author | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2013-09-20 13:53:36 +0100 |
---|---|---|
committer | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2014-01-18 18:19:05 +0100 |
commit | 345209e57c8e3a7c23fe3420edac5eb3c8a77dd6 (patch) | |
tree | c6c7749e5b3dca944ff3899c73f880573b5b7c9c /bin/kolab_smtp_access_policy.py | |
parent | ca01db2cc0c6035a47ee8f311e5a0a58a9a66832 (diff) | |
download | pykolab-345209e57c8e3a7c23fe3420edac5eb3c8a77dd6.tar.gz |
Make sure the recipient checks are cached as well
Diffstat (limited to 'bin/kolab_smtp_access_policy.py')
-rwxr-xr-x | bin/kolab_smtp_access_policy.py | 84 |
1 files changed, 70 insertions, 14 deletions
diff --git a/bin/kolab_smtp_access_policy.py b/bin/kolab_smtp_access_policy.py index 542345e..2553aea 100755 --- a/bin/kolab_smtp_access_policy.py +++ b/bin/kolab_smtp_access_policy.py @@ -48,7 +48,7 @@ except: from sqlalchemy.schema import Index from sqlalchemy.schema import UniqueConstraint -sys.path = ['..'] + sys.path +sys.path = ['..','.'] + sys.path import pykolab @@ -66,13 +66,15 @@ log.remove_stdout_handler() conf = pykolab.getConf() +mydomains = None + # # Caching routines using SQLAlchemy. # # If creating the cache fails, we continue without any caching, significantly # increasing the load on LDAP. # -cache_expire = 3600 +cache_expire = 86400 try: metadata = MetaData() except: @@ -740,7 +742,7 @@ class PolicyRequest(object): "money.") % (self.sender, recipient) ) - return record[0].value + return records[0].value # TODO: Under some conditions, the recipient may not be fully qualified. # We'll cross that bridge when we get there, though. @@ -748,6 +750,20 @@ class PolicyRequest(object): sasl_domain = recipient.split('@')[1] else: sasl_domain = conf.get('kolab', 'primary_domain') + recipient = "%s@%s" % (recipient,sasl_domain) + + if not verify_domain(sasl_domain): + if not cache == False: + cache_update( + function='verify_recipient', + sender=self.sender, + recipient=recipient, + result=(int)(True), + sasl_username=self.sasl_username, + sasl_sender=self.sasl_sender + ) + + return True if self.auth == None: self.auth = Auth(sasl_domain) 
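Review bot: Prepending `'.'` to `sys.path` (next to the existing `'..'`) makes this policy daemon resolve `pykolab` and every later import from whatever directory it was started in, so a world-writable or attacker-controlled working directory can shadow the real package with a planted module. If the relative entries only exist so the script runs from a source checkout, derive them from the script's own location instead, e.g. `sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))` (assuming `os` is imported above this hunk), or drop them for installed use.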
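Review bot: Raising `cache_expire` from 3600 to 86400 means a cached verdict for a sender/recipient pair now outlives directory changes by up to a day, and this same commit starts caching the fail-open verdicts too, so a recipient whose `kolabAllowSMTPSender` policy is tightened, or an account that is removed, keeps its old "allow" for 24 hours. The commit title does not mention the TTL change; if it is intended, document it on the constant, e.g. `# Policy verdicts are re-checked against LDAP at most once a day; lower this if directory changes must take effect sooner.`, and consider a shorter lifetime for fail-open results than for verdicts derived from an actual entry.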
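Review bot: The added `recipient = "%s@%s" % (recipient,sasl_domain)` follows the `else:` branch that falls back to the primary domain, but this rendering has lost the indentation; if the line sits at the level of the `if`/`else` rather than inside the `else`, an already qualified recipient becomes `user@domain@domain` and both the LDAP lookup and the cache key are wrong, so please confirm it is inside the `else`. The `if not cache == False:` guard around this `cache_update()` also differs from the other `cache_update()` calls this commit adds, which are unguarded, and from `cache_select()`'s `if not cache == True`; one convention (for instance checking `cache` inside `cache_update()` itself) avoids a skipped or failing write when `cache` is neither `True` nor `False`. verify_recipient starts and ends outside this hunk.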
@@ -795,9 +811,19 @@ class PolicyRequest(object): "object entries and the SMTP Access Policy can " + \ "therefore not restrict message flow") ) + + cache_update( + function='verify_recipient', + sender=self.sender, + recipient=normalize_address(recipient), + result=(int)(True), + sasl_username=self.sasl_username, + sasl_sender=self.sasl_sender + ) + return True elif len(recipients) == 1: - recipient = { 'dn': recipients[0] } + _recipient = { 'dn': recipients[0] } else: log.debug( _("Recipient address %r not found. Allowing since " + \ @@ -807,22 +833,31 @@ class PolicyRequest(object): level=3 ) + cache_update( + function='verify_recipient', + sender=self.sender, + recipient=normalize_address(recipient), + result=(int)(True), + sasl_username=self.sasl_username, + sasl_sender=self.sasl_sender + ) + return True elif isinstance(recipients, basestring): - recipient = { + _recipient = { 'dn': recipients } # We have gotten an invalid recipient. We need to catch this case, # because testing can input invalid recipients, and so can faulty # applications, or misconfigured servers. - if not recipient['dn']: + if not _recipient['dn']: if not conf.allow_unauthenticated: cache_update( function='verify_recipient', sender=self.sender, - recipient=recipient, + recipient=normalize_address(recipient), result=(int)(False), sasl_username=self.sasl_username, sasl_sender=self.sasl_sender @@ -833,7 +868,7 @@ class PolicyRequest(object): cache_update( function='verify_recipient', sender=self.sender, - recipient=recipient, + recipient=normalize_address(recipient), result=(int)(True), sasl_username=self.sasl_username, sasl_sender=self.sasl_sender 
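Review bot: The two new `cache_update(..., result=(int)(True), ...)` calls in this hunk and the following one persist fail-open verdicts, "multiple entries match, cannot restrict" and "recipient not found, allowing", for the full `cache_expire`, so a directory lookup that comes back empty (if the search returns an empty result rather than raising on failure) becomes an "allow" that survives until the entry expires or the daemon restarts. Consider not caching those two paths, or giving them a much shorter lifetime, so that only verdicts derived from a found entry and its `kolabAllowSMTPSender` value are remembered. The enclosing function continues past both ends of this hunk.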
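Review bot: The cache writes now key the recipient on `normalize_address(recipient)` while `sender=self.sender` is stored as-is; whether a later lookup hits depends on `cache_select()` applying the same normalization to the recipient it queries, which this diff does not show, so please confirm the select side matches or every recipient verdict is recomputed and the LDAP load the cache is meant to remove comes straight back. Applying `normalize_address()` to the sender in the same calls would keep the key shape consistent. The enclosing function continues past both ends of this hunk.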
@@ -842,15 +877,24 @@ class PolicyRequest(object): log.debug(_("Could not find this user, accepting"), level=8) return True - if not recipient['dn'] == False: + if not _recipient['dn'] == False: recipient_policy = self.auth.get_entry_attribute( sasl_domain, - recipient, + _recipient['dn'], 'kolabAllowSMTPSender' ) # If no such attribute has been specified, allow if recipient_policy == None: + cache_update( + function='verify_recipient', + sender=self.sender, + recipient=normalize_address(recipient), + result=(int)(True), + sasl_username=self.sasl_username, + sasl_sender=self.sasl_sender + ) + recipient_verified = True # Otherwise, parse the policy obtained with the subject of the policy @@ -866,7 +910,7 @@ class PolicyRequest(object): cache_update( function='verify_recipient', sender=self.sender, - recipient=recipient, + recipient=normalize_address(recipient), result=(int)(recipient_verified), sasl_username=self.sasl_username, sasl_sender=self.sasl_sender @@ -895,10 +939,11 @@ class PolicyRequest(object): ) if not records == None and len(records) == len(self.recipients): + log.debug("Euh, what am I doing here?") for record in records: recipient_found = False for recipient in self.recipients: - if recipient == record['recipient']: + if recipient == record.recipient: recipient_found = True if not recipient_found: @@ -1103,6 +1148,7 @@ def cache_init(): Session = sessionmaker(bind=engine) session = Session() + cache_cleanup() return cache @@ -1118,8 +1164,8 @@ def cache_select( if not cache == True: return None - if not recipient == '': - recipients.append(recipient) + if not recipient == '' and recipients == []: + recipients = [recipient] return session.query( PolicyResult @@ -1255,6 +1301,11 @@ def expand_mydomains(): Return a list of my domains. """ + global mydomains + + if not mydomains == None: + return mydomains + auth = Auth() auth.connect() 
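Review bot: In the `recipient_policy == None` branch the new `cache_update()` stores `True` and then sets `recipient_verified = True`; if the `cache_update(..., result=(int)(recipient_verified), ...)` shown in the `@@ -866` hunk runs unconditionally after the if/else, the same verdict is written twice per lookup, which is only harmless if `cache_update()` tolerates a duplicate key. Either drop the new call and let the common write handle this case, or make the common write part of the policy-parsing branch only. The indentation is lost in this rendering, so this needs checking in the file.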
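Review bot: `if recipient == record.recipient` compares the raw addresses in `self.recipients` against records that this commit now stores as `normalize_address(recipient)`, so any recipient that normalization changes is never matched and is re-checked every time; compare `normalize_address(recipient) == record.recipient` unless `self.recipients` are already normalized where they are parsed. The added `log.debug("Euh, what am I doing here?")` also looks like a leftover: it is the only log call in the diff without `_()` and without a `level=`, so it emits at the default level on every cache hit; remove it or replace it with something like `log.debug(_("Cached results found for all %d recipients") % len(self.recipients), level=8)`.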
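Review bot: Rebinding `recipients = [recipient]` instead of appending is the right fix if `recipients` defaults to a shared list, but the added `and recipients == []` condition silently discards `recipient` whenever a caller passes both a non-empty `recipients` and a `recipient`, where the old code included both. If no caller does that, a short comment on the parameter, e.g. `# 'recipient' is a single-address convenience; ignored when 'recipients' is given`, would document the contract; otherwise keep the append semantics on a fresh list. The definition of `cache_select()` starts before this hunk.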
@@ -1325,6 +1376,11 @@ def verify_domain(domain): Verify whether the domain is internal (mine) or external. """ + global mydomains + + if not mydomains == None: + return domain in mydomains + auth = Auth() auth.connect() |
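Review bot: `return domain in mydomains` is an exact, case-sensitive string comparison, while the `domain` passed from `verify_recipient` comes from `recipient.split('@')[1]` without lower-casing; if `mydomains` holds the lower-case names as returned from the directory, a recipient written as `user@Example.org` is classified external and `verify_recipient` returns `True` before `kolabAllowSMTPSender` is consulted, which is a trivial way around the policy. Compare case-insensitively, e.g. `return domain.lower() in [d.lower() for d in mydomains]`, or lower-case `sasl_domain` once where it is derived. Because `mydomains` is filled once and never invalidated, a domain added to or removed from the directory is also not seen until the process restarts; reusing the existing cache expiry for it would bound that window. The remainder of `verify_domain()` is outside this hunk.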