From 3c62a7fd9f67592371f2334e04cf7dbcfa328073 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 31 Mar 2023 14:55:05 +0200
Subject: [PATCH] [Web] IAM - add delete option & fix test connection
---
 data/web/inc/functions.inc.php | 48 +++++++++++++++++++++++++---------
 data/web/js/site/admin.js      | 12 +++++++--
 data/web/json_api.php          | 20 +++++---------
 3 files changed, 52 insertions(+), 28 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index f64f150ad..1e4cc8c1d 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2166,15 +2166,21 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       );
       return true;
       break;
-    case 'test':
-      $identity_provider_settings = identity_provider('get');
-      $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+    case 'test':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
       $req = http_build_query(array(
-        'grant_type' => 'password',
-        'client_id' => $identity_provider_settings['client_id'],
-        'client_secret' => $identity_provider_settings['client_secret'],
-        'username' => "test",
-        'password' => "test",
+        'grant_type' => 'client_credentials',
+        'client_id' => $_data['client_id'],
+        'client_secret' => $_data['client_secret']
       ));
       $curl = curl_init();
       curl_setopt($curl, CURLOPT_URL, $url);
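Review bot: The new `$url` line interpolates `$_data['server_url']` and `$_data['realm']` straight from the request into the cURL target with no validation, so a missing key yields an undefined-index notice and a malformed URL, and nothing restricts the scheme (cURL will attempt `file://`, `gopher://` and similar unless told otherwise). The admin-role check above limits who can reach this, but the probe still carries the submitted client secret to whatever host is named, so guard it with `if (empty($_data['server_url']) || !filter_var($_data['server_url'], FILTER_VALIDATE_URL)) { return false; }`, encode the realm as `rawurlencode($_data['realm'])`, and add `curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);` beside the `CURLOPT_URL` line. Note also that the access-denied entry logs the full `$_data` array, which includes whatever `client_secret` the caller submitted; if `$_SESSION['return']` entries are persisted as they appear to be elsewhere, redacting that field (e.g. `'log' => array(__FUNCTION__, $_action, '*')`) keeps request bodies out of the log. `identity_provider()` begins before this hunk and continues past it.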
@@ -2182,13 +2188,29 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
       curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
       curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-      $res = json_decode(curl_exec($curl), true);
+      $res = curl_exec($curl);
+      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
       curl_close ($curl);
-
-      if ($res["error"] && $res["error"] === 'invalid_grant'){
-        return true;
+
+      if ($code != 200) {
+        return false;
       }
-      return false;
+      return true;
+      break;
+    case "delete":
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      $stmt = $pdo->prepare("DELETE FROM identity_provider;");
+      $stmt->execute();
+
+      return true;
       break;
   }
 }
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 708cb0be0..885e5ea52 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -752,14 +752,22 @@ jQuery(function($){
   // IAM test connection
   $('#iam_test_connection').click(async function(e){
     e.preventDefault();
-    var res = await fetch("/api/v1/get/status/identity-provider", { method:'GET', cache:'no-cache' });
+    var data = { attr: $('form[data-id="iam_sso"]').serializeObject() };
+    var res = await fetch("/api/v1/edit/identity-provider-test", {
+      headers: {
+        "Content-Type": "application/json",
+      },
+      method:'POST',
+      cache:'no-cache',
+      body: JSON.stringify(data)
+    });
     res = await res.json();
-    console.log(res);
     if (res.type === 'success'){
       return mailcow_alert_box(lang_success.iam_test_connection, 'success');
     }
     return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
   });
+
   $('#iam_rolemap_add').click(async function(e){
     e.preventDefault();
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 52ca8b715..9564af888 100644
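Review bot: The new failure path returns a bare `false` on `$code != 200` and discards `$res`, so the IdP's error body never reaches the admin and, unlike the access-denied branch a few lines up, no `$_SESSION['return']` entry is written — this matters because a `client_credentials` grant is answered with a non-200 by e.g. a Keycloak client that has service accounts disabled, even when the same client id/secret are valid for the login flow. Push a `danger` entry carrying the status before returning, e.g. `$_SESSION['return'][] = array('type' => 'danger', 'log' => array(__FUNCTION__, $_action, '*'), 'msg' => array('iam_test_failed', $code));` (the msg key is a placeholder for whatever the language files define). The request also sets no `CURLOPT_CONNECTTIMEOUT`/`CURLOPT_TIMEOUT`, so a test against an unreachable `server_url` holds the PHP worker for cURL's default, presumably unbounded, wait; `curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($curl, CURLOPT_TIMEOUT, 10);` beside the other setopt calls bounds that. In the new `delete` case, `DELETE FROM identity_provider;` wipes every row with no audit entry on success; if the table is single-row that is intended, but a `success` entry with the same `log` array as the denied branch would record who removed the SSO configuration. `identity_provider()` starts before this hunk.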
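Review bot: The new `fetch` and the following `res.json()` have no error handling: a network failure, a non-JSON body, or a 404 from the route all throw inside the async click handler, so the user sees neither alert and the failure surfaces only as an unhandled promise rejection in the console. Since the result is already reduced to one success/danger alert, wrapping the call and treating any exception as a failed test keeps the UI honest. Note also that the handler serializes the whole `iam_sso` form, so the probe uses the values currently in the fields, including `client_secret`; if that field is rendered empty or masked when the secret is hidden server-side, the test posts an empty secret and reports failure even though the saved configuration works — worth confirming against the template. The enclosing `jQuery(function($){ … })` starts before and ends after this hunk.
```javascript
    var data = { attr: $('form[data-id="iam_sso"]').serializeObject() };
    var res;
    try {
      res = await fetch("/api/v1/edit/identity-provider-test", { /* … unchanged: headers, method, cache, body … */ });
      res = await res.json();
    } catch (err) {
      return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
    }
    // … unchanged: success / danger alert on res.type …
```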
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1702,19 +1702,6 @@ if (isset($_GET['query'])) {
             'version' => $GLOBALS['MAILCOW_GIT_VERSION']
           ));
           break;
-        case "identity-provider":
-          if (identity_provider('test')){
-            echo json_encode(array(
-              'type' => 'success',
-              'msg' => 'connection successfull'
-            ));
-          } else {
-            echo json_encode(array(
-              'type' => 'error',
-              'msg' => 'connection failed'
-            ));
-          }
-          break;
         }
       }
       break;
@@ -1879,6 +1866,9 @@ if (isset($_GET['query'])) {
         case "rlhash":
           echo ratelimit('delete', null, implode($items));
           break;
+        case "identity-provider":
+          process_delete_return(identity_provider('delete'));
+          break;
         // return no route found if no case is matched
         default:
           http_response_code(404);
@@ -2098,8 +2088,12 @@ if (isset($_GET['query'])) {
         case "cors":
           process_edit_return(cors('edit', $attr));
         case "identity_provider":
+        case "identity-provider":
           process_edit_return(identity_provider('edit', $attr));
           break;
+        case "identity-provider-test":
+          process_edit_return(identity_provider('test', $attr));
+          break;
         // return no route found if no case is matched
         default:
           http_response_code(404);
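Review bot: The new `identity-provider-test` route reports through `process_edit_return()`, so when `identity_provider('test', $attr)` returns `false` without populating `$_SESSION['return']` (which, per the functions.inc.php hunk, is what it does on a non-200) the browser presumably receives the generic edit-failure payload rather than anything naming the connection test; either have the `test` case set its own message or give this route a small dedicated `json_encode` response like the removed `get/status/identity-provider` case had. Separately, the unchanged `case "cors":` directly above the new label has no `break;`, so unless `process_edit_return()` exits, an `edit/cors` request falls through into `identity_provider('edit', $attr)` with the cors attributes — since this commit already edits that label group, adding `break;` after `process_edit_return(cors('edit', $attr));` would close it. The surrounding `switch` and the `if (isset($_GET['query']))` block start before and end after this hunk.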