From 576f19df7ef27ede1419e0d86c84a6b9af6e31d4 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Mon, 23 Aug 2021 18:44:16 +0200
Subject: [PATCH] use lua lookup for userdb
---
 .../confd/templates/auth-oauth2.conf.ext.tmpl | 9 +++-
 .../dovecot-oauth2.token.conf.ext.tmpl | 1 +
 rootfs/etc/dovecot/oauth2-userdb.lua | 44 +++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 rootfs/etc/dovecot/oauth2-userdb.lua
diff --git a/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
index f8392e2..b0fef79 100644
--- a/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
@@ -10,7 +10,12 @@ passdb {
 args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
 }
 
+#userdb {
+# driver = static
+# args = uid=vmail gid=vmail username_format=%n home=/var/lib/vmail/mail/%n
+#}
+
 userdb {
- driver = static
- args = uid=vmail gid=vmail username_format=%n home=/var/lib/vmail/mail/%n
+ driver = lua
+ args = file=/etc/dovecot/oauth2-userdb-lua blocking=yes
 }
diff --git a/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl
index 4ece4cd..f6b5597 100644
--- a/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl
@@ -9,3 +9,4 @@ use_grant_password = no
 pass_attrs = pass=%{oauth2:access_token}
 debug = yes
 username_format = %n
+
diff --git a/rootfs/etc/dovecot/oauth2-userdb.lua b/rootfs/etc/dovecot/oauth2-userdb.lua
new file mode 100644
index 0000000..82791d7
--- /dev/null
+++ b/rootfs/etc/dovecot/oauth2-userdb.lua
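Review bot: The new `args` line points the lua driver at `/etc/dovecot/oauth2-userdb-lua`, but the file this commit creates is `rootfs/etc/dovecot/oauth2-userdb.lua`, so the userdb will fail to load unless the script is also installed under the dash name; the line should read `args = file=/etc/dovecot/oauth2-userdb.lua blocking=yes`. The removed static driver carried `username_format=%n`, which the lua driver's args no longer do; whether the `%n` inside the `home=` field returned by the script is expanded by dovecot is not visible here and is worth confirming before relying on it. The commented-out copy of the old `userdb` block above it is dead text in a generated template and could be dropped, since git keeps the history.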
@@ -0,0 +1,44 @@
+local rapidjson = require('rapidjson')
+
+local clientId = os.getenv("CLIENT_ID")
+local clientSecret = os.getenv("CLIENT_SECRET")
+local username = os.getenv("OAUTH_ADMIN_USER")
+local password = os.getenv("OAUTH_ADMIN_PASSWORD")
+local tokenUrl = os.getenv("GRANT_URL")
+local userUrl = os.getenv("USER_URL")
+
+function os.capture(cmd, raw)
+ local f = assert(io.popen(cmd, 'r'))
+ local s = assert(f:read('*a'))
+ f:close()
+
+ return s
+end
+
+function auth_userdb_lookup(req)
+ local tokenCmd = "curl -L --silent -X POST -d \"grant_type=password\""
+ tokenCmd = tokenCmd .. " -d \"client_id=" .. clientId .. "\""
+ tokenCmd = tokenCmd .. " -d \"client_secret=" .. clientSecret .. "\""
+ tokenCmd = tokenCmd .. " -d \"username=" .. username .. "\""
+ tokenCmd = tokenCmd .. " -d \"password=" .. password .. "\""
+ tokenCmd = tokenCmd .. " \"" .. tokenUrl .. "\""
+
+ local tokenRaw = os.capture(tokenCmd)
+ local tokenJson = rapidjson.decode(tokenRaw)
+ local accessToken = tokenJson.access_token
+
+ local userCmd = "curl -L --silent -H \"Authorization: Bearer " .. accessToken .. "\" \"" .. userUrl .. req.username .. "\""
+ local userRaw = os.capture(userCmd)
+ local userJson = rapidjson.decode(userRaw)
+
+ if #userJson == 0 then
+ return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+ end
+
+ if userJson[1].username == req.username then
+ return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail home=/var/lib/vmail/mail/%n"
+ end
+
+ return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+end
+
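Review bot: `req.username`, the login name a remote client chooses, is concatenated unescaped into `userCmd` and run through `io.popen`, so it reaches the shell with nothing but a pair of double quotes around it and is also appended raw to the request URL; the lookup should reject anything outside a strict character set before the string is used anywhere. Both `rapidjson.decode` calls are unguarded: curl returning an empty body on a network error makes `decode` raise, and `tokenJson.access_token` on a non-table does the same, so a transient IdP failure surfaces as a Lua error instead of `dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE`. Putting `CLIENT_SECRET` and `OAUTH_ADMIN_PASSWORD` on the curl command line also exposes them in the process list to every local user on the host; passing them through `--config` or `--data-urlencode name@file` keeps them out of `ps`. `os.capture` monkey-patches the global `os` table, ignores its `raw` argument and discards the status from `f:close()` (meaningful on Lua 5.2+); a file-local `capture` that returns both values is cleaner. The same guarded-decode shape should be applied to the token request, which the excerpt below leaves unchanged.
```lua
local function capture(cmd)
  local f = assert(io.popen(cmd, 'r'))
  local s = f:read('*a')
  local ok = f:close()   -- exit status on Lua 5.2+; 5.1 only returns true
  return s, ok
end

function auth_userdb_lookup(req)
  -- … unchanged: token request and accessToken extraction …

  -- refuse anything that could escape the quoted shell argument or alter the URL path
  if type(req.username) ~= "string" or not req.username:match("^[%w%.%-_]+$") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
  end

  local userCmd = "curl -L --silent -H \"Authorization: Bearer " .. accessToken .. "\" \"" .. userUrl .. req.username .. "\""
  local decoded, userJson = pcall(rapidjson.decode, (capture(userCmd)))
  if not decoded or type(userJson) ~= "table" then
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "user lookup failed"
  end

  -- … unchanged: empty-result and username comparison checks …
```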