Webadmin agent invalidation

Signed-off-by: sami <[email protected]>

Author: samiulsami

backends-common/redis/pom.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.james</groupId>
+        <artifactId>james-backends-common</artifactId>
+        <version>3.9.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>apache-james-backends-redis</artifactId>
+    <name>Apache James :: Backends Common :: Redis</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-guice-common</artifactId>
+            <type>test-jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-testing</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>eu.timepit</groupId>
+            <artifactId>refined_${scala.base}</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.lettuce</groupId>
+            <artifactId>lettuce-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor</groupId>
+            <artifactId>reactor-scala-extensions_${scala.base}</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.scalatest</groupId>
+            <artifactId>scalatest_${scala.base}</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>net.alchim31.maven</groupId>
+                <artifactId>scala-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>

examples/pom.xml.bak

@@ -38,6 +38,7 @@
     <james.protocols.groupId>${james.groupId}.protocols</james.protocols.groupId>
     <maven.compiler.target>1.11</maven.compiler.target>
     <maven.compiler.source>1.11</maven.compiler.source>
+    <jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
   </properties>
 
   <modules>
@@ -57,6 +58,7 @@
       <plugin>
         <groupId>org.jacoco</groupId>
         <artifactId>jacoco-maven-plugin</artifactId>
+        <version>${jacoco-maven-plugin.version}</version>
         <executions>
           <execution>
             <id>jacoco-report</id>

server/apps/distributed-app/README.adoc

@@ -128,7 +128,7 @@ $ docker compose -f docker-composeOLD.yml up
 $ cd server/apps/distributed-app/
 
 $ mvn clean install -DskipTests
- OR
+## OR
 $ mvn com.github.ekryd.sortpom:sortpom-maven-plugin:sort -Dsort.keepBlankLines -Dsort.predefinedSortOrder=custom_1 -DskipTests clean install
 
 $ docker compose -f docker-compose.yml up -d

server/apps/distributed-app/mounting specific files.yaml

@@ -0,0 +1,87 @@
+version: '3'
+
+services:
+
+  james:
+    depends_on:
+      cassandra:
+        condition: service_healthy
+      opensearch:
+        condition: service_started
+      tika:
+        condition: service_started
+      rabbitmq:
+        condition: service_started
+      s3:
+        condition: service_started
+    image: sami7786/distributed-james-test:webadmin-invalidation
+    volumes:
+      - $PWD/jmap.properties:/root/conf/jmap.properties
+    container_name: james
+    hostname: james.local
+    command:
+      - --generate-keystore
+    networks:
+      - james
+    ports:
+      - "80:80"
+      - "25:25"
+      - "110:110"
+      - "143:143"
+      - "465:465"
+      - "587:587"
+      - "993:993"
+      - "8000:8000"
+
+  opensearch:
+    image: opensearchproject/opensearch:2.1.0
+    environment:
+      - discovery.type=single-node
+      - DISABLE_INSTALL_DEMO_CONFIG=true
+      - DISABLE_SECURITY_PLUGIN=true
+    networks:
+      james:
+        aliases:
+          - elasticsearch
+
+  cassandra:
+    image: cassandra:4.1.3
+    ports:
+      - "9042:9042"
+    healthcheck:
+      test: [ "CMD", "cqlsh", "-e", "describe keyspaces" ]
+      interval: 3s
+      timeout: 20s
+      retries: 5
+    environment:
+      - JVM_OPTS=-Dcassandra.skip_wait_for_gossip_to_settle=0 -Dcassandra.initial_token=1
+    networks:
+      - james
+
+  tika:
+    image: apache/tika:2.8.0.0
+    networks:
+      - james
+
+  rabbitmq:
+    image: rabbitmq:3.12.1-management
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    networks:
+      - james
+
+  s3:
+    image: registry.scality.com/cloudserver/cloudserver:8.7.25
+    container_name: s3.docker.test
+    environment:
+      - SCALITY_ACCESS_KEY_ID=accessKey1
+      - SCALITY_SECRET_ACCESS_KEY=secretKey1
+      - S3BACKEND=mem
+      - LOG_LEVEL=trace
+      - REMOTE_MANAGEMENT_DISABLE=1
+    networks:
+      - james
+
+networks:
+  james:

server/container/guice/protocols/webadmin/src/main/java/org/apache/james/modules/server/WebAdminServerModule.java

