mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2024-12-23 02:04:46 +02:00
[Web] move /process/login to internal endpoint
This commit is contained in:
parent
f0689e08d9
commit
dca5f1baab
1
.gitignore
vendored
1
.gitignore
vendored
@ -69,3 +69,4 @@ rebuild-images.sh
|
|||||||
refresh_images.sh
|
refresh_images.sh
|
||||||
update_diffs/
|
update_diffs/
|
||||||
create_cold_standby.sh
|
create_cold_standby.sh
|
||||||
|
!data/conf/nginx/mailcow_auth.conf
|
||||||
|
@ -152,13 +152,14 @@ function auth_password_verify(request, password)
|
|||||||
-- check against mailbox passwds
|
-- check against mailbox passwds
|
||||||
local b, c = https.request {
|
local b, c = https.request {
|
||||||
method = "POST",
|
method = "POST",
|
||||||
url = "https://nginx/api/v1/process/login",
|
url = "https://nginx:9082",
|
||||||
source = ltn12.source.string(req_json),
|
source = ltn12.source.string(req_json),
|
||||||
headers = {
|
headers = {
|
||||||
["content-type"] = "application/json",
|
["content-type"] = "application/json",
|
||||||
["content-length"] = tostring(#req_json)
|
["content-length"] = tostring(#req_json)
|
||||||
},
|
},
|
||||||
sink = ltn12.sink.table(res)
|
sink = ltn12.sink.table(res),
|
||||||
|
insecure = true
|
||||||
}
|
}
|
||||||
local api_response = json.decode(table.concat(res))
|
local api_response = json.decode(table.concat(res))
|
||||||
if api_response.role == 'user' then
|
if api_response.role == 'user' then
|
||||||
@ -182,13 +183,14 @@ function auth_password_verify(request, password)
|
|||||||
|
|
||||||
local b, c = https.request {
|
local b, c = https.request {
|
||||||
method = "POST",
|
method = "POST",
|
||||||
url = "https://nginx/api/v1/process/login",
|
url = "https://nginx:9082",
|
||||||
source = ltn12.source.string(req_json),
|
source = ltn12.source.string(req_json),
|
||||||
headers = {
|
headers = {
|
||||||
["content-type"] = "application/json",
|
["content-type"] = "application/json",
|
||||||
["content-length"] = tostring(#req_json)
|
["content-length"] = tostring(#req_json)
|
||||||
},
|
},
|
||||||
sink = ltn12.sink.table(res)
|
sink = ltn12.sink.table(res),
|
||||||
|
insecure = true
|
||||||
}
|
}
|
||||||
local api_response = json.decode(table.concat(res))
|
local api_response = json.decode(table.concat(res))
|
||||||
if api_response.role == 'user' then
|
if api_response.role == 'user' then
|
||||||
|
54
data/conf/dovecot/auth/mailcowauth.php
Normal file
54
data/conf/dovecot/auth/mailcowauth.php
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
<?php
|
||||||
|
header('Content-Type: application/json');
|
||||||
|
|
||||||
|
$post = trim(file_get_contents('php://input'));
|
||||||
|
if ($post) {
|
||||||
|
$post = json_decode($post, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
$return = array("success" => false, "role" => false);
|
||||||
|
if(!isset($post['username']) || !isset($post['password'])){
|
||||||
|
echo json_encode($return);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once('../../../web/inc/vars.inc.php');
|
||||||
|
if (file_exists('../../../web/inc/vars.local.inc.php')) {
|
||||||
|
include_once('../../../web/inc/vars.local.inc.php');
|
||||||
|
}
|
||||||
|
require_once '../../../web/inc/lib/vendor/autoload.php';
|
||||||
|
|
||||||
|
// Do not show errors, we log to using error_log
|
||||||
|
ini_set('error_reporting', 0);
|
||||||
|
// Init database
|
||||||
|
//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
|
||||||
|
$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
|
||||||
|
$opt = [
|
||||||
|
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
|
||||||
|
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
|
||||||
|
PDO::ATTR_EMULATE_PREPARES => false,
|
||||||
|
];
|
||||||
|
try {
|
||||||
|
$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
|
||||||
|
}
|
||||||
|
catch (PDOException $e) {
|
||||||
|
error_log("MAILCOWAUTH: " . $e . PHP_EOL);
|
||||||
|
http_response_code(501);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Load core functions first
|
||||||
|
require_once 'functions.inc.php';
|
||||||
|
require_once 'functions.auth.inc.php';
|
||||||
|
require_once 'sessions.inc.php';
|
||||||
|
|
||||||
|
// Init Keycloak Provider
|
||||||
|
$iam_provider = identity_provider('init');
|
||||||
|
|
||||||
|
$result = check_login($post['username'], $post['password'], $post['protocol'], true);
|
||||||
|
if ($result) {
|
||||||
|
$return = array("success" => true, "role" => $result);
|
||||||
|
}
|
||||||
|
|
||||||
|
echo json_encode($return);
|
||||||
|
exit();
|
23
data/conf/nginx/mailcow_auth.conf
Normal file
23
data/conf/nginx/mailcow_auth.conf
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
server {
|
||||||
|
listen 9082 ssl http2;
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/mail/cert.pem;
|
||||||
|
ssl_certificate_key /etc/ssl/mail/key.pem;
|
||||||
|
|
||||||
|
index mailcowauth.php;
|
||||||
|
server_name _;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
root /mailcowauth;
|
||||||
|
client_max_body_size 10M;
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
client_max_body_size 10M;
|
||||||
|
try_files $uri =404;
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_pass phpfpm:9001;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
