Merge pull request #5400 from cero1988/nightly

Update sogo-auth.php

.github/workflows/check_prs_if_on_staging.yml

@@ -10,7 +10,7 @@ jobs:
     if: github.event.pull_request.base.ref != 'staging' #check if the target branch is not staging
     steps:
       - name: Send message
-        uses: thollander/actions-comment-pull-request@v2.3.1
+        uses: thollander/actions-comment-pull-request@v2.4.2
         with:
           GITHUB_TOKEN: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
           message: |

.github/workflows/close_old_issues_and_prs.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v7.0.0
+        uses: actions/stale@v8.0.0
         with:
           repo-token: ${{ secrets.STALE_ACTION_PAT }}
           days-before-stale: 60

.github/workflows/pr_to_nightly.yml

@@ -12,7 +12,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run the Action
-        uses: devops-infra/action-pull-request@v0.5.3
+        uses: devops-infra/action-pull-request@v0.5.5
         with:
           github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
           title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}

.github/workflows/rebuild_backup_image.yml

@@ -26,7 +26,7 @@ jobs:
           password: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: data/Dockerfiles/backup/Dockerfile

.github/workflows/tweet-trigger-publish-release.yml

@@ -1,20 +0,0 @@
-name: "Tweet trigger release"
-on:
-  release:
-    types: [published]
-
-jobs:
-  tweet:
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Get Release Tag"
-        run:  |
-          RELEASE_TAG=$(curl https://api.github.com/repos/mailcow/mailcow-dockerized/releases/latest | jq -r '.tag_name')
-      - name: Tweet-trigger-publish-release
-        uses: mugi111/tweet-trigger-release@v1.2
-        with:
-          consumer_key: ${{ secrets.CONSUMER_KEY }}
-          consumer_secret: ${{ secrets.CONSUMER_SECRET }}
-          access_token_key: ${{ secrets.ACCESS_TOKEN_KEY }}
-          access_token_secret: ${{ secrets.ACCESS_TOKEN_SECRET }}
-          tweet_body: 'A new mailcow update has just been released! Checkout the GitHub Page for changelog and more informations: https://github.com/mailcow/mailcow-dockerized/releases/latest'

.github/workflows/update_postscreen_access_list.yml

@@ -0,0 +1,39 @@
+name: Update postscreen_access.cidr
+
+on:
+  schedule:
+    # Monthly
+    - cron: "0 0 1 * *"
+  workflow_dispatch: # Allow to run workflow manually
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+  
+  
+jobs:
+  Update-postscreen_access_cidr:
+   runs-on: ubuntu-latest
+   steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Generate postscreen_access.cidr
+      run: |
+          bash helper-scripts/update_postscreen_whitelist.sh
+
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
+        commit-message: update postscreen_access.cidr
+        committer: milkmaker <milkmaker@mailcow.de>
+        author: milkmaker <milkmaker@mailcow.de>
+        signoff: false
+        branch: update/postscreen_access.cidr
+        base: staging
+        delete-branch: true
+        add-paths: |
+          data/conf/postfix/postscreen_access.cidr
+        title: '[Postfix] update postscreen_access.cidr'
+        body: |
+          This PR updates the postscreen_access.cidr using GitHub Actions and [helper-scripts/update_postscreen_whitelist.sh](https://github.com/mailcow/mailcow-dockerized/blob/master/helper-scripts/update_postscreen_whitelist.sh)

.gitignore

@@ -36,6 +36,8 @@ data/conf/postfix/extra.cf
 data/conf/postfix/sni.map
 data/conf/postfix/sni.map.db
 data/conf/postfix/sql
+data/conf/postfix/dns_blocklists.cf
+data/conf/postfix/dnsbl_reply.map
 data/conf/rspamd/custom/*
 data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
@@ -66,3 +68,4 @@ rebuild-images.sh
 refresh_images.sh
 update_diffs/
 create_cold_standby.sh
+!data/conf/nginx/mailcow_auth.conf

data/Dockerfiles/acme/Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.17
 
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \

data/Dockerfiles/clamd/Dockerfile

@@ -1,12 +1,14 @@
-FROM clamav/clamav:1.0_base
+FROM alpine:3.18
 
-LABEL maintainer "André Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \
   rsync \
+  clamav \
   bind-tools \
-  bash 
+  bash \
+  tini
 
 # init
 COPY clamd.sh /clamd.sh
@@ -14,7 +16,9 @@ RUN chmod +x /sbin/tini
 
 # healthcheck
 COPY healthcheck.sh /healthcheck.sh
+COPY clamdcheck.sh /usr/local/bin
 RUN chmod +x /healthcheck.sh
+RUN chmod +x /usr/local/bin/clamdcheck.sh
 HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"
 
 ENTRYPOINT []

data/Dockerfiles/clamd/clamdcheck.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -eu
+
+if [ "${CLAMAV_NO_CLAMD:-}" != "false" ]; then
+	if [ "$(echo "PING" | nc localhost 3310)" != "PONG" ]; then
+		echo "ERROR: Unable to contact server"
+		exit 1
+	fi
+
+	echo "Clamd is up"
+fi
+
+exit 0

data/Dockerfiles/dockerapi/Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.17
 
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 WORKDIR /app
 
@@ -14,9 +14,12 @@ RUN apk add --update --no-cache python3 \
   uvicorn \
   aiodocker \
   docker \
-  redis 
+  aioredis 
+RUN mkdir /app/modules
 
 COPY docker-entrypoint.sh /app/
-COPY dockerapi.py /app/
+COPY main.py /app/main.py
+COPY modules/ /app/modules/
 
 ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
+CMD exec python main.py

data/Dockerfiles/dockerapi/docker-entrypoint.sh

@@ -6,4 +6,4 @@
   -subj /CN=dockerapi/O=mailcow \
   -addext subjectAltName=DNS:dockerapi`
 
-`uvicorn --host 0.0.0.0 --port 443 --ssl-certfile=/app/dockerapi_cert.pem --ssl-keyfile=/app/dockerapi_key.pem dockerapi:app`
+exec "$@"

data/Dockerfiles/dockerapi/dockerapi.py

@@ -1,539 +0,0 @@
-from fastapi import FastAPI, Response, Request
-import aiodocker
-import docker
-import psutil
-import sys
-import re
-import time
-import os
-import json
-import asyncio
-import redis
-from datetime import datetime
-import logging
-from logging.config import dictConfig
-
-
-log_config = {
-    "version": 1,
-    "disable_existing_loggers": False,
-    "formatters": {
-        "default": {
-            "()": "uvicorn.logging.DefaultFormatter",
-            "fmt": "%(levelprefix)s %(asctime)s %(message)s",
-            "datefmt": "%Y-%m-%d %H:%M:%S",
-
-        },
-    },
-    "handlers": {
-        "default": {
-            "formatter": "default",
-            "class": "logging.StreamHandler",
-            "stream": "ext://sys.stderr",
-        },
-    },
-    "loggers": {
-        "api-logger": {"handlers": ["default"], "level": "INFO"},
-    },
-}
-dictConfig(log_config)
-
-containerIds_to_update = []
-host_stats_isUpdating = False
-app = FastAPI()
-logger = logging.getLogger('api-logger')
-
-
-@app.get("/host/stats")
-async def get_host_update_stats():
-  global host_stats_isUpdating
-
-  if host_stats_isUpdating == False:
-    asyncio.create_task(get_host_stats())
-    host_stats_isUpdating = True
-
-  while True:
-    if redis_client.exists('host_stats'):
-      break
-    await asyncio.sleep(1.5)
-
-
-  stats = json.loads(redis_client.get('host_stats'))
-  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
-
-@app.get("/containers/{container_id}/json")
-async def get_container(container_id : str):
-  if container_id and container_id.isalnum():
-    try:
-      for container in (await async_docker_client.containers.list()):
-        if container._id == container_id:
-          container_info = await container.show()
-          return Response(content=json.dumps(container_info, indent=4), media_type="application/json")
-     
-      res = {
-        "type": "danger",
-        "msg": "no container found"
-      }
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-    except Exception as e:
-      res = {
-        "type": "danger",
-        "msg": str(e)
-      }
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  else:
-    res = {
-      "type": "danger",
-      "msg": "no or invalid id defined"
-    }
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-@app.get("/containers/json")
-async def get_containers():
-  containers = {}
-  try:
-    for container in (await async_docker_client.containers.list()):
-      container_info = await container.show()
-      containers.update({container_info['Id']: container_info})
-    return Response(content=json.dumps(containers, indent=4), media_type="application/json")
-  except Exception as e:
-    res = {
-      "type": "danger",
-      "msg": str(e)
-    }
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-@app.post("/containers/{container_id}/{post_action}")
-async def post_containers(container_id : str, post_action : str, request: Request):
-  try : 
-    request_json = await request.json()
-  except Exception as err:
-    request_json = {}
-
-  if container_id and container_id.isalnum() and post_action:
-    try:
-      """Dispatch container_post api call"""
-      if post_action == 'exec':
-        if not request_json or not 'cmd' in request_json:
-          res = {
-            "type": "danger",
-            "msg": "cmd is missing"
-          }
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-        if not request_json or not 'task' in request_json:
-          res = {
-            "type": "danger",
-            "msg": "task is missing"
-          }
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-        api_call_method_name = '__'.join(['container_post', str(post_action), str(request_json['cmd']), str(request_json['task']) ])
-      else:
-        api_call_method_name = '__'.join(['container_post', str(post_action) ])
-
-      docker_utils = DockerUtils(sync_docker_client)
-      api_call_method = getattr(docker_utils, api_call_method_name, lambda container_id: Response(content=json.dumps({'type': 'danger', 'msg':'container_post - unknown api call' }, indent=4), media_type="application/json"))
-
-
-      logger.info("api call: %s, container_id: %s" % (api_call_method_name, container_id))
-      return api_call_method(container_id, request_json)
-    except Exception as e:
-      logger.error("error - container_post: %s" % str(e))
-      res = {
-        "type": "danger",
-        "msg": str(e)
-      }
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-  else:
-    res = {
-      "type": "danger",
-      "msg": "invalid container id or missing action"
-    }
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-@app.post("/container/{container_id}/stats/update")
-async def post_container_update_stats(container_id : str):
-  global containerIds_to_update
-
-  # start update task for container if no task is running
-  if container_id not in containerIds_to_update:
-    asyncio.create_task(get_container_stats(container_id))
-    containerIds_to_update.append(container_id)
-
-  while True:
-    if redis_client.exists(container_id + '_stats'):
-      break
-    await asyncio.sleep(1.5)
-
-  stats = json.loads(redis_client.get(container_id + '_stats'))
-  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
-
-
-
-
-class DockerUtils:
-  def __init__(self, docker_client):
-    self.docker_client = docker_client
-
-  # api call: container_post - post_action: stop
-  def container_post__stop(self, container_id, request_json):
-    for container in self.docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.stop()
-
-    res = { 'type': 'success', 'msg': 'command completed successfully'}
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: start
-  def container_post__start(self, container_id, request_json):
-    for container in self.docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.start()
-
-    res = { 'type': 'success', 'msg': 'command completed successfully'}
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: restart
-  def container_post__restart(self, container_id, request_json):
-    for container in self.docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.restart()
-
-    res = { 'type': 'success', 'msg': 'command completed successfully'}
-    return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: top
-  def container_post__top(self, container_id, request_json):
-    for container in self.docker_client.containers.list(all=True, filters={"id": container_id}):
-      res = { 'type': 'success', 'msg': container.top()}
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: stats
-  def container_post__stats(self, container_id, request_json):
-    for container in self.docker_client.containers.list(all=True, filters={"id": container_id}):
-      for stat in container.stats(decode=True, stream=True):
-        res = { 'type': 'success', 'msg': stat}
-        return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: delete
-  def container_post__exec__mailq__delete(self, container_id, request_json):
-    if 'items' in request_json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request_json['items'])
-      if filtered_qids:
-        flagged_qids = ['-d %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-        for container in self.docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: hold
-  def container_post__exec__mailq__hold(self, container_id, request_json):
-    if 'items' in request_json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request_json['items'])
-      if filtered_qids:
-        flagged_qids = ['-h %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-        for container in self.docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: cat
-  def container_post__exec__mailq__cat(self, container_id, request_json):
-    if 'items' in request_json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request_json['items'])
-      if filtered_qids:
-        sanitized_string = str(' '.join(filtered_qids));
-
-        for container in self.docker_client.containers.list(filters={"id": container_id}):
-          postcat_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postcat -q " + sanitized_string], user='postfix')
-        if not postcat_return:
-          postcat_return = 'err: invalid'
-        return exec_run_handler('utf8_text_only', postcat_return)
-
-   # api call: container_post - post_action: exec - cmd: mailq - task: unhold
-  def container_post__exec__mailq__unhold(self, container_id, request_json):
-    if 'items' in request_json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request_json['items'])
-      if filtered_qids:
-        flagged_qids = ['-H %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-        for container in self.docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: deliver
-  def container_post__exec__mailq__deliver(self, container_id, request_json):
-    if 'items' in request_json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request_json['items'])
-      if filtered_qids:
-        flagged_qids = ['-i %s' % i for i in filtered_qids]
-        for container in self.docker_client.containers.list(filters={"id": container_id}):
-          for i in flagged_qids:
-            postqueue_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postqueue " + i], user='postfix')
-            # todo: check each exit code
-          res = { 'type': 'success', 'msg': 'Scheduled immediate delivery'}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-          
-  # api call: container_post - post_action: exec - cmd: mailq - task: list
-  def container_post__exec__mailq__list(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      mailq_return = container.exec_run(["/usr/sbin/postqueue", "-j"], user='postfix')
-      return exec_run_handler('utf8_text_only', mailq_return)
-  # api call: container_post - post_action: exec - cmd: mailq - task: flush
-  def container_post__exec__mailq__flush(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      postqueue_r = container.exec_run(["/usr/sbin/postqueue", "-f"], user='postfix')
-      return exec_run_handler('generic', postqueue_r)
-  # api call: container_post - post_action: exec - cmd: mailq - task: super_delete
-  def container_post__exec__mailq__super_delete(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      postsuper_r = container.exec_run(["/usr/sbin/postsuper", "-d", "ALL"])
-      return exec_run_handler('generic', postsuper_r)
-  # api call: container_post - post_action: exec - cmd: system - task: fts_rescan
-  def container_post__exec__system__fts_rescan(self, container_id, request_json):
-    if 'username' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -u '" + request_json['username'].replace("'", "'\\''") + "'"], user='vmail')
-        if rescan_return.exit_code == 0:
-          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-        else:
-          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-    if 'all' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -A"], user='vmail')
-        if rescan_return.exit_code == 0:
-          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-        else:
-          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: exec - cmd: system - task: df
-  def container_post__exec__system__df(self, container_id, request_json):
-    if 'dir' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        df_return = container.exec_run(["/bin/bash", "-c", "/bin/df -H '" + request_json['dir'].replace("'", "'\\''") + "' | /usr/bin/tail -n1 | /usr/bin/tr -s [:blank:] | /usr/bin/tr ' ' ','"], user='nobody')
-        if df_return.exit_code == 0:
-          return df_return.output.decode('utf-8').rstrip()
-        else:
-          return "0,0,0,0,0,0"
-  # api call: container_post - post_action: exec - cmd: system - task: mysql_upgrade
-  def container_post__exec__system__mysql_upgrade(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_upgrade -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "'\n"], user='mysql')
-      if sql_return.exit_code == 0:
-        matched = False
-        for line in sql_return.output.decode('utf-8').split("\n"):
-          if 'is already upgraded to' in line:
-            matched = True
-        if matched:
-          res = { 'type': 'success', 'msg':'mysql_upgrade: already upgraded', 'text': sql_return.output.decode('utf-8')}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-        else:
-          container.restart()
-          res = { 'type': 'warning', 'msg':'mysql_upgrade: upgrade was applied', 'text': sql_return.output.decode('utf-8')}
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-      else:
-        res = { 'type': 'error', 'msg': 'mysql_upgrade: error running command', 'text': sql_return.output.decode('utf-8')}
-        return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: exec - cmd: system - task: mysql_tzinfo_to_sql
-  def container_post__exec__system__mysql_tzinfo_to_sql(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /bin/sed 's/Local time zone must be set--see zic manual page/FCTY/' | /usr/bin/mysql -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "' mysql \n"], user='mysql')
-      if sql_return.exit_code == 0:
-        res = { 'type': 'info', 'msg': 'mysql_tzinfo_to_sql: command completed successfully', 'text': sql_return.output.decode('utf-8')}
-        return Response(content=json.dumps(res, indent=4), media_type="application/json")
-      else:
-        res = { 'type': 'error', 'msg': 'mysql_tzinfo_to_sql: error running command', 'text': sql_return.output.decode('utf-8')}
-        return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  # api call: container_post - post_action: exec - cmd: reload - task: dovecot
-  def container_post__exec__reload__dovecot(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/dovecot reload"])
-      return exec_run_handler('generic', reload_return)
-  # api call: container_post - post_action: exec - cmd: reload - task: postfix
-  def container_post__exec__reload__postfix(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postfix reload"])
-      return exec_run_handler('generic', reload_return)
-  # api call: container_post - post_action: exec - cmd: reload - task: nginx
-  def container_post__exec__reload__nginx(self, container_id, request_json):
-    for container in self.docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/sh", "-c", "/usr/sbin/nginx -s reload"])
-      return exec_run_handler('generic', reload_return)
-  # api call: container_post - post_action: exec - cmd: sieve - task: list
-  def container_post__exec__sieve__list(self, container_id, request_json):
-    if 'username' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        sieve_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm sieve list -u '" + request_json['username'].replace("'", "'\\''") + "'"])
-        return exec_run_handler('utf8_text_only', sieve_return)
-  # api call: container_post - post_action: exec - cmd: sieve - task: print
-  def container_post__exec__sieve__print(self, container_id, request_json):
-    if 'username' in request.json and 'script_name' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        cmd = ["/bin/bash", "-c", "/usr/bin/doveadm sieve get -u '" + request_json['username'].replace("'", "'\\''") + "' '" + request_json['script_name'].replace("'", "'\\''") + "'"]  
-        sieve_return = container.exec_run(cmd)
-        return exec_run_handler('utf8_text_only', sieve_return)
-  # api call: container_post - post_action: exec - cmd: maildir - task: cleanup
-  def container_post__exec__maildir__cleanup(self, container_id, request_json):
-    if 'maildir' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        sane_name = re.sub(r'\W+', '', request_json['maildir'])
-        cmd = ["/bin/bash", "-c", "if [[ -d '/var/vmail/" + request_json['maildir'].replace("'", "'\\''") + "' ]]; then /bin/mv '/var/vmail/" + request_json['maildir'].replace("'", "'\\''") + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "'; fi"]
-        maildir_cleanup = container.exec_run(cmd, user='vmail')
-        return exec_run_handler('generic', maildir_cleanup)
-  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
-  def container_post__exec__rspamd__worker_password(self, container_id, request_json):
-    if 'raw' in request_json:
-      for container in self.docker_client.containers.list(filters={"id": container_id}):
-        cmd = "/usr/bin/rspamadm pw -e -p '" + request_json['raw'].replace("'", "'\\''") + "' 2> /dev/null"
-        cmd_response = exec_cmd_container(container, cmd, user="_rspamd")
-
-        matched = False
-        for line in cmd_response.split("\n"):
-          if '$2$' in line:
-            hash = line.strip()
-            hash_out = re.search('\$2\$.+$', hash).group(0)
-            rspamd_passphrase_hash = re.sub('[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
-            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
-            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
-            cmd_response = exec_cmd_container(container, cmd, user="_rspamd")
-            if rspamd_passphrase_hash.startswith("$2$") and rspamd_passphrase_hash in cmd_response:
-              container.restart()
-              matched = True
-        if matched:
-          res = { 'type': 'success', 'msg': 'command completed successfully' }
-          logger.info('success changing Rspamd password')
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-        else:
-          logger.error('failed changing Rspamd password')
-          res = { 'type': 'danger', 'msg': 'command did not complete' }
-          return Response(content=json.dumps(res, indent=4), media_type="application/json")
-
-
-def exec_cmd_container(container, cmd, user, timeout=2, shell_cmd="/bin/bash"):
-
-  def recv_socket_data(c_socket, timeout):
-    c_socket.setblocking(0)
-    total_data=[]
-    data=''
-    begin=time.time()
-    while True:
-      if total_data and time.time()-begin > timeout:
-        break
-      elif time.time()-begin > timeout*2:
-        break
-      try:
-        data = c_socket.recv(8192)
-        if data:
-          total_data.append(data.decode('utf-8'))
-          #change the beginning time for measurement
-          begin=time.time()
-        else:
-          #sleep for sometime to indicate a gap
-          time.sleep(0.1)
-          break
-      except:
-        pass
-    return ''.join(total_data)
-    
-
-  try :
-    socket = container.exec_run([shell_cmd], stdin=True, socket=True, user=user).output._sock
-    if not cmd.endswith("\n"):
-      cmd = cmd + "\n"
-    socket.send(cmd.encode('utf-8'))
-    data = recv_socket_data(socket, timeout)
-    socket.close()
-    return data
-  except Exception as e:
-    logger.error("error - exec_cmd_container: %s" % str(e))
-    traceback.print_exc(file=sys.stdout)
-def exec_run_handler(type, output):
-  if type == 'generic':
-    if output.exit_code == 0:
-      res = { 'type': 'success', 'msg': 'command completed successfully' }
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-    else:
-      res = { 'type': 'danger', 'msg': 'command failed: ' + output.output.decode('utf-8') }
-      return Response(content=json.dumps(res, indent=4), media_type="application/json")
-  if type == 'utf8_text_only':
-    return Response(content=output.output.decode('utf-8'), media_type="text/plain")
-
-async def get_host_stats(wait=5):
-  global host_stats_isUpdating
-
-  try:
-    system_time = datetime.now()
-    host_stats = {
-      "cpu": {
-        "cores": psutil.cpu_count(),
-        "usage": psutil.cpu_percent()
-      },
-      "memory": {
-        "total": psutil.virtual_memory().total,
-        "usage": psutil.virtual_memory().percent,
-        "swap": psutil.swap_memory()
-      },
-      "uptime": time.time() - psutil.boot_time(),
-      "system_time": system_time.strftime("%d.%m.%Y %H:%M:%S")
-    }
-
-    redis_client.set('host_stats', json.dumps(host_stats), ex=10)
-  except Exception as e:
-    res = {
-      "type": "danger",
-      "msg": str(e)
-    }
-
-  await asyncio.sleep(wait)
-  host_stats_isUpdating = False
-  
-async def get_container_stats(container_id, wait=5, stop=False):
-  global containerIds_to_update
-
-  if container_id and container_id.isalnum():
-    try:
-      for container in (await async_docker_client.containers.list()):
-        if container._id == container_id:
-          res = await container.stats(stream=False)
-
-          if redis_client.exists(container_id + '_stats'):
-            stats = json.loads(redis_client.get(container_id + '_stats'))
-          else:
-            stats = []
-          stats.append(res[0])
-          if len(stats) > 3:
-            del stats[0]
-          redis_client.set(container_id + '_stats', json.dumps(stats), ex=60)
-    except Exception as e:
-      res = {
-        "type": "danger",
-        "msg": str(e)
-      }
-  else:
-    res = {
-      "type": "danger",
-      "msg": "no or invalid id defined"
-    }
-
-  await asyncio.sleep(wait)
-  if stop == True:
-    # update task was called second time, stop
-    containerIds_to_update.remove(container_id)
-  else:
-    # call update task a second time
-    await get_container_stats(container_id, wait=0, stop=True)
-
-
-
-if os.environ['REDIS_SLAVEOF_IP'] != "":
-  redis_client = redis.Redis(host=os.environ['REDIS_SLAVEOF_IP'], port=os.environ['REDIS_SLAVEOF_PORT'], db=0)
-else:
-  redis_client = redis.Redis(host='redis-mailcow', port=6379, db=0)
-
-sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
-async_docker_client = aiodocker.Docker(url='unix:///var/run/docker.sock')
-
-logger.info('DockerApi started')

data/Dockerfiles/dockerapi/main.py

@@ -0,0 +1,260 @@
+import os
+import sys
+import uvicorn
+import json
+import uuid
+import async_timeout
+import asyncio
+import aioredis
+import aiodocker
+import docker
+import logging
+from logging.config import dictConfig
+from fastapi import FastAPI, Response, Request
+from modules.DockerApi import DockerApi
+
+dockerapi = None
+app = FastAPI()
+
+# Define Routes
+@app.get("/host/stats")
+async def get_host_update_stats():
+  global dockerapi
+
+  if dockerapi.host_stats_isUpdating == False:
+    asyncio.create_task(dockerapi.get_host_stats())
+    dockerapi.host_stats_isUpdating = True
+
+  while True:
+    if await dockerapi.redis_client.exists('host_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.redis_client.get('host_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+@app.get("/containers/{container_id}/json")
+async def get_container(container_id : str):
+  global dockerapi
+
+  if container_id and container_id.isalnum():
+    try:
+      for container in (await dockerapi.async_docker_client.containers.list()):
+        if container._id == container_id:
+          container_info = await container.show()
+          return Response(content=json.dumps(container_info, indent=4), media_type="application/json")
+     
+      res = {
+        "type": "danger",
+        "msg": "no container found"
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  else:
+    res = {
+      "type": "danger",
+      "msg": "no or invalid id defined"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.get("/containers/json")
+async def get_containers():
+  global dockerapi
+
+  containers = {}
+  try:
+    for container in (await dockerapi.async_docker_client.containers.list()):
+      container_info = await container.show()
+      containers.update({container_info['Id']: container_info})
+    return Response(content=json.dumps(containers, indent=4), media_type="application/json")
+  except Exception as e:
+    res = {
+      "type": "danger",
+      "msg": str(e)
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/containers/{container_id}/{post_action}")
+async def post_containers(container_id : str, post_action : str, request: Request):
+  global dockerapi
+
+  try : 
+    request_json = await request.json()
+  except Exception as err:
+    request_json = {}
+
+  if container_id and container_id.isalnum() and post_action:
+    try:
+      """Dispatch container_post api call"""
+      if post_action == 'exec':
+        if not request_json or not 'cmd' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "cmd is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        if not request_json or not 'task' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "task is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+        api_call_method_name = '__'.join(['container_post', str(post_action), str(request_json['cmd']), str(request_json['task']) ])
+      else:
+        api_call_method_name = '__'.join(['container_post', str(post_action) ])
+
+      api_call_method = getattr(dockerapi, api_call_method_name, lambda container_id: Response(content=json.dumps({'type': 'danger', 'msg':'container_post - unknown api call' }, indent=4), media_type="application/json"))
+
+      dockerapi.logger.info("api call: %s, container_id: %s" % (api_call_method_name, container_id))
+      return api_call_method(request_json, container_id=container_id)
+    except Exception as e:
+      dockerapi.logger.error("error - container_post: %s" % str(e))
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+  else:
+    res = {
+      "type": "danger",
+      "msg": "invalid container id or missing action"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/container/{container_id}/stats/update")
+async def post_container_update_stats(container_id : str):
+  global dockerapi
+
+  # start update task for container if no task is running
+  if container_id not in dockerapi.containerIds_to_update:
+    asyncio.create_task(dockerapi.get_container_stats(container_id))
+    dockerapi.containerIds_to_update.append(container_id)
+
+  while True:
+    if await dockerapi.redis_client.exists(container_id + '_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.redis_client.get(container_id + '_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+# Events
+@app.on_event("startup")
+async def startup_event():
+  global dockerapi
+
+  # Initialize a custom logger
+  logger = logging.getLogger("dockerapi")
+  logger.setLevel(logging.INFO)
+  # Configure the logger to output logs to the terminal
+  handler = logging.StreamHandler()
+  handler.setLevel(logging.INFO)
+  formatter = logging.Formatter("%(levelname)s:     %(message)s")
+  handler.setFormatter(formatter)
+  logger.addHandler(handler)
+
+  logger.info("Init APP")
+
+  # Init redis client
+  if os.environ['REDIS_SLAVEOF_IP'] != "":
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0")
+  else:
+    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0")
+
+  # Init docker clients
+  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
+  async_docker_client = aiodocker.Docker(url='unix:///var/run/docker.sock')
+
+  dockerapi = DockerApi(redis_client, sync_docker_client, async_docker_client, logger)
+
+  logger.info("Subscribe to redis channel")
+  # Subscribe to redis channel
+  dockerapi.pubsub = redis.pubsub()
+  await dockerapi.pubsub.subscribe("MC_CHANNEL")
+  asyncio.create_task(handle_pubsub_messages(dockerapi.pubsub))
+
+@app.on_event("shutdown")
+async def shutdown_event():
+  global dockerapi
+
+  # Close docker connections
+  dockerapi.sync_docker_client.close()
+  await dockerapi.async_docker_client.close()
+
+  # Close redis
+  await dockerapi.pubsub.unsubscribe("MC_CHANNEL")
+  await dockerapi.redis_client.close()
+
+# PubSub Handler
+async def handle_pubsub_messages(channel: aioredis.client.PubSub):
+  global dockerapi
+
+  while True:
+    try:
+      async with async_timeout.timeout(1):
+        message = await channel.get_message(ignore_subscribe_messages=True)
+        if message is not None:
+          # Parse message
+          data_json = json.loads(message['data'].decode('utf-8'))
+          dockerapi.logger.info(f"PubSub Received - {json.dumps(data_json)}")
+
+          # Handle api_call
+          if 'api_call' in data_json:
+            # api_call: container_post
+            if data_json['api_call'] == "container_post":
+              if 'post_action' in data_json and 'container_name' in data_json:
+                try:
+                  """Dispatch container_post api call"""
+                  request_json = {}
+                  if data_json['post_action'] == 'exec':
+                    if 'request' in data_json:
+                      request_json = data_json['request']
+                      if 'cmd' in request_json:
+                        if 'task' in request_json:
+                          api_call_method_name = '__'.join(['container_post', str(data_json['post_action']), str(request_json['cmd']), str(request_json['task']) ])
+                        else:
+                          dockerapi.logger.error("api call: task missing")
+                      else:
+                        dockerapi.logger.error("api call: cmd missing")
+                    else:
+                      dockerapi.logger.error("api call: request missing")
+                  else:
+                    api_call_method_name = '__'.join(['container_post', str(data_json['post_action'])])
+
+                  if api_call_method_name:
+                    api_call_method = getattr(dockerapi, api_call_method_name)
+                    if api_call_method:
+                      dockerapi.logger.info("api call: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                      api_call_method(request_json, container_name=data_json['container_name'])
+                    else:
+                      dockerapi.logger.error("api call not found: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                except Exception as e:
+                  dockerapi.logger.error("container_post: %s" % str(e))
+              else:
+                dockerapi.logger.error("api call: missing container_name, post_action or request")
+            else:
+              dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+          else:
+            dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+              
+        await asyncio.sleep(0.01)
+    except asyncio.TimeoutError:
+      pass
+
+if __name__ == '__main__':
+  uvicorn.run(
+    app,
+    host="0.0.0.0",
+    port=443,
+    ssl_certfile="/app/dockerapi_cert.pem",
+    ssl_keyfile="/app/dockerapi_key.pem",
+    log_level="info",
+    loop="none"
+  )

