From f6869da3a02b937d8f498476be1d7e95ab418e33 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Sun, 12 Mar 2023 19:08:09 +0100 Subject: [PATCH] [Web] manage keycloak identity provider --- data/web/admin.php | 3 + data/web/inc/functions.inc.php | 68 +++++++++++++++++++ data/web/inc/init_db.inc.php | 14 ++++ data/web/inc/prerequisites.inc.php | 18 +++++ data/web/json_api.php | 4 ++ data/web/templates/admin.twig | 2 + .../admin/tab-config-identity-providers.twig | 58 ++++++++++++++++ 7 files changed, 167 insertions(+) create mode 100644 data/web/templates/admin/tab-config-identity-providers.twig diff --git a/data/web/admin.php b/data/web/admin.php index d0fcbc992..278ab61b8 100644 --- a/data/web/admin.php +++ b/data/web/admin.php @@ -86,6 +86,8 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']); $f2b_data = fail2ban('get'); +// identity provider +$identity_provider_settings = identity_provider('get'); $template = 'admin.twig'; $template_data = [ @@ -117,6 +119,7 @@ $template_data = [ 'show_rspamd_global_filters' => @$_SESSION['show_rspamd_global_filters'], 'cors_settings' => $cors_settings, 'is_https' => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on', + 'identity_provider_settings' => $identity_provider_settings, 'lang_admin' => json_encode($lang['admin']), 'lang_datatables' => json_encode($lang['datatables']) ]; diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 28cdc1797..11e0b5053 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -2067,6 +2067,74 @@ function uuid4() { return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4)); } +function identity_provider($_action, $_data = null) { + global $pdo; + + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'access_denied' + ); + return false; + } + + switch ($_action) { + case 'get': + $settings = array(); + $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); + $stmt->execute(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + foreach($rows as $row){ + $settings[$row["key"]] = $row["value"]; + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $settings), + 'msg' => 'admin_api_modified' + ); + return $settings; + case 'edit': + $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version'); + foreach($required_settings as $setting){ + if (!$_data[$setting]){ + return false; + } + } + try { + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => '2' + ); + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => '3' + ); + } catch (Exception $e){ + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $_data, $e->getMessage()), + 'msg' => 'post' + ); + return; + } + + foreach($_data as $key => $value){ + if (!in_array($key, $required_settings)){ + continue; + } + + $stmt->bindParam(':key', $key); + $stmt->bindParam(':value', $value); + $stmt->execute(); + } + return true; + break; + } +} function get_logs($application, $lines = false) { if ($lines === false) { diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index f7bd86d2d..5cfb1cd62 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -568,6 +568,20 @@ function init_db_schema() { ), "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" ), + "identity_provider" => array( + "cols" => array( + "key" => "VARCHAR(255) NOT NULL", + "value" => "VARCHAR(255) NOT NULL", + "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)", + "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP" + ), + "keys" => array( + "primary" => array( + "" => array("key") + ) + ), + "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" + ), "logs" => array( "cols" => array( "id" => "INT NOT NULL AUTO_INCREMENT", diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index 1a18ba92c..eac35be77 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -180,6 +180,24 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php'; require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php'; require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php'; +// Init Keycloak Provider +$identity_provider_settings = identity_provider('get'); +$keycloak_provider = null; +if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] && + $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){ + $keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ + 'authServerUrl' => $identity_provider_settings['server_url'], + 'realm' => $identity_provider_settings['realm'], + 'clientId' => $identity_provider_settings['client_id'], + 'clientSecret' => $identity_provider_settings['client_secret'], + 'redirectUri' => $identity_provider_settings['redirect_url'], + 'version' => $identity_provider_settings['version'], + // 'encryptionAlgorithm' => 'RS256', // optional + // 'encryptionKeyPath' => '../key.pem' // optional + // 'encryptionKey' => 'contents_of_key_or_certificate' // optional + ]); +} + // IMAP lib // use Ddeboer\Imap\Server; // $imap_server = new Server('dovecot', 143, '/imap/tls/novalidate-cert'); diff --git a/data/web/json_api.php b/data/web/json_api.php index 0b80bafd9..769775cee 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -1710,6 +1710,8 @@ if (isset($_GET['query'])) { if ($score) $score = array("score" => preg_replace("/\s+/", "", $score)); process_get_return($score); + case "identity_provider": + process_get_return(identity_provider('get')); break; break; // return no route found if no case is matched @@ -2082,6 +2084,8 @@ if (isset($_GET['query'])) { break; case "cors": process_edit_return(cors('edit', $attr)); + case "identity_provider": + process_edit_return(identity_provider('edit', $attr)); break; // return no route found if no case is matched default: diff --git a/data/web/templates/admin.twig b/data/web/templates/admin.twig index 33f2422b5..53fdeadc1 100644 --- a/data/web/templates/admin.twig +++ b/data/web/templates/admin.twig @@ -7,6 +7,7 @@