No OneTemporary
Actions

Authored By

Unknown

Size

20 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
	index fc0158ba..719df98c 100644
	--- a/plugins/kolab_auth/kolab_auth.php
	+++ b/plugins/kolab_auth/kolab_auth.php
	@@ -1,564 +1,564 @@
	<?php

	/**
	* Kolab Authentication (based on ldap_authentication plugin)
	*
	* Authenticates on LDAP server, finds canonized authentication ID for IMAP
	* and for new users creates identity based on LDAP information.
	*
	* Supports impersonate feature (login as another user). To use this feature
	* imap_auth_type/smtp_auth_type must be set to DIGEST-MD5 or PLAIN.
	*
	* @version @package_version@
	* @author Aleksander Machniak <machniak@kolabsys.com>
	*
	* Copyright (C) 2011-2012, Kolab Systems AG <contact@kolabsys.com>
	*
	* This program is free software: you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License as
	* published by the Free Software Foundation, either version 3 of the
	* License, or (at your option) any later version.
	*
	* This program is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU Affero General Public License for more details.
	*
	* You should have received a copy of the GNU Affero General Public License
	* along with this program. If not, see <http://www.gnu.org/licenses/>.
	*/

	class kolab_auth extends rcube_plugin
	{
	static $ldap;
	private $data = array();

	public function init()
	{
	$rcmail = rcube::get_instance();

	$this->add_hook('authenticate', array($this, 'authenticate'));
	$this->add_hook('startup', array($this, 'startup'));
	$this->add_hook('user_create', array($this, 'user_create'));

	// Hooks related to "Login As" feature
	$this->add_hook('template_object_loginform', array($this, 'login_form'));
	$this->add_hook('storage_connect', array($this, 'imap_connect'));
	$this->add_hook('managesieve_connect', array($this, 'imap_connect'));
	$this->add_hook('smtp_connect', array($this, 'smtp_connect'));

	$this->add_hook('write_log', array($this, 'write_log'));

	// TODO: This section does not actually seem to work
	if ($rcmail->config->get('kolab_auth_auditlog', false)) {
	$rcmail->config->set('debug_level', 1);
	$rcmail->config->set('devel_mode', true);
	$rcmail->config->set('smtp_log', true);
	$rcmail->config->set('log_logins', true);
	$rcmail->config->set('log_session', true);
	$rcmail->config->set('sql_debug', true);
	$rcmail->config->set('memcache_debug', true);
	$rcmail->config->set('imap_debug', true);
	$rcmail->config->set('ldap_debug', true);
	$rcmail->config->set('smtp_debug', true);

	}

	}

	public function startup($args) {
	// Arguments are task / action, not interested
	if (!empty($_SESSION['user_roledns'])) {
	$this->load_user_role_plugins_and_settings($_SESSION['user_roledns']);
	}

	return $args;
	}

	public function load_user_role_plugins_and_settings($role_dns) {
	$rcmail = rcube::get_instance();
	$this->load_config();

	// Check role dependent plugins to enable and settings to modify

	// Example 'kolab_auth_role_plugins' =
	//
	// Array(
	// '<role_dn>' => Array('plugin1', 'plugin2'),
	// );

	$role_plugins = $rcmail->config->get('kolab_auth_role_plugins');

	// Example $rcmail_config['kolab_auth_role_settings'] =
	//
	// Array(
	// '<role_dn>' => Array(
	// '$setting' => Array(
	// 'mode' => '(override\|merge)', (default: override)
	// 'value' => <>,
	// 'allow_override' => (true\|false) (default: false)
	// ),
	// ),
	// );

	$role_settings = $rcmail->config->get('kolab_auth_role_settings');

	foreach ($role_dns as $role_dn) {
	if (isset($role_plugins[$role_dn]) && is_array($role_plugins[$role_dn])) {
	foreach ($role_plugins[$role_dn] as $plugin) {
	$this->require_plugin($plugin);
	}
	}

	if (isset($role_settings[$role_dn]) && is_array($role_settings[$role_dn])) {
	foreach ($role_settings[$role_dn] as $setting_name => $setting) {
	if (!isset($setting['mode'])) {
	$setting['mode'] = 'override';
	}

	if ($setting['mode'] == "override") {
	$rcmail->config->set($setting_name, $setting['value']);
	} elseif ($setting['mode'] == "merge") {
	$orig_setting = $rcmail->config->get($setting_name);

	if (!empty($orig_setting)) {
	if (is_array($orig_setting)) {
	$rcmail->config->set($setting_name, array_merge($orig_setting, $setting['value']));
	}
	} else {
	$rcmail->config->set($setting_name, $setting['value']);
	}
	}

