Use the same import mechanisms for auth, storage, rights
This commit is contained in:
parent
3ddbb80674
commit
17857654b0
@ -46,11 +46,17 @@ except ImportError:
|
||||
from urlparse import urlparse
|
||||
# pylint: enable=F0401,E0611
|
||||
|
||||
from radicale import access, config, ical, log, storage, xmlutils
|
||||
from radicale import auth, config, ical, log, rights, storage, xmlutils
|
||||
|
||||
|
||||
VERSION = "git"
|
||||
|
||||
# Standard "not allowed" response
|
||||
NOT_ALLOWED = (
|
||||
client.FORBIDDEN,
|
||||
{"WWW-Authenticate": "Basic realm=\"Radicale - Password Required\""},
|
||||
None)
|
||||
|
||||
|
||||
class HTTPServer(wsgiref.simple_server.WSGIServer, object):
|
||||
"""HTTP server."""
|
||||
@ -119,7 +125,8 @@ class Application(object):
|
||||
def __init__(self):
|
||||
"""Initialize application."""
|
||||
super(Application, self).__init__()
|
||||
access.load()
|
||||
auth.load()
|
||||
rights.load()
|
||||
storage.load()
|
||||
self.encoding = config.get("encoding", "request")
|
||||
if config.getboolean("logging", "full_environment"):
|
||||
@ -202,20 +209,21 @@ class Application(object):
|
||||
authorization = environ.get("HTTP_AUTHORIZATION", None)
|
||||
|
||||
if authorization:
|
||||
auth = authorization.lstrip("Basic").strip().encode("ascii")
|
||||
authorization = \
|
||||
authorization.lstrip("Basic").strip().encode("ascii")
|
||||
user, password = self.decode(
|
||||
base64.b64decode(auth), environ).split(":")
|
||||
base64.b64decode(authorization), environ).split(":")
|
||||
else:
|
||||
user = password = None
|
||||
|
||||
if not items or function == self.options or \
|
||||
access.is_authenticated(user, password):
|
||||
auth.is_authenticated(user, password):
|
||||
last_collection_allowed = None
|
||||
allowed_items = []
|
||||
for item in items:
|
||||
if isinstance(item, ical.Collection):
|
||||
if access.read_authorized(user, item) or \
|
||||
access.write_authorized(user, item):
|
||||
if rights.read_authorized(user, item) or \
|
||||
rights.write_authorized(user, item):
|
||||
log.LOGGER.info("%s has access to collection %s" % (
|
||||
user, item.name or "/"))
|
||||
last_collection_allowed = True
|
||||
@ -277,13 +285,6 @@ class Application(object):
|
||||
# Return response content
|
||||
return [answer] if answer else []
|
||||
|
||||
def response_not_allowed(self):
|
||||
"""Return a standard "not allowed" response."""
|
||||
headers = {
|
||||
"WWW-Authenticate":
|
||||
"Basic realm=\"Radicale Server - Password Required\""}
|
||||
return client.FORBIDDEN, headers, None
|
||||
|
||||
# All these functions must have the same parameters, some are useless
|
||||
# pylint: disable=W0612,W0613,R0201
|
||||
|
||||
@ -304,11 +305,11 @@ class Application(object):
|
||||
etag = environ.get("HTTP_IF_MATCH", item.etag).replace("\\", "")
|
||||
if etag == item.etag:
|
||||
# No ETag precondition or precondition verified, delete item
|
||||
if access.write_authorized(user, collection):
|
||||
if rights.write_authorized(user, collection):
|
||||
answer = xmlutils.delete(environ["PATH_INFO"], collection)
|
||||
return client.OK, {}, answer
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return NOT_ALLOWED
|
||||
|
||||
# No item or ETag precondition not verified, do not delete item
|
||||
return client.PRECONDITION_FAILED, {}, None
|
||||
@ -334,36 +335,35 @@ class Application(object):
|
||||
# Get collection item
|
||||
item = collection.get_item(item_name)
|
||||
if item:
|
||||
if access.read_authorized(user, collection):
|
||||
if rights.read_authorized(user, collection):
|
||||
items = collection.timezones
|
||||
items.append(item)
|
||||
answer_text = ical.serialize(
|
||||
collection.tag, collection.headers, items)
|
