mailcow/src/mailcow-dockerized/data/web/inc/functions.oauth2.inc.php - kubeia - Gitiles

 <?php
 function oauth2($_action, $_type, $_data = null) {
 	global $pdo;
 	global $redis;
 	global $lang;
 	if ($_SESSION['mailcow_cc_role'] != "admin") {
 		$_SESSION['return'][] = array(
 			'type' => 'danger',
       'log' => array(__FUNCTION__, $_action, $_type, $_data),
 			'msg' => 'access_denied'
 		);
 		return false;
 	}
   switch ($_action) {
     case 'add':
       switch ($_type) {
         case 'client':
           $client_id = bin2hex(random_bytes(6));
           $client_secret = bin2hex(random_bytes(12));
           $redirect_uri = $_data['redirect_uri'];
           $scope = 'profile';
           // For future use
           // $grant_type = isset($_data['grant_type']) ? $_data['grant_type'] : 'authorization_code';
           // $scope = isset($_data['scope']) ? $_data['scope'] : 'profile';
           // if ($grant_type != "authorization_code" && $grant_type != "password") {
             // $_SESSION['return'][] = array(
               // 'type' => 'danger',
               // 'log' => array(__FUNCTION__, $_action, $_type, $_data),
               // 'msg' => 'access_denied'
             // );
             // return false;
           // }
           if ($scope != "profile") {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data),
               'msg' => 'Invalid scope'
             );
             return false;
           }
           $stmt = $pdo->prepare("SELECT 'client' FROM `oauth_clients`
             WHERE `client_id` = :client_id");
           $stmt->execute(array(':client_id' => $client_id));
           $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
           if ($num_results != 0) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data),
               'msg' => 'Client ID exists'
             );
             return false;
           }
           $stmt = $pdo->prepare("INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`)
             VALUES (:client_id, :client_secret, :redirect_uri, :scope)");
           $stmt->execute(array(
             ':client_id' => $client_id,
             ':client_secret' => $client_secret,
             ':redirect_uri' => $redirect_uri,
             ':scope' => $scope
           ));
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data),
             'msg' => 'Added client access'
           );
         break;
       }
     break;
     case 'edit':
       switch ($_type) {
         case 'client':
           $ids = (array)$_data['id'];
           foreach ($ids as $id) {
             $is_now = oauth2('details', 'client', $id);
             if (!empty($is_now)) {
               $redirect_uri = (!empty($_data['redirect_uri'])) ? $_data['redirect_uri'] : $is_now['redirect_uri'];
             }
             else {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => 'access_denied'
               );
               return false;
             }
             if (isset($_data['revoke_tokens'])) {
               $stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
                 WHERE `client_id` IN (
                   SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
                 )");
               $stmt->execute(array(
                 ':id' => $id
               ));
               $stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens`
                 WHERE `client_id` IN (
                   SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
                 )");
               $stmt->execute(array(
                 ':id' => $id
               ));
               $_SESSION['return'][] = array(
                 'type' => 'success',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => array('object_modified', htmlspecialchars($id))
               );
               continue;
             }
             if (isset($_data['renew_secret'])) {
               $client_secret = bin2hex(random_bytes(12));
               $stmt = $pdo->prepare("UPDATE `oauth_clients` SET `client_secret` = :client_secret WHERE  `id` = :id");
               $stmt->execute(array(
                 ':client_secret' => $client_secret,
                 ':id' => $id
               ));
               $_SESSION['return'][] = array(
                 'type' => 'success',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => array('object_modified', htmlspecialchars($id))
               );
               continue;
             }
             if (empty($redirect_uri)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => 'Redirect/Callback URL cannot be empty'
               );
