½gXb†föÎB#¨ˆêØ)ªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIß4&ðºDÝ.5ú;³AÏ³Þ†:ü}W¹«Û»¨õ¼p%¡©äè”ûÔ7Þ”²ž_”#žÐâ5üLÂ<mÃ‹$ã mèJÑ$Þl“`ÉäHÜ¹¾&ºÏ9Iëc×sàúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]O5&'0…·ÝºÚoaW	I¿<áÁëî7
ÉA—ÆR(ÿ=³Ò£ÃFIÎ§ÅZœª)SÙÊ¯u›N4«ý——0šúw½ÊgÖFœN5¶·Ký]O~¤*™ b£-!&iª˜Ùúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oê'pµøÂ¾g`««ÈB§L™Vçœ¿“û:þ"EqŠôã•¸QR:ÅárÄU!îttO•p­x5>¬@?sóÚs®\òÀ,óøÊþfÒa\eðž¤C®h¾›É›+æM“¯ ÎÂîM«¡àXå,¬½-º\_Œ[¿½®‚6¥E·q_uC”¢ó^a›vh²->]+óŒ/½‹öWìg¾¢×¿·ÿ>|ºüüÕ÷€â"×d2ŸD„œŒ^1=“«]ŠmÂúw½ÊgÖFœN5¶·Ký]OÝElfÛ5ÇàFÓ \Áúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oþ’[_·×®æ¢ |Sü: jJË®ñô9ÏA¶é÷¿yúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]OPjqÆWéMùJ€AÞz«žmmƒÐ,'à·‡ËoY­ÌÈRš²Þ àé«Q©|AÖwúw½ÊgÖFœN5¶·Ký]Oúw½ÊgÖFœN5¶·Ký]OQ+RýÅžÔ²&M.ÅxªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIß„”}•æBóúškH1å<÷ýhKÏÀ­‡±tc<ýBÒŠ\=Õ,½94%âGkQ²†êf
*<wGî	úw½ÊgÖFœN5¶·Ký]O‘1èñ”%éÉ#zÕhÜªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßªÛ»bi—s²_‹ØIIßÊÂ¯‡ ¶Ø<è£ÔòlÿÇ"a•“\Wo1>*(xõÆ·²Í%¸Ž+Ä\"tÔ—žý€˜Žørû”èc<êk¹•û™u=çÖêxí¢¯ýaã*:fNºÑaœ93%<3‡ÝéÿÛ=\á›Ý“ˆÈ×Ã½LˆÚ¶Zp`šgªBtÖZªã¡¥ÐO5k˜ºËô4äS”ºb·d•ã‹ƒþ%µP6	ÏdAúo—$3Õ§¦ö“a½yÊÓXËD:ÝóFeìæÖKI¯$¤5à.