data/Dockerfiles/dockerapi/modules/DockerApi.py

@@ -0,0 +1,487 @@
+import psutil
+import sys
+import os
+import re
+import time
+import json
+import asyncio
+import platform
+from datetime import datetime
+from fastapi import FastAPI, Response, Request
+
+class DockerApi:
+  def __init__(self, redis_client, sync_docker_client, async_docker_client, logger):
+    self.redis_client = redis_client
+    self.sync_docker_client = sync_docker_client
+    self.async_docker_client = async_docker_client
+    self.logger = logger
+
+    self.host_stats_isUpdating = False
+    self.containerIds_to_update = []
+
+  # api call: container_post - post_action: stop
+  def container_post__stop(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.stop()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: start
+  def container_post__start(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.start()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: restart
+  def container_post__restart(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.restart()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: top
+  def container_post__top(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      res = { 'type': 'success', 'msg': container.top()}
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: stats
+  def container_post__stats(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      for stat in container.stats(decode=True, stream=True):
+        res = { 'type': 'success', 'msg': stat}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: mailq - task: delete
+  def container_post__exec__mailq__delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-d %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: hold
+  def container_post__exec__mailq__hold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-h %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: cat
+  def container_post__exec__mailq__cat(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        sanitized_string = str(' '.join(filtered_qids))
+
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postcat_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postcat -q " + sanitized_string], user='postfix')
+        if not postcat_return:
+          postcat_return = 'err: invalid'
+        return self.exec_run_handler('utf8_text_only', postcat_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: unhold
+  def container_post__exec__mailq__unhold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-H %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: deliver
+  def container_post__exec__mailq__deliver(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-i %s' % i for i in filtered_qids]
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          for i in flagged_qids:
+            postqueue_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postqueue " + i], user='postfix')
+            # todo: check each exit code
+          res = { 'type': 'success', 'msg': 'Scheduled immediate delivery'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")        
+  # api call: container_post - post_action: exec - cmd: mailq - task: list
+  def container_post__exec__mailq__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      mailq_return = container.exec_run(["/usr/sbin/postqueue", "-j"], user='postfix')
+      return self.exec_run_handler('utf8_text_only', mailq_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: flush
+  def container_post__exec__mailq__flush(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postqueue_r = container.exec_run(["/usr/sbin/postqueue", "-f"], user='postfix')
+      return self.exec_run_handler('generic', postqueue_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: super_delete
+  def container_post__exec__mailq__super_delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postsuper_r = container.exec_run(["/usr/sbin/postsuper", "-d", "ALL"])
+      return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: system - task: fts_rescan
+  def container_post__exec__system__fts_rescan(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -u '" + request_json['username'].replace("'", "'\\''") + "'"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if 'all' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -A"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: df
+  def container_post__exec__system__df(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'dir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        df_return = container.exec_run(["/bin/bash", "-c", "/bin/df -H '" + request_json['dir'].replace("'", "'\\''") + "' | /usr/bin/tail -n1 | /usr/bin/tr -s [:blank:] | /usr/bin/tr ' ' ','"], user='nobody')
+        if df_return.exit_code == 0:
+          return df_return.output.decode('utf-8').rstrip()
+        else:
+          return "0,0,0,0,0,0"
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_upgrade
+  def container_post__exec__system__mysql_upgrade(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_upgrade -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "'\n"], user='mysql')
+      if sql_return.exit_code == 0:
+        matched = False
+        for line in sql_return.output.decode('utf-8').split("\n"):
+          if 'is already upgraded to' in line:
+            matched = True
+        if matched:
+          res = { 'type': 'success', 'msg':'mysql_upgrade: already upgraded', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          container.restart()
+          res = { 'type': 'warning', 'msg':'mysql_upgrade: upgrade was applied', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_upgrade: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_tzinfo_to_sql
+  def container_post__exec__system__mysql_tzinfo_to_sql(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /bin/sed 's/Local time zone must be set--see zic manual page/FCTY/' | /usr/bin/mysql -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "' mysql \n"], user='mysql')
+      if sql_return.exit_code == 0:
+        res = { 'type': 'info', 'msg': 'mysql_tzinfo_to_sql: command completed successfully', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_tzinfo_to_sql: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: reload - task: dovecot
+  def container_post__exec__reload__dovecot(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/dovecot reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: postfix
+  def container_post__exec__reload__postfix(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postfix reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: nginx
+  def container_post__exec__reload__nginx(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/sh", "-c", "/usr/sbin/nginx -s reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: list
+  def container_post__exec__sieve__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sieve_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm sieve list -u '" + request_json['username'].replace("'", "'\\''") + "'"])
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: print
+  def container_post__exec__sieve__print(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json and 'script_name' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = ["/bin/bash", "-c", "/usr/bin/doveadm sieve get -u '" + request_json['username'].replace("'", "'\\''") + "' '" + request_json['script_name'].replace("'", "'\\''") + "'"]  
+        sieve_return = container.exec_run(cmd)
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: maildir - task: cleanup
+  def container_post__exec__maildir__cleanup(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'maildir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sane_name = re.sub(r'\W+', '', request_json['maildir'])
+        vmail_name = request_json['maildir'].replace("'", "'\\''")
+        cmd_vmail = "if [[ -d '/var/vmail/" + vmail_name + "' ]]; then /bin/mv '/var/vmail/" + vmail_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "'; fi"
+        index_name = request_json['maildir'].split("/")
+        if len(index_name) > 1:
+          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
+          cmd_vmail_index = "if [[ -d '/var/vmail_index/" + index_name + "' ]]; then /bin/mv '/var/vmail_index/" + index_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "_index'; fi"
+          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
+        else:
+          cmd = ["/bin/bash", "-c", cmd_vmail]
+        maildir_cleanup = container.exec_run(cmd, user='vmail')
+        return self.exec_run_handler('generic', maildir_cleanup)
+  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
+  def container_post__exec__rspamd__worker_password(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'raw' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = "/usr/bin/rspamadm pw -e -p '" + request_json['raw'].replace("'", "'\\''") + "' 2> /dev/null"
+        cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+
+        matched = False
+        for line in cmd_response.split("\n"):
+          if '$2$' in line:
+            hash = line.strip()
+            hash_out = re.search('\$2\$.+$', hash).group(0)
+            rspamd_passphrase_hash = re.sub('[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
+            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
+            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
+            cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+            if rspamd_passphrase_hash.startswith("$2$") and rspamd_passphrase_hash in cmd_response:
+              container.restart()
+              matched = True
+        if matched:
+          res = { 'type': 'success', 'msg': 'command completed successfully' }
+          self.logger.info('success changing Rspamd password')
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          self.logger.error('failed changing Rspamd password')
+          res = { 'type': 'danger', 'msg': 'command did not complete' }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+  # Collect host stats
+  async def get_host_stats(self, wait=5):
+    try:
+      system_time = datetime.now()
+      host_stats = {
+        "cpu": {
+          "cores": psutil.cpu_count(),
+          "usage": psutil.cpu_percent()
+        },
+        "memory": {
+          "total": psutil.virtual_memory().total,
+          "usage": psutil.virtual_memory().percent,
+          "swap": psutil.swap_memory()
+        },
+        "uptime": time.time() - psutil.boot_time(),
+        "system_time": system_time.strftime("%d.%m.%Y %H:%M:%S"),
+        "architecture": platform.machine()
+      }
+
+      await self.redis_client.set('host_stats', json.dumps(host_stats), ex=10)
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+
+    await asyncio.sleep(wait)
+    self.host_stats_isUpdating = False
+  # Collect container stats
+  async def get_container_stats(self, container_id, wait=5, stop=False):
+    if container_id and container_id.isalnum():
+      try:
+        for container in (await self.async_docker_client.containers.list()):
+          if container._id == container_id:
+            res = await container.stats(stream=False)
+
+            if await self.redis_client.exists(container_id + '_stats'):
+              stats = json.loads(await self.redis_client.get(container_id + '_stats'))
+            else:
+              stats = []
+            stats.append(res[0])
+            if len(stats) > 3:
+              del stats[0]
+            await self.redis_client.set(container_id + '_stats', json.dumps(stats), ex=60)
+      except Exception as e:
+        res = {
+          "type": "danger",
+          "msg": str(e)
+        }
+    else:
+      res = {
+        "type": "danger",
+        "msg": "no or invalid id defined"
+      }
+
+    await asyncio.sleep(wait)
+    if stop == True:
+      # update task was called second time, stop
+      self.containerIds_to_update.remove(container_id)
+    else:
+      # call update task a second time
+      await self.get_container_stats(container_id, wait=0, stop=True)
+
+  def exec_cmd_container(self, container, cmd, user, timeout=2, shell_cmd="/bin/bash"):
+    def recv_socket_data(c_socket, timeout):
+      c_socket.setblocking(0)
+      total_data=[]
+      data=''
+      begin=time.time()
+      while True:
+        if total_data and time.time()-begin > timeout:
+          break
+        elif time.time()-begin > timeout*2:
+          break
+        try:
+          data = c_socket.recv(8192)
+          if data:
+            total_data.append(data.decode('utf-8'))
+            #change the beginning time for measurement
+            begin=time.time()
+          else:
+            #sleep for sometime to indicate a gap
+            time.sleep(0.1)
+            break
+        except:
+          pass
+      return ''.join(total_data)
+      
+    try :
+      socket = container.exec_run([shell_cmd], stdin=True, socket=True, user=user).output._sock
+      if not cmd.endswith("\n"):
+        cmd = cmd + "\n"
+      socket.send(cmd.encode('utf-8'))
+      data = recv_socket_data(socket, timeout)
+      socket.close()
+      return data
+    except Exception as e:
+      self.logger.error("error - exec_cmd_container: %s" % str(e))
+      traceback.print_exc(file=sys.stdout)
+
+  def exec_run_handler(self, type, output):
+    if type == 'generic':
+      if output.exit_code == 0:
+        res = { 'type': 'success', 'msg': 'command completed successfully' }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'danger', 'msg': 'command failed: ' + output.output.decode('utf-8') }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if type == 'utf8_text_only':
+      return Response(content=output.output.decode('utf-8'), media_type="text/plain")

data/Dockerfiles/dovecot/Dockerfile

@@ -1,115 +1,128 @@
-FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM alpine:3.18
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
-ARG DEBIAN_FRONTEND=noninteractive
-# renovate: datasource=github-tags depName=dovecot/core versioning=semver-coerced
-ARG DOVECOT=2.3.20
-# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced
 ARG GOSU_VERSION=1.16
-ENV LC_ALL C
 
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
 
 # Add groups and users before installing Dovecot to not break compatibility
-RUN groupadd -g 5000 vmail \
-  && groupadd -g 401 dovecot \
-  && groupadd -g 402 dovenull \
-  && groupadd -g 999 sogo \
-  && usermod -a -G sogo nobody \
-  && useradd -g vmail -u 5000 vmail -d /var/vmail \
-  && useradd -c "Dovecot unprivileged user" -d /dev/null -u 401 -g dovecot -s /bin/false dovecot \
-  && useradd -c "Dovecot login user" -d /dev/null -u 402 -g dovenull -s /bin/false dovenull \
-  && touch /etc/default/locale \
-  && apt-get update \
-  && apt-get -y --no-install-recommends install \
-  apt-transport-https \
+RUN addgroup -g 5000 vmail \
+  && addgroup -g 401 dovecot \
+  && addgroup -g 402 dovenull \
+  && sed -i "s/999/99/" /etc/group \
+  && addgroup -g 999 sogo \
+  && addgroup nobody sogo \
+  && adduser -D -u 5000 -G vmail -h /var/vmail vmail \
+  && adduser -D -G dovecot -u 401 -h /dev/null -s /sbin/nologin dovecot \
+  && adduser -D -G dovenull -u 402 -h /dev/null -s /sbin/nologin dovenull \
+  && apk add --no-cache --update \
+  build-base \
+  bash \
+  bind-tools \
   ca-certificates \
-  cpanminus \
   curl \
-  dnsutils \
-  dirmngr \
-  gettext \
-  gnupg2 \
+  cyrus-sasl-dev \
+  gcc \
+  gettext-dev \
+  gnupg \
+  gnupg-dirmngr \
   jq \
-  libauthen-ntlm-perl \
-  libcgi-pm-perl \
-  libcrypt-openssl-rsa-perl \
-  libcrypt-ssleay-perl \
-  libdata-uniqid-perl \
-  libdbd-mysql-perl \
-  libdbi-perl \
-  libdigest-hmac-perl \
-  libdist-checkconflicts-perl \
-  libencode-imaputf7-perl \
-  libfile-copy-recursive-perl \
-  libfile-tail-perl \
-  libhtml-parser-perl \
-  libio-compress-perl \
-  libio-socket-inet6-perl \
-  libio-socket-ssl-perl \
-  libio-tee-perl \
-  libipc-run-perl \
-  libjson-webtoken-perl \
-  liblockfile-simple-perl \
-  libmail-imapclient-perl \
-  libmodule-implementation-perl \
-  libmodule-scandeps-perl \
-  libnet-ssleay-perl \
-  libpackage-stash-perl \
-  libpackage-stash-xs-perl \
-  libpar-packer-perl \
-  libparse-recdescent-perl \
-  libproc-processtable-perl \
-  libreadonly-perl \
-  libregexp-common-perl \
-  libsys-meminfo-perl \
-  libterm-readkey-perl \
-  libtest-deep-perl \
-  libtest-fatal-perl \
-  libtest-mock-guard-perl \
-  libtest-mockobject-perl \
-  libtest-nowarnings-perl \
-  libtest-pod-perl \
-  libtest-requires-perl \
-  libtest-simple-perl \
-  libtest-warn-perl \
-  libtry-tiny-perl \
-  libunicode-string-perl \
-  liburi-perl \
-  libwww-perl \
-  lua-sql-mysql \
+  libintl \
+  libssl1.1 \
+  libstdc++ \
+  libxml2-dev \
+  lua \
+  lua-cjson \
   lua-socket \
+  lua-sec \
+  lua-sql-mysql \
+  lua5.3-sql-mysql \
+  make \
+  mariadb-connector-c \
+  mariadb-dev \
+  glib-dev \
+  gcompat \
   mariadb-client \
+# libressl-dev \
+  openssl-dev \
+  pcre-dev \
+  perl \
+  perl-dev \
+  perl-ntlm \
+  perl-cgi \
+  perl-crypt-openssl-rsa \
+  perl-utils \
+  perl-crypt-ssleay \
+  perl-data-uniqid \
+  perl-dbd-mysql \
+  perl-dbi \
+  perl-digest-hmac \
+  perl-dist-checkconflicts \
+  perl-encode-imaputf7 \
+  perl-file-copy-recursive \
+  perl-file-tail \
+  perl-io-socket-inet6 \
+  perl-io-gzip \
+  perl-io-socket-ssl \
+  perl-io-tee \
+  perl-ipc-run \
+  perl-json-webtoken \
+  perl-mail-imapclient \
+  perl-module-implementation \
+  perl-module-scandeps \
+  perl-net-ssleay \
+  perl-package-stash \
+  perl-package-stash-xs \
+  perl-par-packer \
+  perl-parse-recdescent \
+  libproc \
+  perl-readonly \
+  perl-regexp-common \
+  perl-sys-meminfo \
+  perl-term-readkey \
+  perl-test-deep \
+  perl-test-fatal \
+  perl-test-mockobject \
+  perl-test-mock-guard \
+  perl-test-pod \
+  perl-test-requires \
+  perl-test-simple \
+  perl-test-warn \
+  perl-try-tiny \
+  perl-unicode-string \
+  perl-proc-processtable \
+  perl-app-cpanminus \
   procps \
-  python3-pip \
-  redis-server \
-  supervisor \
+  python3 \
+  python3-dev \
+  py3-pip \
+  redis \
   syslog-ng \
-  syslog-ng-core \
-  syslog-ng-mod-redis \
+  syslog-ng-redis \
+  syslog-ng-json \
+  supervisor \
+  tzdata \
   wget \
-  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
-  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
-  && chmod +x /usr/local/bin/gosu \
-  && gosu nobody true \
-  && apt-key adv --fetch-keys https://repo.dovecot.org/DOVECOT-REPO-GPG \
-  && echo "deb https://repo.dovecot.org/ce-${DOVECOT}/debian/bullseye bullseye main" > /etc/apt/sources.list.d/dovecot.list \
-  && apt-get update \
-  && apt-get -y --no-install-recommends install \
-  dovecot-lua \
-  dovecot-managesieved \
-  dovecot-sieve \
+  dovecot \
+  dovecot-dev \
   dovecot-lmtpd \
+  dovecot-lua \
   dovecot-ldap \
   dovecot-mysql \
-  dovecot-core \
+  dovecot-sql \
+  dovecot-submissiond \
+  dovecot-pigeonhole-plugin \
   dovecot-pop3d \
-  dovecot-imapd \
-  dovecot-solr \
-  && pip3 install mysql-connector-python html2text jinja2 redis \
-  && apt-get autoremove --purge -y \
-  && apt-get autoclean \
-  && rm -rf /var/lib/apt/lists/* \
-  && rm -rf /tmp/* /var/tmp/* /root/.cache/
+  dovecot-fts-solr \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
+  && chmod +x /usr/local/bin/gosu \
+  && gosu nobody true
+
+RUN cpan LockFile::Simple
+
+RUN pip3 install mysql-connector-python html2text jinja2 redis
 
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
@@ -131,4 +144,4 @@ COPY quota_notify.py /usr/local/bin/quota_notify.py
 COPY repl_health.sh /usr/local/bin/repl_health.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -28,7 +28,7 @@ ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 
 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
-[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
+[[ ! -d /etc/dovecot/auth/ ]] && mkdir -p /etc/dovecot/auth/
 [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
 [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
 [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
@@ -128,124 +128,6 @@ user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 
-cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
-function auth_password_verify(req, pass)
-
-  if req.domain == nil then
-    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
-  end
-
-  if cur == nil then
-    script_init()
-  end
-
-  if req.user == nil then
-    req.user = ''
-  end
-
-  respbody = {}
-
-  -- check against mailbox passwds
-  local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
-    WHERE username = '%s'
-      AND active = '1'
-      AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
-  local row = cur:fetch ({}, "a")
-  while row do
-    if req.password_verify(req, row.password, pass) == 1 then
-      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-        VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
-      cur:close()
-      con:close()
-      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-    end
-    row = cur:fetch (row, "a")
-  end
-
-  -- check against app passwds for imap and smtp
-  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
-    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
-      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
-      WHERE mailbox = '%s'
-        AND app_passwd.active = '1'
-        AND mailbox.active = '1'
-        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
-    local row = cur:fetch ({}, "a")
-    while row do
-      if req.password_verify(req, row.password, pass) == 1 then
-        -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
-        if tostring(req.real_rip) == "__IPV4_SOGO__" then
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-        elseif row.has_prot_access == "1" then
-          con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-            VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-        end
-      end
-      row = cur:fetch (row, "a")
-    end
-  end
-
-  cur:close()
-  con:close()
-
-  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
-
-  -- PoC
-  -- local reqbody = string.format([[{
-  --   "success":0,
-  --   "service":"%s",
-  --   "app_password":false,
-  --   "username":"%s",
-  --   "real_rip":"%s"
-  -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
-  -- http.request {
-  --   method = "POST",
-  --   url = "http://nginx:8081/sasl_log.php",
-  --   source = ltn12.source.string(reqbody),
-  --   headers = {
-  --     ["content-type"] = "application/json",
-  --     ["content-length"] = tostring(#reqbody)
-  --   },
-  --   sink = ltn12.sink.table(respbody)
-  -- }
-
-end
-
-function auth_passdb_lookup(req)
-   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
-end
-
-function script_init()
-  mysql = require "luasql.mysql"
-  http = require "socket.http"
-  http.TIMEOUT = 5
-  ltn12 = require "ltn12"
-  env  = mysql.mysql()
-  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
-  return 0
-end
-
-function script_deinit()
-  con:close()
-  env:close()
-end
-EOF
-
-# Replace patterns in app-passdb.lua
-sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
-
-
 # Migrate old sieve_after file
 [[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
 # Create global sieve scripts
@@ -360,8 +242,8 @@ done
 
 # Fix permissions
 chown root:root /etc/dovecot/sql/*.conf
-chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
-chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
+chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/auth/passwd-verify.lua
+chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/auth/passwd-verify.lua
 chown -R vmail:vmail /var/vmail/sieve
 chown -R vmail:vmail /var/volatile
 chown -R vmail:vmail /var/vmail_index
@@ -430,6 +312,6 @@ done
 
 # For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
 # May be related to something inside Docker, I seriously don't know
-touch /etc/dovecot/lua/passwd-verify.lua
+touch /etc/dovecot/auth/passwd-verify.lua
 
 exec "$@"

data/Dockerfiles/dovecot/imapsync

@@ -8492,6 +8492,7 @@ sub xoauth2
         require HTML::Entities ;
         require JSON ;
         require JSON::WebToken::Crypt::RSA ;
+        require Crypt::OpenSSL::PKCS12;
         require Crypt::OpenSSL::RSA ;
         require Encode::Byte ;
         require IO::Socket::SSL ;
@@ -8532,8 +8533,9 @@ sub xoauth2
 
             $sync->{ debug } and myprint( "Service account: $iss\nKey file: $keyfile\nKey password: $keypass\n");
 
-            # Get private key from p12 file (would be better in perl...)
-            $key = `openssl pkcs12 -in "$keyfile" -nodes -nocerts -passin pass:$keypass -nomacver`;
+            # Get private key from p12 file
+            my $pkcs12 = Crypt::OpenSSL::PKCS12->new_from_file($keyfile);
+            $key = $pkcs12->private_key($keypass);
 
             $sync->{ debug } and myprint( "Private key:\n$key\n");
         }

data/Dockerfiles/dovecot/supervisord.conf

@@ -13,6 +13,10 @@ autostart=true
 
 [program:dovecot]
 command=/usr/sbin/dovecot -F
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
 
 [eventlistener:processes]

data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 4.1
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -6,11 +6,11 @@ options {
   use_dns(no);
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
-  stats_freq(0);
+  stats(freq(0));
   bad_hostname("^gconfd$");
 };
-source s_src {
-  unix-stream("/dev/log");
+source s_dgram {
+  unix-dgram("/dev/log");
   internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
@@ -36,7 +36,7 @@ filter f_replica {
   not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
 log {
-  source(s_src);
+  source(s_dgram);
   filter(f_replica);
   destination(d_stdout);
   filter(f_mail);

data/Dockerfiles/dovecot/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 4.1
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -6,11 +6,11 @@ options {
   use_dns(no);
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
-  stats_freq(0);
+  stats(freq(0));
   bad_hostname("^gconfd$");
 };
-source s_src {
-  unix-stream("/dev/log");
+source s_dgram {
+  unix-dgram("/dev/log");
   internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
@@ -36,7 +36,7 @@ filter f_replica {
   not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
 log {
-  source(s_src);
+  source(s_dgram);
   filter(f_replica);
   destination(d_stdout);
   filter(f_mail);

data/Dockerfiles/dovecot/trim_logs.sh

@@ -23,3 +23,4 @@ catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"

data/Dockerfiles/netfilter/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.17
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 ENV XTABLES_LIBDIR /usr/lib/xtables
 ENV PYTHON_IPTABLES_XTABLES_VERSION 12

data/Dockerfiles/netfilter/server.py

@@ -64,28 +64,40 @@ def refreshF2boptions():
   global f2boptions
   global quit_now
   global exit_code
+
+  f2boptions = {}
+
   if not r.get('F2B_OPTIONS'):
-    f2boptions = {}
-    f2boptions['ban_time'] = int
-    f2boptions['max_attempts'] = int
-    f2boptions['retry_window'] = int
-    f2boptions['netban_ipv4'] = int
-    f2boptions['netban_ipv6'] = int
-    f2boptions['ban_time'] = r.get('F2B_BAN_TIME') or 1800
-    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS') or 10
-    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW') or 600
-    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4') or 32
-    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6') or 128
-    r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
+    f2boptions['ban_time'] = r.get('F2B_BAN_TIME')
+    f2boptions['max_ban_time'] = r.get('F2B_MAX_BAN_TIME')
+    f2boptions['ban_time_increment'] = r.get('F2B_BAN_TIME_INCREMENT')
+    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS')
+    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW')
+    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4')
+    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6')
   else:
     try:
-      f2boptions = {}
       f2boptions = json.loads(r.get('F2B_OPTIONS'))
     except ValueError:
       print('Error loading F2B options: F2B_OPTIONS is not json')
       quit_now = True
       exit_code = 2
 
+  verifyF2boptions(f2boptions)
+  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
+
+def verifyF2boptions(f2boptions):
+  verifyF2boption(f2boptions,'ban_time', 1800)
+  verifyF2boption(f2boptions,'max_ban_time', 10000)
+  verifyF2boption(f2boptions,'ban_time_increment', True)
+  verifyF2boption(f2boptions,'max_attempts', 10)
+  verifyF2boption(f2boptions,'retry_window', 600)
+  verifyF2boption(f2boptions,'netban_ipv4', 32)
+  verifyF2boption(f2boptions,'netban_ipv6', 128)
+
+def verifyF2boption(f2boptions, f2boption, f2bdefault):
+  f2boptions[f2boption] = f2boptions[f2boption] if f2boption in f2boptions and f2boptions[f2boption] is not None else f2bdefault
+
 def refreshF2bregex():
   global f2bregex
   global quit_now
@@ -147,6 +159,7 @@ def ban(address):
   global lock
   refreshF2boptions()
   BAN_TIME = int(f2boptions['ban_time'])
+  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
   MAX_ATTEMPTS = int(f2boptions['max_attempts'])
   RETRY_WINDOW = int(f2boptions['retry_window'])
   NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
@@ -174,20 +187,16 @@ def ban(address):
   net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
   net = str(net)
 
-  if not net in bans or time.time() - bans[net]['last_attempt'] > RETRY_WINDOW:
-    bans[net] = { 'attempts': 0 }
-    active_window = RETRY_WINDOW
-  else:
-    active_window = time.time() - bans[net]['last_attempt']
+  if not net in bans:
+    bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}
 
   bans[net]['attempts'] += 1
   bans[net]['last_attempt'] = time.time()
 
-  active_window = time.time() - bans[net]['last_attempt']
-
   if bans[net]['attempts'] >= MAX_ATTEMPTS:
     cur_time = int(round(time.time()))
-    logCrit('Banning %s for %d minutes' % (net, BAN_TIME / 60))
+    NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
+    logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
     if type(ip) is ipaddress.IPv4Address:
       with lock:
         chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
@@ -206,7 +215,7 @@ def ban(address):
         rule.target = target
         if rule not in chain.rules:
           chain.insert_rule(rule)
-    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + BAN_TIME)
+    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
   else:
     logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
 
@@ -238,7 +247,8 @@ def unban(net):
   r.hdel('F2B_ACTIVE_BANS', '%s' % net)
   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
   if net in bans:
-    del bans[net]
+    bans[net]['attempts'] = 0
+    bans[net]['ban_counter'] += 1
 
 def permBan(net, unban=False):
   global lock
@@ -332,7 +342,7 @@ def watch():
               logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
               ban(addr)
     except Exception as ex:
-      logWarn('Error reading log line from pubsub')
+      logWarn('Error reading log line from pubsub: %s' % ex)
       quit_now = True
       exit_code = 2
 
@@ -359,21 +369,30 @@ def snat4(snat_target):
         chain = iptc.Chain(table, 'POSTROUTING')
         table.autocommit = False
         new_rule = get_snat4_rule()
-        for position, rule in enumerate(chain.rules):
-          match = all((
-            new_rule.get_src() == rule.get_src(),
-            new_rule.get_dst() == rule.get_dst(),
-            new_rule.target.parameters == rule.target.parameters,
-            new_rule.target.name == rule.target.name
-          ))
-          if position == 0:
-            if not match:
-              logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
-              chain.insert_rule(new_rule)
-          else:
-            if match:
-              logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}')
-              chain.delete_rule(rule)
+
+        if not chain.rules:
+          # if there are no rules in the chain, insert the new rule directly
+          logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
+          chain.insert_rule(new_rule)
+        else:
+          for position, rule in enumerate(chain.rules):
+            if not hasattr(rule.target, 'parameter'):
+                continue
+            match = all((
+              new_rule.get_src() == rule.get_src(),
+              new_rule.get_dst() == rule.get_dst(),
+              new_rule.target.parameters == rule.target.parameters,
+              new_rule.target.name == rule.target.name
+            ))
+            if position == 0:
+              if not match:
+                logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
+                chain.insert_rule(new_rule)
+            else:
+              if match:
+                logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}')
+                chain.delete_rule(rule)
+
         table.commit()
         table.autocommit = True
       except:
@@ -418,6 +437,8 @@ def autopurge():
     time.sleep(10)
     refreshF2boptions()
     BAN_TIME = int(f2boptions['ban_time'])
+    MAX_BAN_TIME = int(f2boptions['max_ban_time'])
+    BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
     MAX_ATTEMPTS = int(f2boptions['max_attempts'])
     QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
     if QUEUE_UNBAN:
@@ -425,7 +446,9 @@ def autopurge():
         unban(str(net))
     for net in bans.copy():
       if bans[net]['attempts'] >= MAX_ATTEMPTS:
-        if time.time() - bans[net]['last_attempt'] > BAN_TIME:
+        NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
+        TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
+        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME or TIME_SINCE_LAST_ATTEMPT > MAX_BAN_TIME:
           unban(net)
 
 def isIpNetwork(address):

data/Dockerfiles/olefy/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.17
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 WORKDIR /app
 

data/Dockerfiles/phpfpm/Dockerfile

@@ -1,5 +1,5 @@
-FROM php:8.1-fpm-alpine3.17
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM php:8.2-fpm-alpine3.17
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced
 ARG APCU_PECL_VERSION=5.1.22
@@ -12,7 +12,7 @@ ARG MEMCACHED_PECL_VERSION=3.2.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced
 ARG REDIS_PECL_VERSION=5.3.7
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced
-ARG COMPOSER_VERSION=2.5.1
+ARG COMPOSER_VERSION=2.5.5
 
 RUN apk add -U --no-cache autoconf \
   aspell-dev \
@@ -52,6 +52,7 @@ RUN apk add -U --no-cache autoconf \
   libxpm-dev \
   libzip \
   libzip-dev \
+  linux-headers \
   make \
   mysql-client \
   openldap-dev \
@@ -75,7 +76,7 @@ RUN apk add -U --no-cache autoconf \
     --with-webp \
     --with-xpm \
     --with-avif \
-  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets zip bcmath gmp \
+  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets sysvsem zip bcmath gmp \
   && docker-php-ext-configure imap --with-imap --with-imap-ssl \
   && docker-php-ext-install -j 4 imap \
   && curl --silent --show-error https://getcomposer.org/installer | php -- --version=${COMPOSER_VERSION} \
@@ -99,6 +100,7 @@ RUN apk add -U --no-cache autoconf \
     libxml2-dev \
     libxpm-dev \
     libzip-dev \
+    linux-headers \
     make \
     openldap-dev \
     pcre-dev \

data/Dockerfiles/phpfpm/docker-entrypoint.sh

@@ -172,6 +172,24 @@ BEGIN
 END;
 //
 DELIMITER ;
+DROP EVENT IF EXISTS clean_sasl_log;
+DELIMITER //
+CREATE EVENT clean_sasl_log
+ON SCHEDULE EVERY 1 DAY DO
+BEGIN
+  DELETE sasl_log.* FROM sasl_log
+    LEFT JOIN (
+      SELECT username, service, MAX(datetime) AS lastdate
+      FROM sasl_log
+      GROUP BY username, service
+    ) AS last ON sasl_log.username = last.username AND sasl_log.service = last.service
+    WHERE datetime < DATE_SUB(NOW(), INTERVAL 31 DAY) AND datetime < lastdate;
+  DELETE FROM sasl_log
+    WHERE username NOT IN (SELECT username FROM mailbox) AND
+    datetime < DATE_SUB(NOW(), INTERVAL 31 DAY);
+END;
+//
+DELIMITER ;
 EOF
 fi
 

data/Dockerfiles/postfix/Dockerfile

@@ -1,5 +1,5 @@
 FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
@@ -17,10 +17,10 @@ RUN groupadd -g 102 postfix \
 	ca-certificates \
 	curl \
 	dirmngr \
-  dnsutils \
+  	dnsutils \
 	gnupg \
 	libsasl2-modules \
-  mariadb-client \
+  	mariadb-client \
 	perl \
 	postfix \
 	postfix-mysql \
@@ -32,7 +32,7 @@ RUN groupadd -g 102 postfix \
 	syslog-ng \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
-  tzdata \
+  	tzdata \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& touch /etc/default/locale \
   && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \

data/Dockerfiles/postfix/postfix.sh

@@ -393,12 +393,101 @@ query = SELECT goto FROM spamalias
     AND validity >= UNIX_TIMESTAMP()
 EOF
 
-sed -i '/User overrides/q' /opt/postfix/conf/main.cf
+if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
+  cat <<EOF > /opt/postfix/conf/dns_blocklists.cf
+# This file can be edited. 
+# Delete this file and restart postfix container to revert any changes.
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+EOF
+fi
+DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')
+
+if [ ! -z "$DNSBL_CONFIG" ]; then
+  echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m"
+  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
+    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
+    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
+    SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
+postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
+EOF
+
+  cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
+# Autogenerated by mailcow, using Spamhaus DQS reply domains
+${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
+${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
+EOF
+    )
+  else
+    if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then
+      rm /opt/postfix/conf/dnsbl_reply.map
+    fi
+    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
+    if [ "$response" -eq 503 ]; then
+      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
+      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=""
+    elif [ "$response" -eq 200 ]; then
+      echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m"
+      echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+EOF
+      )
+
+    else
+      echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m"
+      echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=""
+    fi
+  fi
+fi
+
+# Reset main.cf
+sed -i '/Overrides/q' /opt/postfix/conf/main.cf
 echo >> /opt/postfix/conf/main.cf
+# Append postscreen dnsbl sites to main.cf
+if [ ! -z "$DNSBL_CONFIG" ]; then
+  echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf
+fi
+# Append user overrides
+echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf
 touch /opt/postfix/conf/extra.cf
 sed -i '/myhostname/d' /opt/postfix/conf/extra.cf
 echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf
-
 cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf
 
 if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then

data/Dockerfiles/rspamd/Dockerfile

@@ -1,19 +1,19 @@
-FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@tinc.gmbh>"
+FROM debian:bookworm-slim
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CODENAME=bullseye
+ARG CODENAME=bookworm
 ENV LC_ALL C
 
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
   tzdata \
   ca-certificates \
   gnupg2 \
   apt-transport-https \
   dnsutils \
-  netcat \
+  netcat-traditional \
   && apt-key adv --fetch-keys https://rspamd.com/apt-stable/gpg.key \
-  && echo "deb [arch=amd64] https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
+  && echo "deb https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
   && apt-get update \
   && apt-get --no-install-recommends -y install rspamd redis-tools procps nano \
   && rm -rf /var/lib/apt/lists/* \

data/Dockerfiles/sogo/Dockerfile

@@ -1,8 +1,8 @@
 FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG SOGO_DEBIAN_REPOSITORY=http://packages.sogo.nu/nightly/5/debian/
+ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced
 ARG GOSU_VERSION=1.16
 ENV LC_ALL C
@@ -32,7 +32,7 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
   && mkdir /usr/share/doc/sogo \
   && touch /usr/share/doc/sogo/empty.sh \
   && apt-key adv --keyserver keys.openpgp.org --recv-key 74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 \
-  && echo "deb ${SOGO_DEBIAN_REPOSITORY} bullseye bullseye" > /etc/apt/sources.list.d/sogo.list \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} bullseye sogo-v5" > /etc/apt/sources.list.d/sogo.list \
   && apt-get update && apt-get install -y --no-install-recommends \
     sogo \
     sogo-activesync \

data/Dockerfiles/sogo/bootstrap-sogo.sh

@@ -24,110 +24,6 @@ while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
 done
 echo "DB schema is ${DBV_NOW}"
 
-# Recreate view
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing sogo_view..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-CREATE VIEW sogo_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) AS 
-SELECT
-   mailbox.username,
-   mailbox.domain,
-   mailbox.username,
-   IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0', IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'), '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-   mailbox.name,
-   mailbox.username,
-   IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
-   IFNULL(gda.ad_alias, ''),
-   IFNULL(external_acl.send_as_acl, ''),
-   mailbox.kind,
-   mailbox.multiple_bookings
-FROM
-   mailbox
-   LEFT OUTER JOIN
-      grouped_mail_aliases ga
-      ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
-   LEFT OUTER JOIN
-      grouped_domain_alias_address gda
-      ON gda.username = mailbox.username
-   LEFT OUTER JOIN
-      grouped_sender_acl_external external_acl
-      ON external_acl.username = mailbox.username
-WHERE
-   mailbox.active = '1'
-GROUP BY
-   mailbox.username;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Will retry to setup SOGo view in 3s..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Waiting for SOGo view to be created by master..."
-      sleep 3
-    fi
-  done
-fi
-
-# Wait for static view table if missing after update and update content
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing _sogo_static_view..."
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-      echo "Updating _sogo_static_view content..."
-      # If changed, also update init_db.inc.php
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
-    else
-      echo "Waiting for database initialization..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-    else
-      echo "Waiting for database initialization by master..."
-      sleep 3
-    fi
-  done
-fi
-
-
-# Recreate password update trigger
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing update trigger..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
-  while [[ ${TRIGGER_OK} != 'OK' ]]; do
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELIMITER -
-CREATE TRIGGER sogo_update_password AFTER UPDATE ON _sogo_static_view
-FOR EACH ROW
-BEGIN
-UPDATE mailbox SET password = NEW.c_password WHERE NEW.c_uid = username;
-END;
--
-DELIMITER ;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
-      TRIGGER_OK=OK
-    else
-      echo "Will retry to setup SOGo password update trigger in 3s"
-      sleep 3
-    fi
-  done
-fi
-
 # cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
 RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
 

data/Dockerfiles/solr/Dockerfile

@@ -1,4 +1,5 @@
 FROM solr:7.7-slim
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 USER root
 

data/Dockerfiles/unbound/Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.17
 
