diff --git a/src/app/Backends/IMAP.php b/src/app/Backends/IMAP.php index 7100a356..fd0b56d9 100644 --- a/src/app/Backends/IMAP.php +++ b/src/app/Backends/IMAP.php @@ -1,785 +1,785 @@ 'lrs', 'read-write' => 'lrswitedn', 'full' => 'lrswipkxtecdn', ]; /** * Delete a group. * * @param \App\Group $group Group * * @return bool True if a group was deleted successfully, False otherwise * @throws \Exception */ public static function deleteGroup(Group $group): bool { $domainName = explode('@', $group->email, 2)[1]; // Cleanup ACL // FIXME: Since all groups in Kolab4 have email address, // should we consider using it in ACL instead of the name? // Also we need to decide what to do and configure IMAP appropriately, // right now groups in ACL does not work for me at all. // Commented out in favor of a nightly cleanup job, for performance reasons // \App\Jobs\IMAP\AclCleanupJob::dispatch($group->name, $domainName); return true; } /** * Create a mailbox. * * @param \App\User $user User * * @return bool True if a mailbox was created successfully, False otherwise * @throws \Exception */ public static function createUser(User $user): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $mailbox = self::toUTF7('user/' . $user->email); // Mailbox already exists if (self::folderExists($imap, $mailbox)) { $imap->closeConnection(); self::createDefaultFolders($user); return true; } // Create the mailbox if (!$imap->createFolder($mailbox)) { \Log::error("Failed to create mailbox {$mailbox}"); $imap->closeConnection(); return false; } // Wait until it's propagated (for Cyrus Murder setup) // FIXME: Do we still need this? if (strpos($imap->conn->data['GREETING'] ?? '', 'Cyrus IMAP Murder') !== false) { $tries = 30; while ($tries-- > 0) { $folders = $imap->listMailboxes('', $mailbox); if (is_array($folders) && count($folders)) { break; } sleep(1); $imap->closeConnection(); $imap = self::initIMAP($config); } } // Set quota $quota = $user->countEntitlementsBySku('storage') * 1048576; if ($quota) { $imap->setQuota($mailbox, ['storage' => $quota]); } self::createDefaultFolders($user); $imap->closeConnection(); return true; } /** * Create default folders for the user. * * @param \App\User $user User */ public static function createDefaultFolders(User $user): void { if ($defaultFolders = \config('imap.default_folders')) { $config = self::getConfig(); // Log in as user to set private annotations and subscription state $imap = self::initIMAP($config, $user->email); foreach ($defaultFolders as $name => $folderconfig) { try { $mailbox = self::toUTF7($name); self::createFolder($imap, $mailbox, true, $folderconfig['metadata']); } catch (\Exception $e) { \Log::warning("Failed to create the default folder. " . $e->getMessage()); } } $imap->closeConnection(); } } /** * Delete a mailbox. * * @param \App\User $user User * * @return bool True if a mailbox was deleted successfully, False otherwise * @throws \Exception */ public static function deleteUser(User $user): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $mailbox = self::toUTF7('user/' . $user->email); // To delete the mailbox cyrus-admin needs extra permissions $imap->setACL($mailbox, $config['user'], 'c'); // Delete the mailbox (no need to delete subfolders?) $result = $imap->deleteFolder($mailbox); if (!$result) { // Ignore the error if the folder doesn't exist (maybe it was removed already). if (!self::folderExists($imap, $mailbox)) { \Log::info("The mailbox to delete was already removed: $mailbox"); $result = true; } } $imap->closeConnection(); // Cleanup ACL // Commented out in favor of a nightly cleanup job, for performance reasons // \App\Jobs\IMAP\AclCleanupJob::dispatch($user->email); return $result; } /** * Update a mailbox (quota). * * @param \App\User $user User * * @return bool True if a mailbox was updated successfully, False otherwise * @throws \Exception */ public static function updateUser(User $user): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $mailbox = self::toUTF7('user/' . $user->email); $result = true; // Set quota $quota = $user->countEntitlementsBySku('storage') * 1048576; if ($quota) { $result = $imap->setQuota($mailbox, ['storage' => $quota]); } $imap->closeConnection(); return $result; } /** * Create a resource. * * @param \App\Resource $resource Resource * * @return bool True if a resource was created successfully, False otherwise * @throws \Exception */ public static function createResource(Resource $resource): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $resource->getSettings(['invitation_policy', 'folder']); $mailbox = self::toUTF7($settings['folder']); $metadata = ['/shared/vendor/kolab/folder-type' => 'event']; $acl = []; if (!empty($settings['invitation_policy'])) { if (preg_match('/^manual:(\S+@\S+)$/', $settings['invitation_policy'], $m)) { $acl = ["{$m[1]}, full"]; } } self::createFolder($imap, $mailbox, false, $metadata, Utils::ensureAclPostPermission($acl)); $imap->closeConnection(); return true; } /** * Update a resource. * * @param \App\Resource $resource Resource * @param array $props Old resource properties * * @return bool True if a resource was updated successfully, False otherwise * @throws \Exception */ public static function updateResource(Resource $resource, array $props = []): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $resource->getSettings(['invitation_policy', 'folder']); $folder = $settings['folder']; $mailbox = self::toUTF7($folder); // Rename the mailbox (only possible if we have the old folder) if (!empty($props['folder']) && $props['folder'] != $folder) { $oldMailbox = self::toUTF7($props['folder']); if (!$imap->renameFolder($oldMailbox, $mailbox)) { \Log::error("Failed to rename mailbox {$oldMailbox} to {$mailbox}"); $imap->closeConnection(); return false; } } // ACL $acl = []; if (!empty($settings['invitation_policy'])) { if (preg_match('/^manual:(\S+@\S+)$/', $settings['invitation_policy'], $m)) { $acl = ["{$m[1]}, full"]; } } self::aclUpdate($imap, $mailbox, Utils::ensureAclPostPermission($acl)); $imap->closeConnection(); return true; } /** * Delete a resource. * * @param \App\Resource $resource Resource * * @return bool True if a resource was deleted successfully, False otherwise * @throws \Exception */ public static function deleteResource(Resource $resource): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $resource->getSettings(['folder']); $mailbox = self::toUTF7($settings['folder']); // To delete the mailbox cyrus-admin needs extra permissions $imap->setACL($mailbox, $config['user'], 'c'); // Delete the mailbox (no need to delete subfolders?) $result = $imap->deleteFolder($mailbox); $imap->closeConnection(); return $result; } /** * Create a shared folder. * * @param \App\SharedFolder $folder Shared folder * * @return bool True if a falder was created successfully, False otherwise * @throws \Exception */ public static function createSharedFolder(SharedFolder $folder): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $folder->getSettings(['acl', 'folder']); $acl = !empty($settings['acl']) ? json_decode($settings['acl'], true) : []; $mailbox = self::toUTF7($settings['folder']); $metadata = ['/shared/vendor/kolab/folder-type' => $folder->type]; self::createFolder($imap, $mailbox, false, $metadata, Utils::ensureAclPostPermission($acl)); $imap->closeConnection(); return true; } /** * Update a shared folder. * * @param \App\SharedFolder $folder Shared folder * @param array $props Old folder properties * * @return bool True if a falder was updated successfully, False otherwise * @throws \Exception */ public static function updateSharedFolder(SharedFolder $folder, array $props = []): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $folder->getSettings(['acl', 'folder']); - $acl = !empty($settings['acl']) ? json_decode($settings['acl'], true) : null; + $acl = !empty($settings['acl']) ? json_decode($settings['acl'], true) : []; $folder = $settings['folder']; $mailbox = self::toUTF7($folder); // Rename the mailbox if (!empty($props['folder']) && $props['folder'] != $folder) { $oldMailbox = self::toUTF7($props['folder']); if (!