feat(managesieve): add XOAUTH2 authentication mechanism

felixauringer · felixauringer · commit e17b138d4db1 · 2025-07-21T14:40:31.000+02:00
diff --git a/protocols/managesieve/pom.xml b/protocols/managesieve/pom.xml
@@ -41,11 +41,19 @@
             <groupId>${james.groupId}</groupId>
             <artifactId>james-server-data-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-jwt</artifactId>
+        </dependency>
         <dependency>
             <groupId>${james.groupId}</groupId>
             <artifactId>testing-base</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>${james.protocols.groupId}</groupId>
+            <artifactId>protocols-api</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/CapabilityAdvertiser.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/CapabilityAdvertiser.java
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java
@@ -20,8 +20,11 @@
 
 package org.apache.james.managesieve.api;
 
+import java.util.Optional;
+
 import org.apache.james.core.Username;
 import org.apache.james.managesieve.api.commands.Authenticate;
+import org.apache.james.protocols.api.OidcSASLConfiguration;
 
 public interface Session {
 
@@ -51,4 +54,7 @@ enum State {
 
     boolean isSslEnabled();
 
+    Optional<OidcSASLConfiguration> getOidcSASLConfiguration();
+
+    void setOidcSASLConfiguration(Optional<OidcSASLConfiguration> configuration);
 }
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/commands/Authenticate.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/commands/Authenticate.java
@@ -30,7 +30,7 @@
 public interface Authenticate {
 
     enum SupportedMechanism {
-        PLAIN;
+        PLAIN, XOAUTH2;
 
         public static SupportedMechanism retrieveMechanism(String serializedData) throws UnknownSaslMechanism {
             for (SupportedMechanism supportedMechanism : SupportedMechanism.values()) {
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/commands/CoreCommands.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/commands/CoreCommands.java
@@ -20,15 +20,12 @@
 
 package org.apache.james.managesieve.api.commands;
 
-import org.apache.james.managesieve.api.CapabilityAdvertiser;
-
 /**
  * Core RFC 5804 Commands common to all transports
  * 
  * @see <a href=http://tools.ietf.org/html/rfc5804#section-2>RFC 5804 Commands</a>
  */
 public interface CoreCommands extends Capability, CheckScript, DeleteScript, GetScript, HaveSpace,
-        ListScripts, PutScript, RenameScript, SetActive, Noop, Unauthenticate, Logout, Authenticate, StartTLS,
-        CapabilityAdvertiser {
+        ListScripts, PutScript, RenameScript, SetActive, Noop, Unauthenticate, Logout, Authenticate, StartTLS {
 
 }
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/CoreProcessor.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/CoreProcessor.java
@@ -22,7 +22,6 @@
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -57,7 +56,6 @@
 import com.google.common.base.Joiner;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 
 public class CoreProcessor implements CoreCommands {
@@ -83,11 +81,6 @@ public CoreProcessor(SieveRepository repository, UsersRepository usersRepository
         this.authenticationProcessorMap.put(SupportedMechanism.PLAIN, new PlainAuthenticationProcessor(usersRepository));
     }
 
-    @Override
-    public String getAdvertisedCapabilities() {
-        return convertCapabilityMapToString(capabilitiesBase) + "\r\n";
-    }
-
     @Override
     public String capability(Session session) {
         return convertCapabilityMapToString(computeCapabilityMap(session)) + "\r\nOK";
@@ -106,6 +99,10 @@ private Map<Capabilities, String> computeCapabilityMap(Session session) {
         if (session.isAuthenticated()) {
             capabilities.put(Capabilities.OWNER, session.getUser().asString());
         }
+        session.getOidcSASLConfiguration().ifPresent(oidcConfiguration -> {
+            this.authenticationProcessorMap.putIfAbsent(SupportedMechanism.XOAUTH2, new XOAUTH2AuthenticationProcessor(oidcConfiguration));
+        });
+        capabilities.put(Capabilities.SASL, constructSaslSupportedAuthenticationMechanisms());
         return capabilities;
     }
 
