Posted to notifications@james.apache.org by bt...@apache.org on 2023/01/24 14:20:09 UTC
[james-project] branch master updated: JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 85f9071067 JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)
85f9071067 is described below
commit 85f90710676eee2fb5d8571b836c27e32ee9bd6d
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Tue Jan 24 21:20:03 2023 +0700
JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin virtualHosting (#1405)
It is preferable to fall back to FORBIDDEN rather than fail with an exception.
---
.../adapter/mailbox/DelegationStoreAuthorizator.java | 9 ++++++++-
.../adapter/mailbox/DelegationStoreAuthorizatorTest.java | 16 ++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
index 8c1b9887e7..a8a5733380 100644
--- a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
+++ b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
@@ -49,7 +49,7 @@ public class DelegationStoreAuthorizator implements Authorizator {
public AuthorizationState canLoginAsOtherUser(Username userId, Username otherUserId) throws MailboxException {
boolean isAuthorized = Flux.from(delegationStore.authorizedUsers(otherUserId)).hasElement(userId).block();
try {
- if (isAuthorized || usersRepository.isAdministrator(userId)) {
+ if (isAuthorized || isAdministrator(userId)) {
return AuthorizationState.ALLOWED;
}
if (!usersRepository.contains(otherUserId)) {
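Review bot: The delegation lookup on the line above the `try` (`Flux.from(delegationStore.authorizedUsers(otherUserId)).hasElement(userId).block()`) sits outside the guarded region, so an error signalled by the delegation store surfaces from `block()` as an unchecked exception rather than as the FORBIDDEN fallback the commit message says is preferable. The `catch` and the remainder of `canLoginAsOtherUser` are outside this hunk, so I cannot see what is mapped to FORBIDDEN there; if a store failure is meant to be fail-closed as well, move the lookup inside the `try` with a matching catch, otherwise make the asymmetry deliberate with a comment such as `// a delegation-store failure propagates; only repository errors fall back to FORBIDDEN`. Note also that the delegation check runs and short-circuits before `isAdministrator`, so the new virtual-hosting guard never applies to delegated accessors — the test added in the same commit shows this is intended.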
@@ -61,6 +61,13 @@ public class DelegationStoreAuthorizator implements Authorizator {
}
}
+ private boolean isAdministrator(Username userId) throws UsersRepositoryException {
+ if (userId.hasDomainPart() ^ usersRepository.supportVirtualHosting()) {
+ return false;
+ }
+ return usersRepository.isAdministrator(userId);
+ }
+
@Override
public Collection<Username> delegatedUsers(Username username) {
return Flux.from(delegationStore.delegatedUsers(username)).collectList()
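Review bot: The new `isAdministrator` helper has no comment explaining why a username whose form does not match the repository's virtual-hosting mode is answered "not an administrator" instead of being passed through, so the XOR on `hasDomainPart() ^ supportVirtualHosting()` reads as a puzzle. I would put above the `if`: `// A name whose form (with/without domain) does not match the repository's virtual-hosting mode can never be the configured admin; answer false instead of letting the repository throw, so the caller falls back to FORBIDDEN (JAMES-3756).` That the repository would otherwise throw is inferred from the commit title, not visible here, so confirm it against `UsersRepository.isAdministrator` before committing to that wording. The guard covers only the admin path — a delegated accessor of the "wrong" form is still accepted through the short-circuit in `canLoginAsOtherUser` — which is worth a second line in the same comment so nobody later "tightens" it by accident.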
diff --git a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
index e892644d0e..1aba300da4 100644
--- a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
+++ b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
@@ -59,6 +59,13 @@ class DelegationStoreAuthorizatorTest {
assertThat(testee.canLoginAsOtherUser(ADMIN_USER, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
}
+ @Test
+ void canLoginAsOtherUserShouldReturnForbiddenWhenWrongVirtualHosting() throws Exception {
+ usersRepository.addUser(OTHER_USER, "secret");
+ assertThat(testee.canLoginAsOtherUser(Username.of("other_user@domain.tld"), OTHER_USER))
+ .isEqualTo(Authorizator.AuthorizationState.FORBIDDEN);
+ }
+
@Test
void canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsDelegatedByOtherUser() throws Exception {
usersRepository.addUser(OTHER_USER, "secret");
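Review bot: The new test `canLoginAsOtherUserShouldReturnForbiddenWhenWrongVirtualHosting` never registers `other_user@domain.tld` as an administrator, so it shows the call no longer throws but cannot distinguish "refused because the name form is wrong" from "refused because nobody is admin". A short comment stating what is being pinned would help the next reader, e.g. `// the repository here does not support virtual hosting: a domain-qualified accessor must yield FORBIDDEN, not an exception`; whether virtual hosting is off in this fixture is set up outside the hunk, so verify before wording it that way. If the fixture allows configuring an administrator, a companion case where the mismatched-form name is the configured admin and still gets FORBIDDEN would pin the guard itself rather than only the absence of an exception.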
@@ -67,6 +74,15 @@ class DelegationStoreAuthorizatorTest {
assertThat(testee.canLoginAsOtherUser(GIVEN_USER, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
}
+ @Test
+ void canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting() throws Exception {
+ Username accessor = Username.of("other_user@domain.tld");
+ usersRepository.addUser(OTHER_USER, "secret");
+ Mono.from(delegationStore.addAuthorizedUser(OTHER_USER, accessor)).block();
+
+ assertThat(testee.canLoginAsOtherUser(accessor, OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
+ }
+
@Test
void canLoginAsOtherUserShouldReturnForbiddenWhenGivenUserIsNotAdminAndNotDelegated() throws Exception {
usersRepository.addUser(OTHER_USER, "secret");
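Review bot: The test name `canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting` says the accessor is an admin, but the body never makes it one — it only registers a delegation via `delegationStore.addAuthorizedUser(OTHER_USER, accessor)` — so the name misstates what is pinned. Rename it to `canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsDelegatedWithWrongVirtualHosting`, matching the neighbouring `...WhenGivenUserIsDelegatedByOtherUser`. The case also encodes a policy worth stating on the test, since it is the one place the decision is recorded: `// delegation is checked before the admin guard, so a delegate whose name form does not match the virtual-hosting mode is still allowed`.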