diff --git a/plugins/kolab_sso/LICENSE b/plugins/kolab_sso/LICENSE
new file mode 100644
index 00000000..dba13ed2
--- /dev/null
+++ b/plugins/kolab_sso/LICENSE
@@ -0,0 +1,661 @@
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU Affero General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+.
diff --git a/plugins/kolab_sso/README b/plugins/kolab_sso/README
new file mode 100644
index 00000000..f12b0eca
--- /dev/null
+++ b/plugins/kolab_sso/README
@@ -0,0 +1,46 @@
+Single Sign On Authentication for Kolab
+---------------------------------------
+
+This plugin adds possibility to authenticate users via external authentication
+services. Currently the only supported method of authentication is OpenID Connect.
+
+Because Kolab backends do not support token authentication it is required
+to use master user (sasl proxy) authentication, i.e. you have to put
+master user credentials in plugin's config.
+
+Plugin requires libkolab plugin and HTTP/Request2 library.
+Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.
+
+Supported algorithms:
+- HS256, HS385, HS512 (PHP hash extension required)
+- RS256, RS384, RS512 (PHP openssl extension required).
+
+
+INSTALLATION
+------------
+
+Enable plugin in Roundcube's main configuration file. Make sure it is first
+on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.
+
+Default return URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
+but not all providers support query params. To workaround this limitation you have to
+define an alias URI or redirect. For example:
+
+RewriteEngine On
+RewriteCond %{REQUEST_URI} ^/roundcubemail
+RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]
+
+For the above "alias" plugin configuration should include 'response_uri' = '/sso'
+and on the provider side configured URI will be https://host/roundcubemail/sso.
+
+
+TODO
+----
+
+- SMTP auth
+- LDAP addressbook
+- kolab_delegation (LDAP auth)
+- Chwala auth (+Seafile, +WebDAV)
+- Freebusy auth
+- Mattermost auth
+- Improved token validation
diff --git a/plugins/kolab_sso/composer.json b/plugins/kolab_sso/composer.json
new file mode 100644
index 00000000..e5063b5b
--- /dev/null
+++ b/plugins/kolab_sso/composer.json
@@ -0,0 +1,27 @@
+{
+ "name": "kolab/kolab_sso",
+ "type": "roundcube-plugin",
+ "description": "Single Sign On for Kolab",
+ "homepage": "https://git.kolab.org/diffusion/RPK/",
+ "license": "AGPLv3",
+ "version": "3.4.0",
+ "authors": [
+ {
+ "name": "Aleksander Machniak",
+ "email": "machniak@kolabsys.com",
+ "role": "Lead"
+ }
+ ],
+ "repositories": [
+ {
+ "type": "composer",
+ "url": "http://plugins.roundcube.net"
+ }
+ ],
+ "require": {
+ "php": ">=5.3.0",
+ "roundcube/plugin-installer": ">=0.1.3",
+ "kolab/libkolab": ">=3.4.0",
+ "pear/http_request2": "~2.3.0"
+ }
+}
diff --git a/plugins/kolab_sso/config.inc.php.dist b/plugins/kolab_sso/config.inc.php.dist
new file mode 100644
index 00000000..2e705aab
--- /dev/null
+++ b/plugins/kolab_sso/config.inc.php.dist
@@ -0,0 +1,44 @@
+ array(
+ // User-friendly name (will be displayed in the button label)
+ 'name' => 'OpenIDC Test',
+ // Driver name
+ 'driver' => 'openidc',
+ // Provider API URI
+ 'uri' => 'https://kolab.eu.auth0.com',
+ // Client ID/Secret for the API
+ 'client_id' => '20w6DXX69isNBaufCwyK24wkBHqPT2ht',
+ 'client_secret' => 'd78McGW4UWfFyZprGd8BCKooll',
+ // Token URI, if different than /token
+ 'token_uri' => 'https://kolab.eu.auth0.com/oauth/token',
+ // Authorize URI, if different than /authorize
+ 'authorize_uri' => 'https://kolab.eu.auth0.com/authorize',
+ // Response URI, by default we use https://domain.tld/path?_task=login&_action=sso
+ // Define it if the Provider does not allow above
+ // to use https://domain.tld/path/ instead
+ 'response_uri' => '/sso',
+ // Public key for token validation when using RS256/RS385/RS512 method
+ 'pubkey' => '-----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ ',
+ ),
+);
+*/
diff --git a/plugins/kolab_sso/drivers/openidc.php b/plugins/kolab_sso/drivers/openidc.php
new file mode 100644
index 00000000..a9ef16a4
--- /dev/null
+++ b/plugins/kolab_sso/drivers/openidc.php
@@ -0,0 +1,401 @@
+
+ *
+ * Copyright (C) 2018, Kolab Systems AG
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+class kolab_sso_openidc
+{
+ protected $id = 'openidc';
