[CalendarServer-changes] [4201] CalendarServer/trunk/twistedcaldav/directory
source_changes at macosforge.org
source_changes at macosforge.org
Wed May 6 23:45:44 PDT 2009
Revision: 4201
http://trac.macosforge.org/projects/calendarserver/changeset/4201
Author: sagen at apple.com
Date: 2009-05-06 23:45:44 -0700 (Wed, 06 May 2009)
Log Message:
-----------
Left off the extension
Added Paths:
-----------
CalendarServer/trunk/twistedcaldav/directory/appleopendirectory.py
Removed Paths:
-------------
CalendarServer/trunk/twistedcaldav/directory/appleopendirectory
Deleted: CalendarServer/trunk/twistedcaldav/directory/appleopendirectory
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/appleopendirectory 2009-05-07 06:43:32 UTC (rev 4200)
+++ CalendarServer/trunk/twistedcaldav/directory/appleopendirectory 2009-05-07 06:45:44 UTC (rev 4201)
@@ -1,932 +0,0 @@
-##
-# Copyright (c) 2006-2009 Apple Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##
-
-"""
-Apple Open Directory directory service implementation.
-"""
-
-__all__ = [
- "OpenDirectoryService",
- "OpenDirectoryInitError",
-]
-
-import sys
-import time
-from uuid import UUID
-
-from twext.python.plistlib import readPlistFromString
-
-from xml.parsers.expat import ExpatError
-
-import opendirectory
-import dsattributes
-import dsquery
-
-from twisted.internet.threads import deferToThread
-from twisted.cred.credentials import UsernamePassword
-from twisted.web2.auth.digest import DigestedCredentials
-from twistedcaldav.config import config
-
-from twistedcaldav.directory.cachingdirectory import CachingDirectoryService,\
- CachingDirectoryRecord
-from twistedcaldav.directory.directory import DirectoryService, DirectoryRecord
-from twistedcaldav.directory.directory import DirectoryError, UnknownRecordTypeError
-from twistedcaldav.directory.principal import cuAddressConverter
-
-class OpenDirectoryService(CachingDirectoryService):
- """
- Open Directory implementation of L{IDirectoryService}.
- """
- baseGUID = "891F8321-ED02-424C-BA72-89C32F215C1E"
-
- def __repr__(self):
- return "<%s %r: %r>" % (self.__class__.__name__, self.realmName, self.node)
-
- def __init__(
- self,
- node="/Search",
- restrictEnabledRecords=False,
- restrictToGroup="",
- dosetup=True,
- cacheTimeout=30
- ):
- """
- @param node: an OpenDirectory node name to bind to.
- @param restrictEnabledRecords: C{True} if a group in the directory is to be used to determine
- which calendar users are enabled.
- @param restrictToGroup: C{str} guid or name of group used to restrict enabled users.
- @param dosetup: if C{True} then the directory records are initialized,
- if C{False} they are not.
- This should only be set to C{False} when doing unit tests.
- @param cacheTimeout: C{int} number of minutes before cache is invalidated.
- """
-
- super(OpenDirectoryService, self).__init__(cacheTimeout)
-
- try:
- directory = opendirectory.odInit(node)
- except opendirectory.ODError, e:
- self.log_error("Open Directory (node=%s) Initialization error: %s" % (node, e))
- raise
-
- self.realmName = node
- self.directory = directory
- self.node = node
- self.restrictEnabledRecords = restrictEnabledRecords
- self.restrictToGroup = restrictToGroup
- try:
- UUID(self.restrictToGroup)
- except:
- self.restrictToGUID = False
- else:
- self.restrictToGUID = True
- self.restrictedGUIDs = None
- self.restrictedTimestamp = 0
- self._records = {}
- self._delayedCalls = set()
-
- def __cmp__(self, other):
- if not isinstance(other, DirectoryRecord):
- return super(DirectoryRecord, self).__eq__(other)
-
- for attr in ("directory", "node"):
- diff = cmp(getattr(self, attr), getattr(other, attr))
- if diff != 0:
- return diff
- return 0
-
- def __hash__(self):
- h = hash(self.__class__)
- for attr in ("directory", "node"):
- h = (h + hash(getattr(self, attr))) & sys.maxint
- return h
-
- def _expandGroupMembership(self, members, nestedGroups, processedGUIDs=None, returnGroups=False):
-
- if processedGUIDs is None:
- processedGUIDs = set()
-
- if isinstance(members, str):
- members = [members]
-
- if isinstance(nestedGroups, str):
- nestedGroups = [nestedGroups]
-
- for memberGUID in members:
- if memberGUID not in processedGUIDs:
- processedGUIDs.add(memberGUID)
- yield memberGUID
-
- for groupGUID in nestedGroups:
- if groupGUID in processedGUIDs:
- continue
-
- self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
- self.directory,
- dsattributes.kDS1AttrGeneratedUID,
- groupGUID,
- dsattributes.eDSExact,
- False,
- dsattributes.kDSStdRecordTypeGroups,
- [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups]
- ))
- result = opendirectory.queryRecordsWithAttribute_list(
- self.directory,
- dsattributes.kDS1AttrGeneratedUID,
- groupGUID,
- dsattributes.eDSExact,
- False,
- dsattributes.kDSStdRecordTypeGroups,
- [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups]
- )
-
- if not result:
- self.log_error("Couldn't find group %s when trying to expand nested groups."
- % (groupGUID,))
- continue
-
- group = result[0][1]
-
- processedGUIDs.add(groupGUID)
- if returnGroups:
- yield groupGUID
-
- for GUID in self._expandGroupMembership(
- group.get(dsattributes.kDSNAttrGroupMembers, []),
- group.get(dsattributes.kDSNAttrNestedGroups, []),
- processedGUIDs,
- returnGroups,
- ):
- yield GUID
-
- def _calendarUserAddresses(self, recordType, recordData):
- """
- Extract specific attributes from the directory record for use as calendar user address.
-
- @param recordData: a C{dict} containing the attributes retrieved from the directory.
- @return: a C{set} of C{str} for each expanded calendar user address.
- """
- # Now get the addresses
- result = set()
-
- # Add each email address as a mailto URI
- emails = recordData.get(dsattributes.kDSNAttrEMailAddress)
- if emails is not None:
- if isinstance(emails, str):
- emails = [emails]
- for email in emails:
- result.add("mailto:%s" % (email.lower(),))
-
- return result
-
- def recordTypes(self):
- return (
- self.recordType_users,
- self.recordType_groups,
- self.recordType_locations,
- self.recordType_resources,
- )
-
- def groupsForGUID(self, guid):
-
- attrs = [
- dsattributes.kDS1AttrGeneratedUID,
- ]
-
- recordType = dsattributes.kDSStdRecordTypeGroups
-
- guids = set()
-
- query = dsquery.match(dsattributes.kDSNAttrGroupMembers, guid, dsattributes.eDSExact)
- try:
- self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- recordType,
- attrs,
- ))
- results = opendirectory.queryRecordsWithAttribute_list(
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- recordType,
- attrs,
- )
- except opendirectory.ODError, ex:
- self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
- raise
-
- for (_ignore_recordShortName, value) in results:
-
- # Now get useful record info.
- recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
- if recordGUID:
- guids.add(recordGUID)
-
- query = dsquery.match(dsattributes.kDSNAttrNestedGroups, guid, dsattributes.eDSExact)
- try:
- self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- recordType,
- attrs,
- ))
- results = opendirectory.queryRecordsWithAttribute_list(
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- recordType,
- attrs,
- )
- except opendirectory.ODError, ex:
- self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
- raise
-
- for (_ignore_recordShortName, value) in results:
-
- # Now get useful record info.
- recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
- if recordGUID:
- guids.add(recordGUID)
-
- return guids
-
- def proxiesForGUID(self, recordType, guid):
-
- # Lookup in index
- try:
- # TODO:
- return ()
- except KeyError:
- return ()
-
- def readOnlyProxiesForGUID(self, recordType, guid):
-
- # Lookup in index
- try:
- # TODO:
- return ()
- except KeyError:
- return ()
-
- _ODFields = {
- 'fullName' : {
- 'odField' : dsattributes.kDS1AttrDistinguishedName,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- dsattributes.kDSStdRecordTypeGroups,
- dsattributes.kDSStdRecordTypePlaces,
- dsattributes.kDSStdRecordTypeResources,
- ]),
- },
- 'firstName' : {
- 'odField' : dsattributes.kDS1AttrFirstName,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- ]),
- },
- 'lastName' : {
- 'odField' : dsattributes.kDS1AttrLastName,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- ]),
- },
- 'emailAddresses' : {
- 'odField' : dsattributes.kDSNAttrEMailAddress,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- dsattributes.kDSStdRecordTypeGroups,
- ]),
- },
- 'recordName' : {
- 'odField' : dsattributes.kDSNAttrRecordName,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- dsattributes.kDSStdRecordTypeGroups,
- dsattributes.kDSStdRecordTypePlaces,
- dsattributes.kDSStdRecordTypeResources,
- ]),
- },
- 'guid' : {
- 'odField' : dsattributes.kDS1AttrGeneratedUID,
- 'appliesTo' : set([
- dsattributes.kDSStdRecordTypeUsers,
- dsattributes.kDSStdRecordTypeGroups,
- dsattributes.kDSStdRecordTypePlaces,
- dsattributes.kDSStdRecordTypeResources,
- ]),
- },
- }
-
- _toODRecordTypes = {
- DirectoryService.recordType_users :
- dsattributes.kDSStdRecordTypeUsers,
- DirectoryService.recordType_locations :
- dsattributes.kDSStdRecordTypePlaces,
- DirectoryService.recordType_groups :
- dsattributes.kDSStdRecordTypeGroups,
- DirectoryService.recordType_resources :
- dsattributes.kDSStdRecordTypeResources,
- }
-
- _fromODRecordTypes = dict([(b, a) for a, b in _toODRecordTypes.iteritems()])
-
-
- def recordsMatchingFields(self, fields, operand="or", recordType=None):
-
- # Note that OD applies case-sensitivity globally across the entire
- # query, not per expression, so the current code uses whatever is
- # specified in the last field in the fields list
-
- def collectResults(results):
- self.log_info("Got back %d records from OD" % (len(results),))
- for key, val in results.iteritems():
- self.log_debug("OD result: %s %s" % (key, val))
- try:
- guid = val[dsattributes.kDS1AttrGeneratedUID]
- record = self.recordWithGUID(guid)
- if record:
- yield record
- except KeyError:
- pass
-
- def multiQuery(directory, queries, attrs, operand):
- results = {}
-
- for query, recordTypes in queries.iteritems():
- if not query:
- continue
-
- expressions = []
- for ODField, value, caseless, matchType in query:
- if matchType == "starts-with":
- comparison = dsattributes.eDSStartsWith
- elif matchType == "contains":
- comparison = dsattributes.eDSContains
- else:
- comparison = dsattributes.eDSExact
- expressions.append(dsquery.match(ODField, value, comparison))
-
- complexExpression = dsquery.expression(operand, expressions).generate()
-
- self.log_info("Calling OD: Types %s, Operand %s, Caseless %s, %s" %
- (recordTypes, operand, caseless, complexExpression))
-
- results.update(
- opendirectory.queryRecordsWithAttributes(
- directory,
- complexExpression,
- caseless,
- recordTypes,
- attrs,
- )
- )
-
- return results
-
-
- operand = (dsquery.expression.OR if operand == "or"
- else dsquery.expression.AND)
-
- if recordType is None:
- # The client is looking for records in any of the four types
- recordTypes = set(self._toODRecordTypes.values())
- else:
- # The client is after only one recordType
- recordTypes = [self._toODRecordTypes[recordType]]
-
- queries = buildQueries(recordTypes, fields, self._ODFields)
-
- deferred = deferToThread(
- multiQuery,
- self.directory,
- queries,
- [ dsattributes.kDS1AttrGeneratedUID ],
- operand
- )
- deferred.addCallback(collectResults)
- return deferred
-
-
- def queryDirectory(self, recordTypes, indexType, indexKey):
-
- attrs = [
- dsattributes.kDS1AttrGeneratedUID,
- dsattributes.kDSNAttrRecordName,
- dsattributes.kDSNAttrAltSecurityIdentities,
- dsattributes.kDSNAttrRecordType,
- dsattributes.kDS1AttrDistinguishedName,
- dsattributes.kDS1AttrFirstName,
- dsattributes.kDS1AttrLastName,
- dsattributes.kDSNAttrEMailAddress,
- dsattributes.kDSNAttrMetaNodeLocation,
- ]
-
- origIndexKey = indexKey
- if indexType == self.INDEX_TYPE_CUA:
- # The directory doesn't contain CUAs, so we need to convert
- # the CUA to the appropriate field name and value:
- queryattr, indexKey = cuAddressConverter(indexKey)
- # queryattr will be one of:
- # guid, emailAddresses, or recordName
- # ...which will need to be mapped to DS
- queryattr = self._ODFields[queryattr]['odField']
-
- else:
- queryattr = {
- self.INDEX_TYPE_SHORTNAME : dsattributes.kDSNAttrRecordName,
- self.INDEX_TYPE_GUID : dsattributes.kDS1AttrGeneratedUID,
- }.get(indexType)
- assert queryattr is not None, "Invalid type for record faulting query"
-
- query = dsquery.match(queryattr, indexKey, dsattributes.eDSExact)
-
-
- listRecordTypes = []
- for recordType in recordTypes:
- if recordType == DirectoryService.recordType_users:
- listRecordTypes.append(dsattributes.kDSStdRecordTypeUsers)
-
- elif recordType == DirectoryService.recordType_groups:
- listRecordTypes.append(dsattributes.kDSStdRecordTypeGroups)
- attrs.append(dsattributes.kDSNAttrGroupMembers)
- attrs.append(dsattributes.kDSNAttrNestedGroups)
-
- elif recordType == DirectoryService.recordType_locations:
- if queryattr != dsattributes.kDSNAttrEMailAddress:
- listRecordTypes.append(dsattributes.kDSStdRecordTypePlaces)
- # MOR: possibly can be removed
- attrs.append(dsattributes.kDSNAttrResourceInfo)
-
- elif recordType == DirectoryService.recordType_resources:
- if queryattr != dsattributes.kDSNAttrEMailAddress:
- listRecordTypes.append(dsattributes.kDSStdRecordTypeResources)
- # MOR: possibly can be removed
- attrs.append(dsattributes.kDSNAttrResourceInfo)
-
- else:
- raise UnknownRecordTypeError("Unknown Open Directory record type: %s" % (recordType))
-
-
- try:
- self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- listRecordTypes,
- attrs,
- ))
- results = opendirectory.queryRecordsWithAttribute_list(
- self.directory,
- query.attribute,
- query.value,
- query.matchType,
- False,
- listRecordTypes,
- attrs,
- )
- self.log_debug("opendirectory.queryRecordsWithAttribute_list matched records: %s" % (len(results),))
-
- except opendirectory.ODError, ex:
- if ex.message[1] == -14140 or ex.message[1] == -14200:
- # Unsupported attribute on record - don't fail
- return
- else:
- self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
- raise
-
- def _uniqueTupleFromAttribute(attribute):
- if attribute:
- if isinstance(attribute, str):
- return (attribute,)
- else:
- s = set()
- return tuple([(s.add(x), x)[1] for x in attribute if x not in s])
- else:
- return ()
-
- def _setFromAttribute(attribute, lower=False):
- if attribute:
- if isinstance(attribute, str):
- return set((attribute.lower() if lower else attribute,))
- else:
- return set([item.lower() if lower else item for item in attribute])
- else:
- return ()
-
- enabledRecords = []
- disabledRecords = []
-
- for (recordShortName, value) in results:
-
- # Now get useful record info.
- recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
- recordShortNames = _uniqueTupleFromAttribute(value.get(dsattributes.kDSNAttrRecordName))
- recordType = value.get(dsattributes.kDSNAttrRecordType)
- if isinstance(recordType, list):
- recordType = recordType[0]
- recordAuthIDs = _setFromAttribute(value.get(dsattributes.kDSNAttrAltSecurityIdentities))
- recordFullName = value.get(dsattributes.kDS1AttrDistinguishedName)
- recordFirstName = value.get(dsattributes.kDS1AttrFirstName)
- recordLastName = value.get(dsattributes.kDS1AttrLastName)
- recordEmailAddresses = _setFromAttribute(value.get(dsattributes.kDSNAttrEMailAddress), lower=True)
- recordNodeName = value.get(dsattributes.kDSNAttrMetaNodeLocation)
-
- if not recordType:
- self.log_debug("Record (unknown)%s in node %s has no recordType; ignoring."
- % (recordShortName, recordNodeName))
- continue
-
- recordType = self._fromODRecordTypes[recordType]
-
- if not recordGUID:
- self.log_debug("Record (%s)%s in node %s has no GUID; ignoring."
- % (recordType, recordShortName, recordNodeName))
- continue
-
- if recordGUID.lower().startswith("ffffeeee-dddd-cccc-bbbb-aaaa"):
- self.log_debug("Ignoring system record (%s)%s in node %s."
- % (recordType, recordShortName, recordNodeName))
- continue
-
- # Determine enabled state
- if recordType == self.recordType_groups:
- enabledForCalendaring = False
- else:
- if (
- self.restrictEnabledRecords and
- config.Scheduling.iMIP.Username != recordShortName
- ):
- if time.time() - self.restrictedTimestamp > self.cacheTimeout:
- attributeToMatch = dsattributes.kDS1AttrGeneratedUID if self.restrictToGUID else dsattributes.kDSNAttrRecordName
- valueToMatch = self.restrictToGroup
- self.log_debug("Doing restricted group membership check")
- self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
- self.directory,
- attributeToMatch,
- valueToMatch,
- dsattributes.eDSExact,
- False,
- dsattributes.kDSStdRecordTypeGroups,
- [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups,],
- ))
- results = opendirectory.queryRecordsWithAttribute_list(
- self.directory,
- attributeToMatch,
- valueToMatch,
- dsattributes.eDSExact,
- False,
- dsattributes.kDSStdRecordTypeGroups,
- [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups,],
- )
-
- if len(results) == 1:
- members = results[0][1].get(dsattributes.kDSNAttrGroupMembers, [])
- nestedGroups = results[0][1].get(dsattributes.kDSNAttrNestedGroups, [])
- else:
- members = []
- nestedGroups = []
- self.restrictedGUIDs = set(self._expandGroupMembership(members, nestedGroups, returnGroups=True))
- self.log_debug("Got %d restricted group members" % (len(self.restrictedGUIDs),))
- self.restrictedTimestamp = time.time()
-
- enabledForCalendaring = recordGUID in self.restrictedGUIDs
- else:
- enabledForCalendaring = True
-
- if enabledForCalendaring:
- calendarUserAddresses = self._calendarUserAddresses(recordType, value)
- else:
- # Some records we want to keep even though they are not enabled for calendaring.
- # Others we discard.
- if recordType not in (
- self.recordType_users,
- self.recordType_groups,
- ):
- self.log_debug(
- "Record (%s) %s is not enabled for calendaring"
- % (recordType, recordShortName)
- )
- continue
-
- self.log_debug(
- "Record (%s) %s is not enabled for calendaring but may be used in ACLs"
- % (recordType, recordShortName)
- )
- calendarUserAddresses = ()
-
- # Special case for groups, which have members.
- if recordType == self.recordType_groups:
- memberGUIDs = value.get(dsattributes.kDSNAttrGroupMembers)
- if memberGUIDs is None:
- memberGUIDs = ()
- elif type(memberGUIDs) is str:
- memberGUIDs = (memberGUIDs,)
- nestedGUIDs = value.get(dsattributes.kDSNAttrNestedGroups)
- if nestedGUIDs:
- if type(nestedGUIDs) is str:
- nestedGUIDs = (nestedGUIDs,)
- memberGUIDs += tuple(nestedGUIDs)
- else:
- memberGUIDs = ()
-
- record = OpenDirectoryRecord(
- service = self,
- recordType = recordType,
- guid = recordGUID,
- nodeName = recordNodeName,
- shortNames = recordShortNames,
- authIDs = recordAuthIDs,
- fullName = recordFullName,
- firstName = recordFirstName,
- lastName = recordLastName,
- emailAddresses = recordEmailAddresses,
- calendarUserAddresses = calendarUserAddresses,
- enabledForCalendaring = enabledForCalendaring,
- memberGUIDs = memberGUIDs,
- )
- if enabledForCalendaring:
- enabledRecords.append(record)
- else:
- disabledRecords.append(record)
-
- record = None
- if len(enabledRecords) == 1:
- record = enabledRecords[0]
- elif len(enabledRecords) == 0 and len(disabledRecords) == 1:
- record = disabledRecords[0]
-
- if record:
- self.log_debug("Storing (%s %s) %s in internal cache" % (indexType, origIndexKey, record))
- self.recordCacheForType(recordType).addRecord(record, indexType, origIndexKey)
-
- def _parseResourceInfo(self, plist, guid, recordType, shortname):
- """
- Parse OD ResourceInfo attribute and extract information that the server needs.
-
- @param plist: the plist that is the attribute value.
- @type plist: str
- @param guid: the directory GUID of the record being parsed.
- @type guid: str
- @param shortname: the record shortname of the record being parsed.
- @type shortname: str
- @return: a C{tuple} of C{bool} for auto-accept, C{str} for proxy GUID, C{str} for read-only proxy GUID.
- """
- try:
- plist = readPlistFromString(plist)
- wpframework = plist.get("com.apple.WhitePagesFramework", {})
- autoaccept = wpframework.get("AutoAcceptsInvitation", False)
- proxy = wpframework.get("CalendaringDelegate", None)
- read_only_proxy = wpframework.get("ReadOnlyCalendaringDelegate", None)
- except (ExpatError, AttributeError), e:
- self.log_error(
- "Failed to parse ResourceInfo attribute of record (%s)%s (guid=%s): %s\n%s" %
- (recordType, shortname, guid, e, plist,)
- )
- raise ValueError("Invalid ResourceInfo")
-
- return (autoaccept, proxy, read_only_proxy,)
-
- def getResourceInfo(self):
- """
- Resource information including proxy assignments for resource and
- locations, as well as auto-schedule settings, used to live in the
- directory. This method fetches old resource info for migration
- purposes.