$imap->renameFolder($oldMailbox, $mailbox)) { \Log::error("Failed to rename mailbox {$oldMailbox} to {$mailbox}"); $imap->closeConnection(); return false; } } // Note: Shared folder type does not change // ACL self::aclUpdate($imap, $mailbox, Utils::ensureAclPostPermission($acl)); $imap->closeConnection(); return true; } /** * Delete a shared folder. * * @param \App\SharedFolder $folder Shared folder * * @return bool True if a falder was deleted successfully, False otherwise * @throws \Exception */ public static function deleteSharedFolder(SharedFolder $folder): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $settings = $folder->getSettings(['folder']); $mailbox = self::toUTF7($settings['folder']); // To delete the mailbox cyrus-admin needs extra permissions $imap->setACL($mailbox, $config['user'], 'c'); // Delete the mailbox $result = $imap->deleteFolder($mailbox); $imap->closeConnection(); return $result; } /** * Check if a shared folder is set up. * * @param string $folder Folder name, e.g. shared/Resources/Name@domain.tld * * @return bool True if a folder exists and is set up, False otherwise */ public static function verifySharedFolder(string $folder): bool { $config = self::getConfig(); $imap = self::initIMAP($config); // Convert the folder from UTF8 to UTF7-IMAP if (\preg_match('#^(shared/|shared/Resources/)(.+)(@[^@]+)$#', $folder, $matches)) { $folderName = self::toUTF7($matches[2]); $folder = $matches[1] . $folderName . $matches[3]; } // FIXME: just listMailboxes() does not return shared folders at all $metadata = $imap->getMetadata($folder, ['/shared/vendor/kolab/folder-type']); $imap->closeConnection(); // Note: We have to use error code to distinguish an error from "no mailbox" response if ($imap->errornum === \rcube_imap_generic::ERROR_NO) { return false; } if ($imap->errornum !== \rcube_imap_generic::ERROR_OK) { throw new \Exception("Failed to get folder metadata from IMAP"); } return true; } /** * Convert UTF8 string to UTF7-IMAP encoding */ public static function toUTF7(string $string): string { return \mb_convert_encoding($string, 'UTF7-IMAP', 'UTF8'); } /** * Check if an account is set up * * @param string $username User login (email address) * * @return bool True if an account exists and is set up, False otherwise */ public static function verifyAccount(string $username): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $mailbox = self::toUTF7('user/' . $username); // Mailbox already exists if (self::folderExists($imap, $mailbox)) { $imap->closeConnection(); return true; } $imap->closeConnection(); return false; } /** * Check if an account is set up * * @param string $username User login (email address) * * @return bool True if an account exists and is set up, False otherwise */ public static function verifyDefaultFolders(string $username): bool { $config = self::getConfig(); $imap = self::initIMAP($config, $username); foreach (\config('imap.default_folders') as $mb => $_metadata) { $mailbox = self::toUTF7($mb); if (!self::folderExists($imap, $mailbox)) { $imap->closeConnection(); return false; } } $imap->closeConnection(); return true; } /** * Check if we can connect to the imap server * * @return bool True on success */ public static function healthcheck(): bool { $config = self::getConfig(); $imap = self::initIMAP($config); $imap->closeConnection(); return true; } /** * Remove ACL for a specified user/group anywhere in the IMAP * * @param string $ident ACL identifier (user email or e.g. group name) * @param string $domain ACL domain */ public static function aclCleanup(string $ident, string $domain = ''): void { $config = self::getConfig(); $imap = self::initIMAP($config); if (strpos($ident, '@')) { $domain = explode('@', $ident, 2)[1]; } $callback = function ($folder) use ($imap, $ident) { $acl = $imap->getACL($folder); if (is_array($acl) && isset($acl[$ident])) { \Log::info("Cleanup: Removing {$ident} from ACL on {$folder}"); $imap->deleteACL($folder, $ident); } }; $folders = $imap->listMailboxes('', "user/*@{$domain}"); if (!is_array($folders)) { $imap->closeConnection(); throw new \Exception("Failed to get IMAP folders"); } array_walk($folders, $callback); $folders = $imap->listMailboxes('', "shared/*@{$domain}"); if (!is_array($folders)) { $imap->closeConnection(); throw new \Exception("Failed to get IMAP folders"); } array_walk($folders, $callback); $imap->closeConnection(); } /** * Remove ACL entries pointing to non-existent users/groups, for a specified domain * * @param string $domain Domain namespace * @param bool $dry_run Output ACL entries to delete, but do not delete */ public static function aclCleanupDomain(string $domain, bool $dry_run = false): void { $config = self::getConfig(); $imap = self::initIMAP($config); // Collect available (existing) users/groups // FIXME: Should we limit this to the requested domain or account? // FIXME: For groups should we use name or email? $idents = User::pluck('email') // ->concat(Group::pluck('name')) ->concat(['anyone', 'anonymous', $config['user']]) ->all(); $callback = function ($folder) use ($imap, $idents, $dry_run) { $acl = $imap->getACL($folder); if (is_array($acl)) { $owner = null; if (preg_match('|^user/([^/@]+).*@([^@/]+)$|', $folder, $m)) { $owner = $m[1] . '@' . $m[2]; } foreach (array_keys($acl) as $key) { if ($owner && $key === $owner) { // Don't even try to remove the folder's owner entry continue; } if (!in_array($key, $idents)) { if ($dry_run) { echo "{$folder} {$key} {$acl[$key]}\n"; } else { \Log::info("Cleanup: Removing {$key} from ACL on {$folder}"); $imap->deleteACL($folder, $key); } } } } }; $folders = $imap->listMailboxes('', "user/*@{$domain}"); if (!is_array($folders)) { $imap->closeConnection(); throw new \Exception("Failed to get IMAP folders"); } array_walk($folders, $callback); $folders = $imap->listMailboxes('', "shared/*@{$domain}"); if (!is_array($folders)) { $imap->closeConnection(); throw new \Exception("Failed to get IMAP folders"); } array_walk($folders, $callback); $imap->closeConnection(); } /** * Create a folder and set some default properties * * @param \rcube_imap_generic $imap The imap instance * @param string $mailbox Mailbox name * @param bool $subscribe Subscribe to the folder * @param array $metadata Metadata to set on the folder * @param array $acl Acl to set on the folder * * @return bool True when having a folder created, False if it already existed. * @throws \Exception */ private static function createFolder($imap, string $mailbox, $subscribe = false, $metadata = null, $acl = null) { if (self::folderExists($imap, $mailbox)) { return false; } if (!$imap->createFolder($mailbox)) { throw new \Exception("Failed to create mailbox {$mailbox}"); } if (!empty($acl)) { self::aclUpdate($imap, $mailbox, $acl, true); } if ($subscribe) { $imap->subscribe($mailbox); } foreach ($metadata as $key => $value) { $imap->setMetadata($mailbox, [$key => $value]); } return true; } /** * Convert Kolab ACL into IMAP user->rights array */ private static function aclToImap($acl): array { if (empty($acl)) { return []; } return \collect($acl) ->mapWithKeys(function ($item, $key) { list($user, $rights) = explode(',', $item, 2); $rights = trim($rights); return [trim($user) => self::ACL_MAP[$rights] ?? $rights]; }) ->all(); } /** * Update folder ACL */ private static function aclUpdate($imap, $mailbox, $acl, bool $isNew = false) { $imapAcl = $isNew ? [] : $imap->getACL($mailbox); if (is_array($imapAcl)) { foreach (self::aclToImap($acl) as $user => $rights) { if (empty($imapAcl[$user]) || implode('', $imapAcl[$user]) !