|
}
|
||||||
|
}
|
@ -9,7 +9,7 @@ function unset_auth_session(){
|
|||||||
unset($_SESSION['pending_mailcow_cc_role']);
|
unset($_SESSION['pending_mailcow_cc_role']);
|
||||||
unset($_SESSION['pending_tfa_methods']);
|
unset($_SESSION['pending_tfa_methods']);
|
||||||
}
|
}
|
||||||
function check_login($user, $pass, $app_passwd_data = false) {
|
function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
|
||||||
global $pdo;
|
global $pdo;
|
||||||
global $redis;
|
global $redis;
|
||||||
|
|
||||||
@ -35,12 +35,6 @@ function check_login($user, $pass, $app_passwd_data = false) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Validate mailbox user
|
// Validate mailbox user
|
||||||
// skip log & ldelay if requests comes from dovecot
|
|
||||||
$is_dovecot = false;
|
|
||||||
$request_ip = $_SERVER['REMOTE_ADDR'];
|
|
||||||
if ($request_ip == getenv('IPV4_NETWORK').'.250'){
|
|
||||||
$is_dovecot = true;
|
|
||||||
}
|
|
||||||
// check authsource
|
// check authsource
|
||||||
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
|
$stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
|
||||||
INNER JOIN domain on mailbox.domain = domain.domain
|
INNER JOIN domain on mailbox.domain = domain.domain
|
||||||
@ -54,9 +48,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
|
|||||||
// mbox does not exist, call keycloak login and create mbox if possible
|
// mbox does not exist, call keycloak login and create mbox if possible
|
||||||
$identity_provider_settings = identity_provider('get');
|
$identity_provider_settings = identity_provider('get');
|
||||||
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
||||||
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
|
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
|
||||||
} else {
|
} else {
|
||||||
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
|
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
|
||||||
}
|
}
|
||||||
if ($result){
|
if ($result){
|
||||||
return $result;
|
return $result;
|
||||||
@ -64,7 +58,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
|
|||||||
} else if ($row['authsource'] == 'keycloak'){
|
} else if ($row['authsource'] == 'keycloak'){
|
||||||
if ($app_passwd_data){
|
if ($app_passwd_data){
|
||||||
// first check if password is app_password
|
// first check if password is app_password
|
||||||
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
|
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
|
||||||
if ($result){
|
if ($result){
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
@ -72,9 +66,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
|
|||||||
|
|
||||||
$identity_provider_settings = identity_provider('get');
|
$identity_provider_settings = identity_provider('get');
|
||||||
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
if ($identity_provider_settings['login_flow'] == 'ropc'){
|
||||||
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
|
$result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
|
||||||
} else {
|
} else {
|
||||||
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
|
$result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
|
||||||
}
|
}
|
||||||
if ($result){
|
if ($result){
|
||||||
return $result;
|
return $result;
|
||||||
@ -82,21 +76,20 @@ function check_login($user, $pass, $app_passwd_data = false) {
|
|||||||
} else {
|
} else {
|
||||||
if ($app_passwd_data){
|
if ($app_passwd_data){
|
||||||
// first check if password is app_password
|
// first check if password is app_password
|
||||||
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
|
$result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
|
||||||
if ($result){
|
if ($result){
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
|
$result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
|
||||||
if ($result){
|
if ($result){
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// skip log and only return false
|
// skip log and only return false if it's an internal request
|
||||||
// netfilter uses dovecot error log for banning
|
if ($is_internal){
|
||||||
if ($is_dovecot){
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!isset($_SESSION['ldelay'])) {
|
if (!isset($_SESSION['ldelay'])) {
|
||||||
|
@ -2214,6 +2214,25 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
|
|||||||
|
|
||||||
return true;
|
return true;
|
||||||
break;
|
break;
|
||||||
|
case "init":
|
||||||
|
$identity_provider_settings = identity_provider('get');
|
||||||
|
$provider = null;
|
||||||
|
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
|
||||||
|
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
|
||||||
|
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
|
||||||
|
'authServerUrl' => $identity_provider_settings['server_url'],
|
||||||
|
'realm' => $identity_provider_settings['realm'],
|
||||||
|
'clientId' => $identity_provider_settings['client_id'],
|
||||||
|
'clientSecret' => $identity_provider_settings['client_secret'],
|
||||||
|
'redirectUri' => $identity_provider_settings['redirect_url'],
|
||||||
|
'version' => $identity_provider_settings['version'],
|
||||||
|
// 'encryptionAlgorithm' => 'RS256', // optional
|
||||||
|
