chibenwa commented on code in PR #1851:
URL: https://github.com/apache/james-project/pull/1851#discussion_r1424959373
##########
server/data/data-postgres/src/main/java/org/apache/james/user/postgres/PostgresUsersDAO.java:
##########
@@ -141,4 +150,93 @@ public void addUser(Username username, String password) {
e -> new AlreadyExistInUsersRepositoryException("User with
username " + username + " already exist!"))
.block();
}
+
+ public Mono<Void> addAuthorizedUser(Username baseUser, Username
userWithAccess, boolean targetUserExists) {
+ return addUserToList(AUTHORIZED_USERS, baseUser, userWithAccess)
+ .then(addDelegatedUser(baseUser, userWithAccess,
targetUserExists));
+ }
+
+ private Mono<Void> addDelegatedUser(Username baseUser, Username
userWithAccess, boolean targetUserExists) {
+ if (targetUserExists) {
+ return addUserToList(DELEGATED_USERS, userWithAccess, baseUser);
+ } else {
+ return Mono.empty();
+ }
+ }
+
+ private Mono<Void> addUserToList(Field<String[]> field, Username baseUser,
Username targetUser) {
+ String fullAuthorizedUsersColumnName = TABLE.getName() + "." +
field.getName();
+ return postgresExecutor.executeVoid(dslContext ->
+ Mono.from(dslContext.insertInto(TABLE_NAME)
+ .set(USERNAME, baseUser.asString())
+ .set(field, DSL.array(targetUser.asString()))
+ .onConflict(USERNAME)
+ .doUpdate()
+ .set(DSL.field(field.getName()),
+ (Object) DSL.field("array_append(coalesce(" +
fullAuthorizedUsersColumnName + ", array[]::varchar[]), ?)",
Review Comment:
String concatenation spotted in a SQL query, on a field potentially controlled
by a user.
Extra care in handling this is definitely needed.
##########
server/data/data-postgres/src/main/java/org/apache/james/user/postgres/PostgresUsersDAO.java:
##########
@@ -141,4 +150,93 @@ public void addUser(Username username, String password) {
e -> new AlreadyExistInUsersRepositoryException("User with
username " + username + " already exist!"))
.block();
}
+
+ public Mono<Void> addAuthorizedUser(Username baseUser, Username
userWithAccess, boolean targetUserExists) {
+ return addUserToList(AUTHORIZED_USERS, baseUser, userWithAccess)
+ .then(addDelegatedUser(baseUser, userWithAccess,
targetUserExists));
+ }
+
+ private Mono<Void> addDelegatedUser(Username baseUser, Username
userWithAccess, boolean targetUserExists) {
+ if (targetUserExists) {
+ return addUserToList(DELEGATED_USERS, userWithAccess, baseUser);
+ } else {
+ return Mono.empty();
+ }
+ }
+
+ private Mono<Void> addUserToList(Field<String[]> field, Username baseUser,
Username targetUser) {
+ String fullAuthorizedUsersColumnName = TABLE.getName() + "." +
field.getName();
+ return postgresExecutor.executeVoid(dslContext ->
+ Mono.from(dslContext.insertInto(TABLE_NAME)
+ .set(USERNAME, baseUser.asString())
+ .set(field, DSL.array(targetUser.asString()))
+ .onConflict(USERNAME)
+ .doUpdate()
+ .set(DSL.field(field.getName()),
+ (Object) DSL.field("array_append(coalesce(" +
fullAuthorizedUsersColumnName + ", array[]::varchar[]), ?)",
+ targetUser.asString()))
+ .where(DSL.field(fullAuthorizedUsersColumnName).isNull()
+
.or(DSL.field(fullAuthorizedUsersColumnName).notContains(new
String[]{targetUser.asString()})))));
+ }
+
+ public Mono<Void> removeAuthorizedUser(Username baseUser, Username
userWithAccess) {
+ return removeUserInAuthorizedList(baseUser, userWithAccess)
+ .then(removeUserInDelegatedList(userWithAccess, baseUser));
+ }
+
+ public Mono<Void> removeDelegatedToUser(Username baseUser, Username
delegatedToUser) {
+ return removeUserInDelegatedList(baseUser, delegatedToUser)
+ .then(removeUserInAuthorizedList(delegatedToUser, baseUser));
+ }
+
+ private Mono<Void> removeUserInAuthorizedList(Username baseUser, Username
targetUser) {
+ return removeUserFromList(AUTHORIZED_USERS, baseUser, targetUser);
+ }
+
+ private Mono<Void> removeUserInDelegatedList(Username baseUser, Username
targetUser) {
+ return removeUserFromList(DELEGATED_USERS, baseUser, targetUser);
+ }
+
+ private Mono<Void> removeUserFromList(Field<String[]> field, Username
baseUser, Username targetUser) {
+ return postgresExecutor.executeVoid(dslContext ->
+ Mono.from(createQueryRemoveUserFromList(dslContext, field,
baseUser, targetUser)));
+ }
+
+ private UpdateConditionStep<Record>
createQueryRemoveUserFromList(DSLContext dslContext, Field<String[]> field,
Username baseUser, Username targetUser) {
+ return dslContext.update(TABLE_NAME)
+ .set(DSL.field(field.getName()),
+ (Object) DSL.field("array_remove(" + field.getName() + ", ?)",
Review Comment:
Idem.