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk add --update --no-cache \
 	curl \

data/Dockerfiles/watchdog/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.17
-LABEL maintainer "André Peters <andre.peters@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 # Installation
 RUN apk add --update \

data/assets/nextcloud/nextcloud.conf

@@ -24,7 +24,7 @@ server {
   add_header X-Download-Options "noopen" always;
   add_header X-Frame-Options "SAMEORIGIN" always;
   add_header X-Permitted-Cross-Domain-Policies "none" always;
-  add_header X-Robots-Tag "none" always;
+  add_header X-Robots-Tag "noindex, nofollow" always;
   add_header X-XSS-Protection "1; mode=block" always;
 
   fastcgi_hide_header X-Powered-By;

data/conf/dovecot/auth/mailcowauth.php

@@ -0,0 +1,74 @@
+<?php
+ini_set('error_reporting', 0);
+header('Content-Type: application/json');
+
+$post = trim(file_get_contents('php://input'));
+if ($post) {
+  $post = json_decode($post, true);
+}
+
+
+$return = array("success" => false);
+if(!isset($post['username']) || !isset($post['password']) || !isset($post['real_rip'])){
+  error_log("MAILCOWAUTH: Bad Request");
+  http_response_code(400); // Bad Request
+  echo json_encode($return); 
+  exit();
+}
+
+require_once('../../../web/inc/vars.inc.php');
+if (file_exists('../../../web/inc/vars.local.inc.php')) {
+  include_once('../../../web/inc/vars.local.inc.php');
+}
+require_once '../../../web/inc/lib/vendor/autoload.php';
+
+// Init database
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(500); // Internal Server Error
+  echo json_encode($return); 
+  exit;
+}
+
+// Load core functions first
+require_once 'functions.inc.php';
+require_once 'functions.auth.inc.php';
+require_once 'sessions.inc.php';
+
+// Init provider
+$iam_provider = identity_provider('init');
+
+
+$protocol = $post['protocol'];
+if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
+  $protocol = null;
+}
+$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+if ($result === false){
+  $result = apppass_login($post['username'], $post['password'], $protocol, array(
+    'is_internal' => true,
+    'remote_addr' => $post['real_rip']
+  ));
+}
+
+if ($result) {
+  http_response_code(200); // OK
+  $return['success'] = true;
+} else {
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
+  http_response_code(401); // Unauthorized
+}
+
+
+echo json_encode($return); 
+session_destroy();
+exit;

data/conf/dovecot/auth/passwd-verify.lua

@@ -0,0 +1,42 @@
+function auth_password_verify(request, password)
+  if request.domain == nil then
+    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
+  end
+
+  json = require "cjson"
+  ltn12 = require "ltn12"
+  https = require "ssl.https"
+  https.TIMEOUT = 5
+
+  local req = {
+    username = request.user,
+    password = password,
+    real_rip = request.real_rip,
+    protocol = {}
+  }
+  req.protocol[request.service] = true
+  local req_json = json.encode(req)
+  local res = {} 
+  
+  local b, c = https.request {
+    method = "POST",
+    url = "https://nginx:9082",
+    source = ltn12.source.string(req_json),
+    headers = {
+      ["content-type"] = "application/json",
+      ["content-length"] = tostring(#req_json)
+    },
+    sink = ltn12.sink.table(res),
+    insecure = true
+  }
+  local api_response = json.decode(table.concat(res))
+  if api_response.success == true then
+    return dovecot.auth.PASSDB_RESULT_OK, ""
+  end
+  
+  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
+end
+
+function auth_passdb_lookup(req)
+   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+end

data/conf/dovecot/dovecot.conf

@@ -24,6 +24,11 @@ mail_plugins = </etc/dovecot/mail_plugins
 mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
 mail_attachment_dir = /var/attachments
 mail_attachment_min_size = 128k
+# Significantly speeds up very large mailboxes, but is only safe to enable if
+# you do not manually modify the files in the `cur` directories in
+# mailcowdockerized_vmail-vol-1.
+# https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-performance/
+maildir_very_dirty_syncs = yes
 
 # Dovecot 2.2
 #ssl_protocols = !SSLv3
@@ -47,7 +52,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
   driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
   result_success = return-ok
   result_failure = continue
   result_internalfail = continue
@@ -63,7 +68,7 @@ passdb {
 # a return of the following passdb is mandatory
 passdb {
   driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
 }
 # Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
 service doveadm {
@@ -236,8 +241,8 @@ plugin {
   mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
   mail_crypt_save_version = 2
 
-  # Enable compression while saving, lz4 Dovecot v2.2.11+
-  zlib_save = lz4
+  # Enable compression while saving, zstd Dovecot v2.3.17+
+  zlib_save = zstd
 
   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
   mail_log_fields = uid box msgid size

data/conf/nginx/includes/site-defaults.conf

@@ -114,7 +114,7 @@
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_redirect off;
-      error_page 403 /_rspamderror.php;
+      error_page 401 /_rspamderror.php;
     }
     proxy_pass       http://rspamd:11334/;
     proxy_set_header Host      $http_host;

data/conf/nginx/mailcow_auth.conf

@@ -0,0 +1,23 @@
+server {
+  listen 9082 ssl http2;
+
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+
+  index mailcowauth.php;
+  server_name _;
+  error_log  /var/log/nginx/error.log;
+  access_log /var/log/nginx/access.log;
+  root /mailcowauth;
+  client_max_body_size 10M;
+
+  location ~ \.php$ {
+    client_max_body_size 10M;
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9001;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+  }
+}

data/conf/phpfpm/crons/keycloak-sync.php

@@ -0,0 +1,222 @@
+<?php
+
+require_once(__DIR__ . '/../web/inc/vars.inc.php');
+if (file_exists(__DIR__ . '/../web/inc/vars.local.inc.php')) {
+  include_once(__DIR__ . '/../web/inc/vars.local.inc.php');
+}
+require_once __DIR__ . '/../web/inc/lib/vendor/autoload.php';
+
+// Init database
+//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  logMsg("danger", $e->getMessage());
+  session_destroy();
+  exit;
+}
+
+// Init Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+}
+catch (Exception $e) {
+  echo "Exiting: " . $e->getMessage();
+  session_destroy();
+  exit;
+}
+
+function logMsg($priority, $message, $task = "Keycloak Sync") {
+  global $redis;
+
+  $finalMsg = array(
+    "time" => time(),
+    "priority" => $priority,
+    "task" => $task,
+    "message" => $message
+  );
+  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+}
+
+// Load core functions first
+require_once __DIR__ . '/../web/inc/functions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.auth.inc.php';
+require_once __DIR__ . '/../web/inc/sessions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.mailbox.inc.php';
+require_once __DIR__ . '/../web/inc/functions.ratelimit.inc.php';
+require_once __DIR__ . '/../web/inc/functions.acl.inc.php';
+
+$_SESSION['mailcow_cc_username'] = "admin";
+$_SESSION['mailcow_cc_role'] = "admin";
+$_SESSION['acl']['tls_policy'] = "1";
+$_SESSION['acl']['quarantine_notification'] = "1";
+$_SESSION['acl']['quarantine_category'] = "1";
+$_SESSION['acl']['ratelimit'] = "1";
+$_SESSION['acl']['sogo_access'] = "1";
+$_SESSION['acl']['protocol_access'] = "1";
+$_SESSION['acl']['mailbox_relayhost'] = "1";
+
+// Init Keycloak Provider
+$iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
+if (intval($iam_settings['periodic_sync']) != 1 && $iam_settings['import_users'] != 1) {
+  session_destroy();
+  exit;
+}
+
+// Set pagination variables
+$start = 0;
+$max = 25;
+
+// lock sync if already running
+$lock_file = '/tmp/iam-sync.lock';
+if (file_exists($lock_file)) {
+  $lock_file_parts = explode("\n", file_get_contents($lock_file));
+  $pid = $lock_file_parts[0];
+  if (count($lock_file_parts) > 1){
+    $last_execution = $lock_file_parts[1];
+    $elapsed_time = (time() - $last_execution) / 60;
+    if ($elapsed_time < intval($iam_settings['sync_interval'])) {
+      logMsg("warning", "Sync not ready (".number_format((float)$elapsed_time, 2, '.', '')."min / ".$iam_settings['sync_interval']."min)");
+      session_destroy();
+      exit;
+    }
+  }
+
+  if (posix_kill($pid, 0)) {
+    logMsg("warning", "Sync is already running");
+    session_destroy();
+    exit;
+  } else {
+    unlink($lock_file);
+  }
+}
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid());
+fclose($lock_file_handle);
+
+// Loop until all users have been retrieved
+while (true) {
+  // Get admin access token
+  $admin_token = identity_provider("get-keycloak-admin-token");
+  
+  // Make the API request to retrieve the users
+  $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users?first=$start&max=$max";
+  $ch = curl_init();
+  curl_setopt($ch, CURLOPT_URL, $url);
+  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($ch, CURLOPT_HTTPHEADER, [
+    "Content-Type: application/json",
+    "Authorization: Bearer " . $admin_token
+  ]);
+  $response = curl_exec($ch);
+  $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+  curl_close($ch);
+  
+  if ($code != 200){
+    logMsg("danger", "Recieved HTTP {$code}");
+    session_destroy();
+    exit;
+  }
+  try {
+    $response = json_decode($response, true);
+  } catch (Exception $e) {
+    logMsg("danger", $e->getMessage());
+    break;
+  }
+  if (!is_array($response)){
+    logMsg("danger", "Recieved malformed response from keycloak api");
+    break;
+  }
+  if (count($response) == 0) {
+    break;
+  }
+
+  // Process the batch of users
+  foreach ($response as $user) {
+    if (empty($user['email'])){
+      logMsg("warning", "No email address in keycloak found for user " . $user['name']);
+      continue;
+    }
+    if (!isset($user['attributes'])){
+      logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
+      continue;
+    }
+    if (!isset($user['attributes']['mailcow_template']) || 
+        !is_array($user['attributes']['mailcow_template']) || 
+        count($user['attributes']['mailcow_template']) == 0) {
+      logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
+      continue;
+    }
+    $mailcow_template = $user['attributes']['mailcow_template'];
+
+    // try get mailbox user
+    $stmt = $pdo->prepare("SELECT `mailbox`.* FROM `mailbox`
+    INNER JOIN domain on mailbox.domain = domain.domain
+    WHERE `kind` NOT REGEXP 'location|thing|group'
+      AND `domain`.`active`='1'
+      AND `username` = :user");
+    $stmt->execute(array(':user' => $user['email']));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+    // check if matching attribute mapping exists
+    $mbox_template = null;
+    foreach ($iam_settings['mappers'] as $index => $mapper){
+      if (in_array($mapper, $user['attributes']['mailcow_template'])) {
+        $mbox_template = $mapper;
+        break;
+      }
+    }
+    if (!$mbox_template){
+      logMsg("warning", "No matching mapper found for mailbox_template");
+      continue;
+    }
+
+    if (!$row && intval($iam_settings['import_users']) == 1){
+      // mailbox user does not exist, create...
+      logMsg("info", "Creating user " . $user['email']);
+      mailbox('add', 'mailbox_from_template', array(
+        'domain' => explode('@', $user['email'])[1],
+        'local_part' => explode('@', $user['email'])[0],
+        'authsource' => 'keycloak',
+        'template' => $mbox_template
+      ));
+    } else if ($row) {
+      // mailbox user does exist, sync attribtues...
+      logMsg("info", "Syncing attributes for user " . $user['email']);
+      mailbox('edit', 'mailbox_from_template', array(
+        'username' => $user['email'],
+        'template' => $mbox_template
+      ));
+    } else {
+      // skip mailbox user
+      logMsg("info", "Skipping user " . $user['email']);
+    }
+
+    sleep(0.025);
+  }
+  
+  // Update the pagination variables for the next batch
+  $start += $max;
+  sleep(1);
+}
+
+logMsg("info", "DONE!");
+// add last execution time to lock file
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid() . "\n" . time());
+fclose($lock_file_handle);
+session_destroy();

data/conf/postfix/main.cf

@@ -40,34 +40,6 @@ postscreen_blacklist_action = drop
 postscreen_cache_cleanup_interval = 24h
 postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
 postscreen_dnsbl_action = enforce
-postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
-  hostkarma.junkemailfilter.com=127.0.0.1*-2
-  list.dnswl.org=127.0.[0..255].0*-2
-  list.dnswl.org=127.0.[0..255].1*-4
-  list.dnswl.org=127.0.[0..255].2*-6
-  list.dnswl.org=127.0.[0..255].3*-8
-  ix.dnsbl.manitu.net*2
-  bl.spamcop.net*2
-  bl.suomispam.net*2
-  hostkarma.junkemailfilter.com=127.0.0.2*3
-  hostkarma.junkemailfilter.com=127.0.0.4*2
-  hostkarma.junkemailfilter.com=127.0.1.2*1
-  backscatter.spameatingmonkey.net*2
-  bl.ipv6.spameatingmonkey.net*2
-  bl.spameatingmonkey.net*2
-  b.barracudacentral.org=127.0.0.2*7
-  bl.mailspike.net=127.0.0.2*5
-  bl.mailspike.net=127.0.0.[10;11;12]*4
-  dnsbl.sorbs.net=127.0.0.10*8
-  dnsbl.sorbs.net=127.0.0.5*6
-  dnsbl.sorbs.net=127.0.0.7*3
-  dnsbl.sorbs.net=127.0.0.8*2
-  dnsbl.sorbs.net=127.0.0.6*2
-  dnsbl.sorbs.net=127.0.0.9*2
-  zen.spamhaus.org=127.0.0.[10;11]*8
-  zen.spamhaus.org=127.0.0.[4..7]*6
-  zen.spamhaus.org=127.0.0.3*4
-  zen.spamhaus.org=127.0.0.2*3
 postscreen_dnsbl_threshold = 6
 postscreen_dnsbl_ttl = 5m
 postscreen_greet_action = enforce
@@ -197,4 +169,4 @@ smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
 
 # DO NOT EDIT ANYTHING BELOW #
-# User overrides #
+# Overrides #

data/conf/postfix/postscreen_access.cidr

@@ -1,15 +1,20 @@
-# Whitelist generated by Postwhite v3.4 on Mon 21 Mar 2022 06:50:26 PM CET
+# Whitelist generated by Postwhite v3.4 on Mon Jul 31 10:06:06 UTC 2023
 # https://github.com/stevejenkins/postwhite/
-# 1898 total rules
+# 2043 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
-2a01:111:f403::/48	permit
-2a01:4180:4050:0400::/64	permit
-2a01:4180:4050:0800::/64	permit
-2a01:4180:4051:0400::/64	permit
-2a01:4180:4051:0800::/64	permit
+2a01:111:f403:8000::/50	permit
+2a01:111:f403::/49	permit
+2a01:111:f403:c000::/51	permit
+2a01:111:f403:f000::/52	permit
 2a02:a60:0:5::/64	permit
 2c0f:fb50:4000::/36	permit
+2.207.151.53	permit
+3.14.230.16	permit
+3.70.123.177	permit
+3.93.157.0/24	permit
+3.129.120.190	permit
+3.210.190.0/24	permit
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
@@ -19,41 +24,53 @@
 13.70.32.43	permit
 13.72.50.45	permit
 13.74.143.28	permit
-13.77.161.179	permit
 13.78.233.182	permit
 13.92.31.129	permit
 13.110.208.0/21	permit
+13.110.209.0/24	permit
 13.110.216.0/22	permit
 13.110.224.0/20	permit
 13.111.0.0/16	permit
-17.41.0.0/16	permit
+15.200.21.50	permit
+15.200.44.248	permit
+15.200.201.185	permit
 17.57.155.0/24	permit
 17.57.156.0/24	permit
 17.58.0.0/16	permit
-17.110.0.0/15	permit
-17.142.0.0/15	permit
-17.162.0.0/15	permit
-17.164.0.0/16	permit
-17.171.37.0/24	permit
-17.172.0.0/16	permit
-17.179.168.0/23	permit
+18.156.89.250	permit
+18.157.243.190	permit
 18.194.95.56	permit
 18.198.96.88	permit
-20.47.149.138	permit
-20.48.0.0/12	permit
+18.208.124.128/25	permit
+18.216.232.154	permit
+18.234.1.244	permit
+18.236.40.242	permit
+20.51.6.32/30	permit
 20.52.52.2	permit
 20.52.128.133	permit
+20.59.80.4/30	permit
 20.63.210.192/28	permit
-20.64.0.0/10	permit
+20.69.8.108/30	permit
+20.70.246.20	permit
+20.76.201.171	permit
+20.83.222.104/30	permit
+20.88.157.184/30	permit
 20.94.180.64/28	permit
+20.97.34.220/30	permit
+20.98.148.156/30	permit
+20.98.194.68/30	permit
+20.105.209.76/30	permit
+20.107.239.64/30	permit
+20.112.250.133	permit
+20.118.139.208/30	permit
 20.185.213.160/27	permit
 20.185.213.224/27	permit
 20.185.214.0/27	permit
 20.185.214.2	permit
 20.185.214.32/27	permit
 20.185.214.64/27	permit
-20.192.0.0/10	permit
-23.100.85.1	permit
+20.231.239.246	permit
+20.236.44.162	permit
 23.103.224.0/19	permit
 23.249.208.0/20	permit
 23.251.224.0/19	permit
@@ -78,46 +95,38 @@
 27.123.206.56/29	permit
 27.123.206.76/30	permit
 27.123.206.80/28	permit
-34.194.25.167	permit
-34.194.144.120	permit
+31.25.48.222	permit
+34.195.217.107	permit
+34.202.239.6	permit
 34.212.163.75	permit
+34.215.104.144	permit
 34.225.212.172	permit
 34.247.168.44	permit
+35.161.32.253	permit
+35.167.93.243	permit
 35.176.132.251	permit
 35.190.247.0/24	permit
 35.191.0.0/16	permit
-37.188.97.188	permit
 37.218.248.47	permit
 37.218.249.47	permit
 37.218.251.62	permit
 39.156.163.64/29	permit
 40.71.187.0/24	permit
-40.76.4.15	permit
-40.77.102.222	permit
 40.92.0.0/15	permit
-40.97.116.82	permit
-40.97.128.194	permit
-40.97.148.226	permit
-40.97.153.146	permit
-40.97.156.114	permit
-40.97.160.2	permit
-40.97.161.50	permit
-40.97.164.146	permit
 40.107.0.0/16	permit
 40.112.65.63	permit
-40.112.72.205	permit
-40.113.200.201	permit
 40.117.80.0/24	permit
-40.121.71.46	permit
 41.74.192.0/22	permit
 41.74.196.0/22	permit
 41.74.200.0/23	permit
 41.74.204.0/23	permit
 41.74.206.0/24	permit
-42.159.163.81	permit
-42.159.163.82	permit
-42.159.163.83	permit
 43.228.184.0/22	permit
+44.206.138.57	permit
+44.209.42.157	permit
+44.236.56.93	permit
+44.238.220.251	permit
+46.19.168.0/23	permit
 46.226.48.0/21	permit
 46.228.36.37	permit
 46.228.36.38/31	permit
@@ -167,6 +176,8 @@
 46.243.88.175	permit
 46.243.88.176	permit
 46.243.88.177	permit
+46.243.95.179	permit
+46.243.95.180	permit
 50.18.45.249	permit
 50.18.121.236	permit
 50.18.121.248	permit
@@ -178,11 +189,6 @@
 50.31.32.0/19	permit
 50.31.156.96/27	permit
 50.31.205.0/24	permit
-51.4.71.62	permit
-51.4.72.0/24	permit
-51.4.80.0/27	permit
-51.5.72.0/24	permit
-51.5.80.0/27	permit
 51.137.58.21	permit
 51.140.75.55	permit
 51.144.100.179	permit
@@ -191,17 +197,28 @@
 52.5.230.59	permit
 52.27.5.72	permit
 52.27.28.47	permit
-52.33.191.91	permit
+52.28.63.81	permit
 52.36.138.31	permit
 52.37.142.146	permit
-52.38.191.253	permit
-52.41.64.145	permit
+52.58.216.183	permit
+52.59.143.3	permit
 52.60.41.5	permit
 52.60.115.116	permit
+52.61.91.9	permit
+52.71.0.205	permit
 52.82.172.0/22	permit
 52.94.124.0/28	permit
 52.95.48.152/29	permit
 52.95.49.88/29	permit
+52.96.91.34	permit
+52.96.111.82	permit
+52.96.172.98	permit
+52.96.214.50	permit
+52.96.222.194	permit
+52.96.222.226	permit
+52.96.223.2	permit
+52.96.228.130	permit
+52.96.229.242	permit
 52.100.0.0/14	permit
 52.119.213.144/28	permit
 52.160.39.140	permit
@@ -214,23 +231,29 @@
 52.222.73.83	permit
 52.222.73.120	permit
 52.222.75.85	permit
+52.222.89.228	permit
 52.234.172.96/28	permit
 52.236.28.240/28	permit
-52.237.141.173	permit
 52.244.206.214	permit
 52.247.53.144	permit
 52.250.107.196	permit
 52.250.126.174	permit
-52.251.55.143	permit
 54.90.148.255	permit
-54.156.255.69	permit
 54.172.97.247	permit
+54.174.52.0/24	permit
+54.174.53.128/30	permit
+54.174.57.0/24	permit
+54.174.59.0/24	permit
+54.174.60.0/23	permit
+54.174.63.0/24	permit
 54.186.193.102	permit
-54.191.223.5	permit
+54.191.223.56	permit
 54.194.61.95	permit
 54.195.113.45	permit
+54.213.20.246	permit
 54.214.39.184	permit
 54.216.77.168	permit
+54.221.227.204	permit
 54.240.0.0/18	permit
 54.240.64.0/19	permit
 54.240.96.0/19	permit
@@ -238,7 +261,9 @@
 54.244.54.130	permit
 54.244.242.0/24	permit
 54.246.232.180	permit
+54.255.61.23	permit
 62.13.128.0/24	permit
+62.13.128.150	permit
 62.13.129.128/25	permit
 62.13.136.0/22	permit
 62.13.140.0/22	permit
@@ -249,22 +274,29 @@
 62.17.146.128/26	permit
 62.140.7.0/24	permit
 62.140.10.21	permit
+62.179.121.0/24	permit
+62.201.172.0/27	permit
+62.201.172.32/27	permit
+62.253.227.114	permit
 63.32.13.159	permit
 63.80.14.0/23	permit
+63.111.28.137	permit
 63.128.21.0/24	permit
 63.143.57.128/25	permit
 63.143.59.128/25	permit
 64.18.0.0/20	permit
 64.20.241.45	permit
-64.34.47.128/27	permit
-64.34.57.192/26	permit
+64.69.212.0/24	permit
 64.71.149.160/28	permit
 64.79.155.0/24	permit
+64.79.155.192	permit
+64.79.155.193	permit
+64.79.155.205	permit
+64.79.155.206	permit
 64.89.44.85	permit
 64.89.45.80	permit
 64.89.45.194	permit
 64.89.45.196	permit
-64.95.144.196	permit
 64.127.115.252	permit
 64.132.88.0/23	permit
 64.132.92.0/24	permit
@@ -290,6 +322,7 @@
 64.207.219.71	permit
 64.207.219.72	permit
 64.207.219.73	permit
+64.207.219.75	permit
 64.207.219.77	permit
 64.207.219.78	permit
 64.207.219.79	permit
@@ -300,9 +333,6 @@
 64.207.219.142	permit
 64.207.219.143	permit
 64.233.160.0/19	permit
-65.38.115.76	permit
-65.38.115.84	permit
-65.39.215.0/24	permit
 65.52.80.137	permit
 65.54.51.64/26	permit
 65.54.61.64/26	permit
@@ -342,6 +372,10 @@
 66.111.4.225	permit
 66.111.4.229	permit
 66.111.4.230	permit
+66.119.150.192/26	permit
+66.135.202.0/27	permit
+66.135.215.0/24	permit
+66.135.222.1	permit
 66.162.193.226/31	permit
 66.163.184.0/21	permit
 66.163.184.0/24	permit
@@ -373,7 +407,8 @@
 66.196.81.234	permit
 66.211.168.230/31	permit
 66.211.170.86/31	permit
-66.211.170.88/30	permit
+66.211.170.88/29	permit
+66.211.184.0/23	permit
 66.218.74.64/30	permit
 66.218.74.68/31	permit
 66.218.75.112/30	permit
@@ -445,6 +480,8 @@
 68.142.230.72/30	permit
 68.142.230.76/31	permit
 68.142.230.78	permit
+68.232.140.138	permit
+68.232.157.143	permit
 68.232.192.0/20	permit
 69.63.178.128/25	permit
 69.63.181.0/24	permit
@@ -452,6 +489,10 @@
 69.65.42.195	permit
 69.65.49.192/29	permit
 69.72.32.0/20	permit
+69.72.40.93	permit
+69.72.40.94/31	permit
+69.72.40.96/30	permit
+69.72.47.205	permit
 69.147.84.227	permit
 69.162.98.0/24	permit
 69.169.224.0/20	permit
@@ -460,7 +501,7 @@
 70.37.151.128/25	permit
 70.42.149.0/24	permit
 70.42.149.35	permit
-72.3.185.0/24	permit
+72.3.237.64/28	permit
 72.14.192.0/18	permit
 72.21.192.0/19	permit
 72.21.217.142	permit
@@ -522,15 +563,11 @@
 72.30.239.228/31	permit
 72.30.239.244/30	permit
 72.30.239.248/31	permit
-72.32.154.0/24	permit
-72.32.217.0/24	permit
-72.32.243.0/24	permit
 72.34.168.76	permit
 72.34.168.80	permit
 72.34.168.85	permit
 72.34.168.86	permit
 72.52.72.32/28	permit
-72.52.72.36	permit
 74.6.128.0/21	permit
 74.6.128.0/24	permit
 74.6.129.0/24	permit
@@ -558,8 +595,11 @@
 74.112.67.243	permit
 74.125.0.0/16	permit
 74.202.227.40	permit
+74.208.4.192/26	permit
+74.208.5.64/26	permit
+74.208.122.0/26	permit
 74.209.250.0/24	permit
-74.209.250.12	permit
+76.223.128.0/19	permit
 76.223.176.0/20	permit
 77.238.176.0/22	permit
 77.238.176.0/24	permit
@@ -583,7 +623,13 @@
 77.238.189.146/31	permit
 77.238.189.148/30	permit
 81.223.46.0/27	permit
-84.16.77.1	permit
+82.165.159.0/24	permit
+82.165.159.0/26	permit
+82.165.229.31	permit
+82.165.229.130	permit
+82.165.230.21	permit
+82.165.230.22	permit
+84.116.36.0/24	permit
 85.158.136.0/21	permit
 86.61.88.25	permit
 87.198.219.130	permit
@@ -624,11 +670,11 @@
 87.248.117.201	permit
 87.248.117.202	permit
 87.248.117.205	permit
-87.252.219.254	permit
 87.253.232.0/21	permit
 89.22.108.0/24	permit
+91.194.248.0/23	permit
+91.211.240.0/22	permit
 91.220.42.0/24	permit
-94.236.119.0/26	permit
 94.245.112.0/27	permit
 94.245.112.10/31	permit
 95.131.104.0/21	permit
@@ -638,6 +684,7 @@
 96.43.148.64/28	permit
 96.43.148.64/31	permit
 96.43.151.64/28	permit
+98.97.248.0/21	permit
 98.136.44.181	permit
 98.136.44.182/31	permit
 98.136.44.184	permit
@@ -1142,23 +1189,21 @@
 98.139.245.212/31	permit
 99.78.197.208/28	permit
 103.2.140.0/22	permit
-103.9.8.121	permit
-103.9.8.122	permit
-103.9.8.123	permit
 103.9.96.0/22	permit
 103.13.69.0/24	permit
+103.28.42.0/24	permit
 103.47.204.0/22	permit
 103.96.21.0/24	permit
+103.96.22.0/24	permit
 103.96.23.0/24	permit
 103.151.192.0/23	permit
-103.237.104.0/22	permit
+103.168.172.128/27	permit
 104.43.243.237	permit
+104.44.112.128/25	permit
 104.47.0.0/17	permit
 104.130.96.0/28	permit
 104.130.122.0/23	permit
 104.214.25.77	permit
-104.215.148.63	permit
-104.215.186.3	permit
 104.245.209.192/26	permit
 106.10.144.64/27	permit
 106.10.144.100/31	permit
@@ -1320,6 +1365,8 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
+121.244.91.48	permit
+122.15.156.182	permit
 123.126.78.64/29	permit
 124.47.150.0/24	permit
 124.47.189.0/24	permit
@@ -1335,20 +1382,35 @@
 128.127.70.0/26	permit
 128.245.0.0/20	permit
 128.245.64.0/20	permit
+128.245.176.0/20	permit
+128.245.242.0/24	permit
+128.245.242.16	permit
+128.245.242.17	permit
+128.245.242.18	permit
+128.245.243.0/24	permit
+128.245.244.0/24	permit
+128.245.245.0/24	permit
+128.245.246.0/24	permit
+128.245.247.0/24	permit
 129.41.77.70	permit
 129.41.169.249	permit
+129.80.5.164	permit
+129.80.67.121	permit
+129.146.88.28	permit
+129.146.147.105	permit
 129.146.236.58	permit
+129.151.67.221	permit
+129.153.62.216	permit
+129.153.104.71	permit
+129.153.168.146	permit
+129.153.190.200	permit
 129.153.194.228	permit
 129.159.87.137	permit
+129.213.195.191	permit
 130.61.9.72	permit
 130.211.0.0/22	permit
-130.248.172.0/24	permit
-130.248.173.0/24	permit
-131.107.0.0/16	permit
 131.253.30.0/24	permit
 131.253.121.0/26	permit
-131.253.121.20	permit
-131.253.121.52	permit
 132.145.13.209	permit
 132.226.26.225	permit
 132.226.49.32	permit
@@ -1358,9 +1420,13 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
-135.84.80.192/26	permit
+135.84.80.0/24	permit
+135.84.81.0/24	permit
 135.84.82.0/24	permit
+135.84.83.0/24	permit
 135.84.216.0/22	permit
+136.143.160.0/24	permit
+136.143.161.0/24	permit
 136.143.182.0/23	permit
 136.143.184.0/24	permit
 136.143.188.0/24	permit
@@ -1369,34 +1435,53 @@
 136.147.176.0/20	permit
 136.147.176.0/24	permit
 136.147.182.0/24	permit
+136.179.50.206	permit
 138.91.172.26	permit
 139.60.152.0/22	permit
-139.178.64.159	permit
-139.178.64.195	permit
+139.138.35.44	permit
+139.138.46.121	permit
+139.138.46.176	permit
+139.138.46.219	permit
+139.138.57.55	permit
+139.138.58.119	permit
+139.180.17.0/24	permit
+141.148.159.229	permit
 141.193.32.0/23	permit
 143.55.224.0/21	permit
 143.55.232.0/22	permit
 143.55.236.0/22	permit
+143.244.80.0/20	permit
+144.24.6.140	permit
+144.34.8.247	permit
+144.34.9.247	permit
+144.34.32.247	permit
+144.34.33.247	permit
 144.178.36.0/24	permit
 144.178.38.0/24	permit
+145.253.228.160/29	permit
+145.253.239.128/29	permit
 146.20.112.0/26	permit
 146.20.113.0/24	permit
 146.20.191.0/24	permit
 146.20.215.0/24	permit
+146.20.215.182	permit
+146.88.28.0/24	permit
 146.101.78.0/24	permit
-147.75.65.173	permit
-147.75.65.174	permit
-147.75.98.190	permit
+147.28.36.0/24	permit
 147.160.158.0/24	permit
 147.243.1.47	permit
 147.243.1.48	permit
 147.243.1.153	permit
 147.243.128.24	permit
 147.243.128.26	permit
-148.105.0.14	permit
+148.105.0.0/16	permit
 148.105.8.0/21	permit
 149.72.0.0/16	permit
+149.97.173.180	permit
+150.230.98.160	permit
 152.67.105.195	permit
+152.69.200.236	permit
+155.248.208.51	permit
 157.55.0.192/26	permit
 157.55.1.128/26	permit
 157.55.2.0/25	permit
@@ -1412,32 +1497,43 @@
 157.56.232.0/21	permit
 157.56.240.0/20	permit
 157.56.248.0/21	permit
+157.58.30.128/25	permit
 157.58.196.96/29	permit
 157.58.249.3	permit
 157.151.208.65	permit
 157.255.1.64/29	permit
+158.101.211.207	permit
+158.120.80.0/21	permit
+158.247.16.0/20	permit
 159.92.157.0/24	permit
+159.92.157.16	permit
+159.92.157.17	permit
+159.92.157.18	permit
 159.92.158.0/24	permit
 159.92.159.0/24	permit
 159.92.160.0/24	permit
 159.92.161.0/24	permit
 159.92.162.0/24	permit
+159.112.240.0/20	permit
+159.112.242.162	permit
 159.135.132.128/25	permit
 159.135.140.80/29	permit
 159.135.224.0/20	permit
+159.135.228.10	permit
 159.183.0.0/16	permit
+160.1.62.192	permit
 161.38.192.0/20	permit
 161.38.204.0/22	permit
 161.71.32.0/19	permit
 161.71.64.0/20	permit
-162.208.119.181	permit
 162.247.216.0/22	permit
+163.47.180.0/22	permit
 163.47.180.0/23	permit
 163.114.130.16	permit
 163.114.132.120	permit
+165.173.128.0/24	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
-166.78.69.146	permit
 166.78.69.169	permit
 166.78.69.170	permit
 166.78.71.131	permit
@@ -1457,10 +1553,13 @@
 167.216.129.210	permit
 167.216.131.180	permit
 167.220.67.232/29	permit
-167.220.67.238	permit
 168.138.5.36	permit
+168.138.73.51	permit
 168.245.0.0/17	permit
+169.148.129.0/24	permit
+169.148.131.0/24	permit
 170.10.68.0/22	permit
+170.10.128.0/24	permit
 170.10.129.0/24	permit
 170.10.133.0/24	permit
 172.217.0.0/19	permit
@@ -1475,10 +1574,8 @@
 173.194.0.0/16	permit
 173.203.79.182	permit
 173.203.81.39	permit
-173.224.160.128/25	permit
-173.224.160.188	permit
 173.224.161.128/25	permit
-173.228.155.0/24	permit
+173.224.165.0/26	permit
 174.36.84.8/29	permit
 174.36.84.16/29	permit
 174.36.84.32/29	permit
@@ -1491,6 +1588,7 @@
 174.36.114.152/29	permit
 174.37.67.28/30	permit
 174.129.203.189	permit
+175.41.215.51	permit
 176.32.105.0/24	permit
 176.32.127.0/24	permit
 178.236.10.128/26	permit
@@ -1498,8 +1596,9 @@
 182.50.76.0/22	permit
 182.50.78.64/28	permit
 183.240.219.64/29	permit
+185.4.120.0/23	permit
+185.4.122.0/24	permit
 185.12.80.0/22	permit
-185.28.196.0/22	permit
 185.58.84.93	permit
 185.58.85.0/24	permit
 185.58.86.0/24	permit
@@ -1509,9 +1608,13 @@
 185.80.93.204	permit
 185.80.93.227	permit
 185.80.95.31	permit
+185.90.20.0/22	permit
 185.189.236.0/22	permit
 185.211.120.0/22	permit
 185.250.236.0/22	permit
+185.250.239.148	permit
+185.250.239.168	permit
+185.250.239.190	permit
 188.125.68.132	permit
 188.125.68.152/31	permit
 188.125.68.156	permit
@@ -1563,7 +1666,7 @@
 188.125.85.238	permit
 188.172.128.0/20	permit
 192.0.64.0/18	permit
-192.28.128.0/18	permit
+192.18.139.154	permit
 192.30.252.0/22	permit
 192.64.236.0/24	permit
 192.64.237.0/24	permit
@@ -1579,16 +1682,21 @@
 192.254.113.10	permit
 192.254.113.101	permit
 192.254.114.176	permit
-192.254.118.63	permit
 193.7.206.0/25	permit
 193.7.207.0/25	permit
 193.109.254.0/23	permit
 193.122.128.100	permit
+194.64.234.128/27	permit
 194.64.234.129	permit
 194.104.109.0/24	permit
+194.104.110.21	permit
+194.104.110.240/28	permit
 194.104.111.0/24	permit
 194.106.220.0/23	permit
+194.113.24.0/22	permit
 194.154.193.192/27	permit
+195.4.92.0/23	permit
+195.54.172.0/23	permit
 195.130.217.0/24	permit
 195.234.109.226	permit
 195.245.230.0/23	permit
@@ -1605,19 +1713,23 @@
 198.37.144.0/20	permit
 198.37.152.186	permit
 198.61.254.0/23	permit
+198.61.254.21	permit
 198.61.254.231	permit
-198.74.56.28	permit
 198.178.234.57	permit
+198.244.48.0/20	permit
+198.244.60.0/22	permit
 198.245.80.0/20	permit
 198.245.81.0/24	permit
 199.15.176.173	permit
-199.15.212.0/22	permit
 199.15.213.187	permit
 199.15.226.37	permit
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
 199.59.148.0/22	permit
+199.67.84.0/24	permit
+199.67.86.0/24	permit
+199.67.88.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1630,8 +1742,10 @@
 202.177.148.110	permit
 203.31.36.0/22	permit
 203.32.4.25	permit
+203.55.21.0/24	permit
 203.81.17.0/24	permit
 203.122.32.250	permit
+203.145.57.160/27	permit
 203.188.194.32	permit
 203.188.194.151	permit
 203.188.194.203	permit
@@ -1666,28 +1780,31 @@
 203.209.230.76/31	permit
 204.11.168.0/21	permit
 204.13.11.48/29	permit
+204.13.11.48/30	permit
 204.14.232.0/21	permit
 204.14.232.64/28	permit
 204.14.234.64/28	permit
 204.29.186.0/23	permit
+204.75.142.0/24	permit
 204.79.197.212	permit
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
 204.141.32.0/23	permit
 204.141.42.0/23	permit
-204.153.121.0/24	permit
 204.232.168.0/24	permit
 205.139.110.0/24	permit
 205.201.128.0/20	permit
 205.201.131.128/25	permit
 205.201.134.128/25	permit
 205.201.136.0/23	permit
+205.201.137.229	permit
 205.201.139.0/24	permit
 205.207.104.0/22	permit
-205.207.104.108	permit
 205.220.167.17	permit
+205.220.167.98	permit
 205.220.179.17	permit
+205.220.179.98	permit
 205.251.233.32	permit
 205.251.233.36	permit
 206.25.247.143	permit
@@ -1723,6 +1840,7 @@
 207.211.31.0/25	permit
 207.211.41.113	permit
 207.218.90.0/24	permit
+207.218.90.122	permit
 207.250.68.0/24	permit
 208.40.232.70	permit
 208.43.21.28/30	permit
@@ -1758,8 +1876,10 @@
 208.71.42.212/31	permit
 208.71.42.214	permit
 208.72.249.240/29	permit
+208.74.204.0/22	permit
 208.74.204.9	permit
 208.75.120.0/22	permit
+208.75.121.246	permit
 208.75.122.246	permit
 208.82.237.96/29	permit
 208.82.237.104/31	permit
@@ -1773,14 +1893,13 @@
 209.46.117.168	permit
 209.46.117.179	permit
 209.61.151.0/24	permit
+209.61.151.236	permit
+209.61.151.249	permit
+209.61.151.251	permit
 209.67.98.46	permit
 209.67.98.59	permit
 209.85.128.0/17	permit
 212.4.136.0/26	permit
-212.25.240.80	permit
-212.25.240.83	permit
-212.25.240.84/31	permit
-212.25.240.88	permit
 212.82.96.0/24	permit
 212.82.96.32/27	permit
 212.82.96.64/29	permit
@@ -1821,6 +1940,12 @@
 212.82.111.228/31	permit
 212.82.111.230	permit
 212.123.28.40	permit
+212.227.15.0/24	permit
+212.227.15.0/25	permit
+212.227.17.0/27	permit
+212.227.126.128/25	permit
+213.46.255.0/24	permit
+213.165.64.0/23	permit
 213.167.75.0/25	permit
 213.167.81.0/25	permit
 213.199.128.139	permit
@@ -1861,6 +1986,10 @@
 216.46.168.0/24	permit
 216.58.192.0/19	permit
 216.66.217.240/29	permit
+216.71.138.33	permit
+216.71.152.207	permit
+216.71.154.29	permit
+216.71.155.89	permit
 216.74.162.13	permit
 216.74.162.14	permit
 216.82.240.0/20	permit
@@ -1870,33 +1999,49 @@
 216.109.114.0/24	permit
 216.109.114.32/27	permit
 216.109.114.64/29	permit
+216.113.160.0/24	permit
+216.113.172.0/25	permit
+216.113.175.0/24	permit
 216.128.126.97	permit
 216.136.162.65	permit
 216.136.162.120/29	permit
 216.136.168.80/28	permit
+216.145.217.0/24	permit
+216.145.221.0/24	permit
 216.198.0.0/18	permit
 216.203.30.55	permit
 216.203.33.178/31	permit
 216.205.24.0/24	permit
 216.239.32.0/19	permit
+217.72.192.64/26	permit
+217.72.192.248/29	permit
+217.72.207.0/27	permit
 217.77.141.52	permit
 217.77.141.59	permit
+217.175.194.0/24	permit
 222.73.195.64/29	permit
 223.165.113.0/24	permit
 223.165.115.0/24	permit
 223.165.118.0/23	permit
 223.165.120.0/23	permit
+2001:0868:0100:0600::/64	permit
 2001:4860:4000::/36	permit
+2001:748:100:40::2:0/112	permit
 2404:6800:4000::/36	permit
+2603:1010:3:3::5b	permit
+2603:1020:201:10::10f	permit
+2603:1030:20e:3::23c	permit
+2603:1030:b:3::152	permit
+2603:1030:c02:8::14	permit
 2607:f8b0:4000::/36	permit
-2620:109:c003:104::215	permit
 2620:109:c003:104::/64	permit
-2620:109:c006:104::215	permit
+2620:109:c003:104::215	permit
 2620:109:c006:104::/64	permit
+2620:109:c006:104::215	permit
 2620:109:c00d:104::/64	permit
 2620:10d:c090:450::120	permit
-2620:10d:c091:450::16	permit
-2620:119:50c0:207::215	permit
+2620:10d:c091:400::8:1	permit
 2620:119:50c0:207::/64	permit
+2620:119:50c0:207::215	permit
 2800:3f0:4000::/36	permit
 194.25.134.0/24 permit # t-online.de

