bin/kolab_smtp_access_policy.py

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Wed Jun 6 10:32:37 CEST 2012


 bin/kolab_smtp_access_policy.py |  104 +++++++++++++++++++++++++++-------------
 1 file changed, 71 insertions(+), 33 deletions(-)

New commits:
commit 5b96c88e3777c16f50b87227fc46e48807aa5b8a
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed Jun 6 10:22:02 2012 +0200

    Correct the Kolab SMTP Access Policy not matching alias email address to it's own authenticated entry (#827)

diff --git a/bin/kolab_smtp_access_policy.py b/bin/kolab_smtp_access_policy.py
index f2f7116..d7019fe 100755
--- a/bin/kolab_smtp_access_policy.py
+++ b/bin/kolab_smtp_access_policy.py
@@ -410,10 +410,15 @@ class PolicyRequest(object):
             John.Doe at example.org (mail) for example could be sending with
             envelope sender jdoe at example.org (mailAlternateAddress, alias).
         """
-        search_attrs = conf.get_list(
-                'kolab_smtp_access_policy',
-                'address_search_attrs'
-            )
+        search_attrs = conf.get_list(self.sasl_domain, 'mail_attributes')
+
+        if search_attrs == None or \
+                (isinstance(search_attrs, list) and len(search_attrs) == 0):
+
+            search_attrs = conf.get_list(
+                    conf.get('kolab', 'auth_mechanism'),
+                    'mail_attributes'
+                )
 
         # Catch a user using one of its own alias addresses.
         for search_attr in search_attrs:
@@ -452,12 +457,19 @@ class PolicyRequest(object):
             else:
                 self.sasl_domain = conf.get('kolab', 'primary_domain')
 
-        self.sasl_user = {
-                'dn': auth.find_recipient(
-                        self.sasl_username,
-                        domain=self.sasl_domain
-                    )
-            }
+        sasl_users = auth.find_recipient(
+                self.sasl_username,
+                domain=self.sasl_domain
+            )
+
+        if isinstance(sasl_users, list):
+            if len(sasl_users) == 0:
+                log.error(_("Could not find recipient"))
+                return False
+            else:
+                self.sasl_user = { 'dn': sasl_users[0] }
+        elif isinstance(sasl_users, basestring):
+            self.sasl_user = { 'dn': sasl_users }
 
         if not self.sasl_user['dn']:
             # Got a final answer here, do the caching thing.
@@ -472,13 +484,29 @@ class PolicyRequest(object):
 
             reject(
                     _("Could not find envelope sender user %s") % (
-                        self.sasl_username
+                            self.sasl_username
                         )
                 )
 
         attrs = conf.get_list(self.sasl_domain, 'auth_attributes')
-        if attrs == None:
-            attrs = conf.get_list(conf.get('kolab', 'auth_mechanism'), 'auth_attributes')
+
+        if attrs == None or (isinstance(attrs, list) and len(attrs) == 0):
+            attrs = conf.get_list(
+                    conf.get('kolab', 'auth_mechanism'),
+                    'auth_attributes'
+                )
+
+        mail_attrs = conf.get_list(self.sasl_domain, 'mail_attributes')
+        if mail_attrs == None or \
+                (isinstance(mail_attrs, list) and len(mail_attrs) == 0):
+
+            mail_attrs = conf.get_list(
+                    conf.get('kolab', 'auth_mechanism'),
+                    'mail_attributes'
+                )
+
+        if not mail_attrs == None:
+            attrs.extend(mail_attrs)
 
         attrs.extend(
                 [
@@ -487,6 +515,8 @@ class PolicyRequest(object):
                     ]
             )
 
+        attrs = list(set(attrs))
+
         user_attrs = auth.get_user_attributes(
                 self.sasl_domain,
                 self.sasl_user,
@@ -495,6 +525,13 @@ class PolicyRequest(object):
 
         user_attrs['dn'] = self.sasl_user['dn']
         self.sasl_user = utils.normalize(user_attrs)
+        log.debug(
+                _("Obtained authenticated user details for %r: %r") % (
+                        self.sasl_user['dn'],
+                        self.sasl_user.keys()
+                    ),
+                level=8
+            )
 
     def verify_delegate(self):
         """
@@ -502,11 +539,6 @@ class PolicyRequest(object):
             sender.
         """
 
-        search_attrs = conf.get_list(
-                'kolab_smtp_access_policy',
-                'address_search_attrs'
-            )
-
         if self.sender_domain == None:
             if len(self.sender.split('@')) > 1:
                 self.sender_domain = self.sender.split('@')[1]
@@ -514,7 +546,14 @@ class PolicyRequest(object):
                 self.sender_domain = conf.get('kolab', 'primary_domain')
 
         if self.sender == self.sasl_username:
-            return
+            return True
+
+        search_attrs = conf.get_list(self.sender_domain, 'mail_attributes')
+        if search_attrs == None:
+            search_attrs = conf.get_list(
+                    conf.get('kolab', 'auth_mechanism'),
+                    'mail_attributes'
+                )
 
         sender_users = auth.find_recipient(
                 self.sender,
@@ -564,11 +603,6 @@ class PolicyRequest(object):
         user_attrs['dn'] = self.sender_user['dn']
         self.sender_user = utils.normalize(user_attrs)
 
-        search_attrs = conf.get_list(
-                'kolab_smtp_access_policy',
-                'address_search_attrs'
-            )
-
         if not self.sender_user.has_key('kolabdelegate'):
             reject(
                     _("%s is unauthorized to send on behalf of %s") % (
@@ -614,15 +648,19 @@ class PolicyRequest(object):
             # See if we can match the value of the envelope sender delegates to
             # the actual sender sasl_username
             if self.sasl_user == None:
-                sasl_user = {
-                        'dn': auth.find_user(
-                                # TODO: Use the configured cyrus-sasl result
-                                # attribute.
-                                search_attrs,
-                                self.sasl_username,
-                                domain=self.sasl_domain
-                            )
-                    }
+                sasl_users = auth.find_recipient(
+                        self.sasl_username,
+                        domain=self.sasl_domain
+                    )
+
+                if isinstance(sasl_users, list):
+                    if len(sasl_users) == 0:
+                        log.error(_("Could not find recipient"))
+                        return False
+                    else:
+                        self.sasl_user = { 'dn': sasl_users[0] }
+                elif isinstance(sasl_users, basestring):
+                    self.sasl_user = { 'dn': sasl_users }
 
             # Possible values for the kolabDelegate attribute are:
             # a 'uid', a 'dn'.





More information about the commits mailing list