Code cleaned and modules renamed

*Radicale is probably broken now*

radicale/auth/IMAP.py

@@ -0,0 +1,86 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2012 Daniel Aleksandersen
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+IMAP authentication.
+
+Secure authentication based on the ``imaplib`` module.
+
+Validating users against a modern IMAP4rev1 server that awaits STARTTLS on
+port 143. Legacy SSL (often on legacy port 993) is deprecated and thus
+unsupported. STARTTLS is enforced except if host is ``localhost`` as
+passwords are sent in PLAIN.
+
+Python 3.2 or newer is required for TLS.
+
+"""
+
+import imaplib
+
+from radicale import config, log
+
+IMAP_SERVER = config.get("auth", "imap_auth_host_name")
+IMAP_SERVER_PORT = config.get("auth", "imap_auth_host_port")
+
+
+def is_authenticated(user, password):
+    """Check if ``user``/``password`` couple is valid."""
+
+    log.LOGGER.debug(
+        "[IMAP AUTH] Connecting to %s:%s." % (IMAP_SERVER, IMAP_SERVER_PORT,))
+    connection = imaplib.IMAP4(host=IMAP_SERVER, port=IMAP_SERVER_PORT)
+
+    server_is_local = (IMAP_SERVER == "localhost")
+
+    connection_is_secure = False
+    try:
+        connection.starttls()
+        log.LOGGER.debug("IMAP server connection changed to TLS.")
+        connection_is_secure = True
+    except AttributeError:
+        if not server_is_local:
+            log.LOGGER.error(
+                "Python 3.2 or newer is required for IMAP + TLS.")
+    except (imaplib.IMAP4.error, imaplib.IMAP4.abort) as exception:
+        log.LOGGER.warning(
+            "IMAP server at %s failed to accept TLS connection "
+            "because of: %s" % (IMAP_SERVER, exception))
+
+    if server_is_local and not connection_is_secure:
+        log.LOGGER.warning(
+            "IMAP server is local. "
+            "Will allow transmitting unencrypted credentials.")
+
+    if connection_is_secure or server_is_local:
+        try:
+            connection.login(user, password)
+            connection.logout()
+            log.LOGGER.debug(
+                "Authenticated IMAP user %s "
+                "via %s." % (user, IMAP_SERVER))
+            return True
+        except (imaplib.IMAP4.error, imaplib.IMAP4.abort) as exception:
+            log.LOGGER.error(
+                "IMAP server could not authenticate user %s "
+                "because of: %s" % (user, exception))
+    else:
+        log.LOGGER.critical(
+            "IMAP server did not support TLS and is not ``localhost``. "
+            "Refusing to transmit passwords under these conditions. "
+            "Authentication attempt aborted.")
+    return False  # authentication failed

radicale/auth/LDAP.py

@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2011 Corentin Le Bail
+# Copyright © 2011-2012 Guillaume Ayoub
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+LDAP authentication.
+
+Authentication based on the ``python-ldap`` module
+(http://www.python-ldap.org/).
+
+"""
+
+import ldap
+from radicale import config, log
+
+
+BASE = config.get("auth", "ldap_base")
+ATTRIBUTE = config.get("auth", "ldap_attribute")
+FILTER = config.get("auth", "ldap_filter")
+CONNEXION = ldap.initialize(config.get("auth", "ldap_url"))
+BINDDN = config.get("auth", "ldap_binddn")
+PASSWORD = config.get("auth", "ldap_password")
+SCOPE = getattr(ldap, "SCOPE_%s" % config.get("auth", "ldap_scope").upper())
+
+
+def is_authenticated(user, password):
+    """Check if ``user``/``password`` couple is valid."""
+    global CONNEXION
+
+    try:
+        CONNEXION.whoami_s()
+    except:
+        log.LOGGER.debug("Reconnecting the LDAP server")
+        CONNEXION = ldap.initialize(config.get("auth", "ldap_url"))
+
+    if BINDDN and PASSWORD:
+        log.LOGGER.debug("Initial LDAP bind as %s" % BINDDN)
+        CONNEXION.simple_bind_s(BINDDN, PASSWORD)
+
+    distinguished_name = "%s=%s" % (ATTRIBUTE, ldap.dn.escape_dn_chars(user))
+    log.LOGGER.debug(
+        "LDAP bind for %s in base %s" % (distinguished_name, BASE))
+
+    if FILTER:
+        filter_string = "(&(%s)%s)" % (distinguished_name, FILTER)
+    else:
+        filter_string = distinguished_name
+    log.LOGGER.debug("Used LDAP filter: %s" % filter_string)
+
+    users = CONNEXION.search_s(BASE, SCOPE, filter_string)
+    if users:
+        log.LOGGER.debug("User %s found" % user)
+        try:
+            CONNEXION.simple_bind_s(users[0][0], password or "")
+        except ldap.LDAPError:
+            log.LOGGER.debug("Invalid credentials")
+        else:
+            log.LOGGER.debug("LDAP bind OK")
+            return True
+    else:
+        log.LOGGER.debug("User %s not found" % user)
+
+    log.LOGGER.debug("LDAP bind failed")
+    return False

