Roundcube: Use Mail-in-a-Box admin API to drive password changes (#92)

* Use Mail-in-a-Box driver
We're using the user's own credentials to authenticate themselves.
There are some issues if we release as-is:
* Only usable if the user in question is an admin
* Cannot be used if the user has 2FA enabled

* daemon: Add selective gatekeeper
* Allows us to give access to features for logged in, non-admin users

* Allow non-admins to change their own password

* Begin password management self service, frontend

* Allow all users to enable 2FA

* Password change front-end form

* Self password change front-end functionality

* Force logout after successful password change

* Clear fields after successful password change, also fix error modal
This commit is contained in:
David Duque 2022-11-07 21:07:37 +00:00 committed by GitHub
parent b961a2b74a
commit 3451dadde5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 192 additions and 115 deletions

View file

@ -56,8 +56,8 @@ app = Flask(__name__,
# Decorator to protect views that require a user with 'admin' privileges.
def authorized_personnel_only(viewfunc):
def authorized_personnel_only(admin = True):
def gatekeeper(viewfunc):
@wraps(viewfunc)
def newview(*args, **kwargs):
@ -68,6 +68,16 @@ def authorized_personnel_only(viewfunc):
try:
email, privs = auth_service.authenticate(request, env)
# Store the email address of the logged in user so it can be accessed
# from the API methods that affect the calling user.
request.user_email = email
request.user_privs = privs
if not admin or "admin" in privs:
return viewfunc(*args, **kwargs)
else:
error = "You are not an administrator."
except ValueError as e:
# Write a line in the log recording the failed login, unless no authorization header
# was given which can happen on an initial request before a 403 response.
@ -77,19 +87,6 @@ def authorized_personnel_only(viewfunc):
# Authentication failed.
error = str(e)
# Authorized to access an API view?
if "admin" in privs:
# Store the email address of the logged in user so it can be accessed
# from the API methods that affect the calling user.
request.user_email = email
request.user_privs = privs
# Call view func.
return viewfunc(*args, **kwargs)
if not error:
error = "You are not an administrator."
# Not authorized. Return a 401 (send auth) and a prompt to authorize by default.
status = 401
headers = {
@ -122,6 +119,8 @@ def authorized_personnel_only(viewfunc):
return newview
return gatekeeper
@app.errorhandler(401)
def unauthorized(error):
@ -213,7 +212,7 @@ def logout():
@app.route('/mail/users')
@authorized_personnel_only
@authorized_personnel_only()
def mail_users():
if request.args.get("format", "") == "json":
return json_response(get_mail_users_ex(env, with_archived=True))
@ -222,7 +221,7 @@ def mail_users():
@app.route('/mail/users/add', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_users_add():
quota = request.form.get('quota', get_default_quota(env))
try:
@ -234,7 +233,7 @@ def mail_users_add():
@app.route('/mail/users/quota', methods=['GET'])
@authorized_personnel_only
@authorized_personnel_only()
def get_mail_users_quota():
email = request.values.get('email', '')
quota = get_mail_quota(email, env)
@ -246,7 +245,7 @@ def get_mail_users_quota():
@app.route('/mail/users/quota', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_users_quota():
try:
return set_mail_quota(request.form.get('email', ''),
@ -256,8 +255,13 @@ def mail_users_quota():
@app.route('/mail/users/password', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only(admin = False)
def mail_users_password():
if "admin" not in request.user_privs:
# Non-admins can only change their own password.
if request.form.get('email', '') != request.user_email:
return ("You are not an administrator; you can only change your own password!", 403)
try:
return set_mail_password(request.form.get('email', ''),
request.form.get('password', ''), env)
@ -266,13 +270,13 @@ def mail_users_password():
@app.route('/mail/users/remove', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_users_remove():
return remove_mail_user(request.form.get('email', ''), env)
@app.route('/mail/users/privileges')
@authorized_personnel_only
@authorized_personnel_only()
def mail_user_privs():
privs = get_mail_user_privileges(request.args.get('email', ''), env)
if isinstance(privs, tuple):
@ -281,7 +285,7 @@ def mail_user_privs():
@app.route('/mail/users/privileges/add', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_user_privs_add():
return add_remove_mail_user_privilege(request.form.get('email', ''),
request.form.get('privilege', ''),
@ -289,7 +293,7 @@ def mail_user_privs_add():
@app.route('/mail/users/privileges/remove', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_user_privs_remove():
return add_remove_mail_user_privilege(request.form.get('email', ''),
request.form.get('privilege', ''),
@ -297,7 +301,7 @@ def mail_user_privs_remove():
@app.route('/mail/aliases')
@authorized_personnel_only
@authorized_personnel_only()
def mail_aliases():
if request.args.get("format", "") == "json":
return json_response(get_mail_aliases_ex(env))
@ -308,7 +312,7 @@ def mail_aliases():
@app.route('/mail/aliases/add', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_aliases_add():
return add_mail_alias(request.form.get('address', ''),
request.form.get('forwards_to', ''),
@ -319,13 +323,13 @@ def mail_aliases_add():
@app.route('/mail/aliases/remove', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def mail_aliases_remove():
