[Web, Dovecot] Allow to define scope of services for app passwords
This commit is contained in:
andryyy
@@ -807,10 +807,17 @@ function verify_hash($hash, $password) {
|
||||
}
|
||||
return false;
|
||||
}
|
||||
function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
function check_login($user, $pass, $app_passwd_data = false) {
|
||||
global $pdo;
|
||||
global $redis;
|
||||
global $imap_server;
|
||||
|
||||
if ($app_passwd_data === false) {
|
||||
$app_passwd_data['eas'] = false;
|
||||
$app_passwd_data['dav'] = false;
|
||||
$app_passwd_data['proxyauth'] = false;
|
||||
}
|
||||
|
||||
if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
@@ -819,6 +826,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
// Validate admin
|
||||
$user = strtolower(trim($user));
|
||||
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
|
||||
WHERE `superadmin` = '1'
|
||||
@@ -854,6 +863,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Validate domain admin
|
||||
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
|
||||
WHERE `superadmin` = '0'
|
||||
AND `active`='1'
|
||||
@@ -888,6 +899,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Validate mailbox user
|
||||
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
|
||||
INNER JOIN domain on mailbox.domain = domain.domain
|
||||
WHERE `kind` NOT REGEXP 'location|thing|group'
|
||||
@@ -896,7 +909,7 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
AND `username` = :user");
|
||||
$stmt->execute(array(':user' => $user));
|
||||
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
if ($allow_app_passwords === true) {
|
||||
if ($app_passwd_data['eas'] === true) {
|
||||
$stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
|
||||
INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
|
||||
INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
|
||||
@@ -904,6 +917,20 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
AND `mailbox`.`active` = '1'
|
||||
AND `domain`.`active` = '1'
|
||||
AND `app_passwd`.`active` = '1'
|
||||
AND `app_passwd`.`eas_access` = '1'
|
||||
AND `app_passwd`.`mailbox` = :user");
|
||||
$stmt->execute(array(':user' => $user));
|
||||
$rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
|
||||
}
|
||||
elseif ($app_passwd_data['dav'] === true) {
|
||||
$stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
|
||||
INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
|
||||
INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
|
||||
WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
|
||||
AND `mailbox`.`active` = '1'
|
||||
AND `domain`.`active` = '1'
|
||||
AND `app_passwd`.`active` = '1'
|
||||
AND `app_passwd`.`dav_access` = '1'
|
||||
AND `app_passwd`.`mailbox` = :user");
|
||||
$stmt->execute(array(':user' => $user));
|
||||
$rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
|
||||
@@ -916,9 +943,20 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
'log' => array(__FUNCTION__, $user, '*'),
|
||||
'msg' => array('logged_in_as', $user)
|
||||
);
|
||||
if ($app_passwd_data['proxyauth'] === true) {
|
||||
$service = ($app_passwd_data['eas'] === true) ? 'EAS' : (($app_passwd_data['dav'] === true) ? 'DAV' : 'SSO');
|
||||
$stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
|
||||
$stmt->execute(array(
|
||||
':service' => $service,
|
||||
':app_id' => $row['app_passwd_id'],
|
||||
':username' => $user,
|
||||
':remote_addr' => $_SERVER['REMOTE_ADDR']
|
||||
));
|
||||
}
|
||||
return "user";
|
||||
}
|
||||
}
|
||||
|
||||
if (!isset($_SESSION['ldelay'])) {
|
||||
$_SESSION['ldelay'] = "0";
|
||||
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
||||
@@ -929,11 +967,13 @@ function check_login($user, $pass, $allow_app_passwords = false) {
|
||||
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
||||
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
||||
}
|
||||
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $user, '*'),
|
||||
'msg' => 'login_failed'
|
||||
);
|
||||
|
||||
sleep($_SESSION['ldelay']);
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user