== $rights) { $imap->setACL($mailbox, $user, $rights); } unset($imapAcl[$user]); } foreach ($imapAcl as $user => $rights) { $imap->deleteACL($mailbox, $user); } } } /** * Check if an IMAP folder exists */ private static function folderExists($imap, string $folder): bool { $folders = $imap->listMailboxes('', $folder); if (!is_array($folders)) { $imap->closeConnection(); throw new \Exception("Failed to get IMAP folders"); } return count($folders) > 0; } /** * Initialize connection to IMAP */ private static function initIMAP(array $config, string $login_as = null) { $imap = new \rcube_imap_generic(); if (\config('app.debug')) { $imap->setDebug(true, 'App\Backends\IMAP::logDebug'); } if ($login_as) { $config['options']['auth_cid'] = $config['user']; $config['options']['auth_pw'] = $config['password']; $config['options']['auth_type'] = 'PLAIN'; $config['user'] = $login_as; } $imap->connect($config['host'], $config['user'], $config['password'], $config['options']); if (!$imap->connected()) { $message = sprintf("Login failed for %s against %s. %s", $config['user'], $config['host'], $imap->error); \Log::error($message); throw new \Exception("Connection to IMAP failed"); } return $imap; } /** * Get LDAP configuration for specified access level */ private static function getConfig() { $uri = \parse_url(\config('imap.uri')); $default_port = 143; $ssl_mode = null; if (isset($uri['scheme'])) { if (preg_match('/^(ssl|imaps)/', $uri['scheme'])) { $default_port = 993; $ssl_mode = 'ssl'; } elseif ($uri['scheme'] === 'tls') { $ssl_mode = 'tls'; } } $config = [ 'host' => $uri['host'], 'user' => \config('imap.admin_login'), 'password' => \config('imap.admin_password'), 'options' => [ 'port' => !empty($uri['port']) ? $uri['port'] : $default_port, 'ssl_mode' => $ssl_mode, 'socket_options' => [ 'ssl' => [ 'verify_peer' => \config('imap.verify_peer'), 'verify_peer_name' => \config('imap.verify_peer'), 'verify_host' => \config('imap.verify_host') ], ], ], ]; return $config; } /** * Debug logging callback */ public static function logDebug($conn, $msg): void { $msg = '[IMAP] ' . $msg; \Log::debug($msg); } } diff --git a/src/app/Handlers/Auth2F.php b/src/app/Handlers/Auth2F.php index d17a40d1..d2d067ae 100644 --- a/src/app/Handlers/Auth2F.php +++ b/src/app/Handlers/Auth2F.php @@ -1,43 +1,58 @@ entitleable && !$entitlement->entitleable->trashed()) { + // TODO: This should be an async job + $sf = new \App\Auth\SecondFactor($entitlement->entitleable); + $sf->removeFactors(); + } + } + /** * SKU handler metadata. * * @param \App\Sku $sku The SKU object * * @return array */ public static function metadata(\App\Sku $sku): array { $data = parent::metadata($sku); $data['forbidden'] = ['Activesync']; return $data; } /** * The priority that specifies the order of SKUs in UI. * Higher number means higher on the list. * * @return int */ public static function priority(): int { return 60; } } diff --git a/src/app/Handlers/Base.php b/src/app/Handlers/Base.php index c24d4f8e..5f17b358 100644 --- a/src/app/Handlers/Base.php +++ b/src/app/Handlers/Base.php @@ -1,101 +1,119 @@ active) { if (!$object->entitlements()->where('sku_id', $sku->id)->first()) { return false; } } return true; } /** * Metadata of this SKU handler. * * @param \App\Sku $sku The SKU object * * @return array */ public static function metadata(\App\Sku $sku): array { return [ // entitleable type 'type' => \lcfirst(\class_basename(static::entitleableClass())), // handler 'handler' => str_replace("App\\Handlers\\", '', static::class), // readonly entitlement state cannot be changed 'readonly' => false, // is entitlement enabled by default? 'enabled' => false, // priority on the entitlements list 'prio' => static::priority(), ]; } /** * Prerequisites for the Entitlement to be applied to the object. * * @param \App\Entitlement $entitlement * @param mixed $object * * @return bool */ public static function preReq($entitlement, $object): bool { $type = static::entitleableClass(); if (empty($type) || empty($entitlement->entitleable_type)) { \Log::error("Entitleable class/type not specified"); return false; } if ($type !