return remove_mail_alias(request.form.get('address', ''), env)
@app.route('/mail/domains')
@authorized_personnel_only
@authorized_personnel_only()
def mail_domains():
return "".join(x + "\n" for x in get_mail_domains(env))
@ -334,14 +338,14 @@ def mail_domains():
@app.route('/dns/zones')
@authorized_personnel_only
@authorized_personnel_only()
def dns_zones():
from dns_update import get_dns_zones
return json_response([z[0] for z in get_dns_zones(env)])
@app.route('/dns/update', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def dns_update():
from dns_update import do_dns_update
try:
@ -351,7 +355,7 @@ def dns_update():
@app.route('/dns/secondary-nameserver')
@authorized_personnel_only
@authorized_personnel_only()
def dns_get_secondary_nameserver():
from dns_update import get_custom_dns_config, get_secondary_dns
return json_response({
@ -361,7 +365,7 @@ def dns_get_secondary_nameserver():
@app.route('/dns/secondary-nameserver', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def dns_set_secondary_nameserver():
from dns_update import set_secondary_dns
try:
@ -375,7 +379,7 @@ def dns_set_secondary_nameserver():
@app.route('/dns/custom')
@authorized_personnel_only
@authorized_personnel_only()
def dns_get_records(qname=None, rtype=None):
# Get the current set of custom DNS records.
from dns_update import get_custom_dns_config, get_dns_zones
@ -431,7 +435,7 @@ def dns_get_records(qname=None, rtype=None):
@app.route('/dns/custom/<qname>', methods=['GET', 'POST', 'PUT', 'DELETE'])
@app.route('/dns/custom/<qname>/<rtype>',
methods=['GET', 'POST', 'PUT', 'DELETE'])
@authorized_personnel_only
@authorized_personnel_only()
def dns_set_record(qname, rtype="A"):
from dns_update import do_dns_update, set_custom_dns_record
try:
@ -498,14 +502,14 @@ def dns_set_record(qname, rtype="A"):
@app.route('/dns/dump')
@authorized_personnel_only
@authorized_personnel_only()
def dns_get_dump():
from dns_update import build_recommended_dns
return json_response(build_recommended_dns(env))
@app.route('/dns/zonefile/<zone>')
@authorized_personnel_only
@authorized_personnel_only()
def dns_get_zonefile(zone):
from dns_update import get_dns_zonefile
return Response(get_dns_zonefile(zone, env),
@ -517,7 +521,7 @@ def dns_get_zonefile(zone):
@app.route('/ssl/status')
@authorized_personnel_only
@authorized_personnel_only()
def ssl_get_status():
from ssl_certificates import get_certificates_to_provision
from web_update import get_web_domains_info, get_web_domains
@ -557,7 +561,7 @@ def ssl_get_status():
@app.route('/ssl/csr/<domain>', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def ssl_get_csr(domain):
from ssl_certificates import create_csr
ssl_private_key = os.path.join(
@ -567,7 +571,7 @@ def ssl_get_csr(domain):
@app.route('/ssl/install', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def ssl_install_cert():
from web_update import get_web_domains
from ssl_certificates import install_cert
@ -580,7 +584,7 @@ def ssl_install_cert():
@app.route('/ssl/provision', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def ssl_provision_certs():
from ssl_certificates import provision_certificates
requests = provision_certificates(env, limit_domains=None)
@ -591,7 +595,7 @@ def ssl_provision_certs():
@app.route('/mfa/status', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only(admin = False)
def mfa_get_status():
# Anyone accessing this route is an admin, and we permit them to
# see the MFA status for any user if they submit a 'user' form
@ -599,6 +603,9 @@ def mfa_get_status():
# only provision for themselves.
# user field if given, otherwise the user making the request
email = request.form.get('user', request.user_email)
if "admin" not in request.user_privs and email != request.user_email:
return ("You are not an administrator; you can only view your own MFA status!", 403)
try:
resp = {"enabled_mfa": get_public_mfa_state(email, env)}
if email == request.user_email:
@ -609,7 +616,7 @@ def mfa_get_status():
@app.route('/mfa/totp/enable', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only(admin = False)
def totp_post_enable():
secret = request.form.get('secret')
token = request.form.get('token')
@ -625,13 +632,16 @@ def totp_post_enable():
@app.route('/mfa/disable', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only(admin = False)
def totp_post_disable():
# Anyone accessing this route is an admin, and we permit them to
# disable the MFA status for any user if they submit a 'user' form
# field.
# user field if given, otherwise the user making the request
email = request.form.get('user', request.user_email)
if "admin" not in request.user_privs and email != request.user_email:
return ("You are not an administrator; you can only view your own MFA status!", 403)
try:
result = disable_mfa(email,
request.form.get('mfa-id') or None,
@ -648,14 +658,14 @@ def totp_post_disable():
@app.route('/web/domains')
@authorized_personnel_only
@authorized_personnel_only()
def web_get_domains():
from web_update import get_web_domains_info
return json_response(get_web_domains_info(env))
@app.route('/web/update', methods=['POST'])
@authorized_personnel_only
@authorized_personnel_only()
def web_update():
from web_update import do_web_update
try:
@ -668,7 +678,7 @@ def web_update():
@app.route('/system/version', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def system_version():
from status_checks import what_version_is_this
