mailcow-dockerized/data/web/sogo-auth.php

<?php

ob_start();

function setAuthHeaders($username, $password) {
  $auth = "";
  $type = "";
  if (!empty($username) && !empty($password)) {
    $auth = "Basic " . base64_encode("$username:$password");
    $type = "Basic";
  }

  http_response_code(200);
  header("X-User: $username");
  header("X-Auth: $auth");
  header("X-Auth-Type: $type");
}

$session_var_user_allowed = 'sogo-sso-user-allowed';
$session_var_pass = 'sogo-sso-pass';

$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
  "/^([yY][eE][sS]|[yY])+$/",
  $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
));

$request = null;
if (isset($_SERVER['PHP_AUTH_USER'])) {
  $request = "basic-auth";
} elseif (isset($_GET['login'])) {
  $request = "admin-login";
} elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) &&
          strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 6), "/SOGo/") === 0) {
  $request = "auth-request";
}


switch ($request) {
  case "basic-auth":
    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';

    $username = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];
    $is_eas = (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1);
    $is_dav = (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1);
    $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';

    $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
    if ($login_check === 'user') {
      setAuthHeaders($username, $password);
      ob_end_flush();
      exit;
    }

    http_response_code(401);
    ob_end_flush();
    exit;
  break;
  case "admin-login":
    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';

    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
    $login = html_entity_decode(rawurldecode($_GET["login"]));

    if (isset($_SESSION['mailcow_cc_role'])) {
      // Check if login is allowed:
      // - User has the "login as" ACL
      // - Admin email login is enabled in mailcow.conf
      // - Dual login is not active
      // - The current role is not "user" or dual login role is admin / domainadmin
      $is_login_allowed = (
        $_SESSION['acl']['login_as'] == "1" &&
        $ALLOW_ADMIN_EMAIL_LOGIN !== 0 &&
        ($_SESSION['mailcow_cc_role'] != "user" || $_SESSION['dual-login']['role'] == "admin" || $_SESSION['dual-login']['role'] == "domainadmin")
      );
      if ($is_login_allowed) {
        // set dual login session
        $_SESSION[$session_var_user_allowed][] = $login;
        if (!$is_dual) {
          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
        }
        $_SESSION['mailcow_cc_username']    = $login;
        $_SESSION['mailcow_cc_role']        = "user";

        // update sasl logs
        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
        $stmt->execute(array(
          ':username' => $login,
          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
        ));

        // redirect to sogo (sogo will get the correct credentials via nginx auth_request
        http_response_code(200);
        header("Location: /SOGo/so/{$login}");
        ob_end_flush();
        exit;
      }
    }

    http_response_code(401);
    header("Location: /");
    ob_end_flush();
    exit;
  break;
  case "auth-request":
    session_start();

    $email_list = array(
      ($_SESSION['mailcow_cc_username'] ?? ''),     // Current user
      ($_SESSION["dual-login"]["username"] ?? ''),  // Dual login user
    );

    $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);
    if (count($url_parts) >= 4) {
      array_push($email_list, $url_parts[3]);       // Requested user
    }

    foreach($email_list as $email) {
      // check if this email is in session allowed list
      if (
        !empty($email) &&
        filter_var($email, FILTER_VALIDATE_EMAIL) &&
        is_array($_SESSION[$session_var_user_allowed]) &&
        in_array($email, $_SESSION[$session_var_user_allowed])
      ) {
        $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
        setAuthHeaders($email, $password);
        ob_end_flush();
        exit;
      }
    }

    http_response_code(401);
    ob_end_flush();
    exit;
  break;
  default:
    setAuthHeaders("", "");
    ob_end_flush();
    exit;
  break;
}
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-23 18:59:18 +02:00			`<?php`

[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`ob_start();`

			`function setAuthHeaders($username, $password) {`
			`$auth = "";`
			`$type = "";`
			`if (!empty($username) && !empty($password)) {`
			`$auth = "Basic " . base64_encode("$username:$password");`
			`$type = "Basic";`
			`}`

			`http_response_code(200);`
			`header("X-User: $username");`
			`header("X-Auth: $auth");`
			`header("X-Auth-Type: $type");`
			`}`

			`$session_var_user_allowed = 'sogo-sso-user-allowed';`
			`$session_var_pass = 'sogo-sso-pass';`

[Web] Do not allow admin login to mailbox logged in as user while ALLOW_ADMIN_EMAIL_LOGIN is n 2021-07-09 07:43:23 +02:00			`$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(`
			`"/^([yY][eE][sS]\|[yY])+$/",`
			`$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]`
			`));`