°Ý¼U¬ógŸN…3Å,d±D…ÌqP´î2´iÏìÍºÄ¡ôU[êXrëhÊùÓ‡’9à#'@ê¾¼	B*WDñ¹4*´¨þÿ—ÿ×vŒ0U;%8–ÊŠ:8)Æ‰@|"\ßžÓx€è…Áòêl»°û	×§ìR„£@HKvÀÏKw"o£ÆaÒÍ:2H÷ð»„m.q±ÅàC d¥µ©½*Ö¤R3½lL%Œc)%ÖCÈŠÖáå¥€ÍvRý‰(3eÁSë'Nâê6Õ,4NÝ½uƒ1¨=uÞ¶„ÓŠÊJÅ3ÿ¥Z³­oÏ8Œ°ÿ©5sÊ¨åÈ?[#?&”šèÌylï=±fû'ZiÂAû"äØètZBãa†Œ[L~üÑ¦&ÒŽJn¾Ç0‘ÿQÊåÆ‰¢‡žÏ­ÿÁç~þÍ›§‡$¦H
F L{§¬íe,*Z÷X2Ê(ß ™äù¯®ó8îñe«I¼Û¤>Û®‚RrFšóxx˜ôç3ŽXW@ÅüðL¾VÂn"µ¾ä3(-WU¤Õ”™ûl†XˆMoM_p3““‡`ÒüäUa¿ÒTleâ8ë8¦§T™+ßŒæ•aV-	½«Ô]?’ÕŒl?CßÑÀ‚ip¤¢·»þüôÚuy¨áW‚­û) g¦äOG,ì.SŠå\.á¿Ô•Á·Ñ.úØœ5¶g›®Æ¡ÚÀqU»"ø’Øq°Ý92ŠÑbµ,ÌSAäs]§i-F‰yËéÿíš+•=_ÂUŽIc^Ÿ¶=|¡,dàx7p	²ç¢€“µxÌÃ‰]0¥=íÀb«Q„"2x¯óxD«W+ƒ$ã6­?D3! šöŸ»Ý÷3…OÍgš‚ÀàOÍ„;Œ,I)`…Múêc'ÂöËç7óÃÚF,;.¹*+~ ª*–qð"¢ïÌ ñh‡§†MwIF~ìE2,škqÔCYÕ[•¨éëMÊN·,öt&ZÝÒØÕ[à–Œs.KJ§ú’Ö°:êüÓJÈñEöNŽg§ƒõl’ÄJ=nP0nŽí¡ÙöNÊýù¸CiÀã³S¥Mâ„2À{„iuVw“E¯ {hLH·ŒlKÇÁiD©`ëÙ…Î3]³ky¤ý*-|<ç·â‚`m×‡~°rÀ†˜ùlÞªh¿¸×ƒý>–ÖýØ­”!fD1Šrè°3DGv¹]bçi¿|ßÄ3jð é¡€ekgœ£g!SÀ	®¹R½ÈsíñVo-DcïEËEí¾g‚Ò³ªÊ‘Éi
éšcv_Ùìö'bã:î(Æ•^
Ã`qd/-é›õ±[L1’Wœ;‘4Ò2.!4 GˆÖBÒ$×æÝŽµÝ–©?FÚUÉÞC6ÆÛ÷e„Ï˜é@.
 `u†ÈJáÂAÍ@[P£ü'Z•·¾[0øý'>öEñtßú®°xtª–¯"Ê/î½ôƒ˜ÿ#?™—õÖÐ  ‘	¡Dµ•{ç]˜`.bkõÄD1ü.>ÇÑÆÝÍ@[P£ü'Z•·¾[0øýú¶{Â J˜›Ež°ºlV}šx5óÎŸÿ/§‰¿Þµî§õÖÐ  ‘	¡Dµ•{ç]˜ºn;üÒG62 )uÍ@[P£ü'Z•·¾[0øýú¶{Â J˜›Ež°ºlVS²†)æ‚àu£ìhk4Æ¿*>¦^ÈÜ'5]ï±ÞIúHð_cŠcÁl6Hµ}·îþN‚ŠS¡(_Ž¹ii¨øÕ„ûñ;ê¤FÚ‚µ•ºÍãšt7_§Ñòû³›Ïâ®Ñ*N¥ÔáLÃŸH½&Ù%q#€¢-‘.$®~¡p-‰øIs©-XXÐ ò›
