<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[13694] CalendarServer/trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.calendarserver.org//changeset/13694">13694</a></dd>
<dt>Author</dt> <dd>sagen@apple.com</dd>
<dt>Date</dt> <dd>2014-06-26 11:07:03 -0700 (Thu, 26 Jun 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Reimplement OS X Server SACLs using cffi</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#CalendarServertrunkcalendarserverprovisionrootpy">CalendarServer/trunk/calendarserver/provision/root.py</a></li>
<li><a href="#CalendarServertrunkcalendarserverprovisiontesttest_rootpy">CalendarServer/trunk/calendarserver/provision/test/test_root.py</a></li>
<li><a href="#CalendarServertrunksetuppy">CalendarServer/trunk/setup.py</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#CalendarServertrunkcalendarserverplatformdarwinsaclpy">CalendarServer/trunk/calendarserver/platform/darwin/sacl.py</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#CalendarServertrunkcalendarserverplatformdarwin_saclc">CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="CalendarServertrunkcalendarserverplatformdarwin_saclc"></a>
<div class="delfile"><h4>Deleted: CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c (13693 => 13694)</h4>
<pre class="diff"><span>
<span class="info">--- CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c 2014-06-26 01:35:18 UTC (rev 13693)
+++ CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c 2014-06-26 18:07:03 UTC (rev 13694)
</span><span class="lines">@@ -1,96 +0,0 @@
</span><del>-/*
- * Copyright (c) 2006-2014 Apple Inc. All rights reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "Python.h"
-#include <Security/Security.h>
-#include <membership.h>
-
-int mbr_check_service_membership(const uuid_t user, const char* servicename, int* ismember);
-int mbr_user_name_to_uuid(const char* name, uuid_t uu);
-int mbr_group_name_to_uuid(const char* name, uuid_t uu);
-
-/*
- CheckSACL(userOrGroupName, service)
- Checks user or group membership in a service.
-*/
-static PyObject *appleauth_CheckSACL(PyObject *self, PyObject *args) {
- char *username;
- int usernameSize;
- char *serviceName;
- int serviceNameSize;
-
- char *prefix = "com.apple.access_";
- char groupName[256];
- uuid_t group_uu;
-
- // get the args
- if (!PyArg_ParseTuple(args, "s#s#", &username,
- &usernameSize, &serviceName, &serviceNameSize)) {
- return NULL;
- }
-
- // If the username is empty, see if there is a com.apple.access_<service>
- // group
- if ( usernameSize == 0 ) {
- if ( strlen(serviceName) > 255 - strlen(prefix) ) {
- return Py_BuildValue("i", (-3));
- }
- memcpy(groupName, prefix, strlen(prefix));
- strcpy(groupName + strlen(prefix), serviceName);
- if ( mbr_group_name_to_uuid(groupName, group_uu) == 0 ) {
- // com.apple.access_<serviceName> group does exist, so
- // unauthenticated users are not allowed
- return Py_BuildValue("i", (-1));
- } else {
- // com.apple.access_<serviceName> group doesn't exist, so
- // unauthenticated users are allowed
- return Py_BuildValue("i", 0);
- }
- }
-
- // get a uuid for the user
- uuid_t user;
- int result = mbr_user_name_to_uuid(username, user);
- int isMember = 0;
-
- if ( result != 0 ) {
- // no uuid for the user, we might be a group.
- result = mbr_group_name_to_uuid(username, user);
- }
-
- if ( result != 0 ) {
- return Py_BuildValue("i", (-1));
- }
-
- result = mbr_check_service_membership(user, serviceName, &isMember);
-
- if ( ( result == 0 && isMember == 1 ) || ( result == ENOENT ) ) {
- // passed
- return Py_BuildValue("i", 0);
- }
-
- return Py_BuildValue("i", (-2));
-}
-
-/* Method definitions. */
-static struct PyMethodDef _sacl_methods[] = {
- {"CheckSACL", appleauth_CheckSACL},
- {NULL, NULL} /* Sentinel */
-};
-
-void init_sacl(void) {
- Py_InitModule("_sacl", _sacl_methods);
-}
</del></span></pre></div>
<a id="CalendarServertrunkcalendarserverplatformdarwinsaclpy"></a>
<div class="addfile"><h4>Added: CalendarServer/trunk/calendarserver/platform/darwin/sacl.py (0 => 13694)</h4>
<pre class="diff"><span>
<span class="info">--- CalendarServer/trunk/calendarserver/platform/darwin/sacl.py (rev 0)
+++ CalendarServer/trunk/calendarserver/platform/darwin/sacl.py 2014-06-26 18:07:03 UTC (rev 13694)
</span><span class="lines">@@ -0,0 +1,85 @@
</span><ins>+##
+# Copyright (c) 2005-2014 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+from __future__ import print_function
+
+__all__ = [
+ "checkSACL"
+]
+
+from cffi import FFI, VerificationError
+
+ffi = FFI()
+
+definitions = """
+ typedef unsigned char uuid_t[16];
+ int mbr_check_service_membership(const uuid_t user, const char* servicename, int* ismember);
+ int mbr_user_name_to_uuid(const char* name, uuid_t uu);
+ int mbr_group_name_to_uuid(const char* name, uuid_t uu);
+"""
+
+ffi.cdef(definitions)
+
+try:
+ lib = ffi.verify(definitions, libraries=[])
+except VerificationError as ve:
+ raise ImportError(ve)
+
+
+def checkSACL(userOrGroupName, serviceName):
+ """
+ Check to see if a given user or group is a member of an OS X Server
+ service's access group. If userOrGroupName is an empty string, we
+ want to know if unauthenticated access is allowed for the given service.
