From a985ca5cca24d16eab5041298e56212b37b71b4e Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Tue, 12 Feb 2019 11:32:33 +0100
Subject: [PATCH] Allow password reset in Nextcloud
---
 Dockerfile | 12 +----
 htdocs/create.php | 93 +++++++++++++------------------
 htdocs/users.php | 39 --------------
 id_rsa_postfixadmincontainer.pub | 1 -
 scripts/createAccount.sh | 33 ------------
 5 files changed, 40 insertions(+), 138 deletions(-)
 delete mode 100644 htdocs/users.php
 delete mode 100644 id_rsa_postfixadmincontainer.pub
 delete mode 100755 scripts/createAccount.sh
diff --git a/Dockerfile b/Dockerfile
index 2d33f00..3f72312 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,8 @@
 FROM php:7-apache-stretch
 ARG DOMAIN=welcome.ecloud.global
 LABEL maintainer "thilo@e.email"
-RUN mkdir -p /home/www-data/.ssh \
- && chown www-data:www-data /home/www-data/ -R \
- && chmod 700 /home/www-data/.ssh
-COPY scripts/createAccount.sh /var/script/
 COPY htdocs /var/www/html/
-RUN chown www-data:www-data /var/script /var/www -R \
- && chmod +x /var/script/createAccount.sh \
- && mkdir -p /home/www-data/.ssh \
- && chown www-data:www-data /home/www-data/ -R \
- && chmod 700 /home/www-data/.ssh
+RUN chown www-data:www-data /var/www -R
 
 # Use the default production configuration
 RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
@@ -18,7 +10,7 @@ RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
 # copy composer executable from official Docker image
 # https://hub.docker.com/_/composer
 COPY --from=composer:1.8 /usr/bin/composer /usr/bin/composer
-RUN apt-get update && apt-get install -y --no-install-recommends git unzip openssh-client \
+RUN apt-get update && apt-get install -y --no-install-recommends git unzip \
 # these params are recommended for installing untrusted extensions
 # https://getcomposer.org/doc/faqs/how-to-install-untrusted-packages-safely.md
 && composer require --no-plugins --no-scripts pear/mail pear/net_smtp pear/auth_sasl pear/mail_mime \
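Review bot: `RUN chown www-data:www-data /var/www -R` leaves the entire document root, including the PHP sources and the composer-installed vendor tree, writable by the account Apache runs as, which is wider than a web root needs; with createAccount.sh and the ssh key setup gone, nothing else in this Dockerfile still requires www-data to own /var/www. Unless create.php or the pear packages write under /var/www at runtime (not visible here), keep root ownership and grant read access only, e.g. `RUN chmod -R a+rX /var/www`. Dropping openssh-client in the second hunk is consistent with the removal of the scp/ssh path, so no further change is needed there.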
diff --git a/htdocs/create.php b/htdocs/create.php
index 8433d3e..55c38df 100644
--- a/htdocs/create.php
+++ b/htdocs/create.php
@@ -11,7 +11,6 @@ $name=$_POST['displayname'];
 $quota=5120;
 $active=1;
 $wmail=0;
-$script="/var/script/createAccount.sh";
 $authmail=$_POST['authmail'];
 $authsecret=$_POST['authsecret'];
 $GLOBALS["lang"]="en";
@@ -116,65 +115,49 @@ if(!isAuthorized(trim($authmail),trim($authsecret))) {
 if(!isset($_POST['username']) || !isset($_POST['password']) ||!isset($_POST['displayname']) ||!isset($_POST['repassword']) || strcmp($pw,$pw2)!=0) {
- if(strcmp($pw,$pw2)==0)
+ if(strcmp($pw,$pw2)==0) {
 echo "Error: Mandatory fields are missing";
- else
+ } else {
 echo "Passwords do not match";
-} else {
+ }
+ return;
+}
 $resultmail=$mbox."@".$domain;
-$cmd = "$script ".$resultmail." 2>&1";
-$ret=shell_exec($cmd);
-//$pw=escapeshellarg($pw);
-//$pw=str_replace("\"","\\\"",$pw);
-//$pw=str_replace("'","\'",$pw);
-//$pw=str_replace("$","\$",$pw);
-//$pw2=escapeshellarg($pw2);
-//$pw2=str_replace("\"","\\\"",$pw2);
-//$pw2=str_replace("'","\'",$pw2);
-//$pw2=str_replace("$","\$",$pw2);
-
-if(strcmp(trim($ret),"0")==0) {
- $tmpfilename="/tmp/$mbox-details";
- $tmpfile = file_put_contents($tmpfilename,$resultmail.PHP_EOL , FILE_APPEND | LOCK_EX);
- $tmpfile = file_put_contents($tmpfilename,$pw.PHP_EOL , FILE_APPEND | LOCK_EX);
- $tmpfile = file_put_contents($tmpfilename,$pw2.PHP_EOL , FILE_APPEND | LOCK_EX);
- $tmpfile = file_put_contents($tmpfilename,$name.PHP_EOL , FILE_APPEND | LOCK_EX);
- $tmpfile = file_put_contents($tmpfilename,$quota.PHP_EOL , FILE_APPEND | LOCK_EX);
- $cmd="scp -i /home/www-data/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $tmpfilename pfexec@postfixadmin:/tmp && rm $tmpfilename";
- $ret=shell_exec($cmd);
- $cmd="ssh -2i /home/www-data/.ssh/id_rsa pfexec@postfixadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \"cat $tmpfilename | /usr/local/bin/wrapper.sh\" 2>&1";
- $ret=shell_exec($cmd);
- $cmd="ssh -2i /home/www-data/.ssh/id_rsa pfexec@postfixadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \"rm -f $tmpfilename\"";
- $retDel=shell_exec($cmd);
- $find = "The mailbox $mbox@$domain has been added to the mailbox table";
- $output=nl2br($ret);
- $success = strpos($output, $find);
- if ($success === false) {
- error_log($output);
- echo "Internal error";
- } else {
- echo "Account $mbox@$domain created";
- sendWelcomeMsg($authmail,$mbox,$domain);
- $done = "$authmail:$authsecret:$mbox";
- $myfile = file_put_contents("/var/accounts/auth.file.done", $done.PHP_EOL , FILE_APPEND | LOCK_EX);
- if ( $myfile === false ) {
- echo "Error: Persisting creation info failed";
- exit;
- }
- }
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
+$data = array("auth" => getenv("CREATE_ACCOUNT_PASSWORD"), "target_email" => $resultmail,
+ "password" => $pw, "password_confirm" => $pw2, "displayname" => $name,
+ "email_quota" => $quota, "fallback_email" => $authmail, "nextcloud_quota" => "$quota MB");
+curl_setopt($ch, CURLOPT_URL, "create-account:9000/create-account");
+curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
+$output = curl_exec($ch);
+$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+error_log($output);
+error_log("status code: $statusCode");
+if ($statusCode === 200) {
+ echo "Account $mbox@$domain created";
+ sendWelcomeMsg($authmail,$mbox,$domain);
+ $done = "$authmail:$authsecret:$mbox";
+ $myfile = file_put_contents("/var/accounts/auth.file.done", $done.PHP_EOL , FILE_APPEND | LOCK_EX);
+ if ( $myfile === false ) {
+ echo "Error: Persisting creation info failed";
+ }
 } else {
- if(startsWith($ret, '1: ')) {
- error_log($output);
- echo "Internal error";
- }
- if(startsWith($ret, '2: ')) {
- echo "Username $mbox@$domain is already taken";
- }
- if(startsWith($ret, '3: ')) {
- echo "Username $mbox@$domain is not allowed";
- }
-}
+ $json = json_decode($output, true);
+ switch ($json["message"]) {
+ case "username_forbidden":
+ echo "Username $mbox@$domain is not allowed";
+ break;
+ case "username_taken":
+ echo "Username $mbox@$domain is already taken";
+ break;
+ case "internal_error":
+ echo "Internal error";
+ break;
+ }
 }
 ?>
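Review bot: When the create-account service cannot be reached, `curl_exec` returns `false`, `$statusCode` is 0 and `json_decode` yields `null`, so no `switch` case matches and the caller receives an empty page with no indication that the request failed; add `default: echo "Internal error"; break;` to the switch and log `curl_error($ch)` before `curl_close` when `$output === false`. The same silent fallthrough occurs for any message value the service returns that is not one of the three listed. The URL `create-account:9000/create-account` carries no scheme, so curl will use plain HTTP and the shared secret from `CREATE_ACCOUNT_PASSWORD` together with the user's password travel in clear text; that is only acceptable if both containers sit on an isolated network, which the hunk cannot show. `error_log($output)` runs on every response, successful ones included, so whatever the service sends back lands in the web server log — confirm it contains no account details.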
diff --git a/htdocs/users.php b/htdocs/users.php
deleted file mode 100644
index 16bfc24..0000000
--- a/htdocs/users.php
+++ /dev/null
@@ -1,39 +0,0 @@
- -
diff --git a/id_rsa_postfixadmincontainer.pub b/id_rsa_postfixadmincontainer.pub
deleted file mode 100644
index 65025f5..0000000
--- a/id_rsa_postfixadmincontainer.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF+1sKPgDIKEv5rMpXlJizexdNcHFVlStqB6x/x2dp0Rb8r0MT20XEQEc9g+v3waKKgNL0CkuUQiRhNoFMcTf3pS6NFMeucWUVjv2Cv8BArl7Q3LTiBGgKSeaPNNmsu3QM7cwbAqY+M28eFuFRUFxBs6hzTatPPnJwJw7WnWaBHZmJYAGPe6B2EVH3Kqn46tSjzBifI3eV/z0CnRy0JMrjjO0/1P+lIGNEMnvy8ESX6GPZcU+phhKqfWeGY4xfwOjBLBBs1O1iy90TeKABPwbOq2mbg3btjj4fpBsJ0VHe+s05snobl6PhpI4GA4P88NezXzVpdKS/YnLZq8AYyJXJ root@onlyoffice-test
diff --git a/scripts/createAccount.sh b/scripts/createAccount.sh
deleted file mode 100755
index 252f3bd..0000000
--- a/scripts/createAccount.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-if (("$#" != 1))
-then
- echo "1: internal error"
- exit 1
-fi
-
-SOURCE="${BASH_SOURCE[0]}"
-while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
- DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
- SOURCE="$(readlink "$SOURCE")"
- [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
-done
-DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-
-email="$1"
-prefix=$(echo "$email" | awk -F@ '{ print $1 }')
-forbidden=$(grep "^$prefix\$" $DIR/exclude_names | wc -l)
-if [ "$forbidden" = "1" ]
-then
- echo "3: account $email not allowed"
- exit 3
-fi
-ACCOUNT_EXISTS=$(curl -kH "Host: $DOMAINS" http://localhost/users.php 2>&1 | grep -e "$email" -e "$prefix@eelo.io" -e "$prefix@eelo.me" | wc -l)
-
-if [ "$ACCOUNT_EXISTS" = "0" ]
-then
- echo "0"
- exit 0
-else
- echo "2: account $email already taken"
- exit 2
-fi
-- 
GitLab