radicale/auth/PAM.py

@@ -0,0 +1,74 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2011 Henry-Nicolas Tourneur
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+PAM authentication.
+
+Authentication based on the ``pam-python`` module.
+
+"""
+
+import grp
+import pam
+import pwd
+
+from radicale import config, log
+
+
+GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership")
+
+
+def is_authenticated(user, password):
+    """Check if ``user``/``password`` couple is valid."""
+
+    # Check whether the user exists in the PAM system
+    try:
+        pwd.getpwnam(user).pw_uid
+    except KeyError:
+        log.LOGGER.debug("User %s not found" % user)
+        return False
+    else:
+        log.LOGGER.debug("User %s found" % user)
+
+    # Check whether the group exists
+    try:
+        members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
+    except KeyError:
+        log.LOGGER.debug(
+            "The PAM membership required group (%s) doesn't exist" %
+            GROUP_MEMBERSHIP)
+        return False
+
+    # Check whether the user belongs to the required group
+    for member in members:
+        if member == user:
+            log.LOGGER.debug(
+                "The PAM user belongs to the required group (%s)" %
+                GROUP_MEMBERSHIP)
+            # Check the password
+            if pam.authenticate(user, password):
+                return True
+            else:
+                log.LOGGER.debug("Wrong PAM password")
+            break
+    else:
+        log.LOGGER.debug(
+            "The PAM user doesn't belong to the required group (%s)" %
+            GROUP_MEMBERSHIP)
+
+    return False

radicale/auth/__init__.py

@@ -0,0 +1,38 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2008-2012 Guillaume Ayoub
+# Copyright © 2008 Nicolas Kandel
+# Copyright © 2008 Pascal Halter
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Authentication management.
+
+"""
+
+from radicale import config, log
+
+
+def load():
+    """Load list of available authentication managers."""
+    auth_type = config.get("auth", "type")
+    log.LOGGER.debug("Authentication type is %s" % auth_type)
+    if auth_type == "None":
+        return None
+    else:
+        module = __import__(
+            "auth.%s" % auth_type, globals=globals(), level=2)
+        return getattr(module, auth_type)

radicale/auth/courier.py

@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2011 Henry-Nicolas Tourneur
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Courier-Authdaemon authentication.
+
+"""
+
+import sys
+import socket
+
+from radicale import config, log
+
+
+COURIER_SOCKET = config.get("auth", "courier_socket")
+
+
+def is_authenticated(user, password):
+    """Check if ``user``/``password`` couple is valid."""
+
+    line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
+    line = "AUTH %i\n%s" % (len(line), line)
+    try:
+        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        sock.connect(COURIER_SOCKET)
+        log.LOGGER.debug("Sending to Courier socket the request: %s" % line)
+        sock.send(line)
+        data = sock.recv(1024)
+        sock.close()
+    except socket.error as exception:
+        log.LOGGER.debug(
+            "Unable to communicate with Courier socket: %s" % exception)
+        return False
+
+    log.LOGGER.debug("Got Courier socket response: %r" % data)
+
+    # Address, HOME, GID, and either UID or USERNAME are mandatory in resposne
+    # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
+    for line in data.split():
+        if "GID" in line:
+            return True
+
+    # default is reject
+    # this alleviates the problem of a possibly empty reply from authlib
+    # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
+    return False

radicale/auth/htpasswd.py

@@ -0,0 +1,68 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Radicale Server - Calendar Server
+# Copyright © 2008-2012 Guillaume Ayoub
+# Copyright © 2008 Nicolas Kandel
+# Copyright © 2008 Pascal Halter
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Htpasswd authentication.
+
+Load the list of login/password couples according a the configuration file
+created by Apache ``htpasswd`` command. Plain-text, crypt and sha1 are
+supported, but md5 is not (see ``htpasswd`` man page to understand why).
+
+"""
+
+import base64
+import hashlib
+
+from radicale import config
+
+
+FILENAME = config.get("auth", "htpasswd_filename")
+ENCRYPTION = config.get("auth", "htpasswd_encryption")
+
+
+def _plain(hash_value, password):
+    """Check if ``hash_value`` and ``password`` match using plain method."""
+    return hash_value == password
+
+
+def _crypt(hash_value, password):
+    """Check if ``hash_value`` and ``password`` match using crypt method."""
+    # The ``crypt`` module is only present on Unix, import if needed
+    import crypt
+    return crypt.crypt(password, hash_value) == hash_value
+
+
+def _sha1(hash_value, password):
+    """Check if ``hash_value`` and ``password`` match using sha1 method."""
+    hash_value = hash_value.replace("{SHA}", "").encode("ascii")
+    password = password.encode(config.get("encoding", "stock"))
+    sha1 = hashlib.sha1()  # pylint: disable=E1101
+    sha1.update(password)
+    return sha1.digest() == base64.b64decode(hash_value)
+
+
+def is_authenticated(user, password):
+    """Check if ``user``/``password`` couple is valid."""
+    for line in open(FILENAME).readlines():
+        if line.strip():
+            login, hash_value = line.strip().split(":")
+            if login == user:
+                return globals()["_%s" % ENCRYPTION](hash_value, password)
+    return False