// 'encryptionKeyPath' => '../key.pem' // optional
|
||||||
|
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
return $provider;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -179,22 +179,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
|
|||||||
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
|
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
|
||||||
|
|
||||||
// Init Keycloak Provider
|
// Init Keycloak Provider
|
||||||
$identity_provider_settings = identity_provider('get');
|
$keycloak_provider = identity_provider('init');
|
||||||
$keycloak_provider = null;
|
|
||||||
if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
|
|
||||||
$identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
|
|
||||||
$keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
|
|
||||||
'authServerUrl' => $identity_provider_settings['server_url'],
|
|
||||||
'realm' => $identity_provider_settings['realm'],
|
|
||||||
'clientId' => $identity_provider_settings['client_id'],
|
|
||||||
'clientSecret' => $identity_provider_settings['client_secret'],
|
|
||||||
'redirectUri' => $identity_provider_settings['redirect_url'],
|
|
||||||
'version' => $identity_provider_settings['version'],
|
|
||||||
// 'encryptionAlgorithm' => 'RS256', // optional
|
|
||||||
// 'encryptionKeyPath' => '../key.pem' // optional
|
|
||||||
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
|
|
||||||
]);
|
|
||||||
}
|
|
||||||
|
|
||||||
// IMAP lib
|
// IMAP lib
|
||||||
// use Ddeboer\Imap\Server;
|
// use Ddeboer\Imap\Server;
|
||||||
|
@ -401,26 +401,6 @@ if (isset($_GET['query'])) {
|
|||||||
);
|
);
|
||||||
echo json_encode($return);
|
echo json_encode($return);
|
||||||
break;
|
break;
|
||||||
case "login":
|
|
||||||
header('Content-Type: application/json');
|
|
||||||
$post = trim(file_get_contents('php://input'));
|
|
||||||
if ($post) {
|
|
||||||
$post = json_decode($post, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
$return = array("success" => false, "role" => false);
|
|
||||||
if(!isset($post['username']) || !isset($post['password'])){
|
|
||||||
echo json_encode($return);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
$result = check_login($post['username'], $post['password'], $post['protocol']);
|
|
||||||
if ($result) {
|
|
||||||
$return = array("success" => true, "role" => $result);
|
|
||||||
}
|
|
||||||
|
|
||||||
echo json_encode($return);
|
|
||||||
return;
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case "get":
|
case "get":
|
||||||
|
@ -120,6 +120,10 @@ services:
|
|||||||
- ./data/web:/web:z
|
- ./data/web:/web:z
|
||||||
- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
|
- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
|
||||||
- ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
|
- ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
|
||||||
|
- ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
|
||||||
|
- ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
|
||||||
|
- ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
|
||||||
|
- ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
|
||||||
- rspamd-vol-1:/var/lib/rspamd
|
- rspamd-vol-1:/var/lib/rspamd
|
||||||
- mysql-socket-vol-1:/var/run/mysqld/
|
- mysql-socket-vol-1:/var/run/mysqld/
|
||||||
- ./data/conf/sogo/:/etc/sogo/:z
|
- ./data/conf/sogo/:/etc/sogo/:z
|
||||||
@ -389,6 +393,10 @@ services:
|
|||||||
- ./data/assets/ssl/:/etc/ssl/mail/:ro,z
|
- ./data/assets/ssl/:/etc/ssl/mail/:ro,z
|
||||||
- ./data/conf/nginx/:/etc/nginx/conf.d/:z
|
- ./data/conf/nginx/:/etc/nginx/conf.d/:z
|
||||||
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
|
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
|
||||||
|
- ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
|
||||||
|
- ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
|
||||||
|
- ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
|
||||||
|
- ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
|
||||||
- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
|
- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
|
||||||
ports:
|
ports:
|
||||||
- "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
|
- "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
|
||||||
|
@ -258,7 +258,7 @@ DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
|||||||
# Might be important: This will also change the binding within the container.
|
# Might be important: This will also change the binding within the container.
|
||||||
# If you use a proxy within Docker, point it to the ports you set below.
|
# If you use a proxy within Docker, point it to the ports you set below.
|
||||||
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
|
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
|
||||||
# IMPORTANT: Do not use port 8081, 9081 or 65510!
|
# IMPORTANT: Do not use port 8081, 9081, 9082 or 65510!
|
||||||
# Example: HTTP_BIND=1.2.3.4
|
# Example: HTTP_BIND=1.2.3.4
|
||||||
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
|
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
|
||||||
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
|
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
|
||||||
|
Loading…
Reference in New Issue
Block a user