try:
@ -678,7 +688,7 @@ def system_version():
@app.route('/system/latest-upstream-version', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def system_latest_upstream_version():
from status_checks import get_latest_miab_version
try:
@ -688,7 +698,7 @@ def system_latest_upstream_version():
@app.route('/system/status', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def system_status():
from status_checks import run_checks
@ -736,7 +746,7 @@ def system_status():
@app.route('/system/updates')
@authorized_personnel_only
@authorized_personnel_only()
def show_updates():
from status_checks import list_apt_updates
return "".join("%s (%s)\n" % (p["package"], p["version"])
@ -744,7 +754,7 @@ def show_updates():
@app.route('/system/update-packages', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def do_updates():
utils.shell("check_call", ["/usr/bin/apt-get", "-qq", "update"])
return utils.shell("check_output", ["/usr/bin/apt-get", "-y", "upgrade"],
@ -752,7 +762,7 @@ def do_updates():
@app.route('/system/reboot', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def needs_reboot():
from status_checks import is_reboot_needed_due_to_package_installation
if is_reboot_needed_due_to_package_installation():
@ -762,7 +772,7 @@ def needs_reboot():
@app.route('/system/reboot', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def do_reboot():
# To keep the attack surface low, we don't allow a remote reboot if one isn't necessary.
from status_checks import is_reboot_needed_due_to_package_installation
@ -774,7 +784,7 @@ def do_reboot():
@app.route('/system/backup/status')
@authorized_personnel_only
@authorized_personnel_only()
def backup_status():
from backup import backup_status
try:
@ -784,14 +794,14 @@ def backup_status():
@app.route('/system/backup/config', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def backup_get_custom():
from backup import get_backup_config
return json_response(get_backup_config(env, for_ui=True))
@app.route('/system/backup/config', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def backup_set_custom():
from backup import backup_set_custom
return json_response(
@ -803,7 +813,7 @@ def backup_set_custom():
@app.route('/system/backup/new', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def backup_new():
from backup import perform_backup, get_backup_config
@ -817,14 +827,14 @@ def backup_new():
@app.route('/system/privacy', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def privacy_status_get():
config = utils.load_settings(env)
return json_response(config.get("privacy", True))
@app.route('/system/privacy', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def privacy_status_set():
config = utils.load_settings(env)
config["privacy"] = (request.form.get('value') == "private")
@ -833,7 +843,7 @@ def privacy_status_set():
@app.route('/system/smtp/relay', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def smtp_relay_get():
config = utils.load_settings(env)
@ -864,7 +874,7 @@ def smtp_relay_get():
@app.route('/system/smtp/relay', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def smtp_relay_set():
from editconf import edit_conf
from os import chmod
@ -995,7 +1005,7 @@ def smtp_relay_set():
@app.route('/system/pgp/', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def get_keys():
from pgp import get_daemon_key, get_imported_keys, key_representation
return {
@ -1005,7 +1015,7 @@ def get_keys():
@app.route('/system/pgp/<fpr>', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def get_key(fpr):
from pgp import get_key, key_representation
k = get_key(fpr)
@ -1015,7 +1025,7 @@ def get_key(fpr):
@app.route('/system/pgp/<fpr>', methods=["DELETE"])
@authorized_personnel_only
@authorized_personnel_only()
def delete_key(fpr):
from pgp import delete_key
from wkd import parse_wkd_list, build_wkd
@ -1030,7 +1040,7 @@ def delete_key(fpr):
@app.route('/system/pgp/<fpr>/export', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def export_key(fpr):
from pgp import export_key
exp = export_key(fpr)
@ -1040,7 +1050,7 @@ def export_key(fpr):
@app.route('/system/pgp/import', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def import_key():
from pgp import import_key
from wkd import build_wkd
@ -1065,7 +1075,7 @@ def import_key():
@app.route('/system/pgp/wkd', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def get_wkd_status():
from pgp import get_daemon_key, get_imported_keys, key_representation
from wkd import get_user_fpr_maps, get_wkd_config
@ -1099,7 +1109,7 @@ def get_wkd_status():
@app.route('/system/pgp/wkd', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def update_wkd():
from wkd import update_wkd_config, build_wkd
update_wkd_config(request.form)
@ -1108,7 +1118,7 @@ def update_wkd():
@app.route('/system/default-quota', methods=["GET"])
@authorized_personnel_only
@authorized_personnel_only()
def default_quota_get():
if request.values.get('text'):
return get_default_quota(env)
@ -1119,7 +1129,7 @@ def default_quota_get():
@app.route('/system/default-quota', methods=["POST"])
@authorized_personnel_only
@authorized_personnel_only()
def default_quota_set():
config = utils.load_settings(env)
try:
@ -1137,7 +1147,7 @@ def default_quota_set():
@app.route('/munin/')
@authorized_personnel_only
@authorized_personnel_only()
def munin_start():
# Munin pages, static images, and dynamically generated images are served
# outside of the AJAX API. We'll start with a 'start' API that sets a cookie

