[CalendarServer-changes] [1876] CalendarServer/branches/users/cdaboo/server2server-1842/ twistedcaldav/schedule_common.py

source_changes at macosforge.org source_changes at macosforge.org
Mon Sep 17 08:40:42 PDT 2007


Revision: 1876
          http://trac.macosforge.org/projects/calendarserver/changeset/1876
Author:   cdaboo at apple.com
Date:     2007-09-17 08:40:41 -0700 (Mon, 17 Sep 2007)

Log Message:
-----------
Fix up some error codes. Make sure we only accept connections from known server domains (do an IP lookup to be sure).

Modified Paths:
--------------
    CalendarServer/branches/users/cdaboo/server2server-1842/twistedcaldav/schedule_common.py

Modified: CalendarServer/branches/users/cdaboo/server2server-1842/twistedcaldav/schedule_common.py
===================================================================
--- CalendarServer/branches/users/cdaboo/server2server-1842/twistedcaldav/schedule_common.py	2007-09-13 19:55:50 UTC (rev 1875)
+++ CalendarServer/branches/users/cdaboo/server2server-1842/twistedcaldav/schedule_common.py	2007-09-17 15:40:41 UTC (rev 1876)
@@ -51,7 +51,9 @@
 from twistedcaldav.servertoserver import ServerToServer
 from twistedcaldav.servertoserver import ServerToServerRequest
 
+import itertools
 import md5
+import socket
 import time
 
 class Scheduler(object):
@@ -366,11 +368,19 @@
             if not server:
                 # Cannot do server-to-server for this recipient.
                 err = HTTPError(ErrorResponse(responsecode.NOT_FOUND, (caldav_namespace, "recipient-allowed")))
-                responses.add(recipient.cuaddr, Failure(exc_value=err), reqstatus="3.7;Invalid Calendar User")
+                responses.add(recipient.cuaddr, Failure(exc_value=err), reqstatus="5.3;No scheduling support for user")
             
                 # Process next recipient
                 continue
             
+            if not server.allow_to:
+                # Cannot do server-to-server outgoing requests for this server.
+                err = HTTPError(ErrorResponse(responsecode.NOT_FOUND, (caldav_namespace, "recipient-allowed")))
+                responses.add(recipient.cuaddr, Failure(exc_value=err), reqstatus="5.1;Service unavailable")
+            
+                # Process next recipient
+                continue
+            
             groups.setdefault(server, []).append(recipient)
         
         if len(groups) == 0:
@@ -691,13 +701,34 @@
         Check the validity of the Originator header.
         """
     
-        # For remote requests we do not allow the originator to be a local user or one within our domain
+        # For remote requests we do not allow the originator to be a local user or one within our domain.
         originator_principal = self.resource.principalForCalendarUserAddress(self.originator)
         if originator_principal or self.isCalendarUserAddressInMyDomain(self.originator):
             log.err("Cannot use originator that is on this server: %s" % (self.originator,))
             raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
         else:
             self.originator = Scheduler.RemoteCalendarUser(self.originator)
+            
+        # We will only accept originator in known domains.
+        servermgr = ServerToServer()
+        server = servermgr.mapDomain(self.originator.domain)
+        if not server or not server.allow_from:
+            log.err("Originator not on recognized server: %s" % (self.originator,))
+            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
+        else:
+            # Get the request IP and map to hostname.
+            clientip = self.request.remoteAddr.host
+            
+            # First compare as dotted IP
+            if clientip != server.host:
+                # Now do hostname lookup
+                host, aliases, _ignore_ips = socket.gethostbyaddr(clientip)
+                for host in itertools.chain((host,), aliases):
+                    if host == server.host:
+                        break
+                else:
+                    log.err("Originator not on allowed server: %s" % (self.originator,))
+                    raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
 
     @deferredGenerator
     def checkRecipients(self):
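Review bot: The hostname fallback at `host, aliases, _ignore_ips = socket.gethostbyaddr(clientip)` authenticates the peer with a reverse (PTR) lookup, and the PTR record for an address is published by whoever operates that address's network, so a name that matches `server.host` there does not establish that the connection came from the configured server; the check should forward-resolve the configured host and require `clientip` to be among its addresses, as sketched below. `socket.gethostbyaddr` also raises `socket.herror` when the address has no PTR record, which in the new code escapes as an unhandled exception rather than the FORBIDDEN the neighbouring branches return. Both lookups are blocking; if this method runs on the reactor thread (the file uses Twisted's `@deferredGenerator`), a slow resolver stalls every other request, which deserves at least a comment. The enclosing method begins before this hunk; with the rewrite the `import itertools` added in the first hunk becomes unused, and the confusing rebinding of `host` as the loop variable disappears with it.

```python
            # First compare as dotted IP
            if clientip != server.host:
                # Forward-resolve the configured host and require the peer address to be one
                # of its addresses; a reverse (PTR) lookup alone would trust a record published
                # by the peer's own network, and a failed lookup must deny rather than error out.
                try:
                    _ignore_name, _ignore_aliases, server_ips = socket.gethostbyname_ex(server.host)
                except socket.error:
                    server_ips = ()
                if clientip not in server_ips:
                    log.err("Originator not on allowed server: %s" % (self.originator,))
                    raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
```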
@@ -817,7 +848,7 @@
         """
         @param xml_responses: an interable of davxml.Response objects.
         @param location:      the value of the location header to return in the response,
-                              or None.
+            or None.
         """
 
         Response.__init__(self, code=responsecode.OK,
@@ -847,7 +878,7 @@
     def setLocation(self, location):
         """
         @param location:      the value of the location header to return in the response,
-                              or None.
+            or None.
         """
         self.location = location
 
