Skip to content

[Web] Add User ACL to manage SOGo access #7129

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
FreddleSpl0it wants to merge 1 commit into
base: staging
Choose a base branch
from
Open

[Web] Add User ACL to manage SOGo access #7129

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion data/conf/phpfpm/crons/keycloak-sync.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ function logMsg($priority, $message, $task = "Keycloak Sync") {
$_SESSION['acl']['quarantine_notification'] = "1";
$_SESSION['acl']['quarantine_category'] = "1";
$_SESSION['acl']['ratelimit'] = "1";
$_SESSION['acl']['sogo_access'] = "1";
$_SESSION['acl']['sogo_redirection'] = "1";
$_SESSION['acl']['protocol_access'] = "1";
$_SESSION['acl']['mailbox_relayhost'] = "1";
$_SESSION['acl']['unlimited_quota'] = "1";
Expand Down
2 changes: 1 addition & 1 deletion data/conf/phpfpm/crons/ldap-sync.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ function logMsg($priority, $message, $task = "LDAP Sync") {
$_SESSION['acl']['quarantine_notification'] = "1";
$_SESSION['acl']['quarantine_category'] = "1";
$_SESSION['acl']['ratelimit'] = "1";
$_SESSION['acl']['sogo_access'] = "1";
$_SESSION['acl']['sogo_redirection'] = "1";
$_SESSION['acl']['protocol_access'] = "1";
$_SESSION['acl']['mailbox_relayhost'] = "1";
$_SESSION['acl']['unlimited_quota'] = "1";
Expand Down
14 changes: 7 additions & 7 deletions data/web/api/openapi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -754,7 +754,7 @@ paths:
- syncjobs
- quarantine
- login_as
- sogo_access
- sogo_redirection
- app_passwds
- bcc_maps
- pushover
Expand Down Expand Up @@ -807,7 +807,7 @@ paths:
- syncjobs
- quarantine
- login_as
- sogo_access
- sogo_redirection
- app_passwds
- bcc_maps
- pushover
Expand Down Expand Up @@ -3423,7 +3423,7 @@ paths:
- info@domain2.tld
- domain3.tld
- "*"
sogo_access: "1"
sogo_redirection: "1"
username:
- info@domain.tld
tags: ["tag3", "tag4"]
Expand Down Expand Up @@ -3474,7 +3474,7 @@ paths:
- info@domain2.tld
- domain3.tld
- "*"
sogo_access: "1"
sogo_redirection: "1"
tags: ["tag3", "tag4"]
items:
- info@domain.tld
Expand Down Expand Up @@ -3506,7 +3506,7 @@ paths:
sender_acl:
description: list of allowed send from addresses
type: object
sogo_access:
sogo_redirection:
description: is access to SOGo webmail active or not
type: boolean
type: object
Expand Down Expand Up @@ -4883,7 +4883,7 @@ paths:
force_pw_update: "0"
mailbox_format: "maildir:"
quarantine_notification: never
sogo_access: "1"
sogo_redirection: "1"
tls_enforce_in: "0"
tls_enforce_out: "0"
domain: doman3.tld
Expand Down Expand Up @@ -5807,7 +5807,7 @@ paths:
force_pw_update: "0"
mailbox_format: "maildir:"
quarantine_notification: never
sogo_access: "1"
sogo_redirection: "1"
tls_enforce_in: "0"
tls_enforce_out: "0"
custom_attributes: {}
Expand Down
9 changes: 9 additions & 0 deletions data/web/inc/functions.acl.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,12 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
);
continue;
}
$sogo_acl_changed = false;
foreach ($set_acls as $set_acl_key => $set_acl_val) {
// Track if sogo_access ACL changed
if ($set_acl_key == 'sogo_access' && $is_now[$set_acl_key] != $set_acl_val) {
$sogo_acl_changed = true;
}
$stmt = $pdo->prepare("UPDATE `user_acl` SET " . $set_acl_key . " = " . intval($set_acl_val) . "
WHERE `username` = :username");
$stmt->execute(array(
Expand All @@ -60,6 +65,10 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
'msg' => array('acl_saved', $username)
);
// Update SOGo static view if sogo_access ACL changed
if ($sogo_acl_changed) {
update_sogo_static_view($username);
}
}
break;
case 'domainadmin':
Expand Down
43 changes: 37 additions & 6 deletions data/web/inc/functions.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -940,8 +940,12 @@ function update_sogo_static_view($mailbox = null) {