View file

@ -135,6 +135,13 @@
Monitoring</a></li>
</ul>
</li>
<li class="nav-item me-1 me-xl-4 dropdown if-logged-in-not-admin">
<button class="btn dropdown-toggle" type="button" data-bs-toggle="dropdown" aria-expanded="false">Your Account</button>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="#manage-password" onclick="return show_panel(this);">Manage Password</a></li>
<li><a class="dropdown-item" href="#mfa" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
</ul>
</li>
<li class="nav-item me-1 me-xl-4 btn if-logged-in-not-admin" type="button" href="#mail-guide"
onclick="return show_panel(this);">
Mail Guide
@ -198,6 +205,10 @@
{% include "wkd.html" %}
</div>
<div id="panel_manage-password" class="admin_panel">
{% include "manage-password.html" %}
</div>
<div id="panel_mfa" class="admin_panel">
{% include "mfa.html" %}
</div>

View file

@ -0,0 +1,57 @@
<div>
<h2>Manage Password</h2>
<p>Here you can change your account password. The new password is then valid for both this panel and your email.</p>
<p>If you have client emails configured, you'll then need to update the configuration with the new password. See the <a href="#mail-guide" onclick="return show_panel(this);">Mail Guide</a> for more information about this.</p>
<form class="form-horizontal" role="form" onsubmit="set_password_self(); return false;">
<div class="col-lg-10 col-xl-8 mb-3">
<div class="input-group">
<label for="manage-password-new" class="input-group-text col-3">New Password</label>
<input type="password" placeholder="password" class="form-control" id="manage-password-new">
</div>
</div>
<div class="col-lg-10 col-xl-8 mb-3">
<div class="input-group">
<label for="manage-password-confirm" class="input-group-text col-3">Confirm Password</label>
<input type="password" placeholder="password" class="form-control" id="manage-password-confirm">
</div>
</div>
<div class="mt-3">
<button id="manage-password-submit" type="submit" class="btn btn-primary">Save</button>
</div>
<small>After changing your password, you'll be logged out from the account and will need to log in again.</small>
</form>
</div>
<script>
function set_password_self() {
if ($('#manage-password-new').val() !== $('#manage-password-confirm').val()) {
show_modal_error("Set Password", 'Passwords do not match!');
return;
}
let password = $('#manage-password-new').val()
api(
"/mail/users/password",
"POST",
{
email: api_credentials.username,
password: password
},
function (r) {
// Responses are multiple lines of pre-formatted text.
show_modal_error("Set Password", $("<pre/>").text(r), () => {
do_logout()
$('#manage-password-new').val("")
$('#manage-password-confirm').val("")
});
},
function (r) {
show_modal_error("Set Password", r);
}
);
}
</script>

View file

@ -212,12 +212,11 @@ cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
${RCM_PLUGIN_DIR}/password/config.inc.php
management/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php -c "//" \
"\$config['password_driver'] = 'miab';" \
"\$config['password_minimum_length'] = 8;" \
"\$config['password_db_dsn'] = 'sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
"\$config['password_query'] = 'UPDATE users SET password=%P WHERE email=%u';" \
"\$config['password_algorithm'] = 'sha512-crypt';" \
"\$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';" \
"\$config['password_dovecotpw_with_method'] = false;"
"\$config['password_miab_url'] = 'http://127.0.0.1:10222/';" \
"\$config['password_miab_user'] = '';" \
"\$config['password_miab_pass'] = '';"
# so PHP can use doveadm, for the password changing plugin
usermod -a -G dovecot www-data