chibenwa commented on code in PR #2450:
URL: https://github.com/apache/james-project/pull/2450#discussion_r1799119005


##########
server/protocols/jmap/src/main/java/org/apache/james/jmap/http/XUserAuthenticationStrategy.java:
##########
@@ -36,25 +42,50 @@
 
 public class XUserAuthenticationStrategy implements AuthenticationStrategy {
     private static final String X_USER_HEADER_NAME = "X-User";
+    private static final String X_USER_SECRET_HEADER_NAME = "X-User-Secret";
+    private static final String AUTHENTICATION_STRATEGY_XUSER_SECRET = 
"authentication.strategy.rfc8621.xUser.secret";
+
+    private static final Logger LOGGER = 
LoggerFactory.getLogger(XUserAuthenticationStrategy.class);
     private static final AuthenticationChallenge X_USER_CHALLENGE = 
AuthenticationChallenge.of(
         AuthenticationScheme.of("XUserHeader"),
         ImmutableMap.of());
 
+    private static Optional<String> 
extractXUserSecretFromConfig(PropertiesProvider propertiesProvider) {
+        try {
+            return 
Optional.ofNullable(propertiesProvider.getConfiguration("jmap"))
+                .map(config -> 
config.getString(AUTHENTICATION_STRATEGY_XUSER_SECRET, null));
+        } catch (FileNotFoundException | ConfigurationException e) {
+            return Optional.empty();
+        }
+    }
+
     private final UsersRepository usersRepository;
     private final MailboxManager mailboxManager;
+    private final Function<HttpServerRequest, Optional<Username>> 
usernameExtractor;
 
     @Inject
-    public XUserAuthenticationStrategy(UsersRepository usersRepository, 
MailboxManager mailboxManager) {
+    public XUserAuthenticationStrategy(UsersRepository usersRepository,
+                                       MailboxManager mailboxManager,
+                                       PropertiesProvider configuration) {
+        this(usersRepository, mailboxManager, 
extractXUserSecretFromConfig(configuration));
+    }
+
+    public XUserAuthenticationStrategy(UsersRepository usersRepository,
+                                       MailboxManager mailboxManager,
+                                       Optional<String> xUserSecret) {
         this.usersRepository = usersRepository;
         this.mailboxManager = mailboxManager;
+        this.usernameExtractor = xUserSecret
+            .map(this::createUsernameExtractorWithSecretValidation)
+            .orElseGet(() -> {
+                LOGGER.warn("No X-User-Secret value found. X-User header will 
be used without secret validation.");
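Review bot: the `catch (FileNotFoundException | ConfigurationException e)` block in extractXUserSecretFromConfig silently maps a missing or unparseable jmap configuration to Optional.empty(), so a deployment that did set authentication.strategy.rfc8621.xUser.secret but whose configuration failed to load degrades to the unvalidated X-User mode with only the generic warning from the orElseGet branch. Log the exception in that catch (at least at warn, e.g. `LOGGER.warn("Could not load jmap configuration, X-User secret validation disabled", e);`) so operators can tell "secret not configured" from "configuration not loaded". Relatedly, config.getString(AUTHENTICATION_STRATEGY_XUSER_SECRET, null) can return an empty string when the key is present but blank, which Optional.ofNullable would hand to createUsernameExtractorWithSecretValidation as a valid secret; consider adding `.filter(secret -> !secret.isBlank())` to that chain or rejecting blank values at startup rather than enabling validation against an empty secret.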

Review Comment:
   Add:
   ```suggestion
                   LOGGER.warn("No X-User-Secret value found. X-User header will be used without secret validation which can pose a security risk if an attacker gains access to the JMAP endpoint. Secret validation can be set up via the authentication.strategy.rfc8621.xUser.secret jmap configuration property.");
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
