Posted to notifications@james.apache.org by bt...@apache.org on 2023/01/24 14:20:09 UTC

[james-project] branch master updated: JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new 85f9071067 JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)
85f9071067 is described below

commit 85f90710676eee2fb5d8571b836c27e32ee9bd6d
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Tue Jan 24 21:20:03 2023 +0700

    JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)
    
    It is preferable to fall back to forbidden.
---
 .../adapter/mailbox/DelegationStoreAuthorizator.java     |  9 ++++++++-
 .../adapter/mailbox/DelegationStoreAuthorizatorTest.java | 16 ++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
index 8c1b9887e7..a8a5733380 100644
--- a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
+++ b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
@@ -49,7 +49,7 @@ public class DelegationStoreAuthorizator implements Authorizator {
     public AuthorizationState canLoginAsOtherUser(Username userId, Username otherUserId) throws MailboxException {
         boolean isAuthorized = Flux.from(delegationStore.authorizedUsers(otherUserId)).hasElement(userId).block();
         try {
-            if (isAuthorized || usersRepository.isAdministrator(userId)) {
+            if (isAuthorized || isAdministrator(userId)) {
                 return AuthorizationState.ALLOWED;
             }
             if (!usersRepository.contains(otherUserId)) {
@@ -61,6 +61,13 @@ public class DelegationStoreAuthorizator implements Authorizator {
         }
     }
 
+    private boolean isAdministrator(Username userId) throws UsersRepositoryException {
+        if (userId.hasDomainPart() ^ usersRepository.supportVirtualHosting()) {
+            return false;
+        }
+        return usersRepository.isAdministrator(userId);
+    }
+
     @Override
     public Collection<Username> delegatedUsers(Username username) {
         return Flux.from(delegationStore.delegatedUsers(username)).collectList()
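Review bot: The new `isAdministrator` helper has no comment explaining why a username whose shape disagrees with the repository's virtual-hosting mode is answered with false, and the `^` on two booleans reads as a bit trick rather than the mismatch test it is. Writing the guard as `if (userId.hasDomainPart() != usersRepository.supportVirtualHosting()) {` states the intent directly, and a comment such as `// A username whose domain part does not match the virtual-hosting mode cannot be the configured administrator; answer false instead of letting usersRepository.isAdministrator throw.` records the rationale the commit title gives. That the failure being avoided is an exception from usersRepository.isAdministrator is inferred from the commit message and should be confirmed against that method. Note that the helper is only consulted after the delegation lookup in canLoginAsOtherUser, so a delegated user with a mismatched username shape is still allowed, which is the behaviour the accompanying test pins.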
diff --git a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
index e892644d0e..1aba300da4 100644
--- a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
+++ b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
@@ -59,6 +59,13 @@ class DelegationStoreAuthorizatorTest {
         assertThat(testee.canLoginAsOtherUser(ADMIN_USER, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
     }
 
+    @Test
+    void canLoginAsOtherUserShouldReturnForbiddenWhenWrongVirtualHosting() throws Exception {
+        usersRepository.addUser(OTHER_USER, "secret");
+        assertThat(testee.canLoginAsOtherUser(Username.of("other_user@domain.tld"), OTHER_USER))
+            .isEqualTo(Authorizator.AuthorizationState.FORBIDDEN);
+    }
+
     @Test
     void canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsDelegatedByOtherUser() throws Exception {
         usersRepository.addUser(OTHER_USER, "secret");
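Review bot: The new test canLoginAsOtherUserShouldReturnForbiddenWhenWrongVirtualHosting depends on the fixture's usersRepository having virtual hosting disabled so that the domain-qualified accessor counts as a mismatch, but that configuration is set up outside the hunk and nothing in the test states it. A precondition such as `assertThat(usersRepository.supportVirtualHosting()).isFalse();` before the call would make the test self-describing and fail loudly if the fixture changes. The test also never registers the accessor as an administrator, so it exercises the shape-mismatch short-circuit rather than a misconfigured admin; if the fixture allows configuring a domain-qualified administrator, a second case for that scenario would cover what the commit title names.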
@@ -67,6 +74,15 @@ class DelegationStoreAuthorizatorTest {
         assertThat(testee.canLoginAsOtherUser(GIVEN_USER, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
     }
 
+    @Test
+    void canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting() throws Exception {
+        Username accessor = Username.of("other_user@domain.tld");
+        usersRepository.addUser(OTHER_USER, "secret");
+        Mono.from(delegationStore.addAuthorizedUser(OTHER_USER, accessor)).block();
+
+        assertThat(testee.canLoginAsOtherUser(accessor, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
+    }
+
     @Test
     void canLoginAsOtherUserShouldReturnForbiddenWhenGivenUserIsNotAdminAndNotDelegated() throws Exception {
         usersRepository.addUser(OTHER_USER, "secret");
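Review bot: The name canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting says the accessor is an admin, but the body only registers `accessor` as a delegate through delegationStore.addAuthorizedUser and never makes it an administrator, so the test documents the wrong condition. Renaming it to `canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsDelegatedWithWrongVirtualHosting` matches what is asserted and mirrors the neighbouring test names. The test method that starts on the last lines of the hunk continues outside it.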

