[Web] Remove authentication from autodiscover.php

data/web/autodiscover.php

@@ -1,15 +1,139 @@
 <?php
+
+error_reporting(0);
+header("Content-Type: application/xml");
+
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/lib/vendor/autoload.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
 if(file_exists('inc/vars.local.inc.php')) {
   include_once 'inc/vars.local.inc.php';
 }
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
+
+
+function error_xml($error_id, $error_code, $message) {
+  list($usec, $sec) = explode(' ', microtime());
+  $time_string = date('H:i:s', $sec) . substr($usec, 0, strlen($usec) - 2);
+
+  return <<<EOD
+<?xml version="1.0" encoding="utf-8" ?>
+<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
+  <Response>
+    <Error Time="$time_string" Id="$error_id">
+      <ErrorCode>$error_code</ErrorCode>
+      <Message>$message</Message>
+      <DebugData />
+    </Error>
+  </Response>
+</Autodiscover>
+EOD;
+}
+
+function autodiscover_xml($type, $email, $displayname, $autodiscover_config) {
+  $displayname = htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');
+  $caldav_port = $autodiscover_config['caldav']['port'] != 443 ? ':' . $autodiscover_config['caldav']['port'] : '';
+  $carddav_port = $autodiscover_config['carddav']['port'] != 443 ? ':' . $autodiscover_config['carddav']['port'] : '';
+  $xml = '';
+  $calcardav_xml = '';
+
+  if (getenv('SKIP_SOGO') != "y") {
+      $calcardav_xml .= <<<EOD
+
+      <Protocol>
+        <Type>CalDAV</Type>
+        <Server>https://{$autodiscover_config['caldav']['server']}{$caldav_port}/SOGo/dav/{$email}/</Server>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>{$email}</LoginName>
+      </Protocol>
+      <Protocol>
+        <Type>CardDAV</Type>
+        <Server>https://{$autodiscover_config['carddav']['server']}{$carddav_port}/SOGo/dav/{$email}/</Server>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>{$email}</LoginName>
+      </Protocol>
+EOD;
+  }
+
+  if ($type == 'imap') {
+    $xml .= <<<EOD
+  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
+    <User>
+      <DisplayName>{$displayname}</DisplayName>
+    </User>
+    <Account>
+      <AccountType>email</AccountType>
+      <Action>settings</Action>
+      <Protocol>
+        <Type>IMAP</Type>
+        <Server>{$autodiscover_config['imap']['server']}</Server>
+        <Port>{$autodiscover_config['imap']['port']}</Port>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>{$email}</LoginName>
+        <SPA>off</SPA>
+        <SSL>on</SSL>
+        <AuthRequired>on</AuthRequired>
+      </Protocol>
+      <Protocol>
+        <Type>SMTP</Type>
+        <Server>{$autodiscover_config['smtp']['server']}</Server>
+        <Port>{$autodiscover_config['smtp']['port']}</Port>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>{$email}</LoginName>
+        <SPA>off</SPA>
+        <SSL>on</SSL>
+        <AuthRequired>on</AuthRequired>
+        <UsePOPAuth>on</UsePOPAuth>
+        <SMTPLast>off</SMTPLast>
+      </Protocol>
+      {$calcardav_xml}
+    </Account>
+  </Response>
+EOD;
+  }
+  else if ($type == 'activesync') {
+    $xml .= <<<EOD
+  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
+    <Culture>en:en</Culture>
+    <User>
+      <DisplayName>{$displayname}</DisplayName>
+      <EMailAddress>{$email}</EMailAddress>
+    </User>
+    <Action>
+      <Settings>
+        <Server>
+        <Type>MobileSync</Type>
+        <Url>{$autodiscover_config['activesync']['url']}</Url>
+        <Name>{$autodiscover_config['activesync']['url']}</Name>
+        </Server>
+      </Settings>
+    </Action>
+  </Response>
+EOD;
+  }
+
+
+  return <<<EOD
+<?xml version="1.0" encoding="utf-8" ?>
+<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
+$xml
+</Autodiscover>
+EOD;
+}
+
 $default_autodiscover_config = $autodiscover_config;
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
 
+// SQL
+//$dsn = $database_type . ":host=" . $database_host . ";dbname=" . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+  PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+  PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+  PDO::ATTR_EMULATE_PREPARES   => false,
+];
+$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+
 // Redis
 $redis = new Redis();
 try {
@@ -22,10 +146,15 @@ try {
   $redis->auth(getenv("REDISPASS"));
 }
 catch (Exception $e) {
-  exit;
+  $_SESSION['return'][] = array(
+    'type' => 'danger',
+    'msg' => 'Redis: '.$e
+  );
+
+  echo error_xml("2477272013", "600", "Server Error");
+  exit(0);
 }
 