+ protected $config = array();
+ protected $plugin;
+
+
+ public function __construct($plugin, $config)
+ {
+ $this->plugin = $plugin;
+ $this->config = $config;
+
+ $this->plugin->require_plugin('libkolab');
+ }
+
+ /**
+ * Authentication request (redirect to SSO service)
+ */
+ public function authorize()
+ {
+ $params = array(
+ 'response_type' => 'code',
+ 'scope' => 'openid email offline_access',
+ 'client_id' => $this->config['client_id'],
+ 'state' => $this->plugin->rc->get_request_token(),
+ 'redirect_uri' => $this->redirect_uri(),
+ );
+
+ // TODO: Other params by config: display, prompt, max_age,
+
+ $url = $this->config['authorize_uri'] ?: (unslashify($this->config['uri']) . '/authorize');
+ $url .= '?' . http_build_query($params);
+
+ $this->plugin->debug("[{$this->id}][authorize] Redirecting to $url");
+
+ header("Location: $url");
+ die;
+ }
+
+ /**
+ * Authorization response validation
+ */
+ public function response()
+ {
+ $this->plugin->debug("[{$this->id}][authorize] Response: " . $_SERVER['REQUEST_URI']);
+
+ $error = $this->response_error(
+ rcube_utils::get_input_value('error', rcube_utils::INPUT_GET),
+ rcube_utils::get_input_value('error_description', rcube_utils::INPUT_GET),
+ rcube_utils::get_input_value('error_uri', rcube_utils::INPUT_GET)
+ );
+
+ if ($error) {
+ // TODO: display error in UI
+ return;
+ }
+
+ $state = rcube_utils::get_input_value('state', rcube_utils::INPUT_GET);
+ $code = rcube_utils::get_input_value('code', rcube_utils::INPUT_GET);
+
+ if (!$state) {
+ $this->plugin->debug("[{$this->id}][response] State missing");
+ $error = $this->plugin->gettext('errorinvalidresponse');
+ return;
+ }
+
+ if ($state != $this->plugin->rc->get_request_token()) {
+ $this->plugin->debug("[{$this->id}][response] Invalid response state");
+ $error = $this->plugin->gettext('errorinvalidresponse');
+ return;
+ }
+
+ if (!$code) {
+ $this->plugin->debug("[{$this->id}][response] Code missing");
+ $error = $this->plugin->gettext('errorinvalidresponse');
+ return;
+ }
+
+ return $this->request_token($code);
+ }
+
+ /**
+ * Existing session validation
+ */
+ public function validate_session($session)
+ {
+ $this->plugin->debug("[{$this->id}][validate] Session: " . json_encode($session));
+
+ // Sanity checks
+ if (empty($session) || empty($session['code']) || empty($session['validto']) || empty($session['email'])) {
+ $this->plugin->debug("[{$this->id}][validate] Session invalid");
+ return;
+ }
+
+ // Check expiration time
+ $now = new DateTime('now', new DateTimezone('UTC'));
+ $validto = new DateTime($session['validto'], new DateTimezone('UTC'));
+
+ if ($now >= $validto) {
+ $this->plugin->debug("[{$this->id}][validate] Token expired");
+ return;
+ }
+
+ // Don't refresh often than TTL/2
+ $validto->sub(new DateInterval(sprintf('PT%dS', $session['ttl']/2)));
+ if ($now < $validto) {
+ $this->plugin->debug("[{$this->id}][validate] Token valid, skipping refresh");
+ return $session;
+ }
+
+ // No refresh_token, not possible to refresh
+ if (empty($session['refresh_token'])) {
+ $this->plugin->debug("[{$this->id}][validate] Session cannot be refreshed");
+ return;
+ }
+
+ // Renew tokens
+ $info = $this->request_token($session['code'], $session['refresh_token']);
+
+ if (!empty($info)) {
+ // Make sure the email didn't change
+ if (!empty($info['email']) && $info['email'] != $session['email']) {
+ $this->plugin->debug("[{$this->id}][validate] Email address change");
+ return;
+ }
+
+ $session = array_merge($session, $info);
+
+ $this->plugin->debug("[{$this->id}][validate] Session valid: " . json_encode($session));
+ return $session;
+ }
+ }
+
+ /**
+ * Authentication Token request (or token refresh)
+ */
+ protected function request_token($code, $refresh_token = null)
+ {
+ $mode = $refresh_token ? 'token-refresh' : 'token';
+ $url = $this->config['token_uri'] ?: ($this->config['uri'] . '/token');
+ $params = array(
+ 'client_id' => $this->config['client_id'],
+ 'client_secret' => $this->config['client_secret'],
+ 'grant_type' => $refresh_token ? 'refresh_token' : 'authorization_code',
+ );
+
+ if ($refresh_token) {
+ $params['refresh_token'] = $refresh_token;
+ $params['scope'] = 'openid email offline_access';
+ }
+ else {
+ $params['code'] = $code;
+ $params['redirect_uri'] = $this->redirect_uri();
