dovecot - Jan 2019 - doveadm_allowed_commands doesn't work as expected

Trying to limit the API calls to doveadm-http-api by configure allowed 
commands, but once the commands added to the list, the RestAPI no longer 
work.


1) Return correct reply when doveadm_allowed_commands is empty

# curl -k -H "Content-Type: application/json" -H "Authorization: 
X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 
-d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
[["doveadmResponse",[{"root":"User 
quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]


2) Return unAuthorized when doveadm_allowed_commands = 
quotaGet,quotaRecalc,expunge

# curl -k -H "Content-Type: application/json" -H "Authorization: 
X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 
-d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
[["error",{"type":"unAuthorized",
"exitCode":0},"c01"]]


Here is my config,

 ?# uname -a
Linux ad92422d8e94 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 
UTC 2018 x86_64 Linux
# free -m
 ???????????? total?????? used?????? free???? shared??? buffers cached
Mem:???????? 15885?????? 7133?????? 8751????????? 0 1?????? 4374
-/+ buffers/cache:?????? 2758????? 13126
Swap:??????????? 0????????? 0????????? 0

/ # dovecot -n
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 (7704de5e)
# OS: Linux 3.10.0-862.2.3.el7.x86_64 x86_64? xfs
# Hostname: ad92422d8e94
auth_mechanisms = plain login
doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
doveadm_api_key =? # hidden, use -P to show it
hostname = mailhost.mydomain.com
info_log_path = /dev/stdout
lda_mailbox_autosubscribe = yes
log_path = /dev/stderr
login_greeting = Dovecot ready.
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_plugins = " quota zlib"
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
 ? inbox = yes
 ? location  ? mailbox Drafts {
 ??? auto = subscribe
 ??? special_use = \Drafts
 ? }
 ? mailbox Junk {
 ??? auto = subscribe
 ??? special_use = \Junk
 ? }
 ? mailbox Sent {
 ??? auto = subscribe
 ??? special_use = \Sent
 ? }
 ? mailbox "Sent Messages" {
 ??? auto = subscribe
 ??? special_use = \Sent
 ? }
 ? mailbox Trash {
 ??? auto = subscribe
 ??? special_use = \Trash
 ? }
 ? prefix }
passdb {
 ? args = /etc/dovecot/dovecot-sql.conf.ext
 ? driver = sql
}
plugin {
 ? imapsieve_mailbox1_before = 
file:/etc/dovecot/sieve/global/learn-spam.sieve
 ? imapsieve_mailbox1_causes = COPY
 ? imapsieve_mailbox1_name = Junk
 ? imapsieve_mailbox2_before = 
file:/etc/dovecot/sieve/global/learn-ham.sieve
 ? imapsieve_mailbox2_causes = COPY
 ? imapsieve_mailbox2_from = Junk
 ? imapsieve_mailbox2_name = *
 ? quota = maildir:User quota
 ? quota_exceeded_message = User %u has exhausted allowed storage space.
 ? recipient_delimiter = -
 ? sieve = file:~/sieve;active=~/.dovecot.sieve
 ? sieve_before = /etc/dovecot/sieve/global/spam-to-folder.sieve
 ? sieve_global_extensions = +vnd.dovecot.pipe
 ? sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
 ? sieve_pipe_exec_timeout = 60s
 ? sieve_plugins = sieve_imapsieve sieve_extprograms
 ? zlib_save = gz
 ? zlib_save_level = 6
}
postmaster_address = postmaster at mydomain.com
protocols = lmtp imap pop3 sieve
recipient_delimiter = -
service auth {
 ? inet_listener {
 ??? port = 9000
 ? }
}
service doveadm {
 ? client_limit = 1
 ? drop_priv_before_exec = no
 ? executable = doveadm-server
 ? extra_groups = $default_internal_group
 ? inet_listener http {
 ??? port = 9088
 ??? ssl = yes
 ? }
 ? service_count = 1
}
service lmtp {
 ? inet_listener lmtp {
 ??? port = 24
 ? }
}
service managesieve-login {
 ? inet_listener sieve {
 ??? port = 4190
 ? }
}
ssl_cert = </etc/tls/mailserver.crt
ssl_dh =? # hidden, use -P to show it
ssl_key =? # hidden, use -P to show it
submission_host = mta-host.mydomain.com
userdb {
 ? args = /etc/dovecot/dovecot-sql.conf.ext
 ? driver = sql
}
protocol lmtp {
 ? mail_plugins = " quota zlib sieve"
}
protocol imap {
 ? mail_plugins = " quota zlib imap_sieve imap_quota imap_zlib"
}

> On 03 January 2019 at 22:45 Ronald Poon <ronaldpoon at ud.hk> wrote:
> 
> 
> Trying to limit the API calls to doveadm-http-api by configure allowed 
> commands, but once the commands added to the list, the RestAPI no longer 
> work.
> 
> 
> 1) Return correct reply when doveadm_allowed_commands is empty
> 
> # curl -k -H "Content-Type: application/json" -H
"Authorization:
> X-Dovecot-API <base64 api key>"
https://localhost:9088/doveadm/v1
> -d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
> [["doveadmResponse",[{"root":"User 
>
quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]
> 
> 
> 2) Return unAuthorized when doveadm_allowed_commands = 
> quotaGet,quotaRecalc,expunge
> 
> # curl -k -H "Content-Type: application/json" -H
"Authorization:
> X-Dovecot-API <base64 api key>"
https://localhost:9088/doveadm/v1
> -d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
> [["error",{"type":"unAuthorized",
"exitCode":0},"c01"]]
This is mostly because v1 API is not so fantastic. Try 

doveadm_allowed_commands="quota get,quota recalc,expunge"

Aki

Err...! I thought it is matching the API commands, instead, matching 
doveadm cli commands.

Thanks you so much,

Ronald

On 4/1/2019 5:02 AM, Aki Tuomi wrote:
>> On 03 January 2019 at 22:45 Ronald Poon <ronaldpoon at ud.hk>
wrote:
>>
>>
>> Trying to limit the API calls to doveadm-http-api by configure allowed
>> commands, but once the commands added to the list, the RestAPI no
longer
>> work.
>>
>>
>> 1) Return correct reply when doveadm_allowed_commands is empty
>>
>> # curl -k -H "Content-Type: application/json" -H
"Authorization:
>> X-Dovecot-API <base64 api key>"
https://localhost:9088/doveadm/v1
>> -d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
>> [["doveadmResponse",[{"root":"User
>>
quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]
>>
>>
>> 2) Return unAuthorized when doveadm_allowed_commands >>
quotaGet,quotaRecalc,expunge
>>
>> # curl -k -H "Content-Type: application/json" -H
"Authorization:
>> X-Dovecot-API <base64 api key>"
https://localhost:9088/doveadm/v1
>> -d'[["quotaGet",{"user":"user1 at
mydomain.com"},"c01"]]'
>> [["error",{"type":"unAuthorized",
"exitCode":0},"c01"]]
> This is mostly because v1 API is not so fantastic. Try
>
> doveadm_allowed_commands="quota get,quota recalc,expunge"
>
> Aki