[CalendarServer-changes] [2572] CalendarServer/trunk
Tue Jun 17 11:19:43 PDT 2008
Revision: 2572
http://trac.macosforge.org/projects/calendarserver/changeset/2572
Author: wsanchez at apple.com
Date: 2008-06-17 11:19:42 -0700 (Tue, 17 Jun 2008)
Log Message:
-----------
Merge http://svn.calendarserver.org/repository/calendarserver/CalendarServer/branches/users/wsanchez/fixed-acls.
Root resource ACLs are now determined by the config object rather than via dead properties.
Modified Paths:
--------------
CalendarServer/trunk/conf/caldavd-test.plist
CalendarServer/trunk/conf/caldavd.plist
CalendarServer/trunk/support/Makefile.Apple
CalendarServer/trunk/support/submit
CalendarServer/trunk/twistedcaldav/config.py
CalendarServer/trunk/twistedcaldav/root.py
CalendarServer/trunk/twistedcaldav/tap.py
Modified: CalendarServer/trunk/conf/caldavd-test.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-test.plist 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/conf/caldavd-test.plist 2008-06-17 18:19:42 UTC (rev 2572)
@@ -195,7 +195,11 @@
<key>EnableProxyPrincipals</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadRoot</key>
+ <true/>
+
<!--
Authentication
-->
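Review bot: The new `EnableAnonymousReadRoot` comment says what `true` does but not what `false` does, and the same comment appears in caldavd.plist and in the config.py default. Per the new config.py code the key only switches the principal of the root read ACE between DAV:all and DAV:authenticated; `true` keeps the unconditional anonymous read that the removed tap.py code granted. Suggested comment for both plists: `<!-- Grant DAV:read on the root resource to everyone (true) or to authenticated users only (false) -->`, and for the config.py default `# Grant DAV:read on / to DAV:all; False restricts it to DAV:authenticated`.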
Modified: CalendarServer/trunk/conf/caldavd.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd.plist 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/conf/caldavd.plist 2008-06-17 18:19:42 UTC (rev 2572)
@@ -147,7 +147,11 @@
<key>EnableProxyPrincipals</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadRoot</key>
+ <true/>
+
<!--
Authentication
-->
Modified: CalendarServer/trunk/support/Makefile.Apple
===================================================================
--- CalendarServer/trunk/support/Makefile.Apple 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/support/Makefile.Apple 2008-06-17 18:19:42 UTC (rev 2572)
@@ -105,7 +105,7 @@
$(_v) cd $(BuildDirectory)/Twisted && $(TwistedSubEnvironment) $(PYTHON) twisted/web2/topfiles/setup.py install $(PY_INSTALL_FLAGS)
$(_v) for so in $$(find "$(DSTROOT)$(SHAREDIR)/caldavd/lib" -type f -name '*.so'); do $(STRIP) -Sx "$${so}"; done
$(_v) for f in $$(find "$(DSTROOT)$(ETCDIR)" -type f ! -name '*.default'); do cp "$${f}" "$${f}.default"; done
- $(_v) for f in $$(find "$(DSTROOT)$(SHAREDIR)/caldavd/lib/python/twisted/plugins/" -type f ! -name 'caldav.*' ! -name '__init__.*'); do rm "$${f}"; done
+ $(_v) for f in $$(find "$(DSTROOT)$(SHAREDIR)/caldavd/lib/python/twisted/plugins/" -type f ! -name 'caldav.*' ! -name 'twisted_reactors.*' ! -name 'twisted_trial.*' ! -name '__init__.*'); do rm "$${f}"; done
$(_v) rm -rf "$(DSTROOT)$(SHAREDIR)/caldavd/lib/python/twisted/python/zsh"
$(_v) rm -f "$(DSTROOT)$(SHAREDIR)/caldavd/lib/python/twisted/python/zshcomp.py"
$(_v) rm -f "$(DSTROOT)$(SHAREDIR)/caldavd/lib/python/twisted/python/zshcomp.py"
Modified: CalendarServer/trunk/support/submit
===================================================================
--- CalendarServer/trunk/support/submit 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/support/submit 2008-06-17 18:19:42 UTC (rev 2572)
@@ -118,7 +118,7 @@
echo "Copying ${src}...";
ignores="$(mktemp -t CalendarServer_ignores)";
svn st --no-ignore | sed -n -e 's|^I......||p' > "${ignores}";
- rsync -av --exclude=".svn" --exclude-from="${ignores}" "${src}/" "${wc}";
+ rsync -av --exclude=".svn" --exclude="_trial_temp" --exclude-from="${ignores}" "${src}/" "${wc}";
rm "${ignores}";
else
echo "";
Modified: CalendarServer/trunk/twistedcaldav/config.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/config.py 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/twistedcaldav/config.py 2008-06-17 18:19:42 UTC (rev 2572)
@@ -17,6 +17,8 @@
import os
import copy
+from twisted.web2.dav import davxml
+from twisted.web2.dav.resource import TwistedACLInheritable
from twistedcaldav.py.plistlib import readPlist
from twistedcaldav.log import Logger
@@ -87,6 +89,7 @@
"AdminPrincipals": [], # Principals with "DAV:all" access (relative URLs)
"SudoersFile": "/etc/caldavd/sudoers.plist", # Principals that can pose as other principals
"EnableProxyPrincipals": True, # Create "proxy access" principals
+ "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
#
# Authentication
@@ -236,6 +239,9 @@
return str(self._data)
def update(self, items):
+ #
+ # Special handling for directory services configs
+ #
dsType = items.get("DirectoryService", {}).get("type", None)
if dsType is None:
dsType = self._data["DirectoryService"]["type"]
@@ -261,6 +267,36 @@
del self._data["DirectoryService"]["params"][param]
#
+ # Root ACL, derived from AdminPrincipals
+ #
+ if self.EnableAnonymousReadRoot:
+ rootReader = davxml.All()
+ else:
+ rootReader = davxml.Authenticated()
+
+ aces = [
+ # Read access for authenticated users.
+ davxml.ACE(
+ davxml.Principal(rootReader),
+ davxml.Grant(davxml.Privilege(davxml.Read())),
+ davxml.Protected(),
+ ),
+ ]
+
+ # FIXME: This should be added to calendar homes, not above.
+ for principal in config.AdminPrincipals:
+ aces.append(
+ davxml.ACE(
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(davxml.Privilege(davxml.All())),
+ davxml.Protected(),
+ TwistedACLInheritable(),
+ )
+ )
+
+ self.rootACL = davxml.ACL(*aces)
+
+ #
# FIXME: Use the config object instead of doing this here
#
from twistedcaldav.resource import CalendarPrincipalResource
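Review bot: The loop reads `config.AdminPrincipals` from the module-level singleton while the branch just above reads `self.EnableAnonymousReadRoot`, so an `update()` call on any Config instance other than the singleton (or one made before the module-level `config` is bound) would build the root ACL from the wrong object's admin list; it should be `for principal in self.AdminPrincipals:`. The comment `# Read access for authenticated users.` is only true in the else branch, since the ACE principal is `davxml.All()` when EnableAnonymousReadRoot is set; suggest `# Read access for everyone or for authenticated users, per EnableAnonymousReadRoot.`. The removed tap.py code logged each principal granted DAV:all on the root, and the new loop is silent; if config.py has a module logger, a `log.info("Added %s as admin principal" % (principal,))` inside the loop would keep that record. `update()` begins and ends outside this hunk.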
Modified: CalendarServer/trunk/twistedcaldav/root.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/root.py 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/twistedcaldav/root.py 2008-06-17 18:19:42 UTC (rev 2572)
@@ -14,7 +14,12 @@
# limitations under the License.
##
-from twisted.internet import defer
+__all__ = [
+ "RootACLMixIn",
+ "RootResource",
+]
+
+from twisted.internet.defer import maybeDeferred, succeed
from twisted.python.failure import Failure
from twisted.cred.error import LoginFailed, UnauthorizedLogin
@@ -34,13 +39,17 @@
log = Logger()
-def addConnectionClose(request, response):
- response.headers.setHeader('connection', ('close',))
- request.chanRequest.channel.setReadPersistent(False)
- return response
+class RootACLMixIn (object):
+ def defaultAccessControlList(self):
+ return config.rootACL
-class RootResource(DAVFile):
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
+
+class RootResource (RootACLMixIn, DAVFile):
"""
A special root resource that contains support checking SACLs
as well as adding responseFilters.
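Review bot: `RootACLMixIn.accessControlList` accepts `inheritance`, `expanding` and `inherited_aces` but ignores all three, and the comment explaining why has a typo ("inherritance"); suggest `# The root ACL comes from config.rootACL and is fixed; inheritance, expanding and inherited_aces are intentionally ignored.`. Because `defaultAccessControlList` reads `config.rootACL` on every call, a later `config.update()` that recomputes `rootACL` is presumably picked up without a restart, which is worth stating in a docstring on the mixin. Any ACL previously stored as a dead property on the root (as the removed tap.py `setAccessControlList` call did) is no longer consulted by this override, so the docstring should also say that the dead property is ignored rather than merged.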
@@ -75,6 +84,10 @@
self.contentFilters.append((gzip.gzipfilter, True))
if not config.EnableKeepAlive:
+ def addConnectionClose(request, response):
+ response.headers.setHeader('connection', ('close',))
+ request.chanRequest.channel.setReadPersistent(False)
+ return response
self.contentFilters.append((addConnectionClose, True))
@@ -134,7 +147,7 @@
d.addCallback(_checkedSACLCb)
return d
- d = defer.maybeDeferred(self.authenticate, request)
+ d = maybeDeferred(self.authenticate, request)
d.addCallbacks(_authCb, _authEb)
d.addCallback(_checkSACLCb)
return d
@@ -185,7 +198,7 @@
if request.method == 'PROPFIND' and not getattr(
request, 'notInCache', False):
- d = defer.maybeDeferred(self.authenticate, request)
+ d = maybeDeferred(self.authenticate, request)
d.addCallbacks(_authCb, _authEb)
d.addCallback(_getCachedResource, request)
d.addErrback(_resourceNotInCacheEb)
Modified: CalendarServer/trunk/twistedcaldav/tap.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/tap.py 2008-06-17 17:56:11 UTC (rev 2571)
+++ CalendarServer/trunk/twistedcaldav/tap.py 2008-06-17 18:19:42 UTC (rev 2572)
@@ -34,8 +34,6 @@
from twisted.cred.portal import Portal
from twisted.web2.dav import auth
-from twisted.web2.dav import davxml
-from twisted.web2.dav.resource import TwistedACLInheritable
from twisted.web2.auth.basic import BasicCredentialFactory
from twisted.web2.channel import http
@@ -518,7 +516,7 @@
root.putChild('principals', principalCollection)
root.putChild('calendars', calendarCollection)
- # Timezone service is optional
+ # Timezone service is optional
if config.EnableTimezoneService:
timezoneService = self.timezoneServiceResourceClass(
os.path.join(config.DocumentRoot, "timezones"),
@@ -526,35 +524,6 @@
)
root.putChild('timezones', timezoneService)
- # Configure default ACLs on the root resource
-
- log.info("Setting up default ACEs on root resource")
-
- rootACEs = [
- davxml.ACE(
- davxml.Principal(davxml.All()),
- davxml.Grant(davxml.Privilege(davxml.Read())),
- ),
- ]
-
- log.info("Setting up AdminPrincipals")
-
- for principal in config.AdminPrincipals:
- log.info("Added %s as admin principal" % (principal,))
-
- rootACEs.append(
- davxml.ACE(
- davxml.Principal(davxml.HRef(principal)),
- davxml.Grant(davxml.Privilege(davxml.All())),
- davxml.Protected(),
- TwistedACLInheritable(),
- )
- )
-
- log.info("Setting root ACL")
-
- root.setAccessControlList(davxml.ACL(*rootACEs))
-
#
# Configure ancillary data
#