
#!/usr/bin/env python
# encoding: utf-8

# Author: Zhang Huangbin <michaelbibby (at) gmail.com>

import sys

# Postfix policy-delegation action returned by restriction() when the sender is
# not permitted to post to the list; 'DUNNO' is returned in every allowed case.
ACTION_REJECT = 'REJECT Not Authorized'

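def _escape_filter_value(value):
    """Escape *value* for embedding in an LDAP search filter (RFC 4515).

    Backslash, ``*``, ``(``, ``)`` and NUL are special inside a filter
    assertion value; left unescaped, an address containing them would change
    the meaning of the query (``*`` alone turns an equality match into a
    wildcard).  Backslash is replaced first so the other escapes are not
    escaped twice.
    """
    replacements = (
        ('\\', r'\5c'),
        ('*', r'\2a'),
        ('(', r'\28'),
        (')', r'\29'),
        ('\x00', r'\00'),
    )
    for raw, escaped in replacements:
        value = value.replace(raw, escaped)
    return value


def __get_allowed_senders(ldapConn, ldapBaseDn, listDn, sender, recipient, policy,):
    """Return the addresses allowed to post to the mail list *recipient*.

    Parameters:
        ldapConn: connection object exposing
            ``search_s(base, scope, filterstr, attrlist)``.
        ldapBaseDn: base DN for the subtree search used by 'membersonly'.
        listDn: DN of the mail list object; searched with base scope for
            every other policy.
        sender: unused here; kept so the caller's keyword call keeps working.
        recipient: mail list address, used as the filter's match value.
        policy: access policy name, lowercased by the caller.

    Returns:
        A list of address strings as stored in LDAP: the ``mail`` values of
        active members for 'membersonly', the ``listAllowedUser`` values of
        the list object otherwise.  An empty list when nothing matched, the
        attribute is absent, or the search raised.
    """
    # The recipient comes from the SMTP session (RCPT TO), i.e. from the
    # remote client, so it must be escaped before being spliced into a filter.
    safe_recipient = _escape_filter_value(recipient)

    if policy == 'membersonly':
        basedn = ldapBaseDn
        searchScope = 2     # ldap.SCOPE_SUBTREE
        # Active mail users whose memberOfGroup is the list address.
        searchFilter = "(&(objectclass=mailUser)(accountStatus=active)(memberOfGroup=%s))" % (safe_recipient, )
        searchAttr = 'mail'
    else:
        basedn = listDn
        searchScope = 0     # ldap.SCOPE_BASE: only the list object itself, cheaper than a subtree walk.
        # The list object; its listAllowedUser values are the whitelist.
        searchFilter = "(&(objectclass=mailList)(mail=%s))" % (safe_recipient, )
        searchAttr = 'listAllowedUser'

    try:
        result = ldapConn.search_s(basedn, searchScope, searchFilter, [searchAttr])
    except Exception:
        # Best effort: a failed lookup yields "nobody allowed", which the
        # caller turns into a reject rather than letting everything through.
        return []

    # Example of result data:
    # [('dn', {'listAllowedUser': ['user@domain.ltd']})]
    # An empty result, or an entry whose attribute part is not a dict
    # (e.g. a referral), counts as "no allowed senders".
    if not result or not isinstance(result[0][1], dict):
        return []
    return list(result[0][1].get(searchAttr, []))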

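def restriction(ldapConn, ldapBaseDn, ldapRecipientDn, ldapRecipientLdif, smtpSessionData, **kargs):
    """Apply the recipient mail list's accessPolicy to the current session.

    Parameters:
        ldapConn: LDAP connection passed through to the allowed-sender lookup.
        ldapBaseDn: LDAP base DN passed through to the lookup.
        ldapRecipientDn: DN of the recipient object.
        ldapRecipientLdif: attribute dict of the recipient object; read for
            ``objectClass`` and ``accessPolicy``.
        smtpSessionData: Postfix policy request; ``sender`` and ``recipient``
            are read and compared case-insensitively.
        kargs: unused, accepted so the plugin signature matches its siblings.

    Returns:
        'DUNNO' when the recipient is not a mail list or the sender is
        permitted; ACTION_REJECT otherwise.  Policies: 'public' (no
        restriction), 'domain' (same sender/recipient domain), and any other
        value (e.g. 'membersonly', 'allowedonly') consults LDAP.
    """
    # Only mail list objects carry an access policy; a missing objectClass
    # is treated the same as a non-list recipient instead of raising.
    object_classes = [v.lower() for v in ldapRecipientLdif.get('objectClass', [])]
    if 'maillist' not in object_classes:
        return 'DUNNO'

    sender = smtpSessionData['sender'].lower()
    recipient = smtpSessionData['recipient'].lower()
    policy = ldapRecipientLdif.get('accessPolicy', ['public'])[0].lower()

    if policy == 'public':
        return 'DUNNO'   # No restriction.

    if policy == 'domain':
        # Domain is whatever follows the last '@'.  rpartition() copes with
        # the empty envelope sender (bounces): its domain is '' and never
        # matches, so the message is rejected instead of raising IndexError.
        sender_domain = sender.rpartition('@')[2]
        recipient_domain = recipient.rpartition('@')[2]
        if sender_domain == recipient_domain:
            return 'DUNNO'
        return ACTION_REJECT

    # Handle other access policies: membersOnly, allowedOnly.
    allowedSenders = __get_allowed_senders(
            ldapConn=ldapConn,
            ldapBaseDn=ldapBaseDn,
            listDn=ldapRecipientDn,
            sender=sender,
            recipient=recipient,
            policy=policy,
            )

    # sender is already lowercased; compare against lowercased LDAP values.
    # (The previous comparison built a list of bound ``lower`` methods, so no
    # sender ever matched and every message was rejected.)
    if any(v.lower() == sender for v in allowedSenders):
        return 'DUNNO'
    return ACTION_REJECT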