Posted to notifications@james.apache.org by bt...@apache.org on 2021/06/11 07:36:58 UTC
[james-project] 02/18: JAMES-3594 Implement group restrictions on
top of UnboundID
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 8d04141f7cc4ce6c692eacc35c2317ab354b9512
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Sun Jun 6 18:19:56 2021 +0700
JAMES-3594 Implement group restrictions on top of UnboundID
---
.../user/ldap/ReadOnlyLDAPGroupRestriction.java | 33 +++++-------
.../james/user/ldap/ReadOnlyLDAPUsersDAO.java | 60 ++++++++++------------
2 files changed, 39 insertions(+), 54 deletions(-)
diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java
index 3d3a3d5..9123f65 100644
--- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java
+++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java
@@ -19,21 +19,21 @@
package org.apache.james.user.ldap;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.ldap.LdapContext;
-
import org.apache.commons.configuration2.HierarchicalConfiguration;
import org.apache.commons.configuration2.tree.ImmutableNode;
+import com.github.steveash.guavate.Guavate;
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.SearchResultEntry;
+
/**
* <p>
* Encapsulates the information required to restrict users to LDAP groups or
@@ -112,13 +112,12 @@ public class ReadOnlyLDAPGroupRestriction {
* <code>groupDN</code> is associated to a list of <code>userDNs</code>.
*
* @return Returns a map of groupDNs to userDN lists.
- * @throws NamingException Propagated from underlying LDAP communication layer.
*/
- protected Map<String, Collection<String>> getGroupMembershipLists(LdapContext ldapContext) throws NamingException {
+ protected Map<String, Collection<String>> getGroupMembershipLists(LDAPConnection connection) throws LDAPException {
Map<String, Collection<String>> result = new HashMap<>();
for (String groupDN : groupDNs) {
- result.put(groupDN, extractMembers(ldapContext.getAttributes(groupDN)));
+ result.put(groupDN, extractMembers(connection.getEntry(groupDN)));
}
return result;
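Review bot: `connection.getEntry(groupDN)` on the new line inside the loop returns `null` rather than throwing when the DN does not exist or is not readable (UnboundID's documented contract), and `extractMembers` then dereferences that null, so a mistyped or deleted restriction group surfaces as a NullPointerException instead of a clear directory error. Because this map is the basis of an access-control decision, a missing group should fail loudly with context: `SearchResultEntry group = connection.getEntry(groupDN); if (group == null) { throw new LDAPException(ResultCode.NO_SUCH_OBJECT, "LDAP restriction group not found: " + groupDN); } result.put(groupDN, extractMembers(group));` (`com.unboundid.ldap.sdk.ResultCode` would need importing). The replaced JNDI `getAttributes` call would, as far as I recall, have thrown a `NamingException` in the same situation, so this is a behaviour change the port introduces. The surrounding class continues outside the hunk.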
@@ -130,20 +129,12 @@ public class ReadOnlyLDAPGroupRestriction {
* attribute, with name equivalent to the field value
* {@link #memberAttribute}, from the attributes collection.
*
- * @param groupAttributes The attributes taken from the group's LDAP context.
* @return A collection of distinguished-names for the users belonging to
* the group with the specified attributes.
- * @throws NamingException Propagated from underlying LDAP communication layer.
*/
- private Collection<String> extractMembers(Attributes groupAttributes) throws NamingException {
- Collection<String> result = new ArrayList<>();
- Attribute members = groupAttributes.get(memberAttribute);
- NamingEnumeration<?> memberDNs = members.getAll();
-
- while (memberDNs.hasMore()) {
- result.add(memberDNs.next().toString());
- }
-
- return result;
+ private Collection<String> extractMembers(SearchResultEntry entry) {
+ com.unboundid.ldap.sdk.Attribute members = entry.getAttribute(memberAttribute);
+ return Arrays.stream(members.getValues())
+ .collect(Guavate.toImmutableList());
}
}
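Review bot: `entry.getAttribute(memberAttribute)` in the rewritten `extractMembers` returns `null` when the group entry carries no such attribute (an empty group, or a misconfigured `memberAttribute`), and `members.getValues()` on the following line then throws a NullPointerException; the JNDI version had the same gap, but the rewrite is the moment to close it. A memberless group should simply contribute no users, which keeps the restriction failing closed: `if (members == null) { return Collections.emptyList(); }` right after the `getAttribute` call (`Collections` is already imported). The commit also dropped the `@param` from the Javadoc; `@param entry The group entry as read from the directory.` keeps the doc complete. The values are returned verbatim, so any DN normalisation has to happen in whoever compares them.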
diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
index fb450d0..3d406a1 100644
--- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
+++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
@@ -207,28 +207,23 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
sanitizedFilter,
ldapConfiguration.getUserIdAttribute());
- return searchResult.getSearchEntries()
+ SearchResultEntry result = searchResult.getSearchEntries()
.stream()
- .map(entry -> new ReadOnlyLDAPUser(
- Username.of(entry.getAttribute(ldapConfiguration.getUserIdAttribute()).getName()),
- entry.getDN(),
- ldapConnectionPool))
.findFirst()
.orElse(null);
- } finally {
- ldapConnectionPool.releaseConnection(connection);
- }
+ if (result == null) {
+ return null;
+ }
- /*
- TODO implement restrictions
+ if (!ldapConfiguration.getRestriction().isActivated()
+ || userInGroupsMembershipList(result.getDN(), ldapConfiguration.getRestriction().getGroupMembershipLists(connection))) {
- if (!ldapConfiguration.getRestriction().isActivated()
- || userInGroupsMembershipList(r.getNameInNamespace(), ldapConfiguration.getRestriction().getGroupMembershipLists(ldapContext))) {
- return new ReadOnlyLDAPUser(Username.of(userName.get().toString()), r.getNameInNamespace(), ldapContext);
+ return new ReadOnlyLDAPUser(name, result.getDN(), ldapConnectionPool);
+ }
+ return null;
+ } finally {
+ ldapConnectionPool.releaseConnection(connection);
}
-
- return null;
- */
}
private Optional<ReadOnlyLDAPUser> buildUser(String userDN) throws LDAPException {
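Review bot: The membership check on the new `userInGroupsMembershipList(result.getDN(), ...)` line compares the DN returned by the user search against the raw member values of the configured groups; if that helper (outside this hunk) compares the strings literally, harmless differences in case, spacing or RDN formatting between the two representations would make a legitimately-grouped user fail the restriction — a denial rather than a bypass, but a hard-to-diagnose one. UnboundID can normalise both sides, e.g. `DN.equals(result.getDN(), memberDN)` inside the helper. The enclosing method starts before the hunk, so the origin of `name` on the `return new ReadOnlyLDAPUser(name, result.getDN(), ldapConnectionPool);` line is not visible here; presumably it is the method's parameter. Note also that every lookup with the restriction active now pulls the full member list of every group through the pooled connection; a search scoped to the group DNs with filter `(memberAttribute=<userDN>)` would check one user without transferring all members.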
@@ -285,31 +280,30 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
}
private Collection<String> getValidUsers() throws LDAPException {
- return getAllUsersFromLDAP();
-
- /*
- TODO Implement restrictions
- */
- /*
+ Set<String> userDNs = getAllUsersFromLDAP();
Collection<String> validUserDNs;
if (ldapConfiguration.getRestriction().isActivated()) {
- Map<String, Collection<String>> groupMembershipList = ldapConfiguration.getRestriction()
- .getGroupMembershipLists(ldapContext);
- validUserDNs = new ArrayList<>();
-
- Iterator<String> userDNIterator = userDNs.iterator();
- String userDN;
- while (userDNIterator.hasNext()) {
- userDN = userDNIterator.next();
- if (userInGroupsMembershipList(userDN, groupMembershipList)) {
- validUserDNs.add(userDN);
+ final LDAPConnection connection = ldapConnectionPool.getConnection();
+ try {
+ Map<String, Collection<String>> groupMembershipList = ldapConfiguration.getRestriction()
+ .getGroupMembershipLists(connection);
+ validUserDNs = new ArrayList<>();
+
+ Iterator<String> userDNIterator = userDNs.iterator();
+ String userDN;
+ while (userDNIterator.hasNext()) {
+ userDN = userDNIterator.next();
+ if (userInGroupsMembershipList(userDN, groupMembershipList)) {
+ validUserDNs.add(userDN);
+ }
}
+ } finally {
+ ldapConnectionPool.releaseConnection(connection);
}
} else {
validUserDNs = userDNs;
}
return validUserDNs;
- */
}
@Override
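Review bot: The `Iterator`/`while` loop restored in `getValidUsers` is a hand-rolled filter; a stream states the intent directly with the same result: `validUserDNs = userDNs.stream().filter(userDN -> userInGroupsMembershipList(userDN, groupMembershipList)).collect(Collectors.toList());` (the sibling file already uses `Guavate.toImmutableList()`, which would fit as well). If `userInGroupsMembershipList` scans each group's member list, the loop is O(users × members); flattening the map once into a `Set<String>` of member DNs before the loop would make the pass linear without changing the outcome. The method's `throws LDAPException` now also covers the pooled `getConnection()` and `getGroupMembershipLists` calls, which is fine, but the Javadoc (if any, it is outside the hunk) should say that a failure to read the groups aborts the listing rather than returning the unrestricted set.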