	$dont_override = (array) $rcmail->config->get('dont_override');

	if (!isset($setting['allow_override']) \|\| !$setting['allow_override']) {
	$rcmail->config->set('dont_override', array_merge($dont_override, array($setting_name)));
	}
	else {
	if (in_array($setting_name, $dont_override)) {
	$_dont_override = array();
	foreach ($dont_override as $_setting) {
	if ($_setting != $setting_name) {
	$_dont_override[] = $_setting;
	}
	}
	$rcmail->config->set('dont_override', $_dont_override);
	}
	}
	}
	}
	}
	}

	public function write_log($args) {
	$rcmail = rcube::get_instance();

	if (!$rcmail->config->get('kolab_auth_auditlog', false)) {
	return $args;
	}

	$args['abort'] = true;

	if ($rcmail->config->get('log_driver') == 'syslog') {
	$prio = $args['name'] == 'errors' ? LOG_ERR : LOG_INFO;
	syslog($prio, $args['line']);
	return $args;
	}
	else {
	$line = sprintf("[%s]: %s\n", $args['date'], $args['line']);

	// log_driver == 'file' is assumed here
	$log_dir = $rcmail->config->get('log_dir', INSTALL_PATH . 'logs');
	$log_path = $log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']);

	// Append original username + target username
	if (!is_dir($log_path)) {
	// Attempt to create the directory
	if (@mkdir($log_path, 0750, true)) {
	$log_dir = $log_path;
	}
	}
	else {
	$log_dir = $log_path;
	}

	// try to open specific log file for writing
	$logfile = $log_dir.'/'.$args['name'];

	if ($fp = fopen($logfile, 'a')) {
	fwrite($fp, $line);
	fflush($fp);
	fclose($fp);
	return $args;
	}
	else {
	trigger_error("Error writing to log file $logfile; Please check permissions", E_USER_WARNING);
	}
	}

	return $args;
	}

	/**
	* Sets defaults for new user.
	*/
	public function user_create($args)
	{
	if (!empty($this->data['user_email'])) {
	// addresses list is supported
	if (array_key_exists('email_list', $args)) {
	$email_list = array_unique($this->data['user_email']);

	// add organization to the list
	if (!empty($this->data['user_organization'])) {
	foreach ($email_list as $idx => $email) {
	$email_list[$idx] = array(
	'organization' => $this->data['user_organization'],
	'email' => $email,
	);
	}
	}

	$args['email_list'] = $email_list;
	}
	else {
	$args['user_email'] = $this->data['user_email'][0];
	}
	}

	if (!empty($this->data['user_name'])) {
	$args['user_name'] = $this->data['user_name'];
	}

	return $args;
	}

	/**
	* Modifies login form adding additional "Login As" field
	*/
	public function login_form($args)
	{
	$this->load_config();
	$this->add_texts('localization/');

	$rcmail = rcube::get_instance();
	$admin_login = $rcmail->config->get('kolab_auth_admin_login');
	$group = $rcmail->config->get('kolab_auth_group');
	$role_attr = $rcmail->config->get('kolab_auth_role');

	// Show "Login As" input
	if (empty($admin_login) \|\| (empty($group) && empty($role_attr))) {
	return $args;
	}

	$input = new html_inputfield(array('name' => '_loginas', 'id' => 'rcmloginas',
	'type' => 'text', 'autocomplete' => 'off'));
	$row = html::tag('tr', null,
	html::tag('td', 'title', html::label('rcmloginas', Q($this->gettext('loginas'))))
	. html::tag('td', 'input', $input->show(trim(rcube_utils::get_input_value('_loginas', rcube_utils::INPUT_POST))))
	);
	$args['content'] = preg_replace('/<\/tbody>/i', $row . '</tbody>', $args['content']);

	return $args;
	}

	/**
	* Find user credentials In LDAP.
	*/
	public function authenticate($args)
	{
	// get username and host
	$host = $args['host'];
	$user = $args['user'];
	$pass = $args['pass'];
	$loginas = trim(rcube_utils::get_input_value('_loginas', rcube_utils::INPUT_POST));

	if (empty($user) \|\| empty($pass)) {
	$args['abort'] = true;
	return $args;
	}

	$ldap = self::ldap();
	if (!$ldap \|\| !$ldap->ready) {
	$args['abort'] = true;
	return $args;
	}

