feat(provisioning): Master password support#9008
Conversation
ChristophWurst
force-pushed
the
feat/master-password
branch
from
fc1bbef to
abf92a6
Compare
This comment was marked as outdated.
This comment was marked as outdated.
|
Will this be merged in time for 3.5.0? I saw that you guys were tagging beta releases? |
|
Yes, no rush. 3.5 will only be branched off in a week. This PR should make it. |
|
@mickenordin may I ask you to also give the latest state a final test? 🙏 |
Definetly! Will get right on it! |
|
Unfortunately this does no longer work for me. The app now fails to detect that the user should see the mail box, and instead claims that it is disabled due to being a SSO account. The actual code works though it seems. If I set the master password and give a local user the same email it works, but not for a user signed in with single signon. I am pretty sure that this used to work, so I am not sure what happened here. How can it have stopped detecting that the user account should be able to see the mail box? What I did to set this up by the way was this: |
|
I'm also unable to test the changes at the moment |
|
@ChristophWurst I see what is missing now, it is the check in src/components/Navigation.vue in https://github.com/nextcloud/mail/pull/8917/files#diff-578fcad0646f9b6ab3e4f8bbe2f8f946e54d39670c0da653db620aaead7d9663 And the corresponding getter in store |
|
From: Micke Nordin ***@***.***>
…---
src/components/Navigation.vue | 3 ++-
src/store/getters.js | 1 +
src/store/index.js | 1 +
src/store/mutations.js | 3 +++
4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/components/Navigation.vue b/src/components/Navigation.vue
index 5feaf97b0..adcaa26d2 100644
--- a/src/components/Navigation.vue
+++ b/src/components/Navigation.vue
@@ -182,7 +182,8 @@ export default {
* @return {boolean} True if the account should be disabled
*/
isDisabled(account) {
- return this.passwordIsUnavailable && !!account.provisioningId
+
+ return (this.passwordIsUnavailable && !!account.provisioningId) && !!this.$store.getters.masterPasswordEnabled
},
},
}
diff --git a/src/store/getters.js b/src/store/getters.js
index da6424222..e2d7f1bf5 100644
--- a/src/store/getters.js
+++ b/src/store/getters.js
@@ -117,6 +117,7 @@ export const getters = {
isScheduledSendingDisabled: (state) => state.isScheduledSendingDisabled,
isSnoozeDisabled: (state) => state.isSnoozeDisabled,
googleOauthUrl: (state) => state.googleOauthUrl,
+ masterPasswordEnabled: (state) => state.masterPasswordEnabled,
microsoftOauthUrl: (state) => state.microsoftOauthUrl,
getActiveSieveScript: (state) => (accountId) => state.sieveScript[accountId],
getCurrentUserPrincipal: (state) => state.currentUserPrincipal,
diff --git a/src/store/index.js b/src/store/index.js
index fbd245183..6bdbda6fe 100644
--- a/src/store/index.js
+++ b/src/store/index.js
@@ -103,6 +103,7 @@ export default new Store({
isSnoozeDisabled: false,
currentUserPrincipal: undefined,
googleOauthUrl: null,
+ masterPasswordEnabled: false,
sieveScript: {},
calendars: [],
smimeCertificates: [],
diff --git a/src/store/mutations.js b/src/store/mutations.js
index ad7c1beb8..3719dc699 100644
--- a/src/store/mutations.js
+++ b/src/store/mutations.js
@@ -475,6 +475,9 @@ export default {
setGoogleOauthUrl(state, url) {
state.googleOauthUrl = url
},
+ setMasterPasswordEnabled(state, value) {
+ state.masterPasswordEnabled = value
+ },
setMicrosoftOauthUrl(state, url) {
state.microsoftOauthUrl = url
},
--
2.42.0
|
|
The patch above fixes the issue and here it is as an attachement as well. |
|
The feature works again 🚀 |
ChristophWurst
left a comment
ChristophWurst
left a comment
There was a problem hiding this comment.
👍 on @mickenordin's changes :)
Thanks a lot
SSO users do not have a password set, and the auto provisioning of mail
does not work for SSO user. It is also inconvenient to synchronize the
password database between Nextcloud and the mail server used.
So to allow SSO user to use the mail app we can instead configure a
shared password for all users, this will work well with for example
Dovecot that has a concept of a "master password"[0] that can be used to
authenticate users. To use this feature we must convince the mail app
that the user has a password available, which we can set with occ like
so:
```
./occ config:app:set mail master_password --value 'very-secret-master-password'
```
We can then configure dovecot to allow this password from the Nextcloud
server, in this example 89.46.21.198:
```
passdb {
args = password=very-secret-master-password allow_nets=89.46.21.198/32
driver = static
}
```
If we configure postfix to use SASL auth against dovecot, we can then
both send and recieve mail from Nextcloud mail app, for SSO users.
0. https://doc.dovecot.org/configuration_manual/authentication/master_users/
Co-Authored-By: Christoph Wurst <[email protected]>
Signed-off-by: Micke Nordin <[email protected]>
Signed-off-by: Christoph Wurst <[email protected]>
ChristophWurst
force-pushed
the
feat/master-password
branch
from
c283ab3 to
ae74847
Compare
| * @method bool|null getMasterPasswordEnabled() | ||
| * @method void setMasterPasswordEnabled(bool $masterPasswordEnabled) | ||
| * @method string|null getMasterPassword() | ||
| * @method void setMasterPassword(string $masterPassword) |
There was a problem hiding this comment.
| * @method void setMasterPassword(string $masterPassword) | |
| * @method void setMasterPassword(?string $masterPassword) |
There was a problem hiding this comment.
To unset the master password?
| * @method bool|null getMasterPasswordEnabled() | ||
| * @method void setMasterPasswordEnabled(bool $masterPasswordEnabled) | ||
| * @method string|null getMasterPassword() | ||
| * @method void setMasterPassword(string $masterPassword) |
There was a problem hiding this comment.
To unset the master password?
| $masterPasswordEnabled = $provisioning->getMasterPasswordEnabled(); | ||
| if ($masterPasswordEnabled && $masterPassword !== null) { | ||
| $password = $masterPassword; | ||
| $this->logger->debug('Password set to master password for ' . $user->getUID()); |
There was a problem hiding this comment.
early return here? Having both a master pw and a regular pw is unneccessary, right?
|
This PR doesn't work if the user never had a password to begin with. This is the case in my environment as none of my users were created with a password, they were all created via mail/lib/Http/Middleware/ProvisioningMiddleware.php Lines 60 to 88 in 3fc016f I am not sure why the password logic is split between two places like this when it seems the only place I have monkeypatched this in my environment by always calling |
|
My users also don't have a password set and were created by the global site selector. This is what this PR aims to fix by allowing the administrator to set a master password. Can you explain a bit more clearly what is not working, and what the regression is? |
|
Please put this into a new ticket. |
Your users probably have something set as their password in the database; they would not be able to use provisioned accounts at all if they didn't. Users without any password set (be it in use or if they signed in via SSO) will have an exception thrown, and
|
4 participants
Amended and squashed version of #8917.
How to test
How to test – Alternative