-error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));
 
@@ -45,102 +174,37 @@ if (getenv('SKIP_SOGO') == "y") {
   $autodiscover_config['autodiscoverType'] = 'imap';
 }
 
-//$dsn = $database_type . ":host=" . $database_host . ";dbname=" . $database_name;
-$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
-$opt = [
-  PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
-  PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-  PDO::ATTR_EMULATE_PREPARES   => false,
-];
-$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
-
-// Init Identity Provider
-$iam_provider = identity_provider('init');
-$iam_settings = identity_provider('get');
 
-$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
-$login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
+if(!$data) {
+  try {
+    $json = json_encode(
+      array(
+        "time" => time(),
+        "ua" => $_SERVER['HTTP_USER_AGENT'],
+        "user" => $_SERVER['PHP_AUTH_USER'],
+        "ip" => $_SERVER['REMOTE_ADDR'],
+        "service" => "Error: invalid or missing request data"
+      )
+    );
+    $redis->lPush('AUTODISCOVER_LOG', $json);
+    $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+  }
+  catch (RedisException $e) {
+    $_SESSION['return'][] = array(
+      'type' => 'danger',
+      'msg' => 'Redis: '.$e
+    );
+  }
 
-if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
-  $json = json_encode(
-    array(
-      "time" => time(),
-      "ua" => $_SERVER['HTTP_USER_AGENT'],
-      "user" => "none",
-      "ip" => $_SERVER['REMOTE_ADDR'],
-      "service" => "Error: must be authenticated"
-    )
-  );
-  $redis->lPush('AUTODISCOVER_LOG', $json);
-  header('WWW-Authenticate: Basic realm="' . $_SERVER['HTTP_HOST'] . '"');
-  header('HTTP/1.0 401 Unauthorized');
+  echo error_xml("2477272013", "600", "Invalid Request");
   exit(0);
 }
 
