Posted to notifications@james.apache.org by bt...@apache.org on 2021/06/11 07:37:11 UTC
[james-project] 15/18: JAMES-3594 Validate filters at
ReadOnlyLDAPUsersDAO initialization
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 15a86bf58ff72c4269b8a8af9d646c2ec6ff2933
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Thu Jun 10 11:17:49 2021 +0700
JAMES-3594 Validate filters at ReadOnlyLDAPUsersDAO initialization
---
.../james/user/ldap/ReadOnlyLDAPUsersDAO.java | 30 ++++++++++------------
.../user/ldap/ReadOnlyUsersLDAPRepositoryTest.java | 21 +++++++++++++++
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
index 3839126..6901ab4 100644
--- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
+++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
@@ -66,6 +66,9 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
private LdapRepositoryConfiguration ldapConfiguration;
private LDAPConnectionPool ldapConnectionPool;
+ private Optional<Filter> userExtraFilter;
+ private Filter objectClassFilter;
+ private Filter listingFilter;
@Inject
public ReadOnlyLDAPUsersDAO() {
@@ -115,6 +118,12 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
SocketFactory socketFactory = null;
LDAPConnection ldapConnection = new LDAPConnection(socketFactory, connectionOptions, uri.getHost(), uri.getPort(), ldapConfiguration.getPrincipal(), ldapConfiguration.getCredentials());
ldapConnectionPool = new LDAPConnectionPool(ldapConnection, 4);
+
+ userExtraFilter = Optional.ofNullable(ldapConfiguration.getFilter())
+ .map(Throwing.function(Filter::create).sneakyThrow());
+ objectClassFilter = Filter.createEqualityFilter("objectClass", ldapConfiguration.getUserObjectClass());
+ listingFilter = userExtraFilter.map(extraFilter -> Filter.createANDFilter(objectClassFilter, extraFilter))
+ .orElse(objectClassFilter);
}
@PreDestroy
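Review bot: The three filter assignments are placed after `ldapConnectionPool = new LDAPConnectionPool(ldapConnection, 4)`, so a malformed `[@filter]` value now makes `init()` throw from `Filter.create` only after a pool of live connections has been opened, and nothing in this hunk closes it; whether `@PreDestroy` runs for a bean whose initializer failed depends on the container. Moving the `userExtraFilter`/`objectClassFilter`/`listingFilter` block above the `LDAPConnection` construction validates the configuration before any network I/O and avoids leaving the pool open on failure. The new fields would also benefit from a comment, e.g. `// Parsed once in init(); a malformed configured filter fails startup here instead of at the first lookup.`, since the declarations in the first hunk carry none. `init()` begins and ends outside this hunk, and `createFilter(String)` in the next hunk dereferences `userExtraFilter` without a null guard, so it relies on `init()` having completed.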
@@ -124,20 +133,9 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
private Filter createFilter(String username) {
Filter specificUserFilter = Filter.createEqualityFilter(ldapConfiguration.getUserIdAttribute(), username);
- return Optional.ofNullable(ldapConfiguration.getFilter())
- .map(Throwing.function(userFilter ->
- Filter.createANDFilter(objectClassFilter(), specificUserFilter, Filter.create(userFilter))))
- .orElseGet(() -> Filter.createANDFilter(objectClassFilter(), specificUserFilter));
- }
-
- private Filter objectClassFilter() {
- return Filter.createEqualityFilter("objectClass", ldapConfiguration.getUserObjectClass());
- }
-
- private Filter createFilter() {
- return Optional.ofNullable(ldapConfiguration.getFilter())
- .map(Throwing.function(userFilter -> Filter.createANDFilter(objectClassFilter(), Filter.create(userFilter))))
- .orElseGet(this::objectClassFilter);
+ return userExtraFilter
+ .map(extraFilter -> Filter.createANDFilter(objectClassFilter, specificUserFilter, extraFilter))
+ .orElseGet(() -> Filter.createANDFilter(objectClassFilter, specificUserFilter));
}
/**
@@ -175,7 +173,7 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
private Set<DN> getAllUsersDNFromLDAP() throws LDAPException {
SearchRequest searchRequest = new SearchRequest(ldapConfiguration.getUserBase(),
SearchScope.SUB,
- createFilter(),
+ listingFilter,
SearchRequest.NO_ATTRIBUTES);
SearchResult searchResult = ldapConnectionPool.search(searchRequest);
@@ -189,7 +187,7 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
private Stream<Username> getAllUsernamesFromLDAP() throws LDAPException {
SearchRequest searchRequest = new SearchRequest(ldapConfiguration.getUserBase(),
SearchScope.SUB,
- createFilter(),
+ listingFilter,
ldapConfiguration.getUserIdAttribute());
SearchResult searchResult = ldapConnectionPool.search(searchRequest);
diff --git a/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java b/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
index db551cc..047ce35 100644
--- a/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
+++ b/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
@@ -48,6 +48,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.collect.ImmutableList;
+import com.unboundid.ldap.sdk.LDAPException;
class ReadOnlyUsersLDAPRepositoryTest {
@@ -72,6 +73,26 @@ class ReadOnlyUsersLDAPRepositoryTest {
ldapContainer.stop();
}
+ @Test
+ void shouldNotStartWithInvalidFilter() throws Exception {
+ PropertyListConfiguration configuration = new PropertyListConfiguration();
+ configuration.addProperty("[@ldapHost]", ldapContainer.getLdapHost());
+ configuration.addProperty("[@principal]", "cn=admin,dc=james,dc=org");
+ configuration.addProperty("[@credentials]", ADMIN_PASSWORD);
+ configuration.addProperty("[@userBase]", "ou=people,dc=james,dc=org");
+ configuration.addProperty("[@userObjectClass]", "inetOrgPerson");
+ configuration.addProperty("[@userIdAttribute]", "uid");
+ configuration.addProperty("[@administratorId]", ADMIN_LOCAL_PART);
+
+ configuration.addProperty("[@filter]", "INVALID!!!");
+
+ ReadOnlyUsersLDAPRepository usersLDAPRepository = new ReadOnlyUsersLDAPRepository(new SimpleDomainList());
+ usersLDAPRepository.configure(configuration);
+
+ assertThatThrownBy(usersLDAPRepository::init)
+ .isInstanceOf(LDAPException.class);
+ }
+
@Nested
class WhenEnableVirtualHosting implements UsersRepositoryContract.WithVirtualHostingReadOnlyContract {
@RegisterExtension
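Review bot: The assertion `.isInstanceOf(LDAPException.class)` cannot tell a rejected filter from a failed bind or connection, since `init()` surfaces all of them as `LDAPException`, so `shouldNotStartWithInvalidFilter` also passes when the container is unreachable or `ADMIN_PASSWORD` is wrong. Narrowing it pins the behaviour the commit introduces, e.g. `.isInstanceOfSatisfying(LDAPException.class, e -> assertThat(e.getResultCode()).isEqualTo(ResultCode.FILTER_ERROR))`, assuming `FILTER_ERROR` is the result code `Filter.create` reports for a syntax error — worth confirming against the SDK. A one-line Javadoc stating that an invalid filter must be rejected at startup rather than at the first user lookup would make the intent of the test explicit.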