== $entitlement->entitleable_type) { \Log::error("Entitleable class mismatch"); return false; } if (!$entitlement->sku->active) { \Log::error("Sku not active"); return false; } return true; } /** * The priority that specifies the order of SKUs in UI. * Higher number means higher on the list. * * @return int */ public static function priority(): int { return 0; } } diff --git a/src/app/Handlers/Storage.php b/src/app/Handlers/Storage.php index 85a17125..46f85897 100644 --- a/src/app/Handlers/Storage.php +++ b/src/app/Handlers/Storage.php @@ -1,52 +1,72 @@ entitleable_id); + } + + /** + * Handle entitlement deletion event. + */ + public static function entitlementDeleted(Entitlement $entitlement): void + { + // Update the user IMAP mailbox quota + \App\Jobs\User\UpdateJob::dispatch($entitlement->entitleable_id); + } + /** * SKU handler metadata. * * @param \App\Sku $sku The SKU object * * @return array */ public static function metadata(\App\Sku $sku): array { $data = parent::metadata($sku); $data['readonly'] = true; // only the checkbox will be disabled, not range $data['enabled'] = true; $data['range'] = [ 'min' => $sku->units_free, 'max' => self::MAX_ITEMS, 'unit' => self::ITEM_UNIT, ]; return $data; } /** * The priority that specifies the order of SKUs in UI. * Higher number means higher on the list. * * @return int */ public static function priority(): int { return 90; } } diff --git a/src/app/Observers/EntitlementObserver.php b/src/app/Observers/EntitlementObserver.php index 07fb38cf..6caa1d63 100644 --- a/src/app/Observers/EntitlementObserver.php +++ b/src/app/Observers/EntitlementObserver.php @@ -1,116 +1,92 @@ wallet_id); if (!$wallet || !$wallet->owner) { return false; } $sku = \App\Sku::find($entitlement->sku_id); if (!$sku) { return false; } $result = $sku->handler_class::preReq($entitlement, $wallet->owner); if (!$result) { return false; } return true; } /** * Handle the entitlement "created" event. * * @param \App\Entitlement $entitlement The entitlement. * * @return void */ public function created(Entitlement $entitlement) { - $entitlement->entitleable->updated_at = Carbon::now(); - $entitlement->entitleable->save(); - $entitlement->createTransaction(\App\Transaction::ENTITLEMENT_CREATED); - // Update the user IMAP mailbox quota - if ($entitlement->sku->title == 'storage') { - \App\Jobs\User\UpdateJob::dispatch($entitlement->entitleable_id); - } + $entitlement->sku->handler_class::entitlementCreated($entitlement); } /** * Handle the entitlement "deleted" event. * * @param \App\Entitlement $entitlement The entitlement. * * @return void */ public function deleted(Entitlement $entitlement) { - if (!$entitlement->entitleable->trashed()) { - // TODO: This is useless, remove this, but also maybe refactor the whole method, - // i.e. move job invoking to App\Handlers (don't depend on SKU title). - // Also make sure the transaction is always being created - $entitlement->entitleable->updated_at = Carbon::now(); - $entitlement->entitleable->save(); - - $entitlement->createTransaction(\App\Transaction::ENTITLEMENT_DELETED); - } + $entitlement->createTransaction(\App\Transaction::ENTITLEMENT_DELETED); - // Remove all configured 2FA methods from Roundcube database - if ($entitlement->sku->title == '2fa') { - // FIXME: Should that be an async job? - $sf = new \App\Auth\SecondFactor($entitlement->entitleable); - $sf->removeFactors(); - } - - // Update the user IMAP mailbox quota - if ($entitlement->sku->title == 'storage') { - \App\Jobs\User\UpdateJob::dispatch($entitlement->entitleable_id); - } + $entitlement->sku->handler_class::entitlementDeleted($entitlement); } /** * Handle the entitlement "deleting" event. * * @param \App\Entitlement $entitlement The entitlement. * * @return void */ public function deleting(Entitlement $entitlement) { // Disable updating of updated_at column on delete, we need it unchanged to later // charge the wallet for the uncharged period before the entitlement has been deleted $entitlement->timestamps = false; } }