This is an automated email from the ASF dual-hosted git repository. quantranhong1999 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 61f9840a1025401c02b0a84be0fe81673f42a99b Author: Felix Auringer <[email protected]> AuthorDate: Mon May 18 12:38:52 2026 +0200 refactor(imap): move oauth methods to its plain auth counterparts --- .../imap/processor/AbstractAuthProcessor.java | 20 +++++++++++ .../imap/processor/AuthenticateProcessor.java | 41 ++++++---------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java index 4bd2cbb633..69cb152ea5 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java @@ -27,6 +27,8 @@ import org.apache.james.imap.api.message.request.ImapRequest; import org.apache.james.imap.api.message.response.StatusResponseFactory; import org.apache.james.imap.api.process.ImapSession; import org.apache.james.imap.main.PathConverter; +import org.apache.james.jwt.OidcJwtTokenVerifier; +import org.apache.james.jwt.OidcSASLConfiguration; import org.apache.james.mailbox.Authorizator; import org.apache.james.mailbox.DefaultMailboxes; import org.apache.james.mailbox.MailboxManager; @@ -39,6 +41,7 @@ import org.apache.james.mailbox.exception.UserDoesNotExistException; import org.apache.james.mailbox.model.MailboxConstants; import org.apache.james.mailbox.model.MailboxPath; import org.apache.james.metrics.api.MetricFactory; +import org.apache.james.protocols.api.OIDCSASLParser; import org.apache.james.util.AuditTrail; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -191,6 +194,23 @@ public abstract class AbstractAuthProcessor<R extends ImapRequest> extends Abstr } } + protected void doOAuth(OIDCSASLParser.OIDCInitialResponse oidcInitialResponse, OidcSASLConfiguration oidcSASLConfiguration, + ImapSession session, ImapRequest request, Responder responder) { + new OidcJwtTokenVerifier(oidcSASLConfiguration).validateToken(oidcInitialResponse.getToken()) + .ifPresentOrElse(authenticatedUser -> { + Username associatedUser = Username.of(oidcInitialResponse.getAssociatedUser()); + if (!associatedUser.equals(authenticatedUser)) { + doAuthWithDelegation(() -> getMailboxManager() + .withExtraAuthorizator(withAdminUsers()) + .authenticate(authenticatedUser) + .as(associatedUser), + session, request, responder, authenticatedUser, associatedUser); + } else { + authSuccess(authenticatedUser, session, request, responder); + } + }, () -> manageFailureCount(session, request, responder)); + } + protected void provisionInbox(ImapSession session, MailboxManager mailboxManager, MailboxSession mailboxSession) throws MailboxException { MailboxPath inboxPath = pathConverterFactory.forSession(session).buildFullPath(MailboxConstants.INBOX); if (Mono.from(mailboxManager.mailboxExists(inboxPath, mailboxSession)).block()) { diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java index 1f66be3daa..2988064e82 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java @@ -39,8 +39,6 @@ import org.apache.james.imap.main.PathConverter; import org.apache.james.imap.message.request.AuthenticateRequest; import org.apache.james.imap.message.request.IRAuthenticateRequest; import org.apache.james.imap.message.response.AuthenticateResponse; -import org.apache.james.jwt.OidcJwtTokenVerifier; -import org.apache.james.jwt.OidcSASLConfiguration; import org.apache.james.mailbox.MailboxManager; import org.apache.james.metrics.api.MetricFactory; import org.apache.james.protocols.api.OIDCSASLParser; @@ -143,6 +141,17 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq session.stopDetectingCommandInjection(); } + /** + * Parse the initial client response and start oauth authentication. + */ + protected void parseAndDoOAuth(String initialResponse, ImapSession session, ImapRequest request, Responder responder) { + OIDCSASLParser.parse(initialResponse) + .flatMap(oidcInitialResponseValue -> session.oidcSaslConfiguration().map(configure -> Pair.of(oidcInitialResponseValue, configure))) + .ifPresentOrElse(pair -> doOAuth(pair.getLeft(), pair.getRight(), session, request, responder), + () -> manageFailureCount(session, request, responder)); + session.stopDetectingCommandInjection(); + } + private AuthenticationAttempt parseDelegationAttempt(String initialClientResponse) { try { String userpass = new String(Base64.getDecoder().decode(initialClientResponse)); @@ -201,34 +210,6 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq .addToContext("authType", request.getAuthType()); } - /** - * Parse the initial client response and start oauth authentication. - */ - protected void parseAndDoOAuth(String initialResponse, ImapSession session, ImapRequest request, Responder responder) { - OIDCSASLParser.parse(initialResponse) - .flatMap(oidcInitialResponseValue -> session.oidcSaslConfiguration().map(configure -> Pair.of(oidcInitialResponseValue, configure))) - .ifPresentOrElse(pair -> doOAuth(pair.getLeft(), pair.getRight(), session, request, responder), - () -> manageFailureCount(session, request, responder)); - session.stopDetectingCommandInjection(); - } - - private void doOAuth(OIDCSASLParser.OIDCInitialResponse oidcInitialResponse, OidcSASLConfiguration oidcSASLConfiguration, - ImapSession session, ImapRequest request, Responder responder) { - new OidcJwtTokenVerifier(oidcSASLConfiguration).validateToken(oidcInitialResponse.getToken()) - .ifPresentOrElse(authenticatedUser -> { - Username associatedUser = Username.of(oidcInitialResponse.getAssociatedUser()); - if (!associatedUser.equals(authenticatedUser)) { - doAuthWithDelegation(() -> getMailboxManager() - .withExtraAuthorizator(withAdminUsers()) - .authenticate(authenticatedUser) - .as(associatedUser), - session, request, responder, authenticatedUser, associatedUser); - } else { - oauthSuccess(authenticatedUser, session, request, responder); - } - }, () -> manageFailureCount(session, request, responder)); - } - private static String extractInitialClientResponse(byte[] data) { // cut of the CRLF return new String(data, 0, data.length - 2, StandardCharsets.US_ASCII); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