data/conf/rspamd/custom/bad_asn.map

@@ -27,4 +27,5 @@
 #197518 2 #Rackmarkt SL, Spain
 #197695 2 #Domain names registrar REG.RU Ltd, Russia
 #198068 2 #P.A.G.M. OU, Estonia
-#201942 5 #Soltia Consulting SL, Spain
+#201942 5 #Soltia Consulting SL, Spain
+#213373 4 #IP Connect Inc

data/conf/rspamd/local.d/composites.conf

@@ -8,7 +8,7 @@ VIRUS_FOUND {
 }
 # Bad policy from free mail providers
 FREEMAIL_POLICY_FAILURE {
-  expression = "-g+:policies & !DMARC_POLICY_ALLOW & !MAILLIST & ( FREEMAIL_ENVFROM | FREEMAIL_FROM ) & !WHITELISTED_FWD_HOST";
+  expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies";
   score = 16.0;
 }
 # Applies to freemail with undisclosed recipients
@@ -68,3 +68,39 @@ WL_FWD_HOST {
 ENCRYPTED_CHAT {
   expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP";
 }
+
+CLAMD_SPAM_FOUND {
+  expression = "CLAM_SECI_SPAM & !MAILCOW_WHITE";
+  description = "Probably Spam, Securite Spam Flag set through ClamAV";
+  score = 5;
+}
+
+CLAMD_BAD_PDF {
+  expression = "CLAM_SECI_PDF & !MAILCOW_WHITE";
+  description = "Bad PDF Found, Securite bad PDF Flag set through ClamAV";
+  score = 8;
+}
+
+CLAMD_BAD_JPG {
+  expression = "CLAM_SECI_JPG & !MAILCOW_WHITE";
+  description = "Bad JPG Found, Securite bad JPG Flag set through ClamAV";
+  score = 8;
+}
+
+CLAMD_ASCII_MALWARE {
+  expression = "CLAM_SECI_ASCII & !MAILCOW_WHITE";
+  description = "ASCII malware found, Securite ASCII malware Flag set through ClamAV";
+  score = 8;
+}
+
+CLAMD_HTML_MALWARE {
+  expression = "CLAM_SECI_HTML & !MAILCOW_WHITE";
+  description = "HTML malware found, Securite HTML malware Flag set through ClamAV";
+  score = 8;
+}
+
+CLAMD_JS_MALWARE {
+  expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
+  description = "JS malware found, Securite JS malware Flag set through ClamAV";
+  score = 8;
+}

data/conf/rspamd/local.d/multimap.conf

@@ -159,8 +159,8 @@ BAZAAR_ABUSE_CH {
 }
 
 URLHAUS_ABUSE_CH {
-  type = "url";
-  filter = "full";
+  type = "selector";
+  selector = "urls";
   map = "https://urlhaus.abuse.ch/downloads/text_online/";
   score = 10.0;
 }

data/conf/rspamd/lua/rspamd.local.lua

@@ -221,6 +221,16 @@ rspamd_config:register_symbol({
     local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
     local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")
 
+    local function remove_moo_tag()
+      local moo_tag_header = task:get_header('X-Moo-Tag', false)
+      if moo_tag_header then
+        task:set_milter_reply({
+          remove_headers = {['X-Moo-Tag'] = 0},
+        })
+      end
+      return true
+    end
+
     if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
       local tag = tagged_rcpt[1].options[1]
       rspamd_logger.infox("found tag: %s", tag)
@@ -229,6 +239,7 @@ rspamd_config:register_symbol({
 
       if action ~= 'no action' and action ~= 'greylist' then
         rspamd_logger.infox("skipping tag handler for action: %s", action)
+        remove_moo_tag()
         return true
       end
 
@@ -243,6 +254,7 @@ rspamd_config:register_symbol({
               local function tag_callback_subfolder(err, data)
                 if err or type(data) ~= 'string' then
                   rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
+                  remove_moo_tag()
                 else
                   rspamd_logger.infox("Add X-Moo-Tag header")
                   task:set_milter_reply({
@@ -261,6 +273,7 @@ rspamd_config:register_symbol({
               )
               if not redis_ret_subfolder then
                 rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
+                remove_moo_tag()
               end
 
             else
@@ -268,7 +281,10 @@ rspamd_config:register_symbol({
               local sbj = task:get_header('Subject')
               new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
               task:set_milter_reply({
-                remove_headers = {['Subject'] = 1},
+                remove_headers = {
+                  ['Subject'] = 1,
+                  ['X-Moo-Tag'] = 0
+                },
                 add_headers = {['Subject'] = new_sbj}
               })
             end
@@ -284,6 +300,7 @@ rspamd_config:register_symbol({
           )
           if not redis_ret_subject then
             rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
+            remove_moo_tag()
           end
 
         end
@@ -295,6 +312,7 @@ rspamd_config:register_symbol({
           if #rcpt_split == 2 then
             if rcpt_split[1] == 'postmaster' then
               rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
+              remove_moo_tag()
             else
               rspamd_http.request({
                 task=task,
@@ -307,7 +325,8 @@ rspamd_config:register_symbol({
           end
         end
       end
-
+    else
+      remove_moo_tag()
     end
   end,
   priority = 19
@@ -340,6 +359,10 @@ rspamd_config:register_symbol({
       if not bcc_dest then
         return -- stop
       end
+      -- dot stuff content before sending
+      local email_content = tostring(task:get_content())
+      email_content = string.gsub(email_content, "\r\n%.", "\r\n..")
+      -- send mail
       lua_smtp.sendmail({
         task = task,
         host = os.getenv("IPV4_NETWORK") .. '.253',
@@ -347,8 +370,8 @@ rspamd_config:register_symbol({
         from = task:get_from(stp)[1].addr,
         recipients = bcc_dest,
         helo = 'bcc',
-        timeout = 10,
-      }, task:get_content(), sendmail_cb)
+        timeout = 20,
+      }, email_content, sendmail_cb)
     end
 
     -- determine from

data/conf/sogo/sogo.conf

@@ -62,7 +62,7 @@
     SOGoFirstDayOfWeek = "1";
 
     SOGoSieveFolderEncoding = "UTF-8";
-    SOGoPasswordChangeEnabled = YES;
+    SOGoPasswordChangeEnabled = NO;
     SOGoSentFolderName = "Sent";
     SOGoMailShowSubscribedFoldersOnly = NO;
     NGImap4ConnectionStringSeparator = "/";

data/web/admin.php

@@ -80,6 +80,17 @@ foreach ($RSPAMD_MAPS['regex'] as $rspamd_regex_desc => $rspamd_regex_map) {
   ];
 }
 
+// identity provider
+$iam_settings = identity_provider('get');
+// mbox templates
+$mbox_templates = mailbox('get', 'mailbox_templates');
+
+// cors settings
+$cors_settings = cors('get');
+$cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allowed_origins']);
+$cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
+
+
 $template = 'admin.twig';
 $template_data = [
   'tfa_data' => $tfa_data,
@@ -106,6 +117,9 @@ $template_data = [
   'ip_check' => customize('get', 'ip_check'),
   'password_complexity' => password_complexity('get'),
   'show_rspamd_global_filters' => @$_SESSION['show_rspamd_global_filters'],
+  'iam_settings' => $iam_settings,
+  'mbox_templates' => $mbox_templates,
+  'cors_settings' => $cors_settings,
   'lang_admin' => json_encode($lang['admin']),
   'lang_datatables' => json_encode($lang['datatables'])
 ];

data/web/api/openapi.yaml

@@ -1,4 +1,4 @@
-openapi: 3.0.0
+openapi: 3.1.0
 info:
   description: >-
     mailcow is complete e-mailing solution with advanced antispam, antivirus,
@@ -699,6 +699,38 @@ paths:
                   type: string
               type: object
       summary: Create Domain Admin user
+  /api/v1/add/sso/domain-admin:
+    post:
+      responses:
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "200":
+          content:
+            application/json:
+              examples:
+                response:
+                  value:
+                    token: "591F6D-5C3DD2-7455CD-DAF1C1-AA4FCC"
+          description: OK
+          headers: { }
+      tags:
+        - Single Sign-On
+      description: >-
+        Using this endpoint you can issue a token for Domain Admin user. This token can be used for
+        autologin Domain Admin user by using query_string var sso_token={token}. Token expiration time is 30s
+      operationId: Issue Domain Admin SSO token
+      requestBody:
+        content:
+          application/json:
+            schema:
+              example:
+                username: testadmin
+              properties:
+                username:
+                  description: the username for the admin user
+                  type: object
+              type: object
+      summary: Issue Domain Admin SSO token
   /api/v1/edit/da-acl:
     post:
       responses:
@@ -1999,7 +2031,7 @@ paths:
                 - domain.tld
                 - domain2.tld
               properties:
-                items: 
+                items:
                   type: array
                   items:
                     type: string
@@ -2993,7 +3025,7 @@ paths:
             application/json:
               schema:
                 type: array
-                items: 
+                items:
                   type: object
                   properties:
                     log:
@@ -3144,8 +3176,10 @@ paths:
               example:
                 attr:
                   ban_time: "86400"
+                  ban_time_increment: "1"
                   blacklist: "10.100.6.5/32,10.100.8.4/32"
                   max_attempts: "5"
+                  max_ban_time: "86400"
                   netban_ipv4: "24"
                   netban_ipv6: "64"
                   retry_window: "600"
@@ -3159,11 +3193,17 @@ paths:
                       description: the backlisted ips or hostnames separated by comma
                       type: string
                     ban_time:
-                      description: the time a ip should be banned
+                      description: the time an ip should be banned
                       type: number
+                    ban_time_increment:
+                      description: if the time of the ban should increase each time
+                      type: boolean
                     max_attempts:
                       description: the maximum numbe of wrong logins before a ip is banned
                       type: number
+                    max_ban_time:
+                      description: the maximum time an ip should be banned
+                      type: number
                     netban_ipv4:
                       description: the networks mask to ban for ipv4
                       type: number
@@ -4081,10 +4121,12 @@ paths:
                 response:
                   value:
                     ban_time: 604800
+                    ban_time_increment: 1
                     blacklist: |-
                       45.82.153.37/32
                       92.118.38.52/32
                     max_attempts: 1
+                    max_ban_time: 604800
                     netban_ipv4: 32
                     netban_ipv6: 128
                     perm_bans:
@@ -5560,6 +5602,50 @@ paths:
       description: You can list all mailboxes existing in system for a specific domain.
       operationId: Get mailboxes of a domain
       summary: Get mailboxes of a domain
+  /api/v1/edit/cors:
+    post:
+      responses:
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "200":
+          content:
+            application/json:
+              examples:
+                response:
+                  value:
+                    - type: "success"
+                      log: ["cors", "edit", {"allowed_origins": ["*", "mail.mailcow.tld"], "allowed_methods": ["POST", "GET", "DELETE", "PUT"]}]
+                      msg: "cors_headers_edited"
+          description: OK
+          headers: { }
+      tags:
+        - Cross-Origin Resource Sharing (CORS)
+      description: >-
+        This endpoint allows you to manage Cross-Origin Resource Sharing (CORS) settings for the API. 
+        CORS is a security feature implemented by web browsers to prevent unauthorized cross-origin requests. 
+        By editing the CORS settings, you can specify which domains and which methods are permitted to access the API resources from outside the mailcow domain.
+      operationId: Edit Cross-Origin Resource Sharing (CORS) settings
+      requestBody:
+        content:
+          application/json:
+            schema:
+              example:
+                attr:
+                  allowed_origins: ["*", "mail.mailcow.tld"]
+                  allowed_methods: ["POST", "GET", "DELETE", "PUT"]
+              properties:
+                attr:
+                  type: object
+                  properties:
+                    allowed_origins:
+                      type: array
+                      items:
+                        type: string
+                    allowed_methods:
+                      type: array
+                      items:
+                        type: string
+      summary: Edit Cross-Origin Resource Sharing (CORS) settings
 
 tags:
   - name: Domains
@@ -5586,6 +5672,8 @@ tags:
     description: Manage DKIM keys
   - name: Domain admin
     description: Create or udpdate domain admin users
+  - name: Single Sign-On
+    description: Issue tokens for users
   - name: Address Rewriting
     description: Create BCC maps or recipient maps
   - name: Outgoing TLS Policy Map Overrides
@@ -5602,3 +5690,5 @@ tags:
     description: Get the status of your cow
   - name: Ratelimits
     description: Edit domain ratelimits
+  - name: Cross-Origin Resource Sharing (CORS)
+    description: Manage Cross-Origin Resource Sharing (CORS) settings

data/web/api/swagger-initializer.js

@@ -1,6 +1,6 @@
 window.onload = function() {
   // Begin Swagger UI call region
-  const ui = SwaggerUIBundle({
+  window.ui = SwaggerUIBundle({
     urls: [{url: "/api/openapi.yaml", name: "mailcow API"}],
     dom_id: '#swagger-ui',
     deepLinking: true,
@@ -15,5 +15,4 @@ window.onload = function() {
   });
   // End Swagger UI call region
 
-  window.ui = ui;
 };

data/web/css/build/011-datatables.css

@@ -342,6 +342,10 @@ div.dataTables_wrapper div.dt-row {
   position: relative;
 }
 
+div.dataTables_wrapper span.sorting-value {
+  display: none;
+}
+
 div.dataTables_scrollHead table.dataTable {
   margin-bottom: 0 !important;
 }

data/web/css/build/013-datatables.css

@@ -8,9 +8,6 @@
 .dtr-details {
     width: 100%;
 }
-.table-striped>tbody>tr:nth-of-type(odd) {
-    background-color: #F2F2F2;
-}
 td.child>ul>li {
     display: flex;
 }
@@ -77,4 +74,22 @@ li .dtr-data {
 table.dataTable>tbody>tr.child span.dtr-title {
     width: 30%;
     max-width: 250px;
-}
+}
+
+
+div.dataTables_wrapper div.dataTables_filter {
+    text-align: left;
+}
+div.dataTables_wrapper div.dataTables_length {
+    text-align: right;
+}
+.dataTables_paginate, .dataTables_length, .dataTables_filter {
+    margin: 10px 0!important;
+}
+
+td.dt-text-right {
+    text-align: end !important;
+}
+th.dt-text-right {
+    text-align: end !important;
+}

data/web/css/build/014-mailcow.css

@@ -33,6 +33,13 @@
        url('/fonts/noto-sans-v12-latin_greek_cyrillic-700italic.woff2') format('woff2'),
        url('/fonts/noto-sans-v12-latin_greek_cyrillic-700italic.woff') format('woff');
 }
+
+body {
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+  background-color: #fbfbfb;
+}
 #maxmsgsize { min-width: 80px; }
 #slider1 .slider-selection {
 	background: #FFD700;
@@ -78,6 +85,19 @@
 .navbar-fixed-top .navbar-collapse {
   max-height: 1000px
 }
+.nav-tabs .nav-link, .nav-tabs .nav-link.disabled, .nav-tabs .nav-link.disabled:hover, .nav-tabs .nav-link.disabled:focus {
+  border-color: #dfdfdf;
+}
+.nav-tabs .nav-link.active, .nav-tabs .nav-item.show .nav-link {
+  border-color: #dfdfdf;
+  border-bottom: 1px solid #ffffff;
+}
+.nav-tabs .nav-link:hover, .nav-tabs .nav-link:focus {
+  border-color: #dfdfdf;
+}
+.nav-tabs {
+  border-bottom: 1px solid #dfdfdf;
+}
 .bi {
   display: inline-block;
   font-size: 12pt;
@@ -365,19 +385,9 @@ button[aria-expanded='true'] > .caret {
     background-color: #f0f0f0;
 }
 .btn.btn-outline-secondary {
+  color: #000000 !important;
   border-color: #cfcfcf !important;  
 }
 .btn-check:checked+.btn-outline-secondary, .btn-check:active+.btn-outline-secondary, .btn-outline-secondary:active, .btn-outline-secondary.active, .btn-outline-secondary.dropdown-toggle.show {
     background-color: #f0f0f0 !important;
 }
-
-
-div.dataTables_wrapper div.dataTables_filter {
-  text-align: left;
-}
-div.dataTables_wrapper div.dataTables_length {
-  text-align: right;
-}
-.dataTables_paginate, .dataTables_length, .dataTables_filter {
-  margin: 10px 0!important;
-}

data/web/css/build/015-responsive.css

@@ -203,6 +203,9 @@
     text-align: left;
   }
 
+  .senders-mw220 {
+    max-width: 100% !important;
+  }
 }
 
 @media (max-width: 350px) {

data/web/css/site/mailbox.css

@@ -66,4 +66,6 @@ table tbody tr td input[type="checkbox"] {
   padding: .2em .4em .3em !important;
   background-color: #ececec!important;
 }
-
+.badge.bg-info .bi {
+  font-size: inherit;
+}

data/web/css/site/quarantine.css

@@ -1,102 +1,104 @@
-.pagination a {
-  text-decoration: none !important;
-}
-
-.panel.panel-default {
-  overflow: visible !important;
-}
-
-.table-responsive {
-  overflow: visible !important;
-}
-
-.table-responsive {
-  overflow-x: scroll !important;
-}
-
-.footer-add-item {
-  display: block;
-  text-align: center;
-  font-style: italic;
-  padding: 10px;
-  background: #F5F5F5;
-}
-
-@media (min-width: 992px) {
-  .container {
-    width: 100%;
-  }
-}
-@media (min-width: 1920px) {
-  .container {
-      width: 80%;
-  }
-}
-
-.mass-actions-quarantine {
-  user-select: none;
-}
-
-.inputMissingAttr {
-  border-color: #FF4136;
-}
-
-.modal#qidDetailModal p {
-  word-break: break-all;
-}
-
-span#qid_detail_score {
-  font-weight: 700;
-  margin-left: 5px;
-}
-
-span.rspamd-symbol {
-  display: inline-block;
-  margin: 2px 6px 2px 0;
-  border-radius: 4px;
-  padding: 0 7px;
-}
-
-span.rspamd-symbol.positive {
-  background: #4CAF50;
-  border: 1px solid #4CAF50;
-  color: white;
-}
-
-span.rspamd-symbol.negative {
-  background: #ff4136;
-  border: 1px solid #ff4136;
-  color: white;
-}
-
-span.rspamd-symbol.neutral {
-  background: #f5f5f5;
-  color: #333;
-  border: 1px solid #ccc;
-}
-
-span.rspamd-symbol span.score {
-  font-weight: 700;
-}
-
-span.mail-address-item {
-  background-color: #f5f5f5;
-  border-radius: 4px;
-  border: 1px solid #ccc;
-  padding: 2px 7px;
-  display: inline-block;
-  margin: 2px 6px 2px 0;
-}
-
-table tbody tr {
-  cursor: pointer;
-}
-
-table tbody tr td input[type="checkbox"] {
-  cursor: pointer;
-}
-.label-rspamd-action {
-  font-size:110%;
-  margin:20px;
-}
-
+.pagination a {
+  text-decoration: none !important;
+}
+
+.panel.panel-default {
+  overflow: visible !important;
+}
+
+.table-responsive {
+  overflow: visible !important;
+}
+
+.table-responsive {
+  overflow-x: scroll !important;
+}
+
+.footer-add-item {
+  display: block;
+  text-align: center;
+  font-style: italic;
+  padding: 10px;
+  background: #F5F5F5;
+}
+
+@media (min-width: 992px) {
+  .container {
+    width: 100%;
+  }
+}
+@media (min-width: 1920px) {
+  .container {
+      width: 80%;
+  }
+}
+
+.mass-actions-quarantine {
+  user-select: none;
+}
+
+.inputMissingAttr {
+  border-color: #FF4136;
+}
+
+.modal#qidDetailModal p {
+  word-break: break-all;
+}
+
+span#qid_detail_score {
+  font-weight: 700;
+  margin-left: 5px;
+}
+
+span.rspamd-symbol {
+  display: inline-block;
+  margin: 2px 6px 2px 0;
+  border-radius: 4px;
+  padding: 0 7px;
+}
+
+span.rspamd-symbol.positive {
+  background: #4CAF50;
+  border: 1px solid #4CAF50;
+  color: white;
+}
+
+span.rspamd-symbol.negative {
+  background: #ff4136;
+  border: 1px solid #ff4136;
+  color: white;
+}
+
+span.rspamd-symbol.neutral {
+  background: #f5f5f5;
+  color: #333;
+  border: 1px solid #ccc;
+}
+
+span.rspamd-symbol span.score {
+  font-weight: 700;
+}
+
+span.mail-address-item {
+  background-color: #f5f5f5;
+  border-radius: 4px;
+  border: 1px solid #ccc;
+  padding: 2px 7px;
+  display: inline-block;
+  margin: 2px 6px 2px 0;
+}
+
+table tbody tr {
+  cursor: pointer;
+}
+
+table tbody tr td input[type="checkbox"] {
+  cursor: pointer;
+}
+.label-rspamd-action {
+  font-size:110%;
+  margin:20px;
+}
+.senders-mw220 {
+  max-width: 220px;
+}

data/web/css/themes/mailcow-darkmode.css

@@ -20,6 +20,11 @@ legend {
     background-color: #7a7a7a !important;
     border-color: #5c5c5c !important;
 }
+.btn-dark {
+  color: #000 !important;;
+  background-color: #f6f6f6 !important;;
+  border-color: #ddd !important;;
+}
 .btn-check:checked+.btn-secondary, .btn-check:active+.btn-secondary, .btn-secondary:active, .btn-secondary.active, .show>.btn-secondary.dropdown-toggle {
     border-color: #7a7a7a !important;
 }
@@ -299,22 +304,22 @@ a:hover {
 }
 