+ }
+
+ $post = http_build_query($params);
+
+ $this->plugin->debug("[{$this->id}][$mode] Requesting POST $url?$post");
+
+ try {
+ // TODO: HTTP Basic and JWT methods of client authentication
+ // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.9
+
+ $request = $this->get_request($url, 'POST');
+// $request->setAuth($this->config['client_id'], $this->config['client_secret']);
+ $request->setBody($post);
+
+ $response = $request->send();
+ $status = $response->getStatus();
+ $response = $response->getBody();
+
+ $this->plugin->debug("[{$this->id}][$mode] Response: $response");
+
+ $response = @json_decode($response, true);
+
+ if ($status != 200 || !is_array($response) || !empty($response['error'])) {
+ $err = $this->error_message(is_array($response) ? $response['error'] : null);
+ throw new Exception("OpenIDC request failed with error: $err");
+ }
+ }
+ catch (Exception $e) {
+ rcube::raise_error(array(
+ 'line' => __LINE__, 'file' => __FILE__, 'message' => $e->getMessage()),
+ true, false);
+ return;
+ }
+
+ // Example response: {
+ // "access_token":"ACCESS_TOKEN",
+ // "token_type":"bearer",
+ // "expires_in":2592000,
+ // "refresh_token":"REFRESH_TOKEN",
+ // "scope":"read",
+ // "uid":100101,
+ // "info":{"name":"Mark E. Mark","email":"mark@example.com"}
+ // }
+
+ if (empty($response['access_token']) || empty($response['token_type'])
+ || strtolower($response['token_type']) != 'bearer'
+ ) {
+ $this->plugin->debug("[{$this->id}][$mode] Error: Invalid or unsupported response");
+ return;
+ }
+
+ $ttl = $response['expires_in'] ?: 600;
+ $validto = new DateTime(sprintf('+%d seconds', $ttl), new DateTimezone('UTC'));
+
+ $result = array(
+ 'code' => $code,
+ 'access_token' => $response['access_token'],
+ // 'token_type' => $response['token_type'],
+ 'validto' => $validto->format(DateTime::ISO8601),
+ 'ttl' => $ttl,
+ );
+
+ if (!empty($response['refresh_token'])) {
+ $result['refresh_token'] = $response['refresh_token'];
+ }
+
+ if (!empty($response['id_token'])) {
+ try {
+ $key = $this->config['client_secret'];
+
+ if (!empty($this->config['pubkey'])) {
+ $pubkey = trim(preg_replace('/\r?\n[\s\t]+/', "\n", $this->config['pubkey']));
+ if ($keyid = openssl_pkey_get_public($pubkey)) {
+ $key = $keyid;
+ }
+ else {
+ throw new Exception("Failed to extract public key");
+ }
+ }
+
+ $jwt = new Firebase\JWT\JWT;
+ $jwt::$leeway = 60;
+
+ $payload = $jwt->decode($response['id_token'], $key, array_keys(Firebase\JWT\JWT::$supported_algs));
+ $email = $this->config['debug_email'] ?: $payload->email;
+
+ if (empty($email)) {
+ throw new Exception("No email address in JWT token");
+ }
+
+ if (!in_array($this->config['client_id'], (array) $payload->aud)) {
+ throw new Exception("Token audience does not match");
+ }
+
+ // More extended token validation
+ // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+
+ $result['email'] = $email;
+ }
+ catch (Exception $e) {
+ rcube::raise_error(array(
+ 'line' => __LINE__, 'file' => __FILE__, 'message' => $e->getMessage()),
+ true, false);
+ return;
+ }
+ }
+
+ return $result;
+ }
+
+ /**
+ * The URL to use when redirecting the user from SSO back to Roundcube
+ */
+ protected function redirect_uri()
+ {
+ // response_uri is useful when the Provider does not allow
+ // URIs with parameters. In such case set response_uri = '/sso'
+ // and define a redirect in http server, example for Apache:
+ // RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]
+
+ $redirect_params = empty($this->config['response_uri']) ? array('_action' => 'sso') : array();
+
+ $url = $this->plugin->rc->url($redirect_params, false, true);
+
+ if (!empty($this->config['response_uri'])) {
+ $url = unslashify(preg_replace('/\?.*$/', '', $url)) . '/' . ltrim($this->config['response_uri'], '/');
+ }
+
+ return $url;
+ }
+
+ /**
+ * Get HTTP/Request2 object
+ */
+ protected function get_request($url, $type)
+ {
+ $config = array_intersect_key($this->config, array_flip(array(
+ 'ssl_verify_peer',
+ 'ssl_verify_host',
+ 'ssl_cafile',
+ 'ssl_capath',
+ 'ssl_local_cert',
+ 'ssl_passphrase',
+ 'follow_redirects',
+ )));
+
+ return libkolab::http_request($url, $type, $config);
+ }
+
+ /**
+ * Returns (localized) user-friendly error message
+ */
+ protected function response_error($error, $description, $uri)
