From c1e8bd75c2c19b4389ad2e9dc81b4cd03406527c Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Thu, 27 Sep 2018 15:04:45 +0200
Subject: [PATCH] krb_authentication: Support per-protocol contexts

---
 plugins/krb_authentication/composer.json | 2 +-
 .../krb_authentication/config.inc.php.dist | 11 +++-
 .../krb_authentication/krb_authentication.php | 66 +++++++++----------
 3 files changed, 43 insertions(+), 36 deletions(-)

diff --git a/plugins/krb_authentication/composer.json b/plugins/krb_authentication/composer.json
index ee835556b..10af7eb35 100644
--- a/plugins/krb_authentication/composer.json
+++ b/plugins/krb_authentication/composer.json
@@ -3,7 +3,7 @@
 "type": "roundcube-plugin",
 "description": "Kerberos Authentication",
 "license": "GPLv3+",
- "version": "1.1",
+ "version": "1.2",
 "authors": [
 {
 "name": "Jeroen van Meeuwen",
diff --git a/plugins/krb_authentication/config.inc.php.dist b/plugins/krb_authentication/config.inc.php.dist
index 63db16943..ae67f89a5 100644
--- a/plugins/krb_authentication/config.inc.php.dist
+++ b/plugins/krb_authentication/config.inc.php.dist
@@ -9,5 +9,12 @@
 // Unlike $config['default_host'] this must be a string!
 $config['krb_authentication_host'] = '';

-// GSS API security context
-$config['krb_authentication_context'] = 'imap/kolab.example.org@EXAMPLE.ORG';
+// GSS API security context.
+// Single value or an array with per-protocol values. Example:
+//
+// $config['krb_authentication_context'] = array(
+// 'imap' => 'imap/host.fqdn@REALM.NAME',
+// 'smtp' => 'smtp/host.fqdn@REALM.NAME',
+// 'sieve' => 'sieve/host.fqdn@REALM.NAME',
+// );
+$config['krb_authentication_context'] = 'host.fqdn@REALM.NAME';
diff --git a/plugins/krb_authentication/krb_authentication.php b/plugins/krb_authentication/krb_authentication.php
index 12ab95b51..95adc771d 100644
--- a/plugins/krb_authentication/krb_authentication.php
+++ b/plugins/krb_authentication/krb_authentication.php
@@ -76,34 +76,28 @@ class krb_authentication extends rcube_plugin
 }

 /**
- * Storage_connect hook handler
+ * login_after hook handler
 */
- function storage_connect($args)
+ function login($args)
 {
- if (!empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
- // Load plugin's config file
- $this->load_config();
-
- $rcmail = rcmail::get_instance();
- $context = $rcmail->config->get('krb_authentication_context');
-
- $args['gssapi_context'] = $context ?: 'imap/kolab.example.org@EXAMPLE.ORG';
- $args['gssapi_cn'] = $_SERVER['KRB5CCNAME'];
- $args['auth_type'] = 'GSSAPI';
+ // Redirect to the previous QUERY_STRING
+ if ($this->redirect_query) {
+ header('Location: ./?' . $this->redirect_query);
+ exit;
 }

 return $args;
 }

 /**
- * login_after hook handler
+ * Storage_connect hook handler
 */
- function login($args)
+ function storage_connect($args)
 {
- // Redirect to the previous QUERY_STRING
- if ($this->redirect_query) {
- header('Location: ./?' . $this->redirect_query);
- exit;
+ if (!empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
+ $args['gssapi_context'] = $this->gssapi_context('imap');
+ $args['gssapi_cn'] = $_SERVER['KRB5CCNAME'];
+ $args['auth_type'] = 'GSSAPI';
 }

 return $args;
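Review bot: `storage_connect()` switches `auth_type` to GSSAPI whenever `REMOTE_USER` and `KRB5CCNAME` are set, whereas `managesieve_connect()` and `smtp_connect()` in the next hunk only do so when no other auth type was requested. If the unconditional override for IMAP is intended, a comment such as `// IMAP always uses GSSAPI when a Kerberos credential cache is available` above the `if` would record that. Otherwise the same `!isset($args['auth_type']) || $args['auth_type'] == 'GSSAPI'` guard belongs here, so an explicitly configured IMAP mechanism is not silently replaced. The rest of the hunk is a reordering of `login()` and `storage_connect()` with no other new logic visible.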
@@ -115,37 +109,43 @@ class krb_authentication extends rcube_plugin
 function managesieve_connect($args)
 {
 if ((!isset($args['auth_type']) || $args['auth_type'] == 'GSSAPI') && !empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
- // Load plugin's config file
- $this->load_config();
-
- $rcmail = rcmail::get_instance();
- $context = $rcmail->config->get('krb_authentication_context');
-
- $args['gssapi_context'] = $context ?: 'imap/kolab.example.org@EXAMPLE.ORG';
+ $args['gssapi_context'] = $this->gssapi_context('sieve');
 $args['gssapi_cn'] = $_SERVER['KRB5CCNAME'];
 $args['auth_type'] = 'GSSAPI';
 }

 return $args;
 }
-
+
 /**
 * smtp_connect hook handler
 */
 function smtp_connect($args)
 {
 if ((!isset($args['smtp_auth_type']) || $args['smtp_auth_type'] == 'GSSAPI') && !empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
- // Load plugin's config file
- $this->load_config();
-
- $rcmail = rcmail::get_instance();
- $context = $rcmail->config->get('krb_authentication_context');
-
- $args['gssapi_context'] = $context ?: 'imap/kolab.example.org@EXAMPLE.ORG';
+ $args['gssapi_context'] = $this->gssapi_context('smtp');
 $args['gssapi_cn'] = $_SERVER['KRB5CCNAME'];
 $args['smtp_auth_type'] = 'GSSAPI';
 }

 return $args;
 }
+
+ /**
+ * Returns configured GSSAPI context string
+ */
+ private function gssapi_context($protocol)
+ {
+ // Load plugin's config file
+ $this->load_config();
+
+ $rcmail = rcmail::get_instance();
+ $context = $rcmail->config->get('krb_authentication_context');
+
+ if (is_array($context)) {
+ $context = $context[$protocol];
+ }
+
+ return $context ?: 'host.fqdn@REALM.NAME';
+ }
 }
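Review bot: In `gssapi_context()`, an array config that lacks the requested protocol key makes `$context[$protocol]` read an undefined index, and the method then returns the placeholder `'host.fqdn@REALM.NAME'`. A partial or mistyped configuration therefore leads to a GSSAPI attempt against a principal nobody configured, instead of a visible configuration error. Guard the lookup with `$context = isset($context[$protocol]) ? $context[$protocol] : null;` and consider logging when the result is empty rather than substituting the placeholder. The docblock could also gain `@param string $protocol Protocol name (imap, smtp, sieve)` and `@return string GSSAPI context`.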