çØgQ?Æ;=™Êk±Òõ²+í²ø=GXÊ i×Ñèî[Žt½M:·sƒ9TÃE‚ãê¿5NÕ ¦úËTUæÃ¶ênŠ—Ær™) ÃòöéŽM[úûoú]•¼q9ÎÎ–~ó-gÐÝmÂÕ¡±yÃ/G æ[mÐöw]`/YøÔ„ýÖ/	ž„×´±uszW¼5ªÿJÞHøáÌÆ‡îþN‚ŠS¡(_Ž¹ii¨øÕ„ûñ;ê¤FÚ‚µ•ºÍã¢MîXv!=Ÿa˜U½EYÉ¨gä«=³Ì¤*wœ	¬Âg Y6á;žŠú©‚«jÑ=JÎH,{jÀ·Ý‚{@Ì]£^ï§ ¶!&›ÙmÏ¢¶K)CSd"Ò8!MO¿in
IÎt‘n”à+7t€gà¶wÂˆÚ-ëD8[£Eÿár:I„ÁaC6Ä)®¥oÊ) H_YØbò¸¾¾úno»íå6ºw‡z£È[Á¿ç>YÁ¡ŸnÂ²	0Môævk›:ÈêG-nXSùEòíž¶ub‚ÏÃvI…à?VoÄc)€p N¯ßÊ‹ñ‹f…Ä¨vÄ–¼ò	Ë¿–ŸË¥HOØjº_'Œt‹K…ƒ6öc®³­ÿP@?Û‡ò½åúäçA¼ë¨*ñI²© ’Ø1úßCóËÔ–oùÜ?“+rxW¦ÇÍa‘"2ñ‚Û%½>Sw±ÎƒöÎc]I¶ÑÈýÊ˜%ï„Ò°AöëoÇéF†á°¹I-š=þ'‰Ñà±‚n\‹õ_vËÿÇz”T£1çÙ.°â?èÈþ«w—/4@?©­8;rŽÏ¬˜Í3øØkU%™2ø…/aŸ7ÎËy÷"P§dÀ2ÔÞ®AõhcÍ ®xÊZ †wG>ë™‡Ãœ9Â€ˆ}õ§¦¶§—C« )×˜Nòú.ºÖ'‚5ÜÍ«x¥ª½aâ %â	¶l¿&.ªG‚H°fÌÈ-½&=}JæJÂ“dÝYªS®À>çì¼óó÷\RýM©hiUå\<âÌë?…„ÙPœEë‹w¬oyÙ&	#
ÚHPbcõ7Q\˜ø,†Ç°_Ð…CçzWa«Œ˜Cºÿ³Ú‹-Å9ð(føÏ/\cÙØ ßÉÚZÉˆ°²ü†ÒÛB€Åª
˜ÚÛ‰²ÜsÓ½@k ×‚ŽÓÝùÔÒŽK>Kª7sL4‡°°OÁtº=í‡ˆ§UBþÅö÷©l‹Œ²$Ä˜ß:æ)ODí'Õxà`\«5ÑFéŠ8+
]CJè‘`T9eäl(’%|J•Ô{îþN‚ŠS¡(_Ž¹ii¨Ü¨Ä/,ÇvË‘ö*v¸˜ý>#„ã^©DÔ—"/ÃM"›Šñ:*Ô¯	»ïåY#¬Õ8ëå'=µh
¯‹kš1à*!>z€ß¤«<ð·ÖlêôÌäæ:o­‹–Éø™]	…¦jÙ°SäÍî@XPZ§Øó›xÀ Ž9¯™cò¤¡ÏÙüŸûg^tÕ,¢"yaÓôÆ‹¤z… r™5î—ð¶§—C« )×˜Nòú.ºÖ'‚5ÜÍ«x¥ª½aâ %â	¶l¿&.ªG‚H°fÅ
Üâ‡$ujQ¼½$ÇqÍ((Û LÂÅLG¦¬¤Ræ¤P—Y—²-ÅÁÜL¦­gñ;¡C¹¯F_ëÞ» ›¶'¯A­jP–%ÞgÄÜ˜AÎÐÝ¿qPb¶‚–Ë–Ga®}¾«qƒxÞðH²ßl¿B‰•àg=õS)÷HÜºAà€	P¿‚öLXŽ¬Þ„
ðÅ*iùúGÑæ¶MwÁ}K8Ã$»)ØgÙÎz ß\c$^þH¦ú€¡G6 6#ùû¡Èeèempty($this->options['provider']) &&
            !empty($this->options['token_uri']) &&
            !empty($this->options['client_id']);
    }