@@ -218,6 +215,9 @@ public String chooseMechanism(Session session, String mechanism) {
             }
             String unquotedMechanism = ParserUtils.unquoteFirst(mechanism);
             SupportedMechanism supportedMechanism = SupportedMechanism.retrieveMechanism(unquotedMechanism);
+            if (!this.authenticationProcessorMap.containsKey(supportedMechanism)) {
+                throw new UnknownSaslMechanism("SASL mechanism disabled: " + unquotedMechanism);
+            }
 
             session.setChoosedAuthenticationMechanism(supportedMechanism);
             session.setState(Session.State.AUTHENTICATION_IN_PROGRESS);
@@ -328,7 +328,6 @@ private Map<Capabilities, String> precomputedCapabilitiesBase(SieveParser parser
         Map<Capabilities, String> capabilitiesBase = new HashMap<>();
         capabilitiesBase.put(Capabilities.IMPLEMENTATION, IMPLEMENTATION_DESCRIPTION);
         capabilitiesBase.put(Capabilities.VERSION, MANAGE_SIEVE_VERSION);
-        capabilitiesBase.put(Capabilities.SASL, constructSaslSupportedAuthenticationMechanisms());
         capabilitiesBase.put(Capabilities.STARTTLS, null);
         if (!extensions.isEmpty()) {
             capabilitiesBase.put(Capabilities.SIEVE, extensions);
@@ -337,10 +336,12 @@ private Map<Capabilities, String> precomputedCapabilitiesBase(SieveParser parser
     }
 
     private String constructSaslSupportedAuthenticationMechanisms() {
-        return Joiner.on(' ')
-            .join(Lists.transform(
-                Arrays.asList(SupportedMechanism.values()),
-                Enum::toString));
+        return Joiner.on(' ').join(this.authenticationProcessorMap
+            .keySet()
+            .stream()
+            .map(Enum::toString)
+            .iterator()
+        );
     }
 
     private String sanitizeString(String message) {
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/XOAUTH2AuthenticationProcessor.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/XOAUTH2AuthenticationProcessor.java
@@ -0,0 +1,105 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+
+package org.apache.james.managesieve.core;
+
+import java.util.Optional;
+
+import org.apache.james.core.Username;
+import org.apache.james.jwt.OidcJwtTokenVerifier;
+import org.apache.james.jwt.introspection.IntrospectionEndpoint;
+import org.apache.james.managesieve.api.AuthenticationException;
+import org.apache.james.managesieve.api.AuthenticationProcessor;
+import org.apache.james.managesieve.api.Session;
+import org.apache.james.managesieve.api.SyntaxException;
+import org.apache.james.protocols.api.OIDCSASLParser;
+import org.apache.james.protocols.api.OIDCSASLParser.OIDCInitialResponse;
+import org.apache.james.protocols.api.OidcSASLConfiguration;
+
+import reactor.core.publisher.Mono;
+
+public class XOAUTH2AuthenticationProcessor implements AuthenticationProcessor {
+
+    private final OidcSASLConfiguration oidcConfiguration;
+
+    public XOAUTH2AuthenticationProcessor(OidcSASLConfiguration oidcConfiguration) {
+        this.oidcConfiguration = oidcConfiguration;
+    }
+
+    @Override
+    public String initialServerResponse(Session session) {
+        return "+ \"\"";
+    }
+
+    @Override
+    public Username isAuthenticationSuccesfull(Session session, String suppliedClientData) throws SyntaxException, AuthenticationException {
+        Optional<OIDCInitialResponse> oidcInitialResponseResult = OIDCSASLParser.parse(suppliedClientData);
+        if (oidcInitialResponseResult.isEmpty()) {
+            throw new SyntaxException("Could not parse the given JWT");
+        }
+        OIDCInitialResponse oidcInitialResponse = oidcInitialResponseResult.get();
+
+        Optional<Username> authenticatedUserResult = validateToken(oidcInitialResponse.getToken());
+        if (authenticatedUserResult.isEmpty()) {
+            throw new AuthenticationException("Could not validate the JWT");
+        }
+        Username authenticatedUser = authenticatedUserResult.get();
+
+        // The user from the managesieve AUTHENTICATE command must match the username in the token.
+        Username associatedUser = Username.of(oidcInitialResponse.getAssociatedUser());
+        if (!authenticatedUser.equals(associatedUser)) {
+            throw new AuthenticationException("Mismatch between user from command and JWT");
+        }
+
+        return authenticatedUser;
+    }
+
+    private Optional<Username> validateToken(String token) {
+        if (this.oidcConfiguration.isCheckTokenByIntrospectionEndpoint()) {
+            return validTokenWithIntrospection(token);
+        } else if (this.oidcConfiguration.isCheckTokenByUserinfoEndpoint()) {
+            return validTokenWithUserInfo(token);
+        } else {
+            return OidcJwtTokenVerifier.verifySignatureAndExtractClaim(token, this.oidcConfiguration.getJwksURL(), this.oidcConfiguration.getClaim())
+                .map(Username::of);
+        }
+    }
+
+    private Optional<Username> validTokenWithUserInfo(String token) {
+        return Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(token,
+                this.oidcConfiguration.getJwksURL(),
+                this.oidcConfiguration.getClaim(),
+                this.oidcConfiguration.getUserInfoEndpoint().orElseThrow()))
+            .blockOptional()
+            .map(Username::of);
+    }
+
+    private Optional<Username> validTokenWithIntrospection(String token) {
+        return Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(token,
+                this.oidcConfiguration.getJwksURL(),
+                this.oidcConfiguration.getClaim(),
+                this.oidcConfiguration.getIntrospectionEndpoint()
+                    .map(endpoint -> new IntrospectionEndpoint(endpoint, this.oidcConfiguration.getIntrospectionEndpointAuthorization()))
+                    .orElseThrow()))
+            .blockOptional()
+            .map(Username::of);
+    }
+}
+
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/transcode/ArgumentParser.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/transcode/ArgumentParser.java
@@ -53,10 +53,6 @@ public ArgumentParser(CoreCommands core, boolean validatePutSize) {
         this.validatePutSize = validatePutSize;
     }
 