||||
etag = item.etag
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return NOT_ALLOWED
|
||||
else:
|
||||
return client.GONE, {}, None
|
||||
else:
|
||||
# Create the collection if it does not exist
|
||||
if not collection.exists and \
|
||||
access.write_authorized(user, collection):
|
||||
rights.write_authorized(user, collection):
|
||||
log.LOGGER.debug("Creating collection %s" % collection.name)
|
||||
collection.write()
|
||||
|
||||
if access.read_authorized(user, collection):
|
||||
if rights.read_authorized(user, collection):
|
||||
# Get whole collection
|
||||
answer_text = collection.text
|
||||
etag = collection.etag
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
|
||||
headers = {
|
||||
"Content-Type": collection.mimetype,
|
||||
"Last-Modified": collection.last_modified,
|
||||
"ETag": etag}
|
||||
answer = answer_text.encode(self.encoding)
|
||||
return client.OK, headers, answer
|
||||
else:
|
||||
return NOT_ALLOWED
|
||||
|
||||
def head(self, environ, collections, content, user):
|
||||
"""Manage HEAD request."""
|
||||
@ -373,6 +373,7 @@ class Application(object):
|
||||
def mkcalendar(self, environ, collections, content, user):
|
||||
"""Manage MKCALENDAR request."""
|
||||
collection = collections[0]
|
||||
if rights.write_authorized(user, collection):
|
||||
props = xmlutils.props_from_request(content)
|
||||
timezone = props.get("C:calendar-timezone")
|
||||
if timezone:
|
||||
@ -381,24 +382,23 @@ class Application(object):
|
||||
with collection.props as collection_props:
|
||||
for key, value in props.items():
|
||||
collection_props[key] = value
|
||||
if access.write_authorized(user, collection):
|
||||
collection.write()
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return client.CREATED, {}, None
|
||||
else:
|
||||
return NOT_ALLOWED
|
||||
|
||||
def mkcol(self, environ, collections, content, user):
|
||||
"""Manage MKCOL request."""
|
||||
collection = collections[0]
|
||||
if rights.write_authorized(user, collection):
|
||||
props = xmlutils.props_from_request(content)
|
||||
with collection.props as collection_props:
|
||||
for key, value in props.items():
|
||||
collection_props[key] = value
|
||||
if access.write_authorized(user, collection):
|
||||
collection.write()
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return client.CREATED, {}, None
|
||||
else:
|
||||
return NOT_ALLOWED
|
||||
|
||||
def move(self, environ, collections, content, user):
|
||||
"""Manage MOVE request."""
|
||||
@ -415,13 +415,13 @@ class Application(object):
|
||||
to_path, to_name = to_url.rstrip("/").rsplit("/", 1)
|
||||
to_collection = ical.Collection.from_path(
|
||||
to_path, depth="0")[0]
|
||||
if access.write_authorized(user, to_collection) and \
|
||||
access.write_authorized(user.from_collection):
|
||||
if rights.write_authorized(user, to_collection) and \
|
||||
rights.write_authorized(user.from_collection):
|
||||
to_collection.append(to_name, item.text)
|
||||
from_collection.remove(from_name)
|
||||
return client.CREATED, {}, None
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return NOT_ALLOWED
|
||||
else:
|
||||
# Remote destination server, not supported
|
||||
return client.BAD_GATEWAY, {}, None
|
||||
@ -442,6 +442,7 @@ class Application(object):
|
||||
|
||||
def propfind(self, environ, collections, content, user):
|
||||
"""Manage PROPFIND request."""
|
||||
# Rights is handled by collection in xmlutils.propfind
|
||||
headers = {
|
||||
"DAV": "1, 2, 3, calendar-access, addressbook, extended-mkcol",
|
||||
"Content-Type": "text/xml"}
|
||||
@ -452,11 +453,15 @@ class Application(object):
|
||||
def proppatch(self, environ, collections, content, user):
|
||||
"""Manage PROPPATCH request."""