$mailbox_exists = false;
if ($mailbox !== null) {
// Check if the mailbox exists
$stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'");
// Check if the mailbox exists and should have SOGo access
$stmt = $pdo->prepare("SELECT m.username FROM mailbox m
LEFT JOIN user_acl u ON m.username = u.username
WHERE m.username = :mailbox
AND m.active = '1'
AND (u.sogo_access IS NULL OR u.sogo_access = 1)");
$stmt->execute(array(':mailbox' => $mailbox));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row){
Expand Down Expand Up @@ -976,8 +980,10 @@ function update_sogo_static_view($mailbox = null) {
LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username
LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username
LEFT OUTER JOIN user_acl ON user_acl.username = mailbox.username
WHERE
mailbox.active = '1'
AND (user_acl.sogo_access IS NULL OR user_acl.sogo_access = 1)
$subquery
ON DUPLICATE KEY UPDATE
`domain` = VALUES(`domain`),
Expand Down Expand Up @@ -1005,7 +1011,27 @@ function update_sogo_static_view($mailbox = null) {
));
}

$stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
if ($mailbox_exists) {
// For single mailbox update, only delete this specific user
$stmt = $pdo->prepare("DELETE FROM _sogo_static_view
WHERE `c_uid` = :mailbox
AND `c_uid` NOT IN (
SELECT m.`username` FROM `mailbox` m
LEFT JOIN `user_acl` u ON m.`username` = u.`username`
WHERE m.`active` = '1'
AND m.`username` = :mailbox2
AND (u.`sogo_access` IS NULL OR u.`sogo_access` = 1)
)");
$stmt->execute(array(':mailbox' => $mailbox, ':mailbox2' => $mailbox));
} else {
// Full cleanup for all users
$stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (
SELECT m.`username` FROM `mailbox` m
LEFT JOIN `user_acl` u ON m.`username` = u.`username`
WHERE m.`active` = '1'
AND (u.`sogo_access` IS NULL OR u.`sogo_access` = 1)
);");
}

flush_memcached();
}
Expand Down Expand Up @@ -3490,9 +3516,14 @@ function set_user_loggedin_session($user) {
session_regenerate_id(true);
$_SESSION['mailcow_cc_username'] = $user;
$_SESSION['mailcow_cc_role'] = 'user';
$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
$_SESSION['sogo-sso-user-allowed'][] = $user;
$_SESSION['sogo-sso-pass'] = $sogo_sso_pass;

acl('to_session');
if (hasACLAccess("sogo_access")) {
$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
$_SESSION['sogo-sso-user-allowed'][] = $user;
$_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
}

unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_methods']);
Expand Down
24 changes: 15 additions & 9 deletions data/web/inc/functions.mailbox.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1101,7 +1101,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$force_tfa = (isset($_data['force_tfa'])) ? intval($_data['force_tfa']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_tfa']);
$tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in']);
$tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out']);
$sogo_access = (isset($_data['sogo_access'])) ? intval($_data['sogo_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_access']);
$sogo_redirection = (isset($_data['sogo_redirection'])) ? intval($_data['sogo_redirection']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_redirection']);
$imap_access = (isset($_data['imap_access'])) ? intval($_data['imap_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['imap_access']);
$pop3_access = (isset($_data['pop3_access'])) ? intval($_data['pop3_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['pop3_access']);
$smtp_access = (isset($_data['smtp_access'])) ? intval($_data['smtp_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['smtp_access']);
Expand All @@ -1123,7 +1123,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
'force_tfa' => strval($force_tfa),
'tls_enforce_in' => strval($tls_enforce_in),
'tls_enforce_out' => strval($tls_enforce_out),
'sogo_access' => strval($sogo_access),
'sogo_redirection' => strval($sogo_redirection),
'imap_access' => strval($imap_access),
'pop3_access' => strval($pop3_access),
'smtp_access' => strval($smtp_access),
Expand Down Expand Up @@ -1314,6 +1314,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$_data['syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
$_data['eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
$_data['sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
$_data['sogo_access'] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
$_data['pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
$_data['quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
$_data['quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
Expand All @@ -1330,6 +1331,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$_data['syncjobs'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_syncjobs']);
$_data['eas_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_eas_reset']);
$_data['sogo_profile_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_profile_reset']);
$_data['sogo_access'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_access']);
$_data['pushover'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pushover']);
$_data['quarantine'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine']);
$_data['quarantine_attachments'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_attachments']);
Expand All @@ -1341,9 +1343,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {

