From b4298bc0965b7944a6bc3e73ae170bbe829ca412 Mon Sep 17 00:00:00 2001
From: neilmunday
Date: Sat, 17 Feb 2018 00:04:44 +0000
Subject: [PATCH 1/3] Added GSSAPI support for issue #5779 - requires updated Net_Sieve class. See https://github.com/neilmunday/Net_Sieve/Sieve.php
---
 plugins/managesieve/Changelog | 1 +
 plugins/managesieve/lib/Roundcube/rcube_sieve.php | 7 ++++++-
 plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 4 +++-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog
index 7bb5883fe..e63820dc7 100644
--- a/plugins/managesieve/Changelog
+++ b/plugins/managesieve/Changelog
@@ -1,3 +1,4 @@
+- Added GSSAPI support(#5779) - requires updated Net_Sieve class
 - Added option managesieve_default_headers
 - Added option managesieve_forward to enable settings dialog for simple forwarding (#6021)
 - Support filter action with custom IMAP flags (#6011)
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve.php b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
index 0cc8769d0..0933b5f6a 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
@@ -59,10 +59,11 @@ class rcube_sieve
 * @param string Proxy authentication identifier
 * @param string Proxy authentication password
 * @param array List of options to pass to stream_context_create().
+ * @param string Kerberos service principal to use with GSSAPI authentication method
 */
 public function __construct($username, $password='', $host='localhost', $port=2000,
 $auth_type=null, $usetls=true, $disabled=array(), $debug=false,
- $auth_cid=null, $auth_pw=null, $options=array())
+ $auth_cid=null, $auth_pw=null, $options=array(), $servicePrincipal=null)
 {
 $this->sieve = new Net_Sieve();
@@ -70,6 +71,10 @@ class rcube_sieve
 $this->sieve->setDebug(true, array($this, 'debug_handler'));
 }
+ if (isset($servicePrincipal)) {
+ $this->sieve->setServicePrincipal($servicePrincipal);
+ }
+
 $result = $this->sieve->connect($host, $port, $options, $usetls);
 if (is_a($result, 'PEAR_Error')) {
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index 90f98f9fa..a0f66b93d 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -196,6 +196,7 @@ class rcube_sieve_engine
 'auth_cid' => $this->rc->config->get('managesieve_auth_cid'),
 'auth_pw' => $this->rc->config->get('managesieve_auth_pw'),
 'socket_options' => $this->rc->config->get('managesieve_conn_options'),
+ 'service_principal' => $this->rc->config->get('krb_authentication_context')
 ));
 // Handle per-host socket options
@@ -213,7 +214,8 @@ class rcube_sieve_engine
 $plugin['debug'],
 $plugin['auth_cid'],
 $plugin['auth_pw'],
- $plugin['socket_options']
+ $plugin['socket_options'],
+ $plugin['service_principal']
 );
 $error = $this->sieve->error();
From 7abcc5a2ccb3c11b82d27978d015ee85ca148108 Mon Sep 17 00:00:00 2001
From: neilmunday
Date: Mon, 26 Feb 2018 23:21:23 +0000
Subject: [PATCH 2/3] Added hook for managesieve_connect to set up GSSAPI authentication
---
 .../krb_authentication/krb_authentication.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/plugins/krb_authentication/krb_authentication.php b/plugins/krb_authentication/krb_authentication.php
index 00a323fd3..f0c252c48 100644
--- a/plugins/krb_authentication/krb_authentication.php
+++ b/plugins/krb_authentication/krb_authentication.php
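Review bot: The call `$this->sieve->setServicePrincipal($servicePrincipal)` in the rcube_sieve.php hunk at -70 is unguarded, although the commit message says it needs an updated Net_Sieve. If the installed Net_Sieve predates that method, the constructor would die with an undefined-method fatal error before `connect()` can return a PEAR_Error that the code below checks for. I would guard it with `if (isset($servicePrincipal) && method_exists($this->sieve, 'setServicePrincipal')) {` and report the missing capability through the class's normal error path. The same applies to the `setServicePrincipal` and `setServiceCN` calls in patch 3's hunk at -71 of this file. The constructor body starts and ends outside the hunk.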
@@ -24,6 +24,7 @@ class krb_authentication extends rcube_plugin
 $this->add_hook('authenticate', array($this, 'authenticate'));
 $this->add_hook('login_after', array($this, 'login'));
 $this->add_hook('storage_connect', array($this, 'storage_connect'));
+ $this->add_hook('managesieve_connect', array($this, 'managesieve_connect'));
 }
 /**
@@ -106,4 +107,20 @@ class krb_authentication extends rcube_plugin
 return $args;
 }
+
+
+ /**
+ * managesieve_connect hook handler
+ */
+ function managesieve_connect($args)
+ {
+ if ((!isset($args['auth_type']) || $args['auth_type'] == 'GSSAPI') && !empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
+ $rcmail = rcmail::get_instance();
+ $context = $rcmail->config->get('krb_authentication_context');
+ $args['gssapi_context'] = $context ?: 'imap/kolab.example.org@EXAMPLE.ORG';
+ $args['gssapi_cn'] = $_SERVER['KRB5CCNAME'];
+ $args['auth_type'] = 'GSSAPI';
+ }
+ return $args;
+ }
 }
From 57fa665db1adb25771bb3051205cb7028f859474 Mon Sep 17 00:00:00 2001
From: neilmunday
Date: Mon, 26 Feb 2018 23:22:30 +0000
Subject: [PATCH 3/3] Updated to use latest Net_Sieve Sieve class
---
 plugins/managesieve/lib/Roundcube/rcube_sieve.php | 12 ++++++++----
 .../managesieve/lib/Roundcube/rcube_sieve_engine.php | 6 +++---
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve.php b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
index 0933b5f6a..01b52319f 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
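Review bot: In `managesieve_connect` the fallback `'imap/kolab.example.org@EXAMPLE.ORG'` is a placeholder principal for an IMAP service, yet the handler still forces `auth_type` to `GSSAPI` when `krb_authentication_context` is unset. An unconfigured install would then attempt GSSAPI against a principal that belongs to no local service. The option name and the `imap/` default suggest the setting holds the IMAP principal; whether a ManageSieve server accepts a ticket issued for it depends on that server's keytab, so a separate setting for the sieve principal looks safer. I would drop the hardcoded default and leave the arguments untouched when nothing is configured: `if (empty($context)) { return $args; }`. The method also has no visibility keyword, and its docblock does not say which keys of `$args` it sets (`gssapi_context`, `gssapi_cn`, `auth_type`).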
@@ -59,11 +59,11 @@ class rcube_sieve
 * @param string Proxy authentication identifier
 * @param string Proxy authentication password
 * @param array List of options to pass to stream_context_create().
- * @param string Kerberos service principal to use with GSSAPI authentication method
 */
 public function __construct($username, $password='', $host='localhost', $port=2000,
 $auth_type=null, $usetls=true, $disabled=array(), $debug=false,
- $auth_cid=null, $auth_pw=null, $options=array(), $servicePrincipal=null)
+ $auth_cid=null, $auth_pw=null, $options=array(), $gssapi_principal=null,
+ $gssapi_cname=null)
 {
 $this->sieve = new Net_Sieve();
@@ -71,8 +71,12 @@ class rcube_sieve
 $this->sieve->setDebug(true, array($this, 'debug_handler'));
 }
- if (isset($servicePrincipal)) {
- $this->sieve->setServicePrincipal($servicePrincipal);
+ if (isset($gssapi_principal)) {
+ $this->sieve->setServicePrincipal($gssapi_principal);
+ }
+
+ if (isset($gssapi_cname)) {
+ $this->sieve->setServiceCN($gssapi_cname);
 }
 $result = $this->sieve->connect($host, $port, $options, $usetls);
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index 6b7000939..12e8a0074 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -195,8 +195,7 @@ class rcube_sieve_engine
 'debug' => $this->rc->config->get('managesieve_debug', false),
 'auth_cid' => $this->rc->config->get('managesieve_auth_cid'),
 'auth_pw' => $this->rc->config->get('managesieve_auth_pw'),
- 'socket_options' => $this->rc->config->get('managesieve_conn_options'),
- 'service_principal' => $this->rc->config->get('krb_authentication_context')
+ 'socket_options' => $this->rc->config->get('managesieve_conn_options')
 ));
 // Handle per-host socket options
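Review bot: The docblock in the rcube_sieve.php hunk at -59 loses the `@param` line for the service principal and gains none for the two new arguments, so `$gssapi_principal` and `$gssapi_cname` are undocumented. I would add `@param string Kerberos service principal to use with GSSAPI authentication` and `@param string Kerberos credentials cache name (from KRB5CCNAME), passed to Net_Sieve::setServiceCN()`. The value also changes name along the path: the hook fills `gssapi_cn` from `$_SERVER['KRB5CCNAME']`, the constructor calls it `$gssapi_cname`, and Net_Sieve takes it as a "service CN". Using one name that says it is a credential cache would make it harder to pass the wrong thing. The constructor body continues outside the hunk.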
@@ -215,7 +214,8 @@ class rcube_sieve_engine
 $plugin['auth_cid'],
 $plugin['auth_pw'],
 $plugin['socket_options'],
- $plugin['service_principal']
+ $plugin['gssapi_context'],
+ $plugin['gssapi_cn']
 );
 $error = $this->sieve->error();
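Review bot: `$plugin['gssapi_context']` and `$plugin['gssapi_cn']` are read here, but the hunk at -195 removes `service_principal` from what appears to be the hook's default argument array without adding these two keys. They therefore exist only when a `managesieve_connect` handler, such as the one added to krb_authentication, sets them. With that plugin disabled, or when its condition is false, both reads hit undefined array keys and raise a notice on every connection. Either seed the defaults with `'gssapi_context' => null,` and `'gssapi_cn' => null,`, or read them as `isset($plugin['gssapi_context']) ? $plugin['gssapi_context'] : null`. The constructor call starts outside the hunk.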