From 1a8273ead553b35eefec7b9bfc94347e905a478c Mon Sep 17 00:00:00 2001 From: Hivert Quentin Date: Wed, 11 Jun 2025 12:52:26 +0200 Subject: [PATCH] add openid auth bearer --- API/SOGoAPIDispatcher.m | 67 ++++++++++++++------------ API/SOGoAPIUserFolder.m | 77 ++++++++++++++---------------- SoObjects/SOGo/SOGoOpenIdSession.m | 9 +++- 3 files changed, 82 insertions(+), 71 deletions(-) diff --git a/API/SOGoAPIDispatcher.m b/API/SOGoAPIDispatcher.m index 47298a93a..a6992481c 100644 --- a/API/SOGoAPIDispatcher.m +++ b/API/SOGoAPIDispatcher.m @@ -31,48 +31,21 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include "SOGoAPIDispatcher.h" #import -#import -#import -#import -#import - #import -#import -#import #import #import -#import - -#import -#import -#import -#import - -#import - -#import -#import -#import #import #import #import - -#import -#import -#import -#import -#import #import #import -#import #import -#import #import #import #import #import #import -#import +#import void handle_api_terminate(int signum) 
@@ -206,6 +179,39 @@ void handle_api_terminate(int signum) return user; } +- (NSDictionary *) _authOpenId: (NSString *) auth withDomain: (NSString *) domain +{ + NSDictionary *user; + NSString *token, *login; + SOGoOpenIdSession *openIdSession; + SOGoUserManager *lm; + + user = nil; + token = [[auth substringFromIndex:6] stringByTrimmingLeadWhiteSpaces]; + + openIdSession = [SOGoOpenIdSession OpenIdSession: domain]; + if(![openIdSession sessionIsOk]) + { + [self errorWithFormat: @"API - OpenId server not found or has unexpected behavior, contact your admin."]; + return nil; + } + + [openIdSession setAccessToken: token]; + login = [openIdSession login: @""]; + + if(login && ![login isEqualToString: @"anonymous"]) + { + //Fecth user info + lm = [SOGoUserManager sharedUserManager]; + user = [lm contactInfosForUserWithUIDorEmail: login]; + } + else + user = nil; + + return user; +} + + - (NSException *) dispatchRequest: (WORequest*) theRequest inResponse: (WOResponse*) theResponse context: (id) theContext @@ -323,8 +329,9 @@ void handle_api_terminate(int signum) } else if([[auth lowercaseString] hasPrefix: @"bearer"]) { - //openid auth - + //openid auth, we may need to know the user-domain to know which openid server to fetch + NSString *domain = [theRequest headerForKey: @"user-domain"]; + user = [self _authOpenId: auth withDomain: domain]; } else { diff --git a/API/SOGoAPIUserFolder.m b/API/SOGoAPIUserFolder.m index 371d946ca..90f9406c6 100644 --- a/API/SOGoAPIUserFolder.m +++ b/API/SOGoAPIUserFolder.m 
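Review bot: `_authOpenId:withDomain:` contacts the OpenID provider even when the header carries no credential: for an `Authorization` value that is just the scheme, `[auth substringFromIndex:6]` is an empty string and it is still handed to `setAccessToken:` and `login:`. Add `if (![token length]) return nil;` right after the trim so an empty token is rejected locally and never produces a round trip to the provider. The two error logs would be easier to correlate if they carried the domain, e.g. `[self errorWithFormat: @"API - OpenId server not found or has unexpected behavior for domain %@, contact your admin.", domain];`. The `else user = nil;` branch is redundant since `user` is initialised to nil above, and the comment `//Fecth user info` should read "Fetch".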
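Review bot: The domain that selects the OpenID configuration is taken verbatim from the client-supplied `user-domain` request header and passed to `_authOpenId:withDomain:` without being checked against the configured domains, so the caller rather than the server picks which provider is asked to validate the token. If `OpenIdSession:` accepts arbitrary or nil domain values (not visible from here), validate the header against the known domain list before the call, and confirm that the `login` returned for the token belongs to `domain` before it is resolved with `contactInfosForUserWithUIDorEmail:`. A missing header leaves `domain` nil; the comment should state what a nil domain means for `OpenIdSession:` (default configuration or rejection), since the current text only says the domain "may" be needed. `dispatchRequest:inResponse:context:` starts and ends outside the hunk.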
@@ -23,54 +23,51 @@ - (NSDictionary *) action: (WOContext*) ctx withParam: (NSDictionary *) param { - /* - Coté sogo, il faudrait un endpoint API qui retourne tous les liens caldav/cardav + leur nom lisible de l’utilisateur. - */ -NSDictionary* result; -NSArray *folders; -NSMutableArray *cardavLinks, *caldavLinks; -NSString *serverUrl, *basePath, *c_uid, *url; -GCSFolderManager *fm; -int max, i; + NSDictionary* result; + NSArray *folders; + NSMutableArray *cardavLinks, *caldavLinks; + NSString *serverUrl, *basePath, *c_uid, *url; + GCSFolderManager *fm; + int max, i; -//Should be a user -c_uid = [[[param objectForKey: @"user"] objectForKey: @"emails"] objectAtIndex: 0]; + //Should be a user + c_uid = [[[param objectForKey: @"user"] objectForKey: @"emails"] objectAtIndex: 0]; -//fetch folders -fm = [GCSFolderManager defaultFolderManager]; -basePath = [NSString stringWithFormat: @"/Users/%@", c_uid]; -folders = [fm listSubFoldersAtPath: basePath recursive: YES]; + //fetch folders + fm = [GCSFolderManager defaultFolderManager]; + basePath = [NSString stringWithFormat: @"/Users/%@", c_uid]; + folders = [fm listSubFoldersAtPath: basePath recursive: YES]; -//Generate dav link -max = [folders count]; -serverUrl = [[ctx serverURL] absoluteString]; + //Generate dav link + max = [folders count]; + serverUrl = [[ctx serverURL] absoluteString]; -cardavLinks = [NSMutableArray array]; -caldavLinks = [NSMutableArray array]; -serverUrl = [[ctx serverURL] absoluteString]; -for (i = 0; i < max; i++) -{ - url = [NSString stringWithFormat: @"%@/SOGo/dav/%@/%@", serverUrl, c_uid, [folders objectAtIndex: i]]; - if([url rangeOfString:@"/Calendar/"].location == NSNotFound) + cardavLinks = [NSMutableArray array]; + caldavLinks = [NSMutableArray array]; + serverUrl = [[ctx serverURL] absoluteString]; + for (i = 0; i < max; i++) { - //Contacts - [cardavLinks addObject: url]; + url = [NSString stringWithFormat: @"%@/SOGo/dav/%@/%@", serverUrl, c_uid, [folders objectAtIndex: i]]; + if([url 
rangeOfString:@"/Calendar/"].location == NSNotFound) + { + //Contacts + [cardavLinks addObject: url]; + } + else + { + //Calendar + [caldavLinks addObject: url]; + } } - else - { - //Calendar - [caldavLinks addObject: url]; - } -} -result = [[NSDictionary alloc] initWithObjectsAndKeys: - c_uid, @"username", - cardavLinks, @"contact", - caldavLinks, @"calendar", - nil]; + result = [[NSDictionary alloc] initWithObjectsAndKeys: + c_uid, @"username", + cardavLinks, @"contact", + caldavLinks, @"calendar", + nil]; -[result autorelease]; -return result; + [result autorelease]; + return result; } diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m index 38710f4a1..aa2fc3dc7 100644 --- a/SoObjects/SOGo/SOGoOpenIdSession.m +++ b/SoObjects/SOGo/SOGoOpenIdSession.m @@ -54,6 +54,13 @@ static BOOL SOGoOpenIDDebugEnabled = YES; return NO; } sd = [SOGoSystemDefaults sharedSystemDefaults]; + + if(![[sd authenticationType] isEqualToString: @"openid"]) + { + [self errorWithFormat: @"Sogo SOGoAuthenticationType is not openid"]; + return NO; + } + return ([sd openIdConfigUrl] && [sd openIdScope] && [sd openIdClient] && [sd openIdClientSecret]); } @@ -120,7 +127,7 @@ static BOOL SOGoOpenIDDebugEnabled = YES; } else { - [self errorWithFormat: @"Missing parameters from sogo.conf"]; + [self errorWithFormat: @"LoginTypebyDOmain - Openid not found or missing parameters for domain", _domain]; } } else if ([[self class] checkUserConfig])
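Review bot: The new `return NO` in the `@@ -54,6 +54,13 @@` hunk is logged at error level with a fixed message, so a deployment whose `SOGoAuthenticationType` is anything else emits `Sogo SOGoAuthenticationType is not openid` every time the check runs. If `sessionIsOk` in the API dispatcher routes through this method (I cannot see it from here), that line is produced by any unauthenticated request carrying a Bearer header, which argues for a lower log level or logging it once rather than per request. Printing the configured value also helps triage: `[self errorWithFormat: @"SOGoAuthenticationType is %@, expected openid", [sd authenticationType]];`. The enclosing method starts outside the hunk.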
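Review bot: The new log line in the `@@ -120,7 +127,7 @@` hunk passes `_domain` as a format argument but the format string contains no `%@` placeholder, so the domain is never printed and the extra argument is silently ignored; `[self errorWithFormat: @"LoginTypebyDomain - Openid not found or missing parameters for domain %@", _domain];` fixes that and the `DOmain` typo. Without the placeholder an operator cannot tell from the log which domain's OpenID parameters are missing. The enclosing method starts and ends outside the hunk.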