1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-23 02:04:46 +02:00

[Web] move /process/login to internal endpoint

This commit is contained in:
FreddleSpl0it 2023-04-12 15:32:22 +02:00 committed by DerLinkman
parent f0689e08d9
commit dca5f1baab
No known key found for this signature in database
GPG Key ID: F109FD97469550A2
10 changed files with 123 additions and 58 deletions

1
.gitignore vendored
View File

@ -69,3 +69,4 @@ rebuild-images.sh
refresh_images.sh
update_diffs/
create_cold_standby.sh
!data/conf/nginx/mailcow_auth.conf

View File

@ -152,13 +152,14 @@ function auth_password_verify(request, password)
-- check against mailbox passwds
local b, c = https.request {
method = "POST",
url = "https://nginx/api/v1/process/login",
url = "https://nginx:9082",
source = ltn12.source.string(req_json),
headers = {
["content-type"] = "application/json",
["content-length"] = tostring(#req_json)
},
sink = ltn12.sink.table(res)
sink = ltn12.sink.table(res),
insecure = true
}
local api_response = json.decode(table.concat(res))
if api_response.role == 'user' then
@ -182,13 +183,14 @@ function auth_password_verify(request, password)
local b, c = https.request {
method = "POST",
url = "https://nginx/api/v1/process/login",
url = "https://nginx:9082",
source = ltn12.source.string(req_json),
headers = {
["content-type"] = "application/json",
["content-length"] = tostring(#req_json)
},
sink = ltn12.sink.table(res)
sink = ltn12.sink.table(res),
insecure = true
}
local api_response = json.decode(table.concat(res))
if api_response.role == 'user' then

View File

@ -0,0 +1,54 @@
<?php
header('Content-Type: application/json');
$post = trim(file_get_contents('php://input'));
if ($post) {
$post = json_decode($post, true);
}
$return = array("success" => false, "role" => false);
if(!isset($post['username']) || !isset($post['password'])){
echo json_encode($return);
exit();
}
require_once('../../../web/inc/vars.inc.php');
if (file_exists('../../../web/inc/vars.local.inc.php')) {
include_once('../../../web/inc/vars.local.inc.php');
}
require_once '../../../web/inc/lib/vendor/autoload.php';
// Do not show errors, we log to using error_log
ini_set('error_reporting', 0);
// Init database
//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
$opt = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
try {
$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
}
catch (PDOException $e) {
error_log("MAILCOWAUTH: " . $e . PHP_EOL);
http_response_code(501);
exit;
}
// Load core functions first
require_once 'functions.inc.php';
require_once 'functions.auth.inc.php';
require_once 'sessions.inc.php';
// Init Keycloak Provider
$iam_provider = identity_provider('init');
$result = check_login($post['username'], $post['password'], $post['protocol'], true);
if ($result) {
$return = array("success" => true, "role" => $result);
}
echo json_encode($return);
exit();

View File

@ -0,0 +1,23 @@
server {
listen 9082 ssl http2;
ssl_certificate /etc/ssl/mail/cert.pem;
ssl_certificate_key /etc/ssl/mail/key.pem;
index mailcowauth.php;
server_name _;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /mailcowauth;
client_max_body_size 10M;
location ~ \.php$ {
client_max_body_size 10M;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9001;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}

View File

@ -9,7 +9,7 @@ function unset_auth_session(){
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_methods']);
}
function check_login($user, $pass, $app_passwd_data = false) {
function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
global $pdo;
global $redis;
@ -35,12 +35,6 @@ function check_login($user, $pass, $app_passwd_data = false) {
}
// Validate mailbox user
// skip log & ldelay if requests comes from dovecot
$is_dovecot = false;
$request_ip = $_SERVER['REMOTE_ADDR'];
if ($request_ip == getenv('IPV4_NETWORK').'.250'){
$is_dovecot = true;
}
// check authsource
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
@ -54,9 +48,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
// mbox does not exist, call keycloak login and create mbox if possible
$identity_provider_settings = identity_provider('get');
if ($identity_provider_settings['login_flow'] == 'ropc'){
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
} else {
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
}
if ($result){
return $result;
@ -64,7 +58,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
} else if ($row['authsource'] == 'keycloak'){
if ($app_passwd_data){
// first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
@ -72,9 +66,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
$identity_provider_settings = identity_provider('get');
if ($identity_provider_settings['login_flow'] == 'ropc'){
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
} else {
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
}
if ($result){
return $result;
@ -82,21 +76,20 @@ function check_login($user, $pass, $app_passwd_data = false) {
} else {
if ($app_passwd_data){
// first check if password is app_password
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
}
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
if ($result){
return $result;
}
}
// skip log and only return false
// netfilter uses dovecot error log for banning
if ($is_dovecot){
// skip log and only return false if it's an internal request
if ($is_internal){
return false;
}
if (!isset($_SESSION['ldelay'])) {

View File

@ -2214,6 +2214,25 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
return true;
break;
case "init":
$identity_provider_settings = identity_provider('get');
$provider = null;
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $identity_provider_settings['server_url'],
'realm' => $identity_provider_settings['realm'],
'clientId' => $identity_provider_settings['client_id'],
'clientSecret' => $identity_provider_settings['client_secret'],
'redirectUri' => $identity_provider_settings['redirect_url'],
'version' => $identity_provider_settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
}
return $provider;
break;
}
}

View File

@ -179,22 +179,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
// Init Keycloak Provider
$identity_provider_settings = identity_provider('get');
$keycloak_provider = null;
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
$keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $identity_provider_settings['server_url'],
'realm' => $identity_provider_settings['realm'],
'clientId' => $identity_provider_settings['client_id'],
'clientSecret' => $identity_provider_settings['client_secret'],
'redirectUri' => $identity_provider_settings['redirect_url'],
'version' => $identity_provider_settings['version'],
// 'encryptionAlgorithm' => 'RS256', // optional
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
}
$keycloak_provider = identity_provider('init');
// IMAP lib
// use Ddeboer\Imap\Server;

View File

@ -401,26 +401,6 @@ if (isset($_GET['query'])) {
);
echo json_encode($return);
break;
case "login":
header('Content-Type: application/json');
$post = trim(file_get_contents('php://input'));
if ($post) {
$post = json_decode($post, true);
}
$return = array("success" => false, "role" => false);
if(!isset($post['username']) || !isset($post['password'])){
echo json_encode($return);
return;
}
$result = check_login($post['username'], $post['password'], $post['protocol']);
if ($result) {
$return = array("success" => true, "role" => $result);
}
echo json_encode($return);
return;
break;
}
break;
case "get":

View File

@ -120,6 +120,10 @@ services:
- ./data/web:/web:z
- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
- ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
- ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
- ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
- ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
- ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
- rspamd-vol-1:/var/lib/rspamd
- mysql-socket-vol-1:/var/run/mysqld/
- ./data/conf/sogo/:/etc/sogo/:z
@ -389,6 +393,10 @@ services:
- ./data/assets/ssl/:/etc/ssl/mail/:ro,z
- ./data/conf/nginx/:/etc/nginx/conf.d/:z
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
- ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
- ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
- ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
- ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
ports:
- "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"

View File

@ -258,7 +258,7 @@ DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
# IMPORTANT: Do not use port 8081, 9081, 9082 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/