[CalendarServer-changes] [1580] CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav

source_changes at macosforge.org source_changes at macosforge.org
Wed May 30 12:58:59 PDT 2007


Revision: 1580
          http://trac.macosforge.org/projects/calendarserver/changeset/1580
Author:   cdaboo at apple.com
Date:     2007-05-30 12:58:59 -0700 (Wed, 30 May 2007)

Log Message:
-----------
Fix for SACL check causing Kerberos auth to fail. Plus optimize SACL check so it only happens once in any one
request.

Modified Paths:
--------------
    CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/extensions.py
    CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/root.py

Modified: CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/extensions.py
===================================================================
--- CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/extensions.py	2007-05-30 17:31:35 UTC (rev 1579)
+++ CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/extensions.py	2007-05-30 19:58:59 UTC (rev 1580)
@@ -24,7 +24,7 @@
     "DAVResource",
     "DAVFile",
     "ReadOnlyResourceMixIn",
-    "SudoAuthIDMixin",
+    "SudoSACLMixin",
 ]
 
 import cPickle as pickle
@@ -49,12 +49,22 @@
 from twistedcaldav.directory.sudo import SudoDirectoryService
 from twistedcaldav.directory.directory import DirectoryService
 
-class SudoAuthIDMixin(object):
+class SudoSACLMixin(object):
     """
     Mixin class to let DAVResource, and DAVFile subclasses below know
     about sudoer principals and how to find their AuthID
     """
 
+    def authenticate(self, request):
+        # Bypass normal authentication if its already been done (by SACL check)
+        if (hasattr(request, "authnUser") and
+            hasattr(request, "authzUser") and
+            request.authnUser is not None and
+            request.authzUser is not None):
+            return (request.authnUser, request.authzUser)
+        else:
+            return super(SudoSACLMixin, self).authenticate(request)
+
     def findPrincipalForAuthID(self, authid):
         """
         Return an authentication and authorization principal identifiers for 
@@ -68,7 +78,7 @@
             if principal is not None:
                 return principal
 
-        return super(SudoAuthIDMixin, self).findPrincipalForAuthID(authid)
+        return super(SudoSACLMixin, self).findPrincipalForAuthID(authid)
 
     def authorizationPrincipal(self, request, authid, authnPrincipal):
         """
@@ -131,7 +141,7 @@
             raise HTTPError(responsecode.FORBIDDEN)
         else:
             # No proxy - do default behavior
-            d = waitForDeferred(super(SudoAuthIDMixin, self).authorizationPrincipal(request, authid, authnPrincipal))
+            d = waitForDeferred(super(SudoSACLMixin, self).authorizationPrincipal(request, authid, authnPrincipal))
             yield d
             yield d.getResult()
             return
@@ -139,8 +149,7 @@
     authorizationPrincipal = deferredGenerator(authorizationPrincipal)
 
 
-
-class DAVResource (SudoAuthIDMixin, SuperDAVResource):
+class DAVResource (SudoSACLMixin, SuperDAVResource):
     """
     Extended L{twisted.web2.dav.resource.DAVResource} implementation.
     """
@@ -335,7 +344,7 @@
             return davxml.ResourceType(davxml.Principal())
 
 
-class DAVFile (SudoAuthIDMixin, SuperDAVFile):
+class DAVFile (SudoSACLMixin, SuperDAVFile):
     """
     Extended L{twisted.web2.dav.static.DAVFile} implementation.
     """

Modified: CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/root.py
===================================================================
--- CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/root.py	2007-05-30 17:31:35 UTC (rev 1579)
+++ CalendarServer/branches/users/cdaboo/sacl-1576/twistedcaldav/root.py	2007-05-30 19:58:59 UTC (rev 1580)
@@ -48,7 +48,7 @@
                 self.useSacls = True
             else:
                 log.msg(("RootResource.CheckSACL is unset but "
-                         "config.EnableSACLs is True, SACLs will not be"
+                         "config.EnableSACLs is True, SACLs will not be "
                          "turned on."))
 
         self.contentFilters = []
@@ -83,6 +83,10 @@
                         request.remoteAddr)))
 
         def _checkSACLCb((authnUser, authzUser)):
+            # Cache the authentication details
+            request.authnUser = authnUser
+            request.authzUser = authzUser
+
             # Figure out the "username" from the davxml.Principal object
             username = authzUser.children[0].children[0].data
             username = username.rstrip('/').split('/')[-1]
@@ -91,6 +95,8 @@
                 log.msg("User '%s' is not enabled with the '%s' SACL" % (username, self.saclService,))
                 return Failure(HTTPError(403))
 
+            # Mark SACL's as having been checked so we can avoid doing it multiple times
+            request.checkedSACL = True
             return True
             
         d = defer.maybeDeferred(self.authenticate, request)
@@ -102,7 +108,7 @@
         for filter in self.contentFilters:
             request.addResponseFilter(filter[0], atEnd=filter[1])
 
-        if self.useSacls:
+        if self.useSacls and not hasattr(request, "checkedSACL"):
             d = self.checkSacl(request)
             d.addCallback(lambda _: super(RootResource, self
                                           ).locateChild(request, segments))

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20070530/1d7f5b3d/attachment.html


More information about the calendarserver-changes mailing list