	// Find user record in LDAP
	$record = $this->get_user_record($user, $host);

	if (empty($record)) {
	$args['abort'] = true;
	return $args;
	}

	$rcmail = rcube::get_instance();
	$admin_login = $rcmail->config->get('kolab_auth_admin_login');
	$admin_pass = $rcmail->config->get('kolab_auth_admin_password');
	$login_attr = $rcmail->config->get('kolab_auth_login');
	$name_attr = $rcmail->config->get('kolab_auth_name');
	$email_attr = $rcmail->config->get('kolab_auth_email');
	$org_attr = $rcmail->config->get('kolab_auth_organization');
	$role_attr = $rcmail->config->get('kolab_auth_role');

	if (!empty($role_attr) && !empty($record[$role_attr])) {
	$_SESSION['user_roledns'] = (array)($record[$role_attr]);
	}

	// Login As...
	if (!empty($loginas) && $admin_login) {
	// Authenticate to LDAP
	$dn = rcube_ldap::dn_decode($record['ID']);
	$result = $ldap->bind($dn, $pass);

	if (!$result) {
	$args['abort'] = true;
	return $args;
	}

	// check if the original user has/belongs to administrative role/group
	$isadmin = false;
	$group = $rcmail->config->get('kolab_auth_group');
	$role_attr = $rcmail->config->get('kolab_auth_role');
	$role_dn = $rcmail->config->get('kolab_auth_role_value');

	// check role attribute
	if (!empty($role_attr) && !empty($role_dn) && !empty($record[$role_attr])) {
	$role_dn = $this->parse_vars($role_dn, $user, $host);
	foreach ((array)$record[$role_attr] as $role) {
	if ($role == $role_dn) {
	$isadmin = true;
	break;
	}
	}
	}

	// check group
	if (!$isadmin && !empty($group)) {
	$groups = $ldap->get_record_groups($record['ID']);
	- foreach ($groups as $g) {
	+ foreach ($groups as $g => $prop) {
	if ($group == rcube_ldap::dn_decode($g)) {
	$isadmin = true;
	break;
	}
	}

	}

	// Save original user login for log (see below)
	if ($login_attr) {
	$origname = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
	}
	else {
	$origname = $user;
	}

	$record = null;

	// user has the privilage, get "login as" user credentials
	if ($isadmin) {
	$record = $this->get_user_record($loginas, $host);
	}

	if (empty($record)) {
	$args['abort'] = true;
	return $args;
	}

	$args['user'] = $loginas;

	// Mark session to use SASL proxy for IMAP authentication
	$_SESSION['kolab_auth_admin'] = strtolower($origname);
	$_SESSION['kolab_auth_login'] = $rcmail->encrypt($admin_login);
	$_SESSION['kolab_auth_password'] = $rcmail->encrypt($admin_pass);
	}

	// Store UID and DN of logged user in session for use by other plugins
	$_SESSION['kolab_uid'] = is_array($record['uid']) ? $record['uid'][0] : $record['uid'];
	$_SESSION['kolab_dn'] = $record['ID']; // encoded

	// Set user login
	if ($login_attr) {
	$this->data['user_login'] = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
	}
	if ($this->data['user_login']) {
	$args['user'] = $this->data['user_login'];
	}

	// User name for identity (first log in)
	foreach ((array)$name_attr as $field) {
	$name = is_array($record[$field]) ? $record[$field][0] : $record[$field];
	if (!empty($name)) {
	$this->data['user_name'] = $name;
	break;
	}
	}
	// User email(s) for identity (first log in)
	foreach ((array)$email_attr as $field) {
	$email = is_array($record[$field]) ? array_filter($record[$field]) : $record[$field];
	if (!empty($email)) {
	$this->data['user_email'] = array_merge((array)$this->data['user_email'], (array)$email);
	}
	}
	// Organization name for identity (first log in)
	foreach ((array)$org_attr as $field) {
	$organization = is_array($record[$field]) ? $record[$field][0] : $record[$field];
	if (!empty($organization)) {
	$this->data['user_organization'] = $organization;
	break;
	}
	}

