Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | <?php |
| 2 | |
| 3 | $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match( |
| 4 | "/^([yY][eE][sS]|[yY])+$/", |
| 5 | $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"] |
| 6 | )); |
| 7 | |
| 8 | $session_var_user_allowed = 'sogo-sso-user-allowed'; |
| 9 | $session_var_pass = 'sogo-sso-pass'; |
| 10 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 11 | // validate credentials for basic auth requests |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame^] | 12 | if (isset($_SERVER['PHP_AUTH_USER'])) { |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 13 | // load prerequisites only when required |
| 14 | require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; |
| 15 | $username = $_SERVER['PHP_AUTH_USER']; |
| 16 | $password = $_SERVER['PHP_AUTH_PW']; |
| 17 | $login_check = check_login($username, $password); |
| 18 | if ($login_check === 'user') { |
| 19 | header("X-User: $username"); |
| 20 | header("X-Auth: Basic ".base64_encode("$username:$password")); |
| 21 | header("X-Auth-Type: Basic"); |
| 22 | exit; |
| 23 | } else { |
| 24 | header('HTTP/1.0 401 Unauthorized'); |
| 25 | echo 'Invalid login'; |
| 26 | exit; |
| 27 | } |
| 28 | } |
| 29 | // check permissions and redirect for direct GET ?login=xy requests |
| 30 | elseif (isset($_GET['login'])) { |
| 31 | // load prerequisites only when required |
| 32 | require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame^] | 33 | // check if dual_login is active |
| 34 | $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; |
| 35 | // check permissions (if dual_login is active, deny sso when acl is not given) |
| 36 | $login = html_entity_decode(rawurldecode($_GET["login"])); |
| 37 | if ($ALLOW_ADMIN_EMAIL_LOGIN === 0 && $is_dual === true) { |
| 38 | header('HTTP/1.0 403 Forbidden'); |
| 39 | echo "Admin login is forbidden"; |
| 40 | exit; |
| 41 | } |
| 42 | if (isset($_SESSION['mailcow_cc_role']) && |
| 43 | ($_SESSION['acl']['login_as'] == "1" || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) { |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 44 | if (filter_var($login, FILTER_VALIDATE_EMAIL)) { |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame^] | 45 | if (user_get_alias_details($login) !== false) { |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 46 | // load master password |
| 47 | $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); |
| 48 | // register username and password in session |
| 49 | $_SESSION[$session_var_user_allowed][] = $login; |
| 50 | $_SESSION[$session_var_pass] = $sogo_sso_pass; |
| 51 | // redirect to sogo (sogo will get the correct credentials via nginx auth_request |
| 52 | header("Location: /SOGo/so/${login}"); |
| 53 | exit; |
| 54 | } |
| 55 | } |
| 56 | } |
| 57 | header('HTTP/1.0 403 Forbidden'); |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame^] | 58 | echo "Access is forbidden"; |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 59 | exit; |
| 60 | } |
| 61 | // only check for admin-login on sogo GUI requests |
| 62 | elseif ( |
| 63 | strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0 |
| 64 | ) { |
| 65 | // this is an nginx auth_request call, we check for existing sogo-sso session variables |
| 66 | session_start(); |
| 67 | // extract email address from "/SOGo/so/user@domain/xy" |
| 68 | $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']); |
| 69 | $email = $url_parts[3]; |
| 70 | // check if this email is in session allowed list |
| 71 | if ( |
| 72 | !empty($email) && |
| 73 | filter_var($email, FILTER_VALIDATE_EMAIL) && |
| 74 | is_array($_SESSION[$session_var_user_allowed]) && |
| 75 | in_array($email, $_SESSION[$session_var_user_allowed]) |
| 76 | ) { |
| 77 | $username = $email; |
| 78 | $password = $_SESSION[$session_var_pass]; |
| 79 | header("X-User: $username"); |
| 80 | header("X-Auth: Basic ".base64_encode("$username:$password")); |
| 81 | header("X-Auth-Type: Basic"); |
| 82 | exit; |
| 83 | } |
| 84 | } |
| 85 | |
| 86 | // if username is empty, SOGo will use the normal login methods / login form |
| 87 | header("X-User: "); |
| 88 | header("X-Auth: "); |
| 89 | header("X-Auth-Type: "); |