From 44d2448412ac4a4587ff2288916b50f03889a3d4 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Mon, 25 Oct 2021 19:21:38 +0000
Subject: [PATCH] Updated SSO logic for webmails. Fixed small bug rate limiting.

---
 core/admin/mailu/internal/views/auth.py | 2 +-
 core/admin/mailu/sso/views/base.py | 16 +++++++++++-----
 core/nginx/conf/nginx.conf | 21 ++++++++++++++-------
 webmails/rainloop/defaults/application.ini | 4 +---
 webmails/roundcube/config.inc.php | 6 +++---
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index c5cd9e28..1afb53b5 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -41,7 +41,7 @@ def nginx_authentication():
 elif is_valid_user:
 utils.limiter.rate_limit_user(username, client_ip)
 else:
- rate_limit_ip(client_ip)
+ utils.limiter.rate_limit_ip(client_ip)
 return response

 @internal.route("/auth/admin")
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index f3d60fd0..cb86e1ab 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
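Review bot: The corrected `utils.limiter.rate_limit_ip(client_ip)` call shows that the unknown-user branch of `nginx_authentication` was raising `NameError` before this patch, so a failed lookup surfaced as a server error and the per-IP counter was never incremented; the one-line fix is right. Since no test file is touched by this patch, a regression test that authenticates an unknown user and asserts the IP limiter was hit would stop this branch from silently breaking again. `nginx_authentication` starts before the hunk, so how `client_ip` and `is_valid_user` are derived is not visible here.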
@@ -11,13 +11,13 @@ def login(): form = forms.LoginForm() endpoint = flask.request.args.get('next', 'ui.index') - if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail': + if str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint != 'ui.webmail': form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')] - elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail': + elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint == 'ui.webmail': form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')] - elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE': + elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() == 'FALSE': form.target.choices = [('Webmail', 'Webmail')] - elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE': + elif str(app.config['WEBMAIL']).upper() == 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE': form.target.choices = [('Admin', 'Admin')] if form.validate_on_submit(): @@ -36,4 +36,10 @@ def login(): client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.') return flask.render_template('login.html', form=form, endpoint=endpoint) - \ No newline at end of file + +@sso.route('/logout', methods=['GET']) +@access.authenticated +def logout(): + flask_login.logout_user() + flask.session.destroy() + return flask.redirect(flask.url_for('.login')) \ No newline at end of file diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index 81202ef0..e5fed3df 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf 
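Review bot: The new `ADMIN` checks test `.upper() != 'FALSE'`, so an unset ADMIN (`str(None).upper()` is `'NONE'`) or any non-boolean value offers the Admin target, while nginx.conf in this same patch gates the admin block on `ADMIN == 'true'`; comparing `== 'TRUE'` (and `!= 'TRUE'`) would keep the two in step. Note that the old `.upper` without parentheses compared a bound method to a string, which made every `!= 'NONE'` test unconditionally true, so this is the first time these four branches actually discriminate — a test per WEBMAIL/ADMIN combination is warranted. The repeated expressions would also read better computed once, e.g. `webmail_on = str(app.config['WEBMAIL']).upper() != 'NONE'` and `admin_on = str(app.config['ADMIN']).upper() == 'TRUE'`, with the chain branching on those. `login` continues past the hunk.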
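Review bot: `logout` is reachable over GET, so any third-party page can end a user's session with a cross-origin `<img src=".../sso/ui/logout">`; the webmail logout links added in this patch are plain links, which explains the choice, but restricting the route to POST, or checking the CSRF token on GET, is the usual hardening. `flask.session.destroy()` is not provided by Flask's default session object, so this only works if the application installs a session interface that defines it, which is not visible here; a comment such as `# session.destroy() comes from the app's custom session interface, not Flask's default — drops server-side state, confirm` would document that dependency. A log line on logout, mirroring the failed-login warning just above, would also help when reviewing access logs.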
@@ -146,6 +146,12 @@ http { rewrite /sso/static/(.*) /static/$1 permanent; } + location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout { + include /etc/nginx/proxy.conf; + rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break; + proxy_pass http://$admin; + } + location ^~ /ui/language { include /etc/nginx/proxy.conf; proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }}; @@ -183,11 +189,12 @@ http { rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break; {% endif %} include /etc/nginx/proxy.conf; - client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; - proxy_pass http://$webmail; - {% if ADMIN == 'true' %} + client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; auth_request /internal/auth/user; + auth_request_set $user $upstream_http_x_user; + auth_request_set $token $upstream_http_x_user_token; error_page 403 @webmail_login; + proxy_pass http://$webmail; } location {{ WEB_WEBMAIL }}/sso.php { @@ -202,16 +209,16 @@ http { auth_request_set $token $upstream_http_x_user_token; proxy_set_header X-Remote-User $user; proxy_set_header X-Remote-User-Token $token; - proxy_pass http://$webmail; error_page 403 @webmail_login; + proxy_pass http://$webmail; } - location @webmail_login { - return 302 {{ WEB_ADMIN }}/sso/login?next=ui.webmail; + location @webmail_login { + return 302 /sso/login?next=ui.webmail; } {% else %} } - {% endif %}{% endif %} + {% endif %} {% if ADMIN == 'true' %} location {{ WEB_ADMIN }} { return 301 {{ WEB_ADMIN }}/ui; diff --git a/webmails/rainloop/defaults/application.ini b/webmails/rainloop/defaults/application.ini index 0504f174..2e266235 100644 --- a/webmails/rainloop/defaults/application.ini +++ b/webmails/rainloop/defaults/application.ini @@ -8,10 +8,8 @@ allow_admin_panel = Off [labs] allow_gravatar = Off -{% if ADMIN == "true" %} custom_login_link='sso.php' -custom_logout_link='{{ WEB_ADMIN }}/ui/logout' -{% endif %} +custom_logout_link='sso/ui/logout' [contacts] enable = On 
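Review bot: `location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout` renders as `//sso/ui/logout` when WEB_WEBMAIL is `/`, a case the `{% endif %}` after the webmail rewrite in the next hunk suggests the template handles elsewhere, and a prefix location containing `//` will not match a request URI that nginx has already slash-merged; the same guard, or a prefix built without the doubled slash, is needed here. Because `^~` is a prefix match, anything under `.../sso/ui/logout/...` also lands in this block but is proxied to `$admin` unrewritten, since the rewrite is anchored with `$`; `location = {{ WEB_WEBMAIL }}/sso/ui/logout {` makes the intent exact.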
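Review bot: `$user` and `$token` are captured from the auth subrequest here, but nothing in this location sets `X-Remote-User` or `X-Remote-User-Token` on the upstream request — those headers are only set in the `sso.php` location below. If the webmail honours those headers on other paths, a client-supplied `X-Remote-User` would reach `$webmail` unchanged (proxy.conf's contents are not visible here); adding `proxy_set_header X-Remote-User $user;` and `proxy_set_header X-Remote-User-Token $token;` in this location too, or clearing them with an empty value, guarantees the backend only ever sees nginx-set values. If the variables are intentionally unused here, dropping the two `auth_request_set` lines removes the ambiguity. The enclosing `location` opens above the hunk.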
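Review bot: The `{% else %}` and `}` lines survive as context while the `{% if ADMIN == 'true' %}` they belonged to is removed in the previous hunk and one `{% endif %}` is dropped here, so that else branch now pairs with whichever enclosing `{% if %}` opens above this hunk. If that is the guard that enables the webmail block at all, the rendered config gains an unmatched `}` whenever webmail is disabled and nginx will refuse to start; unless the outer condition genuinely needs a closing brace in its false branch, `{% else %}` and its `}` should be removed along with the ADMIN conditional. Rendering the template once with WEBMAIL=none and ADMIN=false would settle it.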
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php index 797f229c..3b474795 100644 --- a/webmails/roundcube/config.inc.php +++ b/webmails/roundcube/config.inc.php @@ -37,11 +37,11 @@ $config['managesieve_usetls'] = false; // Customization settings if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) { - array_push($config['plugins'], 'mailu'); - $config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : ''; - $config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout'; + $config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : ''; } $config['product_name'] = 'Mailu Webmail'; +array_push($config['plugins'], 'mailu'); +$config['sso_logout_url'] = 'sso/ui/logout'; // We access the IMAP and SMTP servers locally with internal names, SSL // will obviously fail but this sounds better than allowing insecure login
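Review bot: `sso_logout_url` is now the relative path `'sso/ui/logout'`, which the browser resolves against the current page URL rather than against WEB_WEBMAIL, so it reaches the nginx `{{ WEB_WEBMAIL }}/sso/ui/logout` location only while Roundcube is served directly under `WEB_WEBMAIL/`; the previous value was built from `getenv('WEB_ADMIN')`, and building it from `getenv('WEB_WEBMAIL')` would keep it independent of the page URL. The `mailu` plugin is also loaded unconditionally now, whereas it was previously tied to ADMIN; if the plugin performs header-based SSO login, a comment such as `// mailu plugin: SSO login/logout glue, required whether or not the admin UI is enabled` would record why the gate was dropped.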