This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 15a86bf58ff72c4269b8a8af9d646c2ec6ff2933
Author: Benoit Tellier <[email protected]>
AuthorDate: Thu Jun 10 11:17:49 2021 +0700
 JAMES-3594 Validate filters at ReadOnlyLDAPUsersDAO initialization
---
 .../james/user/ldap/ReadOnlyLDAPUsersDAO.java | 30 ++++++++++------------
 .../user/ldap/ReadOnlyUsersLDAPRepositoryTest.java | 21 +++++++++++++++
 2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
index 3839126..6901ab4 100644
--- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
+++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java
@@ -66,6 +66,9 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
 private LdapRepositoryConfiguration ldapConfiguration;
 private LDAPConnectionPool ldapConnectionPool;
+ private Optional<Filter> userExtraFilter;
+ private Filter objectClassFilter;
+ private Filter listingFilter;
 @Inject
 public ReadOnlyLDAPUsersDAO() {
@@ -115,6 +118,12 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
 SocketFactory socketFactory = null;
 LDAPConnection ldapConnection = new LDAPConnection(socketFactory, connectionOptions, uri.getHost(), uri.getPort(), ldapConfiguration.getPrincipal(), ldapConfiguration.getCredentials());
 ldapConnectionPool = new LDAPConnectionPool(ldapConnection, 4);
+
+ userExtraFilter = Optional.ofNullable(ldapConfiguration.getFilter())
+ .map(Throwing.function(Filter::create).sneakyThrow());
+ objectClassFilter = Filter.createEqualityFilter("objectClass", ldapConfiguration.getUserObjectClass());
+ listingFilter = userExtraFilter.map(extraFilter -> Filter.createANDFilter(objectClassFilter, extraFilter))
+ .orElse(objectClassFilter);
 }
 @PreDestroy
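Review bot: The three new fields are written only by the method that builds the connection pool (init, judging by the test in this commit) and are null until that method has run, so a DAO that was configured but not initialized would fail with a NullPointerException in `createFilter(String)` and in the two listing searches rather than with a clear error; that lifecycle should be stated on the fields. A comment such as `// Derived from ldapConfiguration during init(); null until then, never reassigned afterwards.` above `userExtraFilter` would make the contract visible to the next maintainer. Since nothing in the visible hunks reassigns them after initialization, documenting them as effectively immutable also tells readers that sharing the `Filter` instances between the per-user lookup and the listing searches is intended.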
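Review bot: The filter validation runs after `ldapConnectionPool = new LDAPConnectionPool(ldapConnection, 4);`, so when `Filter.create` rejects the configured filter and `sneakyThrow` propagates the LDAPException, the pool that was just opened (and the bound connection it was built from) is left open with nobody able to close it, because the object never finishes initializing and `@PreDestroy` will not run for it. Moving the block from `userExtraFilter = ...` through `.orElse(objectClassFilter);` above the `new LDAPConnection(...)` line keeps the fail-fast behaviour and guarantees that a misconfigured filter never opens a connection to the directory; if the order must stay, the validation should be wrapped so the pool is closed before the exception is rethrown. The three assignments read only `ldapConfiguration`, so they do not depend on the connection at all. The enclosing method starts outside the hunk.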
@@ -124,20 +133,9 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
 private Filter createFilter(String username) {
 Filter specificUserFilter = Filter.createEqualityFilter(ldapConfiguration.getUserIdAttribute(), username);
- return Optional.ofNullable(ldapConfiguration.getFilter())
- .map(Throwing.function(userFilter ->
- Filter.createANDFilter(objectClassFilter(), specificUserFilter, Filter.create(userFilter))))
- .orElseGet(() -> Filter.createANDFilter(objectClassFilter(), specificUserFilter));
- }
-
- private Filter objectClassFilter() {
- return Filter.createEqualityFilter("objectClass", ldapConfiguration.getUserObjectClass());
- }
-
- private Filter createFilter() {
- return Optional.ofNullable(ldapConfiguration.getFilter())
- .map(Throwing.function(userFilter -> Filter.createANDFilter(objectClassFilter(), Filter.create(userFilter))))
- .orElseGet(this::objectClassFilter);
+ return userExtraFilter
+ .map(extraFilter -> Filter.createANDFilter(objectClassFilter, specificUserFilter, extraFilter))
+ .orElseGet(() -> Filter.createANDFilter(objectClassFilter, specificUserFilter));
 }
 /**
@@ -175,7 +173,7 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
 private Set<DN> getAllUsersDNFromLDAP() throws LDAPException {
 SearchRequest searchRequest = new SearchRequest(ldapConfiguration.getUserBase(),
 SearchScope.SUB,
- createFilter(),
+ listingFilter,
 SearchRequest.NO_ATTRIBUTES);
 SearchResult searchResult = ldapConnectionPool.search(searchRequest);
@@ -189,7 +187,7 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable {
 private Stream<Username> getAllUsernamesFromLDAP() throws LDAPException {
 SearchRequest searchRequest = new SearchRequest(ldapConfiguration.getUserBase(),
 SearchScope.SUB,
- createFilter(),
+ listingFilter,
 ldapConfiguration.getUserIdAttribute());
 SearchResult searchResult = ldapConnectionPool.search(searchRequest);
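Review bot: Both branches of the new `createFilter(String)` body rebuild the objectClass-plus-extra-filter combination that `listingFilter` already holds, so the per-user lookup and the listing searches now carry two parallel constructions of the same base filter that can drift apart; `return Filter.createANDFilter(listingFilter, specificUserFilter);` covers both cases in one line, since an AND nested inside an AND evaluates identically to the flattened three-term form. That also removes the `Optional` dance from the hot path of every user lookup. If the flat `(&(objectClass=..)(uid=..)(extra))` form is kept on purpose, for example because it reads better in directory server logs, a one-line comment saying so would explain why the duplication is tolerated.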
diff --git a/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java b/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
index db551cc..047ce35 100644
--- a/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
+++ b/server/data/data-ldap/src/test/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepositoryTest.java
@@ -48,6 +48,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import com.google.common.collect.ImmutableList;
+import com.unboundid.ldap.sdk.LDAPException;
 class ReadOnlyUsersLDAPRepositoryTest {
@@ -72,6 +73,26 @@ class ReadOnlyUsersLDAPRepositoryTest {
 ldapContainer.stop();
 }
+ @Test
+ void shouldNotStartWithInvalidFilter() throws Exception {
+ PropertyListConfiguration configuration = new PropertyListConfiguration();
+ configuration.addProperty("[@ldapHost]", ldapContainer.getLdapHost());
+ configuration.addProperty("[@principal]", "cn=admin,dc=james,dc=org");
+ configuration.addProperty("[@credentials]", ADMIN_PASSWORD);
+ configuration.addProperty("[@userBase]", "ou=people,dc=james,dc=org");
+ configuration.addProperty("[@userObjectClass]", "inetOrgPerson");
+ configuration.addProperty("[@userIdAttribute]", "uid");
+ configuration.addProperty("[@administratorId]", ADMIN_LOCAL_PART);
+
+ configuration.addProperty("[@filter]", "INVALID!!!");
+
+ ReadOnlyUsersLDAPRepository usersLDAPRepository = new ReadOnlyUsersLDAPRepository(new SimpleDomainList());
+ usersLDAPRepository.configure(configuration);
+
+ assertThatThrownBy(usersLDAPRepository::init)
+ .isInstanceOf(LDAPException.class);
+ }
+
 @Nested
 class WhenEnableVirtualHosting implements UsersRepositoryContract.WithVirtualHostingReadOnlyContract {
 @RegisterExtension
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
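Review bot: `isInstanceOf(LDAPException.class)` alone is satisfied by any LDAP failure, including a bind rejected by the container or an unreachable host, so this test would still pass if the filter were never validated and `init` failed for an unrelated reason; pinning the message as well (the exact wording of the UnboundID filter parse error should be checked against the SDK before it is hard-coded) would make the test fail only for the intended cause. The repository whose `init` failed is also never stopped, and because the DAO opens its `LDAPConnectionPool` before it validates the filter in the main-file hunk, the bound connection against `ldapContainer` stays open until the container itself is stopped. If the test class already has a helper that builds this base configuration for the other tests, the seven `addProperty` lines should reuse it rather than repeat the principal and base DN literals.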
