Merge pull request #111 from YunoHost-Apps/sso

Attempt to SSO

README.md

@@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Simple, modern, lightweight & fast web-based email client. The drastically upgraded & secured fork of RainLoop Webmail Community edition.
 
 
-**Shipped version:** 2.28.4~ynh1
+**Shipped version:** 2.28.4~ynh2
 
 **Demo:** https://snappymail.eu/demo/
 

README_fr.md

@@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 
 Client de messagerie Web simple, moderne, léger et rapide. Snappymail est un fork considérablement amélioré et sécurisé de l'édition RainLoop Webmail Community.
 
-**Version incluse :** 2.28.4~ynh1
+**Version incluse :** 2.28.4~ynh2
 
 **Démo :** https://snappymail.eu/demo/
 

conf/application.ini

@@ -8,76 +8,115 @@ title = "SnappyMail Webmail"
 ; Text displayed on startup
 loading_description = "SnappyMail"
 favicon_url = ""
+app_path = ""
 
 ; Theme used by default
-theme = "Clear"
+theme = "Default"
 
 ; Allow theme selection on settings screen
 allow_themes = On
 allow_user_background = Off
 
 ; Language used by default
-language = "__LANGUAGE__"
+language = "en"
 
 ; Admin Panel interface language
-language_admin = "__LANGUAGE__"
+language_admin = "en"
 
 ; Allow language selection on settings screen
 allow_languages_on_settings = On
 allow_additional_accounts = On
 allow_additional_identities = On
 
-;  Number of messages displayed on page by default
+; Number of messages displayed on page by default
 messages_per_page = 20
 
+; Mark message read after N seconds
+message_read_delay = 5
+
 ; File size limit (MB) for file upload on compose screen
 ; 0 for unlimited.
 attachment_size_limit = 25
 
+; brotli or gzip compress the output.
+; Warning: only enable when server does not do this, else double compression errors occur
+compress_output = Off
+
 [interface]
 show_attachment_thumbnail = On
-new_move_to_folder_button = on
 
 [contacts]
 ; Enable contacts
 enable = On
-allow_sharing = On
 allow_sync = On
 sync_interval = 20
 type = "mysql"
 pdo_dsn = "mysql:host=127.0.0.1;port=3306;dbname=__DB_NAME__"
 pdo_user = "__DB_USER__"
 pdo_password = "__DB_PWD__"
-suggestions_limit = 30
+
+; PEM format certificate
+mysql_ssl_ca = ""
+mysql_ssl_verify = On
+
+; HIGH
+mysql_ssl_ciphers = ""
+suggestions_limit = 20
 
 [security]
-; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
-csrf_protection = On
 custom_server_signature = "SnappyMail"
-x_frame_options_header = "DENY"
 x_xss_protection_header = "1; mode=block"
 openpgp = Off
 
-; Login and password for web admin panel
-admin_login = "admin"
-admin_password = "12345"
-admin_totp = ""
-
 ; Access settings
 allow_admin_panel = On
-hide_x_mailer_header = On
+
+; Login and password for web admin panel
+admin_login = "admin"
+admin_password = ""
+admin_totp = ""
 admin_panel_host = ""
 admin_panel_key = "admin"
+force_https = Off
+hide_x_mailer_header = On
+
+; https://en.m.wikipedia.org/wiki/Load_(computing)
+max_sys_getloadavg = 0
+
+; For example to allow all images use "img-src https:". More info at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives
 content_security_policy = ""
+
+; Report CSP errors to PHP and/or SnappyMail Log
 csp_report = Off
+
+; A valid cipher method from https://php.net/openssl_get_cipher_methods
 encrypt_cipher = "aes-256-cbc-hmac-sha1"
 
+; Strict, Lax or None
+cookie_samesite = "Strict"
+
+; Additional allowed Sec-Fetch combinations separated by ";".
+; For example:
+; * Allow iframe on same domain in any mode: dest=iframe,site=same-origin
+; * Allow navigate to iframe on same domain: mode=navigate,dest=iframe,site=same-origin
+; * Allow navigate to iframe on (sub)domain: mode=navigate,dest=iframe,site=same-site
+; * Allow navigate to iframe from any domain: mode=navigate,dest=iframe,site=cross-site
+; 
+; Default is "site=same-origin;site=none"
+secfetch_allow = ""
+
+[admin_panel]
+allow_update = Off
+
 [ssl]
 ; Require verification of SSL certificate used.
-verify_certificate = Off
+verify_certificate = On
 
 ; Allow self-signed certificates. Requires verify_certificate.
-allow_self_signed = On
+allow_self_signed = Off
+
+; https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+security_level = 1
 
 ; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
 cafile = ""
@@ -85,23 +124,40 @@ cafile = ""
 ; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
 capath = ""
 
+; Location of client certificate file (pem format with private key) on local filesystem
+local_cert = ""
+
+; This can help mitigate the CRIME attack vector.
+disable_compression = On
+
 [capa]
 contacts = On
 quota = On
 help = On
 search = On
 search_adv = On
+; Allow clear folder and delete messages without moving to trash
 dangerous_actions = On
+
+; Allow download attachments as Zip (and optionally others)
 attachments_actions = On
 
 [login]
+; If someone logs in without "@domain.tld", this value will be used
+; When this value is HTTP_HOST, the $_SERVER["HTTP_HOST"] value is used.
+; When this value is SERVER_NAME, the $_SERVER["SERVER_NAME"] value is used.
+; When this value is gethostname, the gethostname() value is used.
+; 
 default_domain = "__DOMAIN__"
 
 ; Allow language selection on webmail login screen
 allow_languages_on_login = On
+
+; Detect language from browser header `Accept-Language`
 determine_user_language = On
+
+; Like default_domain but then HTTP_HOST/SERVER_NAME without www.
 determine_user_domain = Off
-hide_submit_button = On
 login_lowercase = On
 
 ; This option allows webmail to remember the logged in user
@@ -117,11 +173,11 @@ sign_me_auto = "DefaultOff"
 ; Enable plugin support
 enable = On
 
-; List of enabled plugins
+; Comma-separated list of enabled plugins
 enabled_list = "ldap-identities"
 
 [defaults]
-; Editor mode used by default (Plain, Html, HtmlForced or PlainForced)
+; Editor mode used by default (Plain, Html)
 view_editor_type = "Html"
 
 ; layout: 0 - no preview, 1 - side preview, 2 - bottom preview
@@ -139,22 +195,24 @@ mail_reply_same_folder = Off
 ; Enable logging
 enable = Off
 
+; Path where log files will be stored
+path = ""
+
+; Log messages of set RFC 5424 section 6.2.1 Severity level and higher (0 = highest, 7 = lowest).
+; 0 = Emergency
+; 1 = Alert
+; 2 = Critical
+; 3 = Error
+; 4 = Warning
+; 5 = Notice
+; 6 = Informational
+; 7 = Debug
 level = 4
 
-; Logs entire request only if error occured (php requred)
-write_on_error_only = Off
-
-; Logs entire request only if php error occured
-write_on_php_error_only = Off
-
-; Logs entire request only if request timeout (in seconds) occured.
-write_on_timeout_only = 0
-
 ; Required for development purposes only.
 ; Disabling this option is not recommended.
 hide_passwords = On
-time_offset = __TIMEZONE__
-session_filter = ""
+time_zone = "__TIMEZONE__"
 
 ; Log filename.
 ; For security reasons, some characters are removed from filename.
@@ -182,16 +240,23 @@ session_filter = ""
 ;   filename = "log-{date:Y-m-d}.txt"
 ;   filename = "{date:Y-m-d}/{user:domain}/{user:email}_{user:uid}.log"
 ;   filename = "{user:email}-{date:Y-m-d}.txt"
+;   filename = "syslog"
+;   filename = "stderr"
 filename = "log-{date:Y-m-d}.txt"
 
 ; Enable auth logging in a separate file (for fail2ban)
 auth_logging = On
-auth_logging_filename = "fail2ban/auth-fail.log"
-auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
+auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
+auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
+
+; Enable auth logging to syslog for fail2ban
+auth_syslog = Off
 
 [debug]
 ; Special option required for development purposes
 enable = Off
+javascript = Off
+css = Off
 
 [cache]
 ; The section controls caching of the entire application.
@@ -199,10 +264,13 @@ enable = Off
 ; Enables caching in the system
 enable = On
 
+; Path where cache files will be stored
+path = ""
+
 ; Additional caching key. If changed, cache is purged
 index = "v1"
 
-; Can be: files, APC, memcache
+; Can be: files, APCU, memcache, redis (beta)
 fast_cache_driver = "files"
 
 ; Additional caching key. If changed, fast cache is purged
@@ -216,58 +284,39 @@ http_expires = 3600
 
 ; Caching message UIDs when searching and sorting (threading)
 server_uids = On
+system_data = On
+
+[imap]
+use_force_selection = Off
+use_expunge_all_on_delete = Off
+message_list_fast_simple_search = On
+message_list_permanent_filter = ""
+message_all_headers = Off
+show_login_alert = On
+fetch_new_messages = On
 
