This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 9d599ad968013365661028bb02b4788ed19fbf41 Author: Benoit Tellier <[email protected]> AuthorDate: Tue Mar 24 18:26:48 2020 +0700 JAMES-3087 Fix QueryParameterAccessTokenAuthenticationStrategy --- .../integration/cucumber/DownloadStepdefs.java | 17 ++++++++++++++ .../resources/cucumber/DownloadEndpoint.feature | 2 +- ...ParameterAccessTokenAuthenticationStrategy.java | 27 ++++++++++++++++++---- 3 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/java/org/apache/james/jmap/draft/methods/integration/cucumber/DownloadStepdefs.java b/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/java/org/apache/james/jmap/draft/methods/integration/cucumber/DownloadStepdefs.java
index 961ada7..eb1e05f 100644
--- a/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/java/org/apache/james/jmap/draft/methods/integration/cucumber/DownloadStepdefs.java
+++ b/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/java/org/apache/james/jmap/draft/methods/integration/cucumber/DownloadStepdefs.java
@@ -194,6 +194,16 @@ public class DownloadStepdefs {
 downLoad(username, attachmentIdOrMessageId);
 }
 
+ @When("^\"([^\"]*)\" downloads \"([^\"]*)\" using query parameter strategy$")
+ public void downloadsUsingQueryParameter(String username, String blobId) throws Throwable {
+ String attachmentIdOrMessageId = Optional.ofNullable(blobIdByAttachmentId.get(blobId))
+ .orElse(Optional.ofNullable(inputToMessageId.get(blobId))
+ .map(MessageId::serialize)
+ .orElse(null));
+ URIBuilder uriBuilder = baseUri(mainStepdefs.jmapServer).setPath("/download/" + attachmentIdOrMessageId);
+ response = queryParameterDownloadRequest(uriBuilder, attachmentIdOrMessageId, username).execute().returnResponse();
+ }
+
 @When("^un-authenticated user downloads \"([^\"]*)\"$")
 public void downloadsUnAuthenticated(String blobId) throws Throwable {
 String attachmentIdOrMessageId = Optional.ofNullable(blobIdByAttachmentId.get(blobId))
@@ -232,6 +242,13 @@ public class DownloadStepdefs {
 return request;
 }
 
+ private Request queryParameterDownloadRequest(URIBuilder uriBuilder, String blobId, String username) throws URISyntaxException {
+ AccessToken accessToken = userStepdefs.authenticate(username);
+ AttachmentAccessTokenKey key = new AttachmentAccessTokenKey(username, blobId);
+ uriBuilder.addParameter("access_token", attachmentAccessTokens.get(key).serialize());
+ return Request.Get(uriBuilder.build());
+ }
+
 @When("^\"([^\"]*)\" is trusted for attachment \"([^\"]*)\"$")
 public void attachmentAccessTokenFor(String username, String attachmentId) throws Throwable {
 userStepdefs.connectUser(username);
diff --git a/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/resources/cucumber/DownloadEndpoint.feature b/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/resources/cucumber/DownloadEndpoint.feature
index 2920b19..6270201 100644
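Review bot: `downloadsUsingQueryParameter` repeats the blob-id resolution (`Optional.ofNullable(blobIdByAttachmentId.get(blobId)).orElse(...)`) verbatim from `downloadsUnAuthenticated` in the context just below it, and the same expression presumably sits in the other download steps of this class; a private `String resolveBlobId(String blobId)` helper would keep those steps from drifting apart. The nested `orElse(Optional...orElse(null))` also reads more directly as `Optional.ofNullable(blobIdByAttachmentId.get(blobId)).or(() -> Optional.ofNullable(inputToMessageId.get(blobId)).map(MessageId::serialize)).orElse(null)` if this module targets Java 9 or later.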
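Review bot: In `queryParameterDownloadRequest` the `accessToken` local is assigned from `userStepdefs.authenticate(username)` and never read, so either the call is wanted only for its side effect (then drop the variable and say so in a one-line comment) or it is dead code and should go. `attachmentAccessTokens.get(key)` is dereferenced without a check, so a scenario that omits the `is trusted for attachment` step fails with a bare NullPointerException rather than a message naming the missing setup; `AttachmentAccessToken token = Objects.requireNonNull(attachmentAccessTokens.get(key), () -> "no attachment access token registered for " + key);` (java.util.Objects) makes that failure self-explaining.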
--- a/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/resources/cucumber/DownloadEndpoint.feature
+++ b/server/protocols/jmap-draft-integration-testing/jmap-draft-integration-testing-common/src/test/resources/cucumber/DownloadEndpoint.feature
@@ -73,7 +73,7 @@ Feature: Download endpoint
 @BasicFeature
 Scenario: A user should have access to the download endpoint when an authentication token is valid
 Given "[email protected]" is trusted for attachment "a1"
- When "[email protected]" downloads "a1"
+ When "[email protected]" downloads "a1" using query parameter strategy
 Then the user should be authorized
 
 Scenario: An authenticated user should have access to the download endpoint
diff --git a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/http/QueryParameterAccessTokenAuthenticationStrategy.java b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/http/QueryParameterAccessTokenAuthenticationStrategy.java
index 1aa6e5b..cc211e5 100644
--- a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/http/QueryParameterAccessTokenAuthenticationStrategy.java
+++ b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/http/QueryParameterAccessTokenAuthenticationStrategy.java
@@ -20,6 +20,8 @@ package org.apache.james.jmap.http;
 
 import static org.apache.james.jmap.http.DownloadRoutes.BLOB_ID_PATH_PARAM;
 
+import java.util.Optional;
+
 import javax.inject.Inject;
 
 import org.apache.james.core.Username;
@@ -31,6 +33,7 @@ import org.apache.james.mailbox.MailboxSession;
 
 import com.google.common.annotations.VisibleForTesting;
 
+import io.netty.handler.codec.http.QueryStringDecoder;
 import reactor.core.publisher.Mono;
 import reactor.netty.http.server.HttpServerRequest;
 
@@ -49,7 +52,7 @@ public class QueryParameterAccessTokenAuthenticationStrategy implements Authenti
 
 @Override
 public Mono<MailboxSession> createMailboxSession(HttpServerRequest httpRequest) {
- return getAccessToken(httpRequest)
+ return Mono.justOrEmpty(getAccessToken(httpRequest))
 .filter(tokenManager::isValid)
 .map(AttachmentAccessToken::getUsername)
 .map(Username::of)
@@ -57,12 +60,26 @@ public class QueryParameterAccessTokenAuthenticationStrategy implements Authenti
 .switchIfEmpty(Mono.error(new UnauthorizedException()));
 }
 
- private Mono<AttachmentAccessToken> getAccessToken(HttpServerRequest httpRequest) {
+ private Optional<AttachmentAccessToken> getAccessToken(HttpServerRequest httpRequest) {
 try {
- return Mono.justOrEmpty(httpRequest.param(BLOB_ID_PATH_PARAM))
- .map(blobId -> AttachmentAccessToken.from(httpRequest.param(AUTHENTICATION_PARAMETER), blobId));
+
+ return Optional.ofNullable(httpRequest.param(BLOB_ID_PATH_PARAM))
+ .flatMap(blobId -> queryParam(httpRequest, AUTHENTICATION_PARAMETER)
+ .map(serializedAttachmentAccessToken -> AttachmentAccessToken.from(serializedAttachmentAccessToken, blobId)));
 } catch (IllegalArgumentException e) {
- return Mono.empty();
+ return Optional.empty();
 }
 }
+
+ private Optional<String> queryParam(HttpServerRequest httpRequest, String parameterName) {
+ return queryParam(parameterName, httpRequest.uri());
+ }
+
+ private Optional<String> queryParam(String parameterName, String uri) {
+ return new QueryStringDecoder(uri)
+ .parameters()
+ .get(parameterName)
+ .stream()
+ .findFirst();
+ }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
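Review bot: `queryParam(String, String)` calls `.stream()` on `QueryStringDecoder.parameters().get(parameterName)`, which is `null` when the request carries no `access_token` query parameter, so a download URL with a blob id but no token throws a NullPointerException from inside the `flatMap` lambda instead of yielding `Optional.empty()` — the surrounding `catch` only handles `IllegalArgumentException`. Because the hunk above now evaluates `getAccessToken` eagerly inside `createMailboxSession` rather than on subscription, that exception propagates synchronously to the caller, and whether the client then sees a 401 or a 500 depends on the strategy chain outside this diff. One way to close the gap without widening the catch is `return Optional.ofNullable(new QueryStringDecoder(uri).parameters().get(parameterName)).flatMap(values -> values.stream().findFirst());`. As a point of style, the two `queryParam` overloads take their arguments in opposite orders (`httpRequest, parameterName` versus `parameterName, uri`); aligning them avoids a confusing call site.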
