Merge #2035

2035: updated roundcube to 1.5.1 and carddav to 4.3.0 r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

updated roundcube to 1.5 and carddav to 4.2.2
also runs cleanup cronjob _once_ at startup

### Related issue(s)

- closes #2031 
- runs cleanup job mentioned in #1702 at startup

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>

docs/compose/docker-compose.yml

@@ -100,6 +100,7 @@ services:
     env_file: .env
     volumes:
       - "$ROOT/webmail:/data"
+      - "$ROOT/overrides/$WEBMAIL:/overrides:ro"
     depends_on:
       - imap
 

docs/compose/traefik/docker-compose.yml

@@ -128,6 +128,7 @@ services:
     env_file: .env
     volumes:
       - "$ROOT/webmail:/data"
+      - "$ROOT/overrides/$WEBMAIL:/overrides:ro"
     depends_on:
       - imap
 

docs/configuration.rst

@@ -263,6 +263,50 @@ The roundcube service stores configurations in a database.
 - ``ROUNDCUBE_DB_USER``: the database user for roundcube service. (when not ``sqlite``)
 - ``ROUNDCUBE_DB_NAME``: the database name for roundcube service. (when not ``sqlite``)
 
+Webmail settings
+----------------
+
+When using roundcube it is possible to select the plugins to be enabled by setting ``ROUNDCUBE_PLUGINS`` to
+a comma separated list of plugin-names. Included plugins are:
+
+- acl (needs configuration)
+- additional_message_headers (needs configuration)
+- archive
+- attachment_reminder
+- carddav
+- database_attachmentsi
+- debug_logger
+- emoticons
+- enigma
+- help
+- hide_blockquote
+- identicon
+- identity_select
+- jqueryui
+- mailu
+- managesieve
+- markasjunk
+- new_user_dialog
+- newmail_notifier
+- reconnect
+- show_additional_headers (needs configuration)
+- subscriptions_option
+- vcard_attachments
+- zipdownload
+
+If ``ROUNDCUBE_PLUGINS`` is not set the following plugins are enabled by default:
+
+- archive
+- carddav
+- enigma
+- mailu
+- managesieve
+- markasjunk
+- zipdownload
+
+To disable all plugins just set ``ROUNDCUBE_PLUGINS`` to ``mailu``.
+
+To configure a plugin add php files named ``*.inc`` to roundcube's :ref:`override section <override-label>`.
 
 Mail log settings
 -----------------

setup/flavors/compose/docker-compose.yml

@@ -147,6 +147,7 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/webmail:/data"
+      - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
     depends_on:
       - imap
   {% endif %}

setup/flavors/stack/docker-compose.yml

@@ -123,6 +123,7 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/webmail:/data"
+      - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
     deploy:
       replicas: 1
     healthcheck:

towncrier/newsfragments/2035.enhancement

@@ -0,0 +1 @@
+updated roundcube to 1.5 and carddav to 4.2.2 using php8

webmails/roundcube/Dockerfile

@@ -1,10 +1,10 @@
-# NOTE: only add file if building for arm
+# NOTE: only add qemu-arm-static if building for arm
 ARG ARCH=""
 ARG QEMU=other
-FROM ${ARCH}php:7.4-apache as build_arm
+FROM ${ARCH}php:8.0-apache as build_arm
 ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
+FROM ${ARCH}php:8.0-apache as build_other
 
-FROM ${ARCH}php:7.4-apache as build_other
 
 FROM build_${QEMU}
 ARG VERSION
@@ -12,25 +12,37 @@ ENV TZ Etc/UTC
 
 LABEL version=$VERSION
 
-#Shared layer between rainloop and roundcube
-RUN apt-get update && apt-get install -y \
-  python3 curl python3-pip git python3-multidict tzdata \
-  && rm -rf /var/lib/apt/lists \
-  && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
-  && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf
+RUN set -eu \
+ && apt update \
+ && echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \
+ && apt install -y --no-install-recommends \
+      python3 curl python3-pip git python3-multidict \
+      python3-jinja2 gpg tzdata \
+ && pip3 install socrate \
+ && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
+ && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+ && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
+\
+ && mark="$(apt-mark showmanual)" \
+ && apt install -y --no-install-recommends \
+      libfreetype6-dev libicu-dev libjpeg62-turbo-dev libldap2-dev libmagickwand-dev \
+      libpng-dev libpq-dev libsqlite3-dev libzip-dev libpspell-dev libonig-dev \
+ && ln -s php.ini-production /usr/local/etc/php/php.ini \
+ && docker-php-ext-configure gd --with-jpeg --with-freetype \
+ && docker-php-ext-install exif gd intl zip pspell pdo_mysql pdo_pgsql pdo_sqlite \
+ && pecl install imagick \
+ && docker-php-ext-enable imagick opcache \
+ && apt-mark auto '.*' >/dev/null \
+ && apt-mark manual ${mark} >/dev/null \
+ && ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so | awk '/=>/ { print $3 }' | sort -u | \
+    xargs -r dpkg-query -S | cut -d: -f1 | sort -u | xargs -r apt-mark manual >/dev/null \
+ && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+ && rm -rf /var/lib/apt/lists
 
-# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
-RUN pip3 install socrate
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz
+ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.3.0/carddav-v4.3.0.tar.gz
 
-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
-
-ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
-
-RUN apt-get update && apt-get install -y \
-      zlib1g-dev libzip4 libzip-dev libpq-dev \
-      python3-jinja2 \
-      gpg \
- && docker-php-ext-install zip pdo_mysql pdo_pgsql \
+RUN set -eu \
  && rm -rf /var/www/html/ \
  && cd /var/www \
  && curl -sL ${ROUNDCUBE_URL} | tar xz \
@@ -38,27 +50,29 @@ RUN apt-get update && apt-get install -y \
  && mv roundcubemail-* html \
  && mv carddav html/plugins/ \
  && cd html \
- && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
- && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \
- && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
- && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
+ && rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
  && ln -sf index.php /var/www/html/sso.php \
  && ln -sf /dev/stderr /var/www/html/logs/errors.log \
  && chown -R root:root . \
  && chown www-data:www-data logs temp \
  && chmod -R a+rX . \
- && rm -rf /var/lib/apt/lists \
- && a2enmod rewrite deflate expires headers
+ && a2enmod rewrite deflate expires headers \
+ && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
+ && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
+
+# enable database_attachments (and memcache?)
 
-COPY php.ini /php.ini
-COPY config.inc.php /var/www/html/config/
 COPY mailu.php /var/www/html/plugins/mailu/mailu.php
-COPY start.py /start.py
+COPY php.ini /
+COPY config.inc.php /
+COPY start.py /
 
 EXPOSE 80/tcp
-VOLUME ["/data"]
+VOLUME /data
+VOLUME /overrides
 
 CMD /start.py
 
 HEALTHCHECK CMD curl -f -L -H 'User-Agent: health' http://localhost/ || exit 1
-RUN echo $VERSION >> /version
+
+RUN echo $VERSION >> /version

webmails/roundcube/config.inc.php

@@ -3,46 +3,29 @@
 $config = array();
 
 // Generals
-$config['db_dsnw'] = getenv('DB_DSNW');;
+$config['db_dsnw'] = '{{ DB_DSNW }}';
 $config['temp_dir'] = '/tmp/';
-$config['des_key'] = getenv('SECRET_KEY') ? getenv('SECRET_KEY') : trim(file_get_contents(getenv('SECRET_KEY_FILE')));
+$config['des_key'] = '{{ SECRET_KEY }}';
 $config['cipher_method'] = 'AES-256-CBC';
 $config['identities_level'] = 0;
 $config['reply_all_mode'] = 1;
-
-// List of active plugins (in plugins/ directory)
-$config['plugins'] = array(
-    'archive',
-    'zipdownload',
-    'markasjunk',
-    'managesieve',
-    'enigma',
-    'carddav'
-);
-
-$front = getenv('FRONT_ADDRESS') ? getenv('FRONT_ADDRESS') : 'front';
-$imap  = getenv('IMAP_ADDRESS')  ? getenv('IMAP_ADDRESS')  : 'imap';
+$config['log_driver'] = 'stdout';
+$config['zipdownload_selection'] = true;
+$config['enable_spellcheck'] = true;
+$config['spellcheck_engine'] = 'pspell';
 
 // Mail servers
-$config['default_host'] = $front;
+$config['default_host'] = '{{ FRONT_ADDRESS or "front" }}';
 $config['default_port'] = 10143;
-$config['smtp_server'] = $front;
+$config['smtp_server'] = '{{ FRONT_ADDRESS or "front" }}';
 $config['smtp_port'] = 10025;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';
 
 // Sieve script management
-$config['managesieve_host'] = $imap;
+$config['managesieve_host'] = '{{ IMAP_ADDRESS or "imap" }}';
 $config['managesieve_usetls'] = false;
 
