From 472138ce2e0015883653f8599d5faa04f0dc7838 Mon Sep 17 00:00:00 2001
From: "Aleksander Machniak (Kolab Systems)" <machniak@kolabsys.com>
Date: Tue, 20 Sep 2011 10:56:08 +0200
Subject: [PATCH] - kolab_auth initial commit

---
 plugins/kolab_auth/config.inc.php.dist    |  31 ++
 plugins/kolab_auth/kolab_auth.php         | 333 ++++++++++++++++++++++
 plugins/kolab_auth/localization/en_US.inc |   5 +
 plugins/kolab_auth/localization/pl_PL.inc |   5 +
 4 files changed, 374 insertions(+)
 create mode 100644 plugins/kolab_auth/config.inc.php.dist
 create mode 100644 plugins/kolab_auth/kolab_auth.php
 create mode 100644 plugins/kolab_auth/localization/en_US.inc
 create mode 100644 plugins/kolab_auth/localization/pl_PL.inc

diff --git a/plugins/kolab_auth/config.inc.php.dist b/plugins/kolab_auth/config.inc.php.dist
new file mode 100644
index 00000000..b874d258
--- /dev/null
+++ b/plugins/kolab_auth/config.inc.php.dist
@@ -0,0 +1,31 @@
+<?php
+
+// The id of the LDAP address book (which refers to the $rcmail_config['ldap_public'])
+// or complete addressbook definition array.
+$rcmail_config['kolab_auth_addressbook'] = '';
+
+// This will overwrite defined filter
+$rcmail_config['kolab_auth_filter'] = '(&(objectClass=kolabInetOrgPerson)(|(uid=%u)(mail=%fu)(alias=%fu)))';
+
+// Use this fields (from fieldmap configuration) to get authentication ID
+$rcmail_config['kolab_auth_login'] = 'email';
+
+// Use this fields (from fieldmap configuration) for default identity
+$rcmail_config['kolab_auth_name']  = 'name';
+$rcmail_config['kolab_auth_alias'] = 'alias';
+$rcmail_config['kolab_auth_email'] = 'email';
+
+// Login and password of the admin user. Enables "Login As" feature.
+$rcmail_config['kolab_auth_admin_login']    = '';
+$rcmail_config['kolab_auth_admin_password'] = '';
+
+// Administrative role field (from fieldmap configuration) which must be filled with
+// specified value which adds privilege to login as another user.
+$rcmail_config['kolab_auth_role']       = '';
+$rcmail_config['kolab_auth_role_value'] = '';
+
+// Administrative group name to which user must be assigned to
+// which adds privilege to login as another user.
+$rcmail_config['kolab_auth_group'] = '';
+
+?>
diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
new file mode 100644
index 00000000..0b7ba1d0
--- /dev/null
+++ b/plugins/kolab_auth/kolab_auth.php
@@ -0,0 +1,333 @@
+<?php
+
+/**
+ * Kolab Authentication (based on ldap_authentication plugin)
+ *
+ * Authenticates on LDAP server, finds canonized authentication ID for IMAP
+ * and for new users creates identity based on LDAP information.
+ *
+ * Supports impersonate feature (login as another user). To use this feature
+ * imap_auth_type/smtp_auth_type must be set to DIGEST-MD5 or PLAIN.
+ *
+ * @version 0.1
+ * @author Aleksander Machniak <machniak@kolabsys.com>
+ *
+ * Copyright (C) 2011, Kolab Systems AG
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+class kolab_auth extends rcube_plugin
+{
+    private $ldap;
+    private $data = array();
+
+	public function init()
+	{
+		$this->add_hook('authenticate', array($this, 'authenticate'));
+		$this->add_hook('user_create', array($this, 'user_create'));
+
+        // Hooks related to "Login As" feature
+		$this->add_hook('template_object_loginform', array($this, 'login_form'));
+		$this->add_hook('imap_connect', array($this, 'imap_connect'));
+		$this->add_hook('managesieve_connect', array($this, 'imap_connect'));
+		$this->add_hook('smtp_connect', array($this, 'smtp_connect'));
+	}
+
+    /**
+     * Sets defaults for new user.