- """
- attrs = [
- dsattributes.kDS1AttrGeneratedUID,
- dsattributes.kDSNAttrResourceInfo,
- ]
-
- for recordType in (dsattributes.kDSStdRecordTypePlaces, dsattributes.kDSStdRecordTypeResources):
- try:
- self.log_debug("opendirectory.listAllRecordsWithAttributes_list(%r,%r,%r)" % (
- self.directory,
- recordType,
- attrs,
- ))
- results = opendirectory.listAllRecordsWithAttributes_list(
- self.directory,
- recordType,
- attrs,
- )
- except opendirectory.ODError, ex:
- self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
- raise
-
- for (recordShortName, value) in results:
- recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
- resourceInfo = value.get(dsattributes.kDSNAttrResourceInfo)
- if resourceInfo is not None:
- try:
- autoSchedule, proxy, readOnlyProxy = self._parseResourceInfo(resourceInfo,
- recordGUID, recordType, recordShortName)
- except ValueError:
- continue
- yield recordGUID, autoSchedule, proxy, readOnlyProxy
-
-
-def buildQueries(recordTypes, fields, mapping):
- """
- Determine how many queries need to be performed in order to work around opendirectory
- quirks, where searching on fields that don't apply to a given recordType returns incorrect
- results (either none, or all records).
- """
-
- fieldLists = {}
- for recordType in recordTypes:
- fieldLists[recordType] = []
- for field, value, caseless, matchType in fields:
- if field in mapping:
- if recordType in mapping[field]['appliesTo']:
- ODField = mapping[field]['odField']
- fieldLists[recordType].append((ODField, value, caseless, matchType))
-
- queries = {}
- for recordType, fieldList in fieldLists.iteritems():
- key = tuple(fieldList)
- queries.setdefault(key, []).append(recordType)
- return queries
-
-
-class OpenDirectoryRecord(CachingDirectoryRecord):
- """
- Open Directory implementation of L{IDirectoryRecord}.
- """
- def __init__(
- self, service, recordType, guid, nodeName, shortNames, authIDs,
- fullName, firstName, lastName, emailAddresses,
- calendarUserAddresses,
- enabledForCalendaring,
- memberGUIDs,
- ):
- super(OpenDirectoryRecord, self).__init__(
- service = service,
- recordType = recordType,
- guid = guid,
- shortNames = shortNames,
- authIDs = authIDs,
- fullName = fullName,
- firstName = firstName,
- lastName = lastName,
- emailAddresses = emailAddresses,
- calendarUserAddresses = calendarUserAddresses,
- enabledForCalendaring = enabledForCalendaring,
- )
- self.nodeName = nodeName
- self._memberGUIDs = tuple(memberGUIDs)
-
- self._groupMembershipGUIDs = None
-
- def __repr__(self):
- if self.service.realmName == self.nodeName:
- location = self.nodeName
- else:
- location = "%s->%s" % (self.service.realmName, self.nodeName)
-
- return "<%s[%s@%s(%s)] %s(%s) %r>" % (
- self.__class__.__name__,
- self.recordType,
- self.service.guid,
- location,
- self.guid,
- ",".join(self.shortNames),
- self.fullName
- )
-
- def members(self):
- if self.recordType != self.service.recordType_groups:
- return
-
- for guid in self._memberGUIDs:
- userRecord = self.service.recordWithGUID(guid)
- if userRecord is not None:
- yield userRecord
-
- def groups(self):
- if self._groupMembershipGUIDs is None:
- self._groupMembershipGUIDs = self.service.groupsForGUID(self.guid)
-
- for guid in self._groupMembershipGUIDs:
- record = self.service.recordWithGUID(guid)
- if record:
- yield record
-
- def verifyCredentials(self, credentials):
- if isinstance(credentials, UsernamePassword):
- # Check cached password
- try:
- if credentials.password == self.password:
- return True
- except AttributeError:
- pass
-
- # Check with directory services
- try:
- if opendirectory.authenticateUserBasic(self.service.directory, self.nodeName, self.shortNames[0], credentials.password):
- # Cache the password to avoid future DS queries
- self.password = credentials.password
- return True
- except opendirectory.ODError, e:
- self.log_error("Open Directory (node=%s) error while performing basic authentication for user %s: %s"
- % (self.service.realmName, self.shortNames[0], e))
-
- return False
-
- elif isinstance(credentials, DigestedCredentials):
- #
- # We need a special format for the "challenge" and "response" strings passed into open directory, as it is
- # picky about exactly what it receives.
- #
- try:
- challenge = 'Digest realm="%(realm)s", nonce="%(nonce)s", algorithm=%(algorithm)s' % credentials.fields
- response = (
- 'Digest username="%(username)s", '
- 'realm="%(realm)s", '
- 'nonce="%(nonce)s", '
- 'uri="%(uri)s", '
- 'response="%(response)s",'
- 'algorithm=%(algorithm)s'
- ) % credentials.fields
- except KeyError, e:
- self.log_error(
- "Open Directory (node=%s) error while performing digest authentication for user %s: "
- "missing digest response field: %s in: %s"
- % (self.service.realmName, self.shortNames[0], e, credentials.fields)
- )
- return False
-
- try:
- if self.digestcache[credentials.fields["uri"]] == response:
- return True
- except (AttributeError, KeyError):
- pass
-
- try:
- if opendirectory.authenticateUserDigest(
- self.service.directory,
- self.nodeName,
- self.shortNames[0],
- challenge,
- response,
- credentials.method
- ):
- try:
- cache = self.digestcache
- except AttributeError:
- cache = self.digestcache = {}
-
- cache[credentials.fields["uri"]] = response
-
- return True
- else:
- self.log_debug(
-"""Open Directory digest authentication failed with:
- Nodename: %s
- Username: %s
- Challenge: %s
- Response: %s
- Method: %s
-""" % (self.nodeName, self.shortNames[0], challenge, response, credentials.method))
-
- except opendirectory.ODError, e:
- self.log_error(
- "Open Directory (node=%s) error while performing digest authentication for user %s: %s"
- % (self.service.realmName, self.shortNames[0], e)
- )
- return False
-
- return False
-
- return super(OpenDirectoryRecord, self).verifyCredentials(credentials)
-
-class OpenDirectoryInitError(DirectoryError):
- """
- OpenDirectory initialization error.
- """
Copied: CalendarServer/trunk/twistedcaldav/directory/appleopendirectory.py (from rev 4200, CalendarServer/trunk/twistedcaldav/directory/appleopendirectory)
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/appleopendirectory.py (rev 0)
+++ CalendarServer/trunk/twistedcaldav/directory/appleopendirectory.py 2009-05-07 06:45:44 UTC (rev 4201)
@@ -0,0 +1,932 @@
+##
+# Copyright (c) 2006-2009 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+"""
+Apple Open Directory directory service implementation.
