1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-01-10 04:18:10 +02:00

[Web] use global vars for iam_provider and iam_settings

This commit is contained in:
FreddleSpl0it 2024-11-29 15:50:35 +01:00
parent dc379267a9
commit 05e4bd7602
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
9 changed files with 60 additions and 72 deletions

View File

@ -86,8 +86,6 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo
$cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']); $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
$f2b_data = fail2ban('get'); $f2b_data = fail2ban('get');
// identity provider
$iam_settings = identity_provider('get');
// mbox templates // mbox templates
$mbox_templates = mailbox('get', 'mailbox_templates'); $mbox_templates = mailbox('get', 'mailbox_templates');

View File

@ -55,6 +55,7 @@ $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
// Init Identity Provider // Init Identity Provider
$iam_provider = identity_provider('init'); $iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER'])); $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
$login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW'])); $login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));

View File

@ -119,7 +119,6 @@ if (isset($_SESSION['mailcow_cc_role'])) {
$quarantine_category = mailbox('get', 'quarantine_category', $mailbox); $quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
$get_tls_policy = mailbox('get', 'tls_policy', $mailbox); $get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
$rlyhosts = relayhost('get'); $rlyhosts = relayhost('get');
$iam_settings = identity_provider('get');
$template = 'edit/mailbox.twig'; $template = 'edit/mailbox.twig';
$template_data = [ $template_data = [
'acl' => $_SESSION['acl'], 'acl' => $_SESSION['acl'],

View File

@ -162,6 +162,8 @@ function domainadmin_login($user, $pass){
} }
function user_login($user, $pass, $extra = null){ function user_login($user, $pass, $extra = null){
global $pdo; global $pdo;
global $iam_provider;
global $iam_settings;
$is_internal = $extra['is_internal']; $is_internal = $extra['is_internal'];
@ -186,12 +188,11 @@ function user_login($user, $pass, $extra = null){
// user does not exist, try call idp login and create user if possible via rest flow // user does not exist, try call idp login and create user if possible via rest flow
if (!$row){ if (!$row){
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){ if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true)); $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal, 'create' => true));
if ($result !== false) return $result; if ($result !== false) return $result;
} else if ($iam_settings['authsource'] == 'ldap') { } else if ($iam_settings['authsource'] == 'ldap') {
$result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true)); $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal, 'create' => true));
if ($result !== false) return $result; if ($result !== false) return $result;
} }
} }
@ -202,9 +203,8 @@ function user_login($user, $pass, $extra = null){
switch ($row['authsource']) { switch ($row['authsource']) {
case 'keycloak': case 'keycloak':
// user authsource is keycloak, try using via rest flow // user authsource is keycloak, try using via rest flow
$iam_settings = identity_provider('get');
if (intval($iam_settings['mailpassword_flow']) == 1){ if (intval($iam_settings['mailpassword_flow']) == 1){
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal)); $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal));
if ($result !== false) { if ($result !== false) {
// check for tfa authenticators // check for tfa authenticators
$authenticators = get_tfa($user); $authenticators = get_tfa($user);
@ -243,8 +243,7 @@ function user_login($user, $pass, $extra = null){
break; break;
case 'ldap': case 'ldap':
// user authsource is ldap // user authsource is ldap
$iam_settings = identity_provider('get'); $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal));
$result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal));
if ($result !== false) { if ($result !== false) {
// check for tfa authenticators // check for tfa authenticators
$authenticators = get_tfa($user); $authenticators = get_tfa($user);
@ -397,8 +396,10 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){
// Keycloak REST Api Flow - auth user by mailcow_password attribute // Keycloak REST Api Flow - auth user by mailcow_password attribute
// This password will be used for direct UI, IMAP and SMTP Auth // This password will be used for direct UI, IMAP and SMTP Auth
// To use direct user credentials, only Authorization Code Flow is valid // To use direct user credentials, only Authorization Code Flow is valid
function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){ function keycloak_mbox_login_rest($user, $pass, $extra = null){
global $pdo; global $pdo;
global $iam_provider;
global $iam_settings;
$is_internal = $extra['is_internal']; $is_internal = $extra['is_internal'];
$create = $extra['create']; $create = $extra['create'];
@ -474,10 +475,11 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
return 'user'; return 'user';
} }
function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){ function ldap_mbox_login($user, $pass, $extra = null){
global $pdo; global $pdo;
global $iam_provider;
global $iam_settings;
$iam_provider = identity_provider();
$is_internal = $extra['is_internal']; $is_internal = $extra['is_internal'];
$create = $extra['create']; $create = $extra['create'];

View File

@ -1072,6 +1072,8 @@ function set_tfa($_data) {
global $pdo; global $pdo;
global $yubi; global $yubi;
global $tfa; global $tfa;
global $iam_settings;
$_data_log = $_data; $_data_log = $_data;
$access_denied = null; $access_denied = null;
!isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@ -1100,7 +1102,6 @@ function set_tfa($_data) {
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) { if ($row) {
if ($row['authsource'] == 'ldap'){ if ($row['authsource'] == 'ldap'){
$iam_settings = identity_provider('get');
if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true; if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true;
else $access_denied = false; else $access_denied = false;
} else { } else {
@ -2129,20 +2130,13 @@ function uuid4() {
function identity_provider($_action = null, $_data = null, $_extra = null) { function identity_provider($_action = null, $_data = null, $_extra = null) {
global $pdo; global $pdo;
global $iam_provider; global $iam_provider;
global $iam_settings;
$data_log = $_data; $data_log = $_data;
if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
switch ($_action) { switch ($_action) {
case NULL:
if ($iam_provider) {
return $iam_provider;
} else {
$iam_provider = identity_provider("init");
return $iam_provider;
}
break;
case 'get': case 'get':
$settings = array(); $settings = array();
$stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
@ -2414,20 +2408,20 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true; return true;
break; break;
case "init": case "init":
$iam_settings = identity_provider('get'); $settings = identity_provider('get');
$provider = null; $provider = null;
switch ($iam_settings['authsource']) { switch ($settings['authsource']) {
case "keycloak": case "keycloak":
if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] && if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
$iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){ $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $iam_settings['server_url'], 'authServerUrl' => $settings['server_url'],
'realm' => $iam_settings['realm'], 'realm' => $settings['realm'],
'clientId' => $iam_settings['client_id'], 'clientId' => $settings['client_id'],
'clientSecret' => $iam_settings['client_secret'], 'clientSecret' => $settings['client_secret'],
'redirectUri' => $iam_settings['redirect_url'], 'redirectUri' => $settings['redirect_url'],
'version' => $iam_settings['version'], 'version' => $settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional // 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional // 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional // 'encryptionKey' => 'contents_of_key_or_certificate' // optional
@ -2435,34 +2429,34 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
} }
break; break;
case "generic-oidc": case "generic-oidc":
if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] && if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
$iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){ $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
$provider = new \League\OAuth2\Client\Provider\GenericProvider([ $provider = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => $iam_settings['client_id'], 'clientId' => $settings['client_id'],
'clientSecret' => $iam_settings['client_secret'], 'clientSecret' => $settings['client_secret'],
'redirectUri' => $iam_settings['redirect_url'], 'redirectUri' => $settings['redirect_url'],
'urlAuthorize' => $iam_settings['authorize_url'], 'urlAuthorize' => $settings['authorize_url'],
'urlAccessToken' => $iam_settings['token_url'], 'urlAccessToken' => $settings['token_url'],
'urlResourceOwnerDetails' => $iam_settings['userinfo_url'], 'urlResourceOwnerDetails' => $settings['userinfo_url'],
'scopes' => $iam_settings['client_scopes'] 'scopes' => $settings['client_scopes']
]); ]);
} }
break; break;
case "ldap": case "ldap":
if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] && if ($settings['host'] && $settings['port'] && $settings['basedn'] &&
$iam_settings['binddn'] && $iam_settings['bindpass']){ $settings['binddn'] && $settings['bindpass']){
$options = array(); $options = array();
if ($iam_settings['ignore_ssl_error']) { if ($settings['ignore_ssl_error']) {
$options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
} }
$provider = new \LdapRecord\Connection([ $provider = new \LdapRecord\Connection([
'hosts' => [$iam_settings['host']], 'hosts' => [$settings['host']],
'port' => $iam_settings['port'], 'port' => $settings['port'],
'base_dn' => $iam_settings['basedn'], 'base_dn' => $settings['basedn'],
'username' => $iam_settings['binddn'], 'username' => $settings['binddn'],
'password' => $iam_settings['bindpass'], 'password' => $settings['bindpass'],
'use_ssl' => $iam_settings['use_ssl'], 'use_ssl' => $settings['use_ssl'],
'use_tls' => $iam_settings['use_tls'], 'use_tls' => $settings['use_tls'],
'options' => $options 'options' => $options
]); ]);
try { try {
@ -2477,8 +2471,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return $provider; return $provider;
break; break;
case "verify-sso": case "verify-sso":
$provider = $_data['iam_provider'];
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){ if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
@ -2489,10 +2481,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
} }
try { try {
$token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$_SESSION['iam_token'] = $token->getToken(); $_SESSION['iam_token'] = $token->getToken();
$_SESSION['iam_refresh_token'] = $token->getRefreshToken(); $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
$info = $provider->getResourceOwner($token)->toArray(); $info = $iam_provider->getResourceOwner($token)->toArray();
} catch (Throwable $e) { } catch (Throwable $e) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
@ -2577,13 +2569,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true; return true;
break; break;
case "refresh-token": case "refresh-token":
$provider = $_data['iam_provider'];
try { try {
$token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]); $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
$_SESSION['iam_token'] = $token->getToken(); $_SESSION['iam_token'] = $token->getToken();
$_SESSION['iam_refresh_token'] = $token->getRefreshToken(); $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
$info = $provider->getResourceOwner($token)->toArray(); $info = $iam_provider->getResourceOwner($token)->toArray();
} catch (Throwable $e) { } catch (Throwable $e) {
clear_session(); clear_session();
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
@ -2609,17 +2599,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true; return true;
break; break;
case "get-redirect": case "get-redirect":
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc')
return false; return false;
$provider = $_data['iam_provider']; $authUrl = $iam_provider->getAuthorizationUrl();
$authUrl = $provider->getAuthorizationUrl(); $_SESSION['oauth2state'] = $iam_provider->getState();
$_SESSION['oauth2state'] = $provider->getState();
return $authUrl; return $authUrl;
break; break;
case "get-keycloak-admin-token": case "get-keycloak-admin-token":
// get access_token for service account of mailcow client // get access_token for service account of mailcow client
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] !== 'keycloak') return false; if ($iam_settings['authsource'] !== 'keycloak') return false;
if (isset($iam_settings['access_token'])) { if (isset($iam_settings['access_token'])) {
// check if access_token is valid // check if access_token is valid