+ {
+ if (empty($error)) {
+ return;
+ }
+
+ $msg = $this->error_message($error);
+
+ $this->plugin->debug("[{$this->id}] Error: $msg");
+
+ // TODO: Add URI to the message
+
+ $label = 'error' . str_replace('_', '', $error);
+ if ($this->plugin->rc->text_exists($label, 'kolab_sso')) {
+ return $this->plugin->gettext($label);
+ }
+
+ return $this->plugin->gettext('responseerrorunknown');
+ }
+
+ /**
+ * Returns error message for specified OpenIDC error code
+ */
+ protected function error_message($error)
+ {
+ switch ($error) {
+ // OAuth2 codes
+ case 'invalid_request':
+ return "Request malformed";
+ case 'unauthorized_client':
+ return "The client is not authorized";
+ case 'invalid_client':
+ return "Client authentication failed";
+ case 'access_denied':
+ return "Request denied";
+ case 'unsupported_response_type':
+ return "Unsupported response type";
+ case 'invalid_grant':
+ return "Invalid authorization grant";
+ case 'unsupported_grant_type':
+ return "Unsupported authorization grant";
+ case 'invalid_scope':
+ return "Invalid scope";
+ case 'server_error':
+ return "Server error";
+ case 'temporarily_unavailable':
+ return "Service temporarily unavailable";
+ // OpenIDC codes
+ case 'interaction_required':
+ return "End-User interaction required";
+ case 'login_required':
+ return "End-User authentication required";
+ case 'account_selection_required':
+ return "End-User account selection required";
+ case 'consent_required':
+ return "End-User consent required";
+ case 'invalid_request_uri':
+ return "Invalid request_uri";
+ case 'invalid_request_object':
+ return "Invalid Request Object";
+ case 'request_not_supported':
+ return "Request param not supported";
+ case 'request_uri_not_supported':
+ return "request_uri param not supported";
+ case 'registration_not_supported':
+ return "Registration parameter not supported";
+ }
+
+ return "Unknown error";
+ }
+}
diff --git a/plugins/kolab_sso/kolab_sso.php b/plugins/kolab_sso/kolab_sso.php
new file mode 100644
index 00000000..433e4e7f
--- /dev/null
+++ b/plugins/kolab_sso/kolab_sso.php
@@ -0,0 +1,340 @@
+
+ *
+ * Copyright (C) 2018, Kolab Systems AG
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+class kolab_sso extends rcube_plugin
+{
+ public $rc;
+
+ private $data;
+ private $driver;
+ private $debug = false;
+
+
+ /**
+ * Plugin initialization
+ */
+ public function init()
+ {
+ $this->rc = rcube::get_instance();
+
+ // Disable the plugin in Syncroton, iRony, etc.
+ if (!($this->rc instanceof rcmail)) {
+ return;
+ }
+
+ $this->add_hook('startup', array($this, 'startup'));
+ $this->add_hook('ready', array($this, 'ready'));
+ $this->add_hook('login_after', array($this, 'ready'));
+ $this->add_hook('authenticate', array($this, 'authenticate'));
+ }
+
+ /**
+ * Startup hook handler
+ */
+ public function startup($args)
+ {
+ // On login or logout (or when the session expired)...
+ if ($args['task'] == 'login' || $args['task'] == 'logout') {
+ $mode = $args['action'] == 'sso' ? $_SESSION['sso_mode'] : rcube_utils::get_input_value('_sso', rcube_utils::INPUT_GP);
+
+ // Authorization
+ if ($mode) {
+ $driver = $this->get_driver($mode);
+
+ // This is where we handle redirections from the SSO provider
+ if ($args['action'] == 'sso') {
+ $this->data = $driver->response();
+
+ if (!empty($this->data)) {
+ $this->data['timezone'] = $_SESSION['sso_timezone'];
+ $this->data['url'] = $_SESSION['sso_url'];
+ $this->data['mode'] = $mode;
+ }
+ }
+ // This is where we handle clicking one of "Login by SSO" buttons
+ else if ($_SESSION['temp'] && $this->rc->check_request()) {
+ // Remember some logon params for use on SSO response above
+ $_SESSION['sso_timezone'] = rcube_utils::get_input_value('_timezone', rcube_utils::INPUT_POST);
+ $_SESSION['sso_url'] = rcube_utils::get_input_value('_url', rcube_utils::INPUT_POST);
+ $_SESSION['sso_mode'] = $mode;
+
+ $driver->authorize();
+ }
+
+ $args['action'] = 'login';
+ $args['task'] = 'login';
+ }
+ }
+ // On valid session...
+ else if (isset($_SESSION['user_id'])
+ && ($data = $_SESSION['sso_data'])
+ && ($data = json_decode($this->rc->decrypt($data), true))
+ && ($mode = $data['mode'])
+ ) {
+ $driver = $this->get_driver($mode);
+
+ // Session validation, token refresh, etc.
