Revision: 1572
http://trac.macosforge.org/projects/calendarserver/changeset/1572
Author: dreid@apple.com
Date: 2007-05-25 10:59:23 -0700 (Fri, 25 May 2007)
Log Message:
-----------
Move implementation of authorizationPrincipal to the SudoAuthIDMixin which gets shoehorned into the MRO of the CalDAVResource where this was previously. This moves sudo authorization onto the DAVResource and DAVFile extensions, which means the RootResource (a DAVFile) can do the resolution before checking SACLs
Modified Paths:
--------------
CalendarServer/trunk/twistedcaldav/extensions.py
CalendarServer/trunk/twistedcaldav/resource.py
Modified: CalendarServer/trunk/twistedcaldav/extensions.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/extensions.py 2007-05-25 02:40:24 UTC (rev 1571)
+++ CalendarServer/trunk/twistedcaldav/extensions.py 2007-05-25 17:59:23 UTC (rev 1572)
@@ -47,8 +47,8 @@
from twisted.web2.dav.resource import DAVPrincipalResource as SuperDAVPrincipalResource
from twisted.web2.dav.util import joinURL
from twistedcaldav.directory.sudo import SudoDirectoryService
+from twistedcaldav.directory.directory import DirectoryService
-
class SudoAuthIDMixin(object):
"""
Mixin class to let DAVResource, and DAVFile subclasses below know
@@ -70,7 +70,76 @@
return super(SudoAuthIDMixin, self).findPrincipalForAuthID(authid)
+ def authorizationPrincipal(self, request, authid, authnPrincipal):
+ """
+ Determine the authorization principal for the given request and authentication principal.
+ This implementation looks for an X-Authorize-As header value to use as the authoization principal.
+
+ @param request: the L{IRequest} for the request in progress.
+ @param authid: a string containing the uthentication/authorization identifier
+ for the principal to lookup.
+ @param authnPrincipal: the L{IDAVPrincipal} for the authenticated principal
+ @return: a deferred result C{tuple} of (L{IDAVPrincipal}, C{str}) containing the authorization principal
+ resource and URI respectively.
+ """
+ # FIXME: Unroll defgen
+ # Look for X-Authorize-As Header
+ authz = request.headers.getRawHeaders("x-authorize-as")
+
+ if authz is not None and (len(authz) == 1):
+ # Substitute the authz value for principal look up
+ authz = authz[0]
+
+ def getPrincipalForType(type, name):
+ for collection in self.principalCollections():
+ principal = collection.principalForShortName(type, name)
+ if principal:
+ return principal
+
+ def isSudoPrincipal(authid):
+ if getPrincipalForType(SudoDirectoryService.recordType_sudoers,
+ authid):
+ return True
+ return False
+
+ if isSudoPrincipal(authid):
+ if authz:
+ if isSudoPrincipal(authz):
+ log.msg("Cannot proxy as another proxy: user '%s' as user '%s'" % (authid, authz))
+ raise HTTPError(responsecode.FORBIDDEN)
+ else:
+ authzPrincipal = getPrincipalForType(
+ DirectoryService.recordType_groups, authz)
+
+ if not authzPrincipal:
+ authzPrincipal = self.findPrincipalForAuthID(authz)
+
+ if authzPrincipal is not None:
+ log.msg("Allow proxy: user '%s' as '%s'" % (authid, authz,))
+ yield authzPrincipal
+ return
+ else:
+ log.msg("Could not find authorization user id: '%s'" %
+ (authz,))
+ raise HTTPError(responsecode.FORBIDDEN)
+ else:
+ log.msg("Cannot authenticate proxy user '%s' 
without X-Authorize-As header" % (authid, ))
+ raise HTTPError(responsecode.BAD_REQUEST)
+ elif authz:
+ log.msg("Cannot proxy: user '%s' as '%s'" % (authid, authz,))
+ raise HTTPError(responsecode.FORBIDDEN)
+ else:
+ # No proxy - do default behavior
+ d = waitForDeferred(super(SudoAuthIDMixin, self).authorizationPrincipal(request, authid, authnPrincipal))
+ yield d
+ yield d.getResult()
+ return
+
+ authorizationPrincipal = deferredGenerator(authorizationPrincipal)
+
+
class DAVResource (SudoAuthIDMixin, SuperDAVResource):
"""
Extended L{twisted.web2.dav.resource.DAVResource} implementation.
Modified: CalendarServer/trunk/twistedcaldav/resource.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/resource.py 2007-05-25 02:40:24 UTC (rev 1571)
+++ CalendarServer/trunk/twistedcaldav/resource.py 2007-05-25 17:59:23 UTC (rev 1572)
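Review bot: The header normalisation only unwraps `authz` when exactly one X-Authorize-As header is present, so a request carrying two or more of them leaves `authz` as a non-empty list that then flows into `isSudoPrincipal`, `principalForShortName`, `findPrincipalForAuthID` and the `%` log formatting instead of being rejected; for a header that selects the identity a request is authorized as, the repeated case should fail explicitly, e.g. `if authz is not None and len(authz) != 1:` / `raise HTTPError(responsecode.BAD_REQUEST)` placed before the `authz = authz[0]` unwrap. Separately, the docstring's @return promises a (L{IDAVPrincipal}, C{str}) tuple, but the proxy branch yields `authzPrincipal` alone while the default branch yields whatever the superclass returns; one of the two appears inconsistent and the docstring should state the shape callers actually receive (the superclass is not visible here). The same two points applied to the removed copy in resource.py, so nothing is lost by the move, but they remain open in the new location.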
@@ -235,74 +235,6 @@
return super(CalDAVResource, self).accessControlList(*args, **kwargs)
- def authorizationPrincipal(self, request, authid, authnPrincipal):
- """
- Determine the authorization principal for the given request and authentication principal.
- This implementation looks for an X-Authorize-As header value to use as the authoization principal.
-
- @param request: the L{IRequest} for the request in progress.
- @param authid: a string containing the uthentication/authorization identifier
- for the principal to lookup.
- @param authnPrincipal: the L{IDAVPrincipal} for the authenticated principal
- @return: a deferred result C{tuple} of (L{IDAVPrincipal}, C{str}) containing the authorization principal
- resource and URI respectively.
- """
- # FIXME: Unroll defgen
-
- # Look for X-Authorize-As Header
- authz = request.headers.getRawHeaders("x-authorize-as")
-
- if authz is not None and (len(authz) == 1):
- # Substitute the authz value for principal look up
- authz = authz[0]
-
- def getPrincipalForType(type, name):
- for collection in self.principalCollections():
- principal = collection.principalForShortName(type, name)
- if principal:
- return principal
-
- def isSudoPrincipal(authid):
- if getPrincipalForType(SudoDirectoryService.recordType_sudoers,
- authid):
- return True
- return False
-
- if isSudoPrincipal(authid):
- if authz:
- if isSudoPrincipal(authz):
- log.msg("Cannot proxy as another proxy: user '%s' as user '%s'" % (authid, authz))
- raise HTTPError(responsecode.FORBIDDEN)
- else:
- authzPrincipal = getPrincipalForType(
- DirectoryService.recordType_groups, authz)
-
- if not authzPrincipal:
- authzPrincipal = self.findPrincipalForAuthID(authz)
-
- if authzPrincipal is not None:
- log.msg("Allow proxy: user '%s' as '%s'" % (authid, authz,))
- yield authzPrincipal
- return
- else:
- log.msg("Could not find authorization user id: '%s'" %
- (authz,))
- raise HTTPError(responsecode.FORBIDDEN)
- else:
- log.msg("Cannot authenticate proxy user '%s' 
without X-Authorize-As header" % (authid, ))
- raise HTTPError(responsecode.BAD_REQUEST)
- elif authz:
- log.msg("Cannot proxy: user '%s' as '%s'" % (authid, authz,))
- raise HTTPError(responsecode.FORBIDDEN)
- else:
- # No proxy - do default behavior
- d = waitForDeferred(super(CalDAVResource, self).authorizationPrincipal(request, authid, authnPrincipal))
- yield d
- yield d.getResult()
- return
-
- authorizationPrincipal = deferredGenerator(authorizationPrincipal)
-
##
# CalDAV
##