7x31
/
mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] allow mbox sso_token login for mailcow and sogo

This commit is contained in:
FreddleSpl0it 2023-06-16 08:53:25 +02:00
parent 06cce79806
commit eb33166f3e
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
6 changed files with 122 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
data/Dockerfiles/dovecot/docker-entrypoint.sh
View File

@ -315,8 +315,14 @@ remote ${IPV4_NETWORK}.248 {
} }
EOF EOF
# Create random master Password for SOGo SSO # Set SOGo SSO master Password
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1) if [ -z "$SOGO_SSO_PASS" ]; then
# Set from env var
RAND_PASS=$SOGO_SSO_PASS
else
# Create random master Password
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
fi
echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
cat <<EOF > /etc/dovecot/sogo-sso.conf cat <<EOF > /etc/dovecot/sogo-sso.conf
# Autogenerated by mailcow # Autogenerated by mailcow

61
data/web/inc/functions.mailbox.inc.php
View File

@ -5303,3 +5303,64 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
update_sogo_static_view(); update_sogo_static_view();
} }
} }
function mailbox_sso($_action, $_data) {
global $pdo;
switch ($_action) {
case 'check':
$token = $_data;
$stmt = $pdo->prepare("SELECT `t1`.`username` FROM `mailbox_sso` AS `t1` JOIN `mailbox` AS `t2` ON `t1`.`username` = `t2`.`username` WHERE `t1`.`token` = :token AND `t1`.`created` > DATE_SUB(NOW(), INTERVAL '30' SECOND) AND `t2`.`active` = 1;");
$stmt->execute(array(
':token' => preg_replace('/[^a-zA-Z0-9-]/', '', $token)
));
$return = $stmt->fetch(PDO::FETCH_ASSOC);
return empty($return['username']) ? false : $return['username'];
case 'issue':
if ($_SESSION['mailcow_cc_role'] != "admin") {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data),
'msg' => 'access_denied'
);
return false;
}
$username = $_data['username'];
$stmt = $pdo->prepare("SELECT `username` FROM `mailbox`
WHERE `username` = :username");
$stmt->execute(array(':username' => $username));
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
if ($num_results < 1) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data),
'msg' => array('object_doesnt_exist', htmlspecialchars($username))
);
return false;
}
$token = implode('-', array(
strtoupper(bin2hex(random_bytes(3))),
strtoupper(bin2hex(random_bytes(3))),
strtoupper(bin2hex(random_bytes(3))),
strtoupper(bin2hex(random_bytes(3))),
strtoupper(bin2hex(random_bytes(3)))
));
$stmt = $pdo->prepare("INSERT INTO `mailbox_sso` (`username`, `token`)
VALUES (:username, :token)");
$stmt->execute(array(
':username' => $username,
':token' => $token
));
// perform cleanup
$pdo->query("DELETE FROM `mailbox_sso` WHERE created < DATE_SUB(NOW(), INTERVAL '30' SECOND);");
return ['token' => $token];
break;
}
}

15
data/web/inc/init_db.inc.php
View File

@ -3,7 +3,7 @@ function init_db_schema() {
try { try {
global $pdo; global $pdo;
$db_version = "14022023_1000"; $db_version = "15062023_2057";
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@ -361,6 +361,19 @@ function init_db_schema() {
), ),
"attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
), ),
"mailbox_sso" => array(
"cols" => array(
"username" => "VARCHAR(255) NOT NULL",
"token" => "VARCHAR(255) NOT NULL",
"created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
),
"keys" => array(
"primary" => array(
"" => array("token", "created")
),
),
"attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
),
"tags_mailbox" => array( "tags_mailbox" => array(
"cols" => array( "cols" => array(
"tag_name" => "VARCHAR(255) NOT NULL", "tag_name" => "VARCHAR(255) NOT NULL",

11
data/web/inc/triggers.inc.php
View File

@ -1,13 +1,20 @@
<?php <?php
// SSO Domain Admin
if (!empty($_GET['sso_token'])) { if (!empty($_GET['sso_token'])) {
// SSO Domain Admin
$username = domain_admin_sso('check', $_GET['sso_token']); $username = domain_admin_sso('check', $_GET['sso_token']);
if ($username !== false) { if ($username !== false) {
$_SESSION['mailcow_cc_username'] = $username; $_SESSION['mailcow_cc_username'] = $username;
$_SESSION['mailcow_cc_role'] = 'domainadmin'; $_SESSION['mailcow_cc_role'] = 'domainadmin';
header('Location: /mailbox'); header('Location: /mailbox');
} }
// SSO Mailbox User
$username = mailbox_sso('check', $_GET['sso_token']);
if ($username !== false) {
$_SESSION['mailcow_cc_username'] = $username;
$_SESSION['mailcow_cc_role'] = 'user';
header('Location: /mailbox');
}
} }
if (isset($_POST["verify_tfa_login"])) { if (isset($_POST["verify_tfa_login"])) {

32
data/web/json_api.php
View File

@ -288,18 +288,26 @@ if (isset($_GET['query'])) {
case "domain-admin": case "domain-admin":
process_add_return(domain_admin('add', $attr)); process_add_return(domain_admin('add', $attr));
break; break;
case "sso": case "sso":
switch ($object) { switch ($object) {
case "domain-admin": case "domain-admin":
$data = domain_admin_sso('issue', $attr); $data = domain_admin_sso('issue', $attr);
if($data) { if($data) {
echo json_encode($data); echo json_encode($data);
exit(0); exit(0);
} }
process_add_return($data); process_add_return($data);
break; break;
} case "mailbox":
break; $data = mailbox_sso('issue', $attr);
if($data) {
echo json_encode($data);
exit(0);
}
process_add_return($data);
break;
}
break;
case "admin": case "admin":
process_add_return(admin('add', $attr)); process_add_return(admin('add', $attr));
break; break;

11
data/web/sogo-auth.php
View File

@ -39,10 +39,19 @@ if (isset($_SERVER['PHP_AUTH_USER'])) {
elseif (isset($_GET['login'])) { elseif (isset($_GET['login'])) {
// load prerequisites only when required // load prerequisites only when required
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
$login = html_entity_decode(rawurldecode($_GET["login"]));
if (!empty($_GET['sso_token'])) {
$login = mailbox_sso('check', $_GET['sso_token']);
if ($login !== false) {
$_SESSION['mailcow_cc_username'] = $login;
$_SESSION['mailcow_cc_role'] = 'user';
}
}
// check if dual_login is active // check if dual_login is active
$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
// check permissions (if dual_login is active, deny sso when acl is not given) // check permissions (if dual_login is active, deny sso when acl is not given)
$login = html_entity_decode(rawurldecode($_GET["login"]));
if (isset($_SESSION['mailcow_cc_role']) && if (isset($_SESSION['mailcow_cc_role']) &&
(($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) { (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
if (filter_var($login, FILTER_VALIDATE_EMAIL)) { if (filter_var($login, FILTER_VALIDATE_EMAIL)) {