-    public String getAdvertisedCapabilities() {
-        return core.getAdvertisedCapabilities();
-    }
-
     public String capability(Session session, String args) {
         if (!args.trim().isEmpty()) {
             return "NO \"Too many arguments: " + args + "\"";
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/transcode/ManageSieveProcessor.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/transcode/ManageSieveProcessor.java
@@ -129,8 +129,8 @@ private String matchCommandWithImplementation(Session session, String arguments,
         return "NO unknown " + command + " command";
     }
 
-    public String getAdvertisedCapabilities() {
-        return argumentParser.getAdvertisedCapabilities();
+    public String getAdvertisedCapabilities(Session session) {
+        return argumentParser.capability(session, "") + "\r\n";
     }
 
 }
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java
@@ -20,16 +20,20 @@
 
 package org.apache.james.managesieve.util;
 
+import java.util.Optional;
+
 import org.apache.james.core.Username;
 import org.apache.james.managesieve.api.Session;
 import org.apache.james.managesieve.api.commands.Authenticate;
+import org.apache.james.protocols.api.OidcSASLConfiguration;
 
 public class SettableSession implements Session {
 
     private Username user;
     private State state;
     private Authenticate.SupportedMechanism choosedAuthenticationMechanism;
     private boolean sslEnabled;
+    private Optional<OidcSASLConfiguration> oidcSASLConfiguration = Optional.empty();
 
     public SettableSession() {
         this.state = State.UNAUTHENTICATED;
@@ -80,4 +84,14 @@ public void setSslEnabled(boolean sslEnabled) {
     public boolean isSslEnabled() {
         return sslEnabled;
     }
+
+    @Override
+    public Optional<OidcSASLConfiguration> getOidcSASLConfiguration() {
+        return this.oidcSASLConfiguration;
+    }
+
+    @Override
+    public void setOidcSASLConfiguration(Optional<OidcSASLConfiguration> configuration) {
+        this.oidcSASLConfiguration = configuration;
+    }
 }
diff --git a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java
@@ -21,12 +21,14 @@
 
 import java.io.Closeable;
 import java.net.InetSocketAddress;
+import java.util.Optional;
 
