin
$result = mailcow_admin_login($user, $pass); $result = mailcow_admin_login($user, $pass);
if ($result){ if ($result !== false) return $result;
return $result;
}
// Validate domain admin // Validate domain admin
$result = mailcow_domainadmin_login($user, $pass); $result = mailcow_domainadmin_login($user, $pass);
if ($result){ if ($result !== false) return $result;
return $result;
}
// Validate mailbox user // Validate mailbox user
// check authsource // check authsource
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox` $stmt = $pdo->prepare("SELECT authsource, mailbox.active AS mailbox_active, domain.active AS domain_active FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group' WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND `username` = :user"); AND `username` = :user");
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$row){ if (!$row && $row['domain_active'] == 1){
// mbox does not exist, call keycloak login and create mbox if possible // mbox does not exist, call keycloak login and create mbox if possible via rest flow
$identity_provider_settings = identity_provider('get'); $iam_settings = identity_provider('get');
if ($identity_provider_settings['login_flow'] == 'ropc'){ if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true); $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal, true);
} else { if ($result !== false) return $result;
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
} }
if ($result){ } else if ($row && $row['mailbox_active'] == 1 && $row['domain_active'] == 1) {
return $result; // mbox does exist and is active
} if (isset($app_passwd_data)){
} else if ($row['authsource'] == 'keycloak'){
if ($app_passwd_data){
// first check if password is app_password // first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal); $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){ if ($result !== false) return $result;
return $result;
}
} }
$identity_provider_settings = identity_provider('get'); if ($row['authsource'] == 'mailcow') {
if ($identity_provider_settings['login_flow'] == 'ropc'){ // mbox authsource is mailcow
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal); $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
} else { if ($result !== false) return $result;
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal); } else if ($row['authsource'] == 'keycloak'){
} // mbox authsource is keycloak, try using via rest flow
if ($result){ $iam_settings = identity_provider('get');
return $result; if (intval($iam_settings['mailboxpassword_flow']) == 1){
} $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal);
} else { if ($result !== false) return $result;
if ($app_passwd_data){
// first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
} }
} }
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
} }
// skip log and only return false if it's an internal request // skip log and only return false if it's an internal request
if ($is_internal){ if ($is_internal == true) return false;
return false;
}
if (!isset($_SESSION['ldelay'])) { if (!isset($_SESSION['ldelay'])) {
$_SESSION['ldelay'] = "0"; $_SESSION['ldelay'] = "0";
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']); $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
@ -102,53 +79,44 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
return false; return false;
} }
function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){ function mailcow_admin_login($user, $pass){
global $pdo; global $pdo;
$stmt = $pdo->prepare("SELECT * FROM `mailbox` $user = strtolower(trim($user));
INNER JOIN domain on mailbox.domain = domain.domain $stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `kind` NOT REGEXP 'location|thing|group' WHERE `superadmin` = '1'
AND `mailbox`.`active`='1' AND `active` = '1'
AND `domain`.`active`='1' AND `username` = :user");
AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
AND `username` = :user");
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
foreach ($rows as $row) {
// verify password // verify password
if (verify_hash($row['password'], $pass) !== false) { if (verify_hash($row['password'], $pass)) {
if (!array_key_exists("app_passwd_id", $row)){ // check for tfa authenticators
// password is not a app password $authenticators = get_tfa($user);
// check for tfa authenticators if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
$authenticators = get_tfa($user); // active tfa authenticators found, set pending user login
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) { $_SESSION['pending_mailcow_cc_username'] = $user;
// authenticators found, init TFA flow $_SESSION['pending_mailcow_cc_role'] = "admin";
$_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
$_SESSION['pending_mailcow_cc_role'] = "user"; unset($_SESSION['ldelay']);
$_SESSION['pending_tfa_methods'] = $authenticators['additional']; $_SESSION['return'][] = array(
unset($_SESSION['ldelay']); 'type' => 'info',
$_SESSION['return'][] = array( 'log' => array(__FUNCTION__, $user, '*'),
'type' => 'success', 'msg' => 'awaiting_tfa_confirmation'
'log' => array(__FUNCTION__, $user, '*'), );
'msg' => array('logged_in_as', $user) return "pending";
); } else {
return "pending"; unset($_SESSION['ldelay']);
} else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) { // Reactivate TFA if it was set to "deactivate TFA for next login"
// no authenticators found, login successfull $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
if (!$is_internal){ $stmt->execute(array(':user' => $user));
unset($_SESSION['ldelay']); $_SESSION['return'][] = array(
// Reactivate TFA if it was set to "deactivate TFA for next login" 'type' => 'success',
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); 'log' => array(__FUNCTION__, $user, '*'),
$stmt->execute(array(':user' => $user)); 'msg' => array('logged_in_as', $user)
$_SESSION['return'][] = array( );
