You've already forked mailcow-dockerized
mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2025-07-17 01:42:24 +02:00
[Web] move iam sso functions
This commit is contained in:
FreddleSpl0it
committed by
DerLinkman
DerLinkman
parent
e202d00beb
commit
593e581cf3
@ -1,14 +1,4 @@
|
||||
<?php
|
||||
function unset_auth_session(){
|
||||
unset($_SESSION['keycloak_token']);
|
||||
unset($_SESSION['keycloak_refresh_token']);
|
||||
unset($_SESSION['mailcow_cc_username']);
|
||||
unset($_SESSION['mailcow_cc_role']);
|
||||
unset($_SESSION['oauth2state']);
|
||||
unset($_SESSION['pending_mailcow_cc_username']);
|
||||
unset($_SESSION['pending_mailcow_cc_role']);
|
||||
unset($_SESSION['pending_tfa_methods']);
|
||||
}
|
||||
function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
|
||||
global $pdo;
|
||||
global $redis;
|
||||
@ -503,171 +493,3 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
|
||||
);
|
||||
return 'user';
|
||||
}
|
||||
// Authorization Code Flow
|
||||
function keycloak_verify_token(){
|
||||
global $keycloak_provider;
|
||||
global $pdo;
|
||||
|
||||
try {
|
||||
$token = $keycloak_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
|
||||
} catch (Exception $e) {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__),
|
||||
'msg' => array('login_failed', $e->getMessage())
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
$_SESSION['keycloak_token'] = $token->getToken();
|
||||
$_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
|
||||
// decode jwt data
|
||||
$info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
|
||||
// check if email address is given
|
||||
if (!$info['email']){
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
// token valid, get mailbox
|
||||
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
|
||||
INNER JOIN domain on mailbox.domain = domain.domain
|
||||
WHERE `kind` NOT REGEXP 'location|thing|group'
|
||||
AND `mailbox`.`active`='1'
|
||||
AND `domain`.`active`='1'
|
||||
AND `username` = :user
|
||||
AND `authsource`='keycloak'");
|
||||
$stmt->execute(array(':user' => $info['email']));
|
||||
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
||||
if ($row){
|
||||
// success
|
||||
$_SESSION['mailcow_cc_username'] = $info['email'];
|
||||
$_SESSION['mailcow_cc_role'] = "user";
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
|
||||
);
|
||||
return true;
|
||||
}
|
||||
// get mapped template, if not set return false
|
||||
// also return false if no mappers were defined
|
||||
$identity_provider_settings = identity_provider('get');
|
||||
$user_template = $info['mailcow_template'];
|
||||
if (empty($identity_provider_settings['mappers']) || empty($user_template)){
|
||||
unset_auth_session();
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => 'login_failed'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
$mbox_template = null;
|
||||
// check if matching rolemapping exist
|
||||
foreach ($identity_provider_settings['mappers'] as $index => $mapper){
|
||||
if ($user_template == $mapper) {
|
||||
$mbox_template = $identity_provider_settings['templates'][$index];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$mbox_template){
|
||||
// no matching template found
|
||||
unset_auth_session();
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => 'login_failed'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
$stmt = $pdo->prepare("SELECT * FROM `templates`
|
||||
WHERE `template` = :template AND type = 'mailbox'");
|
||||
$stmt->execute(array(
|
||||
":template" => $mbox_template
|
||||
));
|
||||
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
|
||||
if (empty($mbox_template_data)){
|
||||
unset_auth_session();
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => 'login_failed'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
// create mailbox
|
||||
$mbox_template_data = json_decode($mbox_template_data["attributes"], true);
|
||||
$mbox_template_data['domain'] = explode('@', $info['email'])[1];
|
||||
$mbox_template_data['local_part'] = explode('@', $info['email'])[0];
|
||||
$mbox_template_data['authsource'] = 'keycloak';
|
||||
$_SESSION['iam_create_login'] = true;
|
||||
$create_res = mailbox('add', 'mailbox', $mbox_template_data);
|
||||
$_SESSION['iam_create_login'] = false;
|
||||
if (!$create_res){
|
||||
unset_auth_session();
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => 'login_failed'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
$_SESSION['mailcow_cc_username'] = $info['email'];
|
||||
$_SESSION['mailcow_cc_role'] = "user";
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
|
||||
);
|
||||
return true;
|
||||
}
|
||||
function keycloak_refresh(){
|
||||
global $keycloak_provider;
|
||||
|
||||
try {
|
||||
$token = $keycloak_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['keycloak_refresh_token']]);
|
||||
} catch (Exception $e) {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__),
|
||||
'msg' => array('login_failed', $e->getMessage())
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
$_SESSION['keycloak_token'] = $token->getToken();
|
||||
$_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
|
||||
// decode jwt data
|
||||
$info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
|
||||
if (!$info['email']){
|
||||
unset_auth_session();
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
|
||||
'msg' => 'refresh_login_failed'
|
||||
);
|
||||
}
|
||||
|
||||
$_SESSION['mailcow_cc_username'] = $info['email'];
|
||||
$_SESSION['mailcow_cc_role'] = "user";
|
||||
return true;
|
||||
}
|
||||
function keycloak_get_redirect(){
|
||||
global $keycloak_provider;
|
||||
|
||||
$authUrl = $keycloak_provider->getAuthorizationUrl();
|
||||
$_SESSION['oauth2state'] = $keycloak_provider->getState();
|
||||
|
||||
return $authUrl;
|
||||
}
|
||||
function keycloak_get_logout(){
|
||||
global $keycloak_provider;
|
||||
|
||||
$logoutUrl = $keycloak_provider->getLogoutUrl();
|
||||
$logoutUrl = $logoutUrl . "&post_logout_redirect_uri=https://" . $_SERVER['SERVER_NAME'];
|
||||
|
||||
return $logoutUrl;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user