Merge pull request #2360 from mhofer117/allow-admin-email-login

Allow admins to login as email user (without any password)
2019-02-24 18:49:13 +01:00 · 2019-02-24 18:49:13 +01:00 · 298a8d24e9
parent 108e808d06 4482aee747
commit 298a8d24e9
12 changed files with 1105 additions and 991 deletions
--- a/.gitignore
+++ b/.gitignore
@ -24,6 +24,7 @@ data/conf/nginx/*.custom
 data/conf/nginx/*.bak
 data/conf/dovecot/acl_anyone
 data/conf/dovecot/mail_plugins*
+data/conf/dovecot/sogo-sso.conf
 data/conf/dovecot/extra.conf
 data/conf/rspamd/custom/*
 data/conf/portainer/
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@ -118,6 +118,17 @@ default_pass_scheme = SSHA256
 password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
 EOF

+if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
+passdb {
+  driver = static
+  args = password= allow_real_nets=${IPV4_NETWORK}.248/32
+}
+EOF
+else
+    rm -f /usr/local/etc/dovecot/sogo-sso.conf
+fi
+
 # Create global sieve_after script
 cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve

--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@ -389,4 +389,5 @@ auth_cache_negative_ttl = 0
 auth_cache_ttl = 30 s
 auth_cache_size = 2 M
 !include_try /usr/local/etc/dovecot/extra.conf
+!include_try /usr/local/etc/dovecot/sogo-sso.conf
 default_client_limit = 10400
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@ -164,6 +164,17 @@ server {
    client_max_body_size 0;
  }

+  # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
+  location /sogo-auth-verify {
+    internal;
+    proxy_set_header  X-Original-URI $request_uri;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  Host $http_host;
+    proxy_set_header  Content-Length "";
+    proxy_pass        http://127.0.0.1:80/sogo-auth;
+    proxy_pass_request_body off;
+  }
+
  location ^~ /SOGo {
    include /etc/nginx/conf.d/sogo.active;
    proxy_set_header X-Real-IP $remote_addr;
--- a/data/conf/nginx/templates/sogo.auth_request.template.sh
+++ b/data/conf/nginx/templates/sogo.auth_request.template.sh
@ -0,0 +1,6 @@
+if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
+    echo 'auth_request /sogo-auth-verify;
+auth_request_set $user $upstream_http_x_username;
+proxy_set_header x-webobjects-remote-user $user;
+'
+fi
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@ -83,4 +83,6 @@
  //SOGoUIxDebugEnabled = YES;
  //WODontZipResponse = YES;
    WOLogFile = "/dev/sogo_log";
+
+    SOGoTrustProxyAuthentication = YES;
 }
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
--- a/data/web/mailbox.php
+++ b/data/web/mailbox.php
@ -348,6 +348,11 @@ $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? 'true' : 'false';
 echo "var role = '". $role . "';\n";
 echo "var is_dual = " . $is_dual . ";\n";
 echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
+$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
+	"/^([yY][eE][sS]|[yY])+$/",
+    $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
+)) ? "true" : "false";
+echo "var ALLOW_ADMIN_EMAIL_LOGIN = " . $ALLOW_ADMIN_EMAIL_LOGIN . ";\n";
 ?>
 </script>
 <?php
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@ -0,0 +1,64 @@
+<?php
+
+/**
+* currently disabled: we could add auth_request to ningx sogo_eas.template
+* but this seems to be not required with the postfix allow_real_nets option
+*/
+/*
+if (substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 28) === "/Microsoft-Server-ActiveSync") {
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+
+  $server=print_r($_SERVER, true);
+  $username = $_SERVER['PHP_AUTH_USER'];
+  $password = $_SERVER['PHP_AUTH_PW'];
+  $login_check = check_login($username, $password);
+  if ($login_check !== 'user') {
+      header('HTTP/1.0 401 Unauthorized');
+      echo 'Invalid login';
+      exit;
+  } else {
+      echo 'Login OK';
+      exit;
+  }
+} else {
+  // other code
+}
+*/
+
+$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
+  "/^([yY][eE][sS]|[yY])+$/",
+  $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
+));
+
+$session_variable = 'sogo-sso-user';
+
+if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
+  header("Location: /");
+  exit;
+}
+elseif (isset($_GET['login'])) {
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['acl']['login_as'] == "1") {
+    $login = html_entity_decode(rawurldecode($_GET["login"]));
+    if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
+      if (!empty(mailbox('get', 'mailbox_details', $login))) {
+        $_SESSION[$session_variable] = $login;
+        header("Location: /SOGo/");
+        exit;
+      }
+    }
+  }
+  header("Location: /");
+  exit;
+}
+else {
+  // this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
+  session_start();
+  $username = "";
+  if (isset($_SESSION[$session_variable]) && filter_var($_SESSION[$session_variable], FILTER_VALIDATE_EMAIL)) {
+      $username = $_SESSION[$session_variable];
+  }
+  // if username is empty, SOGo will display the normal login form
+  header("X-Username: $username");
+  exit;
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -130,6 +130,7 @@ services:
        - API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
        - SKIP_SOLR=${SKIP_SOLR:-y}
+        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
@ -185,6 +186,8 @@ services:
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - TZ=${TZ}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-1440}
        - ACL_ANYONE=${ACL_ANYONE:-disallow}
        - SKIP_SOLR=${SKIP_SOLR:-y}
@ -260,7 +263,8 @@ services:
      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
        envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
        envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
-        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
+        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo.active &&
+        envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo.active &&
        envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
        nginx -qt &&
        until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
@ -274,6 +278,7 @@ services:
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - TZ=${TZ}
+        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      volumes:
        - ./data/web:/web:ro
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro
--- a/generate_config.sh
+++ b/generate_config.sh
@ -200,6 +200,10 @@ SOLR_HEAP=1024

 USE_WATCHDOG=n

+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
 # Send notifications by mail (no DKIM signature, sent from watchdog@MAILCOW_HOSTNAME)
 # Can by multiple rcpts, NO quotation marks

--- a/update.sh
+++ b/update.sh
@ -130,6 +130,7 @@ CONFIG_ARRAY=(
  "ACL_ANYONE"
  "SOLR_HEAP"
  "SKIP_SOLR"
+  "ALLOW_ADMIN_EMAIL_LOGIN"
 )

 sed -i '$a\' mailcow.conf