+ if ($this->data = $driver->validate_session($data)) {
+ // register storage connection hooks
+ $this->authenticate(array(), true);
+ }
+ else {
+ // Destroy the session
+ $this->rc->kill_session();
+ // TODO: error message beter explaining the reason
+ // $this->rc->output->show_message('sessionferror', 'error');
+ }
+ }
+
+ // Register login form modifications
+ $this->add_hook('template_object_loginform', array($this, 'login_form'));
+
+ return $args;
+ }
+
+ /**
+ * Authenticate hook handler
+ */
+ public function authenticate($args, $internal = false)
+ {
+ if (!empty($this->data) && ($email = $this->data['email'])) {
+ if (!$internal) {
+ $args['user'] = $email;
+ $args['pass'] = 'fake-sso-password';
+ $args['valid'] = true;
+ $args['cookiecheck'] = false;
+
+ $_POST['_timezone'] = $this->data['timezone'];
+ $_POST['_url'] = $this->data['url'];
+ }
+
+ $this->add_hook('storage_connect', array($this, 'storage_connect'));
+ $this->add_hook('managesieve_connect', array($this, 'storage_connect'));
+ $this->add_hook('smtp_connect', array($this, 'smtp_connect'));
+ }
+
+ return $args;
+ }
+
+ /**
+ * Login_after hook handler
+ */
+ public function login_after($args)
+ {
+ // Between startup and authenticate the session is destroyed.
+ // So, we save the data later than that. Here, because of
+ // a redirect after successful login
+ if (!empty($this->data)) {
+ $_SESSION['sso_data'] = $this->rc->encrypt(json_encode($this->data));
+ }
+
+ return $args;
+ }
+
+ /**
+ * Ready hook handler
+ */
+ public function ready($args)
+ {
+ // Between startup and authenticate the session is destroyed.
+ // So, we save the data later than that.
+ if (!empty($this->data)) {
+ $_SESSION['sso_data'] = $this->rc->encrypt(json_encode($this->data));
+ }
+
+ return $args;
+ }
+
+ /**
+ * Storage_connect/managesieve_connect hook handler
+ */
+ public function storage_connect($args)
+ {
+ $user = $this->rc->config->get('kolab_sso_username');
+ $pass = $this->rc->config->get('kolab_sso_password');
+
+ if ($user && $pass) {
+ $args['auth_cid'] = $user;
+ $args['auth_pw'] = $pass;
+ $args['auth_type'] = 'PLAIN';
+ }
+
+ return $args;
+ }
+
+ /**
+ * Smtp_connect hook handler
+ */
+ public function smtp_connect($args)
+ {
+ $user = $this->rc->config->get('kolab_sso_username');
+ $pass = $this->rc->config->get('kolab_sso_password');
+
+ if ($user && $pass) {
+ $args['smtp_auth_cid'] = $user;
+ $args['smtp_auth_pw'] = $pass;
+ $args['smtp_auth_type'] = 'PLAIN';
+ }
+
+ return $args;
+ }
+
+ /**
+ * Login form object
+ */
+ public function login_form($args)
+ {
+ $this->load_config();
+
+ $options = (array) $this->rc->config->get('kolab_sso_options');
+ $disable_login = $this->rc->config->get('kolab_sso_disable_login');
+
+ if (empty($options)) {
+ return $args;
+ }
+
+ $doc = new DOMDocumentHelper('1.0');
+ $doc->loadHTML($args['content']);
+
+ $body = $doc->getElementsByTagName('body')->item(0);
+
+ if ($disable_login) {
+ // Remove login form inputs table
+ $table = $doc->getElementsByTagName('table')->item(0);
+ $table->parentNode->removeChild($table);
+
+ // Remove original Submit button
+ $submit = $doc->getElementsByTagName('button')->item(0);
+ $submit->parentNode->removeChild($submit);
+ }
+
+ if (!$this->driver) {
+ $this->add_texts('localization/');
+ }
+
+ // Add SSO form elements
+ $form = $doc->createNode('p', null, array('id' => 'sso-form', 'class' => 'formbuttons'), $body);
+
+ foreach ($options as $idx => $option) {