-// Customization settings
-if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
-	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
-}
-$config['product_name'] = 'Mailu Webmail';
-array_push($config['plugins'], 'mailu');
-$config['sso_logout_url'] = '/sso/logout';
-
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login
 // from the outter world
@@ -56,11 +39,27 @@ $config['imap_conn_options'] = $ssl_no_check;
 $config['smtp_conn_options'] = $ssl_no_check;
 $config['managesieve_conn_options'] = $ssl_no_check;
 
+// roundcube customization
+$config['product_name'] = 'Mailu Webmail';
+{%- if ADMIN and WEB_ADMIN %}
+$config['support_url'] = '../..{{ WEB_ADMIN }}';
+{%- endif %}
+$config['plugins'] = array({{ PLUGINS }});
+
 // skin name: folder from skins/
 $config['skin'] = 'elastic';
 
-// Enigma gpg plugin
+// configure mailu sso plugin
+$config['sso_logout_url'] = '/sso/logout';
+
+// configure enigma gpg plugin
 $config['enigma_pgp_homedir'] = '/data/gpg';
 
-// Set From header for DKIM signed message delivery reports
+// set From header for DKIM signed message delivery reports
 $config['mdn_use_from'] = true;
+
+// includes
+{%- for inc in INCLUDES %}
+include('{{ inc }}');
+{%- endfor %}
+

webmails/roundcube/healthcheck.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+SCRIPT_NAME=/ping SCRIPT_FILENAME=/ping REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 2>/dev/null | grep -qFx pong

webmails/roundcube/mailu.php

@@ -15,7 +15,14 @@ class mailu extends rcube_plugin
   function startup($args)
   {
     if (empty($_SESSION['user_id'])) {
-        $args['action'] = 'login';
+      $args['action'] = 'login';
+    }
+
+    $ua = $_SERVER['HTTP_USER_AGENT'];
+    $ra = $_SERVER['REMOTE_ADDR'];
+    if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
+      print('OK');
+      exit();
     }
 
     return $args;
@@ -23,10 +30,16 @@ class mailu extends rcube_plugin
 
   function authenticate($args)
   {
-    if (!in_array('HTTP_X_REMOTE_USER', $_SERVER) || !in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+    if (!array_key_exists('HTTP_X_REMOTE_USER', $_SERVER) or !array_key_exists('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+      if ($_SERVER['PHP_SELF'] == '/sso.php') {
         header('HTTP/1.0 403 Forbidden');
-        die();
+        print('mailu sso failure');
+      } else {
+        header('Location: sso.php');
+      }
+      exit();
     }
+
     $args['user'] = $_SERVER['HTTP_X_REMOTE_USER'];
     $args['pass'] = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
 
@@ -36,30 +49,25 @@ class mailu extends rcube_plugin
     return $args;
   }
 
-  function logout($args) {
-    // Redirect to global SSO logout path.
+  // Redirect to global SSO logout path.
+  function logout($args)
+  {
     $this->load_config();
-
     $sso_logout_url = rcmail::get_instance()->config->get('sso_logout_url');
-    header("Location: " . $sso_logout_url, true);
-    exit;
+    header('Location: ' . $sso_logout_url, true);
+    exit();
   }
 
   function login($args)
   {
-      header('Location: index.php');
-      exit();
+    header('Location: index.php');
+    exit();
   }
+
   function login_failed($args)
   {
-      $ua = $_SERVER['HTTP_USER_AGENT'];
-      $ra = $_SERVER['REMOTE_ADDR'];
-      if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
-        echo "OK";
-        exit;
-      }
-      header('Location: sso.php');
-      exit();
+    header('Location: sso.php');
+    exit();
   }
 
 }

webmails/roundcube/start.py

@@ -1,61 +1,105 @@
 #!/usr/bin/python3
 
 import os
-import logging as log
+import logging
 import sys
 from socrate import conf
 import subprocess
+import hmac
 
-log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
+env = os.environ
 
-os.environ["MAX_FILESIZE"] = str(int(int(os.environ.get("MESSAGE_SIZE_LIMIT")) * 0.66 / 1048576))
+logging.basicConfig(stream=sys.stderr, level=env.get("LOG_LEVEL", "WARNING"))
 
