Posted to notifications@james.apache.org by rc...@apache.org on 2020/12/30 03:35:29 UTC

[james-project] 17/29: JAMES-1784 Users with `_` in their names cannot download attachments

This is an automated email from the ASF dual-hosted git repository.

rcordier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 394459ba7efb8619a98218b0f3f90b18d4e40498
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Sat Dec 26 11:12:14 2020 +0700

    JAMES-1784 Users with `_` in their names cannot download attachments
    
    Because `_` is used as a delimiter within the token, and because
    we expected a fixed number of parts, it could not be used in the
    username.
    
    We can relax this condition by counting separators from the end of
    the token, thus allowing its use in the username.
---
 .../james/jmap/draft/model/AttachmentAccessToken.java   | 17 ++++++++++++-----
 .../jmap/draft/model/AttachmentAccessTokenTest.java     | 16 ++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/model/AttachmentAccessToken.java b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/model/AttachmentAccessToken.java
index 9209ffc..f456fe6 100644
--- a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/model/AttachmentAccessToken.java
+++ b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/model/AttachmentAccessToken.java
@@ -24,7 +24,9 @@ import java.time.format.DateTimeFormatter;
 import java.util.List;
 import java.util.Objects;
 
+import com.github.steveash.guavate.Guavate;
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Splitter;
@@ -33,7 +35,7 @@ import com.google.common.collect.Iterables;
 
 public class AttachmentAccessToken implements SignedExpiringToken {
 
-    public static final String SEPARATOR = "_";
+    public static final char SEPARATOR = '_';
 
     public static Builder builder() {
         return new Builder();
@@ -42,14 +44,19 @@ public class AttachmentAccessToken implements SignedExpiringToken {
     public static AttachmentAccessToken from(String serializedAttachmentAccessToken, String blobId) {
         Preconditions.checkArgument(!Strings.isNullOrEmpty(serializedAttachmentAccessToken), "'AttachmentAccessToken' is mandatory");
         List<String> split = Splitter.on(SEPARATOR).splitToList(serializedAttachmentAccessToken);
-        Preconditions.checkArgument(split.size() == 3, "Wrong 'AttachmentAccessToken'");
+        Preconditions.checkArgument(split.size() >= 3, "Wrong 'AttachmentAccessToken'");
+
+        String username = Joiner.on(SEPARATOR)
+            .join(split.stream()
+                .limit(split.size() - 2)
+                .collect(Guavate.toImmutableList()));
 
         String defaultValue = null;
         return builder()
                 .blobId(blobId)
-                .username(Iterables.get(split, 0, defaultValue))
-                .expirationDate(ZonedDateTime.parse(Iterables.get(split, 1, defaultValue)))
-                .signature(Iterables.get(split, 2, defaultValue))
+                .username(username)
+                .expirationDate(ZonedDateTime.parse(Iterables.get(split, split.size() - 2, defaultValue)))
+                .signature(Iterables.get(split, split.size() - 1, defaultValue))
                 .build();
     }
 
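Review bot: Locating the expiration date and signature from the end of the split in `from` is only unambiguous while those two fields can never contain `_`, and nothing in this hunk enforces or documents that. If the signature were ever emitted with a URL-safe Base64 alphabet, or the date serialized with a region id such as `America/New_York`, the fields would shift and every such token would fail in `ZonedDateTime.parse`. The current encodings presumably avoid this, but `serialize()` is not visible here. I would state the invariant next to the split, e.g. `// expirationDate and signature must never contain SEPARATOR: fields are located from the end`, and pin it with a test on `serialize()`. Separately, `Joiner.on(SEPARATOR).join(split.subList(0, split.size() - 2))` yields the same username without the stream and the Guavate import.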
diff --git a/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/model/AttachmentAccessTokenTest.java b/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/model/AttachmentAccessTokenTest.java
index fdc69b4..2d6b62f 100644
--- a/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/model/AttachmentAccessTokenTest.java
+++ b/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/model/AttachmentAccessTokenTest.java
@@ -24,6 +24,7 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 
+import org.apache.james.core.Username;
 import org.junit.Test;
 
 public class AttachmentAccessTokenTest {
@@ -41,6 +42,21 @@ public class AttachmentAccessTokenTest {
     }
 
     @Test
+    public void fromShouldDeserializeAccessToken() {
+        AttachmentAccessToken attachmentAccessToken = new AttachmentAccessToken(USERNAME, BLOB_ID, EXPIRATION_DATE, SIGNATURE);
+        assertThat(AttachmentAccessToken.from(attachmentAccessToken.serialize(), BLOB_ID))
+            .isEqualTo(attachmentAccessToken);
+    }
+
+    @Test
+    public void fromShouldAcceptUsernamesWithUnderscores() {
+        Username failingUsername = Username.of("bad_separator@usage.screwed");
+        AttachmentAccessToken attachmentAccessToken = new AttachmentAccessToken(failingUsername.asString(), BLOB_ID, EXPIRATION_DATE, SIGNATURE);
+        assertThat(AttachmentAccessToken.from(attachmentAccessToken.serialize(), BLOB_ID))
+            .isEqualTo(attachmentAccessToken);
+    }
+
+    @Test
     public void getPayloadShouldNotContainBlobId() {
         assertThat(new AttachmentAccessToken(USERNAME, BLOB_ID, EXPIRATION_DATE, SIGNATURE).getPayload())
             .isEqualTo(USERNAME + AttachmentAccessToken.SEPARATOR + EXPIRATION_DATE_STRING);
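Review bot: `fromShouldAcceptUsernamesWithUnderscores` exercises only a single interior underscore, so the boundary cases of the new end-anchored parsing stay untested: several or consecutive underscores in the username, and a token whose username part ends up empty. A round-trip on a constructed value such as `Username.of("a__b_c@domain.tld")`, provided `Username` accepts it, would pin the Splitter/Joiner symmetry for empty segments. The local name `failingUsername` is also misleading now that the test expects success; something like `usernameWithUnderscore` reads better. The trailing context lines cut into `getPayloadShouldNotContainBlobId`, which continues outside the hunk.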

