1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-23 02:04:46 +02:00

[Web] add ignore ssl option for keycloak and generic-oidc provider

This commit is contained in:
FreddleSpl0it 2024-11-30 14:37:07 +01:00
parent ec4b9b088c
commit c8c4cfd939
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
2 changed files with 39 additions and 4 deletions

View File

@ -2222,6 +2222,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return false;
}
$_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
switch ($_data['authsource']) {
case "keycloak":
$_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
@ -2230,14 +2231,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
$_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
$_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
$required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
$required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error');
break;
case "generic-oidc":
$_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
$_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
$_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
$_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error');
break;
case "ldap":
$_data['host'] = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : "";
@ -2249,7 +2250,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
$_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
$_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
$_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
$_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
$_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
$required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
@ -2416,6 +2416,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
case "keycloak":
if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
$settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
$guzzyClient = new GuzzleHttp\Client([
'defaults' => [
\GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
\GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
\GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
]
);
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $settings['server_url'],
'realm' => $settings['realm'],
@ -2427,11 +2434,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
$provider->setHttpClient($guzzyClient);
}
break;
case "generic-oidc":
if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
$settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
$guzzyClient = new GuzzleHttp\Client([
'defaults' => [
\GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
\GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
\GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
]
);
$provider = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => $settings['client_id'],
'clientSecret' => $settings['client_secret'],
@ -2441,6 +2456,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
'urlResourceOwnerDetails' => $settings['userinfo_url'],
'scopes' => $settings['client_scopes']
]);
$provider->setHttpClient($guzzyClient);
}
break;
case "ldap":
@ -2468,7 +2484,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
}
break;
}
return $provider;
break;
case "verify-sso":

View File

@ -157,6 +157,16 @@
</p>
</div>
</div>
<div class="row mb-2">
<div class="col-md-3 d-flex align-items-center justify-content-md-end">
<label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
</div>
<div class="col-12 col-md-9">
<div class="form-check form-switch">
<input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
</div>
</div>
</div>
<div class="row mb-2">
<div class="col-md-3 d-flex align-items-center justify-content-md-end">
<label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>
@ -316,6 +326,16 @@
</div>
{% endif %}
</div>
<div class="row mb-4">
<div class="col-md-3 d-flex align-items-center justify-content-md-end">
<label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
</div>
<div class="col-12 col-md-9">
<div class="form-check form-switch">
<input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
</div>
</div>
</div>
<div class="row mt-4 mb-2">
<div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
<div class="btn-group mb-2">