[CalendarServer-changes] [6694] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Tue Dec 14 20:16:29 PST 2010


Revision: 6694
          http://trac.macosforge.org/projects/calendarserver/changeset/6694
Author:   sagen at apple.com
Date:     2010-12-14 20:16:23 -0800 (Tue, 14 Dec 2010)
Log Message:
-----------
Interprocess authentication (primarily the /inbox POSTs for iMIP delivery) now uses a new header -- x-calendarserver-internal -- along with a shared secret, rather than relying on using the directory service for authenticating.  This eliminates the problem that occurs when the special system user's (com.apple.calendarserver) password got changed but the copy in the system keychain didn't.  (7828657)

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/provision/root.py
    CalendarServer/trunk/calendarserver/provision/test/test_root.py
    CalendarServer/trunk/twistedcaldav/mail.py
    CalendarServer/trunk/twistedcaldav/scheduling/imip.py
    CalendarServer/trunk/twistedcaldav/stdconfig.py

Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py	2010-12-14 22:24:53 UTC (rev 6693)
+++ CalendarServer/trunk/calendarserver/provision/root.py	2010-12-15 04:16:23 UTC (rev 6694)
@@ -174,6 +174,30 @@
         for filter in self.contentFilters:
             request.addResponseFilter(filter[0], atEnd=filter[1])
 
+        # Examine headers for our special internal authorization, used for
+        # POSTing to /inbox between workers and mail gateway sidecar.
+        if not hasattr(request, "checkedInternalAuthHeader"):
+            request.checkedInternalAuthHeader = True
+            headerName = config.Scheduling.iMIP.Header
+            secrets = request.headers.getRawHeaders(headerName, None)
+            secretVerified = False
+            if secrets is not None:
+                log.debug("Internal authentication header (%s) detected" %
+                    (headerName,))
+                for secret in secrets:
+                    if secret == config.Scheduling.iMIP.Password:
+                        secretVerified = True
+                        break
+
+            if secretVerified:
+                log.debug("Internal authentication header (%s) verified" %
+                    (headerName,))
+                guid = config.Scheduling.iMIP.GUID
+                log.debug("Internal principal %s being assigned to authnUser and authzUser" % (guid,))
+                request.authzUser = request.authnUser = davxml.Principal(
+                    davxml.HRef.fromString("/principals/__uids__/%s/" % (guid,))
+                )
+
         # Examine cookies for wiki auth token; if there, ask the paired wiki
         # server for the corresponding record name.  If that maps to a
         # principal, assign that to authnuser.

Modified: CalendarServer/trunk/calendarserver/provision/test/test_root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/test/test_root.py	2010-12-14 22:24:53 UTC (rev 6693)
+++ CalendarServer/trunk/calendarserver/provision/test/test_root.py	2010-12-15 04:16:23 UTC (rev 6694)
@@ -36,6 +36,7 @@
 
 from calendarserver.provision.root import RootResource
 from twistedcaldav.directory import augment
+from twistedcaldav.config import config
 
 class FakeCheckSACL(object):
     def __init__(self, sacls=None):
@@ -293,6 +294,35 @@
         except HTTPError, e:
             self.assertEquals(e.response.code, 401)
 
+    @inlineCallbacks
+    def test_internalAuthHeader(self):
+        """
+        Test the behavior of locateChild when x-calendarserver-internal
+        header is set.
+
+        authnuser and authzuser will be set to the internal principal
+        """
+        self.patch(config.Scheduling.iMIP, "Password", "xyzzy")
+
+        headers = http_headers.Headers({})
+        headers.setRawHeaders("x-calendarserver-internal", ["xyzzy"])
+
+        request = SimpleRequest(
+            self.site,
+            "GET",
+            "/principals/",
+            headers=headers,
+        )
+
+        resrc, segments = (yield
+            RootResource.locateChild(self.root.resource, request, ["principals"]
+        ))
+
+        expected = "<?xml version='1.0' encoding='UTF-8'?>\n<principal xmlns='DAV:'>\r\n  <href>/principals/__uids__/%s/</href>\r\n</principal>" % (config.Scheduling.iMIP.GUID,)
+        self.assertEquals(request.authnUser.toxml(), expected)
+        self.assertEquals(request.authzUser.toxml(), expected)
+
+
     def test_DELETE(self):
         def do_test(response):
             response = IResponse(response)