	// Log "Login As" usage
	if (!empty($origname)) {
	rcube::write_log('userlogins', sprintf('Admin login for %s by %s from %s',
	$args['user'], $origname, rcube_utils::remote_ip()));
	}

	return $args;
	}

	/**
	* Sets SASL Proxy login/password for IMAP and Managesieve auth
	*/
	public function imap_connect($args)
	{
	if (!empty($_SESSION['kolab_auth_admin'])) {
	$rcmail = rcube::get_instance();
	$admin_login = $rcmail->decrypt($_SESSION['kolab_auth_login']);
	$admin_pass = $rcmail->decrypt($_SESSION['kolab_auth_password']);

	$args['auth_cid'] = $admin_login;
	$args['auth_pw'] = $admin_pass;
	}

	return $args;
	}

	/**
	* Sets SASL Proxy login/password for SMTP auth
	*/
	public function smtp_connect($args)
	{
	if (!empty($_SESSION['kolab_auth_admin'])) {
	$rcmail = rcube::get_instance();
	$admin_login = $rcmail->decrypt($_SESSION['kolab_auth_login']);
	$admin_pass = $rcmail->decrypt($_SESSION['kolab_auth_password']);

	$args['options']['smtp_auth_cid'] = $admin_login;
	$args['options']['smtp_auth_pw'] = $admin_pass;
	}

	return $args;
	}

	/**
	* Initializes LDAP object and connects to LDAP server
	*/
	public static function ldap()
	{
	if (self::$ldap) {
	return self::$ldap;
	}

	$rcmail = rcube::get_instance();

	// $this->load_config();
	// we're in static method, load config manually
	$fpath = $rcmail->plugins->dir . '/kolab_auth/config.inc.php';
	if (is_file($fpath) && !$rcmail->config->load_from_file($fpath)) {
	rcube::raise_error(array(
	'code' => 527, 'type' => 'php',
	'file' => __FILE__, 'line' => __LINE__,
	'message' => "Failed to load config from $fpath"), true, false);
	}

	$addressbook = $rcmail->config->get('kolab_auth_addressbook');

	if (!is_array($addressbook)) {
	$ldap_config = (array)$rcmail->config->get('ldap_public');
	$addressbook = $ldap_config[$addressbook];
	}

	if (empty($addressbook)) {
	return null;
	}

	self::$ldap = new kolab_auth_ldap_backend(
	$addressbook,
	$rcmail->config->get('ldap_debug'),
	$rcmail->config->mail_domain($_SESSION['imap_host'])
	);

	$rcmail->add_shutdown_function(array(self::$ldap, 'close'));

	return self::$ldap;
	}

	/**
	* Fetches user data from LDAP addressbook
	*/
	private function get_user_record($user, $host)
	{
	$rcmail = rcube::get_instance();
	$filter = $rcmail->config->get('kolab_auth_filter');
	$filter = $this->parse_vars($filter, $user, $host);
	$ldap = self::ldap();

	// reset old result
	$ldap->reset();

	// get record
	$ldap->set_filter($filter);
	$results = $ldap->list_records();

	if (count($results->records) == 1) {
	return $results->records[0];
	}
	}

	/**
	* Prepares filter query for LDAP search
	*/
	private function parse_vars($str, $user, $host)
	{
	$rcmail = rcube::get_instance();
	$domain = $rcmail->config->get('username_domain');

	if (!empty($domain) && strpos($user, '@') === false) {
	if (is_array($domain) && isset($domain[$host])) {
	$user .= '@'.rcube_utils::parse_host($domain[$host], $host);
	}
	else if (is_string($domain)) {
	$user .= '@'.rcube_utils::parse_host($domain, $host);
	}
	}

	// replace variables in filter
	list($u, $d) = explode('@', $user);
	$dc = 'dc='.strtr($d, array('.' => ',dc=')); // hierarchal domain string
	$replaces = array('%dc' => $dc, '%d' => $d, '%fu' => $user, '%u' => $u);

	return strtr($str, $replaces);
	}
	}

	/**
	* Wrapper class for rcube_ldap addressbook
	*/
	class kolab_auth_ldap_backend extends rcube_ldap
	{
	function __construct($p, $debug=false, $mail_domain=null)
	{
	parent::__construct($p, $debug, $mail_domain);
	$this->fieldmap['uid'] = 'uid';
	}

	function set_filter($filter)
	{
	if ($filter) {
	$this->prop['filter'] = $filter;
	}
	}
	}

File Metadata

Mime Type: text/x-diff
Expires: Sat, Apr 4, 7:08 AM (2 w, 1 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 18822954
Default Alt Text: (20 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions