1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-23 02:04:46 +02:00

[Web] use global vars for iam_provider and iam_settings

This commit is contained in:
FreddleSpl0it 2024-11-29 15:50:35 +01:00
parent dc379267a9
commit 05e4bd7602
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
9 changed files with 60 additions and 72 deletions

View File

@ -86,8 +86,6 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo
$cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
$f2b_data = fail2ban('get');
// identity provider
$iam_settings = identity_provider('get');
// mbox templates
$mbox_templates = mailbox('get', 'mailbox_templates');

View File

@ -55,6 +55,7 @@ $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
// Init Identity Provider
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
$login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));

View File

@ -119,7 +119,6 @@ if (isset($_SESSION['mailcow_cc_role'])) {
$quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
$get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
$rlyhosts = relayhost('get');
$iam_settings = identity_provider('get');
$template = 'edit/mailbox.twig';
$template_data = [
'acl' => $_SESSION['acl'],

View File

@ -162,6 +162,8 @@ function domainadmin_login($user, $pass){
}
function user_login($user, $pass, $extra = null){
global $pdo;
global $iam_provider;
global $iam_settings;
$is_internal = $extra['is_internal'];
@ -186,12 +188,11 @@ function user_login($user, $pass, $extra = null){
// user does not exist, try call idp login and create user if possible via rest flow
if (!$row){
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
$result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal, 'create' => true));
if ($result !== false) return $result;
} else if ($iam_settings['authsource'] == 'ldap') {
$result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
$result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal, 'create' => true));
if ($result !== false) return $result;
}
}
@ -202,9 +203,8 @@ function user_login($user, $pass, $extra = null){
switch ($row['authsource']) {
case 'keycloak':
// user authsource is keycloak, try using via rest flow
$iam_settings = identity_provider('get');
if (intval($iam_settings['mailpassword_flow']) == 1){
$result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
$result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal));
if ($result !== false) {
// check for tfa authenticators
$authenticators = get_tfa($user);
@ -243,8 +243,7 @@ function user_login($user, $pass, $extra = null){
break;
case 'ldap':
// user authsource is ldap
$iam_settings = identity_provider('get');
$result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal));
$result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal));
if ($result !== false) {
// check for tfa authenticators
$authenticators = get_tfa($user);
@ -397,8 +396,10 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){
// Keycloak REST Api Flow - auth user by mailcow_password attribute
// This password will be used for direct UI, IMAP and SMTP Auth
// To use direct user credentials, only Authorization Code Flow is valid
function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
function keycloak_mbox_login_rest($user, $pass, $extra = null){
global $pdo;
global $iam_provider;
global $iam_settings;
$is_internal = $extra['is_internal'];
$create = $extra['create'];
@ -474,10 +475,11 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
return 'user';
}
function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
function ldap_mbox_login($user, $pass, $extra = null){
global $pdo;
global $iam_provider;
global $iam_settings;
$iam_provider = identity_provider();
$is_internal = $extra['is_internal'];
$create = $extra['create'];

View File

@ -1072,6 +1072,8 @@ function set_tfa($_data) {
global $pdo;
global $yubi;
global $tfa;
global $iam_settings;
$_data_log = $_data;
$access_denied = null;
!isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@ -1100,7 +1102,6 @@ function set_tfa($_data) {
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) {
if ($row['authsource'] == 'ldap'){
$iam_settings = identity_provider('get');
if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true;
else $access_denied = false;
} else {
@ -2129,20 +2130,13 @@ function uuid4() {
function identity_provider($_action = null, $_data = null, $_extra = null) {
global $pdo;
global $iam_provider;
global $iam_settings;
$data_log = $_data;
if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
switch ($_action) {
case NULL:
if ($iam_provider) {
return $iam_provider;
} else {
$iam_provider = identity_provider("init");
return $iam_provider;
}
break;
case 'get':
$settings = array();
$stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
@ -2414,20 +2408,20 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true;
break;
case "init":
$iam_settings = identity_provider('get');
$settings = identity_provider('get');
$provider = null;
switch ($iam_settings['authsource']) {
switch ($settings['authsource']) {
case "keycloak":
if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
$iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){
if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
$settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $iam_settings['server_url'],
'realm' => $iam_settings['realm'],
'clientId' => $iam_settings['client_id'],
'clientSecret' => $iam_settings['client_secret'],
'redirectUri' => $iam_settings['redirect_url'],
'version' => $iam_settings['version'],
'authServerUrl' => $settings['server_url'],
'realm' => $settings['realm'],
'clientId' => $settings['client_id'],
'clientSecret' => $settings['client_secret'],
'redirectUri' => $settings['redirect_url'],
'version' => $settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
@ -2435,34 +2429,34 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
}
break;
case "generic-oidc":
if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
$iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){
if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
$settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
$provider = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => $iam_settings['client_id'],
'clientSecret' => $iam_settings['client_secret'],
'redirectUri' => $iam_settings['redirect_url'],
'urlAuthorize' => $iam_settings['authorize_url'],
'urlAccessToken' => $iam_settings['token_url'],
'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
'scopes' => $iam_settings['client_scopes']
'clientId' => $settings['client_id'],
'clientSecret' => $settings['client_secret'],
'redirectUri' => $settings['redirect_url'],
'urlAuthorize' => $settings['authorize_url'],
'urlAccessToken' => $settings['token_url'],
'urlResourceOwnerDetails' => $settings['userinfo_url'],
'scopes' => $settings['client_scopes']
]);
}
break;
case "ldap":
if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] &&
$iam_settings['binddn'] && $iam_settings['bindpass']){
if ($settings['host'] && $settings['port'] && $settings['basedn'] &&
$settings['binddn'] && $settings['bindpass']){
$options = array();
if ($iam_settings['ignore_ssl_error']) {
if ($settings['ignore_ssl_error']) {
$options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
}
$provider = new \LdapRecord\Connection([
'hosts' => [$iam_settings['host']],
'port' => $iam_settings['port'],
'base_dn' => $iam_settings['basedn'],
'username' => $iam_settings['binddn'],
'password' => $iam_settings['bindpass'],
'use_ssl' => $iam_settings['use_ssl'],
'use_tls' => $iam_settings['use_tls'],
'hosts' => [$settings['host']],
'port' => $settings['port'],
'base_dn' => $settings['basedn'],
'username' => $settings['binddn'],
'password' => $settings['bindpass'],
'use_ssl' => $settings['use_ssl'],
'use_tls' => $settings['use_tls'],
'options' => $options
]);
try {
@ -2477,8 +2471,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return $provider;
break;
case "verify-sso":
$provider = $_data['iam_provider'];
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){
$_SESSION['return'][] = array(
'type' => 'danger',
@ -2489,10 +2481,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
}
try {
$token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$_SESSION['iam_token'] = $token->getToken();
$_SESSION['iam_refresh_token'] = $token->getRefreshToken();
$info = $provider->getResourceOwner($token)->toArray();
$info = $iam_provider->getResourceOwner($token)->toArray();
} catch (Throwable $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
@ -2577,13 +2569,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true;
break;
case "refresh-token":
$provider = $_data['iam_provider'];
try {
$token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
$token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
$_SESSION['iam_token'] = $token->getToken();
$_SESSION['iam_refresh_token'] = $token->getRefreshToken();
$info = $provider->getResourceOwner($token)->toArray();
$info = $iam_provider->getResourceOwner($token)->toArray();
} catch (Throwable $e) {
clear_session();
$_SESSION['return'][] = array(
@ -2609,17 +2599,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return true;
break;
case "get-redirect":
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc')
return false;
$provider = $_data['iam_provider'];
$authUrl = $provider->getAuthorizationUrl();
$_SESSION['oauth2state'] = $provider->getState();
$authUrl = $iam_provider->getAuthorizationUrl();
$_SESSION['oauth2state'] = $iam_provider->getState();
return $authUrl;
break;
case "get-keycloak-admin-token":
// get access_token for service account of mailcow client
$iam_settings = identity_provider('get');
if ($iam_settings['authsource'] !== 'keycloak') return false;
if (isset($iam_settings['access_token'])) {
// check if access_token is valid

View File

@ -180,6 +180,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
// Init Identity Provider
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
// IMAP lib
// use Ddeboer\Imap\Server;

View File

@ -3,18 +3,18 @@
if ($iam_provider){
if (isset($_GET['iam_sso'])){
// redirect for sso
$redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
$redirect_uri = identity_provider('get-redirect');
$redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
header('Location: ' . $redirect_uri);
die();
}
if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
// Session found, try to refresh
$isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider));
$isRefreshed = identity_provider('refresh-token');
if (!$isRefreshed){
// Session could not be refreshed, redirect to provider
$redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
$redirect_uri = identity_provider('get-redirect');
$redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
header('Location: ' . $redirect_uri);
die();
@ -23,7 +23,7 @@ if ($iam_provider){
// Check given state against previously stored one to mitigate CSRF attack
// Recieved access token in $_GET['code']
// extract info and verify user
identity_provider('verify-sso', array('iam_provider' => $iam_provider));
identity_provider('verify-sso');
}
}

View File

@ -32,7 +32,7 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
$has_iam_sso = false;
if ($iam_provider){
$has_iam_sso = identity_provider("get-redirect", array('iam_provider' => $iam_provider)) ? true : false;
$has_iam_sso = identity_provider("get-redirect") ? true : false;
}

View File

@ -1708,7 +1708,7 @@ if (isset($_GET['query'])) {
$score = array("score" => preg_replace("/\s+/", "", $score));
process_get_return($score);
case "identity_provider":
process_get_return(identity_provider('get'));
process_get_return($iam_settings);
break;
break;
// return no route found if no case is matched