               continue;
             }
             $stmt = $pdo->prepare("UPDATE `oauth_clients` SET
               `redirect_uri` = :redirect_uri
                 WHERE `id` = :id");
             $stmt->execute(array(
               ':id' => $id,
               ':redirect_uri' => $redirect_uri
             ));
             $_SESSION['return'][] = array(
               'type' => 'success',
               'log' => array(__FUNCTION__, $_action, $_type, $_data),
               'msg' => array('object_modified', htmlspecialchars($id))
             );
           }
         break;
       }
     break;
     case 'delete':
       switch ($_type) {
         case 'client':
           (array)$ids = $_data['id'];
           foreach ($ids as $id) {
             if (!is_numeric($id)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => 'access_denied'
               );
               continue;
             }
             $stmt = $pdo->prepare("DELETE FROM `oauth_clients`
               WHERE `id` = :id");
             $stmt->execute(array(
               ':id' => $id
             ));
           }
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data),
             'msg' => array('items_deleted', htmlspecialchars($id))
           );
         break;
         case 'access_token':
           (array)$access_tokens = $_data['access_token'];
           foreach ($access_tokens as $access_token) {
             if (!ctype_alnum($access_token)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => 'access_denied'
               );
               return false;
             }
             $stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
               WHERE `access_token` = :access_token");
             $stmt->execute(array(
               ':access_token' => $access_token
             ));
           }
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data),
             'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $access_tokens))
           );
         break;
         case 'refresh_token':
           (array)$refresh_tokens = $_data['refresh_token'];
           foreach ($refresh_tokens as $refresh_token) {
             if (!ctype_alnum($refresh_token)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data),
                 'msg' => 'access_denied'
               );
               return false;
             }
             $stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens` WHERE `refresh_token` = :refresh_token");
             $stmt->execute(array(
               ':refresh_token' => $refresh_token
             ));
           }
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data),
             'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $refresh_tokens))
           );
         break;
       }
     break;
     case 'get':
       switch ($_type) {
         case 'clients':
           $stmt = $pdo->query("SELECT `id` FROM `oauth_clients`");
           $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
           while ($row = array_shift($rows)) {
             $oauth_clients[] = $row['id'];
           }
           return $oauth_clients;
         break;
       }
     break;
     case 'details':
       switch ($_type) {
         case 'client':
           $stmt = $pdo->prepare("SELECT * FROM `oauth_clients`
             WHERE `id` = :id");
           $stmt->execute(array(':id' => $_data));
           $oauth_client_details = $stmt->fetch(PDO::FETCH_ASSOC);
           return $oauth_client_details;
         break;
       }
     break;
   }
 }
	<?php
	function oauth2($_action, $_type, $_data = null) {
	global $pdo;
	global $redis;
	global $lang;
	if ($_SESSION['mailcow_cc_role'] != "admin") {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'access_denied'
	);
	return false;
	}
	switch ($_action) {
	case 'add':
	switch ($_type) {
	case 'client':
	$client_id = bin2hex(random_bytes(6));
	$client_secret = bin2hex(random_bytes(12));
	$redirect_uri = $_data['redirect_uri'];
	$scope = 'profile';
	// For future use
	// $grant_type = isset($_data['grant_type']) ? $_data['grant_type'] : 'authorization_code';
	// $scope = isset($_data['scope']) ? $_data['scope'] : 'profile';
	// if ($grant_type != "authorization_code" && $grant_type != "password") {
	// $_SESSION['return'][] = array(
	// 'type' => 'danger',
	// 'log' => array(__FUNCTION__, $_action, $_type, $_data),
	// 'msg' => 'access_denied'
	// );
	// return false;
	// }
	if ($scope != "profile") {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'Invalid scope'
	);
	return false;
	}
	$stmt = $pdo->prepare("SELECT 'client' FROM `oauth_clients`