[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`$request = null;`
[Dovecot] Re-add listescape... 2021-06-23 14:17:39 +02:00			`if (isset($_SERVER['PHP_AUTH_USER'])) {`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`$request = "basic-auth";`
			`} elseif (isset($_GET['login'])) {`
			`$request = "admin-login";`
			`} elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) &&`
			`strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 6), "/SOGo/") === 0) {`
			`$request = "auth-request";`
always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled 2019-02-28 00:06:19 +02:00			`}`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00

			`switch ($request) {`
			`case "basic-auth":`
			`require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';`

			`$username = $_SERVER['PHP_AUTH_USER'];`
			`$password = $_SERVER['PHP_AUTH_PW'];`
			`$is_eas = (preg_match('/^(\/SOGo\|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1);`
			`$is_dav = (preg_match('/^(\/SOGo\|)\/dav.*/', $original_uri) === 1);`
			`$original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';`

			`$login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));`
			`if ($login_check === 'user') {`
			`setAuthHeaders($username, $password);`
			`ob_end_flush();`
			`exit;`
			`}`

			`http_response_code(401);`
			`ob_end_flush();`
			`exit;`
			`break;`
			`case "admin-login":`
			`require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';`

			`$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;`
			`$login = html_entity_decode(rawurldecode($_GET["login"]));`

			`if (isset($_SESSION['mailcow_cc_role'])) {`
			`// Check if login is allowed:`
			`// - User has the "login as" ACL`
			`// - Admin email login is enabled in mailcow.conf`
			`// - Dual login is not active`
			`// - The current role is not "user" or dual login role is admin / domainadmin`
			`$is_login_allowed = (`
			`$_SESSION['acl']['login_as'] == "1" &&`
			`$ALLOW_ADMIN_EMAIL_LOGIN !== 0 &&`
			`($_SESSION['mailcow_cc_role'] != "user" \|\| $_SESSION['dual-login']['role'] == "admin" \|\| $_SESSION['dual-login']['role'] == "domainadmin")`
			`);`
			`if ($is_login_allowed) {`
			`// set dual login session`
allow multiple concurrent admin logins 2019-03-02 13:32:10 +02:00			`$_SESSION[$session_var_user_allowed][] = $login;`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`if (!$is_dual) {`
[Web] add ldap idp 2024-02-20 11:31:14 +02:00			`$_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];`
			`$_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];`
			`}`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`$_SESSION['mailcow_cc_username'] = $login;`
			`$_SESSION['mailcow_cc_role'] = "user";`

[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-28 21:57:19 +02:00			`// update sasl logs`
			`$service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';`
			$stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
			`$stmt->execute(array(`
			`':username' => $login,`
[Dovecot, Web] Fix remaining issues of app password enhancements from #4296 2021-10-30 14:34:33 +02:00			`':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])`
[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-28 21:57:19 +02:00			`));`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-26 21:44:53 +02:00			`// redirect to sogo (sogo will get the correct credentials via nginx auth_request`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`http_response_code(200);`
Fix error "Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /web/sogo-auth.php on line 63" 2023-04-08 17:29:34 +02:00			`header("Location: /SOGo/so/{$login}");`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`ob_end_flush();`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-23 23:26:41 +02:00			`exit;`
			`}`
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-23 18:59:18 +02:00			`}`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00
			`http_response_code(401);`
			`header("Location: /");`
			`ob_end_flush();`
			`exit;`
			`break;`
			`case "auth-request":`
			`session_start();`

			`$email_list = array(`
Jan(moo)uary Update 2022 - Revision A (2022-01a) (#4445) * [API] Fix minor issue in api docs * [GH-Actions][stale] Add neverstale label to exempt list * [Web] add github version tag * [Web] add github version tag error handling * Passwordless SOGo auth: support for calendar invitations and calendar/contacts subscriptions Inviting someone to a calendar event triggers a request to /SOGo/so/otheruser@example.com/freebusy.ifb/ajaxRead. Subscribing to someone's calendar/contacts triggers a request to /SOGo/so/otheruser@example.com/foldersSearch. The email address in the URL is different from the logged-in user, which needs to be handled appropriately by sogo-auth.php. * [Web] add github version tag - adjust css * [Compose] Update SOGo Autoreply Schedule to 5m Based on the advice of inverse (SOGo developer). Thanks to https://github.com/jmber Closes: https://github.com/mailcow/mailcow-dockerized/issues/4436 * [Web] add github version tag - move twig globals * [Web] add github version tag - missing </div> * Passwordless SOGo auth: improvements for when accessing other users * [WebAuthn] fido2 passwordless auth - fix (#4440) * [WebAuthn] fido2 revert * [WebAuthn] set UV flags to 'discouraged' * [WebAuthn] revert - set UV flags to 'discouraged' Co-authored-by: ntimo <git@nowitzki.me> Co-authored-by: Peter <magic@kthx.at> Co-authored-by: FreddleSpl0it <patschul@posteo.de> Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com> Co-authored-by: Michael Kuron <mkuron@users.noreply.github.com> 2022-02-01 16:26:48 +02:00			`($_SESSION['mailcow_cc_username'] ?? ''), // Current user`
			`($_SESSION["dual-login"]["username"] ?? ''), // Dual login user`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`);`

