This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 85f9071067 JAMES-3756 DelegationStoreAuthorizator should not fail on
bad admin virtualHosting (#1405)
85f9071067 is described below
commit 85f90710676eee2fb5d8571b836c27e32ee9bd6d
Author: Benoit TELLIER <[email protected]>
AuthorDate: Tue Jan 24 21:20:03 2023 +0700
JAMES-3756 DelegationStoreAuthorizator should not fail on bad admin
virtualHosting (#1405)
It is preferable to fall back to forbidden.
---
.../adapter/mailbox/DelegationStoreAuthorizator.java | 9 ++++++++-
.../adapter/mailbox/DelegationStoreAuthorizatorTest.java | 16 ++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git
a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
index 8c1b9887e7..a8a5733380 100644
---
a/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
+++
b/server/container/mailbox-adapter/src/main/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizator.java
@@ -49,7 +49,7 @@ public class DelegationStoreAuthorizator implements
Authorizator {
public AuthorizationState canLoginAsOtherUser(Username userId, Username
otherUserId) throws MailboxException {
boolean isAuthorized =
Flux.from(delegationStore.authorizedUsers(otherUserId)).hasElement(userId).block();
try {
- if (isAuthorized || usersRepository.isAdministrator(userId)) {
+ if (isAuthorized || isAdministrator(userId)) {
return AuthorizationState.ALLOWED;
}
if (!usersRepository.contains(otherUserId)) {
@@ -61,6 +61,13 @@ public class DelegationStoreAuthorizator implements
Authorizator {
}
}
+ private boolean isAdministrator(Username userId) throws
UsersRepositoryException {
+ if (userId.hasDomainPart() ^ usersRepository.supportVirtualHosting()) {
+ return false;
+ }
+ return usersRepository.isAdministrator(userId);
+ }
+
@Override
public Collection<Username> delegatedUsers(Username username) {
return
Flux.from(delegationStore.delegatedUsers(username)).collectList()
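Review bot: The new `isAdministrator` helper turns a virtual-hosting mismatch into a silent `false`, so an operator whose configured administrator is written in the wrong form (domain part present while virtual hosting is off, or absent while it is on) sees admin impersonation refused with no trace of why; add a why-comment on the early return and, if the class has a logger, a debug line, e.g. `// Name form does not match the repository's virtual-hosting mode: the repository would reject it, so fail closed (FORBIDDEN) instead of erroring` and `LOGGER.debug("Skipping administrator check for {}: virtual-hosting mismatch", userId);`. Failing closed is the right default here, since the accessor name is caller-supplied and a malformed name must never become an ALLOWED path. The XOR guard assumes `usersRepository.supportVirtualHosting()` is the only validation the repository applies to the name; if the repository also rejects names whose domain it does not serve, that case would still throw out of `usersRepository.isAdministrator` and is not covered by this guard, which is worth confirming against the repository implementation. The `delegatedUsers` method at the end of the hunk continues outside it.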
diff --git
a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
index e892644d0e..1aba300da4 100644
---
a/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
+++
b/server/container/mailbox-adapter/src/test/java/org/apache/james/adapter/mailbox/DelegationStoreAuthorizatorTest.java
@@ -59,6 +59,13 @@ class DelegationStoreAuthorizatorTest {
assertThat(testee.canLoginAsOtherUser(ADMIN_USER,
OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
}
+ @Test
+ void canLoginAsOtherUserShouldReturnForbiddenWhenWrongVirtualHosting()
throws Exception {
+ usersRepository.addUser(OTHER_USER, "secret");
+
assertThat(testee.canLoginAsOtherUser(Username.of("[email protected]"),
OTHER_USER))
+ .isEqualTo(Authorizator.AuthorizationState.FORBIDDEN);
+ }
+
@Test
void
canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsDelegatedByOtherUser()
throws Exception {
usersRepository.addUser(OTHER_USER, "secret");
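Review bot: The new test exercises only one direction of the guard, an accessor with a domain part against the fixture's repository, which presumably has virtual hosting disabled (its setup is outside the hunk), and the accessor is never registered as the administrator, so the test cannot show that a configured admin written in the wrong form is refused rather than allowed. Add the mirror case (virtual hosting on, domain-less accessor) and a case where the administrator itself is configured in the mismatched form and still yields FORBIDDEN, since that is the fail-closed behaviour the commit message promises. The literal `[email protected]` looks like a mailing-list address scrub rather than the committed value, so the archived text should not be copied as-is.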
@@ -67,6 +74,15 @@ class DelegationStoreAuthorizatorTest {
assertThat(testee.canLoginAsOtherUser(GIVEN_USER,
OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
}
+ @Test
+ void
canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting()
throws Exception {
+ Username accessor = Username.of("[email protected]");
+ usersRepository.addUser(OTHER_USER, "secret");
+ Mono.from(delegationStore.addAuthorizedUser(OTHER_USER,
accessor)).block();
+
+ assertThat(testee.canLoginAsOtherUser(accessor,
OTHER_USER)).isEqualTo(Authorizator.AuthorizationState.ALLOWED);
+ }
+
@Test
void
canLoginAsOtherUserShouldReturnForbiddenWhenGivenUserIsNotAdminAndNotDelegated()
throws Exception {
usersRepository.addUser(OTHER_USER, "secret");
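Review bot: The method name `canLoginAsOtherUserShouldReturnAllowedWhenGivenUserIsAdminWithWrongVirtualHosting` does not match what the test sets up: the accessor is registered as a delegate via `delegationStore.addAuthorizedUser`, not as an administrator, so the ALLOWED result comes from the delegation branch short-circuiting before `isAdministrator` is consulted. Rename it to say what it checks, `void canLoginAsOtherUserShouldReturnAllowedWhenDelegatedUserHasWrongVirtualHosting()`, and state the intent above the assertion, `// delegation is checked before the admin lookup, so the mismatched accessor name must still be allowed`. As written, a reader could take the name to mean that an administrator with the wrong name form is allowed, which is the opposite of what the production change does.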