git subrepo clone https://github.com/mailcow/mailcow-dockerized.git mailcow/src/mailcow-dockerized
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "a832becb"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "a832becb"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: If5be2d621a211e164c9b6577adaa7884449f16b5
diff --git a/mailcow/src/mailcow-dockerized/data/web/inc/functions.oauth2.inc.php b/mailcow/src/mailcow-dockerized/data/web/inc/functions.oauth2.inc.php
new file mode 100644
index 0000000..7bc7dea
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/web/inc/functions.oauth2.inc.php
@@ -0,0 +1,242 @@
+<?php
+function oauth2($_action, $_type, $_data = null) {
+ global $pdo;
+ global $redis;
+ global $lang;
+ if ($_SESSION['mailcow_cc_role'] != "admin") {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+ switch ($_action) {
+ case 'add':
+ switch ($_type) {
+ case 'client':
+ $client_id = bin2hex(random_bytes(6));
+ $client_secret = bin2hex(random_bytes(12));
+ $redirect_uri = $_data['redirect_uri'];
+ $scope = 'profile';
+ // For future use
+ // $grant_type = isset($_data['grant_type']) ? $_data['grant_type'] : 'authorization_code';
+ // $scope = isset($_data['scope']) ? $_data['scope'] : 'profile';
+ // if ($grant_type != "authorization_code" && $grant_type != "password") {
+ // $_SESSION['return'][] = array(
+ // 'type' => 'danger',
+ // 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ // 'msg' => 'access_denied'
+ // );
+ // return false;
+ // }
+ if ($scope != "profile") {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'Invalid scope'
+ );
+ return false;
+ }
+ $stmt = $pdo->prepare("SELECT 'client' FROM `oauth_clients`
+ WHERE `client_id` = :client_id");
+ $stmt->execute(array(':client_id' => $client_id));
+ $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+ if ($num_results != 0) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'Client ID exists'
+ );
+ return false;
+ }
+ $stmt = $pdo->prepare("INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`)
+ VALUES (:client_id, :client_secret, :redirect_uri, :scope)");
+ $stmt->execute(array(
+ ':client_id' => $client_id,
+ ':client_secret' => $client_secret,
+ ':redirect_uri' => $redirect_uri,
+ ':scope' => $scope
+ ));
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'Added client access'
+ );
+ break;
+ }
+ break;
+ case 'edit':
+ switch ($_type) {
+ case 'client':
+ $ids = (array)$_data['id'];
+ foreach ($ids as $id) {
+ $is_now = oauth2('details', 'client', $id);
+ if (!empty($is_now)) {
+ $redirect_uri = (!empty($_data['redirect_uri'])) ? $_data['redirect_uri'] : $is_now['redirect_uri'];
+ }
+ else {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+ if (isset($_data['revoke_tokens'])) {
+ $stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
+ WHERE `client_id` IN (
+ SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
+ )");
+ $stmt->execute(array(
+ ':id' => $id
+ ));
+ $stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens`
+ WHERE `client_id` IN (
+ SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
+ )");
+ $stmt->execute(array(
+ ':id' => $id
+ ));
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => array('object_modified', htmlspecialchars($id))
+ );
+ continue;
+ }
+ if (isset($_data['renew_secret'])) {
+ $client_secret = bin2hex(random_bytes(12));
+ $stmt = $pdo->prepare("UPDATE `oauth_clients` SET `client_secret` = :client_secret WHERE `id` = :id");
+ $stmt->execute(array(
+ ':client_secret' => $client_secret,
+ ':id' => $id
+ ));
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => array('object_modified', htmlspecialchars($id))
+ );
+ continue;
+ }
+ if (empty($redirect_uri)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'Redirect/Callback URL cannot be empty'
+ );
+ continue;
+ }
+ $stmt = $pdo->prepare("UPDATE `oauth_clients` SET
+ `redirect_uri` = :redirect_uri
+ WHERE `id` = :id");
+ $stmt->execute(array(
+ ':id' => $id,
+ ':redirect_uri' => $redirect_uri
+ ));
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => array('object_modified', htmlspecialchars($id))
+ );
+ }
+ break;
+ }
+ break;
+ case 'delete':
+ switch ($_type) {
+ case 'client':
+ (array)$ids = $_data['id'];
+ foreach ($ids as $id) {
+ if (!is_numeric($id)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'access_denied'
+ );
+ continue;
+ }
+ $stmt = $pdo->prepare("DELETE FROM `oauth_clients`
+ WHERE `id` = :id");
+ $stmt->execute(array(
+ ':id' => $id
+ ));
+ }
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => array('items_deleted', htmlspecialchars($id))
+ );
+ break;
+ case 'access_token':
+ (array)$access_tokens = $_data['access_token'];
+ foreach ($access_tokens as $access_token) {
+ if (!ctype_alnum($access_token)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+ $stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
+ WHERE `access_token` = :access_token");
+ $stmt->execute(array(
+ ':access_token' => $access_token
+ ));
+ }
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $access_tokens))
+ );
+ break;
+ case 'refresh_token':
+ (array)$refresh_tokens = $_data['refresh_token'];
+ foreach ($refresh_tokens as $refresh_token) {
+ if (!ctype_alnum($refresh_token)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
+ $stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens` WHERE `refresh_token` = :refresh_token");
+ $stmt->execute(array(
+ ':refresh_token' => $refresh_token
+ ));
+ }
+ $_SESSION['return'][] = array(
+ 'type' => 'success',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data),
+ 'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $refresh_tokens))
+ );
+ break;
+ }
+ break;
+ case 'get':
+ switch ($_type) {
+ case 'clients':
+ $stmt = $pdo->query("SELECT `id` FROM `oauth_clients`");
+ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+ while ($row = array_shift($rows)) {
+ $oauth_clients[] = $row['id'];
+ }
+ return $oauth_clients;
+ break;
+ }
+ break;
+ case 'details':
+ switch ($_type) {
+ case 'client':
+ $stmt = $pdo->prepare("SELECT * FROM `oauth_clients`
+ WHERE `id` = :id");
+ $stmt->execute(array(':id' => $_data));
+ $oauth_client_details = $stmt->fetch(PDO::FETCH_ASSOC);
+ return $oauth_client_details;
+ break;
+ }
+ break;
+ }
+}
\ No newline at end of file