    /**
     * Compose a fully qualified redirect URI for auth requests
     *
     * @return string
     */
    public function get_redirect_uri()
    {
        $url = $this->rcmail->url([], true, true);

        // rewrite redirect URL to not contain query parameters because some providers do not support this
        $url = preg_replace('/\?.*/', '', $url);

        return slashify($url) . 'index.php/login/oauth';
    }

    /**
     * Getter for the last error occurred
     *
     * @return mixed
     */
    public function get_last_error()
    {
        return $this->last_error;
    }

    /**
     * Helper method to decode a JWT
     * 
     * @param string $jwt
     * @return array Hash array with decoded body
     */
    public function jwt_decode($jwt)
    {
        list($headb64, $bodyb64, $cryptob64) = explode('.', strtr($jwt, '-_', '+/'));

        $header = json_decode(base64_decode($headb64), true);
        $body   = json_decode(base64_decode($bodyb64), true);

        if (isset($body['azp']) && $body['azp'] !== $this->options['client_id']) {
            throw new RuntimeException('Failed to validate JWT: invalid azp value');
        }
        else if (isset($body['aud']) && !in_array($this->options['client_id'], (array) $body['aud'])) {
            throw new RuntimeException('Failed to validate JWT: invalid aud value');
        }
        else if (!isset($body['azp']) && !isset($body['aud'])) {
            throw new RuntimeException('Failed to validate JWT: missing aud/azp value');
        }

        return $body;
    }

    /**
     * Login action: redirect to `oauth_auth_uri`
     *
     * @return void
     */
    public function login_redirect()
    {
        if (!empty($this->options['auth_uri']) && !empty($this->options['client_id'])) {
            // create a secret string
            $_SESSION['oauth_state'] = rcube_utils::random_bytes(12);

            // compose full oauth login uri
            $delimiter = strpos($this->options['auth_uri'], '?') > 0 ? '&' : '?';
            $query = http_build_query([
                'response_type' => 'code',
                'client_id'     => $this->options['client_id'],
                'scope'         => $this->options['scope'],
                'redirect_uri'  => $this->get_redirect_uri(),
                'state'         => $_SESSION['oauth_state'],
            ] + (array) $this->options['auth_parameters']);
            $this->rcmail->output->redirect($this->options['auth_uri'] . $delimiter . $query);  // exit
        }
        else {
            // log error about missing config options
            rcube::raise_error([
                    'message' => "Missing required OAuth config options 'oauth_auth_uri', 'oauth_client_id'",
                    'file'    => __FILE__,
                    'line'    => __LINE__,
                ], true, false
            );
        }
    }

    /**
     * Request access token with auth code returned from oauth login
     *
     * @param string $auth_code
     * @param string $state
     *
     * @return array Authorization data as hash array with entries
     *   `username` as the authentication user name
     *   `authorization` as the oauth authorization string "<type> <access-token>"
     *   `token` as the complete oauth response to be stored in session
     */
    public function request_access_token($auth_code, $state = null)
    {
        $oauth_token_uri     = $this->options['token_uri'];
        $oauth_client_id     = $this->options['client_id'];
        $oauth_client_secret = $this->options['client_secret'];
        $oauth_identity_uri  = $this->options['identity_uri'];

        if (!empty($oauth_token_uri) && !empty($oauth_client_secret)) {
            try {
                // validate state parameter against $_SESSION['oauth_state']
                if (!empty($_SESSION['oauth_state']) && $_SESSION['oauth_state'] !== $state) {
                    throw new RuntimeException('Invalid state parameter');
                }

                // send token request to get a real access token for the given auth code
                $client = new Client([
                    'timeout' => 10.0,
                    'verify' => $this->options['verify_peer'],
                ]);

                $response = $client->post($oauth_token_uri, [
                        'form_params'       => [
                            'code'          => $auth_code,
                            'client_id'     => $oauth_client_id,
                            'client_secret' => $oauth_client_secret,
                            'redirect_uri'  => $this->get_redirect_uri(),
                            'grant_type'    => 'authorization_code',
                        ],
                ]);

                $data = \GuzzleHttp\json_decode($response->getBody(), true);

                // auth success
                if (!empty($data['access_token'])) {
                    $username = null;
                    $identity = null;
                    $authorization = sprintf('%s %s', $data['token_type'], $data['access_token']);

                    // decode JWT id_token if provided
                    if (!empty($data['id_token'])) {
                        try {
                            $identity = $this->jwt_decode($data['id_token']);
                            foreach ($this->options['identity_fields'] as $field) {
                                if (isset($identity[$field])) {
                                    $username = $identity[$field];
                                    break;
                                }
                            }
                        } catch (\Exception $e) {
                            // log error
                            rcube::raise_error([
                                    'message' => $e->getMessage(),
                                    'file'    => __FILE__,
                                    'line'    => __LINE__,
                                ], true, false
                            );
                        }
                    }

