[CalendarServer-changes] [909]
CalendarServer/branches/users/dreid/sudoers
source_changes at macosforge.org
Thu Jan 4 08:18:51 PST 2007
Revision: 909
http://trac.macosforge.org/projects/calendarserver/changeset/909
Author: dreid at apple.com
Date: 2007-01-04 08:18:50 -0800 (Thu, 04 Jan 2007)
Log Message:
-----------
Refactor sudoer support so we never access the directory directly. Add principalForShortName so we can look up sudoer principals as well as user principals.
Modified Paths:
--------------
CalendarServer/branches/users/dreid/sudoers/conf/sudoers.plist
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/aggregate.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/directory.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/principal.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/sudo.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/extensions.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/resource.py
CalendarServer/branches/users/dreid/sudoers/twistedcaldav/tap.py
Modified: CalendarServer/branches/users/dreid/sudoers/conf/sudoers.plist
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/conf/sudoers.plist 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/conf/sudoers.plist 2007-01-04 16:18:50 UTC (rev 909)
@@ -31,9 +31,9 @@
-->
<dict>
<key>username</key>
- <string>bob</string>
+ <string>superuser</string>
<key>password</key>
- <string>bob</string>
+ <string>superuser</string>
</dict>
</array>
</dict>
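Review bot: The sample sudoer at lines 32 and 35 now has the username and password both set to `superuser`, stored in clear text in a plist that lives under conf/; if that file is installed unchanged, anyone who reads the default gets an account that the new findPrincipalForAuthID path resolves ahead of regular users. I can't see whether the comment block above the entry (outside the hunk) already says this, but the entry should be labelled as an example that must be replaced before deployment, e.g. `<!-- Example only: replace username/password before deploying; sudoer passwords are stored in clear text here. -->`.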
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/aggregate.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/aggregate.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/aggregate.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -103,6 +103,21 @@
else:
return None
+ userRecordTypes = ['user', 'sudoer']
+
+ def requestAvatarId(self, credentials):
+ for type in self.userRecordTypes:
+ user = self.recordWithShortName(
+ type,
+ credentials.credentials.username)
+
+ if user:
+ return self.serviceForRecordType(
+ type).requestAvatarId(credentials)
+
+ raise UnauthorizedLogin("No such user: %s" % (
+ credentials.credentials.username,))
+
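Review bot: The lookup order at line 46 (`user` before `sudoer`) is the reverse of the one the new findPrincipalForAuthID code in extensions.py uses (sudoer first), so if a short name can exist in both record types this method verifies the password against the user service while the request is then authorized as the sudoer principal — an escalation path unless the two namespaces are guaranteed disjoint, which this diff does not show. Keep one ordering in one place, or refuse ambiguous names outright: `userRecordTypes = ['sudoer', 'user']  # must match findPrincipalForAuthID ordering`. Also `type` at line 49 shadows the builtin (rename it `recordType`), and the raise at line 58 needs `UnauthorizedLogin` imported into aggregate.py — this commit adds that import only to sudo.py. The enclosing class header is outside the hunk.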
class DuplicateRecordTypeError(DirectoryError):
"""
Duplicate record type.
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/directory.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/directory.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/directory.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -76,8 +76,6 @@
credentialInterfaces = (IPrincipalCredentials,)
def requestAvatarId(self, credentials):
- import pdb
- pdb.set_trace()
credentials = IPrincipalCredentials(credentials)
# FIXME: ?
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/principal.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/principal.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/principal.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -87,14 +87,17 @@
for recordType in self.directory.recordTypes():
self.putChild(recordType, DirectoryPrincipalTypeResource(self.fp.child(recordType).path, self, recordType))
+ def principalForShortName(self, type, name):
+ typeResource = self.getChild(type)
+ if typeResource is None:
+ return None
+ return typeResource.getChild(name)
+
def principalForUser(self, user):
- return self.getChild("user").getChild(user)
+ return self.principalForShortName('user', user)
def principalForRecord(self, record):
- typeResource = self.getChild(record.recordType)
- if typeResource is None:
- return None
- return typeResource.getChild(record.shortName)
+ return self.principalForShortName(record.recordType, record.shortName)
def _principalForURI(self, uri):
if uri.startswith(self._url):
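Review bot: `principalForShortName` at line 82 passes `name` straight to `typeResource.getChild(name)`, and its new callers in extensions.py hand it the unauthenticated auth id taken from the request. Whether `getChild` tolerates an empty string, a `/` or `..` depends on the resource class, which I can't see here; rejecting those up front keeps a crafted auth id from resolving to an unrelated child or the type collection itself: `if not name or '/' in name or name in ('.', '..'): return None`. The method also lacks a docstring; I'd add one stating that it returns the principal resource for a record type and short name, or None when the type is unknown, and that `name` is to be treated as untrusted.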
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/sudo.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/sudo.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/directory/sudo.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -30,6 +30,8 @@
from twisted.cred.credentials import (IUsernamePassword,
IUsernameHashedPassword)
+from twisted.cred.error import UnauthorizedLogin
+
from twistedcaldav.py.plistlib import readPlist
from twistedcaldav.directory.directory import (DirectoryService,
DirectoryRecord,
@@ -99,20 +101,21 @@
# We were checking if principal is enabled; seems unnecessary in current
# implementation because you shouldn't have a principal object for a
# disabled directory principal.
-
- user = self.recordWithShortName("sudoer",
- credentials.credentials.username)
- if user is None:
- raise UnauthorizedLogin("No such user: %s" % (user,))
-
- if user.verifyCredentials(credentials.credentials):
+ sudouser = self.recordWithShortName("sudoer",
+ credentials.credentials.username)
+ if sudouser is None:
+ raise UnauthorizedLogin("No such user: %s" % (sudouser,))
+
+ if sudouser.verifyCredentials(credentials.credentials):
return (
credentials.authnPrincipal.principalURL(),
credentials.authzPrincipal.principalURL(),
- )
+ )
else:
- raise UnauthorizedLogin("Incorrect credentials for %s" % (user,))
+ raise UnauthorizedLogin(
+ "Incorrect credentials for %s" % (sudouser,))
+
class SudoDirectoryRecord(DirectoryRecord):
"""
L{DirectoryRecord} implementation for Sudo users.
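Review bot: The message at line 125 formats `sudouser`, which is `None` on that path, so the exception reads `No such user: None`; the rename carried the pre-existing bug over — use `credentials.credentials.username` there instead. The two failure branches also produce distinguishable messages (`No such user` vs `Incorrect credentials`); if the portal surfaces them to the client, this lets a caller enumerate sudoer names, so consider one generic message for the caller and the detail in a server-side log only. `requestAvatarId`'s signature is above the hunk.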
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/extensions.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/extensions.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/extensions.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -52,18 +52,13 @@
the authentication identifier passed in. Check for sudo users before
regular users.
"""
+ for collection in self.principalCollections():
+ principal = collection.principalForShortName('sudoer', authid)
+ if principal is not None:
+ return principal
- record = self.directory.recordWithShortName('sudoer', authid)
+ return super(DAVFile, self).findPrincipalForAuthID(authid)
- if record:
- for collection in self.principalCollections():
- principal = collection.principalForRecord(record)
- if principal is not None:
- return principal
-
- return super(DAVResource, self).findPrincipalForAuthID(authid)
-
-
class DAVFile (SuperDAVFile):
"""
Extended L{twisted.web2.dav.static.DAVFile} implementation.
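Review bot: Line 154 calls `super(DAVFile, self)` inside the class that precedes `class DAVFile` (its header is above the hunk; the removed line 161 used `DAVResource`). Unless every instance of that class is also a DAVFile, `super()` raises TypeError there, and when it is, the MRO may route straight back into this same method; it reads like a paste from the DAVFile version below. It should be `return super(DAVResource, self).findPrincipalForAuthID(authid)`, and since both classes now carry an identical body, a shared mixin or module-level helper would keep the sudoer-first ordering in one place.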
@@ -233,12 +228,19 @@
def findPrincipalForAuthID(self, authid):
"""
- returns the principals by asking it's parent, because it doesn't have
- a reference to the directory
+ Return an authentication and authorization principal identifiers for
+ the authentication identifier passed in. Check for sudo users before
+ regular users.
"""
- return self.parent.findPrincipalForAuthID(authid)
+ for collection in self.principalCollections():
+ principal = collection.principalForShortName('sudoer', authid)
+ if principal is not None:
+ return principal
+ return super(DAVFile, self).findPrincipalForAuthID(authid)
+
+
class ReadOnlyResourceMixIn (object):
"""
Read only resource.
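Review bot: The docstring at lines 172-174 says the method returns "an authentication and authorization principal identifiers", but the body returns a single principal resource (or whatever the superclass returns), so the wording is both ungrammatical and inaccurate. I'd replace it with `Return the principal resource for the given auth id, checking the sudoer collection before falling back to regular users.` The body is a verbatim copy of the method added to the class above; a shared helper would stop the two copies drifting on lookup order. `ReadOnlyResourceMixIn` at line 184 opens a class that continues past the hunk.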
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/resource.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/resource.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/resource.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -254,15 +254,15 @@
# Substitute the authz value for principal look up
authz = authz[0]
- # See if authenticated uid is a proxy user
- sudoRecord = self.directory.recordWithShortName(
- 'sudoer',
- authid)
+ def isSudoPrincipal(authid):
+ for collection in self.principalCollections():
+ if collection.principalForShortName('sudoer', authid):
+ return True
+ return False
- if sudoRecord:
+ if isSudoPrincipal(authid):
if authz:
- record = self.directory.recordWithShortName('sudoer', authz)
- if record:
+ if isSudoPrincipal(authz):
log.msg("Cannot proxy as another proxy: user '%s' as user '%s'" % (authid, authz))
raise HTTPError(responsecode.UNAUTHORIZED)
else:
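Review bot: `isSudoPrincipal` at line 198 relies on the truthiness of the resource returned by `principalForShortName`, whereas the sibling code in extensions.py tests `is not None`; I can't see whether any principal resource class defines `__len__` or `__nonzero__`, but if one does, a real sudoer would be treated as a regular user and the proxy-as-proxy check at line 208 skipped. Use `if collection.principalForShortName('sudoer', authid) is not None:` and, since the closure is rebuilt on every request, consider making it a private method on the class. The enclosing method starts and ends outside the hunk.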
Modified: CalendarServer/branches/users/dreid/sudoers/twistedcaldav/tap.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers/twistedcaldav/tap.py 2007-01-04 03:21:21 UTC (rev 908)
+++ CalendarServer/branches/users/dreid/sudoers/twistedcaldav/tap.py 2007-01-04 16:18:50 UTC (rev 909)
@@ -204,8 +204,8 @@
# FIXME: This is a hack, why doesn't aggregate directory service
# do the right thing.
- if sudoDirectory:
- portal.registerChecker(sudoDirectory)
+# if sudoDirectory:
+# portal.registerChecker(sudoDirectory)
realm = directory.realmName or ""
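Review bot: Lines 221-222 comment out the sudo checker registration while leaving the `FIXME: This is a hack` note at 217-218 in place, so a reader can't tell whether sudoer authentication now goes through the aggregate directory (the new `requestAvatarId` in aggregate.py suggests so, but the registration of that checker is not in this diff) or has simply been dropped, which would silently stop sudoers from authenticating. Delete the dead lines rather than commenting them out, and replace the FIXME with where the check now happens, e.g. `# Sudoer authentication is handled by the aggregate directory's requestAvatarId.`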