View File

@ -180,6 +180,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
// Init Identity Provider // Init Identity Provider
$iam_provider = identity_provider('init'); $iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
// IMAP lib // IMAP lib
// use Ddeboer\Imap\Server; // use Ddeboer\Imap\Server;

View File

@ -3,18 +3,18 @@
if ($iam_provider){ if ($iam_provider){
if (isset($_GET['iam_sso'])){ if (isset($_GET['iam_sso'])){
// redirect for sso // redirect for sso
$redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider)); $redirect_uri = identity_provider('get-redirect');
$redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/'; $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
header('Location: ' . $redirect_uri); header('Location: ' . $redirect_uri);
die(); die();
} }
if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) { if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
// Session found, try to refresh // Session found, try to refresh
$isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider)); $isRefreshed = identity_provider('refresh-token');
if (!$isRefreshed){ if (!$isRefreshed){
// Session could not be refreshed, redirect to provider // Session could not be refreshed, redirect to provider
$redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider)); $redirect_uri = identity_provider('get-redirect');
$redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/'; $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
header('Location: ' . $redirect_uri); header('Location: ' . $redirect_uri);
die(); die();
@ -23,7 +23,7 @@ if ($iam_provider){
// Check given state against previously stored one to mitigate CSRF attack // Check given state against previously stored one to mitigate CSRF attack
// Recieved access token in $_GET['code'] // Recieved access token in $_GET['code']
// extract info and verify user // extract info and verify user
identity_provider('verify-sso', array('iam_provider' => $iam_provider)); identity_provider('verify-sso');
} }
} }

View File

@ -32,7 +32,7 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
$has_iam_sso = false; $has_iam_sso = false;
if ($iam_provider){ if ($iam_provider){
$has_iam_sso = identity_provider("get-redirect", array('iam_provider' => $iam_provider)) ? true : false; $has_iam_sso = identity_provider("get-redirect") ? true : false;
} }

View File

@ -1708,7 +1708,7 @@ if (isset($_GET['query'])) {
$score = array("score" => preg_replace("/\s+/", "", $score)); $score = array("score" => preg_replace("/\s+/", "", $score));
process_get_return($score); process_get_return($score);
case "identity_provider": case "identity_provider":
process_get_return(identity_provider('get')); process_get_return($iam_settings);
break; break;
break; break;
// return no route found if no case is matched // return no route found if no case is matched