webadmin authorization

Signed-off-by: sami <[email protected]>
ops-center · Oct 2, 2024 · 4adc797 · 4adc797
1 parent 7bf1390
commit 4adc797
Show file tree

Hide file tree

Showing 13 changed files with 243 additions and 94 deletions.
diff --git a/backends-common/redis/pom.xml b/backends-common/redis/pom.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.james</groupId>
+        <artifactId>james-backends-common</artifactId>
+        <version>3.9.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>apache-james-backends-redis</artifactId>
+    <name>Apache James :: Backends Common :: Redis</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-guice-common</artifactId>
+            <type>test-jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-testing</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>eu.timepit</groupId>
+            <artifactId>refined_${scala.base}</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.lettuce</groupId>
+            <artifactId>lettuce-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor</groupId>
+            <artifactId>reactor-scala-extensions_${scala.base}</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.scalatest</groupId>
+            <artifactId>scalatest_${scala.base}</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>net.alchim31.maven</groupId>
+                <artifactId>scala-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/examples/pom.xml b/examples/pom.xml
@@ -50,6 +50,10 @@
     <james.protocols.groupId>${james.groupId}.protocols</james.protocols.groupId>
     <maven.compiler.target>1.11</maven.compiler.target>
     <maven.compiler.source>1.11</maven.compiler.source>
+<<<<<<< HEAD
+=======
+    <jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
+>>>>>>> 78c823221d (Check user existence in webadmin routes for non-admin users)
   </properties>
 
   <build>

diff --git a/examples/pom.xml.bak b/examples/pom.xml.bak
diff --git a/server/apps/distributed-app/README.adoc b/server/apps/distributed-app/README.adoc
@@ -128,7 +128,7 @@ $ docker compose -f docker-composeOLD.yml up
 $ cd server/apps/distributed-app/
 
 $ mvn clean install -DskipTests
- OR
+## OR
 $ mvn com.github.ekryd.sortpom:sortpom-maven-plugin:sort -Dsort.keepBlankLines -Dsort.predefinedSortOrder=custom_1 -DskipTests clean install
 
 $ docker compose -f docker-compose.yml up -d

diff --git a/server/apps/distributed-app/docker-composeOLD.yml b/server/apps/distributed-app/docker-composeOLD.yml
@@ -15,8 +15,8 @@ services:
     image: ghcr.io/appscode/inbox-server:latest
     container_name: james
     hostname: james.local
-   # volumes:
-     # - $PWD/webadmin.properties:/root/conf/webadmin.properties
+    volumes:
+      - $PWD/jmap.properties:/root/conf/jmap.properties
     command:
       - --generate-keystore
     networks:

diff --git a/server/apps/distributed-app/jmap.properties b/server/apps/distributed-app/jmap.properties
@@ -0,0 +1,47 @@
+# Configuration file for JMAP
+# Read https://james.apache.org/server/config-jmap.html for further details
+
+enabled=true
+jmap.version.default=rfc-8621
+tls.keystoreURL=file://conf/keystore
+tls.secret=james72laBalle
+
+
+jmap.port=80
+url.prefix=http://localhost
+websocket.url.prefix=ws://localhost
+
+email.send.max.size=100M
+max.size.attachments.per.mail=100M
+# only not work for RabbitMQ mail queue
+#delay.sends.enabled=true
+
+# Alternatively TLS keys can be supplied via PEM files
+# tls.privateKey=file://conf/private.nopass.key
+# tls.certificates=file://conf/certs.self-signed.csr
+# An optional secret might be specified for the private key
+# tls.secret=james72laBalle
+# view.email.query.enabled=true
+#authentication.strategy.draft=BasicAuthenticationStrategy
+user.provisioning.enabled=false
+#
+# If you wish to use OAuth authentication, you should provide a valid JWT public key.
+# The following entry specify the link to the URL of the public key file,
+# which should be a PEM format file.
+#
+jwt.publickeypem.url=file://conf/rs256-4096-public.pem
+# Should simple Email/query be resolved against a Cassandra projection, or should we resolve them against OpenSearch?
+# This enables a higher resilience, but the projection needs to be correctly populated. False by default.
+# view.email.query.enabled=true
+
+# If you want to specify authentication strategies for Jmap draft version
+# For custom Authentication Strategy not inside package "org.apache.james.jmap.http", you have to specify its FQDN
+# authentication.strategy.draft=AccessTokenAuthenticationStrategy,JWTAuthenticationStrategy,QueryParameterAccessTokenAuthenticationStrategy
+
+# If you want to specify authentication strategies for Jmap rfc-8621 version
+# For custom Authentication Strategy not inside package "org.apache.james.jmap.http", you have to specify its FQDN
+
+authentication.strategy.rfc8621=JWTAuthenticationStrategy,BasicAuthenticationStrategy
+
+# Prevent server side request forgery by preventing calls to the private network ranges. Defaults to true, can be disabled for testing.
+webpush.prevent.server.side.request.forgery=false
diff --git a/server/apps/distributed-app/mounting specific files.yaml b/server/apps/distributed-app/mounting specific files.yaml
@@ -0,0 +1,87 @@
+version: '3'
+
+services:
+
+  james:
+    depends_on:
+      cassandra:
+        condition: service_healthy
+      opensearch:
+        condition: service_started
+      tika:
+        condition: service_started
+      rabbitmq:
+        condition: service_started
+      s3:
+        condition: service_started
+    image: sami7786/distributed-james-test:webadmin-invalidation
+    volumes:
+      - $PWD/jmap.properties:/root/conf/jmap.properties
+    container_name: james
+    hostname: james.local
+    command:
+      - --generate-keystore
+    networks:
+      - james
+    ports:
+      - "80:80"
+      - "25:25"
+      - "110:110"
+      - "143:143"
+      - "465:465"
+      - "587:587"
+      - "993:993"
+      - "8000:8000"
+
+  opensearch:
+    image: opensearchproject/opensearch:2.1.0
+    environment:
+      - discovery.type=single-node
+      - DISABLE_INSTALL_DEMO_CONFIG=true
+      - DISABLE_SECURITY_PLUGIN=true
+    networks:
+      james:
+        aliases:
+          - elasticsearch
+
+  cassandra:
+    image: cassandra:4.1.3
+    ports:
+      - "9042:9042"
+    healthcheck:
+      test: [ "CMD", "cqlsh", "-e", "describe keyspaces" ]
+      interval: 3s
+      timeout: 20s
+      retries: 5
+    environment:
+      - JVM_OPTS=-Dcassandra.skip_wait_for_gossip_to_settle=0 -Dcassandra.initial_token=1
+    networks:
+      - james
+
+  tika:
+    image: apache/tika:2.8.0.0
+    networks:
+      - james
+
+  rabbitmq:
+    image: rabbitmq:3.12.1-management
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    networks:
+      - james
+
+  s3:
+    image: registry.scality.com/cloudserver/cloudserver:8.7.25
+    container_name: s3.docker.test
+    environment:
+      - SCALITY_ACCESS_KEY_ID=accessKey1
+      - SCALITY_SECRET_ACCESS_KEY=secretKey1
+      - S3BACKEND=mem
+      - LOG_LEVEL=trace
+      - REMOTE_MANAGEMENT_DISABLE=1
+    networks:
+      - james
+
+networks:
+  james:
diff --git a/server/apps/distributed-app/pom.xml b/server/apps/distributed-app/pom.xml
@@ -446,15 +446,9 @@
                         <image>eclipse-temurin:11-jre-jammy</image>
                     </from>
                     <to>
-<<<<<<< HEAD
                         <image>ghcr.io/appscode/inbox-server</image>
                         <tags>
                             <tag>latest</tag>
-=======
-                        <image>sami7786/distributed-james-test</image>
-                        <tags>
-                            <tag>disable-user-provisioning</tag>
->>>>>>> ae975b8150 (Force JMAP endpoints to check for user existence.)
                         </tags>
                     </to>
                     <container>

diff --git a/...rotocols/webadmin/src/main/java/org/apache/james/modules/server/WebAdminServerModule.java b/...rotocols/webadmin/src/main/java/org/apache/james/modules/server/WebAdminServerModule.java
@@ -40,6 +40,7 @@
 import org.apache.james.server.task.json.dto.AdditionalInformationDTO;
 import org.apache.james.server.task.json.dto.AdditionalInformationDTOModule;
 import org.apache.james.task.TaskExecutionDetails;
+import org.apache.james.user.api.UsersRepository;
 import org.apache.james.utils.ClassName;
 import org.apache.james.utils.ExtensionConfiguration;
 import org.apache.james.utils.GuiceGenericLoader;
@@ -182,11 +183,11 @@ private Optional<String> loadPublicKey(FileSystem fileSystem, Optional<String> j
     @Provides
     @Singleton
     public AuthenticationFilter providesAuthenticationFilter(PropertiesProvider propertiesProvider,
-                                                             @Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifier) throws Exception {
+                                                             @Named("webadmin") JwtTokenVerifier.Factory jwtTokenVerifier, UsersRepository usersRepository) throws Exception {
         try {
             Configuration configurationFile = propertiesProvider.getConfiguration("webadmin");
             if (configurationFile.getBoolean("jwt.enabled", DEFAULT_JWT_DISABLED)) {
-                return new JwtFilter(jwtTokenVerifier);
+                return new JwtFilter(jwtTokenVerifier, usersRepository);
             }
             return new NoAuthenticationFilter();
         } catch (FileNotFoundException e) {

diff --git a/server/protocols/jwt/pom.xml b/server/protocols/jwt/pom.xml
@@ -105,6 +105,10 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-configuration2</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.james</groupId>
+            <artifactId>james-server-data-api</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>

diff --git a/server/protocols/webadmin/webadmin-core/pom.xml b/server/protocols/webadmin/webadmin-core/pom.xml
@@ -85,7 +85,8 @@
         <dependency>
             <groupId>com.auth0</groupId>
             <artifactId>java-jwt</artifactId>
-            <version>4.2.1</version> <!-- Check for the latest version -->
+            <version>4.2.1</version>
+            <!-- Check for the latest version -->
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>