mailcow/data/web/sogo-auth.php

<?php

$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
  "/^([yY][eE][sS]|[yY])+$/",
  $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
));

$session_var_user_allowed = 'sogo-sso-user-allowed';
$session_var_pass = 'sogo-sso-pass';

// validate credentials for basic auth requests
if (isset($_SERVER['PHP_AUTH_USER'])) {
  // load prerequisites only when required
  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
  $username = $_SERVER['PHP_AUTH_USER'];
  $password = $_SERVER['PHP_AUTH_PW'];
  $is_eas = false;
  $is_dav = false;
  $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';
  if (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1) {
    $is_dav = true;
  }
  elseif (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {
    $is_eas = true;
  }
  $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
  if ($login_check === 'user') {
    header("X-User: $username");
    header("X-Auth: Basic ".base64_encode("$username:$password"));
    header("X-Auth-Type: Basic");
    exit;
  } else {
    header('HTTP/1.0 401 Unauthorized');
    echo 'Invalid login';
    exit;
  }
}
// check permissions and redirect for direct GET ?login=xy requests
elseif (isset($_GET['login'])) {
  // load prerequisites only when required
  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
  // check if dual_login is active
  $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
  // check permissions (if dual_login is active, deny sso when acl is not given)
  $login = html_entity_decode(rawurldecode($_GET["login"]));
  if (isset($_SESSION['mailcow_cc_role']) &&
    (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
    if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
      if (user_get_alias_details($login) !== false) {
        // load master password
        $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
        // register username and password in session
        $_SESSION[$session_var_user_allowed][] = $login;
        $_SESSION[$session_var_pass] = $sogo_sso_pass;
        // update sasl logs
        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
        $stmt->execute(array(
          ':username' => $login,
          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
        ));
        // redirect to sogo (sogo will get the correct credentials via nginx auth_request
        header("Location: /SOGo/so/${login}");
        exit;
      }
    }
  }
  header('HTTP/1.0 403 Forbidden');
  echo "Forbidden";
  exit;
}
// only check for admin-login on sogo GUI requests
elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {
  // this is an nginx auth_request call, we check for existing sogo-sso session variables
  session_start();
  // extract email address from "/SOGo/so/user@domain/xy"
  $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);
  $email_list = array(
      $url_parts[3],                                // Requested mailbox
      ($_SESSION['mailcow_cc_username'] ?? ''),     // Current user
      ($_SESSION["dual-login"]["username"] ?? ''),  // Dual login user
  );
  foreach($email_list as $email) {
    // check if this email is in session allowed list
    if (
        !empty($email) &&
        filter_var($email, FILTER_VALIDATE_EMAIL) &&
        is_array($_SESSION[$session_var_user_allowed]) &&
        in_array($email, $_SESSION[$session_var_user_allowed])
    ) {
      $username = $email;
      $password = $_SESSION[$session_var_pass];
      header("X-User: $username");
      header("X-Auth: Basic ".base64_encode("$username:$password"));
      header("X-Auth-Type: Basic");
      exit;
    }
  }
}

// if username is empty, SOGo will use the normal login methods / login form
header("X-User: ");
header("X-Auth: ");
header("X-Auth-Type: ");
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-24 00:59:18 +08:00			`<?php`

[Web] Do not allow admin login to mailbox logged in as user while ALLOW_ADMIN_EMAIL_LOGIN is n 2021-07-09 13:43:23 +08:00			`$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(`
			`"/^([yY][eE][sS]\|[yY])+$/",`
			`$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]`
			`));`

allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00			`$session_var_user_allowed = 'sogo-sso-user-allowed';`
add random masterpass for sogo admin login add required headers for sogo proxy auth with password add SOGoEncryptionKey add SOGoTrustProxyAuthentication only conditionally if feature is enabled 2019-02-26 16:02:35 +08:00			`$session_var_pass = 'sogo-sso-pass';`
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-24 00:59:18 +08:00
always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled 2019-02-28 06:06:19 +08:00			`// validate credentials for basic auth requests`
[Dovecot] Re-add listescape... 2021-06-23 20:17:39 +08:00			`if (isset($_SERVER['PHP_AUTH_USER'])) {`
always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled 2019-02-28 06:06:19 +08:00			`// load prerequisites only when required`
			`require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';`
			`$username = $_SERVER['PHP_AUTH_USER'];`
			`$password = $_SERVER['PHP_AUTH_PW'];`
[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-29 03:57:19 +08:00			`$is_eas = false;`
			`$is_dav = false;`
			`$original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';`
			`if (preg_match('/^(\/SOGo\|)\/dav.*/', $original_uri) === 1) {`
			`$is_dav = true;`
			`}`
			`elseif (preg_match('/^(\/SOGo\|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {`
			`$is_eas = true;`
			`}`
[Web] Minor fix 2021-10-29 04:05:28 +08:00			`$login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));`
always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled 2019-02-28 06:06:19 +08:00			`if ($login_check === 'user') {`
			`header("X-User: $username");`
			`header("X-Auth: Basic ".base64_encode("$username:$password"));`
			`header("X-Auth-Type: Basic");`
			`exit;`
			`} else {`
			`header('HTTP/1.0 401 Unauthorized');`
			`echo 'Invalid login';`
			`exit;`
			`}`
			`}`
			`// check permissions and redirect for direct GET ?login=xy requests`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`elseif (isset($_GET['login'])) {`
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-27 03:44:53 +08:00			`// load prerequisites only when required`
Update sogo-auth.php 2019-02-24 07:15:09 +08:00			`require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';`
[Dovecot] Re-add listescape... 2021-06-23 20:17:39 +08:00			`// check if dual_login is active`
			`$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;`
			`// check permissions (if dual_login is active, deny sso when acl is not given)`
			`$login = html_entity_decode(rawurldecode($_GET["login"]));`
			`if (isset($_SESSION['mailcow_cc_role']) &&`
[Web] Fix sogo-auth, fixes #4297 2021-10-25 19:47:25 +08:00			`(($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) \|\| ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`if (filter_var($login, FILTER_VALIDATE_EMAIL)) {`
[Dovecot] Re-add listescape... 2021-06-23 20:17:39 +08:00			`if (user_get_alias_details($login) !== false) {`
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-27 03:44:53 +08:00			`// load master password`
add random masterpass for sogo admin login add required headers for sogo proxy auth with password add SOGoEncryptionKey add SOGoTrustProxyAuthentication only conditionally if feature is enabled 2019-02-26 16:02:35 +08:00			`$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");`
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-27 03:44:53 +08:00			`// register username and password in session`
allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00			`$_SESSION[$session_var_user_allowed][] = $login;`
add random masterpass for sogo admin login add required headers for sogo proxy auth with password add SOGoEncryptionKey add SOGoTrustProxyAuthentication only conditionally if feature is enabled 2019-02-26 16:02:35 +08:00			`$_SESSION[$session_var_pass] = $sogo_sso_pass;`
[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-29 03:57:19 +08:00			`// update sasl logs`
			`$service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';`
			$stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
			`$stmt->execute(array(`
			`':username' => $login,`
[Dovecot, Web] Fix remaining issues of app password enhancements from #4296 2021-10-30 20:34:33 +08:00			`':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])`
[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-29 03:57:19 +08:00			`));`
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-27 03:44:53 +08:00			`// redirect to sogo (sogo will get the correct credentials via nginx auth_request`
allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00			`header("Location: /SOGo/so/${login}");`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`exit;`
			`}`
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-24 00:59:18 +08:00			`}`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`}`
always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled 2019-02-28 06:06:19 +08:00			`header('HTTP/1.0 403 Forbidden');`
[Web] Fix sogo-auth, fixes #4297 2021-10-25 19:47:25 +08:00			`echo "Forbidden";`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`exit;`
			`}`
allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00			`// only check for admin-login on sogo GUI requests`
[Web, Dovecot] Allow to define scope of services for app passwords 2021-10-29 03:57:19 +08:00			`elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {`
remove obsolete code, use openssl instead of `cat /dev/urandom` 2019-02-27 03:44:53 +08:00			`// this is an nginx auth_request call, we check for existing sogo-sso session variables`
Update sogo-auth.php 2019-02-24 07:15:09 +08:00			`session_start();`
allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00			`// extract email address from "/SOGo/so/user@domain/xy"`
			`$url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);`
Jan(moo)uary Update 2022 - Revision A (2022-01a) (#4445) * [API] Fix minor issue in api docs * [GH-Actions][stale] Add neverstale label to exempt list * [Web] add github version tag * [Web] add github version tag error handling * Passwordless SOGo auth: support for calendar invitations and calendar/contacts subscriptions Inviting someone to a calendar event triggers a request to /SOGo/so/otheruser@example.com/freebusy.ifb/ajaxRead. Subscribing to someone's calendar/contacts triggers a request to /SOGo/so/otheruser@example.com/foldersSearch. The email address in the URL is different from the logged-in user, which needs to be handled appropriately by sogo-auth.php. * [Web] add github version tag - adjust css * [Compose] Update SOGo Autoreply Schedule to 5m Based on the advice of inverse (SOGo developer). Thanks to https://github.com/jmber Closes: https://github.com/mailcow/mailcow-dockerized/issues/4436 * [Web] add github version tag - move twig globals * [Web] add github version tag - missing </div> * Passwordless SOGo auth: improvements for when accessing other users * [WebAuthn] fido2 passwordless auth - fix (#4440) * [WebAuthn] fido2 revert * [WebAuthn] set UV flags to 'discouraged' * [WebAuthn] revert - set UV flags to 'discouraged' Co-authored-by: ntimo <git@nowitzki.me> Co-authored-by: Peter <magic@kthx.at> Co-authored-by: FreddleSpl0it <patschul@posteo.de> Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com> Co-authored-by: Michael Kuron <mkuron@users.noreply.github.com> 2022-02-01 22:26:48 +08:00			`$email_list = array(`
			`$url_parts[3], // Requested mailbox`
			`($_SESSION['mailcow_cc_username'] ?? ''), // Current user`
			`($_SESSION["dual-login"]["username"] ?? ''), // Dual login user`
			`);`
			`foreach($email_list as $email) {`
			`// check if this email is in session allowed list`
			`if (`
			`!empty($email) &&`
			`filter_var($email, FILTER_VALIDATE_EMAIL) &&`
			`is_array($_SESSION[$session_var_user_allowed]) &&`
			`in_array($email, $_SESSION[$session_var_user_allowed])`
			`) {`
			`$username = $email;`
			`$password = $_SESSION[$session_var_pass];`
			`header("X-User: $username");`
			`header("X-Auth: Basic ".base64_encode("$username:$password"));`
			`header("X-Auth-Type: Basic");`
			`exit;`
			`}`
Update sogo-auth.php Consistency again. :) I moved the prerequisites require_once to the top, ok? 2019-02-24 05:26:41 +08:00			`}`
add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins 2019-02-24 00:59:18 +08:00			`}`
allow multiple concurrent admin logins 2019-03-02 19:32:10 +08:00
			`// if username is empty, SOGo will use the normal login methods / login form`
			`header("X-User: ");`
			`header("X-Auth: ");`
			`header("X-Auth-Type: ");`