	WHERE `client_id` = :client_id");
	$stmt->execute(array(':client_id' => $client_id));
	$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
	if ($num_results != 0) {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'Client ID exists'
	);
	return false;
	}
	$stmt = $pdo->prepare("INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`)
	VALUES (:client_id, :client_secret, :redirect_uri, :scope)");
	$stmt->execute(array(
	':client_id' => $client_id,
	':client_secret' => $client_secret,
	':redirect_uri' => $redirect_uri,
	':scope' => $scope
	));
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'Added client access'
	);
	break;
	}
	break;
	case 'edit':
	switch ($_type) {
	case 'client':
	$ids = (array)$_data['id'];
	foreach ($ids as $id) {
	$is_now = oauth2('details', 'client', $id);
	if (!empty($is_now)) {
	$redirect_uri = (!empty($_data['redirect_uri'])) ? $_data['redirect_uri'] : $is_now['redirect_uri'];
	}
	else {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'access_denied'
	);
	return false;
	}
	if (isset($_data['revoke_tokens'])) {
	$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
	WHERE `client_id` IN (
	SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
	)");
	$stmt->execute(array(
	':id' => $id
	));
	$stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens`
	WHERE `client_id` IN (
	SELECT `client_id` FROM `oauth_clients` WHERE `id` = :id
	)");
	$stmt->execute(array(
	':id' => $id
	));
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => array('object_modified', htmlspecialchars($id))
	);
	continue;
	}
	if (isset($_data['renew_secret'])) {
	$client_secret = bin2hex(random_bytes(12));
	$stmt = $pdo->prepare("UPDATE `oauth_clients` SET `client_secret` = :client_secret WHERE `id` = :id");
	$stmt->execute(array(
	':client_secret' => $client_secret,
	':id' => $id
	));
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => array('object_modified', htmlspecialchars($id))
	);
	continue;
	}
	if (empty($redirect_uri)) {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'Redirect/Callback URL cannot be empty'
	);
	continue;
	}
	$stmt = $pdo->prepare("UPDATE `oauth_clients` SET
	`redirect_uri` = :redirect_uri
	WHERE `id` = :id");
	$stmt->execute(array(
	':id' => $id,
	':redirect_uri' => $redirect_uri
	));
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => array('object_modified', htmlspecialchars($id))
	);
	}
	break;
	}
	break;
	case 'delete':
	switch ($_type) {
	case 'client':
	(array)$ids = $_data['id'];
	foreach ($ids as $id) {
	if (!is_numeric($id)) {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'access_denied'
	);
	continue;
	}
	$stmt = $pdo->prepare("DELETE FROM `oauth_clients`
	WHERE `id` = :id");
	$stmt->execute(array(
	':id' => $id
	));
	}
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => array('items_deleted', htmlspecialchars($id))
	);
	break;
	case 'access_token':
	(array)$access_tokens = $_data['access_token'];
	foreach ($access_tokens as $access_token) {
	if (!ctype_alnum($access_token)) {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'access_denied'
	);
	return false;
	}
	$stmt = $pdo->prepare("DELETE FROM `oauth_access_tokens`
	WHERE `access_token` = :access_token");
	$stmt->execute(array(
	':access_token' => $access_token
	));
	}
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $access_tokens))
	);
	break;
	case 'refresh_token':
	(array)$refresh_tokens = $_data['refresh_token'];
	foreach ($refresh_tokens as $refresh_token) {
	if (!ctype_alnum($refresh_token)) {
	$_SESSION['return'][] = array(
	'type' => 'danger',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => 'access_denied'
	);
	return false;
	}
	$stmt = $pdo->prepare("DELETE FROM `oauth_refresh_tokens` WHERE `refresh_token` = :refresh_token");
	$stmt->execute(array(
	':refresh_token' => $refresh_token
	));
	}
	$_SESSION['return'][] = array(
	'type' => 'success',
	'log' => array(__FUNCTION__, $_action, $_type, $_data),
	'msg' => sprintf($lang['success']['items_deleted'], implode(', ', $refresh_tokens))
	);
	break;
	}
	break;
	case 'get':
	switch ($_type) {
	case 'clients':
	$stmt = $pdo->query("SELECT `id` FROM `oauth_clients`");
	$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
	while ($row = array_shift($rows)) {
	$oauth_clients[] = $row['id'];
	}
	return $oauth_clients;
	break;
	}
	break;
	case 'details':
	switch ($_type) {
	case 'client':
	$stmt = $pdo->prepare("SELECT * FROM `oauth_clients`
	WHERE `id` = :id");
	$stmt->execute(array(':id' => $_data));
	$oauth_client_details = $stmt->fetch(PDO::FETCH_ASSOC);
	return $oauth_client_details;
	break;
	}
	break;
	}
	}