dfwarden · xaionaro · Oct 7, 2016 · Oct 7, 2016 · Oct 7, 2016 · Oct 7, 2016
diff --git a/cas_authn/cas_authn.php b/cas_authn/cas_authn.php
@@ -22,6 +22,7 @@
 class cas_authn extends rcube_plugin {
 
     private $cas_inited;
+    private $_cache_cfg = null;
 
     /**
      * Initialize plugin
@@ -33,6 +34,10 @@ function init() {
 
         // load plugin configuration
         $this->load_config();
+
+        if ($this->isDisabled()) {
+            return;
+        }
 
         // add application hooks
         $this->add_hook('startup', array($this, 'startup'));
@@ -42,14 +47,43 @@ function init() {
         $this->add_hook('template_object_loginform', array($this, 'add_cas_login_html'));
     }
 
+    /**
+     * Gets config and caches
+     *
+     * @return array configuration array
+     */
+    function getCfg() {
+        if (is_null($_cache_cfg)) {
+             $_cache_cfg = rcmail::get_instance()->config->all();
+        }
+        return $_cache_cfg;
+    }
+
+    /**
+     * Determine if this plugin should be disable for current request
+     *
+     * @return bool true -- disabled; false -- enabled
+     */
+    function isDisabled() {
+        $cfg = $this->getCfg();
+        if (is_array($cfg['cas_disable_for_domains'])) {
+            foreach ($cfg['cas_disable_for_domains'] as $domain_pattern) {
+                if (preg_match($domain_pattern, $_SERVER['SERVER_NAME'])) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Handle plugin-specific actions
      * These actions are handled at the startup hook rather than registered as
      * custom actions because the user session does not necessarily exist when
      * these actions need to be handled.
      *
      * @param array $args arguments from rcmail
-* @return array modified arguments
+     * @return array modified arguments
      */
     function startup($args) {
         // intercept PGT callback action from CAS server
@@ -106,13 +140,22 @@ function startup($args) {
             $user = phpCAS::getUser();
             $pass = '';
             // retrieve credentials, either a Proxy Ticket or 'masteruser' password
-            $cfg = rcmail::get_instance()->config->all();
+            $cfg = $this->getCfg();
             if ($cfg['cas_proxy']) {
                 $_SESSION['cas_pt'][php_uname('n')] = phpCAS::retrievePT($cfg['cas_imap_name'], $err_code, $output);
                 $pass = $_SESSION['cas_pt'][php_uname('n')];
             }
             else {
                 $pass = $cfg['cas_imap_password'];
+
+                if (!empty($cfg['cas_imap_masteruser'])) {
+                    if (!empty($cfg['username_domain'])) {
+                        $user .= '@'.rcube_utils::parse_host($cfg['username_domain']).'*'.$cfg['cas_imap_masteruser'];
+                        $cfg['username_domain'] = '';
+                    } else {
+                        $user .= '*'.$cfg['cas_imap_masteruser'];
+                    }
+                }
             }
 
             // Do Roundcube login actions
@@ -150,7 +193,7 @@ function startup($args) {
      */
     function imap_connect($args) {
         // retrieve configuration
-        $cfg = rcmail::get_instance()->config->all();
+        $cfg = $this->getCfg();
 
         // RoundCube is acting as CAS proxy
         if ($cfg['cas_proxy']) {
@@ -212,7 +255,7 @@ function imap_connect($args) {
      */
     function smtp_connect($args) {
         // retrieve configuration
-        $cfg = rcmail::get_instance()->config->all();
+        $cfg = $this->getCfg();
 
         // RoundCube is acting as CAS proxy and performing SMTP authn
         if ($cfg['cas_proxy'] && $args['smtp_user'] && $args['smtp_pass']) {
@@ -242,7 +285,7 @@ function smtp_connect($args) {
      */
     function sieverules_connect($args) {
         // retrieve configuration
-        $cfg = rcmail::get_instance()->config->all();
+        $cfg = $this->getCfg();
 
         // RoundCube is acting as CAS proxy
         if ($cfg['opt_cas_proxy']) {
@@ -268,10 +311,12 @@ function add_cas_login_html($args) {
         $RCMAIL = rcmail::get_instance();
         $this->add_texts('localization');
         // retrieve configuration
-        $cfg = rcmail::get_instance()->config->all();
+        $cfg = $this->getCfg();
+
+        $this->cas_init();
 
         // Force CAS authn?
-	if($cfg["cas_force"]) {
+	if($cfg["cas_force"] && !phpCAS::checkAuthentication()) {
             global $OUTPUT;
             $OUTPUT->redirect(array('action' => 'caslogin'));
         }
@@ -304,7 +349,7 @@ private function cas_init() {
 		session_destroy();
 	    }
 
-            $cfg = rcmail::get_instance()->config->all();
+            $cfg = $this->getCfg();
 
             // include phpCAS
             require_once('CAS.php');
@@ -395,7 +440,7 @@ private function generate_url($params) {
                 $delm = '&';
             }
         }
-        $cfg = rcmail::get_instance()->config->all();
+        $cfg = $this->getCfg();
         if ( $cfg['cas_webmail_server_name'] ) {
           $serverName = $cfg['cas_webmail_server_name'];
         } else {

diff --git a/cas_authn/config.inc.php.dist b/cas_authn/config.inc.php.dist
@@ -9,6 +9,10 @@
 //     the CAS login URL. This means nobody will ever see the RC login page.
 $rcmail_config['cas_force'] = false;
 
+// Disable this plugin for 'SERVER_NAME' that matches to a pattern from the
+//     array:
+$rcmail_config['cas_disable_for_domains'] = array("/nocas\.example\.com/", "/.*\.nocas\.example\.com/");
+
 // whether to act as a CAS proxy. If set to true, a proxy ticket will be
 //     retrieved from the CAS server to be used as password for logging into
 //     the IMAP server. This is the preferred method of authenticating
@@ -48,6 +52,15 @@ $rcmail_config['cas_imap_pt_expiration_time'] = 300;
 //     authorized users.
 $rcmail_config['cas_imap_password'] = '';
 
+// Don't authenticate to IMAP using user's username. Use "username*masteruser" instead.
+//     If user's username is "[email protected]" and master's username is "[email protected]"
+//     then the plugin will authenticate using username "[email protected]*[email protected]".
+//     See "http://wiki2.dovecot.org/Authentication/MasterUsers" for more information.
+//     This option is ignored if "cas_proxy" is set to true.
+//
+//     To disable this option -- just comment it out.
+//$rcmail_config['cas_imap_masteruser'] = '[email protected]';
+
 // CAS server host name.
 $rcmail_config['cas_hostname'] = 'address.of.cas.server';