
implemented microsoft autodiscover v2 and secure autodiscover.xml
ClosedPublic

Authored by dhoffend on Feb 1 2020, 1:07 AM.

Details

Summary

Added support for JSON-based autodiscover v2, which currently only supports Protocol ActiveSync or redirects to the XML-based autodiscover v1.

In addition, this change implements basic authentication for autodiscover.xml to support the autodiscover/authentication flow and protect user data (prevents email testing/scraping).

Diff Detail

Repository
rAC autoconf
Branch
autodiscoverv2
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 27880
Build 9892: arc lint + arc unit

Event Timeline

dhoffend requested review of this revision.Feb 1 2020, 1:07 AM
dhoffend created this revision.
Harbormaster completed remote builds in B27880: Diff 2137.
dhoffend updated this revision to Diff 2143.Feb 1 2020, 1:12 AM
  • updated author name
dhoffend updated this revision to Diff 2149.Feb 1 2020, 11:36 AM
  • added missing charset
dhoffend updated this revision to Diff 2155.Feb 2 2020, 12:32 AM
  • autodiscover.xml now requires basic authentication

This helps the autodiscover process. With basic auth enabled on
autodiscover.xml URLs, the tested mobile clients no longer need to go
through the advanced settings page (tested on iOS).

This also protects the autodiscover service from leaking sensitive
information about existing users (showing display name) when using crafted
autodiscover requests with just a known email address without proper
authentication.

dhoffend retitled this revision from implemented microsoft autodiscover v2 to implemented microsoft autodiscover v2 and secure autodiscover.xml.Feb 2 2020, 12:36 AM
dhoffend edited the summary of this revision.
dhoffend updated this revision to Diff 2158.Feb 2 2020, 12:37 AM
  • whitespace fix
dhoffend added a comment (edited).Feb 2 2020, 12:42 AM

Start an unauthenticated autodiscover request with a known email address

# curl -H 'Content-Type: text/xml' -X POST -d '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
>   <Request>
>     <EMailAddress>XXXXX@kolab.org</EMailAddress>
>     <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006a</AcceptableResponseSchema>
>   </Request>
> </Autodiscover>' https://kolabnow.com/autodiscover/autodiscover.xml

The response

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User>
      <DisplayName>Daniel Hoffend</DisplayName>
      <EMailAddress>XXXXX@kolab.org</EMailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
          <Url>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Url>
          <Name>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Name>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>

With an unknown email address, the DisplayName field stays empty.
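The behaviour this revision introduces, as an added Python sketch that is not the autoconf project's own code: the v2 JSON endpoint answers Protocol=ActiveSync directly and sends everything else to the XML v1 endpoint, and the v1 endpoint emits no User/DisplayName until Basic credentials have been verified. The USERS directory, EAS_URL, the redirect target and the rule that a caller may only discover its own mailbox are assumptions of this example.

```python
import base64
import hmac
import json
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample directory and ActiveSync URL (not Kolab's real data).
USERS = {"alice@example.org": ("Alice Example", "s3cret")}
EAS_URL = "https://apps.example.org/Microsoft-Server-ActiveSync"
REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
EAS_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006"

def autodiscover_v2(query):
    """JSON Autodiscover v2: answer Protocol=ActiveSync directly, send anything else to v1."""
    if query.get("Protocol", "").lower() == "activesync":
        body = json.dumps({"Protocol": "ActiveSync", "Url": EAS_URL})
        return 200, {"Content-Type": "application/json"}, body
    return 302, {"Location": "/autodiscover/autodiscover.xml"}, ""

def _basic_auth_user(headers):
    """Return the user named in a valid Basic credential, else None (constant-time compare)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(password.encode(), record[1].encode()):
        return None
    return user

def autodiscover_v1(headers, xml_body):
    """XML Autodiscover v1: nothing about the mailbox is emitted before authentication."""
    user = _basic_auth_user(headers)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="autodiscover"'}, ""
    email = ET.fromstring(xml_body).findtext(f"{{{REQ_NS}}}Request/{{{REQ_NS}}}EMailAddress", "")
    if email != user:  # assumption: a caller may only discover its own mailbox
        return 403, {}, ""
    body = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Autodiscover xmlns="{RESP_NS}"><Response xmlns="{EAS_NS}">'
            f"<User><DisplayName>{escape(USERS[user][0])}</DisplayName>"
            f"<EMailAddress>{escape(email)}</EMailAddress></User><Action><Settings><Server>"
            f"<Type>MobileSync</Type><Url>{EAS_URL}</Url><Name>{EAS_URL}</Name>"
            "</Server></Settings></Action></Response></Autodiscover>")
    return 200, {"Content-Type": "text/xml; charset=utf-8"}, body
```

An unauthenticated POST like the one in the comment above now yields a 401 with a WWW-Authenticate challenge and an empty body, so neither the display name nor the existence of the address is revealed.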

dhoffend updated this revision to Diff 2215.Feb 7 2020, 8:55 PM
  • tab/whitespace fix
dhoffend updated this revision to Diff 2218.Feb 7 2020, 8:58 PM
  • autodiscover.xml now requires basic authentication
  • whitespace fix
  • tab/whitespace fix
  • reupload after pushing the wrong working copy
vanmeeuwen accepted this revision.Feb 23 2020, 10:41 AM
This revision is now accepted and ready to land.Feb 23 2020, 10:41 AM
This revision was automatically updated to reflect the committed changes.