 
-table.dataTable.dtr-inline.collapsed>tbody>tr>td.dtr-control:before:hover, 
+table.dataTable.dtr-inline.collapsed>tbody>tr>td.dtr-control:before:hover,
 table.dataTable.dtr-inline.collapsed>tbody>tr>th.dtr-control:before:hover {
   background-color: #7a7a7a !important;
 }
-table.dataTable.dtr-inline.collapsed>tbody>tr>td.dtr-control:before, 
+table.dataTable.dtr-inline.collapsed>tbody>tr>td.dtr-control:before,
 table.dataTable.dtr-inline.collapsed>tbody>tr>th.dtr-control:before {
   background-color: #7a7a7a !important;
   border: 1.5px solid #5c5c5c !important;
   color: #fff !important;
 }
-table.dataTable.dtr-inline.collapsed>tbody>tr.parent>td.dtr-control:before, 
+table.dataTable.dtr-inline.collapsed>tbody>tr.parent>td.dtr-control:before,
 table.dataTable.dtr-inline.collapsed>tbody>tr.parent>th.dtr-control:before {
   background-color: #949494;
 }
-table.dataTable.dtr-inline.collapsed>tbody>tr>td.child, 
-table.dataTable.dtr-inline.collapsed>tbody>tr>th.child, 
+table.dataTable.dtr-inline.collapsed>tbody>tr>td.child,
+table.dataTable.dtr-inline.collapsed>tbody>tr>th.child,
 table.dataTable.dtr-inline.collapsed>tbody>tr>td.dataTables_empty {
   background-color: #444444;
 }
@@ -327,7 +332,7 @@ table.dataTable.dtr-inline.collapsed>tbody>tr>td.dataTables_empty {
 }
 .btn.btn-outline-secondary {
   color: #fff !important;
-  border-color: #7a7a7a !important;  
+  border-color: #7a7a7a !important;
 }
 .btn-check:checked+.btn-outline-secondary, .btn-check:active+.btn-outline-secondary, .btn-outline-secondary:active, .btn-outline-secondary.active, .btn-outline-secondary.dropdown-toggle.show {
     background-color: #9b9b9b !important;

data/web/edit.php

@@ -112,6 +112,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
         $quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
         $get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
         $rlyhosts = relayhost('get');
+        $iam_settings = identity_provider('get');
         $template = 'edit/mailbox.twig';
         $template_data = [
           'acl' => $_SESSION['acl'],
@@ -124,7 +125,8 @@ if (isset($_SESSION['mailcow_cc_role'])) {
           'rlyhosts' => $rlyhosts,
           'sender_acl_handles' => mailbox('get', 'sender_acl_handles', $mailbox),
           'user_acls' => acl('get', 'user', $mailbox),
-          'mailbox_details' => $result
+          'mailbox_details' => $result,
+          'iam_settings' => $iam_settings,
         ];
       }
     }

data/web/inc/footer.inc.php

@@ -65,6 +65,8 @@ $globalVariables = [
   'lang_acl' => json_encode($lang['acl']),
   'lang_tfa' => json_encode($lang['tfa']),
   'lang_fido2' => json_encode($lang['fido2']),
+  'lang_success' => json_encode($lang['success']),
+  'lang_danger' => json_encode($lang['danger']),
   'docker_timeout' => $DOCKER_TIMEOUT,
   'session_lifetime' => (int)$SESSION_LIFETIME,
   'csrf_token' => $_SESSION['CSRF']['TOKEN'],

data/web/inc/functions.address_rewriting.inc.php

@@ -49,7 +49,9 @@ function bcc($_action, $_data = null, $_attr = null) {
       }
       elseif (filter_var($local_dest, FILTER_VALIDATE_EMAIL)) {
         $mailbox = mailbox('get', 'mailbox_details', $local_dest);
-        if ($mailbox === false && array_key_exists($local_dest, array_merge($direct_aliases, $shared_aliases)) === false) {
+        $shared_aliases = mailbox('get', 'shared_aliases');
+        $direct_aliases = mailbox('get', 'direct_aliases');
+        if ($mailbox === false && in_array($local_dest, array_merge($direct_aliases, $shared_aliases)) === false) {
           $_SESSION['return'][] = array(
             'type' => 'danger',
             'log' => array(__FUNCTION__, $_action, $_data, $_attr),

data/web/inc/functions.auth.inc.php

@@ -0,0 +1,408 @@
+<?php
+function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
+  global $pdo;
+  global $redis;
+  
+  $is_internal = $extra['is_internal'];
+
+  // Try validate admin
+  $result = admin_login($user, $pass);
+  if ($result !== false) return $result;
+
+  // Try validate domain admin
+  $result = domainadmin_login($user, $pass);
+  if ($result !== false) return $result;
+
+  // Try validate user
+  $result = user_login($user, $pass);
+  if ($result !== false) return $result;
+
+  // Try validate app password
+  $result = apppass_login($user, $pass, $app_passwd_data);
+  if ($result !== false) return $result;
+
+  // skip log and only return false if it's an internal request
+  if ($is_internal == true) return false;
+
+  if (!isset($_SESSION['ldelay'])) {
+    $_SESSION['ldelay'] = "0";
+    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+  }
+  elseif (!isset($_SESSION['mailcow_cc_username'])) {
+    $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
+    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+  }
+  $_SESSION['return'][] =  array(
+    'type' => 'danger',
+    'log' => array(__FUNCTION__, $user, '*'),
+    'msg' => 'login_failed'
+  );
+
+  sleep($_SESSION['ldelay']);
+  return false;
+}
+
+function admin_login($user, $pass){
+  global $pdo;
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  $user = strtolower(trim($user));
+  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+      WHERE `superadmin` = '1'
+      AND `active` = '1'
+      AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // verify password
+  if (verify_hash($row['password'], $pass)) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+      // active tfa authenticators found, set pending user login
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "admin";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'info',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'awaiting_tfa_confirmation'
+      );
+      return "pending";
+    } else {
+      unset($_SESSION['ldelay']);
+      // Reactivate TFA if it was set to "deactivate TFA for next login"
+      $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+      $stmt->execute(array(':user' => $user));
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "admin";
+    }
+  }
+
+  return false;
+}
+function domainadmin_login($user, $pass){
+  global $pdo;
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+      WHERE `superadmin` = '0'
+      AND `active`='1'
+      AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // verify password
+  if (verify_hash($row['password'], $pass) !== false) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'info',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'awaiting_tfa_confirmation'
+      );
+      return "pending";
+    }
+    else {
+      unset($_SESSION['ldelay']);
+      // Reactivate TFA if it was set to "deactivate TFA for next login"
+      $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+      $stmt->execute(array(':user' => $user));
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "domainadmin";
+    }
+  }
+
+  return false;
+}
+function user_login($user, $pass, $extra = null){
+  global $pdo;
+
+  $is_internal = $extra['is_internal'];
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `domain`.`active`='1'
+        AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // user does not exist, try call keycloak login and create user if possible via rest flow
+  if (!$row){
+    $iam_settings = identity_provider('get');
+    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
+      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
+      if ($result !== false) return $result;
+    }
+  } 
+  if ($row['active'] != 1) {
+    return false;
+  }
+
+  if ($row['authsource'] == 'keycloak'){
+    // user authsource is keycloak, try using via rest flow
+    $iam_settings = identity_provider('get');
+    if (intval($iam_settings['mailboxpassword_flow']) == 1){
+      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+      return $result;
+    } else {
+      return false;
+    }
+  }
+ 
+  // verify password
+  if (verify_hash($row['password'], $pass) !== false) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+      // authenticators found, init TFA flow
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "user";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "pending";
+    } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+      // no authenticators found, login successfull
+      if (!$is_internal){
+        unset($_SESSION['ldelay']);
+        // Reactivate TFA if it was set to "deactivate TFA for next login"
+        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+        $stmt->execute(array(':user' => $user));
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => array('logged_in_as', $user)
+        );
+      }
+      return "user";
+    }
+  }
+
+  return false;
+}
+function apppass_login($user, $pass, $app_passwd_data, $extra = null){
+  global $pdo;
+
+  $is_internal = $extra['is_internal'];
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  $protocol = false;
+  if ($app_passwd_data['eas']){
+    $protocol = 'eas';
+  } else if ($app_passwd_data['dav']){
+    $protocol = 'dav';
+  } else if ($app_passwd_data['smtp']){
+    $protocol = 'smtp';
+  } else if ($app_passwd_data['imap']){
+    $protocol = 'imap';
+  } else if ($app_passwd_data['sieve']){
+    $protocol = 'sieve';
+  } else if ($app_passwd_data['pop3']){
+    $protocol = 'pop3';
+  } else if (!$is_internal) {
+    return false;
+  }
+
+  // fetch app password data
+  $stmt = $pdo->prepare("SELECT `app_passwd`.*, `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+    INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+    INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+    WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+      AND `mailbox`.`active` = '1'
+      AND `domain`.`active` = '1'
+      AND `app_passwd`.`active` = '1'
+      AND `app_passwd`.`mailbox` = :user"
+  );
+  // fetch password data
+  $stmt->execute(array(
+    ':user' => $user,
+  ));
+  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  
+  foreach ($rows as $row) {
+    if ($protocol && $row[$protocol . '_access'] != '1'){
+      continue;
+    }
+
+    // verify password
+    if (verify_hash($row['password'], $pass) !== false) {
+      if ($is_internal){
+        $remote_addr = $extra['remote_addr'];
+      } else {
+        $remote_addr = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+      }
+
+      $service = strtoupper($is_app_passwd);
+      $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+      $stmt->execute(array(
+        ':service' => $service,
+        ':app_id' => $row['app_passwd_id'],
+        ':username' => $user,
+        ':remote_addr' => $remote_addr
+      ));
+
+      unset($_SESSION['ldelay']);
+      return "user";
+    }
+  }
+
+  return false;
+}
+// Keycloak REST Api Flow - auth user by mailcow_password attribute
+// This password will be used for direct UI, IMAP and SMTP Auth
+// To use direct user credentials, only Authorization Code Flow is valid
+function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
+  global $pdo;
+
+  $is_internal = $extra['is_internal'];
+  $create = $extra['create'];
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  // get access_token for service account of mailcow client
+  $admin_token = identity_provider("get-keycloak-admin-token");
+
+  // get the mailcow_password attribute from keycloak user
+  $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
+  $queryParams = array('email' => $user, 'exact' => true);
+  $queryString = http_build_query($queryParams);
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+  curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($curl, CURLOPT_HTTPHEADER, array(
+      'Authorization: Bearer ' . $admin_token,
+      'Content-Type: application/json'
+  ));
+  $user_res = json_decode(curl_exec($curl), true)[0];
+  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+  curl_close($curl);
+  if ($code != 200) {
+    return false;
+  }
+  if (!isset($user_res['attributes']['mailcow_password']) || !is_array($user_res['attributes']['mailcow_password'])){
+    return false;
+  }
+  if (empty($user_res['attributes']['mailcow_password'][0])){
+    return false;
+  }
+
+  // validate mailcow_password
+  $mailcow_password = $user_res['attributes']['mailcow_password'][0];
+  if (!verify_hash($mailcow_password, $pass)) {
+    return false;
+  }
+
+  // get mapped template, if not set return false
+  // also return false if no mappers were defined
+  $user_template = $user_data['attributes']['mailcow_template'][0];
+  if ($create && (empty($iam_settings['mappers']) || $user_template)){
+    return false;
+  } else if (!$create) {
+    // login success - dont create mailbox
+    $_SESSION['return'][] =  array(
+      'type' => 'success',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => array('logged_in_as', $user)
+    );
+    return 'user';
+  }
+
+  // check if matching attribute exist
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+  if ($mapper_key === false) return false;
+
+  // create mailbox
+  $create_res = mailbox('add', 'mailbox_from_template', array(
+    'domain' => explode('@', $user)[1],
+    'local_part' => explode('@', $user)[0],
+    'authsource' => 'keycloak',
+    'template' => $iam_settings['mappers'][$mapper_key]
+  ));
+  if (!$create_res) return false;
+
+  // check if created mailbox from template is even active
+  // maybe dont even create it if active != 1
+  if ($mailbox_attributes['active'] != 1){
+    return false;
+  }
+
+  $_SESSION['return'][] =  array(
+    'type' => 'success',
+    'log' => array(__FUNCTION__, $user, '*'),
+    'msg' => array('logged_in_as', $user)
+  );
+  return 'user';
+}

data/web/inc/functions.customize.inc.php

@@ -103,10 +103,16 @@ function customize($_action, $_item, $_data = null) {
         case 'app_links':
           $apps = (array)$_data['app'];
           $links = (array)$_data['href'];
+          $user_links = (array)$_data['user_href'];
+          $hide = (array)$_data['hide'];
           $out = array();
-          if (count($apps) == count($links)) {
+          if (count($apps) == count($links) && count($apps) == count($user_links) && count($apps) == count($hide)) {
             for ($i = 0; $i < count($apps); $i++) {
-              $out[] = array($apps[$i] => $links[$i]);
+              $out[] = array($apps[$i] => array(
+                'link' => $links[$i],
+                'user_link' => $user_links[$i],
+                'hide' => ($hide[$i] === '0' || $hide[$i] === 0) ? false : true
+              ));
             }
             try {
               $redis->set('APP_LINKS', json_encode($out));
@@ -236,7 +242,22 @@ function customize($_action, $_item, $_data = null) {
             );
             return false;
           }
-          return ($app_links) ? $app_links : false;
+
+          if (empty($app_links)){
+            return false;
+          }
+
+          foreach($app_links as $key => $value){
+            foreach($value as $app => $details){
+              if (empty($details['user_link']) || empty($_SESSION['mailcow_cc_username'])){
+                $app_links[$key][$app]['user_link'] = $app_links[$key][$app]['link'];
+              } else {
+                $app_links[$key][$app]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links[$key][$app]['user_link']);
+              }
+            }
+          }
+
+          return $app_links;
         break;
         case 'main_logo':
           try {

data/web/inc/functions.docker.inc.php

@@ -192,5 +192,16 @@ function docker($action, $service_name = null, $attr1 = null, $attr2 = null, $ex
       }
       return false;
     break;
+    case 'broadcast':
+      $request = array(
+        "api_call" => "container_post",
+        "container_name" => $service_name,
+        "post_action" => $attr1,
+        "request" => $attr2
+      );
+
+      $redis->publish("MC_CHANNEL", json_encode($request));
+      return true;
+    break;
   }
 }

data/web/inc/functions.domain_admin.inc.php

@@ -1,407 +1,468 @@
-<?php
-function domain_admin($_action, $_data = null) {
-  global $pdo;
-  global $lang;
-  $_data_log = $_data;
-  !isset($_data_log['password']) ?: $_data_log['password'] = '*';
-  !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
-  !isset($_data_log['user_old_pass']) ?: $_data_log['user_old_pass'] = '*';
-  !isset($_data_log['user_new_pass']) ?: $_data_log['user_new_pass'] = '*';
-  !isset($_data_log['user_new_pass2']) ?: $_data_log['user_new_pass2'] = '*';
-  switch ($_action) {
-    case 'add':
-      $username		= strtolower(trim($_data['username']));
-      $password		= $_data['password'];
-      $password2  = $_data['password2'];
-      $domains    = (array)$_data['domains'];
-      $active     = intval($_data['active']);
-      if ($_SESSION['mailcow_cc_role'] != "admin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
-      if (empty($domains)) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'domain_invalid'
-        );
-        return false;
-      }
-      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username) || $username == 'API') {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('username_invalid', $username)
-        );
-        return false;
-      }
-
-      $stmt = $pdo->prepare("SELECT `username` FROM `mailbox`
-        WHERE `username` = :username");
-      $stmt->execute(array(':username' => $username));
-      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-
-      $stmt = $pdo->prepare("SELECT `username` FROM `admin`
-        WHERE `username` = :username");
-      $stmt->execute(array(':username' => $username));
-      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-
-      $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
-        WHERE `username` = :username");
-      $stmt->execute(array(':username' => $username));
-      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-
-      foreach ($num_results as $num_results_each) {
-        if ($num_results_each != 0) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('object_exists', htmlspecialchars($username))
-          );
-          return false;
-        }
-      }
-      if (password_check($password, $password2) !== true) {
-        continue;
-      }
-      $password_hashed = hash_password($password);
-      $valid_domains = 0;
-      foreach ($domains as $domain) {
-        if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('domain_invalid', htmlspecialchars($domain))
-          );
-          continue;
-        }
-        $valid_domains++;
-        $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
-            VALUES (:username, :domain, :created, :active)");
-        $stmt->execute(array(
-          ':username' => $username,
-          ':domain' => $domain,
-          ':created' => date('Y-m-d H:i:s'),
-          ':active' => $active
-        ));
-      }
-      if ($valid_domains != 0) {
-        $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
-          VALUES (:username, :password_hashed, '0', :active)");
-        $stmt->execute(array(
-          ':username' => $username,
-          ':password_hashed' => $password_hashed,
-          ':active' => $active
-        ));
-      }
-      $stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
-      $stmt->execute(array(
-        ':username' => $username
-      ));
-      $_SESSION['return'][] = array(
-        'type' => 'success',
-        'log' => array(__FUNCTION__, $_action, $_data_log),
-        'msg' => array('domain_admin_added', htmlspecialchars($username))
-      );
-    break;
-    case 'edit':
-      if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
-      // Administrator
-      if ($_SESSION['mailcow_cc_role'] == "admin") {
-        if (!is_array($_data['username'])) {
-          $usernames = array();
-          $usernames[] = $_data['username'];
-        }
-        else {
-          $usernames = $_data['username'];
-        }
-        foreach ($usernames as $username) {
-          $is_now = domain_admin('details', $username);
-          $domains = (isset($_data['domains'])) ? (array)$_data['domains'] : null;
-          if (!empty($is_now)) {
-            $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
-            $domains = (!empty($domains)) ? $domains : $is_now['selected_domains'];
-            $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
-          }
-          else {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => 'access_denied'
-            );
-            continue;
-          }
-          $password     = $_data['password'];
-          $password2    = $_data['password2'];
-          if (!empty($domains)) {
-            foreach ($domains as $domain) {
-              if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
-                $_SESSION['return'][] = array(
-                  'type' => 'danger',
-                  'log' => array(__FUNCTION__, $_action, $_data_log),
-                  'msg' => array('domain_invalid', htmlspecialchars($domain))
-                );
-                continue 2;
-              }
-            }
-          }
-          if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => array('username_invalid', $username_new)
-            );
-            continue;
-          }
-          if ($username_new != $username) {
-            if (!empty(domain_admin('details', $username_new)['username'])) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_data_log),
-                'msg' => array('username_invalid', $username_new)
-              );
-              continue;
-            }
-          }
-          $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
-          $stmt->execute(array(
-            ':username' => $username,
-          ));
-          $stmt = $pdo->prepare("UPDATE `da_acl` SET `username` = :username_new WHERE `username` = :username");
-          $stmt->execute(array(
-            ':username_new' => $username_new,
-            ':username' => $username
-          ));
-          if (!empty($domains)) {
-            foreach ($domains as $domain) {
-              $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
-                VALUES (:username_new, :domain, :created, :active)");
-              $stmt->execute(array(
-                ':username_new' => $username_new,
-                ':domain' => $domain,
-                ':created' => date('Y-m-d H:i:s'),
-                ':active' => $active
-              ));
-            }
-          }
-          if (!empty($password)) {
-            if (password_check($password, $password2) !== true) {
-              return false;
-            }
-            $password_hashed = hash_password($password);
-            $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
-            $stmt->execute(array(
-              ':password_hashed' => $password_hashed,
-              ':username_new' => $username_new,
-              ':username' => $username,
-              ':active' => $active
-            ));
-            if (isset($_data['disable_tfa'])) {
-              $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
-              $stmt->execute(array(':username' => $username));
-            }
-            else {
-              $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
-              $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
-            }
-          }
-          else {
-            $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
-            $stmt->execute(array(
-              ':username_new' => $username_new,
-              ':username' => $username,
-              ':active' => $active
-            ));
-            if (isset($_data['disable_tfa'])) {
-              $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
-              $stmt->execute(array(':username' => $username));
-            }
-            else {
-              $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
-              $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
-            }
-          }
-          $_SESSION['return'][] = array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('domain_admin_modified', htmlspecialchars($username))
-          );
-        }
-        return true;
-      }
-      // Domain administrator
-      // Can only edit itself
-      elseif ($_SESSION['mailcow_cc_role'] == "domainadmin") {
-        $username = $_SESSION['mailcow_cc_username'];
-        $password_old		= $_data['user_old_pass'];
-        $password_new	= $_data['user_new_pass'];
-        $password_new2	= $_data['user_new_pass2'];
-
-        $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-            WHERE `username` = :user");
-        $stmt->execute(array(':user' => $username));
-        $row = $stmt->fetch(PDO::FETCH_ASSOC);
-        if (!verify_hash($row['password'], $password_old)) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => 'access_denied'
-          );
-          return false;
-        }
-        if (password_check($password_new, $password_new2) !== true) {
-          return false;
-        }
-        $password_hashed = hash_password($password_new);
-        $stmt = $pdo->prepare("UPDATE `admin` SET `password` = :password_hashed WHERE `username` = :username");
-        $stmt->execute(array(
-          ':password_hashed' => $password_hashed,
-          ':username' => $username
-        ));
-        $_SESSION['return'][] = array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('domain_admin_modified', htmlspecialchars($username))
-        );
-      }
-    break;
-    case 'delete':
-      if ($_SESSION['mailcow_cc_role'] != "admin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
-      $usernames = (array)$_data['username'];
-      foreach ($usernames as $username) {
-        if (empty(domain_admin('details', $username))) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('username_invalid', $username)
-          );
-          continue;
-        }
-        $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-        $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-        $stmt = $pdo->prepare("DELETE FROM `da_acl` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-        $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-        $_SESSION['return'][] = array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('domain_admin_removed', htmlspecialchars($username))
-        );
-      }
-    break;
-    case 'get':
-      $domainadmins = array();
-      if ($_SESSION['mailcow_cc_role'] != "admin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
-      $stmt = $pdo->query("SELECT DISTINCT
-        `username`
-          FROM `domain_admins`
-            WHERE `username` IN (
-              SELECT `username` FROM `admin`
-                WHERE `superadmin`!='1'
-            )");
-      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-      while ($row = array_shift($rows)) {
-        $domainadmins[] = $row['username'];
-      }
-      return $domainadmins;
-    break;
-    case 'details':
-      $domainadmindata = array();
-      if ($_SESSION['mailcow_cc_role'] == "domainadmin" && $_data != $_SESSION['mailcow_cc_username']) {
-        return false;
-      }
-      elseif ($_SESSION['mailcow_cc_role'] != "admin" || !isset($_data)) {
-        return false;
-      }
-      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $_data))) {
-        return false;
-      }
-      $stmt = $pdo->prepare("SELECT
-        `tfa`.`active` AS `tfa_active`,
-        `domain_admins`.`username`,
-        `domain_admins`.`created`,
-        `domain_admins`.`active` AS `active`
-          FROM `domain_admins`
-          LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`domain_admins`.`username`
-            WHERE `domain_admins`.`username`= :domain_admin");
-      $stmt->execute(array(
-        ':domain_admin' => $_data
-      ));
-      $row = $stmt->fetch(PDO::FETCH_ASSOC);
-      if (empty($row)) {
-        return false;
-      }
-      $domainadmindata['username'] = $row['username'];
-      $domainadmindata['tfa_active'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
-      $domainadmindata['tfa_active_int'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
-      $domainadmindata['active'] = $row['active'];
-      $domainadmindata['active_int'] = $row['active'];
-      $domainadmindata['created'] = $row['created'];
-      // GET SELECTED
-      $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
-        WHERE `domain` IN (
-          SELECT `domain` FROM `domain_admins`
-            WHERE `username`= :domain_admin)");
-      $stmt->execute(array(':domain_admin' => $_data));
-      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-      while($row = array_shift($rows)) {
-        $domainadmindata['selected_domains'][] = $row['domain'];
-      }
-      // GET UNSELECTED
-      $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
-        WHERE `domain` NOT IN (
-          SELECT `domain` FROM `domain_admins`
-            WHERE `username`= :domain_admin)");
-      $stmt->execute(array(':domain_admin' => $_data));
-      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-      while($row = array_shift($rows)) {
-        $domainadmindata['unselected_domains'][] = $row['domain'];
-      }
-      if (!isset($domainadmindata['unselected_domains'])) {
-        $domainadmindata['unselected_domains'] = "";
-      }
-
-      return $domainadmindata;
-    break;
-  }
-}
+<?php
+function domain_admin($_action, $_data = null) {
+  global $pdo;
+  global $lang;
+  $_data_log = $_data;
+  !isset($_data_log['password']) ?: $_data_log['password'] = '*';
+  !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
+  !isset($_data_log['user_old_pass']) ?: $_data_log['user_old_pass'] = '*';
+  !isset($_data_log['user_new_pass']) ?: $_data_log['user_new_pass'] = '*';
+  !isset($_data_log['user_new_pass2']) ?: $_data_log['user_new_pass2'] = '*';
+  switch ($_action) {
+    case 'add':
+      $username		= strtolower(trim($_data['username']));
+      $password		= $_data['password'];
+      $password2  = $_data['password2'];
+      $domains    = (array)$_data['domains'];
+      $active     = intval($_data['active']);
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      if (empty($domains)) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'domain_invalid'
+        );
+        return false;
+      }
+      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username) || $username == 'API') {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('username_invalid', $username)
+        );
+        return false;
+      }
+
+      $stmt = $pdo->prepare("SELECT `username` FROM `mailbox`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+
+      $stmt = $pdo->prepare("SELECT `username` FROM `admin`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+
+      $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+
+      foreach ($num_results as $num_results_each) {
+        if ($num_results_each != 0) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('object_exists', htmlspecialchars($username))
+          );
+          return false;
+        }
+      }
+      if (password_check($password, $password2) !== true) {
+        continue;
+      }
+      $password_hashed = hash_password($password);
+      $valid_domains = 0;
+      foreach ($domains as $domain) {
+        if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('domain_invalid', htmlspecialchars($domain))
+          );
+          continue;
+        }
+        $valid_domains++;
+        $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
+            VALUES (:username, :domain, :created, :active)");
+        $stmt->execute(array(
+          ':username' => $username,
+          ':domain' => $domain,
+          ':created' => date('Y-m-d H:i:s'),
+          ':active' => $active
+        ));
+      }
+      if ($valid_domains != 0) {
+        $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
+          VALUES (:username, :password_hashed, '0', :active)");
+        $stmt->execute(array(
+          ':username' => $username,
+          ':password_hashed' => $password_hashed,
+          ':active' => $active
+        ));
+      }
+      $stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
+      $stmt->execute(array(
+        ':username' => $username
+      ));
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $_data_log),
+        'msg' => array('domain_admin_added', htmlspecialchars($username))
+      );
+    break;
+    case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      // Administrator
+      if ($_SESSION['mailcow_cc_role'] == "admin") {
+        if (!is_array($_data['username'])) {
+          $usernames = array();
+          $usernames[] = $_data['username'];
+        }
+        else {
+          $usernames = $_data['username'];
+        }
+        foreach ($usernames as $username) {
+          $is_now = domain_admin('details', $username);
+          $domains = (isset($_data['domains'])) ? (array)$_data['domains'] : null;
+          if (!empty($is_now)) {
+            $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
+            $domains = (!empty($domains)) ? $domains : $is_now['selected_domains'];
+            $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
+          }
+          else {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_data_log),
+              'msg' => 'access_denied'
+            );
+            continue;
+          }
+          $password     = $_data['password'];
+          $password2    = $_data['password2'];
+          if (!empty($domains)) {
+            foreach ($domains as $domain) {
+              if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
+                $_SESSION['return'][] = array(
+                  'type' => 'danger',
+                  'log' => array(__FUNCTION__, $_action, $_data_log),
+                  'msg' => array('domain_invalid', htmlspecialchars($domain))
+                );
+                continue 2;
+              }
+            }
+          }
+          if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_data_log),
+              'msg' => array('username_invalid', $username_new)
+            );
+            continue;
+          }
+          if ($username_new != $username) {
+            if (!empty(domain_admin('details', $username_new)['username'])) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_data_log),
+                'msg' => array('username_invalid', $username_new)
+              );
+              continue;
+            }
+          }
+          $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
+          $stmt->execute(array(
+            ':username' => $username,
+          ));
+          $stmt = $pdo->prepare("UPDATE `da_acl` SET `username` = :username_new WHERE `username` = :username");
+          $stmt->execute(array(
+            ':username_new' => $username_new,
+            ':username' => $username
+          ));
+          if (!empty($domains)) {
+            foreach ($domains as $domain) {
+              $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
+                VALUES (:username_new, :domain, :created, :active)");
+              $stmt->execute(array(
+                ':username_new' => $username_new,
+                ':domain' => $domain,
+                ':created' => date('Y-m-d H:i:s'),
+                ':active' => $active
+              ));
+            }
+          }
+          if (!empty($password)) {
+            if (password_check($password, $password2) !== true) {
+              return false;
+            }
+            $password_hashed = hash_password($password);
+            $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
+            $stmt->execute(array(
+              ':password_hashed' => $password_hashed,
+              ':username_new' => $username_new,
+              ':username' => $username,
+              ':active' => $active
+            ));
+            if (isset($_data['disable_tfa'])) {
+              $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
+              $stmt->execute(array(':username' => $username));
+            }
+            else {
+              $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
+              $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
+            }
+          }
+          else {
+            $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
+            $stmt->execute(array(
+              ':username_new' => $username_new,
+              ':username' => $username,
+              ':active' => $active
+            ));
+            if (isset($_data['disable_tfa'])) {
+              $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
+              $stmt->execute(array(':username' => $username));
+            }
+            else {
+              $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
+              $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
+            }
+          }
+          $_SESSION['return'][] = array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('domain_admin_modified', htmlspecialchars($username))
+          );
+        }
+        return true;
+      }
+      // Domain administrator
+      // Can only edit itself
+      elseif ($_SESSION['mailcow_cc_role'] == "domainadmin") {
+        $username = $_SESSION['mailcow_cc_username'];
+        $password_old		= $_data['user_old_pass'];
+        $password_new	= $_data['user_new_pass'];
+        $password_new2	= $_data['user_new_pass2'];
+
+        $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+            WHERE `username` = :user");
+        $stmt->execute(array(':user' => $username));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if (!verify_hash($row['password'], $password_old)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => 'access_denied'
+          );
+          return false;
+        }
+        if (password_check($password_new, $password_new2) !== true) {
+          return false;
+        }
+        $password_hashed = hash_password($password_new);
+        $stmt = $pdo->prepare("UPDATE `admin` SET `password` = :password_hashed WHERE `username` = :username");
+        $stmt->execute(array(
+          ':password_hashed' => $password_hashed,
+          ':username' => $username
+        ));
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('domain_admin_modified', htmlspecialchars($username))
+        );
+      }
+    break;
+    case 'delete':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      $usernames = (array)$_data['username'];
+      foreach ($usernames as $username) {
+        if (empty(domain_admin('details', $username))) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => array('username_invalid', $username)
+          );
+          continue;
+        }
+        $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `da_acl` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('domain_admin_removed', htmlspecialchars($username))
+        );
+      }
+    break;
+    case 'get':
+      $domainadmins = array();
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      $stmt = $pdo->query("SELECT DISTINCT
+        `username`
+          FROM `domain_admins`
+            WHERE `username` IN (
+              SELECT `username` FROM `admin`
+                WHERE `superadmin`!='1'
+            )");
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      while ($row = array_shift($rows)) {
+        $domainadmins[] = $row['username'];
+      }
+      return $domainadmins;
+    break;
+    case 'details':
+      $domainadmindata = array();
+      if ($_SESSION['mailcow_cc_role'] == "domainadmin" && $_data != $_SESSION['mailcow_cc_username']) {
+        return false;
+      }
+      elseif ($_SESSION['mailcow_cc_role'] != "admin" || !isset($_data)) {
+        return false;
+      }
+      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $_data))) {
+        return false;
+      }
+      $stmt = $pdo->prepare("SELECT
+        `tfa`.`active` AS `tfa_active`,
+        `domain_admins`.`username`,
+        `domain_admins`.`created`,
+        `domain_admins`.`active` AS `active`
+          FROM `domain_admins`
+          LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`domain_admins`.`username`
+            WHERE `domain_admins`.`username`= :domain_admin");
+      $stmt->execute(array(
+        ':domain_admin' => $_data
+      ));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (empty($row)) {
+        return false;
+      }
+      $domainadmindata['username'] = $row['username'];
+      $domainadmindata['tfa_active'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
+      $domainadmindata['tfa_active_int'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
+      $domainadmindata['active'] = $row['active'];
+      $domainadmindata['active_int'] = $row['active'];
+      $domainadmindata['created'] = $row['created'];
+      // GET SELECTED
+      $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
+        WHERE `domain` IN (
+          SELECT `domain` FROM `domain_admins`
+            WHERE `username`= :domain_admin)");
+      $stmt->execute(array(':domain_admin' => $_data));
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      while($row = array_shift($rows)) {
+        $domainadmindata['selected_domains'][] = $row['domain'];
+      }
+      // GET UNSELECTED
+      $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
+        WHERE `domain` NOT IN (
+          SELECT `domain` FROM `domain_admins`
+            WHERE `username`= :domain_admin)");
+      $stmt->execute(array(':domain_admin' => $_data));
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      while($row = array_shift($rows)) {
+        $domainadmindata['unselected_domains'][] = $row['domain'];
+      }
+      if (!isset($domainadmindata['unselected_domains'])) {
+        $domainadmindata['unselected_domains'] = "";
+      }
+
+      return $domainadmindata;
+    break;
+  }
+}
+function domain_admin_sso($_action, $_data) {
+  global $pdo;
+
+  switch ($_action) {
+    case 'check':
+      $token = $_data;
+
+      $stmt = $pdo->prepare("SELECT `t1`.`username` FROM `da_sso` AS `t1` JOIN `admin` AS `t2` ON `t1`.`username` = `t2`.`username` WHERE `t1`.`token` = :token AND `t1`.`created` > DATE_SUB(NOW(), INTERVAL '30' SECOND) AND `t2`.`active` = 1 AND `t2`.`superadmin` = 0;");
+      $stmt->execute(array(
+        ':token' => preg_replace('/[^a-zA-Z0-9-]/', '', $token)
+      ));
+      $return = $stmt->fetch(PDO::FETCH_ASSOC);
+      return empty($return['username']) ? false : $return['username'];
+    case 'issue':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      $username = $_data['username'];
+
+      $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+
+      if ($num_results < 1) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => array('object_doesnt_exist', htmlspecialchars($username))
+        );
+        return false;
+      }
+
+      $token = implode('-', array(
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3)))
+      ));
+
+      $stmt = $pdo->prepare("INSERT INTO `da_sso` (`username`, `token`)
+            VALUES (:username, :token)");
+      $stmt->execute(array(
+        ':username' => $username,
+        ':token' => $token
+      ));
+
+      // perform cleanup
+      $pdo->query("DELETE FROM `da_sso` WHERE created < DATE_SUB(NOW(), INTERVAL '30' SECOND);");
+
+      return ['token' => $token];
+    break;
+  }
+}

data/web/inc/functions.fail2ban.inc.php

@@ -239,7 +239,9 @@ function fail2ban($_action, $_data = null) {
       $is_now = fail2ban('get');
       if (!empty($is_now)) {
         $ban_time = intval((isset($_data['ban_time'])) ? $_data['ban_time'] : $is_now['ban_time']);
+        $ban_time_increment = (isset($_data['ban_time_increment']) && $_data['ban_time_increment'] == "1") ? 1 : 0;
         $max_attempts = intval((isset($_data['max_attempts'])) ? $_data['max_attempts'] : $is_now['max_attempts']);
+        $max_ban_time = intval((isset($_data['max_ban_time'])) ? $_data['max_ban_time'] : $is_now['max_ban_time']);
         $retry_window = intval((isset($_data['retry_window'])) ? $_data['retry_window'] : $is_now['retry_window']);
         $netban_ipv4 = intval((isset($_data['netban_ipv4'])) ? $_data['netban_ipv4'] : $is_now['netban_ipv4']);
         $netban_ipv6 = intval((isset($_data['netban_ipv6'])) ? $_data['netban_ipv6'] : $is_now['netban_ipv6']);
@@ -256,6 +258,8 @@ function fail2ban($_action, $_data = null) {
       }
       $f2b_options = array();
       $f2b_options['ban_time'] = ($ban_time < 60) ? 60 : $ban_time;
+      $f2b_options['ban_time_increment'] = ($ban_time_increment == 1) ? true : false;
+      $f2b_options['max_ban_time'] = ($max_ban_time < 60) ? 60 : $max_ban_time;
       $f2b_options['netban_ipv4'] = ($netban_ipv4 < 8) ? 8 : $netban_ipv4;
       $f2b_options['netban_ipv6'] = ($netban_ipv6 < 8) ? 8 : $netban_ipv6;
       $f2b_options['netban_ipv4'] = ($netban_ipv4 > 32) ? 32 : $netban_ipv4;