                    // request user identity (email)
                    if (empty($username) && !empty($oauth_identity_uri)) {
                        $identity_response = $client->get($oauth_identity_uri, [
                                'headers' => [
                                    'Authorization' => $authorization,
                                    'Accept' => 'application/json',
                                ],
                        ]);

                        $identity = \GuzzleHttp\json_decode($identity_response->getBody(), true);

                        foreach ($this->options['identity_fields'] as $field) {
                            if (isset($identity[$field])) {
                                $username = $identity[$field];
                                break;
                            }
                        }
                    }

                    $data['identity'] = $username;
                    $this->mask_auth_data($data);

                    $this->rcmail->session->remove('oauth_state');

                    $this->rcmail->plugins->exec_hook('oauth_login', array_merge($data, [
                        'username' => $username,
                        'identity' => $identity,
                    ]));

                    // remove some data we don't want to store in session
                    unset($data['id_token']);

                    // return auth data
                    return [
                        'username'      => $username,
                        'authorization' => $authorization,
                        'token'         => $data,
                    ];
                }
                else {
                    throw new Exception('Unexpected response from OAuth service');
                }
            }
            catch (RequestException $e) {
                $this->last_error = "OAuth token request failed: " . $e->getMessage();
                $this->no_redirect = true;
                $formatter = new MessageFormatter();

                rcube::raise_error([
                        'message' => $this->last_error . '; ' . $formatter->format($e->getRequest(), $e->getResponse()),
                        'file'    => __FILE__,
                        'line'    => __LINE__,
                    ], true, false
                );

                return false;
            }
            catch (Exception $e) {
                $this->last_error = "OAuth token request failed: " . $e->getMessage();
                $this->no_redirect = true;

                rcube::raise_error([
                        'message' => $this->last_error,
                        'file'    => __FILE__,
                        'line'    => __LINE__,
                    ], true, false
                );

                return false;
            }
        }
        else {
            $this->last_error = "Missing required OAuth config options 'oauth_token_uri', 'oauth_client_id', 'oauth_client_secret'";

            rcube::raise_error([
                    'message' => $this->last_error,
                    'file'    => __FILE__,
                    'line'    => __LINE__,
                ], true, false
            );

            return false;
        }
    }

    /**
     * Obtain a new access token using the refresh_token grant type
     *
     * If successful, this will update the `oauth_token` entry in
     * session data.
     *
     * @param array $token
     *
     * @return array Updated authorization data
     */
    public function refresh_access_token(array $token)
    {
        $oauth_token_uri     = $this->options['token_uri'];
        $oauth_client_id     = $this->options['client_id'];
        $oauth_client_secret = $this->options['client_secret'];

        // send token request to get a real access token for the given auth code
        try {
            $client = new Client([
                'timeout' => 10.0,
                'verify' => $this->options['verify_peer'],
            ]);
            $response = $client->post($oauth_token_uri, [
                    'form_params' => [
                        'client_id'     => $oauth_client_id,
                        'client_secret' => $oauth_client_secret,
                        'refresh_token' => $this->rcmail->decrypt($token['refresh_token']),
                        'grant_type'    => 'refresh_token',
                    ],
            ]);
            $data = \GuzzleHttp\json_decode($response->getBody(), true);

            // auth success
            if (!empty($data['access_token'])) {
                // update access token stored as password
                $authorization = sprintf('%s %s', $data['token_type'], $data['access_token']);
                $_SESSION['password'] = $this->rcmail->encrypt($authorization);

                $this->mask_auth_data($data);

                // update session data
                $_SESSION['oauth_token'] = array_merge($token, $data);

