[Web] move iam sso functions

mailcow · Feb 8, 2024 · 593e581 · 593e581
1 parent e202d00
commit 593e581
Show file tree

Hide file tree

Showing 4 changed files with 222 additions and 196 deletions.
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
@@ -1,14 +1,4 @@
 <?php
-function unset_auth_session(){
-  unset($_SESSION['keycloak_token']);
-  unset($_SESSION['keycloak_refresh_token']);
-  unset($_SESSION['mailcow_cc_username']);
-  unset($_SESSION['mailcow_cc_role']);
-  unset($_SESSION['oauth2state']);
-  unset($_SESSION['pending_mailcow_cc_username']);
-  unset($_SESSION['pending_mailcow_cc_role']);
-  unset($_SESSION['pending_tfa_methods']);
-}
 function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
   global $pdo;
   global $redis;
@@ -503,171 +493,3 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   );
   return 'user';
 }
-// Authorization Code Flow
-function keycloak_verify_token(){
-  global $keycloak_provider;
-  global $pdo;
-
-  try {
-    $token = $keycloak_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
-  } catch (Exception $e) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__),
-      'msg' => array('login_failed', $e->getMessage())
-    );
-    return false;
-  }
-
-  $_SESSION['keycloak_token'] = $token->getToken();
-  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
-  // decode jwt data
-  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
-  // check if email address is given
-  if (!$info['email']){
-    return false;
-  }
-
-
-  // token valid, get mailbox
-  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-    INNER JOIN domain on mailbox.domain = domain.domain
-    WHERE `kind` NOT REGEXP 'location|thing|group'
-      AND `mailbox`.`active`='1'
-      AND `domain`.`active`='1'
-      AND `username` = :user
-      AND `authsource`='keycloak'");
-  $stmt->execute(array(':user' => $info['email']));
-  $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if ($row){
-    // success
-    $_SESSION['mailcow_cc_username'] = $info['email'];
-    $_SESSION['mailcow_cc_role'] = "user";
-    $_SESSION['return'][] =  array(
-      'type' => 'success',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
-    );
-    return true;
-  }
-  // get mapped template, if not set return false
-  // also return false if no mappers were defined
-  $identity_provider_settings = identity_provider('get');
-  $user_template = $info['mailcow_template'];
-  if (empty($identity_provider_settings['mappers']) || empty($user_template)){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-  $mbox_template = null;
-  // check if matching rolemapping exist
-  foreach ($identity_provider_settings['mappers'] as $index => $mapper){
-    if ($user_template == $mapper) {
-      $mbox_template = $identity_provider_settings['templates'][$index];
-      break;
-    }
-  }
-  if (!$mbox_template){
-    // no matching template found
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-  $stmt = $pdo->prepare("SELECT * FROM `templates` 
-  WHERE `template` = :template AND type = 'mailbox'");
-  $stmt->execute(array(
-    ":template" => $mbox_template
-  ));
-  $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (empty($mbox_template_data)){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-
-  // create mailbox
-  $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-  $mbox_template_data['domain'] = explode('@', $info['email'])[1];
-  $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
-  $mbox_template_data['authsource'] = 'keycloak';
-  $_SESSION['iam_create_login'] = true;
-  $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-  $_SESSION['iam_create_login'] = false;
-  if (!$create_res){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-
-  $_SESSION['mailcow_cc_username'] = $info['email'];
-  $_SESSION['mailcow_cc_role'] = "user";
-  $_SESSION['return'][] =  array(
-    'type' => 'success',
-    'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-    'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
-  );
-  return true;
-}
-function keycloak_refresh(){
-  global $keycloak_provider;
-
-  try {
-    $token = $keycloak_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['keycloak_refresh_token']]);
-  } catch (Exception $e) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__),
-      'msg' => array('login_failed', $e->getMessage())
-    );
-    return false;
-  }
-
-  $_SESSION['keycloak_token'] = $token->getToken();
-  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
-  // decode jwt data
-  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
-  if (!$info['email']){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'refresh_login_failed'
-    );
-  }
-
-  $_SESSION['mailcow_cc_username'] = $info['email'];
-  $_SESSION['mailcow_cc_role'] = "user";
-  return true;
-}
-function keycloak_get_redirect(){
-  global $keycloak_provider;
-
-  $authUrl = $keycloak_provider->getAuthorizationUrl();
-  $_SESSION['oauth2state'] = $keycloak_provider->getState();
-
-  return $authUrl;
-}
-function keycloak_get_logout(){
-  global $keycloak_provider;
-
-  $logoutUrl = $keycloak_provider->getLogoutUrl();
-  $logoutUrl = $logoutUrl . "&post_logout_redirect_uri=https://" . $_SERVER['SERVER_NAME'];
-
-  return $logoutUrl;
-}