data/web/inc/functions.inc.php

@@ -526,8 +526,9 @@ function logger($_data = false) {
           ':remote' => get_remote_ip()
         ));
       }
-      catch (Exception $e) {
-        // Do nothing
+      catch (PDOException $e) {
+        # handle the exception here, as the exception handler function results in a white page
+        error_log($e->getMessage(), 0);
       }
     }
   }
@@ -810,200 +811,6 @@ function verify_hash($hash, $password) {
   }
   return false;
 }
-function check_login($user, $pass, $app_passwd_data = false) {
-  global $pdo;
-  global $redis;
-  global $imap_server;
-
-  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => 'malformed_username'
-    );
-    return false;
-  }
-
-  // Validate admin
-  $user = strtolower(trim($user));
-  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-      WHERE `superadmin` = '1'
-      AND `active` = '1'
-      AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass)) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        // active tfa authenticators found, set pending user login
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "admin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      } else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "admin";
-      }
-    }
-  }
-
-  // Validate domain admin
-  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-      WHERE `superadmin` = '0'
-      AND `active`='1'
-      AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      }
-      else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "domainadmin";
-      }
-    }
-  }
-
-  // Validate mailbox user
-  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
-        AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  if ($app_passwd_data['eas'] === true) {
-    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
-        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
-        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
-        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active` = '1'
-          AND `domain`.`active` = '1'
-          AND `app_passwd`.`active` = '1'
-          AND `app_passwd`.`eas_access` = '1'
-          AND `app_passwd`.`mailbox` = :user");
-    $stmt->execute(array(':user' => $user));
-    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
-  }
-  elseif ($app_passwd_data['dav'] === true) {
-    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
-        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
-        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
-        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active` = '1'
-          AND `domain`.`active` = '1'
-          AND `app_passwd`.`active` = '1'
-          AND `app_passwd`.`dav_access` = '1'
-          AND `app_passwd`.`mailbox` = :user");
-    $stmt->execute(array(':user' => $user));
-    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
-  }
-  foreach ($rows as $row) { 
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      if (!array_key_exists("app_passwd_id", $row)){ 
-        // password is not a app password
-        // check for tfa authenticators
-        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
-            $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
-          // authenticators found, init TFA flow
-          $_SESSION['pending_mailcow_cc_username'] = $user;
-          $_SESSION['pending_mailcow_cc_role'] = "user";
-          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-          unset($_SESSION['ldelay']);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-          return "pending";
-        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-          // no authenticators found, login successfull
-          // Reactivate TFA if it was set to "deactivate TFA for next login"
-          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-          $stmt->execute(array(':user' => $user));
-
-          unset($_SESSION['ldelay']);
-          return "user";
-        }
-      } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
-        // password is a app password
-        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
-        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-        $stmt->execute(array(
-          ':service' => $service,
-          ':app_id' => $row['app_passwd_id'],
-          ':username' => $user,
-          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
-        ));
-
-        unset($_SESSION['ldelay']);
-        return "user";
-      }
-    }
-  }
-
-  if (!isset($_SESSION['ldelay'])) {
-    $_SESSION['ldelay'] = "0";
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-  }
-  elseif (!isset($_SESSION['mailcow_cc_username'])) {
-    $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-  }
-
-  $_SESSION['return'][] =  array(
-    'type' => 'danger',
-    'log' => array(__FUNCTION__, $user, '*'),
-    'msg' => 'login_failed'
-  );
-
-  sleep($_SESSION['ldelay']);
-  return false;
-}
 function formatBytes($size, $precision = 2) {
   if(!is_numeric($size)) {
     return "0";
@@ -1015,20 +822,77 @@ function formatBytes($size, $precision = 2) {
   }
   return round(pow(1024, $base - floor($base)), $precision) . $suffixes[floor($base)];
 }
-function update_sogo_static_view() {
+function update_sogo_static_view($mailbox = null) {
   if (getenv('SKIP_SOGO') == "y") {
     return true;
   }
   global $pdo;
   global $lang;
-  $stmt = $pdo->query("SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES
-    WHERE TABLE_NAME = 'sogo_view'");
-  $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-  if ($num_results != 0) {
-    $stmt = $pdo->query("REPLACE INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`)
-      SELECT `c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings` from sogo_view");
-    $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
+
+  $mailbox_exists = false;
+  if ($mailbox !== null) {
+    // Check if the mailbox exists
+    $stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'");
+    $stmt->execute(array(':mailbox' => $mailbox));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);  
+    if ($row){
+      $mailbox_exists = true;
+    }
   }
+
+  $subquery = "GROUP BY mailbox.username";
+  if ($mailbox_exists) {
+    $subquery = "AND mailbox.username = :mailbox";
+  }
+  $query = "INSERT INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`)
+      SELECT
+        mailbox.username,
+        mailbox.domain,
+        mailbox.username,
+        CASE 
+          WHEN mailbox.authsource IS NOT NULL AND mailbox.authsource <> 'mailcow' THEN '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'
+          ELSE 
+            IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0',
+              IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
+              '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321')
+        END AS c_password,
+        mailbox.name,
+        mailbox.username,
+        IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
+        IFNULL(gda.ad_alias, ''),
+        IFNULL(external_acl.send_as_acl, ''),
+        mailbox.kind,
+        mailbox.multiple_bookings
+      FROM
+        mailbox
+        LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
+        LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username
+        LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username
+      WHERE
+        mailbox.active = '1'
+        $subquery
+      ON DUPLICATE KEY UPDATE
+        `domain` = VALUES(`domain`),
+        `c_name` = VALUES(`c_name`),
+        `c_password` = VALUES(`c_password`),
+        `c_cn` = VALUES(`c_cn`),
+        `mail` = VALUES(`mail`),
+        `aliases` = VALUES(`aliases`),
+        `ad_aliases` = VALUES(`ad_aliases`),
+        `ext_acl` = VALUES(`ext_acl`),
+        `kind` = VALUES(`kind`),
+        `multiple_bookings` = VALUES(`multiple_bookings`)";
+
+  
+  if ($mailbox_exists) {
+    $stmt = $pdo->prepare($query);
+    $stmt->execute(array(':mailbox' => $mailbox));
+  } else {
+    $stmt = $pdo->query($query);
+  }
+  
+  $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
+  
   flush_memcached();
 }
 function edit_user_account($_data) {
@@ -1051,7 +915,7 @@ function edit_user_account($_data) {
   }
   $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
       WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
+        AND `username` = :user AND authsource = 'mailcow'");
   $stmt->execute(array(':user' => $username));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   if (!verify_hash($row['password'], $password_old)) {
@@ -1072,7 +936,7 @@ function edit_user_account($_data) {
     $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed,
       `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'),
       `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-        WHERE `username` = :username");
+        WHERE `username` = :username AND authsource = 'mailcow'");
     $stmt->execute(array(
       ':password_hashed' => $password_hashed,
       ':username' => $username
@@ -1739,7 +1603,7 @@ function verify_tfa_login($username, $_data) {
               $_SESSION['return'][] =  array(
                   'type' => 'danger',
                   'log' => array(__FUNCTION__, $username, '*'),
-                  'msg' => array('webauthn_verification_failed', 'authenticator not found')
+                  'msg' => array('webauthn_authenticator_failed')
               );
               return false;
             } 
@@ -1748,11 +1612,20 @@ function verify_tfa_login($username, $_data) {
                 $_SESSION['return'][] =  array(
                     'type' => 'danger',
                     'log' => array(__FUNCTION__, $username, '*'),
-                    'msg' => array('webauthn_verification_failed', 'publicKey not found')
+                    'msg' => array('webauthn_publickey_failed')
                 );
                 return false;
             }
 
+            if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){
+              $_SESSION['return'][] =  array(
+                  'type' => 'danger',
+                  'log' => array(__FUNCTION__, $username, '*'),
+                  'msg' => array('webauthn_username_failed')
+              );
+              return false;
+            }
+
             try {
                 $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']);
             }
@@ -1784,21 +1657,12 @@ function verify_tfa_login($username, $_data) {
                 $_SESSION['return'][] =  array(
                   'type' => 'danger',
                   'log' => array(__FUNCTION__, $username, '*'),
-                  'msg' => array('webauthn_verification_failed', 'could not determine user role')
+                  'msg' => array('webauthn_role_failed')
                 );
                 return false;
               }
             }
 
-            if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){
-                $_SESSION['return'][] =  array(
-                    'type' => 'danger',
-                    'log' => array(__FUNCTION__, $username, '*'),
-                    'msg' => array('webauthn_verification_failed', 'user who requests does not match with sql entry')
-                );
-                return false;
-            }
-
             $_SESSION["mailcow_cc_username"] = $process_webauthn['username'];
             $_SESSION['tfa_id'] = $process_webauthn['id'];
             $_SESSION['authReq'] = null;
@@ -2094,6 +1958,555 @@ function rspamd_ui($action, $data = null) {
   }
 }
 
+function identity_provider($_action, $_data = null, $_extra = null) {
+  global $pdo;
+
+  $data_log = $_data;
+  if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
+  if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
+
+  switch ($_action) {
+    case 'get':
+      $settings = array();
+      $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
+      $stmt->execute();
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      foreach($rows as $row){
+        if ($row["key"] == 'mappers' || $row["key"] == 'templates'){
+          $settings[$row["key"]] = json_decode($row["value"]);
+        } else {
+          $settings[$row["key"]] = $row["value"];
+        }
+      }
+      if ($_extra['hide_sensitive']){
+        $settings['client_secret'] = '';
+        $settings['access_token'] = '';
+      }
+      return $settings;
+    break;
+    case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      if (!isset($_data['authsource'])){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('required_data_missing', $setting)
+        );
+        return false;
+      }
+      $_data['authsource'] = strtolower($_data['authsource']);
+      if ($_data['authsource'] != "keycloak" && $_data['authsource'] != "generic-oidc"){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('invalid_authsource', $setting)
+        );
+        return false;
+      }
+
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+          WHERE `authsource` != 'mailcow'
+          AND `authsource` IS NOT NULL
+          AND `authsource` != :authsource");  
+      $stmt->execute(array(':authsource' => $_data['authsource']));
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      if ($rows) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('authsource_in_use', $setting)
+        );
+        return false;
+      }
+
+      if ($_data['authsource'] == "keycloak") {
+        $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
+        $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
+        $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+        $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+        $_data['sync_interval']     = isset($_data['sync_interval']) ? intval($_data['sync_interval']) : 15;
+        $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
+        $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+      } else if ($_data['authsource'] == "generic-oidc") {
+        $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? rtrim($_data['authorize_url'], '/') : null;
+        $_data['token_url']         = (!empty($_data['token_url'])) ? rtrim($_data['token_url'], '/') : null;
+        $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? rtrim($_data['userinfo_url'], '/') : null;
+        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+      }
+      
+      $pdo->beginTransaction();
+      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+      // add connection settings
+      foreach($required_settings as $setting){
+        if (!isset($_data[$setting])){
+          $_SESSION['return'][] =  array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $data_log),
+            'msg' => array('required_data_missing', $setting)
+          );
+          $pdo->rollback();
+          return false;
+        }
+        if ($setting == "server_url" || $setting == "authorize_url" || $setting == "token_url" || $setting == "userinfo_url") {
+          $_data[$setting] = rtrim($_data[$setting], '/');
+        }
+
+        $stmt->bindParam(':key', $setting);
+        $stmt->bindParam(':value', $_data[$setting]);
+        $stmt->execute();
+      }
+      $pdo->commit();
+
+      // add mappers
+      if ($_data['mappers'] && $_data['templates']){
+        $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers'];
+        $_data['templates'] = (!is_array($_data['templates'])) ? array($_data['templates']) : $_data['templates'];
+
+        $mappers = array_filter($_data['mappers']);
+        $templates = array_filter($_data['templates']);
+        if (count($mappers) == count($templates)){
+          $mappers = json_encode($mappers);
+          $templates = json_encode($templates);
+
+          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('mappers', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+          $stmt->bindParam(':value', $mappers);
+          $stmt->execute();
+          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('templates', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+          $stmt->bindParam(':value', $templates);
+          $stmt->execute();
+        }
+      }
+
+      // delete old access_token
+      $stmt = $pdo->query("INSERT INTO identity_provider (`key`, `value`) VALUES ('access_token', '') ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $data_log),
+        'msg' => array('object_modified', '')
+      );
+      return true;
+    break;
+    case 'test':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      if ($_data['authsource'] == 'keycloak') {
+        $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
+      } else {
+        $url = $_data['token_url'];
+      }
+      $req = http_build_query(array(
+        'grant_type'    => 'client_credentials',
+        'client_id'     => $_data['client_id'],
+        'client_secret' => $_data['client_secret']
+      ));
+      $curl = curl_init();
+      curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+      curl_setopt($curl, CURLOPT_POST, 1);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+      curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+      curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+      $res = curl_exec($curl);
+      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+      curl_close ($curl);
+      
+      if ($code != 200) {
+        return false;
+      }
+      return true;
+    break;
+    case "delete":
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      
+      $stmt = $pdo->query("SELECT * FROM `mailbox`
+          WHERE `authsource` != 'mailcow'
+          AND `authsource` IS NOT NULL");
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      if ($rows) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('authsource_in_use', $setting)
+        );
+        return false;
+      }
+
+      $stmt = $pdo->query("DELETE FROM identity_provider;");
+
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $data_log),
+        'msg' => array('item_deleted', '')
+      );
+      return true;
+    break;
+    case "init":
+      $iam_settings = identity_provider('get');
+      $provider = null;
+      if ($iam_settings['authsource'] == 'keycloak'){
+        if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
+            $iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){
+          $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            'authServerUrl'         => $iam_settings['server_url'],
+            'realm'                 => $iam_settings['realm'],
+            'clientId'              => $iam_settings['client_id'],
+            'clientSecret'          => $iam_settings['client_secret'],
+            'redirectUri'           => $iam_settings['redirect_url'],
+            'version'               => $iam_settings['version'],                            
+            // 'encryptionAlgorithm'   => 'RS256',                             // optional
+            // 'encryptionKeyPath'     => '../key.pem'                         // optional
+            // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+          ]);
+        }
+      }
+      else if ($iam_settings['authsource'] == 'generic-oidc'){
+        if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
+            $iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){
+          $provider = new \League\OAuth2\Client\Provider\GenericProvider([
+            'clientId'                => $iam_settings['client_id'],
+            'clientSecret'            => $iam_settings['client_secret'],
+            'redirectUri'             => $iam_settings['redirect_url'],
+            'urlAuthorize'            => $iam_settings['authorize_url'],
+            'urlAccessToken'          => $iam_settings['token_url'],
+            'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
+            'scopes'                  => 'openid profile email'
+          ]);
+        }
+      }
+      return $provider;
+    break;
+    case "verify-sso":
+      $provider = $_data['iam_provider'];
+    
+      try {
+        $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
+        $_SESSION['iam_token'] = $token->getToken();
+        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $info = $provider->getResourceOwner($token)->toArray();
+      } catch (Throwable $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+      // check if email address is given
+      if (empty($info['email'])) return false;
+    
+      // token valid, get mailbox
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+        INNER JOIN domain on mailbox.domain = domain.domain
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `mailbox`.`active`='1'
+          AND `domain`.`active`='1'
+          AND `username` = :user
+          AND `authsource`='keycloak' OR `authsource`='generic-oidc'");
+      $stmt->execute(array(':user' => $info['email']));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+      if ($row){
+        // success
+        $_SESSION['mailcow_cc_username'] = $info['email'];
+        $_SESSION['mailcow_cc_role'] = "user";
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+        );
+        return true;
+      }
+
+      // get mapped template, if not set return false
+      // also return false if no mappers were defined
+      $provider = identity_provider('get');
+      $user_template = $info['mailcow_template'];
+      if (empty($provider['mappers']) || empty($user_template)){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+
+      // check if matching attribute exist
+      $mapper_key = array_search($user_template, $provider['mappers']);
+      if ($mapper_key === false) {
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+
+      // create mailbox
+      $create_res = mailbox('add', 'mailbox_from_template', array(
+        'domain' => explode('@', $info['email'])[1],
+        'local_part' => explode('@', $info['email'])[0],
+        'authsource' => identity_provider('get')['authsource'],
+        'template' => $provider['templates'][$mapper_key]
+      ));
+      if (!$create_res){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+    
+      $_SESSION['mailcow_cc_username'] = $info['email'];
+      $_SESSION['mailcow_cc_role'] = "user";
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+        'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+      );
+      return true;
+    break;
+    case "refresh-token":
+      $provider = $_data['iam_provider'];
+
+      try {
+        $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
+        $_SESSION['iam_token'] = $token->getToken();
+        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $info = $provider->getResourceOwner($token)->toArray();
+      } catch (Throwable $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+
+      if (empty($info['email'])){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'refresh_login_failed'
+        );
+        return false;
+      }
+    
+      $_SESSION['mailcow_cc_username'] = $info['email'];
+      $_SESSION['mailcow_cc_role'] = "user";
+      return true;
+    break;
+    case "get-redirect":
+      $provider = $_data['iam_provider'];
+      $authUrl = $provider->getAuthorizationUrl();
+      $_SESSION['oauth2state'] = $provider->getState();
+      return $authUrl;
+    break;
+    case "get-keycloak-admin-token":
+      // get access_token for service account of mailcow client
+      $iam_settings = identity_provider('get');
+      if ($iam_settings['authsource'] !== 'keycloak') return false;
+      if (isset($iam_settings['access_token'])) {
+        // check if access_token is valid
+        $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token/introspect";
+        $req = http_build_query(array(
+          'token'    => $iam_settings['access_token'],
+          'client_id'     => $iam_settings['client_id'],
+          'client_secret' => $iam_settings['client_secret']
+        ));
+        $curl = curl_init();
+        curl_setopt($curl, CURLOPT_URL, $url);
+        curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+        curl_setopt($curl, CURLOPT_POST, 1);
+        curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+        curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($curl, CURLOPT_TIMEOUT, 5);
+        $res = json_decode(curl_exec($curl), true);
+        $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+        curl_close ($curl);
+        if ($code == 200 && $res['active'] == true) {
+          // token is valid
+          return $iam_settings['access_token'];
+        }
+      }
+
+      $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
+      $req = http_build_query(array(
+        'grant_type'    => 'client_credentials',
+        'client_id'     => $iam_settings['client_id'],
+        'client_secret' => $iam_settings['client_secret']
+      ));
+      $curl = curl_init();
+      curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+      curl_setopt($curl, CURLOPT_POST, 1);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+      curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+      curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 5);
+      $res = json_decode(curl_exec($curl), true);
+      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+      curl_close ($curl);
+      if ($code != 200) {
+        return false;
+      }
+      
+      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+      $stmt->execute(array(
+        ':key' => 'access_token',
+        ':value' => $res['access_token']
+      ));
+      return $res['access_token'];
+    break;
+  }
+}
+function cors($action, $data = null) {
+  global $redis;
+
+  switch ($action) {
+    case "edit":
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }    
+
+      $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
+      $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
+      foreach ($allowed_origins as $origin) {
+        if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $action, $data),
+            'msg' => 'cors_invalid_origin'
+          );
+          return false;
+        }
+      }
+
+      $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE');
+      $allowed_methods  = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods;
+      $available_methods = array('GET', 'POST', 'PUT', 'DELETE');
+      foreach ($allowed_methods as $method) {
+        if (!in_array($method, $available_methods)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $action, $data),
+            'msg' => 'cors_invalid_method'
+          );
+          return false;
+        }
+      }
+
+      try {
+        $redis->hMSet('CORS_SETTINGS', array(
+          'allowed_origins' => implode(', ', $allowed_origins),
+          'allowed_methods' => implode(', ', $allowed_methods)
+        ));   
+      } catch (RedisException $e) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $data),
+          'msg' => array('redis_error', $e)
+        );
+        return false;
+      }
+      
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $action, $data),
+        'msg' => 'cors_headers_edited'
+      );
+      return true;
+    break;
+    case "get":
+      try {
+        $cors_settings                  = $redis->hMGet('CORS_SETTINGS', array('allowed_origins', 'allowed_methods'));
+      } catch (RedisException $e) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $data),
+          'msg' => array('redis_error', $e)
+        );
+      }
+
+      $cors_settings                    = !$cors_settings ? array('allowed_origins' => $_SERVER['SERVER_NAME'], 'allowed_methods' => 'GET, POST, PUT, DELETE') : $cors_settings;
+      $cors_settings['allowed_origins'] = empty($cors_settings['allowed_origins']) ? $_SERVER['SERVER_NAME'] : $cors_settings['allowed_origins'];
+      $cors_settings['allowed_methods'] = empty($cors_settings['allowed_methods']) ? 'GET, POST, PUT, DELETE, OPTION' : $cors_settings['allowed_methods'];
+
+      return $cors_settings;
+    break;
+    case "set_headers":
+      $cors_settings = cors('get');
+      // check if requested origin is in allowed origins
+      $allowed_origins = explode(', ', $cors_settings['allowed_origins']);
+      $cors_settings['allowed_origins'] = $allowed_origins[0];
+      if (in_array('*', $allowed_origins)){
+        $cors_settings['allowed_origins'] = '*';
+      } else if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
+        $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN'];
+      }
+      // always allow OPTIONS for preflight request
+      $cors_settings["allowed_methods"] = empty($cors_settings["allowed_methods"]) ? 'OPTIONS' : $cors_settings["allowed_methods"] . ', ' . 'OPTIONS';
+
+      header('Access-Control-Allow-Origin: ' . $cors_settings['allowed_origins']);
+      header('Access-Control-Allow-Methods: '. $cors_settings['allowed_methods']);
+      header('Access-Control-Allow-Headers: Accept, Content-Type, X-Api-Key, Origin');
+
+      // Access-Control settings requested, this is just a preflight request
+      if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && 
+        isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) &&
+        isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
+  
+        $allowed_methods = explode(', ', $cors_settings["allowed_methods"]);
+        if (in_array($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], $allowed_methods, true))
+          // method allowed send 200 OK
+          http_response_code(200);
+        else
+          // method not allowed send 405 METHOD NOT ALLOWED
+          http_response_code(405);
+
+        exit;
+      }
+    break;
+  }
+}
+
+function clear_session(){
+  session_regenerate_id(true);
+  session_unset();
+  session_destroy();
+  session_write_close();
+}
 function get_logs($application, $lines = false) {
   if ($lines === false) {
     $lines = $GLOBALS['LOG_LINES'] - 1;
@@ -2168,6 +2581,20 @@ function get_logs($application, $lines = false) {
       return $data_array;
     }
   }
+  if ($application == "cron-mailcow") {
+    if (isset($from) && isset($to)) {
+      $data = $redis->lRange('CRON_LOG', $from - 1, $to - 1);
+    }
+    else {
+      $data = $redis->lRange('CRON_LOG', 0, $lines);
+    }
+    if ($data) {
+      foreach ($data as $json_line) {
+        $data_array[] = json_decode($json_line, true);
+      }
+      return $data_array;
+    }
+  }
   if ($application == "postfix-mailcow") {
     if (isset($from) && isset($to)) {
       $data = $redis->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1);

data/web/inc/functions.mailbox.inc.php

@@ -988,6 +988,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $local_part   = strtolower(trim($_data['local_part']));
           $domain       = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
           $username     = $local_part . '@' . $domain;
+          $authsource   = 'mailcow';
           if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -1004,12 +1005,20 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
+          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
+            $authsource = $_data['authsource'];
+          }
           $password     = $_data['password'];
           $password2    = $_data['password2'];
           $name         = ltrim(rtrim($_data['name'], '>'), '<');
           $tags         = $_data['tags'];
           $quota_m      = intval($_data['quota']);
-          if ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0) {
+          if ($authsource != 'mailcow'){
+            $password = '';
+            $password2 = '';
+            $password_hashed = '';
+          }
+          if (!$_extra['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1040,6 +1049,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $quarantine_notification = (isset($_data['quarantine_notification'])) ? strval($_data['quarantine_notification']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
           $quarantine_category = (isset($_data['quarantine_category'])) ? strval($_data['quarantine_category']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
           $quota_b    = ($quota_m * 1048576);
+          $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
           $mailbox_attrs = json_encode(
             array(
               'force_pw_update' => strval($force_pw_update),
@@ -1054,7 +1064,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'passwd_update' => time(),
               'mailbox_format' => strval($MAILBOX_DEFAULT_ATTRIBUTES['mailbox_format']),
               'quarantine_notification' => strval($quarantine_notification),
-              'quarantine_category' => strval($quarantine_category)
+              'quarantine_category' => strval($quarantine_category),
+              'attribute_hash' => $attribute_hash
             )
           );
           if (!is_valid_domain_name($domain)) {
@@ -1065,7 +1076,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['iam_create_login']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1129,10 +1140,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (password_check($password, $password2) !== true) {
-            return false;
+          if ($authsource == 'mailcow'){
+            if (password_check($password, $password2) !== true) {
+              return false;
+            }
+            $password_hashed = hash_password($password);
           }
-          $password_hashed = hash_password($password);
           if ($MailboxData['count'] >= $DomainData['mailboxes']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -1158,8 +1171,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          $stmt = $pdo->prepare("INSERT INTO `mailbox` (`username`, `password`, `name`, `quota`, `local_part`, `domain`, `attributes`, `active`)
-            VALUES (:username, :password_hashed, :name, :quota_b, :local_part, :domain, :mailbox_attrs, :active)");
+          $stmt = $pdo->prepare("INSERT INTO `mailbox` (`username`, `password`, `name`, `quota`, `local_part`, `domain`, `attributes`, `authsource`, `active`)
+            VALUES (:username, :password_hashed, :name, :quota_b, :local_part, :domain, :mailbox_attrs, :authsource, :active)");
           $stmt->execute(array(
             ':username' => $username,
             ':password_hashed' => $password_hashed,
@@ -1168,6 +1181,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             ':local_part' => $local_part,
             ':domain' => $domain,
             ':mailbox_attrs' => $mailbox_attrs,
+            ':authsource' => $authsource,
             ':active' => $active
           ));
           $stmt = $pdo->prepare("UPDATE `mailbox` SET
@@ -1187,11 +1201,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               break;
             }
-            $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
-            $stmt->execute(array(
-              ':username' => $username,
-              ':tag_name' => $tag,
-            ));
+            try {
+              $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
+              $stmt->execute(array(
+                ':username' => $username,
+                ':tag_name' => $tag,
+              ));
+            } catch (Exception $e) {
+            }
           }
           $stmt = $pdo->prepare("INSERT INTO `quota2` (`username`, `bytes`, `messages`)
             VALUES (:username, '0', '0') ON DUPLICATE KEY UPDATE `bytes` = '0', `messages` = '0';");
@@ -1261,14 +1278,62 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'object' => $username,
               'rl_frame' => $_data['rl_frame'],
               'rl_value' => $_data['rl_value']
-            ));
+            ), $_extra);
+          }
+       
+          try {
+            update_sogo_static_view($username);
+          }catch (PDOException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => $e->getMessage()
+            );
           }
-
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
             'msg' => array('mailbox_added', htmlspecialchars($username))
           );
+          return true;
+        break;
+        case 'mailbox_from_template':
+          $stmt = $pdo->prepare("SELECT * FROM `templates` 
+          WHERE `template` = :template AND type = 'mailbox'");
+          $stmt->execute(array(
+            ":template" => $_data['template']
+          ));
+          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($mbox_template_data)){
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'template_missing'
+            );
+            return false;
+          }  
+          
+          $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);  
+          $mbox_template_data['domain'] = $_data['domain'];
+          $mbox_template_data['local_part'] = $_data['local_part'];
+          $mbox_template_data['authsource'] = $_data['authsource'];
+          $mbox_template_data['attribute_hash'] = $attribute_hash;
+          $mbox_template_data['quota'] = intval($mbox_template_data['quota'] / 1048576);
+        
+          $mailbox_attributes = array('acl' => array());
+          foreach ($mbox_template_data as $key => $value){
+            switch (true) {
+              case (strpos($key, 'acl_') === 0 && $value != 0):
+                array_push($mailbox_attributes['acl'], str_replace('acl_' , '', $key));
+              break;
+              default:
+                $mailbox_attributes[$key] = $value;
+              break;
+            }
+          }
+
+          return mailbox('add', 'mailbox', $mailbox_attributes, array('iam_create_login' => true));
         break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@@ -2824,12 +2889,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               (int)$sieve_access = (isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
               (int)$relayhost = (isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
               (int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
-              $name       = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
-              $domain     = $is_now['domain'];
-              $quota_b    = $quota_m * 1048576;
-              $password   = (!empty($_data['password'])) ? $_data['password'] : null;
-              $password2  = (!empty($_data['password2'])) ? $_data['password2'] : null;
-              $tags       = (is_array($_data['tags']) ? $_data['tags'] : array());
+              $name           = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
+              $domain         = $is_now['domain'];
+              $quota_b        = $quota_m * 1048576;
+              $password       = (!empty($_data['password'])) ? $_data['password'] : null;
+              $password2      = (!empty($_data['password2'])) ? $_data['password2'] : null;
+              $tags           = (is_array($_data['tags']) ? $_data['tags'] : array());
+              $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
+              $authsource     = $is_now['authsource'];
+              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
+                $authsource = $_data['authsource'];
+              }
             }
             else {
               $_SESSION['return'][] = array(
@@ -3068,7 +3138,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $stmt = $pdo->prepare("UPDATE `mailbox` SET
                   `password` = :password_hashed,
                   `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-                    WHERE `username` = :username");
+                    WHERE `username` = :username AND authsource = 'mailcow'");
               $stmt->execute(array(
                 ':password_hashed' => $password_hashed,
                 ':username' => $username
@@ -3086,18 +3156,21 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 `active` = :active,
                 `name`= :name,
                 `quota` = :quota_b,
+                `authsource` = :authsource,
                 `attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
                 `attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
                 `attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
                 `attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
                 `attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
                 `attributes` = JSON_SET(`attributes`, '$.relayhost', :relayhost),
-                `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access)
+                `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access),
+                `attributes` = JSON_SET(`attributes`, '$.attribute_hash', :attribute_hash)
                   WHERE `username` = :username");
             $stmt->execute(array(
               ':active' => $active,
               ':name' => $name,
               ':quota_b' => $quota_b,
+              ':attribute_hash' => $attribute_hash,
               ':force_pw_update' => $force_pw_update,
               ':sogo_access' => $sogo_access,
               ':imap_access' => $imap_access,
@@ -3105,7 +3178,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               ':sieve_access' => $sieve_access,
               ':smtp_access' => $smtp_access,
               ':relayhost' => $relayhost,
-              ':username' => $username
+              ':username' => $username,
+              ':authsource' => $authsource
             ));
             // save tags
             foreach($tags as $index => $tag){
@@ -3118,11 +3192,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 );
                 break;
               }
-              $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
-              $stmt->execute(array(
-                ':username' => $username,
-                ':tag_name' => $tag,
-              ));
+              try {
+                $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
+                $stmt->execute(array(
+                  ':username' => $username,
+                  ':tag_name' => $tag,
+                ));
+              } catch (Exception $e) {
+              }
             }
             