+     */
+	public function user_create($args)
+	{
+		if (!empty($this->data['user_email']))
+    		$args['user_email'] = $this->data['user_email'];
+		if (!empty($this->data['user_name']))
+	    	$args['user_name'] = $this->data['user_name'];
+		if (!empty($this->data['user_alias']))
+	    	$args['user_alias'] = $this->data['user_alias'];
+
+		return $args;
+	}
+
+    /**
+     * Modifies login form adding additional "Login As" field
+     */
+    public function login_form($args)
+    {
+        $this->load_config();
+        $this->add_texts('localization/');
+
+        $rcmail      = rcmail::get_instance();
+        $admin_login = $rcmail->config->get('kolab_auth_admin_login');
+        $group       = $rcmail->config->get('kolab_auth_group');
+        $role_attr   = $rcmail->config->get('kolab_auth_role');
+
+        // Show "Login As" input
+        if (empty($admin_login) || (empty($group) && empty($role_attr))) {
+            return $args;
+        }
+
+        $input = new html_inputfield(array('name' => '_loginas', 'id' => 'rcmloginas',
+            'type' => 'text', 'autocomplete' => 'off'));
+        $row = html::tag('tr', null,
+            html::tag('td', 'title', html::label('rcmloginas', Q($this->gettext('loginas'))))
+            . html::tag('td', 'input', $input->show(trim(get_input_value('_loginas', RCUBE_INPUT_POST))))
+        );
+        $args['content'] = preg_replace('/<\/tbody>/i', $row . '</tbody>', $args['content']);
+
+        return $args;
+    }
+
+    /**
+     * Find user credentials In LDAP.
+     */
+    public function authenticate($args)
+    {
+        $this->load_config();
+
+        if (!$this->init_ldap()) {
+            return $args;
+        }
+
+        $rcmail      = rcmail::get_instance();
+        $admin_login = $rcmail->config->get('kolab_auth_admin_login');
+        $login_attr  = $rcmail->config->get('kolab_auth_login');
+        $alias_attr  = $rcmail->config->get('kolab_auth_alias');
+        $name_attr   = $rcmail->config->get('kolab_auth_name');
+
+        // get username and host
+        $host    = rcube_parse_host($args['host']);
+        $user    = $args['user'];
+        $pass    = $args['pass'];
+        $loginas = trim(get_input_value('_loginas', RCUBE_INPUT_POST));
+
+        if (empty($user) || empty($pass)) {
+            return $args;
+        }
+
+        // Find user record in LDAP
+        $record = $this->get_user_record($user, $host);
+
+        if (empty($record)) {
+            return $args;
+        }
+
+        // Login As...
+        if (!empty($loginas) && $admin_login) {
+            // Authenticate to LDAP
+            $dn     = $this->ldap->dn_decode($record['ID']);
+            $result = $this->ldap->bind($dn, $pass);
+
+            if (!$result) {
+                return $args;
+            }
+
+            // check if the original user has/belongs to administrative role/group
+            $isadmin   = false;
+            $group     = $rcmail->config->get('kolab_auth_group');
+            $role_attr = $rcmail->config->get('kolab_auth_role');
+            $role_dn   = $rcmail->config->get('kolab_auth_role_value');
+
+            // check role attribute
+            if (!empty($role_attr) && !empty($role_dn) && !empty($record[$role_attr])) {
+                $role_dn = $this->parse_vars($role_dn, $user, $host);
+                foreach ((array)$record[$role_attr] as $role) {
+                    if ($role == $role_dn) {
+                        $isadmin = true;
+                        break;
+                    }
+                }
+            }
+
+            // check group
+            if (!$isadmin && !empty($group)) {
+                $groups = $this->ldap->get_record_groups($record['ID']);
+                foreach ($groups as $g) {
+                    if ($group == $this->ldap->dn_decode($g)) {
+                        $isadmin = true;
+                        break;
+                    }
+                }
+
+            }
+
+            // Save original user login for log (see below)
+            if ($login_attr)
+                $origname = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
+            else
+                $origname = $user;
+
+            $record = null;
+
+            // user has the privilage, get "login as" user credentials
+            if ($isadmin) {
+                $record = $this->get_user_record($loginas, $host);
+            }
+
+            if (empty($record)) {
+                $args['valid'] = false;
+                return $args;
+            }
+
+            $args['user'] = $loginas;
+            // Mark session to use SASL proxy for IMAP authentication
+            $_SESSION['kolab_auth_admin'] = true;
+        }
+
+        // Set credentials
+        if ($record) {
+            if ($login_attr)
+                $this->data['user_login'] = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
