Revision: 881 http://trac.macosforge.org/projects/calendarserver/changeset/881 Author: dreid@apple.com Date: 2006-12-21 16:20:09 -0800 (Thu, 21 Dec 2006) Log Message: ----------- Add better Authentication configuration Modified Paths: -------------- CalendarServer/trunk/conf/caldavd-test.plist CalendarServer/trunk/conf/caldavd.plist CalendarServer/trunk/twistedcaldav/config.py CalendarServer/trunk/twistedcaldav/tap.py Modified: CalendarServer/trunk/conf/caldavd-test.plist =================================================================== --- CalendarServer/trunk/conf/caldavd-test.plist 2006-12-21 16:28:22 UTC (rev 880) +++ CalendarServer/trunk/conf/caldavd-test.plist 2006-12-22 00:20:09 UTC (rev 881) @@ -156,15 +156,32 @@ <key>SACLEnable</key> <false/> - <key>AuthSchemes</key> - <array> - <string>Basic</string> - </array> + <key>Authentication</key> + <dict> + <key>Basic</key> + <dict> + <key>Enabled</key> + <true/> + </dict> + <key>Digest</key> + <dict> + <key>Enabled</key> + <false/> + <key>Algorithm</key> + <string>md5</string> + </dict> + <key>Kerberos</key> + <dict> + <key>Enabled</key> + <false/> + <key>ServicePrincipal</key> + <string></string> + </dict> + </dict> <key>AdminPrincipals</key> <array> <string>/principals/user/admin</string> </array> - </dict> </plist> Modified: CalendarServer/trunk/conf/caldavd.plist =================================================================== --- CalendarServer/trunk/conf/caldavd.plist 2006-12-21 16:28:22 UTC (rev 880) +++ CalendarServer/trunk/conf/caldavd.plist 2006-12-22 00:20:09 UTC (rev 881) 
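Review bot: The new Authentication dict ships with Basic as the only enabled scheme, and nothing in the file says that Basic transmits the password unprotected or that the Kerberos ServicePrincipal must be filled in before its Enabled is flipped to true; the same block is added unchanged to caldavd.plist and as the defaults in config.py. A short XML comment above `<key>Authentication</key>`, for example `<!-- Basic sends credentials in the clear; pair it with SSLEnable/SSLOnly. Kerberos needs ServicePrincipal set. -->`, would keep both plists self-describing for whoever edits them. The Digest Algorithm value is likewise undocumented; naming the accepted values next to it would help.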
@@ -102,15 +102,32 @@ <key>SACLEnable</key> <true/> - <key>AuthSchemes</key> - <array> - <string>Basic</string> - </array> + <key>Authentication</key> + <dict> + <key>Basic</key> + <dict> + <key>Enabled</key> + <true/> + </dict> + <key>Digest</key> + <dict> + <key>Enabled</key> + <false/> + <key>Algorithm</key> + <string>md5</string> + </dict> + <key>Kerberos</key> + <dict> + <key>Enabled</key> + <false/> + <key>ServicePrincipal</key> + <string></string> + </dict> + </dict> <key>AdminPrincipals</key> <array> <string>/principals/user/admin</string> </array> - </dict> </plist> Modified: CalendarServer/trunk/twistedcaldav/config.py =================================================================== --- CalendarServer/trunk/twistedcaldav/config.py 2006-12-21 16:28:22 UTC (rev 880) +++ CalendarServer/trunk/twistedcaldav/config.py 2006-12-22 00:20:09 UTC (rev 881) @@ -47,10 +47,23 @@ 'Verbose': False, 'twistdLocation': '/usr/share/caldavd/bin/twistd', 'SACLEnable': False, - 'AuthSchemes': ['Basic'], + 'Authentication': { + 'Basic': { + 'Enabled': True, + }, + 'Digest': { + 'Enabled': False, + 'Algorithm': 'md5', + }, + 'Kerberos': { + 'Enabled': False, + 'ServicePrincipal': '', + }, + }, 'AdminPrincipals': ['/principals/user/admin'] } + class Config (object): def __init__(self, defaults): self.update(defaults) @@ -60,6 +73,7 @@ for key, value in items: setattr(self, key, value) + config = Config(defaultConfig) def parseConfig(configFile): Modified: CalendarServer/trunk/twistedcaldav/tap.py =================================================================== --- CalendarServer/trunk/twistedcaldav/tap.py 2006-12-21 16:28:22 UTC (rev 880) +++ CalendarServer/trunk/twistedcaldav/tap.py 2006-12-22 00:20:09 UTC (rev 881) 
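Review bot: `Config.update` stores each value with `setattr(self, key, value)`, so `config.Authentication` is the very dict object held in the module-level `defaultConfig`, and any code that fills the nested scheme dicts in place would also rewrite the defaults; the old flat `AuthSchemes` list had the same aliasing but was presumably replaced wholesale rather than merged. If parseConfig merges nested dicts, copying in update — `setattr(self, key, copy.deepcopy(value))` with `import copy` at the top of the file — keeps `defaultConfig` pristine; parseConfig's body is outside this hunk, so I cannot confirm which it does. The new defaults also hard-code `'Algorithm': 'md5'` with no comment on what other values DigestCredentialFactory accepts.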
@@ -34,8 +34,8 @@ from twisted.web2.dav import auth from twisted.web2.dav import davxml from twisted.web2.dav.resource import TwistedACLInheritable -from twisted.web2.auth import basic -from twisted.web2.auth import digest +from twisted.web2.auth.basic import BasicCredentialFactory +from twisted.web2.auth.digest import DigestCredentialFactory from twisted.web2.channel import http from twisted.web2.tap import Web2Service @@ -47,8 +47,8 @@ from twistedcaldav.root import RootResource from twistedcaldav.directory.principal import DirectoryPrincipalProvisioningResource from twistedcaldav.static import CalendarHomeProvisioningFile +from twistedcaldav.authkerb import NegotiateCredentialFactory - class CaldavOptions(Options): optParameters = [ ["config", "f", "/etc/caldavd/caldavd.plist", @@ -80,7 +80,7 @@ elif isinstance(defaultConfig[key], (int, float, long)): value = type(defaultConfig[key])(value) - elif isinstance(defaultConfig[key], (list, tuples)): + elif isinstance(defaultConfig[key], (list, tuple)): value = value.split(',') elif isinstance(defaultConfig[key], dict): @@ -104,6 +104,7 @@ self.parent['logfile'] = config.ErrorLogFile self.parent['pidfile'] = config.PIDFile + class CaldavServiceMaker(object): implements(IPlugin, service.IServiceMaker) 
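Review bot: With Authentication now a nested dict in defaultConfig, an option override for it would take the `dict` branch at the end of the -80 hunk, whose body lies outside the hunk; the corrected `tuple` branch only shows that list-typed overrides are comma-split, and nothing visible shows how a scheme-to-options mapping could be expressed as a single option value. If that branch cannot build the nested structure, a comment in CaldavOptions such as `# Authentication is a nested dict; configure it in the plist, not as an option override` would save a confusing startup failure. The `tuples` to `tuple` change is a real fix, since that branch raised NameError whenever a list-typed default was overridden; the enclosing method starts before the hunk.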
@@ -187,28 +188,31 @@ realm = directory.realmName or "" - # TODO: figure out the list of supported schemes from the directory - schemes = { - "basic" : basic.BasicCredentialFactory(realm), - "digest": digest.DigestCredentialFactory("md5", realm), - } - - for scheme in config.AuthSchemes: + for scheme, schemeConfig in config.Authentication.iteritems(): scheme = scheme.lower() - if scheme not in schemes: - print "Scheme not supported: %s" % (scheme,) - sys.exit(1) - else: - # TODO: limit basic scheme to SSL - credentialFactories.append(schemes[scheme]) - + credFactory = None + + if schemeConfig['Enabled']: + if scheme == 'kerberos': + credFactory = NegotiateCredentialFactory( + schemeConfig['ServicePrincipal']) + + elif scheme == 'digest': + credFactory = DigestCredentialFactory( + schemeConfig['Algorithm'], realm) + + elif scheme == 'basic': + credFactory = BasicCredentialFactory(realm) + + if credFactory: + credentialFactories.append(credFactory) + authWrapper = auth.AuthenticationWrapper( root, portal, credentialFactories, - (auth.IPrincipal,) - ) + (auth.IPrincipal,)) site = Site(LogWrapperResource(authWrapper)) @@ -224,6 +228,7 @@ if not config.SSLOnly: httpService = internet.TCPServer(int(config.Port), channel) + httpService.setServiceParent(service) if config.SSLEnable: @@ -232,8 +237,8 @@ int(config.SSLPort), channel, DefaultOpenSSLContextFactory(config.SSLPrivateKey, - config.SSLCertificate) - ) + config.SSLCertificate)) + httpsService.setServiceParent(service) return service
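Review bot: An unrecognised scheme name in the Authentication dict is now silently skipped, where the removed loop printed "Scheme not supported" and exited; a misspelt key with Enabled true, or every scheme disabled, leaves credentialFactories empty and the server starts with no credential factory at all, which is easy to miss at deploy time. The new code also indexes `schemeConfig['Enabled']` directly, so a user plist that omits that key raises KeyError during startup rather than a readable error. The removed `# TODO: limit basic scheme to SSL` is dropped without being acted on even though SSLOnly and SSLEnable are checked further down in this method; keeping the comment beside the basic branch preserves the intent. If starting with no factories is meant to be supported, a printed warning instead of the exit below would do; the enclosing method starts before this hunk.
```python
for scheme, schemeConfig in config.Authentication.iteritems():
    scheme = scheme.lower()
    credFactory = None

    # A missing Enabled key means disabled rather than a KeyError at startup.
    if schemeConfig.get('Enabled', False):
        if scheme == 'kerberos':
            credFactory = NegotiateCredentialFactory(
                schemeConfig['ServicePrincipal'])

        elif scheme == 'digest':
            credFactory = DigestCredentialFactory(
                schemeConfig['Algorithm'], realm)

        elif scheme == 'basic':
            # TODO: limit basic scheme to SSL
            credFactory = BasicCredentialFactory(realm)

        else:
            print "Scheme not supported: %s" % (scheme,)
            sys.exit(1)

    if credFactory:
        credentialFactories.append(credFactory)

if not credentialFactories:
    print "No authentication scheme is enabled"
    sys.exit(1)

# … unchanged: AuthenticationWrapper and Site construction …
```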