git subrepo commit (merge) mailcow/src/mailcow-dockerized

subrepo: subdir:   "mailcow/src/mailcow-dockerized"
  merged:   "32243e56"
upstream: origin:   "https://github.com/mailcow/mailcow-dockerized.git"
  branch:   "master"
  commit:   "e2b4b6f6"
git-subrepo: version:  "0.4.3"
  origin:   "???"
  commit:   "???"
Change-Id: I51e2016ef5ab88a8b0bdc08551b18f48ceef0aa5
diff --git a/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php b/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
index 3bd19c6..bb2673a 100644
--- a/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
+++ b/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
@@ -14,7 +14,16 @@
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
   $username = $_SERVER['PHP_AUTH_USER'];
   $password = $_SERVER['PHP_AUTH_PW'];
-  $login_check = check_login($username, $password);
+  $is_eas = false;
+  $is_dav = false;
+  $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';
+  if (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1) {
+    $is_dav = true;
+  }
+  elseif (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {
+    $is_eas = true;
+  }
+  $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
   if ($login_check === 'user') {
     header("X-User: $username");
     header("X-Auth: Basic ".base64_encode("$username:$password"));
@@ -34,13 +43,8 @@
   $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
   // check permissions (if dual_login is active, deny sso when acl is not given)
   $login = html_entity_decode(rawurldecode($_GET["login"]));
-  if ($ALLOW_ADMIN_EMAIL_LOGIN === 0 && $is_dual === true) {
-    header('HTTP/1.0 403 Forbidden');
-    echo "Admin login is forbidden";
-    exit;
-  }
   if (isset($_SESSION['mailcow_cc_role']) &&
-    ($_SESSION['acl']['login_as'] == "1" || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
+    (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
     if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
       if (user_get_alias_details($login) !== false) {
         // load master password
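Review bot: The rewritten predicate on the added `if` line still reads `$_SESSION['acl']['login_as']` without a guard and compares it and `$login` with loose `==`, so a session lacking an acl entry emits an undefined-index warning inside the authorization decision. Splitting the condition into named parts keeps the logic the commit intends but makes it guarded and readable: `$can_login_as = (($_SESSION['acl']['login_as'] ?? '0') == "1") && $ALLOW_ADMIN_EMAIL_LOGIN !== 0;` `$is_own_mailbox = $is_dual === false && $login == $_SESSION['mailcow_cc_username'];` `if (isset($_SESSION['mailcow_cc_role']) && ($can_login_as || $is_own_mailbox)) {`. Once the stored types of `login_as` and `mailcow_cc_username` are confirmed, both `==` should become `===`. The body of this `if` continues past the end of the hunk.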
@@ -48,6 +52,13 @@
         // register username and password in session
         $_SESSION[$session_var_user_allowed][] = $login;
         $_SESSION[$session_var_pass] = $sogo_sso_pass;
+        // update sasl logs
+        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+        $stmt->execute(array(
+          ':username' => $login,
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+        ));
         // redirect to sogo (sogo will get the correct credentials via nginx auth_request
         header("Location: /SOGo/so/${login}");
         exit;
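Review bot: `$service` on the added "update sasl logs" lines is assigned from `$app_passwd_data['eas']` but never used — the REPLACE statement hard-codes `'SSO'` — and nothing in this diff assigns `$app_passwd_data` in this branch, so as far as the hunk shows the line would raise an undefined-variable warning on every SSO login. Either remove the line, or if the service is meant to be recorded, bind it: `VALUES (:service, 0, :username, :remote_addr)` with `':service' => $service` added to the execute() array. The `:remote_addr` value prefers `$_SERVER['HTTP_X_REAL_IP']`, which is attacker-settable unless the fronting proxy always overwrites X-Real-IP; a comment such as `// X-Real-IP is expected to be set by the nginx proxy in front of this script — confirm it is never passed through from the client` would make that trust assumption explicit. The enclosing `if` block starts before this hunk.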
@@ -55,13 +66,11 @@
     }
   }
   header('HTTP/1.0 403 Forbidden');
-  echo "Access is forbidden";
+  echo "Forbidden";
   exit;
 }
 // only check for admin-login on sogo GUI requests
-elseif (
-  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0
-) {
+elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {
   // this is an nginx auth_request call, we check for existing sogo-sso session variables
   session_start();
   // extract email address from "/SOGo/so/user@domain/xy"
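Review bot: The isset() guard on the rewritten `elseif` line closes the undefined-index warning, but the prefix check can drop the substr() temporary: `elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strncasecmp($_SERVER['HTTP_X_ORIGINAL_URI'], '/SOGo/so/', 9) === 0) {`. The body of this `elseif` continues past the end of the hunk.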