diff --git a/data/web/admin.php b/data/web/admin.php
index 9af7b6449..2081f34a6 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -86,8 +86,6 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo
 $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
 $f2b_data = fail2ban('get');
-// identity provider
-$iam_settings = identity_provider('get');
 // mbox templates
 $mbox_templates = mailbox('get', 'mailbox_templates');
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 323f89e78..0b03eb3ce 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -55,6 +55,7 @@ $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 // Init Identity Provider
 $iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
 $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
 $login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
diff --git a/data/web/edit.php b/data/web/edit.php
index fb7051b4c..b6359d172 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -119,7 +119,6 @@ if (isset($_SESSION['mailcow_cc_role'])) {
 $quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
 $get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
 $rlyhosts = relayhost('get');
- $iam_settings = identity_provider('get');
 $template = 'edit/mailbox.twig';
 $template_data = [
 'acl' => $_SESSION['acl'],
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index a0424f3ed..74cd6d956 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -162,6 +162,8 @@ function domainadmin_login($user, $pass){
 }
 function user_login($user, $pass, $extra = null){
 global $pdo;
+ global $iam_provider;
+ global $iam_settings;
 $is_internal = $extra['is_internal'];
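Review bot: `global $iam_provider;` is declared in user_login, but none of this function's hunks (this one and the three at -186, -202 and -243) read `$iam_provider`; only `$iam_settings` is used, so the declaration appears unused here and can be dropped unless a use sits in lines the diff does not show. The body of user_login continues past the end of the hunk. A short comment on the remaining declaration would tell the next reader where the value comes from: `// snapshot of identity_provider('get') taken by the including script (prerequisites.inc.php / autodiscover.php)`.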
@@ -186,12 +188,11 @@ function user_login($user, $pass, $extra = null){ // user does not exist, try call idp login and create user if possible via rest flow if (!$row){ - $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){ - $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true)); + $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal, 'create' => true)); if ($result !== false) return $result; } else if ($iam_settings['authsource'] == 'ldap') { - $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true)); + $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal, 'create' => true)); if ($result !== false) return $result; } } @@ -202,9 +203,8 @@ function user_login($user, $pass, $extra = null){ switch ($row['authsource']) { case 'keycloak': // user authsource is keycloak, try using via rest flow - $iam_settings = identity_provider('get'); if (intval($iam_settings['mailpassword_flow']) == 1){ - $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal)); + $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal)); if ($result !== false) { // check for tfa authenticators $authenticators = get_tfa($user); @@ -243,8 +243,7 @@ function user_login($user, $pass, $extra = null){ break; case 'ldap': // user authsource is ldap - $iam_settings = identity_provider('get'); - $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal)); + $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal)); if ($result !== false) { // check for tfa authenticators $authenticators = get_tfa($user); 
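Review bot: The three hunks in user_login now read the global `$iam_settings` where they previously fetched it, and in this diff the value is assigned only by the including scripts (prerequisites.inc.php and autodiscover.php); an entry point that loads functions.auth.inc.php without one of them leaves `$iam_settings` null, so `$iam_settings['authsource']` matches nothing and IdP-backed logins fail with no indication of why. That is fail-closed, but it surfaces as a PHP warning on a null offset rather than as a configuration error. A guard at the top of user_login (which begins outside this hunk) would make the dependency explicit: `if (!is_array($iam_settings)) { $iam_settings = identity_provider('get'); }`. The same applies to keycloak_mbox_login_rest and ldap_mbox_login in the next hunks, which take on the same global dependency.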
@@ -397,8 +396,10 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){ // Keycloak REST Api Flow - auth user by mailcow_password attribute // This password will be used for direct UI, IMAP and SMTP Auth // To use direct user credentials, only Authorization Code Flow is valid -function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){ +function keycloak_mbox_login_rest($user, $pass, $extra = null){ global $pdo; + global $iam_provider; + global $iam_settings; $is_internal = $extra['is_internal']; $create = $extra['create']; @@ -474,10 +475,11 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){ return 'user'; } -function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){ +function ldap_mbox_login($user, $pass, $extra = null){ global $pdo; + global $iam_provider; + global $iam_settings; - $iam_provider = identity_provider(); $is_internal = $extra['is_internal']; $create = $extra['create']; diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index fc703c353..c7cab469d 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1072,6 +1072,8 @@ function set_tfa($_data) { global $pdo; global $yubi; global $tfa; + global $iam_settings; + $_data_log = $_data; $access_denied = null; !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; @@ -1100,7 +1102,6 @@ function set_tfa($_data) { $row = $stmt->fetch(PDO::FETCH_ASSOC); if ($row) { if ($row['authsource'] == 'ldap'){ - $iam_settings = identity_provider('get'); if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true; else $access_denied = false; } else { 
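Review bot: set_tfa still calls `ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)` while the signature in the hunk above drops the `$iam_settings` parameter, so the settings row (which carries `bindpass`) is now passed as `$extra`, and `$extra['is_internal']` / `$extra['create']` read keys that do not exist in it. The observable result is probably the same as before (both the old null `$extra` and the misplaced array yield null for those keys), but the call is wrong and should become `if (!ldap_mbox_login($username, $_data["confirm_password"])) $access_denied = true;`. ldap_mbox_login also replaces its lazily initialised `identity_provider()` call with the global `$iam_provider`; when init returned null because the LDAP settings were incomplete, the function now proceeds with a null provider, and since the rest of its body is outside the hunk it is worth checking that it fails closed rather than with an uncaught Error.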
@@ -2129,20 +2130,13 @@ function uuid4() { function identity_provider($_action = null, $_data = null, $_extra = null) { global $pdo; global $iam_provider; + global $iam_settings; $data_log = $_data; if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; switch ($_action) { - case NULL: - if ($iam_provider) { - return $iam_provider; - } else { - $iam_provider = identity_provider("init"); - return $iam_provider; - } - break; case 'get': $settings = array(); $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); 
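Review bot: Dropping `case NULL` means a call to `identity_provider()` with no action no longer lazily initialises the provider and instead falls to the switch's default (not visible here); this diff fixes the one such call in ldap_mbox_login, but any other bare call in the code base would silently change behaviour, so a grep for `identity_provider()` before merging is warranted. The added `global $iam_settings;` is only ever read inside this function in the visible hunks (verify-sso, get-redirect, get-keycloak-admin-token) while `init` keeps its result in a local `$settings`; a comment would make that contract explicit: `// $iam_settings is read-only here; the including script assigns it from identity_provider('get')`. identity_provider's body extends far beyond this hunk.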
@@ -2414,20 +2408,20 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { return true; break; case "init": - $iam_settings = identity_provider('get'); + $settings = identity_provider('get'); $provider = null; - switch ($iam_settings['authsource']) { + switch ($settings['authsource']) { case "keycloak": - if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] && - $iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){ + if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] && + $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){ $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ - 'authServerUrl' => $iam_settings['server_url'], - 'realm' => $iam_settings['realm'], - 'clientId' => $iam_settings['client_id'], - 'clientSecret' => $iam_settings['client_secret'], - 'redirectUri' => $iam_settings['redirect_url'], - 'version' => $iam_settings['version'], + 'authServerUrl' => $settings['server_url'], + 'realm' => $settings['realm'], + 'clientId' => $settings['client_id'], + 'clientSecret' => $settings['client_secret'], + 'redirectUri' => $settings['redirect_url'], + 'version' => $settings['version'], // 'encryptionAlgorithm' => 'RS256', // optional // 'encryptionKeyPath' => '../key.pem' // optional // 'encryptionKey' => 'contents_of_key_or_certificate' // optional 
@@ -2435,34 +2429,34 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { } break; case "generic-oidc": - if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] && - $iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){ + if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] && + $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){ $provider = new \League\OAuth2\Client\Provider\GenericProvider([ - 'clientId' => $iam_settings['client_id'], - 'clientSecret' => $iam_settings['client_secret'], - 'redirectUri' => $iam_settings['redirect_url'], - 'urlAuthorize' => $iam_settings['authorize_url'], - 'urlAccessToken' => $iam_settings['token_url'], - 'urlResourceOwnerDetails' => $iam_settings['userinfo_url'], - 'scopes' => $iam_settings['client_scopes'] + 'clientId' => $settings['client_id'], + 'clientSecret' => $settings['client_secret'], + 'redirectUri' => $settings['redirect_url'], + 'urlAuthorize' => $settings['authorize_url'], + 'urlAccessToken' => $settings['token_url'], + 'urlResourceOwnerDetails' => $settings['userinfo_url'], + 'scopes' => $settings['client_scopes'] ]); } break; case "ldap": - if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] && - $iam_settings['binddn'] && $iam_settings['bindpass']){ + if ($settings['host'] && $settings['port'] && $settings['basedn'] && + $settings['binddn'] && $settings['bindpass']){ $options = array(); - if ($iam_settings['ignore_ssl_error']) { + if ($settings['ignore_ssl_error']) { $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; } $provider = new \LdapRecord\Connection([ - 'hosts' => [$iam_settings['host']], - 'port' => $iam_settings['port'], - 'base_dn' => $iam_settings['basedn'], - 'username' => $iam_settings['binddn'], - 'password' => $iam_settings['bindpass'], - 'use_ssl' => $iam_settings['use_ssl'], - 'use_tls' 
=> $iam_settings['use_tls'], + 'hosts' => [$settings['host']], + 'port' => $settings['port'], + 'base_dn' => $settings['basedn'], + 'username' => $settings['binddn'], + 'password' => $settings['bindpass'], + 'use_ssl' => $settings['use_ssl'], + 'use_tls' => $settings['use_tls'], 'options' => $options ]); try { @@ -2477,8 +2471,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { return $provider; break; case "verify-sso": - $provider = $_data['iam_provider']; - $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){ $_SESSION['return'][] = array( 'type' => 'danger', @@ -2489,10 +2481,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { } try { - $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); + $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); $_SESSION['iam_token'] = $token->getToken(); $_SESSION['iam_refresh_token'] = $token->getRefreshToken(); - $info = $provider->getResourceOwner($token)->toArray(); + $info = $iam_provider->getResourceOwner($token)->toArray(); } catch (Throwable $e) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -2577,13 +2569,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { return true; break; case "refresh-token": - $provider = $_data['iam_provider']; - try { - $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]); + $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]); $_SESSION['iam_token'] = $token->getToken(); $_SESSION['iam_refresh_token'] = $token->getRefreshToken(); - $info = $provider->getResourceOwner($token)->toArray(); + $info = $iam_provider->getResourceOwner($token)->toArray(); } catch (Throwable $e) { clear_session(); $_SESSION['return'][] = array( 
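Review bot: `$_GET['code']` is passed straight to `$iam_provider->getAccessToken()` and neither `isset($_GET['code'])` nor a comparison of `$_GET['state']` with the `$_SESSION['oauth2state']` stored by `get-redirect` is visible in the verify-sso case; the triggers.inc.php comment says the state is checked, presumably in the caller's condition outside the shown lines, but the case would be safer self-contained: `if (empty($_GET['state']) || !hash_equals((string) ($_SESSION['oauth2state'] ?? ''), (string) $_GET['state'])) return false;` followed by `unset($_SESSION['oauth2state']);` so the stored state is single-use. With the provider now taken from the global, a null `$iam_provider` (init returns null when the settings are incomplete) reaches the call and is reported only through the generic `Throwable` handler, which hides misconfiguration behind a login error. The same applies to the refresh-token hunk below.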
@@ -2609,17 +2599,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { return true; break; case "get-redirect": - $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') return false; - $provider = $_data['iam_provider']; - $authUrl = $provider->getAuthorizationUrl(); - $_SESSION['oauth2state'] = $provider->getState(); + $authUrl = $iam_provider->getAuthorizationUrl(); + $_SESSION['oauth2state'] = $iam_provider->getState(); return $authUrl; break; case "get-keycloak-admin-token": // get access_token for service account of mailcow client - $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] !== 'keycloak') return false; if (isset($iam_settings['access_token'])) { // check if access_token is valid diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index fb30956f4..e67271412 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -180,6 +180,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php'; // Init Identity Provider $iam_provider = identity_provider('init'); +$iam_settings = identity_provider('get'); // IMAP lib // use Ddeboer\Imap\Server; @@ -323,7 +324,7 @@ $UI_TEXTS = customize('get', 'ui_texts'); if (file_exists('/web/css/themes/'.$UI_THEME.'-bootstrap.css')) $css_minifier->add('/web/css/themes/'.$UI_THEME.'-bootstrap.css'); else - $css_minifier->add('/web/css/themes/lumen-bootstrap.css'); + $css_minifier->add('/web/css/themes/lumen-bootstrap.css'); // minify css build files foreach ($css_dir as $css_file) { $css_minifier->add('/web/css/build/' . $css_file); diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index 7f330ba1c..b0c2237d6 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php 
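Review bot: In get-keycloak-admin-token, `isset($iam_settings['access_token'])` now inspects the snapshot taken when the request started instead of a fresh `identity_provider('get')`; if the rest of this case (outside the hunk) obtains a new token and stores it, a second call within the same request will not see it and will request another one. That is probably harmless per request, but it deserves a comment at the check: `// $iam_settings is the request-start snapshot; a token stored later in this request is not visible here`. In get-redirect, `$iam_provider->getAuthorizationUrl()` runs without a try/catch, so callers must keep their `if ($iam_provider)` guard, as triggers.inc.php and index.php do.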
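Review bot: `identity_provider('init')` already runs `identity_provider('get')` internally (the `$settings = identity_provider('get');` line in the init hunk), so the added `$iam_settings = identity_provider('get');` issues the same `SELECT * FROM identity_provider` a second time on every request. Since identity_provider now declares `global $iam_settings`, init could assign the row it already fetched and this line could then be dropped, or it could become `$iam_settings = $iam_settings ?? identity_provider('get');` in the meantime. The same duplication is introduced in autodiscover.php.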
@@ -3,18 +3,18 @@ if ($iam_provider){
 if (isset($_GET['iam_sso'])){
 // redirect for sso
- $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+ $redirect_uri = identity_provider('get-redirect');
 $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
 header('Location: ' . $redirect_uri);
 die();
 }
 if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
 // Session found, try to refresh
- $isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider));
+ $isRefreshed = identity_provider('refresh-token');
 if (!$isRefreshed){
 // Session could not be refreshed, redirect to provider
- $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+ $redirect_uri = identity_provider('get-redirect');
 $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
 header('Location: ' . $redirect_uri);
 die();
@@ -23,7 +23,7 @@ if ($iam_provider){
 // Check given state against previously stored one to mitigate CSRF attack
 // Recieved access token in $_GET['code']
 // extract info and verify user
- identity_provider('verify-sso', array('iam_provider' => $iam_provider));
+ identity_provider('verify-sso');
 }
 }
diff --git a/data/web/index.php b/data/web/index.php
index 08857006f..0282e4835 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -15,7 +15,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
 header('Location: /mailbox');
 exit();
 }
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
 $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
 $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
 if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
@@ -32,7 +32,7 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 $has_iam_sso = false;
 if ($iam_provider){
- $has_iam_sso = identity_provider("get-redirect", array('iam_provider' => $iam_provider)) ? true : false;
+ $has_iam_sso = identity_provider("get-redirect") ? true : false;
 }
diff --git a/data/web/json_api.php b/data/web/json_api.php
index a3103ffa1..4e9d2a0ed 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1708,7 +1708,7 @@ if (isset($_GET['query'])) {
 $score = array("score" => preg_replace("/\s+/", "", $score));
 process_get_return($score);
 case "identity_provider":
- process_get_return(identity_provider('get'));
+ process_get_return($iam_settings);
 break;
 break;
 // return no route found if no case is matched
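Review bot: `process_get_return($iam_settings)` relies on the global assigned in prerequisites.inc.php; whether json_api.php includes that file is not visible here, and if it does not, this route now returns null where it previously returned the settings. Independently of the change, the `get` case starts from `SELECT * FROM identity_provider`, so unless it filters the row afterwards (outside the shown lines) `client_secret` and `bindpass` are returned verbatim, the masking in identity_provider applying to `$data_log` only; confirm the route is restricted to admins or strip those keys from a copy before returning, e.g. `$out = $iam_settings; unset($out['client_secret'], $out['bindpass']);`.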