 import org.apache.james.managesieve.api.Session;
 import org.apache.james.managesieve.api.SessionTerminatedException;
 import org.apache.james.managesieve.transcode.ManageSieveProcessor;
 import org.apache.james.managesieve.transcode.NotEnoughDataException;
 import org.apache.james.managesieve.util.SettableSession;
+import org.apache.james.protocols.api.OidcSASLConfiguration;
 import org.apache.james.protocols.netty.Encryption;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,12 +50,14 @@ public class ManageSieveChannelUpstreamHandler extends ChannelInboundHandlerAdap
     private final ManageSieveProcessor manageSieveProcessor;
     private final Encryption secure;
     private final int maxLineLength;
+    private final Optional<OidcSASLConfiguration> oidcConfiguration;
 
     public ManageSieveChannelUpstreamHandler(
-        ManageSieveProcessor manageSieveProcessor, Encryption secure, int maxLineLength) {
+        ManageSieveProcessor manageSieveProcessor, Encryption secure, int maxLineLength, Optional<OidcSASLConfiguration> oidcConfiguration) {
         this.manageSieveProcessor = manageSieveProcessor;
         this.secure = secure;
         this.maxLineLength = maxLineLength;
+        this.oidcConfiguration = oidcConfiguration;
     }
 
     private boolean isSSL() {
@@ -120,13 +124,14 @@ public void channelActive(ChannelHandlerContext ctx) throws Exception {
             LOGGER.info("Connection established from {}", address.getAddress().getHostAddress());
 
             Session session = new SettableSession();
+            session.setOidcSASLConfiguration(this.oidcConfiguration);
             if (isSSL()) {
                 session.setSslEnabled(true);
             }
             ctx.channel().attr(NettyConstants.SESSION_ATTRIBUTE_KEY).set(session);
             ctx.channel().attr(NettyConstants.RESPONSE_WRITER_ATTRIBUTE_KEY).set(new ChannelManageSieveResponseWriter(ctx.channel()));
             super.channelActive(ctx);
-            ctx.channel().attr(NettyConstants.RESPONSE_WRITER_ATTRIBUTE_KEY).get().write(manageSieveProcessor.getAdvertisedCapabilities() + "OK\r\n");
+            ctx.channel().attr(NettyConstants.RESPONSE_WRITER_ATTRIBUTE_KEY).get().write(manageSieveProcessor.getAdvertisedCapabilities(session));
         }
     }
 
diff --git a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java

Original file line number	Diff line number	Diff line change
`@@ -20,15 +20,12 @@`
`20`	`20`
`21`	`21`	`package org.apache.james.managesieve.api.commands;`
`22`	`22`
`23`		`-import org.apache.james.managesieve.api.CapabilityAdvertiser;`
`24`		`-`
`25`	`23`	`/**`
`26`	`24`	`* Core RFC 5804 Commands common to all transports`
`27`	`25`	`*`
`28`	`26`	`* @see <a href=http://tools.ietf.org/html/rfc5804#section-2>RFC 5804 Commands</a>`
`29`	`27`	`*/`
`30`	`28`	`public interface CoreCommands extends Capability, CheckScript, DeleteScript, GetScript, HaveSpace,`
`31`		`- ListScripts, PutScript, RenameScript, SetActive, Noop, Unauthenticate, Logout, Authenticate, StartTLS,`
`32`		`- CapabilityAdvertiser {`
	`29`	`+ ListScripts, PutScript, RenameScript, SetActive, Noop, Unauthenticate, Logout, Authenticate, StartTLS {`
`33`	`30`
`34`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -129,8 +129,8 @@ private String matchCommandWithImplementation(Session session, String arguments,`
`129`	`129`	`return "NO unknown " + command + " command";`
`130`	`130`	`}`
`131`	`131`
`132`		`- public String getAdvertisedCapabilities() {`
`133`		`- return argumentParser.getAdvertisedCapabilities();`
	`132`	`+ public String getAdvertisedCapabilities(Session session) {`
	`133`	`+ return argumentParser.capability(session, "") + "\r\n";`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`}`