-db_flavor = os.environ.get("ROUNDCUBE_DB_FLAVOR", "sqlite")
+# jinja context
+context = {}
+context.update(env)
+
+context["MAX_FILESIZE"] = str(int(int(env.get("MESSAGE_SIZE_LIMIT", "50000000")) * 0.66 / 1048576))
+
+db_flavor = env.get("ROUNDCUBE_DB_FLAVOR", "sqlite")
 if db_flavor == "sqlite":
-    os.environ["DB_DSNW"] = "sqlite:////data/roundcube.db"
+    context["DB_DSNW"] = "sqlite:////data/roundcube.db"
 elif db_flavor == "mysql":
-    os.environ["DB_DSNW"] = "mysql://%s:%s@%s/%s" % (
-        os.environ.get("ROUNDCUBE_DB_USER", "roundcube"),
-        os.environ.get("ROUNDCUBE_DB_PW"),
-        os.environ.get("ROUNDCUBE_DB_HOST", "database"),
-        os.environ.get("ROUNDCUBE_DB_NAME", "roundcube")
+    context["DB_DSNW"] = "mysql://%s:%s@%s/%s" % (
+        env.get("ROUNDCUBE_DB_USER", "roundcube"),
+        env.get("ROUNDCUBE_DB_PW"),
+        env.get("ROUNDCUBE_DB_HOST", "database"),
+        env.get("ROUNDCUBE_DB_NAME", "roundcube")
     )
 elif db_flavor == "postgresql":
-    os.environ["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % (
-        os.environ.get("ROUNDCUBE_DB_USER", "roundcube"),
-        os.environ.get("ROUNDCUBE_DB_PW"),
-        os.environ.get("ROUNDCUBE_DB_HOST", "database"),
-        os.environ.get("ROUNDCUBE_DB_NAME", "roundcube")
+    context["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % (
+        env.get("ROUNDCUBE_DB_USER", "roundcube"),
+        env.get("ROUNDCUBE_DB_PW"),
+        env.get("ROUNDCUBE_DB_HOST", "database"),
+        env.get("ROUNDCUBE_DB_NAME", "roundcube")
     )
 else:
-    print("Unknown ROUNDCUBE_DB_FLAVOR: %s", db_flavor)
+    print(f"Unknown ROUNDCUBE_DB_FLAVOR: {db_flavor}", file=sys.stderr)
     exit(1)
 
-conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini")
+# derive roundcube secret key
+secret_key = env.get("SECRET_KEY")
+if not secret_key:
+    try:
+        secret_key = open(env.get("SECRET_KEY_FILE"), "r").read().strip()
+    except Exception as exc:
+        print(f"Can't read SECRET_KEY from file: {exc}", file=sys.stderr)
+        exit(2)
 
-# Create dirs, setup permissions
+context['SECRET_KEY'] = hmac.new(bytearray(secret_key, 'utf-8'), bytearray('ROUNDCUBE_KEY', 'utf-8'), 'sha256').hexdigest()
+
+# roundcube plugins
+# (using "dict" because it is ordered and "set" is not)
+plugins = dict((p, None) for p in env.get("ROUNDCUBE_PLUGINS", "").replace(" ", "").split(",") if p and os.path.isdir(os.path.join("/var/www/plugins", p)))
+if plugins:
+    plugins["mailu"] = None
+else:
+    plugins = dict((k, None) for k in ["archive", "zipdownload", "markasjunk", "managesieve", "enigma", "carddav", "mailu"])
+
+context["PLUGINS"] = ",".join(f"'{p}'" for p in plugins)
+
+# add overrides
+context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else []
+
+# create config files
+conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini")
+conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
+
+# create dirs
 os.system("mkdir -p /data/gpg")
 
+print("Initializing database")
 try:
-    print("Initializing database")
     result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"],
                                      stderr=subprocess.STDOUT)
     print(result.decode())
-except subprocess.CalledProcessError as e:
-    if "already exists" in e.stdout.decode():
+except subprocess.CalledProcessError as exc:
+    err = exc.stdout.decode()
+    if "already exists" in err:
         print("Already initialzed")
     else:
-        print(e.stdout.decode())
-        quit(1)
+        print(err)
+        exit(3)
 
+print("Upgrading database")
 try:
-    print("Upgrading database")
     subprocess.check_call(["/var/www/html/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT)
-except subprocess.CalledProcessError as e:
-    quit(1)
+except subprocess.CalledProcessError as exc:
+    exit(4)
+else:
+    print("Cleaning database")
+    try:
+        subprocess.check_call(["/var/www/html/bin/cleandb.sh"], stderr=subprocess.STDOUT)
+    except subprocess.CalledProcessError as exc:
+        exit(5)
 
-# Setup database permissions
+# setup permissions
 os.system("chown -R www-data:www-data /data")
 
-# Run apache
-os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])
+# clean env
+[env.pop(key, None) for key in env.keys() if key == "SECRET_KEY" or key.startswith("ROUNDCUBE_")]
+
+# run apache
+os.execve("/usr/local/bin/apache2-foreground", ["apache2-foreground"], env)
+