[CalendarServer-changes] [983] CalendarServer/branches/users/dreid/sudoers-3

source_changes at macosforge.org source_changes at macosforge.org
Mon Jan 8 16:33:04 PST 2007


Revision: 983
          http://trac.macosforge.org/projects/calendarserver/changeset/983
Author:   dreid at apple.com
Date:     2007-01-08 16:33:04 -0800 (Mon, 08 Jan 2007)

Log Message:
-----------
Resolve conflicts

Modified Paths:
--------------
    CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml
    CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml
    CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist
    CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist
    CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch
    CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch
    CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py

Added Paths:
-----------
    CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist
    CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py

Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/accounts-test.xml	2007-01-09 00:33:04 UTC (rev 983)
@@ -24,12 +24,6 @@
     <password>admin</password>
     <name>Super User</name>
   </user>
-  <user>
-    <uid>proxy</uid>
-    <password>proxy</password>
-    <name>User who can authorize as someone else</name>
-    <canproxy/> <!-- FIXME: Is the directory the right place to configure this bit? -->
-  </user>
   <user repeat="99">
     <uid>user%02d</uid>
     <password>user%02d</password>
@@ -52,4 +46,12 @@
     <password>resource%02d</password>
     <name>Resource %02d</name>
   </resource>
+  <group>
+    <uid>group01</uid>
+    <password>group01</password>
+    <name>Group 01</name>
+    <members>
+      <member type="users">user01</member>
+    </members>
+  </group>
 </accounts>

Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/accounts.xml	2007-01-09 00:33:04 UTC (rev 983)
@@ -25,12 +25,6 @@
     <name>Super User</name>
   </user>
   <user>
-    <uid>proxy</uid>
-    <password>proxy</password>
-    <name>User who can authorize as someone else</name>
-    <canproxy/> <!-- FIXME: Is the directory the right place to configure this bit? -->
-  </user>
-  <user>
     <uid>test</uid>
     <password>test</password>
     <name>Test User</name>

Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd-test.plist	2007-01-09 00:33:04 UTC (rev 983)
@@ -191,6 +191,9 @@
   <array>
     <string>/principals/users/admin/</string>
   </array>
+
+  <key>SudoersFile</key>
+  <string>conf/sudoers.plist</string>
   
   <key>ServerType</key>
   <string>singleprocess</string>
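Review bot: `SudoersFile` is given here as the relative path `conf/sudoers.plist`, while the production plist and the config.py default use an absolute `/etc/caldavd/sudoers.plist`. Since tap.py only enables the sudo directory when `os.path.exists(config.SudoersFile)` is true, a relative value is presumably resolved against the process working directory, so starting the test server from another directory silently disables sudo rather than failing. Either document that the path is cwd-relative in a comment next to the key, or make it absolute like the other file references in this plist.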

Modified: CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/caldavd.plist	2007-01-09 00:33:04 UTC (rev 983)
@@ -136,6 +136,9 @@
   <array>
     <string>/principals/users/admin/</string>
   </array>
+
+  <key>SudoersFile</key>
+  <string>/etc/caldavd/sudoers.plist</string>
   <key>ServerType</key>
   <string>singleprocess</string>
   

Copied: CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/conf/sudoers.plist)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist	                        (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/conf/sudoers.plist	2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>users</key>
+<array>
+<!-- Sudo user definitions -->
+<!-- With the exception of username and password none of the following
+     elements are used in the current implementation. -->
+<!--
+  <dict>
+    <key>authorize-as</key>
+    <dict>
+      <key>allow</key>
+      <true/>
+      <key>principals</key>
+      <array>
+	<string>all</string>
+        <string>/principals/user/wsanchez</string>
+      </array>
+    </dict>
+    <key>authorize-from</key>
+    <array>
+      <string>127.0.0.1</string>
+    </array>
+
+    <key>username</key>
+    <string></string>
+
+    <key>password</key>
+    <string></string>
+  </dict>
+-->
+  <dict>
+    <key>username</key>
+    <string>superuser</string>
+    <key>password</key>
+    <string>superuser</string>
+  </dict>
+</array>
+</dict>
+</plist>
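Review bot: The file ships a live default sudoer, `superuser` with password `superuser`, and because config.py now defaults `SudoersFile` to `/etc/caldavd/sudoers.plist` and tap.py enables the sudo directory whenever that path exists, installing this sample unchanged gives a well-known credential the right to authorize as any principal. Ship the `users` array empty (keeping only the commented example) or move the populated sample under the test tree, and add a comment above `<key>users</key>` such as `<!-- Passwords are stored in clear text; this file must be readable only by the server user. -->`. The existing comment already says `authorize-as` and `authorize-from` are not used by the current implementation; it is worth restating plainly that a listed sudoer can therefore authorize as anyone from anywhere until those fields are enforced.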

Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.resource.patch	2007-01-09 00:33:04 UTC (rev 983)
@@ -548,6 +548,19 @@
          # Compare two HRefs and do group membership test as well
          if principal1 == principal2:
              yield True
+@@ -1296,9 +1392,9 @@
+         def testGroup(group):
+             # Get principal resource for principal2
+             if group and isinstance(group, DAVPrincipalResource):
+-                members = group.groupMembers()
+-                if principal1 in members:
+-                    return True
++                for member in group.groupMembers():
++                    if member.principalURL() == principal1:
++                        return True
+                 
+             return False
+ 
 @@ -1426,7 +1522,7 @@
                  log.err("DAV:self ACE is set on non-principal resource %r" % (self,))
                  yield None
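Review bot: The rewritten `testGroup` matches only the direct members returned by `group.groupMembers()`, comparing each member's `principalURL()` with `principal1`; if `groupMembers()` does not expand nested groups, a user who belongs through a sub-group will not match, and nothing in the hunk says whether that is intended. A comment such as `# direct members only; nested groups are not expanded` (or a recursive walk, if nesting is meant to count) would settle it. Whether `principal1` is a plain URL string or an HRef element also decides if `==` against the `principalURL()` string works — the surrounding code says it compares HRefs, so confirm. This is a hunk inside a vendored patch and the enclosing function continues outside it.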

Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_acl.patch	2007-01-09 00:33:04 UTC (rev 983)
@@ -10,7 +10,7 @@
  from twisted.web2.dav.util import davXMLFromStream
  from twisted.web2.dav.auth import TwistedPasswordProperty, IPrincipal, DavRealm, TwistedPropertyChecker, AuthenticationWrapper
  
-@@ -38,6 +39,11 @@
+@@ -38,6 +39,22 @@
  from twisted.web2.dav.test.util import Site, serialize
  from twisted.web2.dav.test.test_resource import TestResource, TestDAVPrincipalResource
  
@@ -18,11 +18,22 @@
 +    def __init__(self, url, children):
 +        DAVPrincipalCollectionResource.__init__(self, url)
 +        TestResource.__init__(self, url, children, principalCollections=(self,))
++    
++    def principalForUser(self, user):
++        return self.principalForShortName('users', user)
 +
++    def principalForShortName(self, type, shortName):
++        typeResource = self.children.get(type, None)
++        user = None
++        if typeResource:
++            user = typeResource.children.get(shortName, None)
++
++        return user
++
  class ACL(twisted.web2.dav.test.util.TestCase):
      """
      RFC 3744 (WebDAV ACL) tests.
-@@ -46,8 +52,14 @@
+@@ -46,8 +63,14 @@
          if not hasattr(self, "docroot"):
              self.docroot = self.mktemp()
              os.mkdir(self.docroot)
@@ -38,7 +49,7 @@
              portal = Portal(DavRealm())
              portal.registerChecker(TwistedPropertyChecker())
  
-@@ -56,26 +68,14 @@
+@@ -56,26 +79,14 @@
              loginInterfaces = (IPrincipal,)
  
              self.site = Site(AuthenticationWrapper(

Modified: CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/lib-patches/Twisted/twisted.web2.dav.test.test_resource.patch	2007-01-09 00:33:04 UTC (rev 983)
@@ -54,12 +54,11 @@
          else:
              return davxml.Principal(davxml.Unauthenticated())
  
-@@ -400,17 +398,23 @@
+@@ -399,18 +397,21 @@
+ 
      def accessControlList(self, request, **kwargs):
          return succeed(self.acl)
-     
-+    def principalForUser(self, user):
-+        return self.children[user]
+-    
  
  class AuthAllResource (TestResource):
 -    """Give Authenticated principals all privileges deny everything else

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/config.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -61,7 +61,9 @@
             'ServicePrincipal': '',
             },
         },
+
     'AdminPrincipals': ['/principals/users/admin/'],
+    'SudoersFile': '/etc/caldavd/sudoers.plist',
 
     'twistdLocation': '/usr/share/caldavd/bin/twistd',
     'pydirLocation': '/usr/share/caldavd/bin/pydir++.py',

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/aggregate.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -103,6 +103,21 @@
         else:
             return None
 
+    userRecordTypes = ['user', 'sudoer']
+
+    def requestAvatarId(self, credentials):
+        for type in self.userRecordTypes:
+            user = self.recordWithShortName(
+                type,
+                credentials.credentials.username)
+
+            if user:
+                return self.serviceForRecordType(
+                    type).requestAvatarId(credentials)
+        
+        raise UnauthorizedLogin("No such user: %s" % (
+                credentials.credentials.username,))
+
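Review bot: When the same shortName exists in both the `user` and `sudoer` record types, the loop in `requestAvatarId` silently resolves it to whichever type comes first in `userRecordTypes`, so an ordinary account can shadow a sudoer and, because resource.py decides sudo status by name alone, the reverse shadowing is also possible; collect the matches for all types and log (or refuse with `UnauthorizedLogin("Ambiguous user: %s" % (username,))`) when more than one record type claims the name. `for type in self.userRecordTypes` shadows the builtin `type`; `recordType` reads better and matches the rest of the module. Whether `recordWithShortName` raises `UnknownRecordTypeError` for a type no backing service provides is outside the hunk, but it matters because tap.py can build the aggregate without a sudo service.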
 class DuplicateRecordTypeError(DirectoryError):
     """
     Duplicate record type.

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/principal.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -87,14 +87,18 @@
         for recordType in self.directory.recordTypes():
             self.putChild(recordType, DirectoryPrincipalTypeResource(self.fp.child(recordType).path, self, recordType))
 
+    def principalForShortName(self, type, name):
+        typeResource = self.getChild(type)
+        if typeResource is None:
+            return None
+        return typeResource.getChild(name)
+
     def principalForUser(self, user):
-        return self.getChild(DirectoryService.recordType_users).getChild(user)
+        return self.principalForShortName(DirectoryService.recordType_users, 
+                                          user)
 
     def principalForRecord(self, record):
-        typeResource = self.getChild(record.recordType)
-        if typeResource is None:
-            return None
-        return typeResource.getChild(record.shortName)
+        return self.principalForShortName(record.recordType, record.shortName)
 
     def _principalForURI(self, uri):
         if uri.startswith(self._url):

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sqldb.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -25,7 +25,7 @@
 
 User Database:
 
-ROW: RECORD_TYPE, SHORT_NAME (unique), PASSWORD, NAME, CAN_PROXY
+ROW: RECORD_TYPE, SHORT_NAME (unique), PASSWORD, NAME
 
 Group Database:
 
@@ -161,13 +161,12 @@
         shortName = record.shortName
         password = record.password
         name = record.name
-        canproxy = ('F', 'T')[record.canproxy]
 
         self._db_execute(
             """
-            insert into ACCOUNTS (RECORD_TYPE, SHORT_NAME, PASSWORD, NAME, CAN_PROXY)
-            values (:1, :2, :3, :4, :5)
-            """, recordType, shortName, password, name, canproxy
+            insert into ACCOUNTS (RECORD_TYPE, SHORT_NAME, PASSWORD, NAME)
+            values (:1, :2, :3, :4)
+            """, recordType, shortName, password, name
         )
         
         # Check for members
@@ -224,8 +223,7 @@
                 RECORD_TYPE  text,
                 SHORT_NAME   text,
                 PASSWORD     text,
-                NAME         text,
-                CAN_PROXY    text(1)
+                NAME         text
             )
             """
         )

Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/sudo.py)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py	                        (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/sudo.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,141 @@
+##
+# Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DRI: David reid, dreid at apple.com
+##
+
+"""
+Directory service implementation for users who are allowed to authorize
+as other principals.
+"""
+
+__all__ = [
+    "SudoDirectoryService",
+]
+
+from twisted.python.filepath import FilePath
+
+from twisted.cred.credentials import (IUsernamePassword, 
+                                      IUsernameHashedPassword)
+
+from twisted.cred.error import UnauthorizedLogin
+
+from twistedcaldav.py.plistlib import readPlist
+from twistedcaldav.directory.directory import (DirectoryService, 
+                                               DirectoryRecord,
+                                               UnknownRecordTypeError)
+
+class SudoDirectoryService(DirectoryService):
+    """
+    L{IDirectoryService} implementation for Sudo users.
+    """
+    baseGUID = "1EE00E46-1885-4DBC-A001-590AFA76A8E3"
+
+    realmName = None
+
+    plistFile = None
+
+    recordType = "sudoer"
+
+    def __repr__(self):
+        return "<%s %r: %r>" % (self.__class__.__name__, self.realmName,
+                                self.plistFile)
+
+    def __init__(self, plistFile):
+        super(SudoDirectoryService, self).__init__()
+
+        if isinstance(plistFile, (unicode, str)):
+            plistFile = FilePath(plistFile)
+            
+        self.plistFile = plistFile
+        self._fileInfo = None
+        self._accounts()
+
+    def _accounts(self):
+        fileInfo = (self.plistFile.getmtime(), self.plistFile.getsize())
+        if fileInfo != self._fileInfo:
+            self._plist = readPlist(self.plistFile.path)
+
+        return self._plist
+
+    def recordTypes(self):
+        return (self.recordType,)
+
+    def _recordForEntry(self, entry):
+        return SudoDirectoryRecord(
+            service=self,
+            recordType=self.recordType,
+            shortName=entry['username'],
+            entry=entry)
+
+
+    def listRecords(self, recordType):
+        if recordType != self.recordType:
+            raise UnknownRecordTypeError(recordType)
+
+        for entry in self._accounts()['users']:
+            yield self._recordForEntry(entry)
+
+    def recordWithShortName(self, recordType, shortName):
+        if recordType != self.recordType:
+            raise UnknownRecordTypeError(recordType)
+
+        for entry in self._accounts()['users']:
+            if entry['username'] == shortName:
+                return self._recordForEntry(entry)
+
+    def requestAvatarId(self, credentials):
+        # FIXME: ?
+        # We were checking if principal is enabled; seems unnecessary in current
+        # implementation because you shouldn't have a principal object for a
+        # disabled directory principal.
+        sudouser = self.recordWithShortName("sudoer", 
+                                            credentials.credentials.username)
+        if sudouser is None:
+            raise UnauthorizedLogin("No such user: %s" % (sudouser,))
+        
+        if sudouser.verifyCredentials(credentials.credentials):
+            return (
+                credentials.authnPrincipal.principalURL(),
+                credentials.authzPrincipal.principalURL(),
+                )
+        else:
+            raise UnauthorizedLogin(
+                "Incorrect credentials for %s" % (sudouser,)) 
+
+
+class SudoDirectoryRecord(DirectoryRecord):
+    """
+    L{DirectoryRecord} implementation for Sudo users.
+    """
+
+    def __init__(self, service, recordType, shortName, entry):
+        super(SudoDirectoryRecord, self).__init__(
+            service=service,
+            recordType=recordType,
+            guid=None,
+            shortName=shortName,
+            fullName=shortName,
+            calendarUserAddresses=set())
+
+        self.password = entry['password']
+
+    def verifyCredentials(self, credentials):
+        if IUsernamePassword.providedBy(credentials):
+            return credentials.checkPassword(self.password)
+        elif IUsernameHashedPassword.providedBy(credentials):
+            return credentials.checkPassword(self.password)
+        
+        return super(SudoDirectoryRecord, self).verifyCredentials(credentials)
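Review bot: `_accounts` never assigns `self._fileInfo`, so the comparison on its second line is always true and the plist is re-read and re-parsed on every call, including once per `recordWithShortName` lookup during authentication; add `self._fileInfo = fileInfo` inside the `if`. In `requestAvatarId` the "No such user" message formats `sudouser`, which is `None` on that path — format `credentials.credentials.username` instead, and use `self.recordType` rather than the literal `"sudoer"` so the two stay in sync. The module docstring should state that the plist holds passwords in clear text and that `verifyCredentials` compares against them directly, so the file's permissions are part of the security boundary; the two `providedBy` branches in `verifyCredentials` do the same thing and can be merged with `or`.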

Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/test/sudoers.plist)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist	                        (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/sudoers.plist	2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>users</key>
+  <array>
+    <dict>
+      <key>authorize-as</key>
+      <dict>
+	<key>allow</key>
+	<true/>
+	<key>principals</key>
+	<array>
+	  <string>all</string>
+	</array>
+      </dict>
+      <key>authorize-from</key>
+      <array>
+	<string>127.0.0.1</string>
+      </array>
+      <key>password</key>
+      <string>alice</string>
+      <key>username</key>
+      <string>alice</string>
+    </dict>
+  </array>
+</dict>
+</plist>

Copied: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py (from rev 980, CalendarServer/branches/users/dreid/sudoers-2/twistedcaldav/directory/test/test_sudo.py)
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py	                        (rev 0)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/test/test_sudo.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -0,0 +1,66 @@
+##
+# Copyright (c) 2005-2006 Apple Computer, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DRI: David Reid, dreid at apple.com
+##
+import os
+
+from twisted.python.filepath import FilePath
+
+import twistedcaldav.directory.test.util
+from twistedcaldav.directory.sudo import SudoDirectoryService
+from twistedcaldav.py.plistlib import writePlist
+
+plistFile = FilePath(os.path.join(os.path.dirname(__file__), "sudoers.plist"))
+
+class SudoTestCase(
+    twistedcaldav.directory.test.util.BasicTestCase,
+    twistedcaldav.directory.test.util.DigestTestCase
+):
+    """
+    Test the Sudo Directory Service
+    """
+
+    recordTypes = set(('sudoer',))
+    recordType = 'sudoer'
+
+    sudoers = {'alice': {'password': 'alice',},
+             }
+
+    def plistFile(self):
+        if not hasattr(self, "_plistFile"):
+            self._plistFile = FilePath(self.mktemp())
+            plistFile.copyTo(self._plistFile)
+        return self._plistFile
+
+    def service(self):
+        service = SudoDirectoryService(self.plistFile())
+        service.realmName = "test realm"
+        return service
+
+    def test_listRecords(self):
+        for record in self.service().listRecords(self.recordType):
+            self.failUnless(record.shortName in self.sudoers)
+            self.assertEqual(self.sudoers[record.shortName]['password'],
+                             record.password)
+
+    def test_recordWithShortName(self):
+        service = self.service()
+
+        record = service.recordWithShortName('sudoer', 'alice')
+        self.assertEquals(record.password, 'alice')
+
+        record = service.recordWithShortName('sudoer', 'bob')
+        self.failIf(record)
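Review bot: The authentication path is untested: `requestAvatarId` and `SudoDirectoryRecord.verifyCredentials` are the security-relevant code in sudo.py, and neither a correct-password, wrong-password nor unknown-user case is covered here. Add a test that a wrong password raises `UnauthorizedLogin` and that a correct one returns the expected principal URL pair, plus one that rewriting the plist with `writePlist` (imported but unused in this file) is picked up by a subsequent lookup, which would also have caught the cache handling in `_accounts`.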

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/directory/xmlaccountsparser.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -44,7 +44,6 @@
 ELEMENT_MEMBERS      = "members"
 ELEMENT_MEMBER       = "member"
 ELEMENT_CUADDR       = "cuaddr"
-ELEMENT_CANPROXY     = "canproxy"
 
 ATTRIBUTE_REALM      = "realm"
 ATTRIBUTE_REPEAT     = "repeat"
@@ -143,7 +142,6 @@
         self.members = set()
         self.groups = set()
         self.calendarUserAddresses = set()
-        self.canproxy = False
 
     def repeat(self, ctr):
         """
@@ -176,7 +174,6 @@
         result.name = name
         result.members = self.members
         result.calendarUserAddresses = calendarUserAddresses
-        result.canproxy = self.canproxy
         return result
 
     def parseXML(self, node):
@@ -198,9 +195,6 @@
             elif child_name == ELEMENT_CUADDR:
                 if child.firstChild is not None:
                     self.calendarUserAddresses.add(child.firstChild.data.encode("utf-8"))
-            elif child_name == ELEMENT_CANPROXY:
-                CalDAVResource.proxyUsers.add(self.shortName)
-                self.canproxy = True
             else:
                 raise RuntimeError("Unknown account attribute: %s" % (child_name,))
 

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/resource.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -73,10 +73,6 @@
     # resources to that size, or C{None} for no limit.
     sizeLimit = None
 
-    # Set containing user ids of all the users who have been given
-    # the right to authorize as someone else.
-    proxyUsers = set()
-
     ##
     # HTTP
     ##
@@ -257,28 +253,42 @@
             # Substitute the authz value for principal look up
             authz = authz[0]
 
-        # See if authenticated uid is a proxy user
-        if authid in CalDAVResource.proxyUsers:
+        def getPrincipalForType(type, name):
+            for collection in self.principalCollections():
+                principal = collection.principalForShortName(type, name)
+                if principal:
+                    return principal
+
+        def isSudoPrincipal(authid):
+            if getPrincipalForType('sudoer', authid):
+                return True
+            return False
+
+        if isSudoPrincipal(authid):
             if authz:
-                if authz in CalDAVResource.proxyUsers:
+                if isSudoPrincipal(authz):
                     log.msg("Cannot proxy as another proxy: user '%s' as user '%s'" % (authid, authz))
-                    raise HTTPError(responsecode.UNAUTHORIZED)
+                    raise HTTPError(responsecode.FORBIDDEN)
                 else:
-                    authzPrincipal = self.findPrincipalForAuthID(authz)
+                    authzPrincipal = getPrincipalForType('group', authz)
 
+                    if not authzPrincipal:
+                        authzPrincipal = self.findPrincipalForAuthID(authz)
+
                     if authzPrincipal is not None:
                         log.msg("Allow proxy: user '%s' as '%s'" % (authid, authz,))
                         yield authzPrincipal
                         return
                     else:
-                        log.msg("Could not find proxy user id: '%s'" % authid)
-                        raise HTTPError(responsecode.UNAUTHORIZED)
+                        log.msg("Could not find authorization user id: '%s'" % 
+                                (authz,))
+                        raise HTTPError(responsecode.FORBIDDEN)
             else:
                 log.msg("Cannot authenticate proxy user '%s' without X-Authorize-As header" % (authid, ))
-                raise HTTPError(responsecode.UNAUTHORIZED)
+                raise HTTPError(responsecode.BAD_REQUEST)
         elif authz:
             log.msg("Cannot proxy: user '%s' as '%s'" % (authid, authz,))
-            raise HTTPError(responsecode.UNAUTHORIZED)
+            raise HTTPError(responsecode.FORBIDDEN)
         else:
             # No proxy - do default behavior
             d = waitForDeferred(super(CalDAVResource, self).authorizationPrincipal(request, authid, authnPrincipal))
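Review bot: `isSudoPrincipal` decides sudo status from the authenticated name alone — whether some principal collection has a `sudoer` record with that shortName — not from which directory service actually verified the credentials, so if an ordinary `user` record shares a name with a sudoer the aggregate may authenticate it as the plain user and this code then lets it proxy as anyone. The record type that matched is known at authentication time; carrying it through on the authn principal (or re-verifying here against the sudoer record) would close that gap, though the change lies outside this hunk. On style, `getPrincipalForType` and `isSudoPrincipal` are re-created as closures on every call and `type` shadows the builtin; making them methods with a `recordType` parameter reads better. The enclosing `authorizationPrincipal` generator continues outside the hunk.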

Modified: CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py
===================================================================
--- CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py	2007-01-09 00:27:29 UTC (rev 982)
+++ CalendarServer/branches/users/dreid/sudoers-3/twistedcaldav/tap.py	2007-01-09 00:33:04 UTC (rev 983)
@@ -45,7 +45,11 @@
 from twistedcaldav.config import config, parseConfig, defaultConfig
 from twistedcaldav.logging import RotatingFileAccessLoggingObserver
 from twistedcaldav.root import RootResource
+from twistedcaldav.resource import CalDAVResource
 from twistedcaldav.directory.principal import DirectoryPrincipalProvisioningResource
+from twistedcaldav.directory.aggregate import AggregateDirectoryService
+from twistedcaldav.directory.sudo import SudoDirectoryService
+
 from twistedcaldav.static import CalendarHomeProvisioningFile
 
 try:
@@ -146,8 +150,19 @@
         # Setup the Directory
         #
         directoryClass = namedClass(config.DirectoryService['type'])
-        directory = directoryClass(**config.DirectoryService['params'])
+        baseDirectory = directoryClass(**config.DirectoryService['params'])
 
+        sudoDirectory = None
+
+        if config.SudoersFile and os.path.exists(config.SudoersFile):
+            sudoDirectory = SudoDirectoryService(config.SudoersFile)
+            sudoDirectory.realmName = baseDirectory.realmName
+
+            CalDAVResource.sudoDirectory = sudoDirectory
+        
+        directory = AggregateDirectoryService((baseDirectory,
+                                               sudoDirectory))
+
         #
         # Setup Resource hierarchy
         #
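Review bot: When `SudoersFile` is unset or the file is absent, `sudoDirectory` stays `None` and is still passed in `AggregateDirectoryService((baseDirectory, sudoDirectory))`; unless the aggregate tolerates `None` services (not visible here), the no-sudo configuration breaks at startup. Build the service tuple conditionally, as below, and consider logging which sudoers file was loaded so the audit trail shows that proxy authorization is enabled on this server. `CalDAVResource.sudoDirectory = sudoDirectory` sets process-wide class state; a comment saying which code reads it would help the next reader.
```python
        directoryServices = [baseDirectory]

        if config.SudoersFile and os.path.exists(config.SudoersFile):
            sudoDirectory = SudoDirectoryService(config.SudoersFile)
            sudoDirectory.realmName = baseDirectory.realmName

            # NOTE(review): process-wide state; document the consumer of this attribute
            CalDAVResource.sudoDirectory = sudoDirectory
            directoryServices.append(sudoDirectory)

        directory = AggregateDirectoryService(tuple(directoryServices))
```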