			`$url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);`
			`if (count($url_parts) >= 4) {`
			`array_push($email_list, $url_parts[3]); // Requested user`
			`}`

			`foreach($email_list as $email) {`
			`// check if this email is in session allowed list`
			`if (`
Jan(moo)uary Update 2022 - Revision A (2022-01a) (#4445) * [API] Fix minor issue in api docs * [GH-Actions][stale] Add neverstale label to exempt list * [Web] add github version tag * [Web] add github version tag error handling * Passwordless SOGo auth: support for calendar invitations and calendar/contacts subscriptions Inviting someone to a calendar event triggers a request to /SOGo/so/otheruser@example.com/freebusy.ifb/ajaxRead. Subscribing to someone's calendar/contacts triggers a request to /SOGo/so/otheruser@example.com/foldersSearch. The email address in the URL is different from the logged-in user, which needs to be handled appropriately by sogo-auth.php. * [Web] add github version tag - adjust css * [Compose] Update SOGo Autoreply Schedule to 5m Based on the advice of inverse (SOGo developer). Thanks to https://github.com/jmber Closes: https://github.com/mailcow/mailcow-dockerized/issues/4436 * [Web] add github version tag - move twig globals * [Web] add github version tag - missing </div> * Passwordless SOGo auth: improvements for when accessing other users * [WebAuthn] fido2 passwordless auth - fix (#4440) * [WebAuthn] fido2 revert * [WebAuthn] set UV flags to 'discouraged' * [WebAuthn] revert - set UV flags to 'discouraged' Co-authored-by: ntimo <git@nowitzki.me> Co-authored-by: Peter <magic@kthx.at> Co-authored-by: FreddleSpl0it <patschul@posteo.de> Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com> Co-authored-by: Michael Kuron <mkuron@users.noreply.github.com> 2022-02-01 16:26:48 +02:00			`!empty($email) &&`
			`filter_var($email, FILTER_VALIDATE_EMAIL) &&`
			`is_array($_SESSION[$session_var_user_allowed]) &&`
			`in_array($email, $_SESSION[$session_var_user_allowed])`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00			`) {`
			`$password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");`
			`setAuthHeaders($email, $password);`
			`ob_end_flush();`
			`exit;`
			`}`
Jan(moo)uary Update 2022 - Revision A (2022-01a) (#4445) * [API] Fix minor issue in api docs * [GH-Actions][stale] Add neverstale label to exempt list * [Web] add github version tag * [Web] add github version tag error handling * Passwordless SOGo auth: support for calendar invitations and calendar/contacts subscriptions Inviting someone to a calendar event triggers a request to /SOGo/so/otheruser@example.com/freebusy.ifb/ajaxRead. Subscribing to someone's calendar/contacts triggers a request to /SOGo/so/otheruser@example.com/foldersSearch. The email address in the URL is different from the logged-in user, which needs to be handled appropriately by sogo-auth.php. * [Web] add github version tag - adjust css * [Compose] Update SOGo Autoreply Schedule to 5m Based on the advice of inverse (SOGo developer). Thanks to https://github.com/jmber Closes: https://github.com/mailcow/mailcow-dockerized/issues/4436 * [Web] add github version tag - move twig globals * [Web] add github version tag - missing </div> * Passwordless SOGo auth: improvements for when accessing other users * [WebAuthn] fido2 passwordless auth - fix (#4440) * [WebAuthn] fido2 revert * [WebAuthn] set UV flags to 'discouraged' * [WebAuthn] revert - set UV flags to 'discouraged' Co-authored-by: ntimo <git@nowitzki.me> Co-authored-by: Peter <magic@kthx.at> Co-authored-by: FreddleSpl0it <patschul@posteo.de> Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com> Co-authored-by: Michael Kuron <mkuron@users.noreply.github.com> 2022-02-01 16:26:48 +02:00			`}`
[Web][Nginx] use nginx to redirect unauthenticated users to /index on SOGo Routes 2024-12-06 12:52:49 +02:00
			`http_response_code(401);`
			`ob_end_flush();`
			`exit;`
			`break;`
			`default:`
			`setAuthHeaders("", "");`
			`ob_end_flush();`
			`exit;`
			`break;`
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-23 18:59:18 +02:00			`}`
allow multiple concurrent admin logins 2019-03-02 13:32:10 +02:00