|
||||
collection = collections[0]
|
||||
answer = xmlutils.proppatch(environ["PATH_INFO"], content, collection)
|
||||
if rights.write_authorized(user, collection):
|
||||
answer = xmlutils.proppatch(
|
||||
environ["PATH_INFO"], content, collection)
|
||||
headers = {
|
||||
"DAV": "1, 2, 3, calendar-access, addressbook, extended-mkcol",
|
||||
"Content-Type": "text/xml"}
|
||||
return client.MULTI_STATUS, headers, answer
|
||||
else:
|
||||
return NOT_ALLOWED
|
||||
|
||||
def put(self, environ, collections, content, user):
|
||||
"""Manage PUT request."""
|
||||
@ -474,7 +479,7 @@ class Application(object):
|
||||
# Case 1: No item and no ETag precondition: Add new item
|
||||
# Case 2: Item and ETag precondition verified: Modify item
|
||||
# Case 3: Item and no Etag precondition: Force modifying item
|
||||
if access.write_authorized(user, collection):
|
||||
if rights.write_authorized(user, collection):
|
||||
xmlutils.put(environ["PATH_INFO"], content, collection)
|
||||
status = client.CREATED
|
||||
# Try to return the etag in the header.
|
||||
@ -485,7 +490,7 @@ class Application(object):
|
||||
if new_item:
|
||||
headers["ETag"] = new_item.etag
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return NOT_ALLOWED
|
||||
else:
|
||||
# PUT rejected in all other cases
|
||||
status = client.PRECONDITION_FAILED
|
||||
@ -495,10 +500,10 @@ class Application(object):
|
||||
"""Manage REPORT request."""
|
||||
collection = collections[0]
|
||||
headers = {"Content-Type": "text/xml"}
|
||||
if access.read_authorized(user, collection):
|
||||
if rights.read_authorized(user, collection):
|
||||
answer = xmlutils.report(environ["PATH_INFO"], content, collection)
|
||||
return client.MULTI_STATUS, headers, answer
|
||||
else:
|
||||
return self.response_not_allowed()
|
||||
return NOT_ALLOWED
|
||||
|
||||
# pylint: enable=W0612,W0613,R0201
|
||||
|
@ -1,63 +0,0 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# This file is part of Radicale Server - Calendar Server
|
||||
# Copyright © 2011-2012 Guillaume Ayoub
|
||||
#
|
||||
# This library is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This library is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Radicale. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
"""
|
||||
Radicale access module.
|
||||
|
||||
Manage access to collections.
|
||||
|
||||
"""
|
||||
|
||||
from radicale import auth, rights, log
|
||||
|
||||
AUTH = None
|
||||
RIGHTS = None
|
||||
|
||||
|
||||
def load():
|
||||
"""Load authentication and rights modules."""
|
||||
global AUTH, RIGHTS
|
||||
AUTH = auth.load()
|
||||
RIGHTS = rights.load()
|
||||
|
||||
|
||||
def is_authenticated(user, password):
|
||||
"""Check if the user is authenticated."""
|
||||
if AUTH is None:
|
||||
return True
|
||||
return AUTH.is_authenticated(user, password) if user else False
|
||||
|
||||
|
||||
def read_authorized(user, collection):
|
||||
"""Check if the user is allowed to read the collection."""
|
||||
if RIGHTS is None:
|
||||
return True
|
||||
user_authorized = RIGHTS.read_authorized(user, collection)
|
||||
log.LOGGER.debug(
|
||||
"Read %s %s -- %i" % (user, collection.owner, user_authorized))
|
||||
return user_authorized
|
||||
|
||||
|
||||
def write_authorized(user, collection):
|
||||
"""Check if the user is allowed to write the collection."""
|
||||
if RIGHTS is None:
|
||||
return True
|
||||
user_authorized = RIGHTS.write_authorized(user, collection)
|
||||
log.LOGGER.debug(
|
||||
"Write %s %s -- %i" % (user, collection.owner, user_authorized))
|
||||
return user_authorized
|
@ -23,6 +23,8 @@ Authentication management.