@@ -40,6 +40,7 @@
 import org.apache.james.server.task.json.dto.AdditionalInformationDTO;
 import org.apache.james.server.task.json.dto.AdditionalInformationDTOModule;
 import org.apache.james.task.TaskExecutionDetails;
+import org.apache.james.user.api.UsersRepository;
 import org.apache.james.utils.ClassName;
 import org.apache.james.utils.ExtensionConfiguration;
 import org.apache.james.utils.GuiceGenericLoader;
@@ -182,11 +183,11 @@ private Optional<String> loadPublicKey(FileSystem fileSystem, Optional<String> j
     @Provides
     @Singleton
     public AuthenticationFilter providesAuthenticationFilter(PropertiesProvider propertiesProvider,
-                                                             @Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifier) throws Exception {
+                                                             @Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifier, UsersRepository usersRepository) throws Exception {
         try {
             Configuration configurationFile = propertiesProvider.getConfiguration("webadmin");
             if (configurationFile.getBoolean("jwt.enabled", DEFAULT_JWT_DISABLED)) {
-                return new JwtFilter(jwtTokenVerifier);
+                return new JwtFilter(jwtTokenVerifier, usersRepository);
             }
             return new NoAuthenticationFilter();
         } catch (FileNotFoundException e) {

server/protocols/jwt/pom.xml

@@ -105,6 +105,10 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-configuration2</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.james</groupId>
+            <artifactId>james-server-data-api</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>

server/protocols/webadmin/webadmin-core/pom.xml

@@ -85,7 +85,8 @@
         <dependency>
             <groupId>com.auth0</groupId>
             <artifactId>java-jwt</artifactId>
-            <version>4.2.1</version> <!-- Check for the latest version -->
+            <version>4.2.1</version>
+            <!-- Check for the latest version -->
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>

server/protocols/webadmin/webadmin-core/src/main/java/org/apache/james/webadmin/authentication/JwtFilter.java

@@ -27,7 +27,10 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 
+import org.apache.james.core.Username;
 import org.apache.james.jwt.JwtTokenVerifier;
+import org.apache.james.user.api.UsersRepository;
+import org.apache.james.user.api.UsersRepositoryException;
 import org.eclipse.jetty.http.HttpStatus;
 
 import com.auth0.jwt.JWT;
@@ -45,11 +48,13 @@ public class JwtFilter implements AuthenticationFilter {
     public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
     public static final String OPTIONS = "OPTIONS";
 
+    private final UsersRepository usersRepository;
     private final JwtTokenVerifier jwtTokenVerifier;
 
     @Inject
-    public JwtFilter(@Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifierFactory) {
+    public JwtFilter(@Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifierFactory, UsersRepository usersRepository) {
         this.jwtTokenVerifier = jwtTokenVerifierFactory.create();
+        this.usersRepository = usersRepository;
     }
 
     @Override
@@ -95,10 +100,20 @@ private void checkIfNotAdminAndTypeEqualAgent(Optional<String> bearer, Request r
         ObjectMapper mapper = new ObjectMapper();
         JsonNode payloadNode = mapper.readTree(payload);
 
+        JsonNode usernameNode = payloadNode.get("sub");
+
+        try {
+            if (!usersRepository.contains(Username.of(usernameNode != null ? usernameNode.asText() : "N/A"))) {
+                halt(HttpStatus.NOT_FOUND_404, "User does not exist in repository.");
+            }
+        } catch (UsersRepositoryException e) {
+            throw new RuntimeException(e);
+        }
+
         JsonNode typeNode = payloadNode.get("type");
         String type = typeNode != null ? typeNode.asText() : "N/A";
         if (!type.equals("agent")) {
-            halt(HttpStatus.UNAUTHORIZED_401, "Non authorized user.Type is not agent");
+            halt(HttpStatus.UNAUTHORIZED_401, "Non authorized user. Type is not agent");
         }
         AtomicBoolean flag = new AtomicBoolean(false);
 
@@ -122,7 +137,7 @@ private void checkIfNotAdminAndTypeEqualAgent(Optional<String> bearer, Request r
         if (flag.get()) {
             return;
         }
-        halt(HttpStatus.UNAUTHORIZED_401, "Non authorized user.Do not have permission.");
+        halt(HttpStatus.UNAUTHORIZED_401, "Non authorized user. Do not have permission.");
     }
 
     private void checkHeaderPresent(Optional<String> bearer) {

server/protocols/webadmin/webadmin-core/src/test/java/org/apache/james/webadmin/authentication/JwtFilterTest.java

@@ -27,6 +27,7 @@
 import java.util.Optional;
 
 import org.apache.james.jwt.JwtTokenVerifier;
+import org.apache.james.user.api.UsersRepository;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -39,11 +40,13 @@
 class JwtFilterTest {
     private JwtTokenVerifier jwtTokenVerifier;
     private JwtFilter jwtFilter;
+    private UsersRepository usersRepository;
 
     @BeforeEach
     void setUp() {
         jwtTokenVerifier = mock(JwtTokenVerifier.class);
-        jwtFilter = new JwtFilter(() -> jwtTokenVerifier);
+        usersRepository = mock(UsersRepository.class);
+        jwtFilter = new JwtFilter(() -> jwtTokenVerifier, usersRepository);
     }
 
     @Test