From 076b6ba503f08e4161d02568d50cede79e5081e5 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler <sebastian@vanwa.ch>
Date: Sun, 22 Aug 2021 22:45:28 +0200
Subject: [PATCH] use oauth2

---
 Dockerfile                                    |  4 --
 rootfs/bin/restart-services                   |  3 -
 .../conf.d/app-passwords-lookup.lua.toml      |  3 -
 .../etc/confd/conf.d/auth-ldap.conf.ext.toml  |  3 -
 .../confd/conf.d/auth-oauth2.conf.ext.toml    |  3 +
 .../confd/conf.d/dovecot-ldap.conf.ext.toml   |  3 -
 .../confd/conf.d/dovecot-oauth2.conf.ext.toml |  3 +
 rootfs/etc/confd/templates/10-auth.conf.tmpl  |  2 +-
 rootfs/etc/confd/templates/10-ssl.conf.tmpl   |  4 +-
 rootfs/etc/confd/templates/90-sieve.conf.tmpl |  2 +-
 .../templates/app-passwords-lookup.lua.tmpl   | 55 -------------------
 .../confd/templates/auth-ldap.conf.ext.tmpl   | 14 -----
 .../confd/templates/auth-oauth2.conf.ext.tmpl | 10 ++++
 .../templates/dovecot-ldap.conf.ext.tmpl      |  9 ---
 .../templates/dovecot-oauth2.conf.ext.tmpl    |  6 ++
 rootfs/var/spool/incron/root                  |  1 -
 16 files changed, 26 insertions(+), 99 deletions(-)
 delete mode 100755 rootfs/bin/restart-services
 delete mode 100644 rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
 delete mode 100644 rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml
 create mode 100644 rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
 delete mode 100644 rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml
 create mode 100644 rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
 delete mode 100644 rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
 delete mode 100644 rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
 create mode 100644 rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
 delete mode 100644 rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
 create mode 100644 rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
 delete mode 100644 rootfs/var/spool/incron/root

diff --git a/Dockerfile b/Dockerfile
index 83976bf..dbf13d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,6 @@ RUN apk --no-cache add \
     openssl \
     openssl-dev \
     lua-dev \
-    openldap-dev \
     libsodium-dev \
     linux-pam-dev \
     zlib-dev \
@@ -41,7 +40,6 @@ RUN cd /tmp/dovecot && \
     --with-ssl=openssl \
     --with-sodium \
     --without-sql \
-    --with-ldap \
     --with-lzma \
     --with-lz4 \
     --with-icu \
@@ -54,7 +52,6 @@ RUN cd /tmp/dovecot && \
 
 RUN cd /tmp/pigeonhole && \
     ./configure --prefix '' \
-    --with-ldap=yes \
     --with-dovecot=/lib/dovecot \
     --disable-static && \
     make && make install
@@ -79,7 +76,6 @@ RUN apk --no-cache add \
     ssmtp \
     ca-certificates \
     lua \
-    lua-ldap \
     inotify-tools
 
 RUN addgroup -g 150 dovecot
diff --git a/rootfs/bin/restart-services b/rootfs/bin/restart-services
deleted file mode 100755
index bb0b976..0000000
--- a/rootfs/bin/restart-services
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-s6-svc -t /var/run/s6/services/dovecot
diff --git a/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
deleted file mode 100644
index 07b70b0..0000000
--- a/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[template]
-src = "app-passwords-lookup.lua.tmpl"
-dest = "/etc/dovecot/app-passwords-lookup.lua"
diff --git a/rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml b/rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml
deleted file mode 100644
index 4a883bb..0000000
--- a/rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[template]
-src = "auth-ldap.conf.ext.tmpl"
-dest = "/etc/dovecot/conf.d/auth-ldap.conf.ext"
diff --git a/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml b/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
new file mode 100644
index 0000000..cd6108e
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "auth-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/conf.d/auth-oauth2.conf.ext"
diff --git a/rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml b/rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml
deleted file mode 100644
index 58fe3df..0000000
--- a/rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[template]
-src = "dovecot-ldap.conf.ext.tmpl"
-dest = "/etc/dovecot/dovecot-ldap.conf.ext"
diff --git a/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml b/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
new file mode 100644
index 0000000..1d9e173
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "dovecot-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/dovecot-oauth2.conf.ext"
diff --git a/rootfs/etc/confd/templates/10-auth.conf.tmpl b/rootfs/etc/confd/templates/10-auth.conf.tmpl
index f7c7b0f..e3d8a9e 100644
--- a/rootfs/etc/confd/templates/10-auth.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-auth.conf.tmpl
@@ -1,4 +1,4 @@
 auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
 auth_username_format = %Lu
 auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
-!include auth-ldap.conf.ext
+!include auth-oauth2.conf.ext
diff --git a/rootfs/etc/confd/templates/10-ssl.conf.tmpl b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
index f2a7346..9f2017f 100644
--- a/rootfs/etc/confd/templates/10-ssl.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
@@ -1,6 +1,6 @@
 ssl = yes
-ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
-ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
+ssl_cert = </etc/ssl/mail/tls.crt
+ssl_key = </etc/ssl/mail/tls.key
 ssl_dh=</etc/ssl/mail/dh.pem
 ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
 ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
diff --git a/rootfs/etc/confd/templates/90-sieve.conf.tmpl b/rootfs/etc/confd/templates/90-sieve.conf.tmpl
index 0bd3437..38b87a2 100644
--- a/rootfs/etc/confd/templates/90-sieve.conf.tmpl
+++ b/rootfs/etc/confd/templates/90-sieve.conf.tmpl
@@ -3,6 +3,6 @@ protocol sieve {
 }
 
 plugin {
-  sieve = ldap:/etc/dovecot/sieve-ldap.conf;bindir=~/.sieve-bin/
+  sieve = bindir=~/.sieve-bin/
   sieve_after = /var/lib/vmail/sieve-after/
 }
diff --git a/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl b/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
deleted file mode 100644
index 3c697b8..0000000
--- a/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
+++ /dev/null
@@ -1,55 +0,0 @@
-require "lualdap"
-
-function auth_passdb_lookup(req)
-    local ldap_host = "{{ getenv "LDAP_HOST" }}"
-    local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
-    local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
-    local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
-
-    ld = assert (lualdap.open_simple(
-        ldap_host,
-        ldap_bin_dn,
-        ldap_bind_password,
-        ldap_use_tls))
-
-    local username = req.user
-    local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
-    local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
-    local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
-
-    local user_count = 0
-    for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
-        user_count = user_count + 1
-    end
-
-    local return_code = dovecot.auth.PASSDB_RESULT_NEXT
-    local return_text = ""
-
-    local user_exists = user_count == 1
-    if user_exists then
-        local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
-        local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
-        local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
-        local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
-
-        local user_password = req.password
-
-        for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
-            req:log_info(string.format("trying %s...", dn))
-
-            local test_conn = lualdap.open_simple(
-                ldap_host,
-                dn,
-                user_password,
-                ldap_use_tls)
-            if test_conn ~= nil then
-                req:log_info(string.format("%s suceeded!", dn))
-                return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
-            end
-        end
-    else
-        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
-    end
-
-    return return_code, return_text
-end
diff --git a/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl b/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
deleted file mode 100644
index 64048e4..0000000
--- a/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
+++ /dev/null
@@ -1,14 +0,0 @@
-passdb {
-  driver = ldap
-  args = /etc/dovecot/dovecot-ldap.conf.ext
-}
-
-passdb {
-   driver = lua
-   args = file=/etc/dovecot/app-passwords-lookup.lua
-}
-
-userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
-}
diff --git a/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
new file mode 100644
index 0000000..0e6f13e
--- /dev/null
+++ b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
@@ -0,0 +1,10 @@
+passdb {
+  driver = oauth2
+  mechanisms = xoauth2 oauthbearer
+  args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
+
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
+}
diff --git a/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
deleted file mode 100644
index 2bc6c91..0000000
--- a/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-uris = ldap://{{getenv "LDAP_HOST"}}
-dn = {{getenv "LDAP_BIND_DN"}}
-dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
-tls = {{getenv "LDAP_USE_TLS" "yes"}}
-auth_bind = yes
-base = {{getenv "LDAP_BASE_DN"}}
-scope = {{getenv "LDAP_SCOPE" "subtree"}}
-pass_attrs = {{getenv "LDAP_USER_ATTRIBUTE" "cn"}}=user,{{getenv "LDAP_PASSWORD_ATTRIBUTE" "userPassword"}}=password
-pass_filter = {{getenv "LDAP_PASS_FILTER"}}
diff --git a/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
new file mode 100644
index 0000000..c3fa543
--- /dev/null
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
@@ -0,0 +1,6 @@
+tokeninfo_url = {{ getenv "TOKENINFO_URL" }}
+introspection_url = {{ getenv "INTROSPECTION_URL" }}
+#force_introspection = yes
+username_attribute = email
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+
diff --git a/rootfs/var/spool/incron/root b/rootfs/var/spool/incron/root
deleted file mode 100644
index c928fff..0000000
--- a/rootfs/var/spool/incron/root
+++ /dev/null
@@ -1 +0,0 @@
-/etc/ssl/mail IN_ATTRIB /bin/restart-services