'type' => 'success', return "admin";
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
}
return "user";
}
} }
} }
} }
@ -198,44 +166,53 @@ function mailcow_domainadmin_login($user, $pass){
return false; return false;
} }
function mailcow_admin_login($user, $pass){ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
global $pdo; global $pdo;
$user = strtolower(trim($user)); $stmt = $pdo->prepare("SELECT * FROM `mailbox`
$stmt = $pdo->prepare("SELECT `password` FROM `admin` INNER JOIN domain on mailbox.domain = domain.domain
WHERE `superadmin` = '1' WHERE `kind` NOT REGEXP 'location|thing|group'
AND `active` = '1' AND `mailbox`.`active`='1'
AND `username` = :user"); AND `domain`.`active`='1'
AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
AND `username` = :user");
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
foreach ($rows as $row) {
// verify password // verify password
if (verify_hash($row['password'], $pass)) { if (verify_hash($row['password'], $pass) !== false) {
// check for tfa authenticators if (!array_key_exists("app_passwd_id", $row)){
$authenticators = get_tfa($user); // password is not a app password
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { // check for tfa authenticators
// active tfa authenticators found, set pending user login $authenticators = get_tfa($user);
$_SESSION['pending_mailcow_cc_username'] = $user; if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
$_SESSION['pending_mailcow_cc_role'] = "admin"; // authenticators found, init TFA flow
$_SESSION['pending_tfa_methods'] = $authenticators['additional']; $_SESSION['pending_mailcow_cc_username'] = $user;
unset($_SESSION['ldelay']); $_SESSION['pending_mailcow_cc_role'] = "user";
$_SESSION['return'][] = array( $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
'type' => 'info', unset($_SESSION['ldelay']);
'log' => array(__FUNCTION__, $user, '*'), $_SESSION['return'][] = array(
'msg' => 'awaiting_tfa_confirmation' 'type' => 'success',
); 'log' => array(__FUNCTION__, $user, '*'),
return "pending"; 'msg' => array('logged_in_as', $user)
} else { );
unset($_SESSION['ldelay']); return "pending";
// Reactivate TFA if it was set to "deactivate TFA for next login" } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); // no authenticators found, login successfull
$stmt->execute(array(':user' => $user)); if (!$is_internal){
$_SESSION['return'][] = array( unset($_SESSION['ldelay']);
'type' => 'success', // Reactivate TFA if it was set to "deactivate TFA for next login"
'log' => array(__FUNCTION__, $user, '*'), $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
'msg' => array('logged_in_as', $user) $stmt->execute(array(':user' => $user));
); $_SESSION['return'][] = array(
return "admin"; 'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
}
return "user";
}
} }
} }
} }
@ -315,24 +292,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
global $pdo; global $pdo;
// get access_token for service account of mailcow client // get access_token for service account of mailcow client
$url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token"; $admin_token = identity_provider("get-keycloak-admin-token");
$req = http_build_query(array(
'grant_type' => 'client_credentials',
'client_id' => $iam_settings['client_id'],
'client_secret' => $iam_settings['client_secret']
));
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$mcclient_res = json_decode(curl_exec($curl), true);
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close ($curl);
if ($code != 200) {
return false;
}
// get the mailcow_password attribute from keycloak user // get the mailcow_password attribute from keycloak user
$url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users"; $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
@ -342,7 +302,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString); curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, array( curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'Authorization: Bearer ' . $mcclient_res['access_token'], 'Authorization: Bearer ' . $admin_token,
'Content-Type: application/json' 'Content-Type: application/json'
)); ));
$user_res = json_decode(curl_exec($curl), true)[0]; $user_res = json_decode(curl_exec($curl), true)[0];
@ -352,8 +312,6 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
return false; return false;
} }
// validate mailcow_password // validate mailcow_password
$mailcow_password = $user_res['attributes']['mailcow_password'][0]; $mailcow_password = $user_res['attributes']['mailcow_password'][0];
if (!verify_hash($mailcow_password, $pass)) { if (!verify_hash($mailcow_password, $pass)) {
@ -388,24 +346,19 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
// no matching template found // no matching template found
return false; return false;
} }
$stmt = $pdo->prepare("SELECT * FROM `templates`
WHERE `template` = :template AND type = 'mailbox'");
$stmt->execute(array(
":template" => $mbox_template
));
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
if (empty($mbox_template_data)){
return false;
}
$mbox_template_data = json_decode($mbox_template_data["attributes"], true); // create mailbox
$mbox_template_data['domain'] = explode('@', $user)[1]; $create_res = mailbox('add', 'mailbox_from_template', array(
$mbox_template_data['local_part'] = explode('@', $user)[0]; 'domain' => explode('@', $user)[1],
$mbox_template_data['authsource'] = 'keycloak'; 'local_part' => explode('@', $user)[0],
$_SESSION['iam_create_login'] = true; 'authsource' => 'keycloak',
$create_res = mailbox('add', 'mailbox', $mbox_template_data); 'template' => $mbox_template
$_SESSION['iam_create_login'] = false; ));
if (!$create_res){ if (!$create_res) return false;
// check if created mailbox from template is even active
// maybe dont even create it if active != 1
if ($mailbox_attributes['active'] != 1){
return false; return false;
} }