[CalendarServer-changes] [2943] CalendarServer/branches/users/cdaboo/byebye-serviceslocator-2937/ twistedcaldav/directory/appleopendirectory.py

source_changes at macosforge.org source_changes at macosforge.org
Sat Sep 6 13:02:50 PDT 2008 

Revision: 2943
          http://trac.macosforge.org/projects/calendarserver/changeset/2943
Author:   cdaboo at apple.com
Date:     2008-09-06 13:02:50 -0700 (Sat, 06 Sep 2008)
Log Message:
-----------
Change SACL and nested group logic.

Modified Paths:
--------------
    CalendarServer/branches/users/cdaboo/byebye-serviceslocator-2937/twistedcaldav/directory/appleopendirectory.py

Modified: CalendarServer/branches/users/cdaboo/byebye-serviceslocator-2937/twistedcaldav/directory/appleopendirectory.py
===================================================================
--- CalendarServer/branches/users/cdaboo/byebye-serviceslocator-2937/twistedcaldav/directory/appleopendirectory.py	2008-09-06 16:54:18 UTC (rev 2942)
+++ CalendarServer/branches/users/cdaboo/byebye-serviceslocator-2937/twistedcaldav/directory/appleopendirectory.py	2008-09-06 20:02:50 UTC (rev 2943)
@@ -92,9 +92,6 @@
         self._records = {}
         self._delayedCalls = set()
 
-        self.doSACLs = config.EnableSACLs
-        self.SACLwasEnabled = False
-
         if dosetup:
             for recordType in self.recordTypes():
                 self.recordsForType(recordType)
@@ -115,7 +112,7 @@
             h = (h + hash(getattr(self, attr))) & sys.maxint
         return h
 
-    def _expandGroupMembership(self, members, nestedGroups, processedGUIDs=None):
+    def _expandGroupMembership(self, members, nestedGroups, processedGUIDs=None, returnGroups=False):
 
         if processedGUIDs is None:
             processedGUIDs = set()
@@ -162,11 +159,14 @@
             group = result[0][1]
 
             processedGUIDs.add(groupGUID)
+            if returnGroups:
+                yield groupGUID
 
             for GUID in self._expandGroupMembership(
                 group.get(dsattributes.kDSNAttrGroupMembers, []),
                 group.get(dsattributes.kDSNAttrNestedGroups, []),
-                processedGUIDs
+                processedGUIDs,
+                returnGroups,
             ):
                 yield GUID
 
@@ -339,15 +339,7 @@
             # Determine enabled state
             enabledForCalendaring = True
 
-            if self.doSACLs and self.SACLwasEnabled and recordType == DirectoryService.recordType_users:
-                # We have already filtered based on allowed GUIDs
-                enabledForCalendaring = True
-
-            elif not self.restrictEnabledRecords:
-                # Enable everything
-                enabledForCalendaring = True
-            
-            elif self.restrictedGUIDs is not None:
+            if self.restrictEnabledRecords and self.restrictedGUIDs is not None:
                 enabledForCalendaring = recordGUID in self.restrictedGUIDs
 
             if not enabledForCalendaring:
@@ -522,17 +514,9 @@
         else:
             raise UnknownRecordTypeError("Unknown Open Directory record type: %s" % (recordType))
 
-        # Query policy:
-        #
-        # For Users - always check for SACL and use that to determine enabled users
-        #             if no SACL then do same processing as for other types
-        #
-        # Other types - load all records. If restricted access is in place, load the
-        #               group membership for the restricted group and enable those users
-        #               in the group
-
-        processed = False
-        if self.doSACLs and recordType == DirectoryService.recordType_users:
+        # First see if SACL is enabled and if so only allow users in the SACL group
+        # to be valid user records.
+        if config.EnableSACLs and recordType == DirectoryService.recordType_users:
             if shortName is None and guid is None:
                 self.log_debug("Doing SACL membership check")
                 self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
@@ -555,7 +539,6 @@
                 )
 
                 if len(results) == 1:
-                    self.SACLwasEnabled = True
                     members      = results[0][1].get(dsattributes.kDSNAttrGroupMembers, [])
                     nestedGroups = results[0][1].get(dsattributes.kDSNAttrNestedGroups, [])
     
@@ -572,12 +555,13 @@
     
                     query = dsquery.expression(dsquery.expression.OR, guidQueries)
                     self.log_debug("Got %d SACL members" % (len(guidQueries),))
-                    processed = True
                 else:
-                    self.SACLwasEnabled = False
                     self.log_debug("SACL not enabled for calendar service")
         
-        if not processed and self.restrictEnabledRecords and self.restrictedGUIDs is None:
+        # If restricting enabled records, then make sure the restricted group member
+        # details are loaded. Do nested group expansion and include the nested groups
+        # as enabled records too.
+        if self.restrictEnabledRecords and self.restrictedGUIDs is None:
 
             attributeToMatch = dsattributes.kDS1AttrGeneratedUID if self.restrictToGroupGUID else dsattributes.kDSNAttrRecordName 
             valueToMatch = self.restrictToGroupGUID if self.restrictToGroupGUID else self.restrictToGroupName
@@ -609,9 +593,7 @@
                 members = []
                 nestedGroups = []
 
-            self.restrictedGUIDs = set()
-            for expanded_guid in self._expandGroupMembership(members, nestedGroups):
-                self.restrictedGUIDs.add(expanded_guid)
+            self.restrictedGUIDs = set(self._expandGroupMembership(members, nestedGroups, returnGroups=True))
             self.log_debug("Got %d restricted group members" % (len(self.restrictedGUIDs),))
 
         if shortName is not None:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20080906/4ec70169/attachment-0001.html

More information about the calendarserver-changes mailing list