+ $label = array('name' => 'loginby', 'vars' => array('provider' => $option['name'] ?: $this->gettext('sso')));
+ $doc->createNode('button', $this->gettext($label), array(
+ 'type' => 'button',
+ 'value' => $idx,
+ 'class' => 'button sso w-100',
+ 'onclick' => 'kolab_sso_submit(this)',
+ ), $form);
+ }
+
+ $doc->createNode('input', null, array('name' => '_sso', 'type' => 'hidden'), $form);
+
+ // Save the form content back
+ $args['content'] = preg_replace('||', '', $doc->saveHTML($body));
+
+ // Add script
+ $args['content'] .= "";
+
+ return $args;
+ }
+
+ /**
+ * Debug function for drivers
+ */
+ public function debug($line)
+ {
+ if ($this->debug) {
+ rcube::write_log('sso', $line);
+ }
+ }
+
+ /**
+ * Initialize SSO driver object
+ */
+ private function get_driver($name)
+ {
+ if ($this->driver) {
+ return $this->driver;
+ }
+
+ $this->load_config();
+ $this->add_texts('localization/');
+
+ $options = (array) $this->rc->config->get('kolab_sso_options');
+ $options = (array) $options[$name];
+ $driver = $options['driver'] ?: 'openidc';
+ $class = "kolab_sso_$driver";
+
+ if (empty($options) || !file_exists($this->home . "/drivers/$driver.php")) {
+ rcube::raise_error(array(
+ 'line' => __LINE__, 'file' => __FILE__,
+ 'message' => "Unable to find SSO driver"
+ ), true, true);
+ }
+
+ // Add /lib to include_path
+ $include_path = $this->home . '/lib' . PATH_SEPARATOR;
+ $include_path .= ini_get('include_path');
+ set_include_path($include_path);
+
+ require_once $this->home . "/drivers/$driver.php";
+
+ $this->debug = $this->rc->config->get('kolab_sso_debug');
+ $this->driver = new $class($this, $options);
+
+ return $this->driver;
+ }
+}
+
+/**
+ * DOMDocument wrapper with some shortcut method
+ */
+class DOMDocumentHelper extends DOMDocument
+{
+ public function createNode($name, $value = null, $args = array(), $parent = null, $prepend = false)
+ {
+ $node = parent::createElement($name);
+
+ if ($value) {
+ $node->appendChild(new DOMText(rcube::Q($value)));
+ }
+
+ foreach ($args as $attr_name => $attr_value) {
+ $node->setAttribute($attr_name, $attr_value);
+ }
+
+ if ($parent) {
+ if ($prepend && $parent->firstChild) {
+ $parent->insertBefore($node, $parent->firstChild);
+ }
+ else {
+ $parent->appendChild($node);
+ }
+ }
+
+ return $node;
+ }
+}
diff --git a/plugins/kolab_sso/lib/Firebase/JWT/BeforeValidException.php b/plugins/kolab_sso/lib/Firebase/JWT/BeforeValidException.php
new file mode 100644
index 00000000..a6ee2f7c
--- /dev/null
+++ b/plugins/kolab_sso/lib/Firebase/JWT/BeforeValidException.php
@@ -0,0 +1,7 @@
+
+ * @author Anant Narayanan
+ * @license http://opensource.org/licenses/BSD-3-Clause 3-clause BSD
+ * @link https://github.com/firebase/php-jwt
+ */
+class JWT
+{
+
+ /**
+ * When checking nbf, iat or expiration times,
+ * we want to provide some extra leeway time to
+ * account for clock skew.
+ */
+ public static $leeway = 0;
+
+ /**
+ * Allow the current timestamp to be specified.
+ * Useful for fixing a value within unit testing.
+ *
+ * Will default to PHP time() value if null.
+ */
+ public static $timestamp = null;
+
+ public static $supported_algs = array(
+ 'HS256' => array('hash_hmac', 'SHA256'),
+ 'HS512' => array('hash_hmac', 'SHA512'),
+ 'HS384' => array('hash_hmac', 'SHA384'),
+ 'RS256' => array('openssl', 'SHA256'),
+ 'RS384' => array('openssl', 'SHA384'),
+ 'RS512' => array('openssl', 'SHA512'),
+ );
+
+ /**
+ * Decodes a JWT string into a PHP object.
+ *
+ * @param string $jwt The JWT
+ * @param string|array $key The key, or map of keys.
