
Merge pull request #2373 from mhofer117/allow-admin-email-login

always check basic auth against user database for EAS and SOGo if ALLOW_ADMIN_EMAIL_LOGIN is enabled
André Peters hai 6 anos
6dcb1af1b0
Modificáronse 3 ficheiros con 43 adicións e 33 borrados
  1. 14 27
      data/conf/nginx/site.conf
  2. 27 3
      data/web/sogo-auth.php
  3. 2 3
      docker-compose.yml

+ 14 - 27
data/conf/nginx/site.conf

@@ -142,28 +142,6 @@ server {
     try_files /autoconfig.php =404;
   }
 
-  location ^~ /Microsoft-Server-ActiveSync {
-    include /etc/nginx/conf.d/sogo_eas.active;
-    proxy_connect_timeout 4000;
-    proxy_next_upstream timeout error;
-    proxy_send_timeout 4000;
-    proxy_read_timeout 4000;
-    proxy_buffer_size 8k;
-    proxy_buffers 16 64k;
-    proxy_temp_file_write_size 64k;
-    proxy_busy_buffers_size 64k;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $http_host;
-    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
-    proxy_set_header x-webobjects-remote-host $remote_addr;
-    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
-    proxy_set_header x-webobjects-server-port $server_port;
-    client_body_buffer_size 128k;
-    client_max_body_size 0;
-  }
-
   # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
   location /sogo-auth-verify {
     internal;
@@ -175,8 +153,17 @@ server {
     proxy_pass_request_body off;
   }
 
-  location ^~ /SOGo {
-    include /etc/nginx/conf.d/sogo_main.active;
+  location ^~ /Microsoft-Server-ActiveSync {
+    include /etc/nginx/conf.d/sogo_proxy_auth.active;
+    include /etc/nginx/conf.d/sogo_eas.active;
+    proxy_connect_timeout 4000;
+    proxy_next_upstream timeout error;
+    proxy_send_timeout 4000;
+    proxy_read_timeout 4000;
+    proxy_buffer_size 8k;
+    proxy_buffers 16 64k;
+    proxy_temp_file_write_size 64k;
+    proxy_busy_buffers_size 64k;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
@@ -187,11 +174,11 @@ server {
     proxy_set_header x-webobjects-server-port $server_port;
     client_body_buffer_size 128k;
     client_max_body_size 0;
-    break;
   }
 
-  location ^~ /SOGo/dav {
-    include /etc/nginx/conf.d/sogo_dav.active;
+  location ^~ /SOGo {
+    include /etc/nginx/conf.d/sogo_proxy_auth.active;
+    include /etc/nginx/conf.d/sogo.active;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
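Review bot: Both `location ^~ /Microsoft-Server-ActiveSync` and `location ^~ /SOGo` now pull in `sogo_proxy_auth.active` ahead of their own include, and nothing in this file says what that generated include contributes when ALLOW_ADMIN_EMAIL_LOGIN is unset; the only hint is the comment on the `/sogo-auth-verify` endpoint. Whatever header the include maps the auth_request result onto should be set by `proxy_set_header` unconditionally, so a client-supplied value for that header is always replaced before the request reaches SOGo whether or not the auth_request is active; the template is not visible here, so confirm that. A short comment above the EAS location would spare the next reader a trip to docker-compose: `# sogo_proxy_auth.active is generated from sogo.auth_request.template.sh and carries the auth_request wiring for ALLOW_ADMIN_EMAIL_LOGIN`. The `/SOGo` location block continues past the hunk.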

+ 27 - 3
data/web/sogo-auth.php

@@ -8,11 +8,31 @@ $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
 $session_var_user = 'sogo-sso-user';
 $session_var_pass = 'sogo-sso-pass';
 
+// prevent if feature is disabled
 if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
-  header('HTTP/1.0 401 Forbidden');
+  header('HTTP/1.0 403 Forbidden');
   echo "this feature is disabled";
   exit;
 }
+// validate credentials for basic auth requests
+elseif (isset($_SERVER['PHP_AUTH_USER'])) {
+  // load prerequisites only when required
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  $username = $_SERVER['PHP_AUTH_USER'];
+  $password = $_SERVER['PHP_AUTH_PW'];
+  $login_check = check_login($username, $password);
+  if ($login_check === 'user') {
+    header("X-User: $username");
+    header("X-Auth: Basic ".base64_encode("$username:$password"));
+    header("X-Auth-Type: Basic");
+    exit;
+  } else {
+    header('HTTP/1.0 401 Unauthorized');
+    echo 'Invalid login';
+    exit;
+  }
+}
+// check permissions and redirect for direct GET ?login=xy requests
 elseif (isset($_GET['login'])) {
   // load prerequisites only when required
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
@@ -32,10 +52,14 @@ elseif (isset($_GET['login'])) {
       }
     }
   }
-  header('HTTP/1.0 401 Forbidden');
+  header('HTTP/1.0 403 Forbidden');
   exit;
 }
-else {
+// do not check for admin-login / sogo-sso for EAS and DAV requests, SOGo can check auth itself if no authorization header is set
+elseif (
+  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 28), "/Microsoft-Server-ActiveSync") !== 0 &&
+  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/dav") !== 0
+) {
   // this is an nginx auth_request call, we check for existing sogo-sso session variables
   session_start();
   if (isset($_SESSION[$session_var_user]) && filter_var($_SESSION[$session_var_user], FILTER_VALIDATE_EMAIL)) {
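Review bot: The new `elseif` closing the chain lets the EAS/DAV request without credentials fall off the bottom of the script, so the auth_request subrequest succeeds with an implicit 200 and no X-User header; that is what the comment above it describes, but it should be spelled out with a trailing `else { exit; }` and a one-line comment (the file continues past the hunk, so check that nothing below depends on the fall-through). `$_SERVER['HTTP_X_ORIGINAL_URI']` and `$_SERVER['PHP_AUTH_PW']` are read without an existence check; `$original_uri = $_SERVER['HTTP_X_ORIGINAL_URI'] ?? '';` and `$password = $_SERVER['PHP_AUTH_PW'] ?? '';` avoid notices when nginx omits the header or a client sends a user name with no password. The basic-auth branch now validates a password on every proxied /SOGo, /SOGo/dav and EAS request that carries an Authorization header, which is an additional password-guessing surface reachable without the web UI, so it is worth confirming that check_login records failed attempts the same way the other login entry points do; check_login itself is not visible here.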

+ 2 - 3
docker-compose.yml

@@ -268,10 +268,9 @@ services:
       command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
         envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
         envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
-        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_main.active &&
-        envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo_main.active &&
-        envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo_dav.active &&
+        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
         envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
+        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
         nginx -qt &&
         until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
         until ping sogo -c1 > /dev/null; do sleep 1; done &&