+
+ @param userOrGroupName: the name of the user or group
+ @type userOrGroupName: C{unicode}
+
+ @param serviceName: the name of the service (e.g. calendar, addressbook)
+ @type serviceName: C{str}
+
+ @return: True if the user or group is allowed access to service
+ @rtype: C{bool}
+ """
+
+ userOrGroupName = userOrGroupName.encode("utf-8")
+ prefix = "com.apple.access_"
+ uu = ffi.new("uuid_t")
+
+ # See if the access group exists. If it does not, then there are no
+ # restrictions
+ groupName = prefix + serviceName
+ groupMissing = lib.mbr_group_name_to_uuid(groupName, uu)
+ if groupMissing:
+ return True
+
+ # See if userOrGroupName matches a user
+ result = lib.mbr_user_name_to_uuid(userOrGroupName, uu)
+ if result:
+ # Not a user, try looking up a group of that name
+ result = lib.mbr_group_name_to_uuid(userOrGroupName, uu)
+
+ if result:
+ # Neither a user nor a group matches the name
+ return False
+
+ # See if the uuid is a member of the service access group
+ isMember = ffi.new("int *")
+ result = lib.mbr_check_service_membership(uu, serviceName, isMember)
+ if not result and isMember[0]:
+ return True
+
+ return False
</ins></span></pre></div>
<a id="CalendarServertrunkcalendarserverprovisionrootpy"></a>
<div class="modfile"><h4>Modified: CalendarServer/trunk/calendarserver/provision/root.py (13693 => 13694)</h4>
<pre class="diff"><span>
<span class="info">--- CalendarServer/trunk/calendarserver/provision/root.py 2014-06-26 01:35:18 UTC (rev 13693)
+++ CalendarServer/trunk/calendarserver/provision/root.py 2014-06-26 18:07:03 UTC (rev 13694)
</span><span class="lines">@@ -19,6 +19,12 @@
</span><span class="cx"> "RootResource",
</span><span class="cx"> ]
</span><span class="cx">
</span><ins>+try:
+ from calendarserver.platform.darwin.sacl import checkSACL
+except ImportError:
+ # OS X Server SACLs not supported on this system, make SACL check a no-op
+ checkSACL = lambda *ignored: True
+
</ins><span class="cx"> from twext.python.log import Logger
</span><span class="cx"> from twisted.cred.error import LoginFailed, UnauthorizedLogin
</span><span class="cx"> from twisted.internet.defer import inlineCallbacks, returnValue, succeed
</span><span class="lines">@@ -75,10 +81,7 @@
</span><span class="cx"> super(RootResource, self).__init__(path, *args, **kwargs)
</span><span class="cx">
</span><span class="cx"> if config.EnableSACLs:
</span><del>- if RootResource.CheckSACL:
- self.useSacls = True
- else:
- log.warn("SACLs are enabled, but SACLs are not supported.")
</del><ins>+ self.useSacls = True
</ins><span class="cx">
</span><span class="cx"> self.contentFilters = []
</span><span class="cx">
</span><span class="lines">@@ -122,7 +125,7 @@
</span><span class="cx">
</span><span class="cx">
</span><span class="cx"> @inlineCallbacks
</span><del>- def checkSacl(self, request):
</del><ins>+ def checkSACL(self, request):
</ins><span class="cx"> """
</span><span class="cx"> Check SACLs against the current request
</span><span class="cx"> """
</span><span class="lines">@@ -147,7 +150,7 @@
</span><span class="cx"> # with an empty string.
