commit 8d04141f7cc4ce6c692eacc35c2317ab354b9512 Author: Benoit Tellier <[email protected]> AuthorDate: Sun Jun 6 18:19:56 2021 +0700 JAMES-3594 Implement group restrictions on top of UnboundID --- .../user/ldap/ReadOnlyLDAPGroupRestriction.java | 33 +++++------- .../james/user/ldap/ReadOnlyLDAPUsersDAO.java | 60 ++++++++++------------ 2 files changed, 39 insertions(+), 54 deletions(-) diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java index 3d3a3d5..9123f65 100644 --- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java +++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPGroupRestriction.java @@ -19,21 +19,21 @@ package org.apache.james.user.ldap; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; -import javax.naming.NamingEnumeration; -import javax.naming.NamingException; -import javax.naming.directory.Attribute; -import javax.naming.directory.Attributes; -import javax.naming.ldap.LdapContext; - import org.apache.commons.configuration2.HierarchicalConfiguration; import org.apache.commons.configuration2.tree.ImmutableNode; +import com.github.steveash.guavate.Guavate; +import com.unboundid.ldap.sdk.LDAPConnection; +import com.unboundid.ldap.sdk.LDAPException; +import com.unboundid.ldap.sdk.SearchResultEntry; + /** * <p> * Encapsulates the information required to restrict users to LDAP groups or 
@@ -112,13 +112,12 @@ public class ReadOnlyLDAPGroupRestriction { * <code>groupDN</code> is associated to a list of <code>userDNs</code>. * * @return Returns a map of groupDNs to userDN lists. - * @throws NamingException Propagated from underlying LDAP communication layer. */ - protected Map<String, Collection<String>> getGroupMembershipLists(LdapContext ldapContext) throws NamingException { + protected Map<String, Collection<String>> getGroupMembershipLists(LDAPConnection connection) throws LDAPException { Map<String, Collection<String>> result = new HashMap<>(); for (String groupDN : groupDNs) { - result.put(groupDN, extractMembers(ldapContext.getAttributes(groupDN))); + result.put(groupDN, extractMembers(connection.getEntry(groupDN))); } return result; @@ -130,20 +129,12 @@ public class ReadOnlyLDAPGroupRestriction { * attribute, with name equivalent to the field value * {@link #memberAttribute}, from the attributes collection. * - * @param groupAttributes The attributes taken from the group's LDAP context. * @return A collection of distinguished-names for the users belonging to * the group with the specified attributes. - * @throws NamingException Propagated from underlying LDAP communication layer. */ - private Collection<String> extractMembers(Attributes groupAttributes) throws NamingException { - Collection<String> result = new ArrayList<>(); - Attribute members = groupAttributes.get(memberAttribute); - NamingEnumeration<?> memberDNs = members.getAll(); - - while (memberDNs.hasMore()) { - result.add(memberDNs.next().toString()); - } - - return result; + private Collection<String> extractMembers(SearchResultEntry entry) { + com.unboundid.ldap.sdk.Attribute members = entry.getAttribute(memberAttribute); + return Arrays.stream(members.getValues()) + .collect(Guavate.toImmutableList()); } } 
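Review bot: `connection.getEntry(groupDN)` in getGroupMembershipLists returns null when no entry exists at that DN, and the next hunk's extractMembers then dereferences it, so a mistyped or deleted group DN surfaces as a NullPointerException instead of a message naming the group; the same happens inside extractMembers when the group has no `memberAttribute` at all, because `entry.getAttribute(...)` is null for an absent attribute, which makes an empty group crash every lookup rather than simply contributing no members. The old JNDI code had the second problem too, but since the restriction is the access gate here it should fail with a clear LDAPException for a missing group and treat a missing attribute as an empty membership, which still denies access. Using `entry.getAttributeValues(memberAttribute)` also removes the fully qualified `com.unboundid.ldap.sdk.Attribute` name, which reads oddly now that the javax `Attribute` import it was avoiding is gone; the rewrite below needs `com.unboundid.ldap.sdk.ResultCode` imported. The Javadoc of extractMembers lost its `@param` line in this commit and should regain one describing the group entry.
```java
protected Map<String, Collection<String>> getGroupMembershipLists(LDAPConnection connection) throws LDAPException {
    Map<String, Collection<String>> result = new HashMap<>();
    for (String groupDN : groupDNs) {
        SearchResultEntry groupEntry = connection.getEntry(groupDN);
        if (groupEntry == null) {
            // A misspelled or removed group DN must not be mistaken for an empty group
            throw new LDAPException(ResultCode.NO_SUCH_OBJECT, "Restriction group not found: " + groupDN);
        }
        result.put(groupDN, extractMembers(groupEntry));
    }
    return result;
}

// … unchanged: Javadoc of extractMembers …
private Collection<String> extractMembers(SearchResultEntry entry) {
    String[] members = entry.getAttributeValues(memberAttribute);
    if (members == null) {
        // A group carrying no member attribute is simply empty
        return Collections.emptyList();
    }
    return Arrays.stream(members)
        .collect(Guavate.toImmutableList());
}
```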
diff --git a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java index fb450d0..3d406a1 100644 --- a/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java +++ b/server/data/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyLDAPUsersDAO.java @@ -207,28 +207,23 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable { sanitizedFilter, ldapConfiguration.getUserIdAttribute()); - return searchResult.getSearchEntries() + SearchResultEntry result = searchResult.getSearchEntries() .stream() - .map(entry -> new ReadOnlyLDAPUser( - Username.of(entry.getAttribute(ldapConfiguration.getUserIdAttribute()).getName()), - entry.getDN(), - ldapConnectionPool)) .findFirst() .orElse(null); - } finally { - ldapConnectionPool.releaseConnection(connection); - } + if (result == null) { + return null; + } - /* - TODO implement restrictions + if (!ldapConfiguration.getRestriction().isActivated() + || userInGroupsMembershipList(result.getDN(), ldapConfiguration.getRestriction().getGroupMembershipLists(connection))) { - if (!ldapConfiguration.getRestriction().isActivated() - || userInGroupsMembershipList(r.getNameInNamespace(), ldapConfiguration.getRestriction().getGroupMembershipLists(ldapContext))) { - return new ReadOnlyLDAPUser(Username.of(userName.get().toString()), r.getNameInNamespace(), ldapContext); + return new ReadOnlyLDAPUser(name, result.getDN(), ldapConnectionPool); + } + return null; + } finally { + ldapConnectionPool.releaseConnection(connection); } - - return null; - */ } private Optional<ReadOnlyLDAPUser> buildUser(String userDN) throws LDAPException { 
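Review bot: When the restriction is active and the looked-up user is not in any configured group, the new `if` block falls through to `return null;` exactly like the "no such user" case, so a login refused by the group restriction leaves no trace an operator can distinguish from a typo in the username. A debug-level line before that return, e.g. `LOGGER.debug("User {} found in LDAP but is not a member of any restriction group", name);` (assuming the class has an SLF4J logger), would make that visible without exposing anything to the caller. Note also that `userInGroupsMembershipList(result.getDN(), ...)` matches the entry DN against the raw member values; if the directory returns the DN with different casing or spacing than the group stores it, a legitimate member is rejected, so it is worth confirming that comparison normalizes DNs (UnboundID's `DN.equals(String, String)` does) rather than comparing strings. The enclosing method begins before this hunk, and `name` is presumably its username parameter.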
@@ -285,31 +280,30 @@ public class ReadOnlyLDAPUsersDAO implements UsersDAO, Configurable { } private Collection<String> getValidUsers() throws LDAPException { - return getAllUsersFromLDAP(); - - /* - TODO Implement restrictions - */ - /* + Set<String> userDNs = getAllUsersFromLDAP(); Collection<String> validUserDNs; if (ldapConfiguration.getRestriction().isActivated()) { - Map<String, Collection<String>> groupMembershipList = ldapConfiguration.getRestriction() - .getGroupMembershipLists(ldapContext); - validUserDNs = new ArrayList<>(); - - Iterator<String> userDNIterator = userDNs.iterator(); - String userDN; - while (userDNIterator.hasNext()) { - userDN = userDNIterator.next(); - if (userInGroupsMembershipList(userDN, groupMembershipList)) { - validUserDNs.add(userDN); + final LDAPConnection connection = ldapConnectionPool.getConnection(); + try { + Map<String, Collection<String>> groupMembershipList = ldapConfiguration.getRestriction() + .getGroupMembershipLists(connection); + validUserDNs = new ArrayList<>(); + + Iterator<String> userDNIterator = userDNs.iterator(); + String userDN; + while (userDNIterator.hasNext()) { + userDN = userDNIterator.next(); + if (userInGroupsMembershipList(userDN, groupMembershipList)) { + validUserDNs.add(userDN); + } } + } finally { + ldapConnectionPool.releaseConnection(connection); } } else { validUserDNs = userDNs; } return validUserDNs; - */ } @Override --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
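Review bot: The membership filter in getValidUsers is written as an explicit `Iterator` loop with `userDN` declared outside it, which is the old commented-out code revived verbatim rather than idiomatic Java; an enhanced for loop says the same thing in three lines: `for (String userDN : userDNs) { if (userInGroupsMembershipList(userDN, groupMembershipList)) { validUserDNs.add(userDN); } }`. That also lets the `Iterator` import go if nothing else in the file uses it. The `getAllUsersFromLDAP()` call above acquires its own connection (presumably) and this block then leases a second one, which is fine for correctness but worth a one-line comment since the pool size bounds how many concurrent listings can run.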
