author | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2011-07-05 15:32:01 +0100 |
committer | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2011-07-05 15:32:01 +0100 |
commit | 5730afec6a3d17b77676d59295cb275d5c4d9c02 (patch) | |
tree | 9d14abcd57eab8e06421686cd8b9b13331ca0fef /bin | |
parent | 7a5c36fd28db707a9e6cc984d2201931f4fc23c8 (diff) | |
download | pykolab-5730afec6a3d17b77676d59295cb275d5c4d9c02.tar.gz |
Only use authentication credentials for authorization, such as when verifying whether the sender is a delegate, if the sasl_username has been supplied
Diffstat (limited to 'bin')
-rw-r--r-- | bin/kolab_smtp_access_policy.py | 203 |
1 files changed, 111 insertions, 92 deletions
diff --git a/bin/kolab_smtp_access_policy.py b/bin/kolab_smtp_access_policy.py index 15e3ca2..1395497 100644 --- a/bin/kolab_smtp_access_policy.py +++ b/bin/kolab_smtp_access_policy.py @@ -35,6 +35,7 @@ from pykolab.constants import KOLAB_LIB_PATH from pykolab.translate import _ log = pykolab.getLogger('pykolab.smtp_access_policy') +log.remove_stdout_handler() conf = pykolab.getConf() @@ -105,7 +106,7 @@ def dunno(message, policy_request=None): print "action=DUNNO %s\n\n" %(message) def permit(message, policy_request=None): - print "action=PERMIT %s\n\n" %(message) + print "action=PERMIT\n\n" def reject(message, policy_request=None): print "action=REJECT %s\n\n" %(message) 
@@ -189,6 +190,100 @@ def read_request_input(): return policy_request +def verify_delegate(policy_request, sender_domain, sender_user): + sender_is_delegate = None + + sasl_domain = policy_request['sasl_username'].split('@')[1] + + sender_delegates = auth.get_user_attribute( + sender_domain, + sender_user, + 'kolabDelegate' + ) + + if sender_delegates == None: + log.warning( + _("User %s attempted to use envelope sender address %s without " + \ + "authorization") %( + policy_request["sasl_username"], + policy_request["sender"] + ) + ) + + # Got a final answer here, do the cachking thing. + if not cache == False: + result_set = cache.select( + sender=policy_request['sender'], + recipient=policy_request['recipient'], + sasl_username=policy_request['sasl_username'], + sasl_sender=policy_request['sasl_sender'], + function='verify_sender' + ) + + if len(result_set) < 1: + record_id = cache.insert( + sender=policy_request['sender'], + recipient=policy_request['recipient'], + sasl_username=policy_request['sasl_username'], + sasl_sender=policy_request['sasl_sender'], + function='verify_sender', + result=0, + expire=time.time() + cache_expire + ) + + sender_is_delegate = False + + else: + # See if we can match the value of the envelope sender delegates to + # the actual sender sasl_username + sasl_user = { + 'dn': auth.find_user( + 'mail', + parse_address(policy_request['sasl_username']), + domain=sasl_domain + ) + } + + # Possible values for the kolabDelegate attribute are: + # a 'uid', a 'dn'. 
+ sasl_user['uid'] = auth.get_user_attribute( + sasl_domain, + sasl_user, + 'uid' + ) + + if not type(sender_delegates) == list: + sender_delegates = [ sender_delegates ] + + for sender_delegate in sender_delegates: + if sasl_user['dn'] == sender_delegate: + log.debug( + _("Found user %s to be a valid delegate user of %s") %( + policy_request["sasl_username"], + policy_request["sender"] + ), + level=8 + ) + + sender_is_delegate = True + + elif sasl_user['uid'] == sender_delegate: + log.debug( + _("Found user %s to be a valid delegate user of %s") %( + policy_request["sasl_username"], + policy_request["sender"] + ), + level=8 + ) + + sender_is_delegate = True + + # If nothing matches sender_is_delegate is still None. + if not sender_is_delegate == True: + sender_is_delegate = False + + return sender_is_delegate + def verify_recipient(policy_request): """ Verify whether the sender is allowed send to this recipient, using the @@ -284,6 +379,10 @@ def verify_sender(policy_request): sender_verified = False + sender_is_delegate = None + + sasl_user = False + if not cache == False: records = cache( sender=policy_request['sender'], @@ -301,16 +400,8 @@ def verify_sender(policy_request): else: return record.result - sasl_domain = policy_request['sasl_username'].split('@')[1] sender_domain = policy_request['sender'].split('@')[1] - sender_is_delegate = False - - # TODO: For now, do not allow cross-realm authorization. Find a mechanism to - # make sure Mandatory Access Control is applied. - if not sender_domain == sasl_domain: - return False - # Obtain 'kolabDelegate' from the envelope sender. log.debug( _("Obtaining envelope sender dn for %s") %( 
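Review bot: `sasl_domain = policy_request['sasl_username'].split('@')[1]` at the top of verify_delegate raises IndexError when the SASL login carries no '@' part, and the only guard the caller applies (in the @@ -327 hunk) is that sasl_username is non-empty; if bare logins are possible in this deployment, the value should be checked before the domain is derived, e.g. `if '@' not in policy_request['sasl_username']: return False`. Separately, the delegate match accepts a bare uid value of kolabDelegate against `sasl_user['uid']` with no domain qualifier, while the cross-realm guard (`if not sender_domain == sasl_domain: return False`) is dropped in the @@ -301 hunk; unless uids are unique across all domains, a same-named account authenticated in a different domain would satisfy the uid branch, so either comparing sender_domain with sasl_domain here or matching on the DN only would keep the decision bound to the sender's domain. A docstring stating the contract would also help, such as `"""Return True if the SASL-authenticated user is listed in the envelope sender's kolabDelegate attribute (by DN or uid), False otherwise."""`.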
@@ -327,97 +418,23 @@ def verify_sender(policy_request): ) } - sender_delegates = auth.get_user_attribute( - sender_domain, - sender_user, - 'kolabDelegate' - ) - - sasl_user = False - - if sender_delegates == None: - log.warning( - _("User %s attempted to use envelope sender address %s without " + \ - "authorization") %( - policy_request["sasl_username"], - policy_request["sender"] - ) + # Only when a user is authenticated do we have the means to check for + # kolabDelegate functionality. + if not policy_request['sasl_username'] == '': + sender_is_delegate = verify_delegate( + policy_request, + sender_domain, + sender_user ) - if not cache == False: - result_set = cache.select( - sender=policy_request['sender'], - recipient=policy_request['recipient'], - sasl_username=policy_request['sasl_username'], - sasl_sender=policy_request['sasl_sender'], - function='verify_sender' - ) - - if len(result_set) < 1: - record_id = cache.insert( - sender=policy_request['sender'], - recipient=policy_request['recipient'], - sasl_username=policy_request['sasl_username'], - sasl_sender=policy_request['sasl_sender'], - function='verify_sender', - result=0, - expire=time.time() + cache_expire - ) - return False - - else: - # See if we can match the value of the envelope sender delegates to - # the actual sender sasl_username - sasl_user = { - 'dn': auth.find_user( - 'mail', - parse_address(policy_request['sasl_username']), - domain=sasl_domain - ) - } - - # Possible values for the kolabDelegate attribute are: - # a 'uid', a 'dn'. 
- sasl_user['uid'] = auth.get_user_attribute( - sasl_domain, - sasl_user, - 'uid' - ) - - if not type(sender_delegates) == list: - sender_delegates = [ sender_delegates ] - - for sender_delegate in sender_delegates: - if sasl_user['dn'] == sender_delegate: - log.debug( - _("Found user %s to be a valid delegate user of %s") %( - policy_request["sasl_username"], - policy_request["sender"] - ), - level=8 - ) - - sender_is_delegate = True - - elif sasl_user['uid'] == sender_delegate: - log.debug( - _("Found user %s to be a valid delegate user of %s") %( - policy_request["sasl_username"], - policy_request["sender"] - ), - level=8 - ) - - sender_is_delegate = True - # If the authenticated user is using delegate functionality, apply the # recipient policy attribute for the envelope sender. - if sender_is_delegate: recipient_policy_domain = sender_domain recipient_policy_sender = policy_request['sender'] recipient_policy_user = sender_user - else: + elif not policy_request['sasl_username'] == '': + sasl_domain = policy_request['sasl_username'].split('@')[1] recipient_policy_domain = sasl_domain recipient_policy_sender = policy_request['sasl_username'] if not sasl_user: @@ -430,6 +447,8 @@ def verify_sender(policy_request): } recipient_policy_user = sasl_user + else: + reject(_("Could not verify sender")) recipient_policy = auth.get_user_attribute( recipient_policy_domain, |
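Review bot: When verify_delegate returns False for an authenticated user (its `sender_delegates == None` path logs the "without authorization" warning and caches `result=0` under `function='verify_sender'`), the new `elif not policy_request['sasl_username'] == ''` branch still continues with the SASL user's own recipient policy, whereas the removed code returned False at that point; the next identical request is then answered from the cache via `return record.result` (@@ -301 hunk), so the first and subsequent requests would be decided differently unless a later part of verify_sender, outside this hunk, rejects the sender mismatch. If falling through is intended, the branch deserves a comment such as `# Not a delegate: evaluate the SASL user's own recipient policy instead`; otherwise `if sender_is_delegate is False: return False` directly after the verify_delegate call restores the earlier behaviour. verify_sender starts and ends outside the hunk.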
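Review bot: The new `else: reject(_("Could not verify sender"))` branch prints the REJECT response but does not return, so execution continues into `auth.get_user_attribute(recipient_policy_domain, ...)` with `recipient_policy_domain`, `recipient_policy_sender` and `recipient_policy_user` never assigned on this path, which raises UnboundLocalError; and since `reject()` only writes to stdout, any response emitted later for the same request would appear as a second action line. Elsewhere verify_sender reports its verdict through return values (`return record.result`, `return False`), so the branch is presumably meant to be `else: return False`, leaving the response to the caller, or at minimum to add `return False` after the `reject()` call. verify_sender continues outside the hunk.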