Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame^] | 1 | <?php |
| 2 | |
| 3 | $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match( |
| 4 | "/^([yY][eE][sS]|[yY])+$/", |
| 5 | $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"] |
| 6 | )); |
| 7 | |
| 8 | $session_var_user_allowed = 'sogo-sso-user-allowed'; |
| 9 | $session_var_pass = 'sogo-sso-pass'; |
| 10 | |
| 11 | // prevent if feature is disabled |
| 12 | if (!$ALLOW_ADMIN_EMAIL_LOGIN) { |
| 13 | header('HTTP/1.0 403 Forbidden'); |
| 14 | echo "this feature is disabled"; |
| 15 | exit; |
| 16 | } |
| 17 | // validate credentials for basic auth requests |
| 18 | elseif (isset($_SERVER['PHP_AUTH_USER'])) { |
| 19 | // load prerequisites only when required |
| 20 | require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; |
| 21 | $username = $_SERVER['PHP_AUTH_USER']; |
| 22 | $password = $_SERVER['PHP_AUTH_PW']; |
| 23 | $login_check = check_login($username, $password); |
| 24 | if ($login_check === 'user') { |
| 25 | header("X-User: $username"); |
| 26 | header("X-Auth: Basic ".base64_encode("$username:$password")); |
| 27 | header("X-Auth-Type: Basic"); |
| 28 | exit; |
| 29 | } else { |
| 30 | header('HTTP/1.0 401 Unauthorized'); |
| 31 | echo 'Invalid login'; |
| 32 | exit; |
| 33 | } |
| 34 | } |
| 35 | // check permissions and redirect for direct GET ?login=xy requests |
| 36 | elseif (isset($_GET['login'])) { |
| 37 | // load prerequisites only when required |
| 38 | require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; |
| 39 | // check permissions |
| 40 | if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['acl']['login_as'] == "1") { |
| 41 | $login = html_entity_decode(rawurldecode($_GET["login"])); |
| 42 | if (filter_var($login, FILTER_VALIDATE_EMAIL)) { |
| 43 | if (!empty(mailbox('get', 'mailbox_details', $login))) { |
| 44 | // load master password |
| 45 | $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); |
| 46 | // register username and password in session |
| 47 | $_SESSION[$session_var_user_allowed][] = $login; |
| 48 | $_SESSION[$session_var_pass] = $sogo_sso_pass; |
| 49 | // redirect to sogo (sogo will get the correct credentials via nginx auth_request |
| 50 | header("Location: /SOGo/so/${login}"); |
| 51 | exit; |
| 52 | } |
| 53 | } |
| 54 | } |
| 55 | header('HTTP/1.0 403 Forbidden'); |
| 56 | exit; |
| 57 | } |
| 58 | // only check for admin-login on sogo GUI requests |
| 59 | elseif ( |
| 60 | strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0 |
| 61 | ) { |
| 62 | // this is an nginx auth_request call, we check for existing sogo-sso session variables |
| 63 | session_start(); |
| 64 | // extract email address from "/SOGo/so/user@domain/xy" |
| 65 | $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']); |
| 66 | $email = $url_parts[3]; |
| 67 | // check if this email is in session allowed list |
| 68 | if ( |
| 69 | !empty($email) && |
| 70 | filter_var($email, FILTER_VALIDATE_EMAIL) && |
| 71 | is_array($_SESSION[$session_var_user_allowed]) && |
| 72 | in_array($email, $_SESSION[$session_var_user_allowed]) |
| 73 | ) { |
| 74 | $username = $email; |
| 75 | $password = $_SESSION[$session_var_pass]; |
| 76 | header("X-User: $username"); |
| 77 | header("X-Auth: Basic ".base64_encode("$username:$password")); |
| 78 | header("X-Auth-Type: Basic"); |
| 79 | exit; |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | // if username is empty, SOGo will use the normal login methods / login form |
| 84 | header("X-User: "); |
| 85 | header("X-Auth: "); |
| 86 | header("X-Auth-Type: "); |