Merge pull request #2373 from mhofer117/allow-admin-email-login

always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled

data/conf/nginx/site.conf

@@ -142,7 +142,19 @@ server {
     try_files /autoconfig.php =404;
   }
 
+  # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
+  location /sogo-auth-verify {
+    internal;
+    proxy_set_header  X-Original-URI $request_uri;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  Host $http_host;
+    proxy_set_header  Content-Length "";
+    proxy_pass        http://127.0.0.1:80/sogo-auth;
+    proxy_pass_request_body off;
+  }
+
   location ^~ /Microsoft-Server-ActiveSync {
+    include /etc/nginx/conf.d/sogo_proxy_auth.active;
     include /etc/nginx/conf.d/sogo_eas.active;
     proxy_connect_timeout 4000;
     proxy_next_upstream timeout error;
@@ -164,34 +176,9 @@ server {
     client_max_body_size 0;
   }
 
-  # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
-  location /sogo-auth-verify {
-    internal;
-    proxy_set_header  X-Original-URI $request_uri;
-    proxy_set_header  X-Real-IP $remote_addr;
-    proxy_set_header  Host $http_host;
-    proxy_set_header  Content-Length "";
-    proxy_pass        http://127.0.0.1:80/sogo-auth;
-    proxy_pass_request_body off;
-  }
-
   location ^~ /SOGo {
-    include /etc/nginx/conf.d/sogo_main.active;
+    include /etc/nginx/conf.d/sogo_proxy_auth.active;
-    proxy_set_header X-Real-IP $remote_addr;
+    include /etc/nginx/conf.d/sogo.active;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $http_host;
-    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
-    proxy_set_header x-webobjects-remote-host $remote_addr;
-    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
-    proxy_set_header x-webobjects-server-port $server_port;
-    client_body_buffer_size 128k;
-    client_max_body_size 0;
-    break;
-  }
-
-  location ^~ /SOGo/dav {
-    include /etc/nginx/conf.d/sogo_dav.active;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;

data/web/sogo-auth.php

@@ -8,11 +8,31 @@ $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
 $session_var_user = 'sogo-sso-user';
 $session_var_pass = 'sogo-sso-pass';
 
+// prevent if feature is disabled
 if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
-  header('HTTP/1.0 401 Forbidden');
+  header('HTTP/1.0 403 Forbidden');
   echo "this feature is disabled";
   exit;
 }
+// validate credentials for basic auth requests
+elseif (isset($_SERVER['PHP_AUTH_USER'])) {
+  // load prerequisites only when required
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  $username = $_SERVER['PHP_AUTH_USER'];
+  $password = $_SERVER['PHP_AUTH_PW'];
+  $login_check = check_login($username, $password);
+  if ($login_check === 'user') {
+    header("X-User: $username");
+    header("X-Auth: Basic ".base64_encode("$username:$password"));
+    header("X-Auth-Type: Basic");
+    exit;
+  } else {
+    header('HTTP/1.0 401 Unauthorized');
+    echo 'Invalid login';
+    exit;
+  }
+}
+// check permissions and redirect for direct GET ?login=xy requests
 elseif (isset($_GET['login'])) {
   // load prerequisites only when required
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
@@ -32,10 +52,14 @@ elseif (isset($_GET['login'])) {
       }
     }
   }
-  header('HTTP/1.0 401 Forbidden');
+  header('HTTP/1.0 403 Forbidden');
   exit;
 }
-else {
+// do not check for admin-login / sogo-sso for EAS and DAV requests, SOGo can check auth itself if no authorization header is set
+elseif (
+  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 28), "/Microsoft-Server-ActiveSync") !== 0 &&
+  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/dav") !== 0
+) {
   // this is an nginx auth_request call, we check for existing sogo-sso session variables
   session_start();
   if (isset($_SESSION[$session_var_user]) && filter_var($_SESSION[$session_var_user], FILTER_VALIDATE_EMAIL)) {

docker-compose.yml

@@ -268,10 +268,9 @@ services:
       command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
         envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
         envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
-        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_main.active &&
+        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
-        envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo_main.active &&
-        envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo_dav.active &&
         envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
+        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
         nginx -qt &&
         until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
         until ping sogo -c1 > /dev/null; do sleep 1; done &&