+ * If the algorithm used is asymmetric, this is the public key
+ * @param array $allowed_algs List of supported verification algorithms
+ * Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
+ *
+ * @return object The JWT's payload as a PHP object
+ *
+ * @throws UnexpectedValueException Provided JWT was invalid
+ * @throws SignatureInvalidException Provided JWT was invalid because the signature verification failed
+ * @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
+ * @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
+ * @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
+ *
+ * @uses jsonDecode
+ * @uses urlsafeB64Decode
+ */
+ public static function decode($jwt, $key, array $allowed_algs = array())
+ {
+ $timestamp = is_null(static::$timestamp) ? time() : static::$timestamp;
+
+ if (empty($key)) {
+ throw new InvalidArgumentException('Key may not be empty');
+ }
+ $tks = explode('.', $jwt);
+ if (count($tks) != 3) {
+ throw new UnexpectedValueException('Wrong number of segments');
+ }
+ list($headb64, $bodyb64, $cryptob64) = $tks;
+ if (null === ($header = static::jsonDecode(static::urlsafeB64Decode($headb64)))) {
+ throw new UnexpectedValueException('Invalid header encoding');
+ }
+ if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
+ throw new UnexpectedValueException('Invalid claims encoding');
+ }
+ if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+ throw new UnexpectedValueException('Invalid signature encoding');
+ }
+ if (empty($header->alg)) {
+ throw new UnexpectedValueException('Empty algorithm');
+ }
+ if (empty(static::$supported_algs[$header->alg])) {
+ throw new UnexpectedValueException('Algorithm not supported');
+ }
+ if (!in_array($header->alg, $allowed_algs)) {
+ throw new UnexpectedValueException('Algorithm not allowed');
+ }
+ if (is_array($key) || $key instanceof \ArrayAccess) {
+ if (isset($header->kid)) {
+ if (!isset($key[$header->kid])) {
+ throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+ }
+ $key = $key[$header->kid];
+ } else {
+ throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
+ }
+ }
+
+ // Check the signature
+ if (!static::verify("$headb64.$bodyb64", $sig, $key, $header->alg)) {
+ throw new SignatureInvalidException('Signature verification failed');
+ }
+
+ // Check if the nbf if it is defined. This is the time that the
+ // token can actually be used. If it's not yet that time, abort.
+ if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
+ throw new BeforeValidException(
+ 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
+ );
+ }
+
+ // Check that this token has been created before 'now'. This prevents
+ // using tokens that have been created for later use (and haven't
+ // correctly used the nbf claim).
+ if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
+ throw new BeforeValidException(
+ 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
+ );
+ }
+
+ // Check if this token has expired.
+ if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
+ throw new ExpiredException('Expired token');
+ }
+
+ return $payload;
+ }
+
+ /**
+ * Converts and signs a PHP object or array into a JWT string.
+ *
+ * @param object|array $payload PHP object or array
+ * @param string $key The secret key.
+ * If the algorithm used is asymmetric, this is the private key
+ * @param string $alg The signing algorithm.
+ * Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
+ * @param mixed $keyId
+ * @param array $head An array with header elements to attach
+ *
+ * @return string A signed JWT
+ *
+ * @uses jsonEncode
+ * @uses urlsafeB64Encode
+ */
+ public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
+ {
+ $header = array('typ' => 'JWT', 'alg' => $alg);
+ if ($keyId !== null) {
+ $header['kid'] = $keyId;
+ }
+ if ( isset($head) && is_array($head) ) {
+ $header = array_merge($head, $header);
+ }
+ $segments = array();
+ $segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
+ $segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
+ $signing_input = implode('.', $segments);
+
+ $signature = static::sign($signing_input, $key, $alg);
+ $segments[] = static::urlsafeB64Encode($signature);
+
+ return implode('.', $segments);
+ }
+
+ /**
+ * Sign a string with a given key and algorithm.
+ *
+ * @param string $msg The message to sign
+ * @param string|resource $key The secret key
+ * @param string $alg The signing algorithm.
+ * Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
+ *
+ * @return string An encrypted message
+ *
+ * @throws DomainException Unsupported algorithm was specified
+ */
+ public static function sign($msg, $key, $alg = 'HS256')
+ {
+ if (empty(static::$supported_algs[$alg])) {
+ throw new DomainException('Algorithm not supported');
+ }
+ list($function, $algorithm) = static::$supported_algs[$alg];
+ switch($function) {
+ case 'hash_hmac':
+ return hash_hmac($algorithm, $msg, $key, true);
+ case 'openssl':
+ $signature = '';
+ $success = openssl_sign($msg, $signature, $key, $algorithm);
+ if (!$success) {
+ throw new DomainException("OpenSSL unable to sign data");
+ } else {
+ return $signature;
+ }
+ }
+ }
+
+ /**
+ * Verify a signature with the message, key and method. Not all methods
+ * are symmetric, so we must have a separate verify and sign method.
+ *
+ * @param string $msg The original message (header and body)
+ * @param string $signature The original signature
+ * @param string|resource $key For HS*, a string key works. for RS*, must be a resource of an openssl public key
+ * @param string $alg The algorithm
+ *
+ * @return bool
+ *
+ * @throws DomainException Invalid Algorithm or OpenSSL failure
+ */
+ private static function verify($msg, $signature, $key, $alg)
+ {
+ if (empty(static::$supported_algs[$alg])) {
+ throw new DomainException('Algorithm not supported');
+ }
+
+ list($function, $algorithm) = static::$supported_algs[$alg];
+ switch($function) {
+ case 'openssl':
+ $success = openssl_verify($msg, $signature, $key, $algorithm);
+ if ($success === 1) {
+ return true;
+ } elseif ($success === 0) {
+ return false;
+ }
+ // returns 1 on success, 0 on failure, -1 on error.
