2018-10-18 15:57:43 +02:00
|
|
|
from mailu import models, utils
|
2018-09-27 16:09:38 +02:00
|
|
|
from mailu.internal import internal, nginx
|
2018-10-18 15:57:43 +02:00
|
|
|
from flask import current_app as app
|
2018-09-27 16:09:38 +02:00
|
|
|
|
|
|
|
import flask
|
|
|
|
import flask_login
|
|
|
|
import base64
|
2019-12-06 10:35:21 +02:00
|
|
|
|
2018-09-27 16:09:38 +02:00
|
|
|
@internal.route("/auth/email")
|
|
|
|
def nginx_authentication():
|
|
|
|
""" Main authentication endpoint for Nginx email server
|
|
|
|
"""
|
2020-02-09 18:38:18 +02:00
|
|
|
client_ip = flask.request.headers["Client-Ip"]
|
2021-10-31 20:41:12 +02:00
|
|
|
headers = flask.request.headers
|
2022-03-09 20:28:33 +02:00
|
|
|
if headers["Auth-Port"] == '25' and headers['Auth-Method'] != 'none':
|
2021-10-31 20:41:12 +02:00
|
|
|
response = flask.Response()
|
|
|
|
response.headers['Auth-Status'] = 'AUTH not supported'
|
|
|
|
response.headers['Auth-Error-Code'] = '502 5.5.1'
|
|
|
|
utils.limiter.rate_limit_ip(client_ip)
|
|
|
|
return response
|
2022-01-07 10:07:32 +02:00
|
|
|
is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
|
|
|
|
if not is_from_webmail and utils.limiter.should_rate_limit_ip(client_ip):
|
2021-09-23 18:40:49 +02:00
|
|
|
status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
|
2020-02-09 18:38:18 +02:00
|
|
|
response = flask.Response()
|
2021-09-23 18:40:49 +02:00
|
|
|
response.headers['Auth-Status'] = status
|
|
|
|
response.headers['Auth-Error-Code'] = code
|
2020-02-09 18:38:18 +02:00
|
|
|
if int(flask.request.headers['Auth-Login-Attempt']) < 10:
|
|
|
|
response.headers['Auth-Wait'] = '3'
|
|
|
|
return response
|
2018-09-27 16:09:38 +02:00
|
|
|
headers = nginx.handle_authentication(flask.request.headers)
|
|
|
|
response = flask.Response()
|
|
|
|
for key, value in headers.items():
|
|
|
|
response.headers[key] = str(value)
|
2021-09-23 18:40:49 +02:00
|
|
|
is_valid_user = False
|
2022-03-18 21:05:16 +02:00
|
|
|
if response.headers.get("Auth-User-Exists") == "True":
|
2021-09-23 18:40:49 +02:00
|
|
|
username = response.headers["Auth-User"]
|
|
|
|
if utils.limiter.should_rate_limit_user(username, client_ip):
|
|
|
|
# FIXME could be done before handle_authentication()
|
|
|
|
status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
|
|
|
|
response = flask.Response()
|
|
|
|
response.headers['Auth-Status'] = status
|
|
|
|
response.headers['Auth-Error-Code'] = code
|
|
|
|
if int(flask.request.headers['Auth-Login-Attempt']) < 10:
|
|
|
|
response.headers['Auth-Wait'] = '3'
|
|
|
|
return response
|
|
|
|
is_valid_user = True
|
2021-10-16 15:12:20 +02:00
|
|
|
if headers.get("Auth-Status") == "OK":
|
2021-09-23 18:40:49 +02:00
|
|
|
utils.limiter.exempt_ip_from_ratelimits(client_ip)
|
2021-10-16 15:12:20 +02:00
|
|
|
elif is_valid_user:
|
|
|
|
utils.limiter.rate_limit_user(username, client_ip)
|
2022-01-03 14:38:21 +02:00
|
|
|
elif not is_from_webmail:
|
2021-10-25 21:21:38 +02:00
|
|
|
utils.limiter.rate_limit_ip(client_ip)
|
2018-09-27 16:09:38 +02:00
|
|
|
return response
|
|
|
|
|
|
|
|
@internal.route("/auth/admin")
|
|
|
|
def admin_authentication():
|
|
|
|
""" Fails if the user is not an authenticated admin.
|
|
|
|
"""
|
|
|
|
if (not flask_login.current_user.is_anonymous
|
|
|
|
and flask_login.current_user.global_admin
|
|
|
|
and flask_login.current_user.enabled):
|
|
|
|
return ""
|
|
|
|
return flask.abort(403)
|
|
|
|
|
2021-02-06 18:23:05 +02:00
|
|
|
@internal.route("/auth/user")
|
|
|
|
def user_authentication():
|
|
|
|
""" Fails if the user is not authenticated.
|
|
|
|
"""
|
|
|
|
if (not flask_login.current_user.is_anonymous
|
|
|
|
and flask_login.current_user.enabled):
|
|
|
|
response = flask.Response()
|
2021-12-20 00:24:44 +02:00
|
|
|
email = flask_login.current_user.get_id()
|
|
|
|
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, email, "")
|
|
|
|
response.headers["X-User-Token"] = utils.gen_temp_token(email, flask.session)
|
2021-02-06 18:23:05 +02:00
|
|
|
return response
|
|
|
|
return flask.abort(403)
|
|
|
|
|
2018-09-27 16:09:38 +02:00
|
|
|
|
|
|
|
@internal.route("/auth/basic")
|
|
|
|
def basic_authentication():
|
|
|
|
""" Tries to authenticate using the Authorization header.
|
|
|
|
"""
|
2021-10-16 09:36:49 +02:00
|
|
|
client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
|
2021-09-23 18:40:49 +02:00
|
|
|
if utils.limiter.should_rate_limit_ip(client_ip):
|
|
|
|
response = flask.Response(status=401)
|
|
|
|
response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit from one source exceeded"'
|
|
|
|
response.headers['Retry-After'] = '60'
|
|
|
|
return response
|
2018-09-27 16:09:38 +02:00
|
|
|
authorization = flask.request.headers.get("Authorization")
|
|
|
|
if authorization and authorization.startswith("Basic "):
|
|
|
|
encoded = authorization.replace("Basic ", "")
|
2021-07-14 09:25:04 +02:00
|
|
|
user_email, password = base64.b64decode(encoded).split(b":", 1)
|
2021-09-23 18:40:49 +02:00
|
|
|
user_email = user_email.decode("utf8")
|
|
|
|
if utils.limiter.should_rate_limit_user(user_email, client_ip):
|
|
|
|
response = flask.Response(status=401)
|
|
|
|
response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit for this username exceeded"'
|
|
|
|
response.headers['Retry-After'] = '60'
|
|
|
|
return response
|
|
|
|
user = models.User.query.get(user_email)
|
2021-10-16 10:39:43 +02:00
|
|
|
if user and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
|
2018-09-27 16:09:38 +02:00
|
|
|
response = flask.Response()
|
2021-08-27 10:20:52 +02:00
|
|
|
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
|
2021-09-23 18:40:49 +02:00
|
|
|
utils.limiter.exempt_ip_from_ratelimits(client_ip)
|
2018-09-27 16:09:38 +02:00
|
|
|
return response
|
2021-09-23 18:40:49 +02:00
|
|
|
utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
|
2018-09-27 16:09:38 +02:00
|
|
|
response = flask.Response(status=401)
|
|
|
|
response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
|
|
|
|
return response
|