</span><span class="cx"> if authzUser is None:
</span><span class="cx"> for saclService in saclServices:
</span><del>- if RootResource.CheckSACL("", saclService) == 0:
</del><ins>+ if checkSACL("", saclService):
</ins><span class="cx"> # No group actually exists for this SACL, so allow
</span><span class="cx"> # unauthenticated access
</span><span class="cx"> returnValue(True)
</span><span class="lines">@@ -169,7 +172,7 @@
</span><span class="cx">
</span><span class="cx"> access = False
</span><span class="cx"> for saclService in saclServices:
</span><del>- if RootResource.CheckSACL(username, saclService) == 0:
</del><ins>+ if checkSACL(username, saclService):
</ins><span class="cx"> # Access is allowed
</span><span class="cx"> access = True
</span><span class="cx"> break
</span><span class="lines">@@ -346,7 +349,7 @@
</span><span class="cx"> self.useSacls and
</span><span class="cx"> not hasattr(request, "checkedSACL")
</span><span class="cx"> ):
</span><del>- yield self.checkSacl(request)
</del><ins>+ yield self.checkSACL(request)
</ins><span class="cx">
</span><span class="cx"> if config.RejectClients:
</span><span class="cx"> #
</span><span class="lines">@@ -432,11 +435,3 @@
</span><span class="cx">
</span><span class="cx"> def http_DELETE(self, request):
</span><span class="cx"> return responsecode.FORBIDDEN
</span><del>-
-# So CheckSACL will be parameterized
-# We do this after RootResource is defined
-try:
- from calendarserver.platform.darwin._sacl import CheckSACL
- RootResource.CheckSACL = CheckSACL
-except ImportError:
- RootResource.CheckSACL = None
</del></span></pre></div>
<a id="CalendarServertrunkcalendarserverprovisiontesttest_rootpy"></a>
<div class="modfile"><h4>Modified: CalendarServer/trunk/calendarserver/provision/test/test_root.py (13693 => 13694)</h4>
<pre class="diff"><span>
<span class="info">--- CalendarServer/trunk/calendarserver/provision/test/test_root.py 2014-06-26 01:35:18 UTC (rev 13693)
+++ CalendarServer/trunk/calendarserver/provision/test/test_root.py 2014-06-26 18:07:03 UTC (rev 13694)
</span><span class="lines">@@ -26,22 +26,27 @@
</span><span class="cx"> from twistedcaldav.test.util import StoreTestCase, SimpleStoreRequest
</span><span class="cx"> from twistedcaldav.directory.principal import DirectoryPrincipalProvisioningResource
</span><span class="cx">
</span><del>-from calendarserver.provision.root import RootResource
</del><ins>+import calendarserver.provision.root # for patching checkSACL
</ins><span class="cx">
</span><span class="cx">
</span><del>-class FakeCheckSACL(object):
- def __init__(self, sacls=None):
- self.sacls = sacls or {}
</del><ins>+TEST_SACLS = {
+ "calendar": [
+ "dreid"
+ ],
+ "addressbook": [
+ "dreid"
+ ],
+}
</ins><span class="cx">
</span><span class="cx">
</span><del>- def __call__(self, username, service):
- if service not in self.sacls:
- return 1
</del><ins>+def stubCheckSACL(username, service):
+ if service not in TEST_SACLS:
+ return True
</ins><span class="cx">
</span><del>- if username in self.sacls[service]:
- return 0
</del><ins>+ if username in TEST_SACLS[service]:
+ return True
</ins><span class="cx">
</span><del>- return 1
</del><ins>+ return False
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx">
</span><span class="lines">@@ -51,7 +56,7 @@
</span><span class="cx"> def setUp(self):
</span><span class="cx"> yield super(RootTests, self).setUp()
</span><span class="cx">
</span><del>- RootResource.CheckSACL = FakeCheckSACL(sacls={"calendar": ["dreid"]})
</del><ins>+ self.patch(calendarserver.provision.root, "checkSACL", stubCheckSACL)
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx">
</span><span class="lines">@@ -337,7 +342,7 @@
</span><span class="cx"> "PROPFIND",
</span><span class="cx"> "/principals/users/dreid/",
</span><span class="cx"> headers=http_headers.Headers({
</span><del>- 'Depth': '1',
</del><ins>+ 'Depth': '1',
</ins><span class="cx"> }),
</span><span class="cx"> authPrincipal=principal,
</span><span class="cx"> content=body
</span><span class="lines">@@ -353,7 +358,7 @@
</span><span class="cx"> "PROPFIND",
</span><span class="cx"> "/principals/users/dreid/",
</span><span class="cx"> headers=http_headers.Headers({
</span><del>- 'Depth': '1',
</del><ins>+ 'Depth': '1',
</ins><span class="cx"> }),
</span><span class="cx"> authPrincipal=principal,
</span><span class="cx"> content=body
</span></span></pre></div>
<a id="CalendarServertrunksetuppy"></a>
<div class="modfile"><h4>Modified: CalendarServer/trunk/setup.py (13693 => 13694)</h4>
<pre class="diff"><span>
<span class="info">--- CalendarServer/trunk/setup.py 2014-06-26 01:35:18 UTC (rev 13693)
+++ CalendarServer/trunk/setup.py 2014-06-26 18:07:03 UTC (rev 13694)
</span><span class="lines">@@ -256,17 +256,8 @@
</span><span class="cx">
</span><span class="cx"> extensions = []
</span><span class="cx">
</span><del>-# if sys.platform == "darwin":
-# extensions.append(
-# Extension(
-# "calendarserver.platform.darwin._sacl",
-# extra_link_args=["-framework", "Security"],
-# sources=["calendarserver/platform/darwin/_sacl.c"]
-# )
-# )
</del><span class="cx">
</span><span class="cx">
</span><del>-
</del><span class="cx"> #
</span><span class="cx"> # Run setup
</span><span class="cx"> #
</span></span></pre>
</div>
</div>
</body>
</html>