
[Web] remove ropc flow

This commit is contained in:
FreddleSpl0it 2023-05-16 12:37:01 +02:00 committed by DerLinkman
parent e784c98a5a
commit ad19ff5429
No known key found for this signature in database
GPG Key ID: F109FD97469550A2


@ -270,7 +270,7 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
AND `app_passwd`.`active` = '1'
AND `app_passwd`.`mailbox` = :user
:has_access_query"
);
);
// check if app password has protocol access
// skip if protocol is false and the call is not external
$has_access_query = '';
@ -308,83 +308,6 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
return false;
}
// ROPC Flow (deprecated oAuth2.1)
// uses direct user credentials for UI, IMAP and SMTP Auth
function keycloak_mbox_login_ropc($user, $pass, $iam_settings, $is_internal = false, $create = false){
global $pdo;
$url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
$req = http_build_query(array(
'grant_type' => 'password',
'client_id' => $iam_settings['client_id'],
'client_secret' => $iam_settings['client_secret'],
'username' => $user,
'password' => $pass,
));
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$res = json_decode(curl_exec($curl), true);
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close ($curl);
if ($code == 200) {
// decode jwt
$user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true);
if ($user != $user_data['email']){
// check if $user is email address, only accept email address as username
return false;
}
if ($create && !empty($iam_settings['mappers'])){
// try to create mbox on successfull login
$mbox_template = null;
// check if matching attribute mapping exists
foreach ($iam_settings['mappers'] as $index => $mapper){
if (in_array($mapper, $iam_settings['mappers'])) {
$mbox_template = $iam_settings['templates'][$index];
break;
}
}
if (!$mbox_template){
// no matching template found
return false;
}
$stmt = $pdo->prepare("SELECT * FROM `templates`
WHERE `template` = :template AND type = 'mailbox'");
$stmt->execute(array(
":template" => $mbox_template
));
$mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
if (!empty($mbox_template_data)){
$mbox_template_data = json_decode($mbox_template_data["attributes"], true);
$mbox_template_data['domain'] = explode('@', $user)[1];
$mbox_template_data['local_part'] = explode('@', $user)[0];
$mbox_template_data['authsource'] = 'keycloak';
$_SESSION['iam_create_login'] = true;
$create_res = mailbox('add', 'mailbox', $mbox_template_data);
$_SESSION['iam_create_login'] = false;
if (!$create_res){
return false;
}
}
}
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return 'user';
} else {
return false;
}
}
// Keycloak REST Api Flow - auth user by mailcow_password attribute
// This password will be used for direct UI, IMAP and SMTP Auth
// To use direct user credentials, only Authorization Code Flow is valid