+"""
+
+__all__ = [
+ "OpenDirectoryService",
+ "OpenDirectoryInitError",
+]
+
+import sys
+import time
+from uuid import UUID
+
+from twext.python.plistlib import readPlistFromString
+
+from xml.parsers.expat import ExpatError
+
+import opendirectory
+import dsattributes
+import dsquery
+
+from twisted.internet.threads import deferToThread
+from twisted.cred.credentials import UsernamePassword
+from twisted.web2.auth.digest import DigestedCredentials
+from twistedcaldav.config import config
+
+from twistedcaldav.directory.cachingdirectory import CachingDirectoryService,\
+ CachingDirectoryRecord
+from twistedcaldav.directory.directory import DirectoryService, DirectoryRecord
+from twistedcaldav.directory.directory import DirectoryError, UnknownRecordTypeError
+from twistedcaldav.directory.principal import cuAddressConverter
+
+class OpenDirectoryService(CachingDirectoryService):
+ """
+ Open Directory implementation of L{IDirectoryService}.
+ """
+ baseGUID = "891F8321-ED02-424C-BA72-89C32F215C1E"
+
+ def __repr__(self):
+ return "<%s %r: %r>" % (self.__class__.__name__, self.realmName, self.node)
+
+ def __init__(
+ self,
+ node="/Search",
+ restrictEnabledRecords=False,
+ restrictToGroup="",
+ dosetup=True,
+ cacheTimeout=30
+ ):
+ """
+ @param node: an OpenDirectory node name to bind to.
+ @param restrictEnabledRecords: C{True} if a group in the directory is to be used to determine
+ which calendar users are enabled.
+ @param restrictToGroup: C{str} guid or name of group used to restrict enabled users.
+ @param dosetup: if C{True} then the directory records are initialized,
+ if C{False} they are not.
+ This should only be set to C{False} when doing unit tests.
+ @param cacheTimeout: C{int} number of minutes before cache is invalidated.
+ """
+
+ super(OpenDirectoryService, self).__init__(cacheTimeout)
+
+ try:
+ directory = opendirectory.odInit(node)
+ except opendirectory.ODError, e:
+ self.log_error("Open Directory (node=%s) Initialization error: %s" % (node, e))
+ raise
+
+ self.realmName = node
+ self.directory = directory
+ self.node = node
+ self.restrictEnabledRecords = restrictEnabledRecords
+ self.restrictToGroup = restrictToGroup
+ try:
+ UUID(self.restrictToGroup)
+ except:
+ self.restrictToGUID = False
+ else:
+ self.restrictToGUID = True
+ self.restrictedGUIDs = None
+ self.restrictedTimestamp = 0
+ self._records = {}
+ self._delayedCalls = set()
+
+ def __cmp__(self, other):
+ if not isinstance(other, DirectoryRecord):
+ return super(DirectoryRecord, self).__eq__(other)
+
+ for attr in ("directory", "node"):
+ diff = cmp(getattr(self, attr), getattr(other, attr))
+ if diff != 0:
+ return diff
+ return 0
+
+ def __hash__(self):
+ h = hash(self.__class__)
+ for attr in ("directory", "node"):
+ h = (h + hash(getattr(self, attr))) & sys.maxint
+ return h
+
+ def _expandGroupMembership(self, members, nestedGroups, processedGUIDs=None, returnGroups=False):
+
+ if processedGUIDs is None:
+ processedGUIDs = set()
+
+ if isinstance(members, str):
+ members = [members]
+
+ if isinstance(nestedGroups, str):
+ nestedGroups = [nestedGroups]
+
+ for memberGUID in members:
+ if memberGUID not in processedGUIDs:
+ processedGUIDs.add(memberGUID)
+ yield memberGUID
+
+ for groupGUID in nestedGroups:
+ if groupGUID in processedGUIDs:
+ continue
+
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
+ self.directory,
+ dsattributes.kDS1AttrGeneratedUID,
+ groupGUID,
+ dsattributes.eDSExact,
+ False,
+ dsattributes.kDSStdRecordTypeGroups,
+ [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups]
+ ))
+ result = opendirectory.queryRecordsWithAttribute_list(
+ self.directory,
+ dsattributes.kDS1AttrGeneratedUID,
+ groupGUID,
+ dsattributes.eDSExact,
+ False,
+ dsattributes.kDSStdRecordTypeGroups,
+ [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups]
+ )
+
+ if not result:
+ self.log_error("Couldn't find group %s when trying to expand nested groups."
+ % (groupGUID,))
+ continue
+
+ group = result[0][1]
+
+ processedGUIDs.add(groupGUID)
+ if returnGroups:
+ yield groupGUID
+
+ for GUID in self._expandGroupMembership(
+ group.get(dsattributes.kDSNAttrGroupMembers, []),
+ group.get(dsattributes.kDSNAttrNestedGroups, []),
+ processedGUIDs,
+ returnGroups,
+ ):
+ yield GUID
+
+ def _calendarUserAddresses(self, recordType, recordData):
+ """
+ Extract specific attributes from the directory record for use as calendar user address.
+
+ @param recordData: a C{dict} containing the attributes retrieved from the directory.
+ @return: a C{set} of C{str} for each expanded calendar user address.
+ """
+ # Now get the addresses
+ result = set()
+
+ # Add each email address as a mailto URI
+ emails = recordData.get(dsattributes.kDSNAttrEMailAddress)
+ if emails is not None:
+ if isinstance(emails, str):
+ emails = [emails]
+ for email in emails:
+ result.add("mailto:%s" % (email.lower(),))
+
+ return result
+
+ def recordTypes(self):
+ return (
+ self.recordType_users,
+ self.recordType_groups,
+ self.recordType_locations,
+ self.recordType_resources,
+ )
+
+ def groupsForGUID(self, guid):
+
+ attrs = [
+ dsattributes.kDS1AttrGeneratedUID,
+ ]
+
+ recordType = dsattributes.kDSStdRecordTypeGroups
+
+ guids = set()
+
+ query = dsquery.match(dsattributes.kDSNAttrGroupMembers, guid, dsattributes.eDSExact)
+ try:
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ recordType,
+ attrs,
+ ))
+ results = opendirectory.queryRecordsWithAttribute_list(
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ recordType,
+ attrs,
+ )
+ except opendirectory.ODError, ex:
+ self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
+ raise
+
+ for (_ignore_recordShortName, value) in results:
+
+ # Now get useful record info.
+ recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
+ if recordGUID:
+ guids.add(recordGUID)
+
+ query = dsquery.match(dsattributes.kDSNAttrNestedGroups, guid, dsattributes.eDSExact)
+ try:
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ recordType,
+ attrs,
+ ))
+ results = opendirectory.queryRecordsWithAttribute_list(
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ recordType,
+ attrs,
+ )
+ except opendirectory.ODError, ex:
+ self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
+ raise
+
+ for (_ignore_recordShortName, value) in results:
+
+ # Now get useful record info.
+ recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
+ if recordGUID:
+ guids.add(recordGUID)
+
+ return guids
+
+ def proxiesForGUID(self, recordType, guid):
+
+ # Lookup in index
+ try:
+ # TODO:
+ return ()
+ except KeyError:
+ return ()
+
+ def readOnlyProxiesForGUID(self, recordType, guid):
+
+ # Lookup in index
+ try:
+ # TODO:
+ return ()
+ except KeyError:
+ return ()
+
+ _ODFields = {
+ 'fullName' : {
+ 'odField' : dsattributes.kDS1AttrDistinguishedName,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ dsattributes.kDSStdRecordTypeGroups,
+ dsattributes.kDSStdRecordTypePlaces,
+ dsattributes.kDSStdRecordTypeResources,
+ ]),
+ },
+ 'firstName' : {
+ 'odField' : dsattributes.kDS1AttrFirstName,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ ]),
+ },
+ 'lastName' : {
+ 'odField' : dsattributes.kDS1AttrLastName,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ ]),
+ },
+ 'emailAddresses' : {
+ 'odField' : dsattributes.kDSNAttrEMailAddress,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ dsattributes.kDSStdRecordTypeGroups,
+ ]),
+ },
+ 'recordName' : {
+ 'odField' : dsattributes.kDSNAttrRecordName,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ dsattributes.kDSStdRecordTypeGroups,
+ dsattributes.kDSStdRecordTypePlaces,
+ dsattributes.kDSStdRecordTypeResources,
+ ]),
+ },
+ 'guid' : {
+ 'odField' : dsattributes.kDS1AttrGeneratedUID,
+ 'appliesTo' : set([
+ dsattributes.kDSStdRecordTypeUsers,
+ dsattributes.kDSStdRecordTypeGroups,
+ dsattributes.kDSStdRecordTypePlaces,
+ dsattributes.kDSStdRecordTypeResources,
+ ]),
+ },
+ }
+
+ _toODRecordTypes = {
+ DirectoryService.recordType_users :
+ dsattributes.kDSStdRecordTypeUsers,
+ DirectoryService.recordType_locations :
+ dsattributes.kDSStdRecordTypePlaces,
+ DirectoryService.recordType_groups :
+ dsattributes.kDSStdRecordTypeGroups,
+ DirectoryService.recordType_resources :
+ dsattributes.kDSStdRecordTypeResources,
+ }
+
+ _fromODRecordTypes = dict([(b, a) for a, b in _toODRecordTypes.iteritems()])
+
+
+ def recordsMatchingFields(self, fields, operand="or", recordType=None):
+
+ # Note that OD applies case-sensitivity globally across the entire
+ # query, not per expression, so the current code uses whatever is
+ # specified in the last field in the fields list
+
+ def collectResults(results):
+ self.log_info("Got back %d records from OD" % (len(results),))
+ for key, val in results.iteritems():
+ self.log_debug("OD result: %s %s" % (key, val))
+ try:
+ guid = val[dsattributes.kDS1AttrGeneratedUID]
+ record = self.recordWithGUID(guid)
+ if record:
+ yield record
+ except KeyError:
+ pass
+
+ def multiQuery(directory, queries, attrs, operand):
+ results = {}
+
+ for query, recordTypes in queries.iteritems():
+ if not query:
+ continue
+
+ expressions = []
+ for ODField, value, caseless, matchType in query:
+ if matchType == "starts-with":
+ comparison = dsattributes.eDSStartsWith
+ elif matchType == "contains":
+ comparison = dsattributes.eDSContains
+ else:
+ comparison = dsattributes.eDSExact
+ expressions.append(dsquery.match(ODField, value, comparison))
+
+ complexExpression = dsquery.expression(operand, expressions).generate()
+
+ self.log_info("Calling OD: Types %s, Operand %s, Caseless %s, %s" %
+ (recordTypes, operand, caseless, complexExpression))
+
+ results.update(
+ opendirectory.queryRecordsWithAttributes(
+ directory,
+ complexExpression,
+ caseless,
+ recordTypes,
+ attrs,
+ )
+ )
+
+ return results
+
+
+ operand = (dsquery.expression.OR if operand == "or"
+ else dsquery.expression.AND)
+
+ if recordType is None:
+ # The client is looking for records in any of the four types
+ recordTypes = set(self._toODRecordTypes.values())
+ else:
+ # The client is after only one recordType
+ recordTypes = [self._toODRecordTypes[recordType]]
+
+ queries = buildQueries(recordTypes, fields, self._ODFields)
+
+ deferred = deferToThread(
+ multiQuery,
+ self.directory,
+ queries,
+ [ dsattributes.kDS1AttrGeneratedUID ],
+ operand
+ )
+ deferred.addCallback(collectResults)
+ return deferred
+
+
+ def queryDirectory(self, recordTypes, indexType, indexKey):
+
+ attrs = [
+ dsattributes.kDS1AttrGeneratedUID,
+ dsattributes.kDSNAttrRecordName,
+ dsattributes.kDSNAttrAltSecurityIdentities,
+ dsattributes.kDSNAttrRecordType,
+ dsattributes.kDS1AttrDistinguishedName,
+ dsattributes.kDS1AttrFirstName,
+ dsattributes.kDS1AttrLastName,
+ dsattributes.kDSNAttrEMailAddress,
+ dsattributes.kDSNAttrMetaNodeLocation,
+ ]
+
+ origIndexKey = indexKey
+ if indexType == self.INDEX_TYPE_CUA:
+ # The directory doesn't contain CUAs, so we need to convert
+ # the CUA to the appropriate field name and value:
+ queryattr, indexKey = cuAddressConverter(indexKey)
+ # queryattr will be one of:
+ # guid, emailAddresses, or recordName
+ # ...which will need to be mapped to DS
+ queryattr = self._ODFields[queryattr]['odField']
+
+ else:
+ queryattr = {
+ self.INDEX_TYPE_SHORTNAME : dsattributes.kDSNAttrRecordName,
+ self.INDEX_TYPE_GUID : dsattributes.kDS1AttrGeneratedUID,
+ }.get(indexType)
+ assert queryattr is not None, "Invalid type for record faulting query"
+
+ query = dsquery.match(queryattr, indexKey, dsattributes.eDSExact)
+
+
+ listRecordTypes = []
+ for recordType in recordTypes:
+ if recordType == DirectoryService.recordType_users:
+ listRecordTypes.append(dsattributes.kDSStdRecordTypeUsers)
+
+ elif recordType == DirectoryService.recordType_groups:
+ listRecordTypes.append(dsattributes.kDSStdRecordTypeGroups)
+ attrs.append(dsattributes.kDSNAttrGroupMembers)
+ attrs.append(dsattributes.kDSNAttrNestedGroups)
+
+ elif recordType == DirectoryService.recordType_locations:
+ if queryattr != dsattributes.kDSNAttrEMailAddress:
+ listRecordTypes.append(dsattributes.kDSStdRecordTypePlaces)
+ # MOR: possibly can be removed
+ attrs.append(dsattributes.kDSNAttrResourceInfo)
+
+ elif recordType == DirectoryService.recordType_resources:
+ if queryattr != dsattributes.kDSNAttrEMailAddress:
+ listRecordTypes.append(dsattributes.kDSStdRecordTypeResources)
+ # MOR: possibly can be removed
+ attrs.append(dsattributes.kDSNAttrResourceInfo)
+
+ else:
+ raise UnknownRecordTypeError("Unknown Open Directory record type: %s" % (recordType))
+
+
+ try:
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ listRecordTypes,
+ attrs,
+ ))
+ results = opendirectory.queryRecordsWithAttribute_list(
+ self.directory,
+ query.attribute,
+ query.value,
+ query.matchType,
+ False,
+ listRecordTypes,
+ attrs,
+ )
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list matched records: %s" % (len(results),))
+
+ except opendirectory.ODError, ex:
+ if ex.message[1] == -14140 or ex.message[1] == -14200:
+ # Unsupported attribute on record - don't fail
+ return
+ else:
+ self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
+ raise
+
+ def _uniqueTupleFromAttribute(attribute):
+ if attribute:
+ if isinstance(attribute, str):
+ return (attribute,)
+ else:
+ s = set()
+ return tuple([(s.add(x), x)[1] for x in attribute if x not in s])
+ else:
+ return ()
+
+ def _setFromAttribute(attribute, lower=False):
+ if attribute:
+ if isinstance(attribute, str):
+ return set((attribute.lower() if lower else attribute,))
+ else:
+ return set([item.lower() if lower else item for item in attribute])
+ else:
+ return ()
+
+ enabledRecords = []
+ disabledRecords = []
+
+ for (recordShortName, value) in results:
+
+ # Now get useful record info.
+ recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
+ recordShortNames = _uniqueTupleFromAttribute(value.get(dsattributes.kDSNAttrRecordName))
+ recordType = value.get(dsattributes.kDSNAttrRecordType)
+ if isinstance(recordType, list):
+ recordType = recordType[0]
+ recordAuthIDs = _setFromAttribute(value.get(dsattributes.kDSNAttrAltSecurityIdentities))
+ recordFullName = value.get(dsattributes.kDS1AttrDistinguishedName)
+ recordFirstName = value.get(dsattributes.kDS1AttrFirstName)
+ recordLastName = value.get(dsattributes.kDS1AttrLastName)
+ recordEmailAddresses = _setFromAttribute(value.get(dsattributes.kDSNAttrEMailAddress), lower=True)
+ recordNodeName = value.get(dsattributes.kDSNAttrMetaNodeLocation)
+
+ if not recordType:
+ self.log_debug("Record (unknown)%s in node %s has no recordType; ignoring."
+ % (recordShortName, recordNodeName))
+ continue
+
+ recordType = self._fromODRecordTypes[recordType]
+
+ if not recordGUID:
+ self.log_debug("Record (%s)%s in node %s has no GUID; ignoring."
+ % (recordType, recordShortName, recordNodeName))
+ continue
+
+ if recordGUID.lower().startswith("ffffeeee-dddd-cccc-bbbb-aaaa"):
+ self.log_debug("Ignoring system record (%s)%s in node %s."
+ % (recordType, recordShortName, recordNodeName))
+ continue
+
+ # Determine enabled state
+ if recordType == self.recordType_groups:
+ enabledForCalendaring = False
+ else:
+ if (
+ self.restrictEnabledRecords and
+ config.Scheduling.iMIP.Username != recordShortName
+ ):
+ if time.time() - self.restrictedTimestamp > self.cacheTimeout:
+ attributeToMatch = dsattributes.kDS1AttrGeneratedUID if self.restrictToGUID else dsattributes.kDSNAttrRecordName
+ valueToMatch = self.restrictToGroup
+ self.log_debug("Doing restricted group membership check")
+ self.log_debug("opendirectory.queryRecordsWithAttribute_list(%r,%r,%r,%r,%r,%r,%r)" % (
+ self.directory,
+ attributeToMatch,
+ valueToMatch,
+ dsattributes.eDSExact,
+ False,
+ dsattributes.kDSStdRecordTypeGroups,
+ [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups,],
+ ))
+ results = opendirectory.queryRecordsWithAttribute_list(
+ self.directory,
+ attributeToMatch,
+ valueToMatch,
+ dsattributes.eDSExact,
+ False,
+ dsattributes.kDSStdRecordTypeGroups,
+ [dsattributes.kDSNAttrGroupMembers, dsattributes.kDSNAttrNestedGroups,],
+ )
+
+ if len(results) == 1:
+ members = results[0][1].get(dsattributes.kDSNAttrGroupMembers, [])
+ nestedGroups = results[0][1].get(dsattributes.kDSNAttrNestedGroups, [])
+ else:
+ members = []
+ nestedGroups = []
+ self.restrictedGUIDs = set(self._expandGroupMembership(members, nestedGroups, returnGroups=True))
+ self.log_debug("Got %d restricted group members" % (len(self.restrictedGUIDs),))
+ self.restrictedTimestamp = time.time()
+
+ enabledForCalendaring = recordGUID in self.restrictedGUIDs
+ else:
+ enabledForCalendaring = True
+
+ if enabledForCalendaring:
+ calendarUserAddresses = self._calendarUserAddresses(recordType, value)
+ else:
+ # Some records we want to keep even though they are not enabled for calendaring.
+ # Others we discard.
+ if recordType not in (
+ self.recordType_users,
+ self.recordType_groups,
+ ):
+ self.log_debug(
+ "Record (%s) %s is not enabled for calendaring"
+ % (recordType, recordShortName)
+ )
+ continue
+
+ self.log_debug(
+ "Record (%s) %s is not enabled for calendaring but may be used in ACLs"
+ % (recordType, recordShortName)
+ )
+ calendarUserAddresses = ()
+
+ # Special case for groups, which have members.
+ if recordType == self.recordType_groups:
+ memberGUIDs = value.get(dsattributes.kDSNAttrGroupMembers)
+ if memberGUIDs is None:
+ memberGUIDs = ()
+ elif type(memberGUIDs) is str:
+ memberGUIDs = (memberGUIDs,)
+ nestedGUIDs = value.get(dsattributes.kDSNAttrNestedGroups)
+ if nestedGUIDs:
+ if type(nestedGUIDs) is str:
+ nestedGUIDs = (nestedGUIDs,)
+ memberGUIDs += tuple(nestedGUIDs)
+ else:
+ memberGUIDs = ()
+
+ record = OpenDirectoryRecord(
+ service = self,
+ recordType = recordType,
+ guid = recordGUID,
+ nodeName = recordNodeName,
+ shortNames = recordShortNames,
+ authIDs = recordAuthIDs,
+ fullName = recordFullName,
+ firstName = recordFirstName,
+ lastName = recordLastName,
+ emailAddresses = recordEmailAddresses,
+ calendarUserAddresses = calendarUserAddresses,
+ enabledForCalendaring = enabledForCalendaring,
+ memberGUIDs = memberGUIDs,
+ )
+ if enabledForCalendaring:
+ enabledRecords.append(record)
+ else:
+ disabledRecords.append(record)
+
+ record = None
+ if len(enabledRecords) == 1:
+ record = enabledRecords[0]
+ elif len(enabledRecords) == 0 and len(disabledRecords) == 1:
+ record = disabledRecords[0]
+
+ if record:
+ self.log_debug("Storing (%s %s) %s in internal cache" % (indexType, origIndexKey, record))
+ self.recordCacheForType(recordType).addRecord(record, indexType, origIndexKey)
+
+ def _parseResourceInfo(self, plist, guid, recordType, shortname):
+ """
+ Parse OD ResourceInfo attribute and extract information that the server needs.
+
+ @param plist: the plist that is the attribute value.
+ @type plist: str
+ @param guid: the directory GUID of the record being parsed.
+ @type guid: str
+ @param shortname: the record shortname of the record being parsed.
+ @type shortname: str
+ @return: a C{tuple} of C{bool} for auto-accept, C{str} for proxy GUID, C{str} for read-only proxy GUID.
+ """
+ try:
+ plist = readPlistFromString(plist)
+ wpframework = plist.get("com.apple.WhitePagesFramework", {})
+ autoaccept = wpframework.get("AutoAcceptsInvitation", False)
+ proxy = wpframework.get("CalendaringDelegate", None)
+ read_only_proxy = wpframework.get("ReadOnlyCalendaringDelegate", None)
+ except (ExpatError, AttributeError), e:
+ self.log_error(
+ "Failed to parse ResourceInfo attribute of record (%s)%s (guid=%s): %s\n%s" %
+ (recordType, shortname, guid, e, plist,)
+ )
+ raise ValueError("Invalid ResourceInfo")
+
+ return (autoaccept, proxy, read_only_proxy,)
+
+ def getResourceInfo(self):
+ """
+ Resource information including proxy assignments for resource and
+ locations, as well as auto-schedule settings, used to live in the
+ directory. This method fetches old resource info for migration
+ purposes.