 [labs]
-allow_prefetch = Off
-cache_system_data = On
+; Display message RFC 2822 date and time header, instead of the arrival internal date.
 date_from_headers = On
-autocreate_system_folders = Off
 allow_message_append = Off
-login_fault_delay = 1
+
+; When login fails, wait N seconds before responding
+login_fault_delay = 5
 log_ajax_response_write_limit = 300
-allow_html_editor_source_button = Off
-allow_ctrl_enter_on_compose = On
-try_to_detect_hidden_images = Off
-use_app_debug_js = Off
-use_mobile_version_for_tablets = Off
-use_app_debug_css = Off
-use_imap_sort = On
-use_imap_force_selection = Off
-use_imap_thread = On
-use_imap_move = Off
-use_imap_expunge_all_on_delete = Off
-imap_forwarded_flag = "$Forwarded"
-imap_read_receipt_flag = "$ReadReceipt"
-imap_body_text_limit = 555000
-imap_message_list_fast_simple_search = On
-imap_message_list_count_limit_trigger = 0
-imap_message_list_date_filter = 0
-imap_message_list_permanent_filter = ""
-imap_message_all_headers = Off
-imap_large_thread_limit = 50
-imap_folder_list_limit = 200
-imap_show_login_alert = On
-imap_use_list_status = On
-imap_timeout = 300
 smtp_show_server_errors = Off
-smtp_timeout = 60
 sieve_auth_plain_initial = On
-sieve_allow_fileinfo_inbox = Off
-sieve__timeout = 10
-sasl_allow_plain = On
-sasl_allow_scram_sha = Off
-sasl_allow_cram_md5 = Off
+sieve_allow_fileinto_inbox = Off
+
+; PHP mail() remove To and Subject headers
 mail_func_clear_headers = On
+
+; PHP mail() set -f emailaddress
 mail_func_additional_parameters = Off
-favicon_status = On
 folders_spec_limit = 50
 curl_proxy = ""
 curl_proxy_auth = ""
-in_iframe = Off
-force_https = Off
-custom_login_link = ""
-custom_logout_link = ""
-allow_external_login = Off
+custom_login_link=''
+custom_logout_link='https://__MAIN_DOMAIN__/yunohost/sso/?action=logout'
 http_client_ip_check_proxy = Off
 fast_cache_memcache_host = "127.0.0.1"
 fast_cache_memcache_port = 11211
@@ -277,13 +326,11 @@ use_local_proxy_for_external_images = On
 image_exif_auto_rotate = Off
 cookie_default_path = ""
 cookie_default_secure = Off
-check _new_messages = On
 replace_env_in_configuration = ""
 boundary_prefix = ""
-kolab_enabled = Off
 dev_email = ""
 dev_password = ""
 
 [version]
-current = "2.15.0"
-saved = "Thu, 21 Apr 2022 15:18:08 +0000"
+current = "2.28.1"
+saved = "Wed, 21 Jun 2023 06:38:05 +0000"

conf/sso.php

@@ -0,0 +1,17 @@
+<?php
+
+// Enable SnappyMail Api and include index file 
+$_ENV['SNAPPYMAIL_INCLUDE_AS_API'] = true;
+require 'app/index.php';
+
+// Retrieve email and password
+if (isset($_SERVER['HTTP_EMAIL']) && isset($_SERVER['PHP_AUTH_PW'])) {
+        $email = $_SERVER['HTTP_EMAIL'];
+        $password = $_SERVER['PHP_AUTH_PW'];
+        $ssoHash = \RainLoop\Api::CreateUserSsoHash($email, $password);
+        // redirect to webmail sso url
+        \header('Location: https://__DOMAIN____PATH__/app/?sso&hash='.$ssoHash);
+}
+else {
+        \header('Location: https://__DOMAIN____PATH__/app/');
+}

doc/ADMIN.md

@@ -2,6 +2,6 @@ The password-file is created after first opening the admin UI!
 
 Be sure to immediately change the default password!
 
-Open Snappy's admin UI `https://__DOMAIN____PATH__/?admin` to configure your mail server settings. Login with user "admin" and password from the file `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
+Open Snappy's admin UI `https://__DOMAIN____PATH__/app/?admin` to configure your mail server settings. Login with user "admin" and password from the file `__INSTALL_DIR__/app/data/_data_/_default_/admin_password.txt`.
 
 In particular, to be able to send emails, you need to go to Snappy's admin UI > Domains > __DOMAIN__ > SMTP > Check "Use authentication"

doc/ADMIN_fr.md

@@ -2,6 +2,6 @@ Le fichier de mot de passe est créé après la première ouverture de l'interfa
 
 Assurez-vous de changer immédiatement le mot de passe par défaut !
 
-Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
+Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/app/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
 
 En particulier, pour pouvoir envoyer des mails, il vous faut aller dans l'interface d'admin de Snappy > Domaines > __DOMAIN__ > SMTP > Coche "Use authentication"

manifest.toml

@@ -5,7 +5,7 @@ name = "SnappyMail"
 description.en = "Simple, modern, lightweight & fast web-based e-mail client"
 description.fr = "Client de messagerie Web simple, moderne, léger et rapide"
 
-version = "2.28.4~ynh1"
+version = "2.28.4~ynh2"
 
 maintainers = ["eric_G"]
 
@@ -23,7 +23,7 @@ multi_instance = true
 ldap = false
 sso = false
 disk = "50M"
-ram.build = "50M"
+ram.build = "100M"
 ram.runtime = "50M"
 
 [install]
@@ -56,4 +56,8 @@ ram.runtime = "50M"
     main.url = "/"
 
     [resources.apt]
-    packages = "php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring"
+    packages = "mariadb-server php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring"
+
+    [resources.database]
+    type = "mysql"
+    

scripts/_common.sh

@@ -4,6 +4,9 @@
 # COMMON VARIABLES
 #=================================================
 
+main_domain=$(cat /etc/yunohost/current_host)
+timezone=$(cat /etc/timezone)
+
 #=================================================
 # PERSONAL HELPERS
 #=================================================

scripts/change_url

@@ -6,8 +6,26 @@
 # IMPORT GENERIC HELPERS
 #=================================================
 
+source _common.sh
 source /usr/share/yunohost/helpers
 
+#=================================================
+# UPDATE A CONFIG FILE
+#=================================================
+ynh_script_progression --message="Updating a configuration file..." --weight=1
+
+ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
+chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+#=================================================
+# SETUP SSO
+#=================================================
+ynh_script_progression --message="Applying SSO patch..." --weight=1
+
+ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
+
 #=================================================
 # MODIFY URL IN NGINX CONF
 #=================================================

scripts/install

@@ -31,7 +31,7 @@ ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
 ynh_script_progression --message="Setting up source files..." --weight=3
 
 # Download, check integrity, uncompress and patch the source from app.src
-ynh_setup_source --dest_dir="$install_dir"
+ynh_setup_source --dest_dir="$install_dir/app"
 
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
@@ -50,6 +50,28 @@ ynh_add_nginx_config
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate
 
+#=================================================
+# APP INITIAL CONFIGURATION
+#=================================================
+# ADD A CONFIGURATION
+#=================================================
+ynh_script_progression --message="Adding a configuration file..." --weight=1
+
+mkdir -p "$install_dir/app/data/_data_/_default_/configs"
+chown $app:$app -R "$install_dir/app/data/_data_"
+
+ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
+chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+#=================================================
+# SETUP SSO
+#=================================================
+ynh_script_progression --message="Applying SSO patch..." --weight=1
+
+ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/upgrade

@@ -38,6 +38,17 @@ if [ -z "${fpm_usage:-}" ]; then
     ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
 fi
 
+# Do something when upgrading from 2.3.2~ynh1 or lower
+if ynh_compare_current_package_version --comparison le --version 2.28.4~ynh1
+then
+    # Move everything inside a $install_dir/app/ subfolder
+    # This allows to have a $install_dir/index.php handling the SSO
+    mkdir -p $install_dir/app
+    # Ugly way to not return an error when moving everything to a subfolter of the same folder https://stackoverflow.com/a/43262922
+    find $install_dir -maxdepth 1 -mindepth 1 -not -name app -exec mv -t $install_dir/app {} +
+    chown $app:root $install_dir/app/
+fi
+
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
@@ -47,7 +58,7 @@ then
 	ynh_script_progression --message="Upgrading source files..." --weight=5
 
 	# Download, check integrity, uncompress and patch the source from app.src
-	ynh_setup_source --dest_dir="$install_dir" --keep="data/_data_/_default_/configs/application.ini"
+	ynh_setup_source --dest_dir="$install_dir/app" --keep="data/_data_/_default_/configs/application.ini"
 fi
 
 chmod -R o-rwx "$install_dir"
@@ -67,6 +78,25 @@ ynh_add_nginx_config
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate --non-append
 
+#=================================================
+# RECONFIGURE THE APP (UPDATE CONF, APPLY MIGRATIONS...)
+#=================================================
+# UPDATE A CONFIG FILE
+#=================================================
+ynh_script_progression --message="Updating a configuration file..." --weight=1
+
+ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
+chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
+
+#=================================================
+# SETUP SSO
+#=================================================
+ynh_script_progression --message="Applying SSO patch..." --weight=1
+
+ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
+
 #=================================================
 # END OF SCRIPT
 #=================================================