             $_SESSION['return'][] = array(
@@ -3130,7 +3207,84 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('mailbox_modified', $username)
             );
+
+            try {
+              update_sogo_static_view($username);
+            }catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
           }
+          return true;
+        break;
+        case 'mailbox_from_template':
+          $stmt = $pdo->prepare("SELECT * FROM `templates` 
+          WHERE `template` = :template AND type = 'mailbox'");
+          $stmt->execute(array(
+            ":template" => $_data['template']
+          ));
+          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($mbox_template_data)){
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'template_missing'
+            );
+            return false;
+          }
+
+          $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
+          $is_now = mailbox('get', 'mailbox_details', $_data['username']);
+          if ($is_now['attributes']['attribute_hash'] == $attribute_hash)
+            return true;
+
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+          $mbox_template_data['attribute_hash'] = $attribute_hash;
+          $quarantine_attributes = array('username' => $_data['username']);
+          $tls_attributes = array('username' => $_data['username']);
+          $ratelimit_attributes = array('object' => $_data['username']);
+          $acl_attributes = array('username' => $_data['username'], 'user_acl' => array());
+          $mailbox_attributes = array('username' => $_data['username']);
+          foreach ($mbox_template_data as $key => $value){
+            switch (true) {
+              case (strpos($key, 'quarantine_') === 0):
+                $quarantine_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'tls_') === 0):
+                if ($value == null)
+                  $value = 0;
+                $tls_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'rl_') === 0):
+                $ratelimit_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'acl_') === 0 && $value != 0):
+                array_push($acl_attributes['user_acl'], str_replace('acl_' , '', $key));
+              break;
+              default:
+                $mailbox_attributes[$key] = $value;
+              break;
+            }
+          }
+        
+          $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
+          $result = mailbox('edit', 'mailbox', $mailbox_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'tls_policy', $tls_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
+          if ($result === false) return $result;
+          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
+          if ($result === false) return $result;
+          $result = acl('edit', 'user', $acl_attributes);
+          if ($result === false) return $result;
+
+          return true;
         break;
         case 'mailbox_templates':
           if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -3960,6 +4114,39 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
           return $aliasdomaindata;
         break;
+        case 'shared_aliases':
+          $shared_aliases = array();
+          $stmt = $pdo->query("SELECT `address` FROM `alias`
+            WHERE `goto` REGEXP ','
+            AND `address` NOT LIKE '@%'
+            AND `goto` != `address`");
+          $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+          while($row = array_shift($rows)) {
+            $domain = explode("@", $row['address'])[1];
+            if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+              $shared_aliases[] = $row['address'];
+            }
+          }
+
+          return $shared_aliases;
+        break;
+        case 'direct_aliases':
+          $direct_aliases = array();
+          $stmt = $pdo->query("SELECT `address` FROM `alias`
+            WHERE `goto` NOT LIKE '%,%'
+            AND `address` NOT LIKE '@%'
+            AND `goto` != `address`");
+          $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+          while($row = array_shift($rows)) {
+            $domain = explode("@", $row['address'])[1];
+            if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+              $direct_aliases[] = $row['address'];
+            }
+          }
+
+          return $direct_aliases;
+        break;
         case 'domains':
           $domains = array();
           if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
@@ -4190,6 +4377,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               `mailbox`.`quota`,
               `mailbox`.`created`,
               `mailbox`.`modified`,
+              `mailbox`.`authsource`,
               `quota2`.`bytes`,
               `attributes`,
               `quota2`.`messages`
@@ -4210,6 +4398,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               `mailbox`.`quota`,
               `mailbox`.`created`,
               `mailbox`.`modified`,
+              `mailbox`.`authsource`,
               `quota2replica`.`bytes`,
               `attributes`,
               `quota2replica`.`messages`
@@ -4238,6 +4427,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $mailboxdata['percent_in_use'] = ($row['quota'] == 0) ? '- ' : round((intval($row['bytes']) / intval($row['quota'])) * 100);
           $mailboxdata['created'] = $row['created'];
           $mailboxdata['modified'] = $row['modified'];
+          $mailboxdata['authsource'] = ($row['authsource']) ? $row['authsource'] : 'mailcow';
 
           if ($mailboxdata['percent_in_use'] === '- ') {
             $mailboxdata['percent_class'] = "info";
@@ -4892,13 +5082,19 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             if (!empty($mailbox_details['domain']) && !empty($mailbox_details['local_part'])) {
               $maildir = $mailbox_details['domain'] . '/' . $mailbox_details['local_part'];
               $exec_fields = array('cmd' => 'maildir', 'task' => 'cleanup', 'maildir' => $maildir);
-              $maildir_gc = json_decode(docker('post', 'dovecot-mailcow', 'exec', $exec_fields), true);
-              if ($maildir_gc['type'] != 'success') {
-                $_SESSION['return'][] = array(
-                  'type' => 'warning',
-                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => 'Could not move maildir to garbage collector: ' . $maildir_gc['msg']
-                );
+
+              if (getenv("CLUSTERMODE") == "replication") {
+                // broadcast to each dovecot container
+                docker('broadcast', 'dovecot-mailcow', 'exec', $exec_fields);
+              } else {
+                $maildir_gc = json_decode(docker('post', 'dovecot-mailcow', 'exec', $exec_fields), true);
+                if ($maildir_gc['type'] != 'success') {
+                  $_SESSION['return'][] = array(
+                    'type' => 'warning',
+                    'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                    'msg' => 'Could not move maildir to garbage collector: ' . $maildir_gc['msg']
+                  );
+                }
               }
             }
             else {
@@ -4951,9 +5147,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $stmt->execute(array(
               ':username' => $username
             ));
-            $stmt = $pdo->prepare("DELETE FROM `sender_acl` WHERE `logged_in_as` = :username");
+            $stmt = $pdo->prepare("DELETE FROM `sender_acl` WHERE `logged_in_as` = :logged_in_as OR `send_as` = :send_as");
             $stmt->execute(array(
-              ':username' => $username
+              ':logged_in_as' => $username,
+              ':send_as' => $username
             ));
             // fk, better safe than sorry
             $stmt = $pdo->prepare("DELETE FROM `user_acl` WHERE `username` = :username");
@@ -5053,12 +5250,23 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
+                 
+            try {
+              update_sogo_static_view($username);
+            }catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
             $_SESSION['return'][] = array(
               'type' => 'success',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('mailbox_removed', htmlspecialchars($username))
             );
           }
+          return true;
         break;
         case 'mailbox_templates':
           if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -5264,7 +5472,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
       }
     break;
   }
-  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'mailbox', 'resource'))) {
-    update_sogo_static_view();
+  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {            
+    try {
+      update_sogo_static_view();
+    }catch (PDOException $e) {
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+        'msg' => $e->getMessage()
+      );
+    }
   }
+  
+  return true;
 }

data/web/inc/functions.ratelimit.inc.php

@@ -1,10 +1,10 @@
 <?php
-function ratelimit($_action, $_scope, $_data = null) {
+function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
   global $redis;
   $_data_log = $_data;
   switch ($_action) {
     case 'edit':
-      if (!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1" ) {
+      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['iam_create_login']) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null) {
               );
               continue;
             }
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
-              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
+            if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['iam_create_login']) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),

data/web/inc/header.inc.php

@@ -30,6 +30,32 @@ if(!file_exists($CSSPath)) {
   cleanupCSS($hash);
 }
 
+$mailcow_apps_processed = $MAILCOW_APPS;
+$app_links = customize('get', 'app_links');
+$app_links_processed = $app_links;
+$hide_mailcow_apps = true;
+for ($i = 0; $i < count($mailcow_apps_processed); $i++) {
+  if ($hide_mailcow_apps && !$mailcow_apps_processed[$i]['hide']){
+    $hide_mailcow_apps = false;
+  }
+  if (!empty($_SESSION['mailcow_cc_username'])){
+    $mailcow_apps_processed[$i]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $mailcow_apps_processed[$i]['user_link']);
+  }
+}
+if ($app_links_processed){
+  for ($i = 0; $i < count($app_links_processed); $i++) {
+    $key = array_key_first($app_links_processed[$i]);
+    if ($hide_mailcow_apps && !$app_links_processed[$i][$key]['hide']){
+      $hide_mailcow_apps = false;
+    }
+    if (!empty($_SESSION['mailcow_cc_username'])){
+      $app_links_processed[$i][$key]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links_processed[$i][$key]['user_link']);
+    }
+  }
+}
+
+
+
 $globalVariables = [
   'mailcow_hostname' => getenv('MAILCOW_HOSTNAME'),
   'mailcow_locale' => @$_SESSION['mailcow_locale'],
@@ -44,8 +70,11 @@ $globalVariables = [
   'lang' => $lang,
   'skip_sogo' => (getenv('SKIP_SOGO') == 'y'),
   'allow_admin_email_login' => (getenv('ALLOW_ADMIN_EMAIL_LOGIN') == 'n'),
+  'hide_mailcow_apps' => $hide_mailcow_apps,
   'mailcow_apps' => $MAILCOW_APPS,
-  'app_links' => customize('get', 'app_links'),
+  'mailcow_apps_processed' => $mailcow_apps_processed,
+  'app_links' => $app_links,
+  'app_links_processed' => $app_links_processed,
   'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
   'uri' => $_SERVER['REQUEST_URI'],
   'last_login' => last_login('get', $_SESSION['mailcow_cc_username'], 7, 0)['ui']['time']

data/web/inc/lib/composer.json

@@ -1,7 +1,6 @@
 {
     "require": {
         "robthree/twofactorauth": "^1.6",
-        "yubico/u2flib-server": "^1.0",
         "phpmailer/phpmailer": "^6.1",
         "php-mime-mail-parser/php-mime-mail-parser": "^7",
         "soundasleep/html2text": "^0.5.0",
@@ -10,6 +9,8 @@
         "bshaffer/oauth2-server-php": "^1.11",
         "mustangostang/spyc": "^0.6.3",
         "directorytree/ldaprecord": "^2.4",
-        "twig/twig": "^3.0"
+        "twig/twig": "^3.0",
+        "stevenmaguire/oauth2-keycloak": "^4.0",
+        "league/oauth2-client": "^2.7"
     }
 }

data/web/inc/lib/composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "139c1e5dec323144cd778ce80fd1847e",
+    "content-hash": "8f5a147cdb147b935a158b86f47a4747",
     "packages": [
         {
             "name": "bshaffer/oauth2-server-php",
@@ -216,6 +216,397 @@
             ],
             "time": "2022-02-25T16:00:51+00:00"
         },
+        {
+            "name": "firebase/php-jwt",
+            "version": "v6.5.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/firebase/php-jwt.git",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.4||^8.0"
+            },
+            "require-dev": {
+                "guzzlehttp/guzzle": "^6.5||^7.4",
+                "phpspec/prophecy-phpunit": "^2.0",
+                "phpunit/phpunit": "^9.5",
+                "psr/cache": "^1.0||^2.0",
+                "psr/http-client": "^1.0",
+                "psr/http-factory": "^1.0"
+            },
+            "suggest": {
+                "ext-sodium": "Support EdDSA (Ed25519) signatures",
+                "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Firebase\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Neuman Vong",
+                    "email": "neuman+pear@twilio.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Anant Narayanan",
+                    "email": "anant@php.net",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+            "homepage": "https://github.com/firebase/php-jwt",
+            "keywords": [
+                "jwt",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/firebase/php-jwt/issues",
+                "source": "https://github.com/firebase/php-jwt/tree/v6.5.0"
+            },
+            "time": "2023-05-12T15:47:07+00:00"
+        },
+        {
+            "name": "guzzlehttp/guzzle",
+            "version": "7.5.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/guzzle.git",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "shasum": ""
+            },
+            "require": {
+                "ext-json": "*",
+                "guzzlehttp/promises": "^1.5",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-client": "^1.0",
+                "symfony/deprecation-contracts": "^2.2 || ^3.0"
+            },
+            "provide": {
+                "psr/http-client-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "ext-curl": "*",
+                "php-http/client-integration-tests": "^3.0",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23",
+                "psr/log": "^1.1 || ^2.0 || ^3.0"
+            },
+            "suggest": {
+                "ext-curl": "Required for CURL handler support",
+                "ext-intl": "Required for Internationalized Domain Name (IDN) support",
+                "psr/log": "Required for using the Log middleware"
+            },
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "7.5-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Jeremy Lindblom",
+                    "email": "jeremeamia@gmail.com",
+                    "homepage": "https://github.com/jeremeamia"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle is a PHP HTTP client library",
+            "keywords": [
+                "client",
+                "curl",
+                "framework",
+                "http",
+                "http client",
+                "psr-18",
+                "psr-7",
+                "rest",
+                "web service"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/guzzle/issues",
+                "source": "https://github.com/guzzle/guzzle/tree/7.5.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/guzzle",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2022-08-28T15:39:27+00:00"
+        },
+        {
+            "name": "guzzlehttp/promises",
+            "version": "1.5.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/promises.git",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/b94b2807d85443f9719887892882d0329d1e2598",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.5"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^4.4 || ^5.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.5-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\Promise\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle promises library",
+            "keywords": [
+                "promise"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/promises/issues",
+                "source": "https://github.com/guzzle/promises/tree/1.5.2"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/promises",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2022-08-28T14:55:35+00:00"
+        },
+        {
+            "name": "guzzlehttp/psr7",
+            "version": "2.4.5",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/psr7.git",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0",
+                "ralouphie/getallheaders": "^3.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "http-interop/http-factory-tests": "^0.9",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23"
+            },
+            "suggest": {
+                "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+            },
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "GuzzleHttp\\Psr7\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://sagikazarmark.hu"
+                }
+            ],
+            "description": "PSR-7 message implementation that also provides common utility methods",
+            "keywords": [
+                "http",
+                "message",
+                "psr-7",
+                "request",
+                "response",
+                "stream",
+                "uri",
+                "url"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/psr7/issues",
+                "source": "https://github.com/guzzle/psr7/tree/2.4.5"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2023-04-17T16:00:45+00:00"
+        },
         {
             "name": "illuminate/contracts",
             "version": "v9.3.0",
@@ -264,6 +655,76 @@
             },
             "time": "2022-02-22T14:45:39+00:00"
         },
+        {
+            "name": "league/oauth2-client",
+            "version": "2.7.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/oauth2-client.git",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8",
+                "shasum": ""
+            },
+            "require": {
+                "guzzlehttp/guzzle": "^6.0 || ^7.0",
+                "paragonie/random_compat": "^1 || ^2 || ^9.99",
+                "php": "^5.6 || ^7.0 || ^8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "^1.3.5",
+                "php-parallel-lint/php-parallel-lint": "^1.3.1",
+                "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
+                "squizlabs/php_codesniffer": "^2.3 || ^3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-2.x": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "hello@alexbilbie.com",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Woody Gilk",
+                    "homepage": "https://github.com/shadowhand",
+                    "role": "Contributor"
+                }
+            ],
+            "description": "OAuth 2.0 Client Library",
+            "keywords": [
+                "Authentication",
+                "SSO",
+                "authorization",
+                "identity",
+                "idp",
+                "oauth",
+                "oauth2",
+                "single sign on"
+            ],
+            "support": {
+                "issues": "https://github.com/thephpleague/oauth2-client/issues",
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0"
+            },
+            "time": "2023-04-16T18:19:15+00:00"
+        },
         {
             "name": "matthiasmullie/minify",
             "version": "1.3.66",
@@ -813,6 +1274,166 @@
             },
             "time": "2021-11-05T16:47:00+00:00"
         },
+        {
+            "name": "psr/http-client",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-client.git",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-client/zipball/2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP clients",
+            "homepage": "https://github.com/php-fig/http-client",
+            "keywords": [
+                "http",
+                "http-client",
+                "psr",
+                "psr-18"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-client/tree/master"
+            },
+            "time": "2020-06-29T06:28:15+00:00"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-factory/tree/master"
+            },
+            "time": "2019-04-30T12:38:16+00:00"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-message/tree/master"
+            },
+            "time": "2016-08-06T14:39:51+00:00"
+        },
         {
             "name": "psr/log",
             "version": "3.0.0",
@@ -914,6 +1535,50 @@
             },
             "time": "2021-10-29T13:22:09+00:00"
         },
+        {
+            "name": "ralouphie/getallheaders",
+            "version": "3.0.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ralouphie/getallheaders.git",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.6"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.1",
+                "phpunit/phpunit": "^5 || ^6.5"
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "src/getallheaders.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Ralph Khattar",
+                    "email": "ralph.khattar@gmail.com"
+                }
+            ],
+            "description": "A polyfill for getallheaders.",
+            "support": {
+                "issues": "https://github.com/ralouphie/getallheaders/issues",
+                "source": "https://github.com/ralouphie/getallheaders/tree/develop"
+            },
+            "time": "2019-03-08T08:55:37+00:00"
+        },
         {
             "name": "robthree/twofactorauth",
             "version": "1.8.1",
@@ -1039,6 +1704,134 @@
             },
             "time": "2017-04-19T22:01:50+00:00"
         },
+        {
+            "name": "stevenmaguire/oauth2-keycloak",
+            "version": "4.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "shasum": ""
+            },
+            "require": {
+                "firebase/php-jwt": "^4.0 || ^5.0 || ^6.0",
+                "league/oauth2-client": "^2.0",
+                "php": "~7.2 || ~8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "~1.5.0",
+                "phpunit/phpunit": "~9.6.4",
+                "squizlabs/php_codesniffer": "~3.7.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Stevenmaguire\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steven Maguire",
+                    "email": "stevenmaguire@gmail.com",
+                    "homepage": "https://github.com/stevenmaguire"
+                }
+            ],
+            "description": "Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client",
+            "keywords": [
+                "authorisation",
+                "authorization",
+                "client",
+                "keycloak",
+                "oauth",
+                "oauth2"
+            ],
+            "support": {
+                "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/4.0.0"
+            },
+            "time": "2023-03-14T09:43:47+00:00"
+        },
+        {
+            "name": "symfony/deprecation-contracts",
+            "version": "v3.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/deprecation-contracts.git",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-main": "3.3-dev"
+                },
+                "thanks": {
+                    "name": "symfony/contracts",
+                    "url": "https://github.com/symfony/contracts"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "function.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "A generic function and convention to trigger deprecation notices",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2023-03-01T10:25:55+00:00"
+        },
         {
             "name": "symfony/polyfill-ctype",
             "version": "v1.24.0",
@@ -1677,47 +2470,6 @@
                 }
             ],
             "time": "2022-09-28T08:42:51+00:00"
-        },
-        {
-            "name": "yubico/u2flib-server",
-            "version": "1.0.2",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/Yubico/php-u2flib-server.git",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/Yubico/php-u2flib-server/zipball/55d813acf68212ad2cadecde07551600d6971939",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939",
-                "shasum": ""
-            },
-            "require": {
-                "ext-openssl": "*",
-                "paragonie/random_compat": ">= 1",
-                "php": ">=5.6"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "~5.7",
-                "vimeo/psalm": "^0|^1|^2"
-            },
-            "type": "library",
-            "autoload": {
-                "classmap": [
-                    "src/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "BSD-2-Clause"
-            ],
-            "description": "Library for U2F implementation",
-            "homepage": "https://developers.yubico.com/php-u2flib-server",
-            "support": {
-                "issues": "https://github.com/Yubico/php-u2flib-server/issues",
-                "source": "https://github.com/Yubico/php-u2flib-server/tree/1.0.2"
-            },
-            "time": "2018-09-07T08:16:44+00:00"
         }
     ],
     "packages-dev": [],

data/web/inc/lib/vendor/composer/autoload_classmap.php

@@ -11,9 +11,4 @@ return array(
     'Stringable' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
     'UnhandledMatchError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
     'ValueError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
-    'u2flib_server\\Error' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\RegisterRequest' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\Registration' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\SignRequest' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\U2F' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
 );

data/web/inc/lib/vendor/composer/autoload_files.php

@@ -7,6 +7,10 @@ $baseDir = dirname($vendorDir);
 
 return array(
     '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+    '7b11c4dc42b3b3023073cb14e519683c' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
+    'c964ee0ededf28c96ebd9db5099ef910' => $vendorDir . '/guzzlehttp/promises/src/functions_include.php',
+    '6e3fae29631ef280660b3cdad06f25a8' => $vendorDir . '/symfony/deprecation-contracts/function.php',
+    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
     'a4a119a56e50fbb293281d9a48007e0e' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
     'a1105708a18b76903365ca1c4aa61b02' => $vendorDir . '/symfony/translation/Resources/functions.php',
     '667aeda72477189d0494fecd327c3641' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',

data/web/inc/lib/vendor/composer/autoload_psr4.php

@@ -14,17 +14,25 @@ return array(
     'Symfony\\Contracts\\Translation\\' => array($vendorDir . '/symfony/translation-contracts'),
     'Symfony\\Component\\VarDumper\\' => array($vendorDir . '/symfony/var-dumper'),
     'Symfony\\Component\\Translation\\' => array($vendorDir . '/symfony/translation'),
+    'Stevenmaguire\\OAuth2\\Client\\' => array($vendorDir . '/stevenmaguire/oauth2-keycloak/src'),
     'RobThree\\Auth\\' => array($vendorDir . '/robthree/twofactorauth/lib'),
     'Psr\\SimpleCache\\' => array($vendorDir . '/psr/simple-cache/src'),
     'Psr\\Log\\' => array($vendorDir . '/psr/log/src'),
+    'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'),
+    'Psr\\Http\\Client\\' => array($vendorDir . '/psr/http-client/src'),
     'Psr\\Container\\' => array($vendorDir . '/psr/container/src'),
     'PhpMimeMailParser\\' => array($vendorDir . '/php-mime-mail-parser/php-mime-mail-parser/src'),
     'PHPMailer\\PHPMailer\\' => array($vendorDir . '/phpmailer/phpmailer/src'),
     'MatthiasMullie\\PathConverter\\' => array($vendorDir . '/matthiasmullie/path-converter/src'),
     'MatthiasMullie\\Minify\\' => array($vendorDir . '/matthiasmullie/minify/src'),
+    'League\\OAuth2\\Client\\' => array($vendorDir . '/league/oauth2-client/src'),
     'LdapRecord\\' => array($vendorDir . '/directorytree/ldaprecord/src'),
     'Illuminate\\Contracts\\' => array($vendorDir . '/illuminate/contracts'),
     'Html2Text\\' => array($vendorDir . '/soundasleep/html2text/src'),
+    'GuzzleHttp\\Psr7\\' => array($vendorDir . '/guzzlehttp/psr7/src'),
+    'GuzzleHttp\\Promise\\' => array($vendorDir . '/guzzlehttp/promises/src'),
+    'GuzzleHttp\\' => array($vendorDir . '/guzzlehttp/guzzle/src'),
+    'Firebase\\JWT\\' => array($vendorDir . '/firebase/php-jwt/src'),
     'Ddeboer\\Imap\\' => array($vendorDir . '/ddeboer/imap/src'),
     'Carbon\\' => array($vendorDir . '/nesbot/carbon/src/Carbon'),
 );

data/web/inc/lib/vendor/composer/autoload_static.php

@@ -8,6 +8,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
 {
     public static $files = array (
         '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+        '7b11c4dc42b3b3023073cb14e519683c' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
+        'c964ee0ededf28c96ebd9db5099ef910' => __DIR__ . '/..' . '/guzzlehttp/promises/src/functions_include.php',
+        '6e3fae29631ef280660b3cdad06f25a8' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
+        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
         'a4a119a56e50fbb293281d9a48007e0e' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
         'a1105708a18b76903365ca1c4aa61b02' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
         '667aeda72477189d0494fecd327c3641' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
@@ -31,6 +35,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
             'Symfony\\Contracts\\Translation\\' => 30,
             'Symfony\\Component\\VarDumper\\' => 28,
             'Symfony\\Component\\Translation\\' => 30,
+            'Stevenmaguire\\OAuth2\\Client\\' => 28,
         ),
         'R' => 
         array (
@@ -40,6 +45,8 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             'Psr\\SimpleCache\\' => 16,
             'Psr\\Log\\' => 8,
+            'Psr\\Http\\Message\\' => 17,
+            'Psr\\Http\\Client\\' => 16,
             'Psr\\Container\\' => 14,
             'PhpMimeMailParser\\' => 18,
             'PHPMailer\\PHPMailer\\' => 20,
@@ -51,6 +58,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         ),
         'L' => 
         array (
+            'League\\OAuth2\\Client\\' => 21,
             'LdapRecord\\' => 11,
         ),
         'I' => 
@@ -61,6 +69,16 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             'Html2Text\\' => 10,
         ),
+        'G' => 
+        array (
+            'GuzzleHttp\\Psr7\\' => 16,
+            'GuzzleHttp\\Promise\\' => 19,
+            'GuzzleHttp\\' => 11,
+        ),
+        'F' => 
+        array (
+            'Firebase\\JWT\\' => 13,
+        ),
         'D' => 
         array (
             'Ddeboer\\Imap\\' => 13,
@@ -104,6 +122,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/symfony/translation',
         ),
+        'Stevenmaguire\\OAuth2\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/stevenmaguire/oauth2-keycloak/src',
+        ),
         'RobThree\\Auth\\' => 
         array (
             0 => __DIR__ . '/..' . '/robthree/twofactorauth/lib',
@@ -116,6 +138,15 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/psr/log/src',
         ),
+        'Psr\\Http\\Message\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/psr/http-factory/src',
+            1 => __DIR__ . '/..' . '/psr/http-message/src',
+        ),
+        'Psr\\Http\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/psr/http-client/src',
+        ),
         'Psr\\Container\\' => 
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
@@ -136,6 +167,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/matthiasmullie/minify/src',
         ),
+        'League\\OAuth2\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/league/oauth2-client/src',
+        ),
         'LdapRecord\\' => 
         array (
             0 => __DIR__ . '/..' . '/directorytree/ldaprecord/src',
@@ -148,6 +183,22 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/soundasleep/html2text/src',
         ),
+        'GuzzleHttp\\Psr7\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/psr7/src',
+        ),
+        'GuzzleHttp\\Promise\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/promises/src',
+        ),
+        'GuzzleHttp\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/guzzle/src',
+        ),
+        'Firebase\\JWT\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/firebase/php-jwt/src',
+        ),
         'Ddeboer\\Imap\\' => 
         array (
             0 => __DIR__ . '/..' . '/ddeboer/imap/src',
@@ -174,11 +225,6 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         'Stringable' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
         'UnhandledMatchError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
         'ValueError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
-        'u2flib_server\\Error' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\RegisterRequest' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\Registration' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\SignRequest' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\U2F' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
     );
 
     public static function getInitializer(ClassLoader $loader)

data/web/inc/lib/vendor/composer/installed.json

@@ -215,6 +215,409 @@
             ],
             "install-path": "../directorytree/ldaprecord"
         },
+        {
+            "name": "firebase/php-jwt",
+            "version": "v6.5.0",
+            "version_normalized": "6.5.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/firebase/php-jwt.git",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.4||^8.0"
+            },
+            "require-dev": {
+                "guzzlehttp/guzzle": "^6.5||^7.4",
+                "phpspec/prophecy-phpunit": "^2.0",
+                "phpunit/phpunit": "^9.5",
+                "psr/cache": "^1.0||^2.0",
+                "psr/http-client": "^1.0",
+                "psr/http-factory": "^1.0"
+            },
+            "suggest": {
+                "ext-sodium": "Support EdDSA (Ed25519) signatures",
+                "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+            },
+            "time": "2023-05-12T15:47:07+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Firebase\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Neuman Vong",
+                    "email": "neuman+pear@twilio.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Anant Narayanan",
+                    "email": "anant@php.net",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+            "homepage": "https://github.com/firebase/php-jwt",
+            "keywords": [
+                "jwt",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/firebase/php-jwt/issues",
+                "source": "https://github.com/firebase/php-jwt/tree/v6.5.0"
+            },
+            "install-path": "../firebase/php-jwt"
+        },
+        {
+            "name": "guzzlehttp/guzzle",
+            "version": "7.5.0",
+            "version_normalized": "7.5.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/guzzle.git",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "shasum": ""
+            },
+            "require": {
+                "ext-json": "*",
+                "guzzlehttp/promises": "^1.5",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-client": "^1.0",
+                "symfony/deprecation-contracts": "^2.2 || ^3.0"
+            },
+            "provide": {
+                "psr/http-client-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "ext-curl": "*",
+                "php-http/client-integration-tests": "^3.0",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23",
+                "psr/log": "^1.1 || ^2.0 || ^3.0"
+            },
+            "suggest": {
+                "ext-curl": "Required for CURL handler support",
+                "ext-intl": "Required for Internationalized Domain Name (IDN) support",
+                "psr/log": "Required for using the Log middleware"
+            },
+            "time": "2022-08-28T15:39:27+00:00",
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "7.5-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Jeremy Lindblom",
+                    "email": "jeremeamia@gmail.com",
+                    "homepage": "https://github.com/jeremeamia"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle is a PHP HTTP client library",
+            "keywords": [
+                "client",
+                "curl",
+                "framework",
+                "http",
+                "http client",
+                "psr-18",
+                "psr-7",
+                "rest",
+                "web service"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/guzzle/issues",
+                "source": "https://github.com/guzzle/guzzle/tree/7.5.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/guzzle",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/guzzle"
+        },
+        {
+            "name": "guzzlehttp/promises",
+            "version": "1.5.2",
+            "version_normalized": "1.5.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/promises.git",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/b94b2807d85443f9719887892882d0329d1e2598",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.5"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^4.4 || ^5.1"
+            },
+            "time": "2022-08-28T14:55:35+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.5-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\Promise\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle promises library",
+            "keywords": [
+                "promise"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/promises/issues",
+                "source": "https://github.com/guzzle/promises/tree/1.5.2"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/promises",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/promises"
+        },
+        {
+            "name": "guzzlehttp/psr7",
+            "version": "2.4.5",
+            "version_normalized": "2.4.5.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/psr7.git",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0",
+                "ralouphie/getallheaders": "^3.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "http-interop/http-factory-tests": "^0.9",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23"
+            },
+            "suggest": {
+                "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+            },
+            "time": "2023-04-17T16:00:45+00:00",
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "GuzzleHttp\\Psr7\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://sagikazarmark.hu"
+                }
+            ],
+            "description": "PSR-7 message implementation that also provides common utility methods",
+            "keywords": [
+                "http",
+                "message",
+                "psr-7",
+                "request",
+                "response",
+                "stream",
+                "uri",
+                "url"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/psr7/issues",
+                "source": "https://github.com/guzzle/psr7/tree/2.4.5"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/psr7"
+        },
         {
             "name": "illuminate/contracts",
             "version": "v9.3.0",
@@ -266,6 +669,79 @@
             },
             "install-path": "../illuminate/contracts"
         },
+        {
+            "name": "league/oauth2-client",
+            "version": "2.7.0",
+            "version_normalized": "2.7.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/oauth2-client.git",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8",
+                "shasum": ""
+            },
+            "require": {
+                "guzzlehttp/guzzle": "^6.0 || ^7.0",
+                "paragonie/random_compat": "^1 || ^2 || ^9.99",
+                "php": "^5.6 || ^7.0 || ^8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "^1.3.5",
+                "php-parallel-lint/php-parallel-lint": "^1.3.1",
+                "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
+                "squizlabs/php_codesniffer": "^2.3 || ^3.0"
+            },
+            "time": "2023-04-16T18:19:15+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-2.x": "2.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "hello@alexbilbie.com",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Woody Gilk",
+                    "homepage": "https://github.com/shadowhand",
+                    "role": "Contributor"
+                }
+            ],
+            "description": "OAuth 2.0 Client Library",
+            "keywords": [
+                "Authentication",
+                "SSO",
+                "authorization",
+                "identity",
+                "idp",
+                "oauth",
+                "oauth2",
+                "single sign on"
+            ],
+            "support": {
+                "issues": "https://github.com/thephpleague/oauth2-client/issues",
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0"
+            },
+            "install-path": "../league/oauth2-client"
+        },
         {
             "name": "matthiasmullie/minify",
             "version": "1.3.66",
@@ -835,6 +1311,175 @@
             },
             "install-path": "../psr/container"
         },
+        {
+            "name": "psr/http-client",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-client.git",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-client/zipball/2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0",
+                "psr/http-message": "^1.0"
+            },
+            "time": "2020-06-29T06:28:15+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP clients",
+            "homepage": "https://github.com/php-fig/http-client",
+            "keywords": [
+                "http",
+                "http-client",
+                "psr",
+                "psr-18"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-client/tree/master"
+            },
+            "install-path": "../psr/http-client"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "time": "2019-04-30T12:38:16+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-factory/tree/master"
+            },
+            "install-path": "../psr/http-factory"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "time": "2016-08-06T14:39:51+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-message/tree/master"
+            },
+            "install-path": "../psr/http-message"
+        },
         {
             "name": "psr/log",
             "version": "3.0.0",
@@ -942,6 +1587,53 @@
             },
             "install-path": "../psr/simple-cache"
         },
+        {
+            "name": "ralouphie/getallheaders",
+            "version": "3.0.3",
+            "version_normalized": "3.0.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ralouphie/getallheaders.git",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.6"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.1",
+                "phpunit/phpunit": "^5 || ^6.5"
+            },
+            "time": "2019-03-08T08:55:37+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/getallheaders.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Ralph Khattar",
+                    "email": "ralph.khattar@gmail.com"
+                }
+            ],
+            "description": "A polyfill for getallheaders.",
+            "support": {
+                "issues": "https://github.com/ralouphie/getallheaders/issues",
+                "source": "https://github.com/ralouphie/getallheaders/tree/develop"
+            },
+            "install-path": "../ralouphie/getallheaders"
+        },
         {
             "name": "robthree/twofactorauth",
             "version": "1.8.1",
@@ -1068,6 +1760,140 @@
             ],
             "install-path": "../soundasleep/html2text"
         },
+        {
+            "name": "stevenmaguire/oauth2-keycloak",
+            "version": "4.0.0",
+            "version_normalized": "4.0.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "shasum": ""
+            },
+            "require": {
+                "firebase/php-jwt": "^4.0 || ^5.0 || ^6.0",
+                "league/oauth2-client": "^2.0",
+                "php": "~7.2 || ~8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "~1.5.0",
+                "phpunit/phpunit": "~9.6.4",
+                "squizlabs/php_codesniffer": "~3.7.0"
+            },
+            "time": "2023-03-14T09:43:47+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Stevenmaguire\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steven Maguire",
+                    "email": "stevenmaguire@gmail.com",
+                    "homepage": "https://github.com/stevenmaguire"
+                }
+            ],
+            "description": "Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client",
+            "keywords": [
+                "authorisation",
+                "authorization",
+                "client",
+                "keycloak",
+                "oauth",
+                "oauth2"
+            ],
+            "support": {
+                "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/4.0.0"
+            },
+            "install-path": "../stevenmaguire/oauth2-keycloak"
+        },
+        {
+            "name": "symfony/deprecation-contracts",
+            "version": "v3.2.1",
+            "version_normalized": "3.2.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/deprecation-contracts.git",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "time": "2023-03-01T10:25:55+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-main": "3.3-dev"
+                },
+                "thanks": {
+                    "name": "symfony/contracts",
+                    "url": "https://github.com/symfony/contracts"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "function.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "A generic function and convention to trigger deprecation notices",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../symfony/deprecation-contracts"
+        },
         {
             "name": "symfony/polyfill-ctype",
             "version": "v1.24.0",
@@ -1730,46 +2556,6 @@
                 }
             ],
             "install-path": "../twig/twig"
-        },
-        {
-            "name": "yubico/u2flib-server",
-            "version": "1.0.2",
-            "version_normalized": "1.0.2.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/Yubico/php-u2flib-server.git",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/Yubico/php-u2flib-server/zipball/55d813acf68212ad2cadecde07551600d6971939",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939",
-                "shasum": ""
-            },
-            "require": {
-                "ext-openssl": "*",
-                "paragonie/random_compat": ">= 1",
-                "php": ">=5.6"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "~5.7",
-                "vimeo/psalm": "^0|^1|^2"
-            },
-            "time": "2018-09-07T08:16:44+00:00",
-            "type": "library",
-            "installation-source": "dist",
-            "autoload": {
-                "classmap": [
-                    "src/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "BSD-2-Clause"
-            ],
-            "description": "Library for U2F implementation",
-            "homepage": "https://developers.yubico.com/php-u2flib-server",
-            "install-path": "../yubico/u2flib-server"
         }
     ],
     "dev": true,

data/web/inc/lib/vendor/composer/installed.php

@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '8e0b1d8aee4af02311692cb031695cc2ac3850fd',
+        'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '8e0b1d8aee4af02311692cb031695cc2ac3850fd',
+            'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -52,6 +52,42 @@
                 0 => '*',
             ),
         ),
+        'firebase/php-jwt' => array(
+            'pretty_version' => 'v6.5.0',
+            'version' => '6.5.0.0',
+            'reference' => 'e94e7353302b0c11ec3cfff7180cd0b1743975d2',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../firebase/php-jwt',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/guzzle' => array(
+            'pretty_version' => '7.5.0',
+            'version' => '7.5.0.0',
+            'reference' => 'b50a2a1251152e43f6a37f0fa053e730a67d25ba',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/guzzle',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/promises' => array(
+            'pretty_version' => '1.5.2',
+            'version' => '1.5.2.0',
+            'reference' => 'b94b2807d85443f9719887892882d0329d1e2598',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/promises',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/psr7' => array(
+            'pretty_version' => '2.4.5',
+            'version' => '2.4.5.0',
+            'reference' => '0454e12ef0cd597ccd2adb036f7bda4e7fface66',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/psr7',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'illuminate/contracts' => array(
             'pretty_version' => 'v9.3.0',
             'version' => '9.3.0.0',
@@ -61,6 +97,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'league/oauth2-client' => array(
+            'pretty_version' => '2.7.0',
+            'version' => '2.7.0.0',
+            'reference' => '160d6274b03562ebeb55ed18399281d8118b76c8',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../league/oauth2-client',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'matthiasmullie/minify' => array(
             'pretty_version' => '1.3.66',
             'version' => '1.3.66.0',
@@ -139,6 +184,51 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'psr/http-client' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => '2dfb5f6c5eff0e91e20e913f8c5452ed95b86621',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-client',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-client-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
+        'psr/http-factory' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => '12ac7fcd07e5b077433f5f2bee95b3a771bf61be',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-factory',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-factory-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
+        'psr/http-message' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-message',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-message-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
         'psr/log' => array(
             'pretty_version' => '3.0.0',
             'version' => '3.0.0.0',
@@ -157,6 +247,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'ralouphie/getallheaders' => array(
+            'pretty_version' => '3.0.3',
+            'version' => '3.0.3.0',
+            'reference' => '120b605dfeb996808c31b6477290a714d356e822',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../ralouphie/getallheaders',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'robthree/twofactorauth' => array(
             'pretty_version' => '1.8.1',
             'version' => '1.8.1.0',
@@ -175,6 +274,24 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'stevenmaguire/oauth2-keycloak' => array(
+            'pretty_version' => '4.0.0',
+            'version' => '4.0.0.0',
+            'reference' => '05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../stevenmaguire/oauth2-keycloak',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'symfony/deprecation-contracts' => array(
+            'pretty_version' => 'v3.2.1',
+            'version' => '3.2.1.0',
+            'reference' => 'e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../symfony/deprecation-contracts',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'symfony/polyfill-ctype' => array(
             'pretty_version' => 'v1.24.0',
             'version' => '1.24.0.0',
@@ -253,14 +370,5 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
-        'yubico/u2flib-server' => array(
-            'pretty_version' => '1.0.2',
-            'version' => '1.0.2.0',
-            'reference' => '55d813acf68212ad2cadecde07551600d6971939',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../yubico/u2flib-server',
-            'aliases' => array(),
-            'dev_requirement' => false,
-        ),
     ),
 );

data/web/inc/lib/vendor/composer/platform_check.php

@@ -4,8 +4,8 @@
 
 $issues = array();
 
