[CalendarServer-changes] [983]
CalendarServer/branches/users/dreid/sudoers-3
Mon Jan 8 16:33:04 PST 2007
Revision: 983
http://trac.macosforge.org/projects/calendarserver/changeset/983
Author: dreid at apple.com
Date: 2007-01-08 16:33:04 -0800 (Mon, 08 Jan 2007)
Log Message:
-----------
Resolve conflicts
Modified Paths:
--------------
CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml
CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml
CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist
CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist
CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch
CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch
CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py
Added Paths:
-----------
CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist
CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py
Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml 2007-01-09 00:33:04 UTC (rev 983)
@@ -24,12 +24,6 @@
<password>admin</password>
<name>Super User</name>
</user>
- <user>
- <uid>proxy</uid>
- <password>proxy</password>
- <name>User who can authorize as someone else</name>
- <canproxy/> <!-- FIXME: Is the directory the right place to configure this bit? -->
- </user>
<user repeat="99">
<uid>user%02d</uid>
<password>user%02d</password>
@@ -52,4 +46,12 @@
<password>resource%02d</password>
<name>Resource %02d</name>
</resource>
+ <group>
+ <uid>group01</uid>
+ <password>group01</password>
+ <name>Group 01</name>
+ <members>
+ <member type="users">user01</member>
+ </members>
+ </group>
</accounts>
Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml 2007-01-09 00:33:04 UTC (rev 983)
@@ -25,12 +25,6 @@
<name>Super User</name>
</user>
<user>
- <uid>proxy</uid>
- <password>proxy</password>
- <name>User who can authorize as someone else</name>
- <canproxy/> <!-- FIXME: Is the directory the right place to configure this bit? -->
- </user>
- <user>
<uid>test</uid>
<password>test</password>
<name>Test User</name>
Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist 2007-01-09 00:33:04 UTC (rev 983)
@@ -191,6 +191,9 @@
<array>
<string>/principals/users/admin/</string>
</array>
+
+ <key>SudoersFile</key>
+ <string>conf/sudoers.plist</string>
<key>ServerType</key>
<string>singleprocess</string>
Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist 2007-01-09 00:33:04 UTC (rev 983)
@@ -136,6 +136,9 @@
<array>
<string>/principals/users/admin/</string>
</array>
+
+ <key>SudoersFile</key>
+ <string>/etc/caldavd/sudoers.plist</string>
<key>ServerType</key>
<string>singleprocess</string>
Copied: CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/conf/sudoers.plist)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist 2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>users</key>
+<array>
+<!-- Sudo user definitions -->
+<!-- With the exception of username and password none of the following
+ elements are used in the current implementation. -->
+<!--
+ <dict>
+ <key>authorize-as</key>
+ <dict>
+ <key>allow</key>
+ <true/>
+ <key>principals</key>
+ <array>
+ <string>all</string>
+ <string>/principals/user/wsanchez</string>
+ </array>
+ </dict>
+ <key>authorize-from</key>
+ <array>
+ <string>127.0.0.1</string>
+ </array>
+
+ <key>username</key>
+ <string></string>
+
+ <key>password</key>
+ <string></string>
+ </dict>
+-->
+ <dict>
+ <key>username</key>
+ <string>superuser</string>
+ <key>password</key>
+ <string>superuser</string>
+ </dict>
+</array>
+</dict>
+</plist>
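Review bot: The shipped file carries a live `superuser`/`superuser` entry (the uncommented `<dict>` after the example block), and the comment above it states that `authorize-as` and `authorize-from` are not honoured by the current implementation, so installing this file unchanged lets anyone who knows the default password authorize as any principal the server knows. Ship that entry commented out, or with an empty `users` array, so sudo support is opt-in rather than on by default. Add a warning near the top such as `<!-- Passwords below are stored in cleartext; this file must be readable only by the caldavd user. -->`, since Digest verification in sudo.py needs the cleartext and the file is the only credential store for these accounts. The `/etc/caldavd/sudoers.plist` default added in caldavd.plist suggests this file is meant to be installed there, which is what makes the default credential a deployment-time risk.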
Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch 2007-01-09 00:33:04 UTC (rev 983)
@@ -548,6 +548,19 @@
# Compare two HRefs and do group membership test as well
if principal1 == principal2:
yield True
+@@ -1296,9 +1392,9 @@
+ def testGroup(group):
+ # Get principal resource for principal2
+ if group and isinstance(group, DAVPrincipalResource):
+- members = group.groupMembers()
+- if principal1 in members:
+- return True
++ for member in group.groupMembers():
++ if member.principalURL() == principal1:
++ return True
+
+ return False
+
@@ -1426,7 +1522,7 @@
log.err("DAV:self ACE is set on non-principal resource %r" % (self,))
yield None
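Review bot: The rewritten `testGroup` compares `member.principalURL()` with `principal1` directly, while the surrounding code compares `principal1` with `principal2` as HRef-like values (per the "Compare two HRefs" comment just above), so if `principalURL()` returns a plain string and `principal1` is an element object, the equality can never hold and group-based ACE matching silently always fails; confirm the types actually passed before merging. Only the direct members returned by `group.groupMembers()` are inspected, so if that is deliberate it deserves a comment such as `# only direct members are checked; nested groups are not expanded`. The enclosing function starts before and ends after this hunk.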
Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch 2007-01-09 00:33:04 UTC (rev 983)
@@ -10,7 +10,7 @@
from twisted.web2.dav.util import davXMLFromStream
from twisted.web2.dav.auth import TwistedPasswordProperty, IPrincipal, DavRealm, TwistedPropertyChecker, AuthenticationWrapper
-@@ -38,6 +39,11 @@
+@@ -38,6 +39,22 @@
from twisted.web2.dav.test.util import Site, serialize
from twisted.web2.dav.test.test_resource import TestResource, TestDAVPrincipalResource
@@ -18,11 +18,22 @@
+ def __init__(self, url, children):
+ DAVPrincipalCollectionResource.__init__(self, url)
+ TestResource.__init__(self, url, children, principalCollections=(self,))
++
++ def principalForUser(self, user):
++ return self.principalForShortName('users', user)
+
++ def principalForShortName(self, type, shortName):
++ typeResource = self.children.get(type, None)
++ user = None
++ if typeResource:
++ user = typeResource.children.get(shortName, None)
++
++ return user
++
class ACL(twisted.web2.dav.test.util.TestCase):
"""
RFC 3744 (WebDAV ACL) tests.
-@@ -46,8 +52,14 @@
+@@ -46,8 +63,14 @@
if not hasattr(self, "docroot"):
self.docroot = self.mktemp()
os.mkdir(self.docroot)
@@ -38,7 +49,7 @@
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
-@@ -56,26 +68,14 @@
+@@ -56,26 +79,14 @@
loginInterfaces = (IPrincipal,)
self.site = Site(AuthenticationWrapper(
Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch 2007-01-09 00:33:04 UTC (rev 983)
@@ -54,12 +54,11 @@
else:
return davxml.Principal(davxml.Unauthenticated())
-@@ -400,17 +398,23 @@
+@@ -399,18 +397,21 @@
+
def accessControlList(self, request, **kwargs):
return succeed(self.acl)
-
-+ def principalForUser(self, user):
-+ return self.children[user]
+-
class AuthAllResource (TestResource):
- """Give Authenticated principals all privileges deny everything else
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -61,7 +61,9 @@
'ServicePrincipal': '',
},
},
+
'AdminPrincipals': ['/principals/users/admin/'],
+ 'SudoersFile': '/etc/caldavd/sudoers.plist',
'twistdLocation': '/usr/share/caldavd/bin/twistd',
'pydirLocation': '/usr/share/caldavd/bin/pydir++.py',
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -103,6 +103,21 @@
else:
return None
+ userRecordTypes = ['user', 'sudoer']
+
+ def requestAvatarId(self, credentials):
+ for type in self.userRecordTypes:
+ user = self.recordWithShortName(
+ type,
+ credentials.credentials.username)
+
+ if user:
+ return self.serviceForRecordType(
+ type).requestAvatarId(credentials)
+
+ raise UnauthorizedLogin("No such user: %s" % (
+ credentials.credentials.username,))
+
class DuplicateRecordTypeError(DirectoryError):
"""
Duplicate record type.
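Review bot: `requestAvatarId` walks `userRecordTypes` in the order `['user', 'sudoer']` and returns on the first type that knows the short name, so a name present in both the base directory and the sudoers file is always verified by the base directory with that account's ordinary password and the sudoers password is never consulted. Because resource.py decides that a request is a sudo request solely by `getPrincipalForType('sudoer', authid)` (a name lookup, not by which service verified the credentials), a regular user whose short name collides with a sudoer entry would gain impersonation rights with their normal password. Rather than reordering the types, refuse the login with `UnauthorizedLogin` when the name resolves in more than one record type, and report the collision when the services are loaded. The enclosing `AggregateDirectoryService` class begins before this hunk, so whether the constructor already rejects overlapping short names is not visible here.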
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -87,14 +87,18 @@
for recordType in self.directory.recordTypes():
self.putChild(recordType, DirectoryPrincipalTypeResource(self.fp.child(recordType).path, self, recordType))
+ def principalForShortName(self, type, name):
+ typeResource = self.getChild(type)
+ if typeResource is None:
+ return None
+ return typeResource.getChild(name)
+
def principalForUser(self, user):
- return self.getChild(DirectoryService.recordType_users).getChild(user)
+ return self.principalForShortName(DirectoryService.recordType_users,
+ user)
def principalForRecord(self, record):
- typeResource = self.getChild(record.recordType)
- if typeResource is None:
- return None
- return typeResource.getChild(record.shortName)
+ return self.principalForShortName(record.recordType, record.shortName)
def _principalForURI(self, uri):
if uri.startswith(self._url):
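Review bot: `principalForShortName` returns whatever `typeResource.getChild(name)` yields for an unknown name, and the new callers in resource.py (`getPrincipalForType` / `isSudoPrincipal`) rely on that value being falsy to decide that `authid` is not a sudoer; whether `getChild` returns `None` or a placeholder resource for a missing child is not visible in this diff, and `name` there comes from the authenticated user name or the `X-Authorize-As` header. Document the contract the callers depend on, e.g. `"""Return the principal resource for (type, name), or None when either the record type or the short name is unknown; callers treat any truthy result as an existing principal."""`, and confirm that `DirectoryPrincipalTypeResource.getChild` really returns `None` (not a not-found resource) for unknown names. `principalForUser` and `principalForRecord` now share this helper, so any such mismatch affects all three.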
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -25,7 +25,7 @@
User Database:
-ROW: RECORD_TYPE, SHORT_NAME (unique), PASSWORD, NAME, CAN_PROXY
+ROW: RECORD_TYPE, SHORT_NAME (unique), PASSWORD, NAME
Group Database:
@@ -161,13 +161,12 @@
shortName = record.shortName
password = record.password
name = record.name
- canproxy = ('F', 'T')[record.canproxy]
self._db_execute(
"""
- insert into ACCOUNTS (RECORD_TYPE, SHORT_NAME, PASSWORD, NAME, CAN_PROXY)
- values (:1, :2, :3, :4, :5)
- """, recordType, shortName, password, name, canproxy
+ insert into ACCOUNTS (RECORD_TYPE, SHORT_NAME, PASSWORD, NAME)
+ values (:1, :2, :3, :4)
+ """, recordType, shortName, password, name
)
# Check for members
@@ -224,8 +223,7 @@
RECORD_TYPE text,
SHORT_NAME text,
PASSWORD text,
- NAME text,
- CAN_PROXY text(1)
+ NAME text
)
"""
)
Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/sudo.py)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,141 @@
+##
+# Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DRI: David reid, dreid at apple.com
+##
+
+"""
+Directory service implementation for users who are allowed to authorize
+as other principals.
+"""
+
+__all__ = [
+ "SudoDirectoryService",
+]
+
+from twisted.python.filepath import FilePath
+
+from twisted.cred.credentials import (IUsernamePassword,
+ IUsernameHashedPassword)
+
+from twisted.cred.error import UnauthorizedLogin
+
+from twistedcaldav.py.plistlib import readPlist
+from twistedcaldav.directory.directory import (DirectoryService,
+ DirectoryRecord,
+ UnknownRecordTypeError)
+
+class SudoDirectoryService(DirectoryService):
+ """
+ L{IDirectoryService} implementation for Sudo users.
+ """
+ baseGUID = "1EE00E46-1885-4DBC-A001-590AFA76A8E3"
+
+ realmName = None
+
+ plistFile = None
+
+ recordType = "sudoer"
+
+ def __repr__(self):
+ return "<%s %r: %r>" % (self.__class__.__name__, self.realmName,
+ self.plistFile)
+
+ def __init__(self, plistFile):
+ super(SudoDirectoryService, self).__init__()
+
+ if isinstance(plistFile, (unicode, str)):
+ plistFile = FilePath(plistFile)
+
+ self.plistFile = plistFile
+ self._fileInfo = None
+ self._accounts()
+
+ def _accounts(self):
+ fileInfo = (self.plistFile.getmtime(), self.plistFile.getsize())
+ if fileInfo != self._fileInfo:
+ self._plist = readPlist(self.plistFile.path)
+
+ return self._plist
+
+ def recordTypes(self):
+ return (self.recordType,)
+
+ def _recordForEntry(self, entry):
+ return SudoDirectoryRecord(
+ service=self,
+ recordType=self.recordType,
+ shortName=entry['username'],
+ entry=entry)
+
+
+ def listRecords(self, recordType):
+ if recordType != self.recordType:
+ raise UnknownRecordTypeError(recordType)
+
+ for entry in self._accounts()['users']:
+ yield self._recordForEntry(entry)
+
+ def recordWithShortName(self, recordType, shortName):
+ if recordType != self.recordType:
+ raise UnknownRecordTypeError(recordType)
+
+ for entry in self._accounts()['users']:
+ if entry['username'] == shortName:
+ return self._recordForEntry(entry)
+
+ def requestAvatarId(self, credentials):
+ # FIXME: ?
+ # We were checking if principal is enabled; seems unnecessary in current
+ # implementation because you shouldn't have a principal object for a
+ # disabled directory principal.
+ sudouser = self.recordWithShortName("sudoer",
+ credentials.credentials.username)
+ if sudouser is None:
+ raise UnauthorizedLogin("No such user: %s" % (sudouser,))
+
+ if sudouser.verifyCredentials(credentials.credentials):
+ return (
+ credentials.authnPrincipal.principalURL(),
+ credentials.authzPrincipal.principalURL(),
+ )
+ else:
+ raise UnauthorizedLogin(
+ "Incorrect credentials for %s" % (sudouser,))
+
+
+class SudoDirectoryRecord(DirectoryRecord):
+ """
+ L{DirectoryRecord} implementation for Sudo users.
+ """
+
+ def __init__(self, service, recordType, shortName, entry):
+ super(SudoDirectoryRecord, self).__init__(
+ service=service,
+ recordType=recordType,
+ guid=None,
+ shortName=shortName,
+ fullName=shortName,
+ calendarUserAddresses=set())
+
+ self.password = entry['password']
+
+ def verifyCredentials(self, credentials):
+ if IUsernamePassword.providedBy(credentials):
+ return credentials.checkPassword(self.password)
+ elif IUsernameHashedPassword.providedBy(credentials):
+ return credentials.checkPassword(self.password)
+
+ return super(SudoDirectoryRecord, self).verifyCredentials(credentials)
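Review bot: `_accounts` compares the file's `(mtime, size)` with `self._fileInfo` but never stores the new value, so `_fileInfo` remains `None` and the plist is re-read and re-parsed on every lookup, which includes every authentication and every `isSudoPrincipal` check made from resource.py; add `self._fileInfo = fileInfo` inside the `if`. In `requestAvatarId` the "No such user" branch formats `sudouser`, which is `None` at that point, so the message should use `credentials.credentials.username`. The same method looks up the literal `"sudoer"` instead of `self.recordType`. The module docstring should also state that passwords are held in cleartext (required for Digest via `IUsernameHashedPassword.checkPassword`), so operators know to restrict the plist's permissions.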
Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/test/sudoers.plist)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist 2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>users</key>
+ <array>
+ <dict>
+ <key>authorize-as</key>
+ <dict>
+ <key>allow</key>
+ <true/>
+ <key>principals</key>
+ <array>
+ <string>all</string>
+ </array>
+ </dict>
+ <key>authorize-from</key>
+ <array>
+ <string>127.0.0.1</string>
+ </array>
+ <key>password</key>
+ <string>alice</string>
+ <key>username</key>
+ <string>alice</string>
+ </dict>
+ </array>
+</dict>
+</plist>
Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/test/test_sudo.py)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,66 @@
+##
+# Copyright (c) 2005-2006 Apple Computer, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DRI: David Reid, dreid at apple.com
+##
+import os
+
+from twisted.python.filepath import FilePath
+
+import twistedcaldav.directory.test.util
+from twistedcaldav.directory.sudo import SudoDirectoryService
+from twistedcaldav.py.plistlib import writePlist
+
+plistFile = FilePath(os.path.join(os.path.dirname(__file__), "sudoers.plist"))
+
+class SudoTestCase(
+ twistedcaldav.directory.test.util.BasicTestCase,
+ twistedcaldav.directory.test.util.DigestTestCase
+):
+ """
+ Test the Sudo Directory Service
+ """
+
+ recordTypes = set(('sudoer',))
+ recordType = 'sudoer'
+
+ sudoers = {'alice': {'password': 'alice',},
+ }
+
+ def plistFile(self):
+ if not hasattr(self, "_plistFile"):
+ self._plistFile = FilePath(self.mktemp())
+ plistFile.copyTo(self._plistFile)
+ return self._plistFile
+
+ def service(self):
+ service = SudoDirectoryService(self.plistFile())
+ service.realmName = "test realm"
+ return service
+
+ def test_listRecords(self):
+ for record in self.service().listRecords(self.recordType):
+ self.failUnless(record.shortName in self.sudoers)
+ self.assertEqual(self.sudoers[record.shortName]['password'],
+ record.password)
+
+ def test_recordWithShortName(self):
+ service = self.service()
+
+ record = service.recordWithShortName('sudoer', 'alice')
+ self.assertEquals(record.password, 'alice')
+
+ record = service.recordWithShortName('sudoer', 'bob')
+ self.failIf(record)
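Review bot: Neither test exercises credential verification: `test_recordWithShortName` only checks that `alice` exists with the expected cleartext password, and nothing calls `verifyCredentials` or `requestAvatarId` with a wrong password, so a regression that accepted any password would still pass. Unless the inherited `BasicTestCase`/`DigestTestCase` mixins already cover it, add `self.failUnless(record.verifyCredentials(UsernamePassword('alice', 'alice')))` and `self.failIf(record.verifyCredentials(UsernamePassword('alice', 'wrong')))` (importing `UsernamePassword` from `twisted.cred.credentials`). A test for an unknown record type raising `UnknownRecordTypeError` would also pin the behaviour `listRecords` and `recordWithShortName` promise.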
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -44,7 +44,6 @@
ELEMENT_MEMBERS = "members"
ELEMENT_MEMBER = "member"
ELEMENT_CUADDR = "cuaddr"
-ELEMENT_CANPROXY = "canproxy"
ATTRIBUTE_REALM = "realm"
ATTRIBUTE_REPEAT = "repeat"
@@ -143,7 +142,6 @@
self.members = set()
self.groups = set()
self.calendarUserAddresses = set()
- self.canproxy = False
def repeat(self, ctr):
"""
@@ -176,7 +174,6 @@
result.name = name
result.members = self.members
result.calendarUserAddresses = calendarUserAddresses
- result.canproxy = self.canproxy
return result
def parseXML(self, node):
@@ -198,9 +195,6 @@
elif child_name == ELEMENT_CUADDR:
if child.firstChild is not None:
self.calendarUserAddresses.add(child.firstChild.data.encode("utf-8"))
- elif child_name == ELEMENT_CANPROXY:
- CalDAVResource.proxyUsers.add(self.shortName)
- self.canproxy = True
else:
raise RuntimeError("Unknown account attribute: %s" % (child_name,))
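Review bot: Dropping the `ELEMENT_CANPROXY` branch means an existing accounts.xml that still contains `<canproxy/>` (present in the shipped accounts.xml until this very revision) now falls through to `raise RuntimeError("Unknown account attribute: ...")`, so the directory fails to load on upgrade. Keep a transitional branch that ignores the element, e.g. `elif child_name == "canproxy": pass  # deprecated: sudo users now come from the sudoers plist`, and emit a warning there if this module has a logger in scope. With `CalDAVResource.proxyUsers` no longer referenced, check whether the `CalDAVResource` import in this module is still needed (its import block is outside the hunk). `parseXML` begins before this hunk.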
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -73,10 +73,6 @@
# resources to that size, or C{None} for no limit.
sizeLimit = None
- # Set containing user ids of all the users who have been given
- # the right to authorize as someone else.
- proxyUsers = set()
-
##
# HTTP
##
@@ -257,28 +253,42 @@
# Substitute the authz value for principal look up
authz = authz[0]
- # See if authenticated uid is a proxy user
- if authid in CalDAVResource.proxyUsers:
+ def getPrincipalForType(type, name):
+ for collection in self.principalCollections():
+ principal = collection.principalForShortName(type, name)
+ if principal:
+ return principal
+
+ def isSudoPrincipal(authid):
+ if getPrincipalForType('sudoer', authid):
+ return True
+ return False
+
+ if isSudoPrincipal(authid):
if authz:
- if authz in CalDAVResource.proxyUsers:
+ if isSudoPrincipal(authz):
log.msg("Cannot proxy as another proxy: user '%s' as user '%s'" % (authid, authz))
- raise HTTPError(responsecode.UNAUTHORIZED)
+ raise HTTPError(responsecode.FORBIDDEN)
else:
- authzPrincipal = self.findPrincipalForAuthID(authz)
+ authzPrincipal = getPrincipalForType('group', authz)
+ if not authzPrincipal:
+ authzPrincipal = self.findPrincipalForAuthID(authz)
+
if authzPrincipal is not None:
log.msg("Allow proxy: user '%s' as '%s'" % (authid, authz,))
yield authzPrincipal
return
else:
- log.msg("Could not find proxy user id: '%s'" % authid)
- raise HTTPError(responsecode.UNAUTHORIZED)
+ log.msg("Could not find authorization user id: '%s'" %
+ (authz,))
+ raise HTTPError(responsecode.FORBIDDEN)
else:
log.msg("Cannot authenticate proxy user '%s' without X-Authorize-As header" % (authid, ))
- raise HTTPError(responsecode.UNAUTHORIZED)
+ raise HTTPError(responsecode.BAD_REQUEST)
elif authz:
log.msg("Cannot proxy: user '%s' as '%s'" % (authid, authz,))
- raise HTTPError(responsecode.UNAUTHORIZED)
+ raise HTTPError(responsecode.FORBIDDEN)
else:
# No proxy - do default behavior
d = waitForDeferred(super(CalDAVResource, self).authorizationPrincipal(request, authid, authnPrincipal))
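Review bot: Once `isSudoPrincipal(authid)` is true, the only restriction applied to the `X-Authorize-As` value is that it is not another sudoer; `authz` is then resolved through `getPrincipalForType('group', authz)` or `findPrincipalForAuthID(authz)`, so a sudoer may act as any user, resource or group, including the principals listed under `AdminPrincipals`, from any client address, while the per-entry `authorize-as` / `authorize-from` restrictions in sudoers.plist are documented as not implemented. Before merging, at least refuse impersonation of admin principals, or enforce the `authorize-as` list, and make sure the real identity survives for auditing: the `log.msg("Allow proxy: ...")` line is the only trace visible here, and whether `authid` is kept on the request after `yield authzPrincipal` is not shown. `isSudoPrincipal` can simply be `return getPrincipalForType('sudoer', authid) is not None`. The enclosing method starts before and ends after this hunk.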
Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py 2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py 2007-01-09 00:33:04 UTC (rev 983)
@@ -45,7 +45,11 @@
from twistedcaldav.config import config, parseConfig, defaultConfig
from twistedcaldav.logging import RotatingFileAccessLoggingObserver
from twistedcaldav.root import RootResource
+from twistedcaldav.resource import CalDAVResource
from twistedcaldav.directory.principal import DirectoryPrincipalProvisioningResource
+from twistedcaldav.directory.aggregate import AggregateDirectoryService
+from twistedcaldav.directory.sudo import SudoDirectoryService
+
from twistedcaldav.static import CalendarHomeProvisioningFile
try:
@@ -146,8 +150,19 @@
# Setup the Directory
#
directoryClass = namedClass(config.DirectoryService['type'])
- directory = directoryClass(**config.DirectoryService['params'])
+ baseDirectory = directoryClass(**config.DirectoryService['params'])
+ sudoDirectory = None
+
+ if config.SudoersFile and os.path.exists(config.SudoersFile):
+ sudoDirectory = SudoDirectoryService(config.SudoersFile)
+ sudoDirectory.realmName = baseDirectory.realmName
+
+ CalDAVResource.sudoDirectory = sudoDirectory
+
+ directory = AggregateDirectoryService((baseDirectory,
+ sudoDirectory))
+
#
# Setup Resource hierarchy
#
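Review bot: When `config.SudoersFile` is empty or the file does not exist, `sudoDirectory` stays `None` but is still handed to `AggregateDirectoryService((baseDirectory, sudoDirectory))`; unless that constructor skips `None` entries (its body is not in this diff), the default sudo-less configuration breaks at startup. A configured-but-missing file is also silently ignored, which hides a misconfiguration of a privileged feature. Build the service tuple conditionally and report the missing file with whatever logging facility tap.py already has in scope.

```python
    baseDirectory = directoryClass(**config.DirectoryService['params'])
    directoryServices = [baseDirectory]
    sudoDirectory = None

    if config.SudoersFile:
        if os.path.exists(config.SudoersFile):
            sudoDirectory = SudoDirectoryService(config.SudoersFile)
            sudoDirectory.realmName = baseDirectory.realmName
            directoryServices.append(sudoDirectory)
        else:
            # TODO: report that SudoersFile is configured but missing
            pass

    CalDAVResource.sudoDirectory = sudoDirectory
    directory = AggregateDirectoryService(tuple(directoryServices))
    # … unchanged: Setup Resource hierarchy …
```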