mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2025-01-10 04:18:10 +02:00
[Web] remove ropc flow
This commit is contained in:
parent
e784c98a5a
commit
ad19ff5429
@ -270,7 +270,7 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
|
||||
AND `app_passwd`.`active` = '1'
|
||||
AND `app_passwd`.`mailbox` = :user
|
||||
:has_access_query"
|
||||
);
|
||||
);
|
||||
// check if app password has protocol access
|
||||
// skip if protocol is false and the call is not external
|
||||
$has_access_query = '';
|
||||
@ -308,83 +308,6 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// ROPC Flow (deprecated oAuth2.1)
|
||||
// uses direct user credentials for UI, IMAP and SMTP Auth
|
||||
function keycloak_mbox_login_ropc($user, $pass, $iam_settings, $is_internal = false, $create = false){
|
||||
global $pdo;
|
||||
|
||||
$url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
|
||||
$req = http_build_query(array(
|
||||
'grant_type' => 'password',
|
||||
'client_id' => $iam_settings['client_id'],
|
||||
'client_secret' => $iam_settings['client_secret'],
|
||||
'username' => $user,
|
||||
'password' => $pass,
|
||||
));
|
||||
$curl = curl_init();
|
||||
curl_setopt($curl, CURLOPT_URL, $url);
|
||||
curl_setopt($curl, CURLOPT_POST, 1);
|
||||
curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
|
||||
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
|
||||
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
|
||||
$res = json_decode(curl_exec($curl), true);
|
||||
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
|
||||
curl_close ($curl);
|
||||
|
||||
if ($code == 200) {
|
||||
// decode jwt
|
||||
$user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true);
|
||||
if ($user != $user_data['email']){
|
||||
// check if $user is email address, only accept email address as username
|
||||
return false;
|
||||
}
|
||||
if ($create && !empty($iam_settings['mappers'])){
|
||||
// try to create mbox on successfull login
|
||||
$mbox_template = null;
|
||||
// check if matching attribute mapping exists
|
||||
foreach ($iam_settings['mappers'] as $index => $mapper){
|
||||
if (in_array($mapper, $iam_settings['mappers'])) {
|
||||
$mbox_template = $iam_settings['templates'][$index];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$mbox_template){
|
||||
// no matching template found
|
||||
return false;
|
||||
}
|
||||
|
||||
$stmt = $pdo->prepare("SELECT * FROM `templates`
|
||||
WHERE `template` = :template AND type = 'mailbox'");
|
||||
$stmt->execute(array(
|
||||
":template" => $mbox_template
|
||||
));
|
||||
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
if (!empty($mbox_template_data)){
|
||||
$mbox_template_data = json_decode($mbox_template_data["attributes"], true);
|
||||
$mbox_template_data['domain'] = explode('@', $user)[1];
|
||||
$mbox_template_data['local_part'] = explode('@', $user)[0];
|
||||
$mbox_template_data['authsource'] = 'keycloak';
|
||||
$_SESSION['iam_create_login'] = true;
|
||||
$create_res = mailbox('add', 'mailbox', $mbox_template_data);
|
||||
$_SESSION['iam_create_login'] = false;
|
||||
if (!$create_res){
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $user, '*'),
|
||||
'msg' => array('logged_in_as', $user)
|
||||
);
|
||||
return 'user';
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
// Keycloak REST Api Flow - auth user by mailcow_password attribute
|
||||
// This password will be used for direct UI, IMAP and SMTP Auth
|
||||
// To use direct user credentials, only Authorization Code Flow is valid
|
||||
|
Loading…
Reference in New Issue
Block a user