+ """
+ attrs = [
+ dsattributes.kDS1AttrGeneratedUID,
+ dsattributes.kDSNAttrResourceInfo,
+ ]
+
+ for recordType in (dsattributes.kDSStdRecordTypePlaces, dsattributes.kDSStdRecordTypeResources):
+ try:
+ self.log_debug("opendirectory.listAllRecordsWithAttributes_list(%r,%r,%r)" % (
+ self.directory,
+ recordType,
+ attrs,
+ ))
+ results = opendirectory.listAllRecordsWithAttributes_list(
+ self.directory,
+ recordType,
+ attrs,
+ )
+ except opendirectory.ODError, ex:
+ self.log_error("Open Directory (node=%s) error: %s" % (self.realmName, str(ex)))
+ raise
+
+ for (recordShortName, value) in results:
+ recordGUID = value.get(dsattributes.kDS1AttrGeneratedUID)
+ resourceInfo = value.get(dsattributes.kDSNAttrResourceInfo)
+ if resourceInfo is not None:
+ try:
+ autoSchedule, proxy, readOnlyProxy = self._parseResourceInfo(resourceInfo,
+ recordGUID, recordType, recordShortName)
+ except ValueError:
+ continue
+ yield recordGUID, autoSchedule, proxy, readOnlyProxy
+
+
+def buildQueries(recordTypes, fields, mapping):
+ """
+ Determine how many queries need to be performed in order to work around opendirectory
+ quirks, where searching on fields that don't apply to a given recordType returns incorrect
+ results (either none, or all records).
+ """
+
+ fieldLists = {}
+ for recordType in recordTypes:
+ fieldLists[recordType] = []
+ for field, value, caseless, matchType in fields:
+ if field in mapping:
+ if recordType in mapping[field]['appliesTo']:
+ ODField = mapping[field]['odField']
+ fieldLists[recordType].append((ODField, value, caseless, matchType))
+
+ queries = {}
+ for recordType, fieldList in fieldLists.iteritems():
+ key = tuple(fieldList)
+ queries.setdefault(key, []).append(recordType)
+ return queries
+
+
+class OpenDirectoryRecord(CachingDirectoryRecord):
+ """
+ Open Directory implementation of L{IDirectoryRecord}.
+ """
+ def __init__(
+ self, service, recordType, guid, nodeName, shortNames, authIDs,
+ fullName, firstName, lastName, emailAddresses,
+ calendarUserAddresses,
+ enabledForCalendaring,
+ memberGUIDs,
+ ):
+ super(OpenDirectoryRecord, self).__init__(
+ service = service,
+ recordType = recordType,
+ guid = guid,
+ shortNames = shortNames,
+ authIDs = authIDs,
+ fullName = fullName,
+ firstName = firstName,
+ lastName = lastName,
+ emailAddresses = emailAddresses,
+ calendarUserAddresses = calendarUserAddresses,
+ enabledForCalendaring = enabledForCalendaring,
+ )
+ self.nodeName = nodeName
+ self._memberGUIDs = tuple(memberGUIDs)
+
+ self._groupMembershipGUIDs = None
+
+ def __repr__(self):
+ if self.service.realmName == self.nodeName:
+ location = self.nodeName
+ else:
+ location = "%s->%s" % (self.service.realmName, self.nodeName)
+
+ return "<%s[%s@%s(%s)] %s(%s) %r>" % (
+ self.__class__.__name__,
+ self.recordType,
+ self.service.guid,
+ location,
+ self.guid,
+ ",".join(self.shortNames),
+ self.fullName
+ )
+
+ def members(self):
+ if self.recordType != self.service.recordType_groups:
+ return
+
+ for guid in self._memberGUIDs:
+ userRecord = self.service.recordWithGUID(guid)
+ if userRecord is not None:
+ yield userRecord
+
+ def groups(self):
+ if self._groupMembershipGUIDs is None:
+ self._groupMembershipGUIDs = self.service.groupsForGUID(self.guid)
+
+ for guid in self._groupMembershipGUIDs:
+ record = self.service.recordWithGUID(guid)
+ if record:
+ yield record
+
+ def verifyCredentials(self, credentials):
+ if isinstance(credentials, UsernamePassword):
+ # Check cached password
+ try:
+ if credentials.password == self.password:
+ return True
+ except AttributeError:
+ pass
+
+ # Check with directory services
+ try:
+ if opendirectory.authenticateUserBasic(self.service.directory, self.nodeName, self.shortNames[0], credentials.password):
+ # Cache the password to avoid future DS queries
+ self.password = credentials.password
+ return True
+ except opendirectory.ODError, e:
+ self.log_error("Open Directory (node=%s) error while performing basic authentication for user %s: %s"
+ % (self.service.realmName, self.shortNames[0], e))
+
+ return False
+
+ elif isinstance(credentials, DigestedCredentials):
+ #
+ # We need a special format for the "challenge" and "response" strings passed into open directory, as it is
+ # picky about exactly what it receives.
+ #
+ try:
+ challenge = 'Digest realm="%(realm)s", nonce="%(nonce)s", algorithm=%(algorithm)s' % credentials.fields
+ response = (
+ 'Digest username="%(username)s", '
+ 'realm="%(realm)s", '
+ 'nonce="%(nonce)s", '
+ 'uri="%(uri)s", '
+ 'response="%(response)s",'
+ 'algorithm=%(algorithm)s'
+ ) % credentials.fields
+ except KeyError, e:
+ self.log_error(
+ "Open Directory (node=%s) error while performing digest authentication for user %s: "
+ "missing digest response field: %s in: %s"
+ % (self.service.realmName, self.shortNames[0], e, credentials.fields)
+ )
+ return False
+
+ try:
+ if self.digestcache[credentials.fields["uri"]] == response:
+ return True
+ except (AttributeError, KeyError):
+ pass
+
+ try:
+ if opendirectory.authenticateUserDigest(
+ self.service.directory,
+ self.nodeName,
+ self.shortNames[0],
+ challenge,
+ response,
+ credentials.method
+ ):
+ try:
+ cache = self.digestcache
+ except AttributeError:
+ cache = self.digestcache = {}
+
+ cache[credentials.fields["uri"]] = response
+
+ return True
+ else:
+ self.log_debug(
+"""Open Directory digest authentication failed with:
+ Nodename: %s
+ Username: %s
+ Challenge: %s
+ Response: %s
+ Method: %s
+""" % (self.nodeName, self.shortNames[0], challenge, response, credentials.method))
+
+ except opendirectory.ODError, e:
+ self.log_error(
+ "Open Directory (node=%s) error while performing digest authentication for user %s: %s"
+ % (self.service.realmName, self.shortNames[0], e)
+ )
+ return False
+
+ return False
+
+ return super(OpenDirectoryRecord, self).verifyCredentials(credentials)
+
+class OpenDirectoryInitError(DirectoryError):
+ """
+ OpenDirectory initialization error.
+ """
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20090506/cb949bf9/attachment-0001.html>
More information about the calendarserver-changes
mailing list