                $this->rcmail->plugins->exec_hook('oauth_refresh_token', $data);

                return [
                    'token' => $data,
                    'authorization' => $authorization,
                ];
            }
        }
        catch (RequestException $e) {
            $this->last_error = "OAuth refresh token request failed: " . $e->getMessage();
            $formatter = new MessageFormatter();
            rcube::raise_error([
                    'message' => $this->last_error . '; ' . $formatter->format($e->getRequest(), $e->getResponse()),
                    'file'    => __FILE__,
                    'line'    => __LINE__,
                ], true, false
            );

            // refrehsing token failed, mark session as expired
            if ($e->getCode() >= 400 && $e->getCode() < 500) {
                $this->rcmail->kill_session();
            }

            return false;
        }
        catch (Exception $e) {
            $this->last_error = "OAuth refresh token request failed: " . $e->getMessage();
            rcube::raise_error([
                    'message' => $this->last_error,
                    'file'    => __FILE__,
                    'line'    => __LINE__,
                ], true, false
            );

            return false;
        }
    }

    /**
     * Modify some properties of the received auth response
     *
     * @param array $token
     * @return void
     */
    protected function mask_auth_data(&$data)
    {
        // compute absolute token expiration date
        $data['expires'] = time() + $data['expires_in'] - 10;

        // encrypt refresh token if provided
        if (isset($data['refresh_token'])) {
            $data['refresh_token'] = $this->rcmail->encrypt($data['refresh_token']);
        }
    }

    /**
     * Check the given access token data if still valid
     *
     * ... and attempt to refresh if possible.
     *
     * @param array $token
     * @return boolean
     */
    protected function check_token_validity($token)
    {
        if ($token['expires'] < time() && isset($token['refresh_token']) && empty($this->last_error)) {
            return $this->refresh_access_token($token) !== false;
        }
        return false;
    }

    /**
     * Callback for 'storage_init' hook
     *
     * @param array $options
     * @return array
     */
    public function storage_init($options)
    {
        if (isset($_SESSION['oauth_token']) && $options['driver'] === 'imap') {
            // check token validity
            if ($this->check_token_validity($_SESSION['oauth_token'])) {
                $options['password'] = $this->rcmail->decrypt($_SESSION['password']);
            }

            // enforce XOAUTH2 authorization type
            $options['auth_type'] = 'XOAUTH2';
        }

        return $options;
    }

    /**
     * Callback for 'smtp_connect' hook
     *
     * @param array $options
     * @return array
     */
    public function smtp_connect($options)
    {
        if (isset($_SESSION['oauth_token'])) {
            // check token validity
            $this->check_token_validity($_SESSION['oauth_token']);

            // enforce XOAUTH2 authorization type
            $options['smtp_user'] = '%u';
            $options['smtp_pass'] = '%p';
            $options['smtp_auth_type'] = 'XOAUTH2';
        }

        return $options;
    }

    /**
     * Callback for 'managesieve_connect' hook
     *
     * @param array $options
     * @return array
     */
    public function managesieve_connect($options)
    {
        if (isset($_SESSION['oauth_token'])) {
            // check token validity
            $this->check_token_validity($_SESSION['oauth_token']);

            // enforce XOAUTH2 authorization type
            $options['auth_type'] = 'XOAUTH2';
        }

        return $options;
    }

    /**
     * Callback for 'logout_after' hook
     *
     * @param array $options
     * @return array
     */
    public function logout_after($options)
    {
        $this->no_redirect = true;
    }

    /**
     * Callback for 'login_failed' hook
     *
     * @param array $options
     * @return array
     */
    public function login_failed($options)
    {
        // no redirect on imap login failures
        $this->no_redirect = true;
        return $options;
    }

    /**
     * Callback for 'unauthenticated' hook
     *
     * @param array $options
     * @return array
     */
    public function unauthenticated($options)
    {
        if (
            $this->options['login_redirect']
            && !$this->rcmail->output->ajax_call
            && !$this->no_redirect
            && empty($options['error'])
            && $options['http_code'] === 200
        ) {
            $this->login_redirect();
        }

        return $options;
    }


    /**
     * Callback for 'refresh' hook
     *
     * @param array $options
     * @return void
     */
    public function refresh($options)
    {
        if (isset($_SESSION['oauth_token'])) {
            $this->check_token_validity($_SESSION['oauth_token']);
        }
    }
}