try {
$stmt = $pdo->prepare("INSERT INTO `user_acl`
(`username`, `spam_alias`, `tls_policy`, `spam_score`, `spam_policy`, `delimiter_action`, `syncjobs`, `eas_reset`, `sogo_profile_reset`,
(`username`, `spam_alias`, `tls_policy`, `spam_score`, `spam_policy`, `delimiter_action`, `syncjobs`, `eas_reset`, `sogo_profile_reset`, `sogo_access`,
`pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_reset`)
VALUES (:username, :spam_alias, :tls_policy, :spam_score, :spam_policy, :delimiter_action, :syncjobs, :eas_reset, :sogo_profile_reset,
VALUES (:username, :spam_alias, :tls_policy, :spam_score, :spam_policy, :delimiter_action, :syncjobs, :eas_reset, :sogo_profile_reset, :sogo_access,
:pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_reset) ");
$stmt->execute(array(
':username' => $username,
Expand All @@ -1355,6 +1357,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
':syncjobs' => $_data['syncjobs'],
':eas_reset' => $_data['eas_reset'],
':sogo_profile_reset' => $_data['sogo_profile_reset'],
':sogo_access' => $_data['sogo_access'],
':pushover' => $_data['pushover'],
':quarantine' => $_data['quarantine'],
':quarantine_attachments' => $_data['quarantine_attachments'],
Expand Down Expand Up @@ -1735,7 +1738,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attr["rl_value"] = (!empty($_data['rl_value'])) ? $_data['rl_value'] : "";
$attr["force_pw_update"] = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update']);
$attr["force_tfa"] = isset($_data['force_tfa']) ? intval($_data['force_tfa']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_tfa']);
$attr["sogo_access"] = isset($_data['sogo_access']) ? intval($_data['sogo_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_access']);
$attr["sogo_redirection"] = isset($_data['sogo_redirection']) ? intval($_data['sogo_redirection']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_redirection']);
$attr["active"] = isset($_data['active']) ? intval($_data['active']) : 1;
$attr["tls_enforce_in"] = isset($_data['tls_enforce_in']) ? intval($_data['tls_enforce_in']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in']);
$attr["tls_enforce_out"] = isset($_data['tls_enforce_out']) ? intval($_data['tls_enforce_out']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out']);
Expand Down Expand Up @@ -1766,6 +1769,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attr['acl_syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
$attr['acl_eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
$attr['acl_sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
$attr['acl_sogo_access'] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
$attr['acl_pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
$attr['acl_quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
$attr['acl_quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
Expand All @@ -1783,6 +1787,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attr['acl_syncjobs'] = 0;
$attr['acl_eas_reset'] = 0;
$attr['acl_sogo_profile_reset'] = 0;
$attr['acl_sogo_access'] = 0;
$attr['acl_pushover'] = 0;
$attr['acl_quarantine'] = 0;
$attr['acl_quarantine_attachments'] = 0;
Expand Down Expand Up @@ -3103,7 +3108,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
(int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
(int)$force_tfa = (isset($_data['force_tfa'])) ? intval($_data['force_tfa']) : intval($is_now['attributes']['force_tfa']);
(int)$sogo_access = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
(int)$sogo_redirection = (isset($_data['sogo_redirection'])) ? intval($_data['sogo_redirection']) : intval($is_now['attributes']['sogo_redirection']);
(int)$imap_access = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
(int)$pop3_access = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
(int)$smtp_access = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
Expand Down Expand Up @@ -3399,7 +3404,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
`authsource` = :authsource,
`attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
`attributes` = JSON_SET(`attributes`, '$.force_tfa', :force_tfa),
`attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
`attributes` = JSON_SET(`attributes`, '$.sogo_redirection', :sogo_redirection),
`attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
`attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
`attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
Expand All @@ -3417,7 +3422,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
':attribute_hash' => $attribute_hash,
':force_pw_update' => $force_pw_update,
':force_tfa' => $force_tfa,
':sogo_access' => $sogo_access,
':sogo_redirection' => $sogo_redirection,
':imap_access' => $imap_access,
':pop3_access' => $pop3_access,
':sieve_access' => $sieve_access,
Expand Down Expand Up @@ -3789,7 +3794,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attr["rl_frame"] = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame'];
$attr["rl_value"] = (!empty($_data['rl_value'])) ? $_data['rl_value'] : $is_now['rl_value'];
$attr["force_pw_update"] = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : $is_now['force_pw_update'];
$attr["sogo_access"] = isset($_data['sogo_access']) ? intval($_data['sogo_access']) : $is_now['sogo_access'];
$attr["sogo_redirection"] = isset($_data['sogo_redirection']) ? intval($_data['sogo_redirection']) : $is_now['sogo_redirection'];
$attr["active"] = isset($_data['active']) ? intval($_data['active']) : $is_now['active'];
$attr["tls_enforce_in"] = isset($_data['tls_enforce_in']) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
$attr["tls_enforce_out"] = isset($_data['tls_enforce_out']) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out'];
Expand Down Expand Up @@ -3817,6 +3822,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attr['acl_syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
$attr['acl_eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
$attr['acl_sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
$attr['acl_sogo_access'] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
$attr['acl_pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
$attr['acl_quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
$attr['acl_quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
Expand Down
Loading