Modified: CalendarServer/trunk/twistedcaldav/mail.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/mail.py	2010-12-14 22:24:53 UTC (rev 6693)
+++ CalendarServer/trunk/twistedcaldav/mail.py	2010-12-15 04:16:23 UTC (rev 6694)
@@ -199,21 +199,11 @@
         expanding=False, inherited_aces=None):
 
         if not hasattr(self, "iMIPACL"):
-
-            for principalCollection in self.principalCollections():
-                principal = principalCollection.principalForShortName("users",
-                    config.Scheduling.iMIP.Username)
-                if principal is not None:
-                    break
-            else:
-                log.err("iMIP injection principal not found: %s" %
-                    (config.Scheduling.iMIP.Username,))
-                raise HTTPError(responsecode.FORBIDDEN)
-
+            guid = config.Scheduling.iMIP.GUID
             self.iMIPACL = davxml.ACL(
                 davxml.ACE(
                     davxml.Principal(
-                        davxml.HRef.fromString(principal.principalURL())
+                        davxml.HRef.fromString("/principals/__uids__/%s/" % (guid,))
                     ),
                     davxml.Grant(
                         davxml.Privilege(caldavxml.ScheduleDeliver()),
@@ -357,6 +347,7 @@
         'Content-Type' : 'text/calendar',
         'Originator' : attendee,
         'Recipient' : organizer,
+        config.Scheduling.iMIP.Header : config.Scheduling.iMIP.Password,
     }
 
     data = str(calendar)
@@ -369,7 +360,7 @@
         port = config.HTTPPort
 
     # If we're running on same host as calendar server, inject via localhost
-    if config.Scheduling['iMIP']['MailGatewayServer'] == 'localhost':
+    if config.Scheduling.iMIP.MailGatewayServer == 'localhost':
         host = 'localhost'
     else:
         host = config.ServerHostName
@@ -382,10 +373,6 @@
     factory = client.HTTPClientFactory(url, method='POST', headers=headers,
         postdata=data, agent="iMIP gateway")
 
-    if config.Scheduling.iMIP.Username:
-        factory.username = config.Scheduling.iMIP.Username
-        factory.password = config.Scheduling.iMIP.Password
-
     factory.noisy = False
     factory.protocol = AuthorizedHTTPGetter
 

Modified: CalendarServer/trunk/twistedcaldav/scheduling/imip.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/scheduling/imip.py	2010-12-14 22:24:53 UTC (rev 6693)
+++ CalendarServer/trunk/twistedcaldav/scheduling/imip.py	2010-12-15 04:16:23 UTC (rev 6694)
@@ -110,14 +110,11 @@
             'Content-Type' : 'text/calendar',
             'Originator' : fromAddr,
             'Recipient' : toAddr,
+            config.Scheduling.iMIP.Header : config.Scheduling.iMIP.Password,
         }
         factory = client.HTTPClientFactory(url, method='POST', headers=headers,
             postdata=caldata, agent="CalDAV server")
 
-        if config.Scheduling.iMIP.Username:
-            factory.username = config.Scheduling.iMIP.Username
-            factory.password = config.Scheduling.iMIP.Password
-
         factory.noisy = False
         factory.protocol = AuthorizedHTTPGetter
         reactor.connectTCP(mailGatewayServer, mailGatewayPort, factory)

Modified: CalendarServer/trunk/twistedcaldav/stdconfig.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/stdconfig.py	2010-12-14 22:24:53 UTC (rev 6693)
+++ CalendarServer/trunk/twistedcaldav/stdconfig.py	2010-12-15 04:16:23 UTC (rev 6694)
@@ -418,6 +418,8 @@
             "MailGatewayPort"   : 62310,
             "Username"          : "com.apple.calendarserver", # For account injecting replies
             "Password"          : "",    # For account injecting replies
+            "GUID"              : "B86ED9D3-49BD-44F8-8F5E-C89D08753DAC", # GUID for special internal user
+            "Header"            : "x-calendarserver-internal", # HTTP header for internal authentication
             "Sending": {
                 "Server"        : "",    # SMTP server to relay messages through
                 "Port"          : 587,   # SMTP server port to relay messages through
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20101214/385fd592/attachment-0001.html>


More information about the calendarserver-changes mailing list