+ throw new DomainException(
+ 'OpenSSL error: ' . openssl_error_string()
+ );
+ case 'hash_hmac':
+ default:
+ $hash = hash_hmac($algorithm, $msg, $key, true);
+ if (function_exists('hash_equals')) {
+ return hash_equals($signature, $hash);
+ }
+ $len = min(static::safeStrlen($signature), static::safeStrlen($hash));
+
+ $status = 0;
+ for ($i = 0; $i < $len; $i++) {
+ $status |= (ord($signature[$i]) ^ ord($hash[$i]));
+ }
+ $status |= (static::safeStrlen($signature) ^ static::safeStrlen($hash));
+
+ return ($status === 0);
+ }
+ }
+
+ /**
+ * Decode a JSON string into a PHP object.
+ *
+ * @param string $input JSON string
+ *
+ * @return object Object representation of JSON string
+ *
+ * @throws DomainException Provided string was invalid JSON
+ */
+ public static function jsonDecode($input)
+ {
+ if (version_compare(PHP_VERSION, '5.4.0', '>=') && !(defined('JSON_C_VERSION') && PHP_INT_SIZE > 4)) {
+ /** In PHP >=5.4.0, json_decode() accepts an options parameter, that allows you
+ * to specify that large ints (like Steam Transaction IDs) should be treated as
+ * strings, rather than the PHP default behaviour of converting them to floats.
+ */
+ $obj = json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
+ } else {
+ /** Not all servers will support that, however, so for older versions we must
+ * manually detect large ints in the JSON string and quote them (thus converting
+ *them to strings) before decoding, hence the preg_replace() call.
+ */
+ $max_int_length = strlen((string) PHP_INT_MAX) - 1;
+ $json_without_bigints = preg_replace('/:\s*(-?\d{'.$max_int_length.',})/', ': "$1"', $input);
+ $obj = json_decode($json_without_bigints);
+ }
+
+ if (function_exists('json_last_error') && $errno = json_last_error()) {
+ static::handleJsonError($errno);
+ } elseif ($obj === null && $input !== 'null') {
+ throw new DomainException('Null result with non-null input');
+ }
+ return $obj;
+ }
+
+ /**
+ * Encode a PHP object into a JSON string.
+ *
+ * @param object|array $input A PHP object or array
+ *
+ * @return string JSON representation of the PHP object or array
+ *
+ * @throws DomainException Provided object could not be encoded to valid JSON
+ */
+ public static function jsonEncode($input)
+ {
+ $json = json_encode($input);
+ if (function_exists('json_last_error') && $errno = json_last_error()) {
+ static::handleJsonError($errno);
+ } elseif ($json === 'null' && $input !== null) {
+ throw new DomainException('Null result with non-null input');
+ }
+ return $json;
+ }
+
+ /**
+ * Decode a string with URL-safe Base64.
+ *
+ * @param string $input A Base64 encoded string
+ *
+ * @return string A decoded string
+ */
+ public static function urlsafeB64Decode($input)
+ {
+ $remainder = strlen($input) % 4;
+ if ($remainder) {
+ $padlen = 4 - $remainder;
+ $input .= str_repeat('=', $padlen);
+ }
+ return base64_decode(strtr($input, '-_', '+/'));
+ }
+
+ /**
+ * Encode a string with URL-safe Base64.
+ *
+ * @param string $input The string you want encoded
+ *
+ * @return string The base64 encode of what you passed in
+ */
+ public static function urlsafeB64Encode($input)
+ {
+ return str_replace('=', '', strtr(base64_encode($input), '+/', '-_'));
+ }
+
+ /**
+ * Helper method to create a JSON error.
+ *
+ * @param int $errno An error number from json_last_error()
+ *
+ * @return void
+ */
+ private static function handleJsonError($errno)
+ {
+ $messages = array(
+ JSON_ERROR_DEPTH => 'Maximum stack depth exceeded',
+ JSON_ERROR_STATE_MISMATCH => 'Invalid or malformed JSON',
+ JSON_ERROR_CTRL_CHAR => 'Unexpected control character found',
+ JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON',
+ JSON_ERROR_UTF8 => 'Malformed UTF-8 characters' //PHP >= 5.3.3
+ );
+ throw new DomainException(
+ isset($messages[$errno])
+ ? $messages[$errno]
+ : 'Unknown JSON error: ' . $errno
+ );
+ }
+
+ /**
+ * Get the number of bytes in cryptographic strings.
+ *
+ * @param string
+ *
+ * @return int
+ */
+ private static function safeStrlen($str)
+ {
+ if (function_exists('mb_strlen')) {
+ return mb_strlen($str, '8bit');
+ }
+ return strlen($str);
+ }
+}
diff --git a/plugins/kolab_sso/lib/Firebase/JWT/SignatureInvalidException.php b/plugins/kolab_sso/lib/Firebase/JWT/SignatureInvalidException.php
new file mode 100644
index 00000000..27332b21
--- /dev/null
+++ b/plugins/kolab_sso/lib/Firebase/JWT/SignatureInvalidException.php
@@ -0,0 +1,7 @@
+