+            if ($alias_attr)
+                $this->data['user_alias'] = is_array($record[$alias_attr]) ? $record[$alias_attr][0] : $record[$alias_attr];
+            if ($name_attr)
+                $this->data['user_name'] = is_array($record[$name_attr]) ? $record[$name_attr][0] : $record[$name_attr];
+
+            if ($this->data['user_login'])
+                $args['user'] = $this->data['user_login'];
+        }
+
+        // Log "Login As" usage
+        if (!empty($origname)) {
+            write_log('userlogins', sprintf('Admin login for %s by %s from %s',
+                $args['user'], $origname, rcmail_remote_ip()));
+        }
+
+        return $args;
+    }
+
+    /**
+     * Sets SASL Proxy login/password for IMAP and Managesieve auth
+     */
+    public function imap_connect($args)
+    {
+        if (!empty($_SESSION['kolab_auth_admin'])) {
+            $this->load_config();
+
+            $rcmail      = rcmail::get_instance();
+            $admin_login = $rcmail->config->get('kolab_auth_admin_login');
+            $admin_pass  = $rcmail->config->get('kolab_auth_admin_password');
+
+            $args['auth_cid'] = $admin_login;
+            $args['auth_pw']  = $admin_pass;
+        }
+
+        return $args;
+    }
+
+    /**
+     * Sets SASL Proxy login/password for SMTP auth
+     */
+    public function smtp_connect($args)
+    {
+        if (!empty($_SESSION['kolab_auth_admin'])) {
+            $this->load_config();
+
+            $rcmail      = rcmail::get_instance();
+            $admin_login = $rcmail->config->get('kolab_auth_admin_login');
+            $admin_pass  = $rcmail->config->get('kolab_auth_admin_password');
+
+            $args['options']['smtp_auth_cid'] = $admin_login;
+            $args['options']['smtp_auth_pw']  = $admin_pass;
+        }
+
+        return $args;
+    }
+
+    /**
+     * Initializes LDAP object and connects to LDAP server
+     */
+    private function init_ldap()
+    {
+        if ($this->ldap)
+            return $this->ldap->ready;
+
+        $rcmail = rcmail::get_instance();
+
+        $addressbook = $rcmail->config->get('kolab_auth_addressbook');
+
+        if (!is_array($addressbook)) {
+            $ldap_config = (array)$rcmail->config->get('ldap_public');
+            $addressbook = $ldap_config[$addressbook];
+        }
+
+        if (empty($addressbook)) {
+            return false;
+        }
+
+        $this->ldap = new kolab_auth_ldap_backend(
+            $addressbook,
+            $rcmail->config->get('ldap_debug'),
+            $rcmail->config->mail_domain($_SESSION['imap_host'])
+        );
+
+        return $this->ldap->ready;
+    }
+
+    /**
+     * Fetches user data from LDAP addressbook
+     */
+    private function get_user_record($user, $host)
+    {
+        $rcmail = rcmail::get_instance();
+        $filter = $rcmail->config->get('kolab_auth_filter');
+
+        $filter = $this->parse_vars($filter, $user, $host);
+
+        // reset old result
+        $this->ldap->reset();
+
+        // get record
+        $this->ldap->set_filter($filter);
+        $results = $this->ldap->list_records();
+
+        if (count($results->records) == 1)
+            return $results->records[0];
+    }
+
+    /**
+     * Prepares filter query for LDAP search
+     */
+    private function parse_vars($str, $user, $host)
+    {
+        $rcmail = rcmail::get_instance();
+        $domain = $rcmail->config->get('username_domain');
+
+        if (!empty($domain) && strpos($user, '@') === false) {
+            if (is_array($domain) && isset($domain[$host]))
+                $user .= '@'.rcube_parse_host($domain[$host], $host);
+            else if (is_string($domain))
+                $user .= '@'.rcube_parse_host($domain, $host);
+        }
+
+        // replace variables in filter
+        list($u, $d) = explode('@', $user);
+        $dc = 'dc='.strtr($d, array('.' => ',dc=')); // hierarchal domain string
+        $replaces = array('%dc' => $dc, '%d' => $d, '%fu' => $user, '%u' => $u);
+
+        return strtr($str, $replaces);
+    }
+}
+
+/**
+ * Wrapper class for rcube_ldap addressbook
+ */
+class kolab_auth_ldap_backend extends rcube_ldap
+{
+    function set_filter($filter)
+    {
+        if ($filter)
+            $this->prop['filter'] = $filter;
+    }
+}
diff --git a/plugins/kolab_auth/localization/en_US.inc b/plugins/kolab_auth/localization/en_US.inc
new file mode 100644
index 00000000..e1adb3f2
--- /dev/null
+++ b/plugins/kolab_auth/localization/en_US.inc
@@ -0,0 +1,5 @@
+<?php
+
+$labels['loginas'] = 'Login As';
+
+?>
diff --git a/plugins/kolab_auth/localization/pl_PL.inc b/plugins/kolab_auth/localization/pl_PL.inc
new file mode 100644
index 00000000..785f200e
--- /dev/null
+++ b/plugins/kolab_auth/localization/pl_PL.inc
@@ -0,0 +1,5 @@
+<?php
+
+$labels['loginas'] = 'Zaloguj jako';
+
+?>