diff --git a/radicale/acl/IMAP.py b/radicale/acl/IMAP.py
index e944f4d..dd50111 100644
--- a/radicale/acl/IMAP.py
+++ b/radicale/acl/IMAP.py
@@ -2,8 +2,6 @@
 #
 # This file is part of Radicale Server - Calendar Server
 # Copyright © 2012 Daniel Aleksandersen
-# Copyright © 2011 Corentin Le Bail
-# Copyright © 2011 Guillaume Ayoub
 #
 # This library is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -39,45 +37,53 @@ from radicale import acl, config, log IMAP_SERVER = config.get("acl", "imap_auth_host_name") IMAP_SERVER_PORT = config.get("acl", "imap_auth_host_port") + def has_right(owner, user, password): """Check if ``user``/``password`` couple is valid.""" - if not user or (owner not in acl.PRIVATE_USERS and user != owner): # No user given, or owner is not private and is not user, forbidden return False - log.LOGGER.debug("[IMAP ACL] Connecting to %s:%s." % (IMAP_SERVER, IMAP_SERVER_PORT,)) + log.LOGGER.debug( + "[IMAP ACL] Connecting to %s:%s." % (IMAP_SERVER, IMAP_SERVER_PORT,)) connection = imaplib.IMAP4(host=IMAP_SERVER, port=IMAP_SERVER_PORT) - def secure_connection(): - try: - connection.starttls() - log.LOGGER.debug("[IMAP ACL] Server connection changed to TLS.") - return True - except (IMAP4.error, IAMP4.abort) as err: - import sys - PY_MIN = float(3.2) - PY_SYS = float("%s.%s" % (sys.version_info.major, sys.version_info.minor)) - if PY_SYS < PY_MIN: - log.LOGGER.error("[IMAP ACL] Python 3.2 or newer is required for TLS.") - log.LOGGER.warning("[IMAP ACL] Server at %s failed to accept TLS connection because of: %s" % (IMAP_SERVER, str(err))) - return False # server is not secure + server_is_local = (IMAP_SERVER == "localhost") - def server_is_local(): - if IMAP_HOST == "localhost": - log.LOGGER.warning("[IMAP ACL] Server is local. 
Will allow transmitting unencrypted credentials.") - return True - return False # server is not local + connection_is_secure = False + try: + connection.starttls() + log.LOGGER.debug("[IMAP ACL] Server connection changed to TLS.") + connection_is_secure = True + except AttributeError: + if not server_is_local: + log.LOGGER.error( + "[IMAP ACL] Python 3.2 or newer is required for TLS.") + except (imaplib.IMAP4.error, imaplib.IMAP4.abort) as exception: + log.LOGGER.warning( + "[IMAP ACL] Server at %s failed to accept TLS connection " + "because of: %s" % (IMAP_SERVER, exception)) - """Enforcing security policy of only transmitting credentials over TLS or to local server.""" - if secure_connection() or server_is_local(): + if server_is_local and not connection_is_secure: + log.LOGGER.warning( + "[IMAP ACL] Server is local. " + "Will allow transmitting unencrypted credentials.") + + if connection_is_secure or server_is_local: try: - connection.login( user, password ) + connection.login(user, password) connection.logout() - log.LOGGER.debug("[IMAP ACL] Authenticated user %s via %s." % (user, IMAP_SERVER)) + log.LOGGER.debug( + "[IMAP ACL] Authenticated user %s " + "via %s." % (user, IMAP_SERVER)) return True - except ( imaplib.IMAP4.error, imaplib.IMAP4.abort, Exception ) as err: - log.LOGGER.error("[IMAP ACL] Server could not authenticate user %s because of: %s" % (user, str(err))) + except (imaplib.IMAP4.error, imaplib.IMAP4.abort) as exception: + log.LOGGER.error( + "[IMAP ACL] Server could not authenticate user %s " + "because of: %s" % (user, exception)) else: - log.LOGGER.critical("[IMAP ACL] Server did not support TLS and is not ``localhost``. Refusing to transmit passwords under these conditions. Authentication attempt aborted.") - return False # authentication failed + log.LOGGER.critical( + "[IMAP ACL] Server did not support TLS and is not ``localhost``. " + "Refusing to transmit passwords under these conditions. 
" + "Authentication attempt aborted.") + return False # authentication failed
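Review bot: `connection.starttls()` in `has_right` is called without an `ssl_context`, and imaplib's default context validates neither the server certificate nor the host name, so `connection_is_secure = True` only establishes that the channel is encrypted, not that the peer is the configured IMAP server. Since that flag is what gates `connection.login(user, password)`, the stated policy of sending credentials only over TLS is weaker than the log messages suggest. On interpreters that provide it, I would pass a verifying context, `connection.starttls(ssl_context=ssl.create_default_context())`, with `import ssl` added at the top of the file, and otherwise build an `ssl.SSLContext` that requires a certificate and loads the CA bundle. Separately, `connection.logout()` runs only after a successful login, so the socket stays open on the TLS-refused and login-failed paths; a `try`/`finally` around the body that always calls `connection.logout()` would close it. The `imaplib.IMAP4(...)` constructor also sits outside any `try`, so a refused or unresolvable host raises out of `has_right` instead of returning `False`.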