|
||||
|
||||
"""
|
||||
|
||||
import sys
|
||||
|
||||
from radicale import config, log
|
||||
|
||||
|
||||
@ -33,6 +35,18 @@ def load():
|
||||
if auth_type == "None":
|
||||
return None
|
||||
else:
|
||||
module = __import__(
|
||||
root_module = __import__(
|
||||
"auth.%s" % auth_type, globals=globals(), level=2)
|
||||
return getattr(module, auth_type)
|
||||
module = getattr(root_module, auth_type)
|
||||
# Override auth.is_authenticated
|
||||
sys.modules[__name__].is_authenticated = module.is_authenticated
|
||||
return module
|
||||
|
||||
|
||||
def is_authenticated(user, password):
|
||||
"""Check if the user is authenticated.
|
||||
|
||||
This method is overriden if an auth module is loaded.
|
||||
|
||||
"""
|
||||
return True # Default is always True: no authentication
|
||||
|
@ -23,6 +23,8 @@ Rights management.
|
||||
|
||||
"""
|
||||
|
||||
import sys
|
||||
|
||||
from radicale import config, log
|
||||
|
||||
|
||||
@ -33,6 +35,28 @@ def load():
|
||||
if rights_type == "None":
|
||||
return None
|
||||
else:
|
||||
module = __import__(
|
||||
root_module = __import__(
|
||||
"rights.%s" % rights_type, globals=globals(), level=2)
|
||||
return getattr(module, rights_type)
|
||||
module = getattr(root_module, rights_type)
|
||||
# Override rights.[read|write]_authorized
|
||||
sys.modules[__name__].read_authorized = module.read_authorized
|
||||
sys.modules[__name__].write_authorized = module.write_authorized
|
||||
return module
|
||||
|
||||
|
||||
def read_authorized(user, collection):
|
||||
"""Check if the user is allowed to read the collection.
|
||||
|
||||
This method is overriden if an auth module is loaded.
|
||||
|
||||
"""
|
||||
return True
|
||||
|
||||
|
||||
def write_authorized(user, collection):
|
||||
"""Check if the user is allowed to write the collection.
|
||||
|
||||
This method is overriden if an auth module is loaded.
|
||||
|
||||
"""
|
||||
return True
|
||||
|
@ -24,12 +24,14 @@ configuration.
|
||||
|
||||
"""
|
||||
|
||||
from radicale import config
|
||||
from radicale import config, ical
|
||||
|
||||
|
||||
def load():
|
||||
"""Load list of available storage managers."""
|
||||
storage_type = config.get("storage", "type")
|
||||
module = __import__(
|
||||
root_module = __import__(
|
||||
"storage.%s" % storage_type, globals=globals(), level=2)
|
||||
return getattr(module, storage_type)
|
||||
module = getattr(root_module, storage_type)
|
||||
ical.Collection = module.Collection
|
||||
return module
|
||||
|
@ -112,6 +112,3 @@ class Collection(ical.Collection):
|
||||
self._create_dirs()
|
||||
with open(self._props_path, "w") as prop_file:
|
||||
json.dump(properties, prop_file)
|
||||
|
||||
|
||||
ical.Collection = Collection
|
||||
|
@ -35,7 +35,7 @@ except ImportError:
|
||||
import re
|
||||
import xml.etree.ElementTree as ET
|
||||
|
||||
from radicale import client, config, ical, access
|
||||
from radicale import client, config, ical, rights
|
||||
|
||||
|
||||
NAMESPACES = {
|
||||
@ -200,7 +200,7 @@ def propfind(path, xml_request, collections, user=None):
|
||||
multistatus = ET.Element(_tag("D", "multistatus"))
|
||||
|
||||
for collection in collections:
|
||||
if access.read_authorized(user, collection):
|
||||
if rights.read_authorized(user, collection):
|
||||
response = _propfind_response(path, collection, props, user)
|
||||
multistatus.append(response)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user