-$login_role = check_login($login_user, $login_pass, array('eas' => TRUE));
-
-if ($login_role === "user") {
-  header("Content-Type: application/xml");
-  echo '<?xml version="1.0" encoding="utf-8" ?>' . PHP_EOL;
-?>
-<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
-<?php
-  if(!$data) {
-    try {
-      $json = json_encode(
-        array(
-          "time" => time(),
-          "ua" => $_SERVER['HTTP_USER_AGENT'],
-          "user" => $_SERVER['PHP_AUTH_USER'],
-          "ip" => $_SERVER['REMOTE_ADDR'],
-          "service" => "Error: invalid or missing request data"
-        )
-      );
-      $redis->lPush('AUTODISCOVER_LOG', $json);
-      $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
-    }
-    catch (RedisException $e) {
-      $_SESSION['return'][] = array(
-        'type' => 'danger',
-        'msg' => 'Redis: '.$e
-      );
-      return false;
-    }
-    list($usec, $sec) = explode(' ', microtime());
-?>
-  <Response>
-    <Error Time="<?=date('H:i:s', $sec) . substr($usec, 0, strlen($usec) - 2);?>" Id="2477272013">
-      <ErrorCode>600</ErrorCode>
-      <Message>Invalid Request</Message>
-      <DebugData />
-    </Error>
-  </Response>
-</Autodiscover>
-<?php
-    exit(0);
-  }
-  try {
-    $discover = new SimpleXMLElement($data);
-    $email = $discover->Request->EMailAddress;
-  } catch (Exception $e) {
-    $email = $_SERVER['PHP_AUTH_USER'];
-  }
-
-  $username = trim($email);
-  try {
-    $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
-    $stmt->execute(array(':username' => $username));
-    $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
-  }
-  catch(PDOException $e) {
-    die("Failed to determine name from SQL");
-  }
-  if (!empty($MailboxData['name'])) {
-    $displayname = $MailboxData['name'];
-  }
-  else {
-    $displayname = $email;
-  }
+try {
+  $discover = new SimpleXMLElement($data);
+  $email = $discover->Request->EMailAddress;
+} catch (Exception $e) {
+  // could not parse email address
   try {
     $json = json_encode(
       array(
@@ -148,7 +212,7 @@ if ($login_role === "user") {
         "ua" => $_SERVER['HTTP_USER_AGENT'],
         "user" => $_SERVER['PHP_AUTH_USER'],
         "ip" => $_SERVER['REMOTE_ADDR'],
-        "service" => $autodiscover_config['autodiscoverType']
+        "service" => "Error: missing email address in request data"
       )
     );
     $redis->lPush('AUTODISCOVER_LOG', $json);
@@ -159,83 +223,48 @@ if ($login_role === "user") {
       'type' => 'danger',
       'msg' => 'Redis: '.$e
     );
-    return false;
   }
-  if ($autodiscover_config['autodiscoverType'] == 'imap') {
-?>
-  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
-    <User>
-      <DisplayName><?=htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');?></DisplayName>
-    </User>
-    <Account>
-      <AccountType>email</AccountType>
-      <Action>settings</Action>
-      <Protocol>
-        <Type>IMAP</Type>
-        <Server><?=$autodiscover_config['imap']['server'];?></Server>
-        <Port><?=$autodiscover_config['imap']['port'];?></Port>
-        <DomainRequired>off</DomainRequired>
-        <LoginName><?=$email;?></LoginName>
-        <SPA>off</SPA>
-        <SSL>on</SSL>
-        <AuthRequired>on</AuthRequired>
-      </Protocol>
-      <Protocol>
-        <Type>SMTP</Type>
-        <Server><?=$autodiscover_config['smtp']['server'];?></Server>
-        <Port><?=$autodiscover_config['smtp']['port'];?></Port>
-        <DomainRequired>off</DomainRequired>
-        <LoginName><?=$email;?></LoginName>
-        <SPA>off</SPA>
-        <SSL>on</SSL>
-        <AuthRequired>on</AuthRequired>
-        <UsePOPAuth>on</UsePOPAuth>
-        <SMTPLast>off</SMTPLast>
-      </Protocol>
-    <?php
-    if (getenv('SKIP_SOGO') != "y") {
-    ?>
-      <Protocol>
-        <Type>CalDAV</Type>
-        <Server>https://<?=$autodiscover_config['caldav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
-        <DomainRequired>off</DomainRequired>
-        <LoginName><?=$email;?></LoginName>
-      </Protocol>
-      <Protocol>
-        <Type>CardDAV</Type>
-        <Server>https://<?=$autodiscover_config['carddav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
-        <DomainRequired>off</DomainRequired>
-        <LoginName><?=$email;?></LoginName>
-      </Protocol>
-    <?php
-    }
-    ?>
-    </Account>
-  </Response>
-<?php
-  }
-  else if ($autodiscover_config['autodiscoverType'] == 'activesync') {
-?>
-  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
-    <Culture>en:en</Culture>
-    <User>
-      <DisplayName><?=htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');?></DisplayName>
-      <EMailAddress><?=$email;?></EMailAddress>
-    </User>
-    <Action>
-      <Settings>
-        <Server>
-        <Type>MobileSync</Type>
-        <Url><?=$autodiscover_config['activesync']['url'];?></Url>
-        <Name><?=$autodiscover_config['activesync']['url'];?></Name>
-        </Server>
-      </Settings>
-    </Action>
-  </Response>
-<?php
-  }
-?>
-</Autodiscover>
-<?php
+
+  echo error_xml("2477272013", "600", "Invalid Request");
+  exit(0);
+}
+
+$username = trim($email);
+$displayname = $username;
+try {
+  $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
+  $stmt->execute(array(':username' => $username));
+  $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
+}
+catch(PDOException $e) {
+  $MailboxData = array("name" => "");
+}
+if (!empty($MailboxData['name'])) {
+  $displayname = $MailboxData['name'];
+}
+
+try {
+  $json = json_encode(
+    array(
+      "time" => time(),
+      "ua" => $_SERVER['HTTP_USER_AGENT'],
+      "user" => $_SERVER['PHP_AUTH_USER'],
+      "ip" => $_SERVER['REMOTE_ADDR'],
+      "service" => $autodiscover_config['autodiscoverType']
+    )
+  );
+  $redis->lPush('AUTODISCOVER_LOG', $json);
+  $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+}
+catch (RedisException $e) {
+  $_SESSION['return'][] = array(
+    'type' => 'danger',
+    'msg' => 'Redis: '.$e
+  );
+
+  echo error_xml("2477272013", "600", "Server Error");
+  exit(0);
 }
-?>
+
+echo autodiscover_xml($autodiscover_config['autodiscoverType'], $email, $displayname, $autodiscover_config);
+exit(0);