-if (!(PHP_VERSION_ID >= 80002)) {
-    $issues[] = 'Your Composer dependencies require a PHP version ">= 8.0.2". You are running ' . PHP_VERSION . '.';
+if (!(PHP_VERSION_ID >= 80100)) {
+    $issues[] = 'Your Composer dependencies require a PHP version ">= 8.1.0". You are running ' . PHP_VERSION . '.';
 }
 
 if ($issues) {

data/web/inc/lib/vendor/firebase/php-jwt/CHANGELOG.md

@@ -0,0 +1,117 @@
+# Changelog
+
+## [6.5.0](https://github.com/firebase/php-jwt/compare/v6.4.0...v6.5.0) (2023-05-12)
+
+
+### Bug Fixes
+
+* allow KID of '0' ([#505](https://github.com/firebase/php-jwt/issues/505)) ([9dc46a9](https://github.com/firebase/php-jwt/commit/9dc46a9c3e5801294249cfd2554c5363c9f9326a))
+
+
+### Miscellaneous Chores
+
+* drop support for PHP 7.3 ([#495](https://github.com/firebase/php-jwt/issues/495))
+
+## [6.4.0](https://github.com/firebase/php-jwt/compare/v6.3.2...v6.4.0) (2023-02-08)
+
+
+### Features
+
+* add support for W3C ES256K ([#462](https://github.com/firebase/php-jwt/issues/462)) ([213924f](https://github.com/firebase/php-jwt/commit/213924f51936291fbbca99158b11bd4ae56c2c95))
+* improve caching by only decoding jwks when necessary ([#486](https://github.com/firebase/php-jwt/issues/486)) ([78d3ed1](https://github.com/firebase/php-jwt/commit/78d3ed1073553f7d0bbffa6c2010009a0d483d5c))
+
+## [6.3.2](https://github.com/firebase/php-jwt/compare/v6.3.1...v6.3.2) (2022-11-01)
+
+
+### Bug Fixes
+
+* check kid before using as array index ([bad1b04](https://github.com/firebase/php-jwt/commit/bad1b040d0c736bbf86814c6b5ae614f517cf7bd))
+
+## [6.3.1](https://github.com/firebase/php-jwt/compare/v6.3.0...v6.3.1) (2022-11-01)
+
+
+### Bug Fixes
+
+* casing of GET for PSR compat ([#451](https://github.com/firebase/php-jwt/issues/451)) ([60b52b7](https://github.com/firebase/php-jwt/commit/60b52b71978790eafcf3b95cfbd83db0439e8d22))
+* string interpolation format for php 8.2 ([#446](https://github.com/firebase/php-jwt/issues/446)) ([2e07d8a](https://github.com/firebase/php-jwt/commit/2e07d8a1524d12b69b110ad649f17461d068b8f2))
+
+## 6.3.0 / 2022-07-15
+
+ - Added ES256 support to JWK parsing ([#399](https://github.com/firebase/php-jwt/pull/399))
+ - Fixed potential caching error in `CachedKeySet` by caching jwks as strings ([#435](https://github.com/firebase/php-jwt/pull/435))
+
+## 6.2.0 / 2022-05-14
+
+ - Added `CachedKeySet` ([#397](https://github.com/firebase/php-jwt/pull/397))
+ - Added `$defaultAlg` parameter to `JWT::parseKey` and `JWT::parseKeySet` ([#426](https://github.com/firebase/php-jwt/pull/426)).
+
+## 6.1.0 / 2022-03-23
+
+ - Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
+ - Add parameter typing and return types where possible
+
+## 6.0.0 / 2022-01-24
+
+ - **Backwards-Compatibility Breaking Changes**: See the [Release Notes](https://github.com/firebase/php-jwt/releases/tag/v6.0.0) for more information.
+ - New Key object to prevent key/algorithm type confusion (#365)
+ - Add JWK support (#273)
+ - Add ES256 support (#256)
+ - Add ES384 support (#324)
+ - Add Ed25519 support (#343)
+
+## 5.0.0 / 2017-06-26
+- Support RS384 and RS512.
+  See [#117](https://github.com/firebase/php-jwt/pull/117). Thanks [@joostfaassen](https://github.com/joostfaassen)!
+- Add an example for RS256 openssl.
+  See [#125](https://github.com/firebase/php-jwt/pull/125). Thanks [@akeeman](https://github.com/akeeman)!
+- Detect invalid Base64 encoding in signature.
+  See [#162](https://github.com/firebase/php-jwt/pull/162). Thanks [@psignoret](https://github.com/psignoret)!
+- Update `JWT::verify` to handle OpenSSL errors.
+  See [#159](https://github.com/firebase/php-jwt/pull/159). Thanks [@bshaffer](https://github.com/bshaffer)!
+- Add `array` type hinting to `decode` method
+  See [#101](https://github.com/firebase/php-jwt/pull/101). Thanks [@hywak](https://github.com/hywak)!
+- Add all JSON error types.
+  See [#110](https://github.com/firebase/php-jwt/pull/110). Thanks [@gbalduzzi](https://github.com/gbalduzzi)!
+- Bugfix 'kid' not in given key list.
+  See [#129](https://github.com/firebase/php-jwt/pull/129). Thanks [@stampycode](https://github.com/stampycode)!
+- Miscellaneous cleanup, documentation and test fixes.
+  See [#107](https://github.com/firebase/php-jwt/pull/107), [#115](https://github.com/firebase/php-jwt/pull/115),
+  [#160](https://github.com/firebase/php-jwt/pull/160), [#161](https://github.com/firebase/php-jwt/pull/161), and
+  [#165](https://github.com/firebase/php-jwt/pull/165). Thanks [@akeeman](https://github.com/akeeman),
+  [@chinedufn](https://github.com/chinedufn), and [@bshaffer](https://github.com/bshaffer)!
+
+## 4.0.0 / 2016-07-17
+- Add support for late static binding. See [#88](https://github.com/firebase/php-jwt/pull/88) for details. Thanks to [@chappy84](https://github.com/chappy84)!
+- Use static `$timestamp` instead of `time()` to improve unit testing. See [#93](https://github.com/firebase/php-jwt/pull/93) for details. Thanks to [@josephmcdermott](https://github.com/josephmcdermott)!
+- Fixes to exceptions classes. See [#81](https://github.com/firebase/php-jwt/pull/81) for details. Thanks to [@Maks3w](https://github.com/Maks3w)!
+- Fixes to PHPDoc. See [#76](https://github.com/firebase/php-jwt/pull/76) for details. Thanks to [@akeeman](https://github.com/akeeman)!
+
+## 3.0.0 / 2015-07-22
+- Minimum PHP version updated from `5.2.0` to `5.3.0`.
+- Add `\Firebase\JWT` namespace. See
+[#59](https://github.com/firebase/php-jwt/pull/59) for details. Thanks to
+[@Dashron](https://github.com/Dashron)!
+- Require a non-empty key to decode and verify a JWT. See
+[#60](https://github.com/firebase/php-jwt/pull/60) for details. Thanks to
+[@sjones608](https://github.com/sjones608)!
+- Cleaner documentation blocks in the code. See
+[#62](https://github.com/firebase/php-jwt/pull/62) for details. Thanks to
+[@johanderuijter](https://github.com/johanderuijter)!
+
+## 2.2.0 / 2015-06-22
+- Add support for adding custom, optional JWT headers to `JWT::encode()`. See
+[#53](https://github.com/firebase/php-jwt/pull/53/files) for details. Thanks to
+[@mcocaro](https://github.com/mcocaro)!
+
+## 2.1.0 / 2015-05-20
+- Add support for adding a leeway to `JWT:decode()` that accounts for clock skew
+between signing and verifying entities. Thanks to [@lcabral](https://github.com/lcabral)!
+- Add support for passing an object implementing the `ArrayAccess` interface for
+`$keys` argument in `JWT::decode()`. Thanks to [@aztech-dev](https://github.com/aztech-dev)!
+
+## 2.0.0 / 2015-04-01
+- **Note**: It is strongly recommended that you update to > v2.0.0 to address
+  known security vulnerabilities in prior versions when both symmetric and
+  asymmetric keys are used together.
+- Update signature for `JWT::decode(...)` to require an array of supported
+  algorithms to use when verifying token signatures.

data/web/inc/lib/vendor/firebase/php-jwt/LICENSE

@@ -1,9 +1,9 @@
-Copyright (c) 2014 Yubico AB
+Copyright (c) 2011, Neuman Vong
+
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
+modification, are permitted provided that the following conditions are met:
 
     * Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.
@@ -13,6 +13,10 @@ met:
       disclaimer in the documentation and/or other materials provided
       with the distribution.
 
+    * Neither the name of the copyright holder nor the names of other
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

data/web/inc/lib/vendor/firebase/php-jwt/README.md

@@ -0,0 +1,419 @@
+![Build Status](https://github.com/firebase/php-jwt/actions/workflows/tests.yml/badge.svg)
+[![Latest Stable Version](https://poser.pugx.org/firebase/php-jwt/v/stable)](https://packagist.org/packages/firebase/php-jwt)
+[![Total Downloads](https://poser.pugx.org/firebase/php-jwt/downloads)](https://packagist.org/packages/firebase/php-jwt)
+[![License](https://poser.pugx.org/firebase/php-jwt/license)](https://packagist.org/packages/firebase/php-jwt)
+
+PHP-JWT
+=======
+A simple library to encode and decode JSON Web Tokens (JWT) in PHP, conforming to [RFC 7519](https://tools.ietf.org/html/rfc7519).
+
+Installation
+------------
+
+Use composer to manage your dependencies and download PHP-JWT:
+
+```bash
+composer require firebase/php-jwt
+```
+
+Optionally, install the `paragonie/sodium_compat` package from composer if your
+php is < 7.2 or does not have libsodium installed:
+
+```bash
+composer require paragonie/sodium_compat
+```
+
+Example
+-------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+$key = 'example_key';
+$payload = [
+    'iss' => 'http://example.org',
+    'aud' => 'http://example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+/**
+ * IMPORTANT:
+ * You must specify supported algorithms for your application. See
+ * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
+ * for a list of spec-compliant algorithms.
+ */
+$jwt = JWT::encode($payload, $key, 'HS256');
+$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
+
+print_r($decoded);
+
+/*
+ NOTE: This will now be an object instead of an associative array. To get
+ an associative array, you will need to cast it as such:
+*/
+
+$decoded_array = (array) $decoded;
+
+/**
+ * You can add a leeway to account for when there is a clock skew times between
+ * the signing and verifying servers. It is recommended that this leeway should
+ * not be bigger than a few minutes.
+ *
+ * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
+ */
+JWT::$leeway = 60; // $leeway in seconds
+$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
+```
+Example encode/decode headers
+-------
+Decoding the JWT headers without verifying the JWT first is NOT recommended, and is not supported by
+this library. This is because without verifying the JWT, the header values could have been tampered with.
+Any value pulled from an unverified header should be treated as if it could be any string sent in from an
+attacker.  If this is something you still want to do in your application for whatever reason, it's possible to 
+decode the header values manually simply by calling `json_decode` and `base64_decode` on the JWT 
+header part:
+```php
+use Firebase\JWT\JWT;
+
+$key = 'example_key';
+$payload = [
+    'iss' => 'http://example.org',
+    'aud' => 'http://example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$headers = [
+    'x-forwarded-for' => 'www.google.com'
+];
+
+// Encode headers in the JWT string
+$jwt = JWT::encode($payload, $key, 'HS256', null, $headers);
+
+// Decode headers from the JWT string WITHOUT validation
+// **IMPORTANT**: This operation is vulnerable to attacks, as the JWT has not yet been verified.
+// These headers could be any value sent by an attacker.
+list($headersB64, $payloadB64, $sig) = explode('.', $jwt);
+$decoded = json_decode(base64_decode($headersB64), true);
+
+print_r($decoded);
+```
+Example with RS256 (openssl)
+----------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+$privateKey = <<<EOD
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuzWHNM5f+amCjQztc5QTfJfzCC5J4nuW+L/aOxZ4f8J3Frew
+M2c/dufrnmedsApb0By7WhaHlcqCh/ScAPyJhzkPYLae7bTVro3hok0zDITR8F6S
+JGL42JAEUk+ILkPI+DONM0+3vzk6Kvfe548tu4czCuqU8BGVOlnp6IqBHhAswNMM
+78pos/2z0CjPM4tbeXqSTTbNkXRboxjU29vSopcT51koWOgiTf3C7nJUoMWZHZI5
+HqnIhPAG9yv8HAgNk6CMk2CadVHDo4IxjxTzTTqo1SCSH2pooJl9O8at6kkRYsrZ
+WwsKlOFE2LUce7ObnXsYihStBUDoeBQlGG/BwQIDAQABAoIBAFtGaOqNKGwggn9k
+6yzr6GhZ6Wt2rh1Xpq8XUz514UBhPxD7dFRLpbzCrLVpzY80LbmVGJ9+1pJozyWc
+VKeCeUdNwbqkr240Oe7GTFmGjDoxU+5/HX/SJYPpC8JZ9oqgEA87iz+WQX9hVoP2
+oF6EB4ckDvXmk8FMwVZW2l2/kd5mrEVbDaXKxhvUDf52iVD+sGIlTif7mBgR99/b
+c3qiCnxCMmfYUnT2eh7Vv2LhCR/G9S6C3R4lA71rEyiU3KgsGfg0d82/XWXbegJW
+h3QbWNtQLxTuIvLq5aAryV3PfaHlPgdgK0ft6ocU2de2FagFka3nfVEyC7IUsNTK
+bq6nhAECgYEA7d/0DPOIaItl/8BWKyCuAHMss47j0wlGbBSHdJIiS55akMvnAG0M
+39y22Qqfzh1at9kBFeYeFIIU82ZLF3xOcE3z6pJZ4Dyvx4BYdXH77odo9uVK9s1l
+3T3BlMcqd1hvZLMS7dviyH79jZo4CXSHiKzc7pQ2YfK5eKxKqONeXuECgYEAyXlG
+vonaus/YTb1IBei9HwaccnQ/1HRn6MvfDjb7JJDIBhNClGPt6xRlzBbSZ73c2QEC
+6Fu9h36K/HZ2qcLd2bXiNyhIV7b6tVKk+0Psoj0dL9EbhsD1OsmE1nTPyAc9XZbb
+OPYxy+dpBCUA8/1U9+uiFoCa7mIbWcSQ+39gHuECgYAz82pQfct30aH4JiBrkNqP
+nJfRq05UY70uk5k1u0ikLTRoVS/hJu/d4E1Kv4hBMqYCavFSwAwnvHUo51lVCr/y
+xQOVYlsgnwBg2MX4+GjmIkqpSVCC8D7j/73MaWb746OIYZervQ8dbKahi2HbpsiG
+8AHcVSA/agxZr38qvWV54QKBgCD5TlDE8x18AuTGQ9FjxAAd7uD0kbXNz2vUYg9L
+hFL5tyL3aAAtUrUUw4xhd9IuysRhW/53dU+FsG2dXdJu6CxHjlyEpUJl2iZu/j15
+YnMzGWHIEX8+eWRDsw/+Ujtko/B7TinGcWPz3cYl4EAOiCeDUyXnqnO1btCEUU44
+DJ1BAoGBAJuPD27ErTSVtId90+M4zFPNibFP50KprVdc8CR37BE7r8vuGgNYXmnI
+RLnGP9p3pVgFCktORuYS2J/6t84I3+A17nEoB4xvhTLeAinAW/uTQOUmNicOP4Ek
+2MsLL2kHgL8bLTmvXV4FX+PXphrDKg1XxzOYn0otuoqdAQrkK4og
+-----END RSA PRIVATE KEY-----
+EOD;
+
+$publicKey = <<<EOD
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzWHNM5f+amCjQztc5QT
+fJfzCC5J4nuW+L/aOxZ4f8J3FrewM2c/dufrnmedsApb0By7WhaHlcqCh/ScAPyJ
+hzkPYLae7bTVro3hok0zDITR8F6SJGL42JAEUk+ILkPI+DONM0+3vzk6Kvfe548t
+u4czCuqU8BGVOlnp6IqBHhAswNMM78pos/2z0CjPM4tbeXqSTTbNkXRboxjU29vS
+opcT51koWOgiTf3C7nJUoMWZHZI5HqnIhPAG9yv8HAgNk6CMk2CadVHDo4IxjxTz
+TTqo1SCSH2pooJl9O8at6kkRYsrZWwsKlOFE2LUce7ObnXsYihStBUDoeBQlGG/B
+wQIDAQAB
+-----END PUBLIC KEY-----
+EOD;
+
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$jwt = JWT::encode($payload, $privateKey, 'RS256');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
+
+/*
+ NOTE: This will now be an object instead of an associative array. To get
+ an associative array, you will need to cast it as such:
+*/
+
+$decoded_array = (array) $decoded;
+echo "Decode:\n" . print_r($decoded_array, true) . "\n";
+```
+
+Example with a passphrase
+-------------------------
+
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Your passphrase
+$passphrase = '[YOUR_PASSPHRASE]';
+
+// Your private key file with passphrase
+// Can be generated with "ssh-keygen -t rsa -m pem"
+$privateKeyFile = '/path/to/key-with-passphrase.pem';
+
+// Create a private key of type "resource"
+$privateKey = openssl_pkey_get_private(
+    file_get_contents($privateKeyFile),
+    $passphrase
+);
+
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$jwt = JWT::encode($payload, $privateKey, 'RS256');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+// Get public key from the private key, or pull from from a file.
+$publicKey = openssl_pkey_get_details($privateKey)['key'];
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
+echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
+```
+
+Example with EdDSA (libsodium and Ed25519 signature)
+----------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Public and private keys are expected to be Base64 encoded. The last
+// non-empty line is used so that keys can be generated with
+// sodium_crypto_sign_keypair(). The secret keys generated by other tools may
+// need to be adjusted to match the input expected by libsodium.
+
+$keyPair = sodium_crypto_sign_keypair();
+
+$privateKey = base64_encode(sodium_crypto_sign_secretkey($keyPair));
+
+$publicKey = base64_encode(sodium_crypto_sign_publickey($keyPair));
+
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$jwt = JWT::encode($payload, $privateKey, 'EdDSA');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'EdDSA'));
+echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
+````
+
+Example with multiple keys
+--------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Example RSA keys from previous example
+// $privateKey1 = '...';
+// $publicKey1 = '...';
+
+// Example EdDSA keys from previous example
+// $privateKey2 = '...';
+// $publicKey2 = '...';
+
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$jwt1 = JWT::encode($payload, $privateKey1, 'RS256', 'kid1');
+$jwt2 = JWT::encode($payload, $privateKey2, 'EdDSA', 'kid2');
+echo "Encode 1:\n" . print_r($jwt1, true) . "\n";
+echo "Encode 2:\n" . print_r($jwt2, true) . "\n";
+
+$keys = [
+    'kid1' => new Key($publicKey1, 'RS256'),
+    'kid2' => new Key($publicKey2, 'EdDSA'),
+];
+
+$decoded1 = JWT::decode($jwt1, $keys);
+$decoded2 = JWT::decode($jwt2, $keys);
+
+echo "Decode 1:\n" . print_r((array) $decoded1, true) . "\n";
+echo "Decode 2:\n" . print_r((array) $decoded2, true) . "\n";
+```
+
+Using JWKs
+----------
+
+```php
+use Firebase\JWT\JWK;
+use Firebase\JWT\JWT;
+
+// Set of keys. The "keys" key is required. For example, the JSON response to
+// this endpoint: https://www.gstatic.com/iap/verify/public_key-jwk
+$jwks = ['keys' => []];
+
+// JWK::parseKeySet($jwks) returns an associative array of **kid** to Firebase\JWT\Key
+// objects. Pass this as the second parameter to JWT::decode.
+JWT::decode($payload, JWK::parseKeySet($jwks));
+```
+
+Using Cached Key Sets
+---------------------
+
+The `CachedKeySet` class can be used to fetch and cache JWKS (JSON Web Key Sets) from a public URI.
+This has the following advantages:
+
+1. The results are cached for performance.
+2. If an unrecognized key is requested, the cache is refreshed, to accomodate for key rotation.
+3. If rate limiting is enabled, the JWKS URI will not make more than 10 requests a second.
+
+```php
+use Firebase\JWT\CachedKeySet;
+use Firebase\JWT\JWT;
+
+// The URI for the JWKS you wish to cache the results from
+$jwksUri = 'https://www.gstatic.com/iap/verify/public_key-jwk';
+
+// Create an HTTP client (can be any PSR-7 compatible HTTP client)
+$httpClient = new GuzzleHttp\Client();
+
+// Create an HTTP request factory (can be any PSR-17 compatible HTTP request factory)
+$httpFactory = new GuzzleHttp\Psr\HttpFactory();
+
+// Create a cache item pool (can be any PSR-6 compatible cache item pool)
+$cacheItemPool = Phpfastcache\CacheManager::getInstance('files');
+
+$keySet = new CachedKeySet(
+    $jwksUri,
+    $httpClient,
+    $httpFactory,
+    $cacheItemPool,
+    null, // $expiresAfter int seconds to set the JWKS to expire
+    true  // $rateLimit    true to enable rate limit of 10 RPS on lookup of invalid keys
+);
+
+$jwt = 'eyJhbGci...'; // Some JWT signed by a key from the $jwkUri above
+$decoded = JWT::decode($jwt, $keySet);
+```
+
+Miscellaneous
+-------------
+
+#### Exception Handling
+
+When a call to `JWT::decode` is invalid, it will throw one of the following exceptions:
+
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\SignatureInvalidException;
+use Firebase\JWT\BeforeValidException;
+use Firebase\JWT\ExpiredException;
+use DomainException;
+use InvalidArgumentException;
+use UnexpectedValueException;
+
+try {
+    $decoded = JWT::decode($payload, $keys);
+} catch (InvalidArgumentException $e) {
+    // provided key/key-array is empty or malformed.
+} catch (DomainException $e) {
+    // provided algorithm is unsupported OR
+    // provided key is invalid OR
+    // unknown error thrown in openSSL or libsodium OR
+    // libsodium is required but not available.
+} catch (SignatureInvalidException $e) {
+    // provided JWT signature verification failed.
+} catch (BeforeValidException $e) {
+    // provided JWT is trying to be used before "nbf" claim OR
+    // provided JWT is trying to be used before "iat" claim.
+} catch (ExpiredException $e) {
+    // provided JWT is trying to be used after "exp" claim.
+} catch (UnexpectedValueException $e) {
+    // provided JWT is malformed OR
+    // provided JWT is missing an algorithm / using an unsupported algorithm OR
+    // provided JWT algorithm does not match provided key OR
+    // provided key ID in key/key-array is empty or invalid.
+}
+```
+
+All exceptions in the `Firebase\JWT` namespace extend `UnexpectedValueException`, and can be simplified
+like this:
+
+```php
+try {
+    $decoded = JWT::decode($payload, $keys);
+} catch (LogicException $e) {
+    // errors having to do with environmental setup or malformed JWT Keys
+} catch (UnexpectedValueException $e) {
+    // errors having to do with JWT signature and claims
+}
+```
+
+#### Casting to array
+
+The return value of `JWT::decode` is the generic PHP object `stdClass`. If you'd like to handle with arrays
+instead, you can do the following:
+
+```php
+// return type is stdClass
+$decoded = JWT::decode($payload, $keys);
+
+// cast to array
+$decoded = json_decode(json_encode($decoded), true);
+```
+
+Tests
+-----
+Run the tests using phpunit:
+
+```bash
+$ pear install PHPUnit
+$ phpunit --configuration phpunit.xml.dist
+PHPUnit 3.7.10 by Sebastian Bergmann.
+.....
+Time: 0 seconds, Memory: 2.50Mb
+OK (5 tests, 5 assertions)
+```
+
+New Lines in private keys
+-----
+
+If your private key contains `\n` characters, be sure to wrap it in double quotes `""`
+and not single quotes `''` in order to properly interpret the escaped characters.
+
+License
+-------
+[3-Clause BSD](http://opensource.org/licenses/BSD-3-Clause).

data/web/inc/lib/vendor/firebase/php-jwt/composer.json

@@ -0,0 +1,42 @@
+{
+    "name": "firebase/php-jwt",
+    "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+    "homepage": "https://github.com/firebase/php-jwt",
+    "keywords": [
+        "php",
+        "jwt"
+    ],
+    "authors": [
+        {
+            "name": "Neuman Vong",
+            "email": "neuman+pear@twilio.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Anant Narayanan",
+            "email": "anant@php.net",
+            "role": "Developer"
+        }
+    ],
+    "license": "BSD-3-Clause",
+    "require": {
+        "php": "^7.4||^8.0"
+    },
+    "suggest": {
+        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present",
+        "ext-sodium": "Support EdDSA (Ed25519) signatures"
+    },
+    "autoload": {
+        "psr-4": {
+            "Firebase\\JWT\\": "src"
+        }
+    },
+    "require-dev": {
+        "guzzlehttp/guzzle": "^6.5||^7.4",
+        "phpspec/prophecy-phpunit": "^2.0",
+        "phpunit/phpunit": "^9.5",
+        "psr/cache": "^1.0||^2.0",
+        "psr/http-client": "^1.0",
+        "psr/http-factory": "^1.0"
+    }
+}

data/web/inc/lib/vendor/firebase/php-jwt/src/BeforeValidException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Firebase\JWT;
+
+class BeforeValidException extends \UnexpectedValueException
+{
+}

data/web/inc/lib/vendor/firebase/php-jwt/src/CachedKeySet.php

@@ -0,0 +1,258 @@
+<?php
+
+namespace Firebase\JWT;
+
+use ArrayAccess;
+use InvalidArgumentException;
+use LogicException;
+use OutOfBoundsException;
+use Psr\Cache\CacheItemInterface;
+use Psr\Cache\CacheItemPoolInterface;
+use Psr\Http\Client\ClientInterface;
+use Psr\Http\Message\RequestFactoryInterface;
+use RuntimeException;
+use UnexpectedValueException;
+
+/**
+ * @implements ArrayAccess<string, Key>
+ */
+class CachedKeySet implements ArrayAccess
+{
+    /**
+     * @var string
+     */
+    private $jwksUri;
+    /**
+     * @var ClientInterface
+     */
+    private $httpClient;
+    /**
+     * @var RequestFactoryInterface
+     */
+    private $httpFactory;
+    /**
+     * @var CacheItemPoolInterface
+     */
+    private $cache;
+    /**
+     * @var ?int
+     */
+    private $expiresAfter;
+    /**
+     * @var ?CacheItemInterface
+     */
+    private $cacheItem;
+    /**
+     * @var array<string, array<mixed>>
+     */
+    private $keySet;
+    /**
+     * @var string
+     */
+    private $cacheKey;
+    /**
+     * @var string
+     */
+    private $cacheKeyPrefix = 'jwks';
+    /**
+     * @var int
+     */
+    private $maxKeyLength = 64;
+    /**
+     * @var bool
+     */
+    private $rateLimit;
+    /**
+     * @var string
+     */
+    private $rateLimitCacheKey;
+    /**
+     * @var int
+     */
+    private $maxCallsPerMinute = 10;
+    /**
+     * @var string|null
+     */
+    private $defaultAlg;
+
+    public function __construct(
+        string $jwksUri,
+        ClientInterface $httpClient,
+        RequestFactoryInterface $httpFactory,
+        CacheItemPoolInterface $cache,
+        int $expiresAfter = null,
+        bool $rateLimit = false,
+        string $defaultAlg = null
+    ) {
+        $this->jwksUri = $jwksUri;
+        $this->httpClient = $httpClient;
+        $this->httpFactory = $httpFactory;
+        $this->cache = $cache;
+        $this->expiresAfter = $expiresAfter;
+        $this->rateLimit = $rateLimit;
+        $this->defaultAlg = $defaultAlg;
+        $this->setCacheKeys();
+    }
+
+    /**
+     * @param string $keyId
+     * @return Key
+     */
+    public function offsetGet($keyId): Key
+    {
+        if (!$this->keyIdExists($keyId)) {
+            throw new OutOfBoundsException('Key ID not found');
+        }
+        return JWK::parseKey($this->keySet[$keyId], $this->defaultAlg);
+    }
+
+    /**
+     * @param string $keyId
+     * @return bool
+     */
+    public function offsetExists($keyId): bool
+    {
+        return $this->keyIdExists($keyId);
+    }
+
+    /**
+     * @param string $offset
+     * @param Key $value
+     */
+    public function offsetSet($offset, $value): void
+    {
+        throw new LogicException('Method not implemented');
+    }
+
+    /**
+     * @param string $offset
+     */
+    public function offsetUnset($offset): void
+    {
+        throw new LogicException('Method not implemented');
+    }
+
+    /**
+     * @return array<mixed>
+     */
+    private function formatJwksForCache(string $jwks): array
+    {
+        $jwks = json_decode($jwks, true);
+
+        if (!isset($jwks['keys'])) {
+            throw new UnexpectedValueException('"keys" member must exist in the JWK Set');
+        }
+
+        if (empty($jwks['keys'])) {
+            throw new InvalidArgumentException('JWK Set did not contain any keys');
+        }
+
+        $keys = [];
+        foreach ($jwks['keys'] as $k => $v) {
+            $kid = isset($v['kid']) ? $v['kid'] : $k;
+            $keys[(string) $kid] = $v;
+        }
+
+        return $keys;
+    }
+
+    private function keyIdExists(string $keyId): bool
+    {
+        if (null === $this->keySet) {
+            $item = $this->getCacheItem();
+            // Try to load keys from cache
+            if ($item->isHit()) {
+                // item found! retrieve it
+                $this->keySet = $item->get();
+                // If the cached item is a string, the JWKS response was cached (previous behavior).
+                // Parse this into expected format array<kid, jwk> instead.
+                if (\is_string($this->keySet)) {
+                    $this->keySet = $this->formatJwksForCache($this->keySet);
+                }
+            }
+        }
+
+        if (!isset($this->keySet[$keyId])) {
+            if ($this->rateLimitExceeded()) {
+                return false;
+            }
+            $request = $this->httpFactory->createRequest('GET', $this->jwksUri);
+            $jwksResponse = $this->httpClient->sendRequest($request);
+            $this->keySet = $this->formatJwksForCache((string) $jwksResponse->getBody());
+
+            if (!isset($this->keySet[$keyId])) {
+                return false;
+            }
+
+            $item = $this->getCacheItem();
+            $item->set($this->keySet);
+            if ($this->expiresAfter) {
+                $item->expiresAfter($this->expiresAfter);
+            }
+            $this->cache->save($item);
+        }
+
+        return true;
+    }
+
+    private function rateLimitExceeded(): bool
+    {
+        if (!$this->rateLimit) {
+            return false;
+        }
+
+        $cacheItem = $this->cache->getItem($this->rateLimitCacheKey);
+        if (!$cacheItem->isHit()) {
+            $cacheItem->expiresAfter(1); // # of calls are cached each minute
+        }
+
+        $callsPerMinute = (int) $cacheItem->get();
+        if (++$callsPerMinute > $this->maxCallsPerMinute) {
+            return true;
+        }
+        $cacheItem->set($callsPerMinute);
+        $this->cache->save($cacheItem);
+        return false;
+    }
+
+    private function getCacheItem(): CacheItemInterface
+    {
+        if (\is_null($this->cacheItem)) {
+            $this->cacheItem = $this->cache->getItem($this->cacheKey);
+        }
+
+        return $this->cacheItem;
+    }
+
+    private function setCacheKeys(): void
+    {
+        if (empty($this->jwksUri)) {
+            throw new RuntimeException('JWKS URI is empty');
+        }
+
+        // ensure we do not have illegal characters
+        $key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $this->jwksUri);
+
+        // add prefix
+        $key = $this->cacheKeyPrefix . $key;
+
+        // Hash keys if they exceed $maxKeyLength of 64
+        if (\strlen($key) > $this->maxKeyLength) {
+            $key = substr(hash('sha256', $key), 0, $this->maxKeyLength);
+        }
+
+        $this->cacheKey = $key;
+
+        if ($this->rateLimit) {
+            // add prefix
+            $rateLimitKey = $this->cacheKeyPrefix . 'ratelimit' . $key;
+
+            // Hash keys if they exceed $maxKeyLength of 64
+            if (\strlen($rateLimitKey) > $this->maxKeyLength) {
+                $rateLimitKey = substr(hash('sha256', $rateLimitKey), 0, $this->maxKeyLength);
+            }
+
+            $this->rateLimitCacheKey = $rateLimitKey;
+        }
+    }
+}